Busted by constraints.

Busted by constraints.

[Daniel J Walsh]

Auditing of constraint failures sucks.  We are putting out incorrect 
error messages.  Or at least not informative enough to help the 
user/policy writer to figure out what is wrong.

Yesterday,  Another engineer and I spent a lot of time trying to figure 
out why setfscreatecon was failing.  The only indication was the the
application was not allowed to created a directory.  Of course the allow 
rule was present in the policy.  Eventually we figured out we needed
the privowner priv to get by a constraint.    Shouldn't the kernel be 
reporting a constraint failure.  Isn't this going to become a lot more
important with MLS?

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Thu, 2005-05-12 at 10:32 -0400, Daniel J Walsh wrote:
> Auditing of constraint failures sucks.  We are putting out incorrect 
> error messages.  Or at least not informative enough to help the 
> user/policy writer to figure out what is wrong.
> 
> Yesterday,  Another engineer and I spent a lot of time trying to figure 
> out why setfscreatecon was failing.  The only indication was the the
> application was not allowed to created a directory.  Of course the allow 
> rule was present in the policy.  Eventually we figured out we needed
> the privowner priv to get by a constraint.    Shouldn't the kernel be 
> reporting a constraint failure.  Isn't this going to become a lot more
> important with MLS?

The AVC just sees that a given permission was denied, not what component
of the policy engine denied it.  See "Flask architecture", "policy-
flexibility", ...

But nothing prevents you from creating a simple tool linked against
libsepol that takes an avc denial and determines which part of the
policy caused it.  I'd expect that to be part of an audit analysis tool
like seaudit, not a change to the kernel.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2005-05-12 at 10:32 -0400, Daniel J Walsh wrote:
>  
>
>>Auditing of constraint failures sucks.  We are putting out incorrect 
>>error messages.  Or at least not informative enough to help the 
>>user/policy writer to figure out what is wrong.
>>
>>Yesterday,  Another engineer and I spent a lot of time trying to figure 
>>out why setfscreatecon was failing.  The only indication was the the
>>application was not allowed to created a directory.  Of course the allow 
>>rule was present in the policy.  Eventually we figured out we needed
>>the privowner priv to get by a constraint.    Shouldn't the kernel be 
>>reporting a constraint failure.  Isn't this going to become a lot more
>>important with MLS?
>>    
>>
>
>The AVC just sees that a given permission was denied, not what component
>of the policy engine denied it.  See "Flask architecture", "policy-
>flexibility", ...
>
>But nothing prevents you from creating a simple tool linked against
>libsepol that takes an avc denial and determines which part of the
>policy caused it.  I'd expect that to be part of an audit analysis tool
>like seaudit, not a change to the kernel.
>
>  
>
Well I would have no idea how to do it, but it is going to be 
increasingly needed
as constraints grow.

Something to tell me the failure is caused by a missing role or 
constraint would be great.
audit2why :^)
Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 1169 bytes --]

On Thu, 2005-05-12 at 10:46 -0400, Daniel J Walsh wrote:
> Well I would have no idea how to do it, but it is going to be 
> increasingly needed
> as constraints grow.
> 
> Something to tell me the failure is caused by a missing role or 
> constraint would be great.
> audit2why :^)

Ok, just committed the two attached patches for libsepol and
policycoreutils to introduce an audit2why utility.  A sample of the
output of audit2why is below from running:
$ /usr/sbin/audit2why < /var/log/audit/audit.log

type=KERNEL msg=audit(1115316525.803:399552): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
	Was caused by:
		Missing TE allow rule for the type pair (use audit2allow).

type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
	Was caused by:
		Constraint violation (add type attribute to domain to satisfy constraints or alter constraint).

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: Type: text/x-patch, Size: 5583 bytes --]

Index: selinux-usr/libsepol/ChangeLog
diff -u selinux-usr/libsepol/ChangeLog:1.27 selinux-usr/libsepol/ChangeLog:1.28
--- selinux-usr/libsepol/ChangeLog:1.27	Mon Apr 25 15:55:29 2005
+++ selinux-usr/libsepol/ChangeLog	Fri May 13 10:40:56 2005
@@ -1,3 +1,6 @@
+1.5.7 2005-05-13
+	* Added sepol_compute_av_reason() for audit2why.
+
 1.5.6 2005-04-25
 	* Fixed bug in role hierarchy checker.
 
Index: selinux-usr/libsepol/VERSION
diff -u selinux-usr/libsepol/VERSION:1.22 selinux-usr/libsepol/VERSION:1.23
--- selinux-usr/libsepol/VERSION:1.22	Mon Apr 25 15:55:29 2005
+++ selinux-usr/libsepol/VERSION	Fri May 13 10:40:56 2005
@@ -1 +1 @@
-1.5.6
+1.5.7
Index: selinux-usr/libsepol/libsepol.spec
diff -u selinux-usr/libsepol/libsepol.spec:1.24 selinux-usr/libsepol/libsepol.spec:1.25
--- selinux-usr/libsepol/libsepol.spec:1.24	Mon Apr 25 15:55:29 2005
+++ selinux-usr/libsepol/libsepol.spec	Fri May 13 10:40:56 2005
@@ -1,6 +1,6 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 1.5.6
+Version: 1.5.7
 Release: 1
 License: GPL
 Group: System Environment/Libraries
Index: selinux-usr/libsepol/include/sepol/services.h
diff -u selinux-usr/libsepol/include/sepol/services.h:1.3 selinