Added is_context_configurable function

Added is_context_configurable function

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1549 bytes --]

This patch defines two functions.

is_context_configurable(scontext) 
This returns if if the context is in the 
/etc/selinux/*/contexts/configurable_contexts file.
0 If not and -1 on error.

Internally this calls get_configurable_context_list which returns a 
contextarray of the contexts of that file.

I have also patched the policy makefile to populate that file, but 
looking for all contexts marked as configurable.

Now I would like to use this function in restorecon/setfiles, so that by 
default they will leave configurable contexts alone.

Dan

is_context_configurable(3) SELinux API 
documentationis_context_configurable(3)



NAME
       is_context_configurable  - check whether context is configurable 
by the
       administrator.

SYNOPSIS
       #include <selinux/selinux.h>

       int is_context_configurable(security_context_t scon);


DESCRIPTION
       is_context_configurable
       This function checks  whether  scon  is  in  the  
/etc/selinux/SELINUX-
       TYPE/context/configurable_contexts  file.  A 
configurable_contexts is a
       file contexts that administrators set on the  file  system  
usually  to
       allow  certain  domains  to share the file content. restorecon 
and set-
       files by default leave these context in place.



RETURN VALUE
       returns 1 if security context is  configurable  or  0  if  it  
is  not.
       returns -1 on error


FILE
       /etc/selinux/SELINUXTYPE/context/configurable_contexts




dwalsh@redhat.com               10 January 2005     
is_context_configurable(3)


[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/x-patch, Size: 5022 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-12-03 14:40:05.000000000 -0500
+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-10 17:12:13.775893740 -0500
@@ -226,6 +226,7 @@
 extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_booleans_path(void);
+extern const char *selinux_configurable_contexts_path(void);
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
@@ -242,6 +243,10 @@
 		       const char *filename, 
 		       char *const argv[], char *const envp[]);
 
+/* Returns whether a file context is configurable, and should not 
+   be relabeled . */
+extern int is_context_configurable (security_context_t scontext);
+
 #ifdef __cplusplus
 }
 #endif
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_configurable.3 libselinux-1.20.1/man/man3/is_context_configurable.3
--- nsalibselinux/man/man3/is_context_configurable.3	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/man/man3/is_context_configurable.3	2005-01-10 17:12:39.279014613 -0500
@@ -0,0 +1,22 @@
+.TH "is_context_configurable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+is_context_configurable \- check whether context is configurable by the administrator.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int is_context_configurable(security_context_t scon);
+
+.SH "DESCRIPTION"
+.B is_context_configurable
+.br
+This function checks whether scon is in the /etc/selinux/SELINUXTYPE/context/configurable_contexts file.  A configurable_contexts is a file contexts that
+administrators set on the file system usually to allow certain domains to share the file content. restorecon and setfiles by default leave these context in place.
+
+ 
+.SH "RETURN VALUE"
+returns 1 if security context is configurable or 0 if it is not. 
+returns -1 on error
+
+.SH "FILE"
+/etc/selinux/SELINUXTYPE/context/configurable_contexts
+
diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h
--- nsalibselinux/src/file_path_suffixes.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-10 17:12:13.776893627 -0500
@@ -9,3 +9,4 @@
 S_(BOOLEANS, "/booleans")
 S_(MEDIA_CONTEXTS, "/contexts/files/media")
 S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
+S_(CONFIGURABLE_CONTEXTS, "/contexts/configurable_contexts")
diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_configurable_context.c libselinux-1.20.1/src/is_configurable_context.c
--- nsalibselinux/src/is_configurable_context.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/src/is_configurable_context.c	2005-01-10 17:12:13.777893514 -0500
@@ -0,0 +1,61 @@
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <selinux/selinux.h>
+
+static int get_configurable_context_list (security_context_t **retlist)
+{
+	FILE *fp;
+	char buf[4097];
+	int ctr=0, i;
+	security_context_t *list=NULL;
+
+	fp = fopen(selinux_configurable_contexts_path(), "r");
+	if (!fp)
+		return -1;
+
+	while (fgets_unlocked(buf, 4096, fp)) {
+		ctr++;
+	}
+	rewind(fp);
+	if (ctr) {
+		list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);
+		if (list) {
+		  i=0;
+		  while (fgets_unlocked(buf, 4096, fp)) {
+		    buf[strlen(buf)-1]=0;
+		    list[i++]=(security_context_t) strdup(buf);
+		    if (i>ctr) { 
+		      /* Should never happen */
+		      free(list);
+		      list=NULL;
+		      break;
+		    }
+		  }
+		}
+	}
+	fclose(fp);
+	if (!list)
+		return -1;
+	*retlist=list;
+	return 0;
+}
+
+static security_context_t *configurable_list=NULL;
+
+int is_context_configurable (security_context_t scontext) {
+  int i;
+  if (! configurable_list) {
+    if (get_configurable_context_list(&configurable_list)!=0) 
+      return -1;
+  }
+  
+  for (i = 0; configurable_list[i]; i++) {
+    if (strcmp(configurable_list[i],scontext) == 0) return 1;
+  }
+  return 0;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/selinux_config.c	2005-01-10 17:12:13.779893288 -0500
@@ -26,7 +26,8 @@
 #define BOOLEANS          7
 #define MEDIA_CONTEXTS    8
 #define REMOVABLE_CONTEXT 9
-#define NEL               10
+#define CONFIGURABLE_CONTEXTS    10
+#define NEL               11
 
 /* New layout is relative to SELINUXDIR/policytype. */
 static char *file_paths[NEL];
@@ -211,6 +212,10 @@
   return get_path(MEDIA_CONTEXTS);
 }
 
+const char *selinux_configurable_contexts_path() {
+  return get_path(CONFIGURABLE_CONTEXTS);
+}
+
 const char *selinux_contexts_path() {
   return get_path(CONTEXTS_DIR);
 }

[-- Attachment #3: configurable_contexts --]
[-- Type: text/plain, Size: 136 bytes --]

httpd_sys_content_t
httpd_sys_script_exec_t
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_sys_script_ra_t
ftpd_anon_t
samba_share_t

Re: Added is_context_configurable function

[Stephen Smalley]

On Mon, 2005-01-10 at 17:17, Daniel J Walsh wrote:
> This patch defines two functions.
> 
> is_context_configurable(scontext) 
> This returns if if the context is in the 
> /etc/selinux/*/contexts/configurable_contexts file.
> 0 If not and -1 on error.
> 
> Internally this calls get_configurable_context_list which returns a 
> contextarray of the contexts of that file.
> 
> I have also patched the policy makefile to populate that file, but 
> looking for all contexts marked as configurable.
> 
> Now I would like to use this function in restorecon/setfiles, so that by 
> default they will leave configurable contexts alone.

I think that in prior discussions of this functionality, we had
discussed allowing an optional list of alternative contexts at the end
of each entry in the file_contexts configuration, and having
setfiles/restorecon not change the context if the file already had any
context in that list, but still set the context to the first context
listed if the file lacked any context at all (e.g. initial labeling). 
I'm not sure I see the benefit of marking the types with an attribute in
the policy since you aren't defining any rules based on that attribute
or providing a separate configuration file from file_contexts.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Stephen Smalley wrote:

>On Mon, 2005-01-10 at 17:17, Daniel J Walsh wrote:
>  
>
>>This patch defines two functions.
>>
>>is_context_configurable(scontext) 
>>This returns if if the context is in the 
>>/etc/selinux/*/contexts/configurable_contexts file.
>>0 If not and -1 on error.
>>
>>Internally this calls get_configurable_context_list which returns a 
>>contextarray of the contexts of that file.
>>
>>I have also patched the policy makefile to populate that file, but 
>>looking for all contexts marked as configurable.
>>
>>Now I would like to use this function in restorecon/setfiles, so that by 
>>default they will leave configurable contexts alone.
>>    
>>
>
>I think that in prior discussions of this functionality, we had
>discussed allowing an optional list of alternative contexts at the end
>of each entry in the file_contexts configuration, and having
>setfiles/restorecon not change the context if the file already had any
>context in that list, but still set the context to the first context
>listed if the file lacked any context at all (e.g. initial labeling). 
>I'm not sure I see the benefit of marking the types with an attribute in
>the policy since you aren't defining any rules based on that attribute
>or providing a separate configuration file from file_contexts.
>
>  
>
I think this is more flexible, in that it allows users to specify the 
location of these files versus policy.
IE I create a new top level directory /rsync which I want to label 
ftp_anon_t, I don't want to have to specify
ftp_anon_t is an alternative to default_t.  Specifying it as an 
attribute just gives a way of creating the file on the
fly from policy rather than just having a flat file in contexts called 
configurable_contexts, also depending on the
policy the file may differ.  I could see someone writing policy say 
allowing ftp r_dir_file(ftp_t, configurable).

I think we should rename the concept from configurable_contexts to 
configurable_types, and change all the functions
to match, also.  Since this is really just the type we are concerned with.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Stephen Smalley]

On Tue, 2005-01-11 at 11:12, Daniel J Walsh wrote:
> I think this is more flexible, in that it allows users to specify the 
> location of these files versus policy.
> IE I create a new top level directory /rsync which I want to label 
> ftp_anon_t, I don't want to have to specify
> ftp_anon_t is an alternative to default_t.

You could certainly specify a /rsync/(/.*)? entry in file_contexts that
had both contexts listed.  Ordinary user shouldn't be able to
create/populate /rsync anyway without administrative setup.

Failing to associate the context with a location in any manner means
that setfiles/restorecon will fail to fix the label on e.g. /etc/shadow
if it happens to get one of these configurable types at some point. 
Admittedly, getting to that point requires some kind of serious error in
the first place, but running fixfiles relabel will no longer correct
such errors for you.

BTW, customizable or alternatives seems better than configurable.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Stephen Smalley wrote:

>On Tue, 2005-01-11 at 11:12, Daniel J Walsh wrote:
>  
>
>>I think this is more flexible, in that it allows users to specify the 
>>location of these files versus policy.
>>IE I create a new top level directory /rsync which I want to label 
>>ftp_anon_t, I don't want to have to specify
>>ftp_anon_t is an alternative to default_t.
>>    
>>
>
>You could certainly specify a /rsync/(/.*)? entry in file_contexts that
>had both contexts listed.  Ordinary user shouldn't be able to
>create/populate /rsync anyway without administrative setup.
>
>  
>
Using your method for every file he puts under /var/www/html now needs 
him to write some special rule into file_context file?
I don't like the usability of that.

>Failing to associate the context with a location in any manner means
>that setfiles/restorecon will fail to fix the label on e.g. /etc/shadow
>if it happens to get one of these configurable types at some point. 
>Admittedly, getting to that point requires some kind of serious error in
>the first place, but running fixfiles relabel will no longer correct
>such errors for you.
>
>BTW, customizable or alternatives seems better than configurable.
>
>  
>
I was going to put in a -F qualifier which would allow you to override 
the configurable_types.  Also
using -v -v will show you all files with configurable types

restorecon -R -v /var
Quietly leave configurables

restorecon -R -v -v /var
Would leave configurable entries but report them

restorecon -F -R -v /var
Will work like current restorecon works.


Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Stephen Smalley]

On Tue, 2005-01-11 at 15:31, Daniel J Walsh wrote:
> Using your method for every file he puts under /var/www/html now needs 
> him to write some special rule into file_context file?
> I don't like the usability of that.

No, you just add contexts to the end of the existing entries in
apache.fc where you want to support alternatives.  Only case where you
need a new entry is if you want to allow alternatives for a smaller set
than is presently covered by some pathname regex.

> I was going to put in a -F qualifier which would allow you to override 
> the configurable_types.  Also
> using -v -v will show you all files with configurable types
> 
> restorecon -R -v /var
> Quietly leave configurables
> 
> restorecon -R -v -v /var
> Would leave configurable entries but report them
> 
> restorecon -F -R -v /var
> Will work like current restorecon works.

configurable -> customizable or alternatives

In practice, I would expect that admins will only use the default form
(i.e. leave them intact and not report them) unless they encounter some
other policy error, and that could prove fatal, e.g. if some sensitive
file becomes mislabeled and accessible to untrusted processes.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Stephen Smalley wrote:

>On Tue, 2005-01-11 at 15:31, Daniel J Walsh wrote:
>  
>
>>Using your method for every file he puts under /var/www/html now needs 
>>him to write some special rule into file_context file?
>>I don't like the usability of that.
>>    
>>
>
>No, you just add contexts to the end of the existing entries in
>apache.fc where you want to support alternatives.  Only case where you
>need a new entry is if you want to allow alternatives for a smaller set
>than is presently covered by some pathname regex.
>  
>
>  
>
>>I was going to put in a -F qualifier which would allow you to override 
>>the configurable_types.  Also
>>using -v -v will show you all files with configurable types
>>
>>restorecon -R -v /var
>>Quietly leave configurables
>>
>>restorecon -R -v -v /var
>>Would leave configurable entries but report them
>>
>>restorecon -F -R -v /var
>>Will work like current restorecon works.
>>    
>>
>
>configurable -> customizable or alternatives
>
>In practice, I would expect that admins will only use the default form
>(i.e. leave them intact and not report them) unless they encounter some
>other policy error, and that could prove fatal, e.g. if some sensitive
>file becomes mislabeled and accessible to untrusted processes.
>
>  
>
This might be a conflict between strict and relaxed policy.  I am 
getting bugs from users who setup the apache web servers
with files in different locations than the preordaned.  I am looking for 
an easy way for them to configure their system and make
it survive a restoration of file labels.  I don't believe telling them 
that they have to edit some file_context file and place regular expression
commands in some wierd format is a workable solution.  In strict policy 
it seems to me we have more control over the environment.
How about a user who wants to share /home/USER/www instead of 
/home/USER/public_html, how about setting up cluster system that
shares pages off of a /share directory.  Their are lots of examples with 
shared (customizable,alternatives, configurable whatever) files need to be
labeled, and we want a simple way for users to do this.  If the 
mechanism is to have them chcon -t samba_share_t XYZ and then they
forget to add an entry to file_context of they make a mistake in 
file_context and a restorecon blows their mods away they are not going to be
happy.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Colin Walters]

On Tue, 2005-01-11 at 15:58 -0500, Daniel J Walsh wrote:

> This might be a conflict between strict and relaxed policy.  I am 
> getting bugs from users who setup the apache web servers
> with files in different locations than the preordaned.  I am looking for 
> an easy way for them to configure their system and make
> it survive a restoration of file labels. 

Now, part of this problem is that we're asking users to run "fixfiles
relabel" so often.  This is really a quite drastic measure, and we
should be solving some of these cases automatically.  For example, when
PostgreSQL was added to the targeted policy, or when we move files
around between FC3 and FC4, and users want to upgrade.  One approach
here might be to have an idea of file system label "versions".  Let's
call the contexts in the current rawhide to be version 0.  This version
is stored in /.label_version.  Then let's say we add postgres, and we
need to ensure that it's labeled correctly.  We call this version 1.
Inside the postinst, we have code like this:

# Increase this on every incompatible change to file_contexts
curver=1

fsver=$(cat /.label_version)
if test $fsver -lt 1; then
  relabel_package postgresql
fi

Then later, we move the dhcpd files around, so we just suffix this code:

if test $fsver -lt 2; then
  relabel_package dhcpd
fi

etc.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Colin Walters]

On Tue, 2005-01-11 at 15:00 -0500, Stephen Smalley wrote:
> On Tue, 2005-01-11 at 11:12, Daniel J Walsh wrote:
> > I think this is more flexible, in that it allows users to specify the 
> > location of these files versus policy.
> > IE I create a new top level directory /rsync which I want to label 
> > ftp_anon_t, I don't want to have to specify
> > ftp_anon_t is an alternative to default_t.
> 
> You could certainly specify a /rsync/(/.*)? entry in file_contexts that
> had both contexts listed.  Ordinary user shouldn't be able to
> create/populate /rsync anyway without administrative setup.

I've said this before, but I don't like the idea of having to edit
file_contexts whenever I want to change the labels.  I feel that the 
on-disk version should be canonical, and the file_contexts only used for
system initialization.  One major reason for this is that right now,
practically speaking, it's difficult to maintain a local system policy
delta, *particularly* with files/file_contexts.  file_contexts is a
machine-generated file; in Fedora it's included in the 
selinux-policy-targeted package.  If you change it you get .rpmnew files
which you have to manually merge on every package update.  This could be
solved to some extent if we also had matchpathcon read from
file_contexts.local or something.  Even if we implemented that though,
it is still painful for administrators to e.g. use a non-default Apache
DocumentRoot; they will have to remember to create an entry in their
file_contexts.local file with a regexp matching the path and all of the
possible alternate types, which is pretty unintuitive.  Although the
obvious merge conflict is gone, you still have to manually keep this
line in sync with any Apache policy updates.

> Failing to associate the context with a location in any manner means
> that setfiles/restorecon will fail to fix the label on e.g. /etc/shadow
> if it happens to get one of these configurable types at some point. 
> Admittedly, getting to that point requires some kind of serious error in
> the first place,

To say the least.

>  but running fixfiles relabel will no longer correct
> such errors for you.

If your /etc/shadow is somehow mislabeled, I would think that you likely
have larger problems than a fixfiles relabel could solve; e.g. you
accidentally untarred an old system snapshot onto /.

> BTW, customizable or alternatives seems better than configurable.

Yeah, I like customizable, but it's not a strong preference.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Casey Schaufler]

--- Colin Walters <walters@redhat.com> wrote:
 
> I feel that the 
> on-disk version should be canonical, and the
> file_contexts only used for
> system initialization.

I'd have to recheck the LSPP spec, but the B1
requirements clearly stated that MAC labels
had to be stored on the same media as the files.
The "closer" the MAC attribute is to the file,
the better. Hence an attribute of the file with
the MAC label is prefered to a file or database.
Further, the attribute must be associated with
the file, not a pathname. Files can exist, after
all, without a pathname.


=====
Casey Schaufler
casey@schaufler-ca.com


	
		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Stephen Smalley]

On Tue, 2005-01-11 at 17:10, Colin Walters wrote:
> I've said this before, but I don't like the idea of having to edit
> file_contexts whenever I want to change the labels.  I feel that the 
> on-disk version should be canonical, and the file_contexts only used for
> system initialization.

That is also my view.  However, if people are going to run setfiles or
restorecon at runtime to check or set contexts (which is current
practice in Fedora), then we do need a way to distinguish legitimate
customizations from what are essentially bugs in the policy (e.g. lack
of a file type transition rule) or applications (e.g. failure to
preserve or set context on a file where file type transition rules are
insufficient).  The file contexts configuration seemed like a reasonable
way to capture that distinction to me.  Two questions:
1) Is it sufficient to identify legitimate customizations based solely
on the TE type of the file?  If not, what other information should be
taken into account, irrespective of whether this is done via
file_contexts or via a different config file?
2) Is it feasible for the policy writer to identify all such TE types a
priori in the policy without covering such a large set as to make
setfiles/restorecon completely useless by default? If not, what
mechanism will be provided to allow users/admins to easily mark
additional types without conflicting with future policy updates?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Stephen Smalley wrote:

>On Tue, 2005-01-11 at 17:10, Colin Walters wrote:
>  
>
>>I've said this before, but I don't like the idea of having to edit
>>file_contexts whenever I want to change the labels.  I feel that the 
>>on-disk version should be canonical, and the file_contexts only used for
>>system initialization.
>>    
>>
>
>That is also my view.  However, if people are going to run setfiles or
>restorecon at runtime to check or set contexts (which is current
>practice in Fedora), then we do need a way to distinguish legitimate
>customizations from what are essentially bugs in the policy (e.g. lack
>of a file type transition rule) or applications (e.g. failure to
>preserve or set context on a file where file type transition rules are
>insufficient).  The file contexts configuration seemed like a reasonable
>way to capture that distinction to me.  Two questions:
>1) Is it sufficient to identify legitimate customizations based solely
>on the TE type of the file?  If not, what other information should be
>taken into account, irrespective of whether this is done via
>file_contexts or via a different config file?
>  
>
I think we can somewhat do that now.  I am not looking at the ability to 
put general
files in random location, just based off the wim of the Administrator.  
IE putting
/var/named some where else is not what we are considering, in this case 
a secondary
file_context.local file should be required.  But the usual case of 
labeling file for sharing
IE samba_share_t, http*, ftp_anon_t.  These will be come common, and the 
admin should not
be required to update file_context in this case.  (We had considered 
calling them sharables)

>2) Is it feasible for the policy writer to identify all such TE types a
>priori in the policy without covering such a large set as to make
>setfiles/restorecon completely useless by default? If not, what
>mechanism will be provided to allow users/admins to easily mark
>additional types without conflicting with future policy updates?
>
>  
>
I believe so as long as we confine it to shareable types of context, not 
files that have standard locations,
that an admin might decide to change.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 470 bytes --]

Patched for libselinux.

This patch changes the previous to rename configurable_contexts to 
customizable_paths.

Also modifies matchpathcon to process file_contexts.local

So if a user wants to change the config file of a server to a different 
location they can
do something like the following

sed 's|/var/www|/usr/local/www/g' 
/etc/selinux/targeted/context/file_context > 
/etc/selinux/targeted/context/file_context.local

And then restorecon -R -v /usr/local/www


[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/x-patch, Size: 12781 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-12-03 14:40:05.000000000 -0500
+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-12 10:09:49.691145916 -0500
@@ -226,6 +226,7 @@
 extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_booleans_path(void);
+extern const char *selinux_customizable_types_path(void);
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
@@ -242,6 +243,10 @@
 		       const char *filename, 
 		       char *const argv[], char *const envp[]);
 
+/* Returns whether a file context is customizable, and should not 
+   be relabeled . */
+extern int is_context_customizable (security_context_t scontext);
+
 #ifdef __cplusplus
 }
 #endif
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3
--- nsalibselinux/man/man3/is_context_customizable.3	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/man/man3/is_context_customizable.3	2005-01-12 10:09:49.692145804 -0500
@@ -0,0 +1,22 @@
+.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+is_context_customizable \- check whether context type is customizable by the administrator.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int is_context_customizable(security_context_t scon);
+
+.SH "DESCRIPTION"
+.B is_context_customizable
+.br
+This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file.  A customizable type is a file context type that
+administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
+
+ 
+.SH "RETURN VALUE"
+returns 1 if security context is customizable or 0 if it is not. 
+returns -1 on error
+
+.SH "FILE"
+/etc/selinux/SELINUXTYPE/context/customizable_types
+
diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h
--- nsalibselinux/src/file_path_suffixes.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-12 10:09:49.693145692 -0500
@@ -9,3 +9,4 @@
 S_(BOOLEANS, "/booleans")
 S_(MEDIA_CONTEXTS, "/contexts/files/media")
 S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
+S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")
diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c
--- nsalibselinux/src/is_customizable_type.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/src/is_customizable_type.c	2005-01-12 10:09:49.695145469 -0500
@@ -0,0 +1,68 @@
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <selinux/selinux.h>
+
+static int get_customizable_type_list (security_context_t **retlist)
+{
+	FILE *fp;
+	char buf[4097];
+	int ctr=0, i;
+	security_context_t *list=NULL;
+
+	fp = fopen(selinux_customizable_types_path(), "r");
+	if (!fp)
+		return -1;
+
+	while (fgets_unlocked(buf, 4096, fp)) {
+		ctr++;
+	}
+	rewind(fp);
+	if (ctr) {
+		list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);
+		if (list) {
+		  i=0;
+		  while (fgets_unlocked(buf, 4096, fp)) {
+		    buf[strlen(buf)-1]=0;
+		    list[i++]=(security_context_t) strdup(buf);
+		    if (i>ctr) { 
+		      /* Should never happen */
+		      free(list);
+		      list=NULL;
+		      break;
+		    }
+		  }
+		}
+	}
+	fclose(fp);
+	if (!list)
+		return -1;
+	*retlist=list;
+	return 0;
+}
+
+static security_context_t *customizable_list=NULL;
+
+int is_context_customizable (security_context_t scontext) {
+  int i;
+  char *ptr;
+  if (! customizable_list) {
+    if (get_customizable_type_list(&customizable_list)!=0) 
+      return -1;
+  }
+  
+  ptr=strrchr(scontext, ':');
+  if (ptr) {
+	  ptr++;
+  } else {
+	  ptr=scontext;
+  }
+  for (i = 0; customizable_list[i]; i++) {
+    if (strcmp(customizable_list[i],ptr) == 0) return 1;
+  }
+  return 0;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c	2004-12-29 11:51:23.000000000 -0500
+++ libselinux-1.20.1/src/matchpathcon.c	2005-01-12 10:10:03.411611561 -0500
@@ -207,15 +207,135 @@
 	}
 	return;
 }
-
+static int process_line( const char *path, char *line_buf, int pass, int lineno) {
+	int items, len, regerr;
+	char *buf_p;
+	char *regex, *type, *context;
+	char *anchored_regex;
+	len = strlen(line_buf);
+	if (line_buf[len - 1] != '\n') {
+		myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
+		return 0;
+	}
+	line_buf[len - 1] = 0;
+	buf_p = line_buf;
+	while (isspace(*buf_p))
+		buf_p++;
+	/* Skip comment lines and empty lines. */
+	if (*buf_p == '#' || *buf_p == 0)
+		return 0;
+	items =
+		sscanf(line_buf, "%as %as %as", &regex, &type,
+		       &context);
+	if (items < 2) {
+		myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
+		return 0;
+	} else if (items == 2) {
+		/* The type field is optional. */
+		free(context);
+		context = type;
+		type = 0;
+	}
+	
+	if (pass == 1) {
+		/* On the second pass, compile and store the specification in spec. */
+		const char *reg_buf = regex;
+		char *cp;
+		spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
+		spec_arr[nspec].regex_str = regex;
+		
+		/* Anchor the regular expression. */
+		len = strlen(reg_buf);
+		cp = anchored_regex = malloc(len + 3);
+		if (!anchored_regex)
+			return -1;
+		/* Create ^...$ regexp.  */
+		*cp++ = '^';
+		cp = mempcpy(cp, reg_buf, len);
+		*cp++ = '$';
+		*cp = '\0';
+		
+		/* Compile the regular expression. */
+		regerr =
+			regcomp(&spec_arr[nspec].regex,
+				anchored_regex,
+				REG_EXTENDED | REG_NOSUB);
+		free(anchored_regex);
+		if (regerr < 0) {
+			myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
+			return 0;
+		}
+		
+		/* Convert the type string to a mode format */
+		spec_arr[nspec].type_str = type;
+		spec_arr[nspec].mode = 0;
+		if (!type)
+			goto skip_type;
+		len = strlen(type);
+		if (type[0] != '-' || len != 2) {
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		switch (type[1]) {
+		case 'b':
+			spec_arr[nspec].mode = S_IFBLK;
+			break;
+		case 'c':
+			spec_arr[nspec].mode = S_IFCHR;
+			break;
+		case 'd':
+			spec_arr[nspec].mode = S_IFDIR;
+			break;
+		case 'p':
+			spec_arr[nspec].mode = S_IFIFO;
+			break;
+		case 'l':
+			spec_arr[nspec].mode = S_IFLNK;
+			break;
+		case 's':
+			spec_arr[nspec].mode = S_IFSOCK;
+			break;
+		case '-':
+			spec_arr[nspec].mode = S_IFREG;
+			break;
+		default:
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		
+	skip_type:
+		
+		spec_arr[nspec].context = context;
+		
+		if (strcmp(context, "<<none>>")) {
+			if (security_check_context(context) < 0 && errno != ENOENT) {
+				myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
+				return 0;
+			}
+		}
+		
+		/* Determine if specification has 
+		 * any meta characters in the RE */
+		spec_hasMetaChars(&spec_arr[nspec]);
+	}
+	
+	nspec++;
+	if (pass == 0) {
+		free(regex);
+		if (type)
+			free(type);
+		free(context);
+	}
+	return 0;
+}
 static int matchpathcon_init(void)
 {
 	FILE *fp;
 	const char *path;
-	char line_buf[BUFSIZ + 1], *buf_p;
-	char *regex, *type, *context;
-	char *anchored_regex;
-	int items, len, lineno, pass, regerr, i, j;
+	FILE *localfp;
+	char local_path[PATH_MAX + 1];
+	char line_buf[BUFSIZ + 1];
+	int lineno, pass, i, j;
 	spec_t *spec_copy;
 
 	/* Open the specification file. */
@@ -223,6 +343,9 @@
 	if ((fp = fopen(path, "r")) == NULL)
 		return -1;
 
+	snprintf(local_path, sizeof(local_path), "%s.local", path);
+	localfp = fopen(local_path, "r");
+
 	/* 
 	 * Perform two passes over the specification file.
 	 * The first pass counts the number of specifications and
@@ -235,123 +358,15 @@
 		lineno = 0;
 		nspec = 0;
 		while (fgets_unlocked(line_buf, sizeof line_buf, fp)) {
-			lineno++;
-			len = strlen(line_buf);
-			if (line_buf[len - 1] != '\n') {
-				myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
-				continue;
-			}
-			line_buf[len - 1] = 0;
-			buf_p = line_buf;
-			while (isspace(*buf_p))
-				buf_p++;
-			/* Skip comment lines and empty lines. */
-			if (*buf_p == '#' || *buf_p == 0)
-				continue;
-			items =
-			    sscanf(line_buf, "%as %as %as", &regex, &type,
-				   &context);
-			if (items < 2) {
-				myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
-				continue;
-			} else if (items == 2) {
-				/* The type field is optional. */
-				free(context);
-				context = type;
-				type = 0;
-			}
-
-			if (pass == 1) {
-				/* On the second pass, compile and store the specification in spec. */
-				const char *reg_buf = regex;
-				char *cp;
-				spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
-				spec_arr[nspec].regex_str = regex;
-
-				/* Anchor the regular expression. */
-				len = strlen(reg_buf);
-				cp = anchored_regex = malloc(len + 3);
-				if (!anchored_regex)
+			if (process_line(path, line_buf, pass, ++lineno) != 0)
+				return -1;
+		}
+		if (localfp) 
+			while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) {
+				if (process_line(local_path, line_buf, pass, ++lineno) != 0)
 					return -1;
-				/* Create ^...$ regexp.  */
-				*cp++ = '^';
-				cp = mempcpy(cp, reg_buf, len);
-				*cp++ = '$';
-				*cp = '\0';
-
-				/* Compile the regular expression. */
-				regerr =
-				    regcomp(&spec_arr[nspec].regex,
-					    anchored_regex,
-					    REG_EXTENDED | REG_NOSUB);
-				free(anchored_regex);
-				if (regerr < 0) {
-					myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
-					continue;
-				}
-
-				/* Convert the type string to a mode format */
-				spec_arr[nspec].type_str = type;
-				spec_arr[nspec].mode = 0;
-				if (!type)
-					goto skip_type;
-				len = strlen(type);
-				if (type[0] != '-' || len != 2) {
-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
-					continue;
-				}
-				switch (type[1]) {
-				case 'b':
-					spec_arr[nspec].mode = S_IFBLK;
-					break;
-				case 'c':
-					spec_arr[nspec].mode = S_IFCHR;
-					break;
-				case 'd':
-					spec_arr[nspec].mode = S_IFDIR;
-					break;
-				case 'p':
-					spec_arr[nspec].mode = S_IFIFO;
-					break;
-				case 'l':
-					spec_arr[nspec].mode = S_IFLNK;
-					break;
-				case 's':
-					spec_arr[nspec].mode = S_IFSOCK;
-					break;
-				case '-':
-					spec_arr[nspec].mode = S_IFREG;
-					break;
-				default:
-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
-					continue;
-				}
-
-			      skip_type:
-
-				spec_arr[nspec].context = context;
-
-				if (strcmp(context, "<<none>>")) {
-					if (security_check_context(context) < 0 && errno != ENOENT) {
-						myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
-						continue;
-					}
-				}
-
-				/* Determine if specification has 
-				 * any meta characters in the RE */
-				spec_hasMetaChars(&spec_arr[nspec]);
 			}
 
-			nspec++;
-			if (pass == 0) {
-				free(regex);
-				if (type)
-					free(type);
-				free(context);
-			}
-		}
-
 		if (pass == 0) {
 			if (nspec == 0)
 				return 0;
@@ -360,9 +375,11 @@
 				return -1;
 			memset(spec_arr, '\0', sizeof(spec_t) * nspec);
 			rewind(fp);
+			if (localfp) rewind(localfp);
 		}
 	}
 	fclose(fp);
+	if (localfp) fclose(localfp);
 
 	/* Move exact pathname specifications to the end. */
 	spec_copy = malloc(sizeof(spec_t) * nspec);
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/selinux_config.c	2005-01-12 10:09:49.698145133 -0500
@@ -26,7 +26,8 @@
 #define BOOLEANS          7
 #define MEDIA_CONTEXTS    8
 #define REMOVABLE_CONTEXT 9
-#define NEL               10
+#define CUSTOMIZABLE_TYPES    10
+#define NEL               11
 
 /* New layout is relative to SELINUXDIR/policytype. */
 static char *file_paths[NEL];
@@ -211,6 +212,10 @@
   return get_path(MEDIA_CONTEXTS);
 }
 
+const char *selinux_customizable_types_path() {
+  return get_path(CUSTOMIZABLE_TYPES);
+}
+
 const char *selinux_contexts_path() {
   return get_path(CONTEXTS_DIR);
 }

Re: Added is_context_configurable function

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 748 bytes --]

On Wed, 2005-01-12 at 10:37, Daniel J Walsh wrote:
> Patched for libselinux.
> 
> This patch changes the previous to rename configurable_contexts to 
> customizable_paths.
> 
> Also modifies matchpathcon to process file_contexts.local
> 
> So if a user wants to change the config file of a server to a different 
> location they can
> do something like the following
> 
> sed 's|/var/www|/usr/local/www/g' 
> /etc/selinux/targeted/context/file_context > 
> /etc/selinux/targeted/context/file_context.local
> 
> And then restorecon -R -v /usr/local/www

Thanks, merged into sourceforge CVS as of libselinux version 1.21.1,
along with the modifications below relative to your patch.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: libselinux-fixes.patch --]
[-- Type: text/x-patch, Size: 3672 bytes --]

Index: libselinux/src/is_customizable_type.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/is_customizable_type.c,v
retrieving revision 1.1
diff -u -p -r1.1 is_customizable_type.c
--- libselinux/src/is_customizable_type.c	19 Jan 2005 16:09:40 -0000	1.1
+++ libselinux/src/is_customizable_type.c	19 Jan 2005 16:25:03 -0000
@@ -5,36 +5,40 @@
 #include <string.h>
 #include <ctype.h>
 #include <pwd.h>
-#include <selinux/selinux.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "context_internal.h"
 
 static int get_customizable_type_list (security_context_t **retlist)
 {
 	FILE *fp;
 	char buf[4097];
-	int ctr=0, i;
+	unsigned int ctr=0, i;
 	security_context_t *list=NULL;
 
 	fp = fopen(selinux_customizable_types_path(), "r");
 	if (!fp)
 		return -1;
 
-	while (fgets_unlocked(buf, 4096, fp)) {
+	while (fgets_unlocked(buf, 4096, fp) && ctr < UINT_MAX) {
 		ctr++;
 	}
 	rewind(fp);
 	if (ctr) {
-		list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);
+		list=(security_context_t *) calloc(sizeof(security_context_t), ctr+1);
 		if (list) {
 		  i=0;
-		  while (fgets_unlocked(buf, 4096, fp)) {
+		  while (fgets_unlocked(buf, 4096, fp) && i < ctr) {
 		    buf[strlen(buf)-1]=0;
-		    list[i++]=(security_context_t) strdup(buf);
-		    if (i>ctr) { 
-		      /* Should never happen */
+		    list[i]=(security_context_t) strdup(buf);
+		    if (!list[i]) {
+		      unsigned int j;
+		      for (j = 0; j < i; j++) free(list[j]);
 		      free(list);
 		      list=NULL;
 		      break;
 		    }
+		    i++;
 		  }
 		}
 	}
@@ -49,20 +53,31 @@ static security_context_t *customizable_
 
 int is_context_customizable (security_context_t scontext) {
   int i;
-  char *ptr;
+  const char *type;
+  context_t c;
+
   if (! customizable_list) {
     if (get_customizable_type_list(&customizable_list)!=0) 
       return -1;
   }
-  
-  ptr=strrchr(scontext, ':');
-  if (ptr) {
-	  ptr++;
-  } else {
-	  ptr=scontext;
+
+  c = context_new(scontext);
+  if (!c)
+	  return -1;
+
+  type = context_type_get(c);
+  if (!type) {
+	  context_free(c);
+	  return -1;
   }
+  
   for (i = 0; customizable_list[i]; i++) {
-    if (strcmp(customizable_list[i],ptr) == 0) return 1;
+	  if (strcmp(customizable_list[i],type) == 0) {
+		  context_free(c);
+		  return 1;
+	  }
   }
+  context_free(c);
   return 0;
 }
+
Index: libselinux/src/selinux_config.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/selinux_config.c,v
retrieving revision 1.11
diff -u -p -r1.11 selinux_config.c
--- libselinux/src/selinux_config.c	19 Jan 2005 16:09:40 -0000	1.11
+++ libselinux/src/selinux_config.c	19 Jan 2005 16:14:54 -0000
@@ -215,6 +215,7 @@ const char *selinux_media_context_path()
 const char *selinux_customizable_types_path() {
   return get_path(CUSTOMIZABLE_TYPES);
 }
+hidden_def(selinux_customizable_types_path)
 
 const char *selinux_contexts_path() {
   return get_path(CONTEXTS_DIR);
Index: libselinux/src/selinux_internal.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/selinux_internal.h,v
retrieving revision 1.2
diff -u -p -r1.2 selinux_internal.h
--- libselinux/src/selinux_internal.h	5 Oct 2004 20:31:50 -0000	1.2
+++ libselinux/src/selinux_internal.h	19 Jan 2005 16:12:17 -0000
@@ -20,3 +20,4 @@ hidden_proto(selinux_removable_context_p
 hidden_proto(selinux_file_context_path)
 hidden_proto(selinux_user_contexts_path)
 hidden_proto(selinux_booleans_path)
+hidden_proto(selinux_customizable_types_path)

Re: Added is_context_configurable function

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 121 bytes --]

Patch to policycoreutils so restorecon/setfiles can handle 
customizable_types.

Also fix a segfault in restorecon.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 6189 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.20.1/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2004-10-06 09:47:27.000000000 -0400
+++ policycoreutils-1.20.1/restorecon/restorecon.8	2005-01-12 09:34:55.756460549 -0500
@@ -7,7 +7,7 @@
 .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] [\-F]
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -38,6 +38,12 @@
 .B \-v
 show changes in file labels.
 .TP 
+.B \-vv
+show changes in file labels, if type, role, or user are changing.
+.TP 
+.B \-F
+Force reset of context to match file_context for customizable files
+.TP 
 .SH "ARGUMENTS"
 .B pathname...
 The pathname for the file(s) to be relabeled. 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.20.1/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2005-01-07 09:42:39.000000000 -0500
+++ policycoreutils-1.20.1/restorecon/restorecon.c	2005-01-12 09:34:55.758460325 -0500
@@ -13,6 +13,7 @@
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
  * -o filename save list of files with incorrect context
+ * -F	Force reset of context to match file_context for customizable files
  *
  * pathname...	The file(s) to label 
  *
@@ -41,13 +42,16 @@
 static FILE *outfile=NULL;
 static char *progname;
 static int errors=0;
-static int recurse;
+static int recurse=0;
+static int force=0;
 
 /* Compare two contexts to see if their differences are "significant",
  * or whether the only difference is in the user. */
 static int only_changed_user(const char *a, const char *b)
 {
 	char *rest_a, *rest_b; /* Rest of the context after the user */
+	if (!a || !b)
+		return 0;
 	rest_a = strchr(a, ':');
 	rest_b = strchr(b, ':');
 	if (!rest_a || !rest_b)
@@ -128,7 +132,10 @@
   retcontext=lgetfilecon(filename,&prev_context);
   
   if (retcontext >= 0 || errno == ENODATA) {
-    if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
+    int customizable=0;
+    if (retcontext < 0 || 
+	(strcmp(prev_context,scontext) != 0 && 	
+	 (customizable=(force ? 0: is_context_customizable(prev_context))==0))) {
       if (outfile) {
 	fprintf(outfile, "%s\n", filename);
       }
@@ -143,11 +150,16 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	  if (verbose > 1 || 
-	      !only_changed_user(scontext, prev_context)) 
-	      fprintf(stderr,"%s reset context %s:%s->%s\n",
-		      progname, filename, prev_context, scontext);
-    } 
+	      if (verbose && 
+		  (verbose > 1 || !only_changed_user(scontext, prev_context)))
+		      fprintf(stderr,"%s reset context %s:%s->%s\n",
+			      progname, filename, (retcontext >= 0 ? prev_context : ""), scontext);
+    }
+    if (verbose > 1 && customizable>0) {
+	    fprintf(stderr,"%s: %s not reset customized by admin to %s\n",
+		      progname, filename, prev_context);
+    }
+
     if (retcontext >= 0)
       freecon(prev_context);
   } 
@@ -197,7 +209,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -205,6 +217,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.20.1/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.20.1/setfiles/setfiles.8	2005-01-12 09:34:55.759460213 -0500
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] [\F] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -35,6 +35,9 @@
 .B \-e directory
 directory to exclude (repeat option for more than one directory.)
 .TP 
+.B \-F
+Force reset of context to match file_context for customizable files
+.TP 
 .B \-o filename
 save list of files with incorrect context in filename.
 .TP 
@@ -44,6 +47,7 @@
 .TP
 .B \-v
 show changes in file labels, if type or role are changing.
+.TP 
 .B \-vv
 show changes in file labels, if type, role, or user are changing.
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.20.1/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.20.1/setfiles/setfiles.c	2005-01-12 09:34:55.761459989 -0500
@@ -15,6 +15,7 @@
  * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
  * 
  * -e   Specify directory to exclude
+ * -F	Force reset of context to match file_context for customizable files
  * -c   Verify the specification file using a binary policy
  * -d   Show what specification matched each file.
  * -l   Log changes in files labels to syslog.
@@ -76,6 +77,7 @@
 
 static int add_assoc = 1;
 static FILE *outfile=NULL;
+static int force=0;
 
 #define MAX_EXCLUDES 100
 static int excludeCtr=0;
@@ -675,6 +677,15 @@
 		return 0;
 	}
 
+	if (! force && 
+	    ( is_context_customizable(context)>0 )) {
+		if (verbose > 1) {
+			fprintf(stderr,"%s: %s not reset customized by admin to %s\n",
+				progname, my_file, context);
+		}
+		return 0;
+	}
+
 	if (verbose) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
@@ -775,7 +786,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +848,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;

Re: Added is_context_configurable function

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 492 bytes --]

On Wed, 2005-01-12 at 10:39, Daniel J Walsh wrote:
> Patch to policycoreutils so restorecon/setfiles can handle 
> customizable_types.
> 
> Also fix a segfault in restorecon.

Thanks, merged into sourceforge CVS as of policycoreutils version
1.21.1, depends on libselinux 1.21.1, along with the modifications below
relative to your patch.  Note that setfiles and rpm still need to be
modified for file_contexts.local support.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

[-- Attachment #2: policycoreutils-fixes.patch --]
[-- Type: text/x-patch, Size: 764 bytes --]

Index: policycoreutils/restorecon/restorecon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
retrieving revision 1.19
diff -u -p -r1.19 restorecon.c
--- policycoreutils/restorecon/restorecon.c	19 Jan 2005 16:48:41 -0000	1.19
+++ policycoreutils/restorecon/restorecon.c	19 Jan 2005 17:23:20 -0000
@@ -135,7 +135,7 @@ int restore(char *filename) {
     int customizable=0;
     if (retcontext < 0 || 
 	(strcmp(prev_context,scontext) != 0 && 	
-	 (customizable=(force ? 0: is_context_customizable(prev_context))==0))) {
+	 !(customizable=(force ? 0: is_context_customizable(prev_context))))) {
       if (outfile) {
 	fprintf(outfile, "%s\n", filename);
       }

Re: Added is_context_configurable function

[Colin Walters]

On Wed, 2005-01-12 at 09:19 -0500, Stephen Smalley wrote:
> On Tue, 2005-01-11 at 17:10, Colin Walters wrote:
> > I've said this before, but I don't like the idea of having to edit
> > file_contexts whenever I want to change the labels.  I feel that the 
> > on-disk version should be canonical, and the file_contexts only used for
> > system initialization.
> 
> That is also my view.  However, if people are going to run setfiles or
> restorecon at runtime to check or set contexts (which is current
> practice in Fedora), then we do need a way to distinguish legitimate
> customizations from what are essentially bugs in the policy 

Right.

> Two questions:
> 1) Is it sufficient to identify legitimate customizations based solely
> on the TE type of the file?  

Actually, thinking about this a bit: probably not.  On my system I have
several times changed the SELinux user identity component of file
contexts from the default system_u to e.g. foo_u.  The reason is that
the constraints prevent a user from relabeling a file unless the SELinux
user matches.  So a list of alternate types would not be sufficient in
this case.

> If not, what other information should be
> taken into account, irrespective of whether this is done via
> file_contexts or via a different config file?

It seems the SELinux uid, for one.  Also perhaps whether or not the
pathname is part of the standard filesystem.  There seems to me to be a
difference between a very well known file such as /etc/shadow being
mislabeled according to file_contexts versus an unknown path such
as /apps/web/blah.

> 2) Is it feasible for the policy writer to identify all such TE types a
> priori in the policy without covering such a large set as to make
> setfiles/restorecon completely useless by default?

My intuition is yes.  I think there's a clear difference between types
such as httpd_staff_script_ro_t and dhcpd_var_run_t.  The latter is very
much like an implementation detail, something sysadmins generally should
never have to change.  Dan identified a reasonable starting set in his
initial patch.

>  If not, what
> mechanism will be provided to allow users/admins to easily mark
> additional types without conflicting with future policy updates?

Hmm.  This seems to me to be another instance of the whole general
problem of maintaining a policy source delta.  Right now we essentially
don't support it.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Stephen Smalley]

On Wed, 2005-01-12 at 10:48, Colin Walters wrote:
> Actually, thinking about this a bit: probably not.  On my system I have
> several times changed the SELinux user identity component of file
> contexts from the default system_u to e.g. foo_u.  The reason is that
> the constraints prevent a user from relabeling a file unless the SELinux
> user matches.  So a list of alternate types would not be sufficient in
> this case.
<snip>
> It seems the SELinux uid, for one.  Also perhaps whether or not the
> pathname is part of the standard filesystem.  There seems to me to be a
> difference between a very well known file such as /etc/shadow being
> mislabeled according to file_contexts versus an unknown path such
> as /apps/web/blah.

Ok, so I take this to mean that I should await a new patchset from Dan
that supports this more general way of specifying customizable contexts
based on a combination of type, user identity, and file location.  Yes?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Colin Walters]

On Wed, 2005-01-12 at 17:09 -0500, Stephen Smalley wrote:
> On Wed, 2005-01-12 at 10:48, Colin Walters wrote:
> > Actually, thinking about this a bit: probably not.  On my system I have
> > several times changed the SELinux user identity component of file
> > contexts from the default system_u to e.g. foo_u.  The reason is that
> > the constraints prevent a user from relabeling a file unless the SELinux
> > user matches.  So a list of alternate types would not be sufficient in
> > this case.
> <snip>
> > It seems the SELinux uid, for one.  Also perhaps whether or not the
> > pathname is part of the standard filesystem.  There seems to me to be a
> > difference between a very well known file such as /etc/shadow being
> > mislabeled according to file_contexts versus an unknown path such
> > as /apps/web/blah.
> 
> Ok, so I take this to mean that I should await a new patchset from Dan
> that supports this more general way of specifying customizable contexts
> based on a combination of type, user identity, and file location.  Yes?

This is a complex issue, given we've been going back and forth on this
for months now, with several proposed patches.  The last time this came
up in October, you posted a good message:

http://marc.theaimsgroup.com/?l=selinux&m=109872521815476&w=2

You say:

> The file_contexts configuration and setfiles were only intended to
> initialize the system, as previously noted.  After installation, one
> should only do a make relabel upon a major policy upgrade, and even in
> that case, it would be better to selectively relabel based on the
> differences between the policies.

And I couldn't agree more.  If we can get to the point where we never
(and I really mean never!) tell users to run "fixfiles relabel", I think
a lot of these problems would essentially just go away.   I brainstormed
a bit in another message in this thread about how we can avoid it for
policy upgrades, which I believe is the major cause.  I'll follow up to
that in a bit.

Let's assume for now that we've successfully gotten rid of fixfiles (at
least from the user's perspective; it may exist as an implementation
detail).  At that point, what problems remain?  The problem of user-
customizable types like httpd_sys_script_ro_t in well-known areas such
as /var/www being reset to httpd_sys_content_t goes away, because there
is nothing to reset them.  The problem of user-defined locations such
as /web/mysite1 with type httpd_sys_content_t being reset to default_t
goes away as well.  Are there any other problems?




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Colin Walters wrote:

>On Wed, 2005-01-12 at 17:09 -0500, Stephen Smalley wrote:
>  
>
>>On Wed, 2005-01-12 at 10:48, Colin Walters wrote:
>>    
>>
>>>Actually, thinking about this a bit: probably not.  On my system I have
>>>several times changed the SELinux user identity component of file
>>>contexts from the default system_u to e.g. foo_u.  The reason is that
>>>the constraints prevent a user from relabeling a file unless the SELinux
>>>user matches.  So a list of alternate types would not be sufficient in
>>>this case.
>>>      
>>>
>><snip>
>>    
>>
>>>It seems the SELinux uid, for one.  Also perhaps whether or not the
>>>pathname is part of the standard filesystem.  There seems to me to be a
>>>difference between a very well known file such as /etc/shadow being
>>>mislabeled according to file_contexts versus an unknown path such
>>>as /apps/web/blah.
>>>      
>>>
>>Ok, so I take this to mean that I should await a new patchset from Dan
>>that supports this more general way of specifying customizable contexts
>>based on a combination of type, user identity, and file location.  Yes?
>>    
>>
>
>This is a complex issue, given we've been going back and forth on this
>for months now, with several proposed patches.  The last time this came
>up in October, you posted a good message:
>
>http://marc.theaimsgroup.com/?l=selinux&m=109872521815476&w=2
>
>You say:
>
>  
>
>>The file_contexts configuration and setfiles were only intended to
>>initialize the system, as previously noted.  After installation, one
>>should only do a make relabel upon a major policy upgrade, and even in
>>that case, it would be better to selectively relabel based on the
>>differences between the policies.
>>    
>>
>
>And I couldn't agree more.  If we can get to the point where we never
>(and I really mean never!) tell users to run "fixfiles relabel", I think
>a lot of these problems would essentially just go away.   I brainstormed
>a bit in another message in this thread about how we can avoid it for
>policy upgrades, which I believe is the major cause.  I'll follow up to
>that in a bit.
>
>Let's assume for now that we've successfully gotten rid of fixfiles (at
>least from the user's perspective; it may exist as an implementation
>detail).  At that point, what problems remain?  The problem of user-
>customizable types like httpd_sys_script_ro_t in well-known areas such
>as /var/www being reset to httpd_sys_content_t goes away, because there
>is nothing to reset them.  The problem of user-defined locations such
>as /web/mysite1 with type httpd_sys_content_t being reset to default_t
>goes away as well.  Are there any other problems?
>
>
>
>  
>
You loose the ability to do something like fixfiles.cron.  I removed it 
because it was bringing
back too many false positives, and some people complained that they do 
not trust that the file
contexts aren't being modified.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Colin Walters]

On Thu, 2005-01-13 at 09:55 -0500, Daniel J Walsh wrote:

> You loose the ability to do something like fixfiles.cron.  I removed it 
> because it was bringing
> back too many false positives, and some people complained that they do 
> not trust that the file
> contexts aren't being modified.

Okay; are you saying you want to bring it back?  I don't see anything
inherently wrong with simply warning on contexts that differ from the
expected, particularly if we limit it to well-known critical directories
such as /etc.  What does seem wrong is relabeling all known files any
time we encounter a labeling issue. 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Colin Walters wrote:

>On Thu, 2005-01-13 at 09:55 -0500, Daniel J Walsh wrote:
>
>  
>
>>You loose the ability to do something like fixfiles.cron.  I removed it 
>>because it was bringing
>>back too many false positives, and some people complained that they do 
>>not trust that the file
>>contexts aren't being modified.
>>    
>>
>
>Okay; are you saying you want to bring it back?  I don't see anything
>inherently wrong with simply warning on contexts that differ from the
>expected, particularly if we limit it to well-known critical directories
>such as /etc.  What does seem wrong is relabeling all known files any
>time we encounter a labeling issue. 
>
>
>  
>
Yes, I would like to bring back something to tell me the policy is 
working correctly.  Right now
I don't think we have a great understanding of how the file context are 
being labeled.  IE What
relabels /etc/mtab to etc_t instead of etc_runtime_t? 

I agree the fixfiles relabel has got to go.  But most of the problems we 
are seeing of relabel are either
yum upgrade blew away shlib_t or policy was broken and an update would 
fix it but you need to relabel
/var/lib/mysql ...

Hopefully policy will eventually stabelize and we can find the yum 
upgrade problem.  Then the fixfiles.cron
type application could reveal potential security vulnerabilities.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Daniel J Walsh]

Stephen Smalley wrote:

>On Wed, 2005-01-12 at 10:48, Colin Walters wrote:
>  
>
>>Actually, thinking about this a bit: probably not.  On my system I have
>>several times changed the SELinux user identity component of file
>>contexts from the default system_u to e.g. foo_u.  The reason is that
>>the constraints prevent a user from relabeling a file unless the SELinux
>>user matches.  So a list of alternate types would not be sufficient in
>>this case.
>>    
>>
><snip>
>  
>
>>It seems the SELinux uid, for one.  Also perhaps whether or not the
>>pathname is part of the standard filesystem.  There seems to me to be a
>>difference between a very well known file such as /etc/shadow being
>>mislabeled according to file_contexts versus an unknown path such
>>as /apps/web/blah.
>>    
>>
>
>Ok, so I take this to mean that I should await a new patchset from Dan
>that supports this more general way of specifying customizable contexts
>based on a combination of type, user identity, and file location.  Yes?
>
>  
>
No.  I gave a patch to handle user customizable file_context 
(file_context.local)  which will sort of do this.
Restorecon/setfiles currently modify the user section of the 
file_context which should stop unless you specify a -F
this would preserve the functionality that Colin wants.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Luke Kenneth Casson Leighton]

On Wed, Jan 12, 2005 at 09:19:15AM -0500, Stephen Smalley wrote:
> On Tue, 2005-01-11 at 17:10, Colin Walters wrote:
> > I've said this before, but I don't like the idea of having to edit
> > file_contexts whenever I want to change the labels.  I feel that the 
> > on-disk version should be canonical, and the file_contexts only used for
> > system initialization.
> 
> That is also my view.  However, if people are going to run setfiles or
> restorecon at runtime to check or set contexts (which is current
> practice in Fedora), then we do need a way to distinguish legitimate
> customizations 

 ... so there _is_ actually a genuine requirement to minimise the
 number of changes to policy files?

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Added is_context_configurable function

[Colin Walters]

On Wed, 2005-01-12 at 18:19 +0000, Luke Kenneth Casson Leighton wrote:
> On Wed, Jan 12, 2005 at 09:19:15AM -0500, Stephen Smalley wrote:
> > On Tue, 2005-01-11 at 17:10, Colin Walters wrote:
> > > I've said this before, but I don't like the idea of having to edit
> > > file_contexts whenever I want to change the labels.  I feel that the 
> > > on-disk version should be canonical, and the file_contexts only used for
> > > system initialization.
> > 
> > That is also my view.  However, if people are going to run setfiles or
> > restorecon at runtime to check or set contexts (which is current
> > practice in Fedora), then we do need a way to distinguish legitimate
> > customizations 
> 
>  ... so there _is_ actually a genuine requirement to minimise the
>  number of changes to policy files?

There is certainly a desire to do so, particularly for the targeted
policy that Fedora ships by default.  We're trying to get common
configuration changes (e.g. named writing zone files, using ypbind,
httpd reading homedirs) mapped into booleans, so there's no need for
administrators to install the policy source and rebuild.  This makes
management a lot easier.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.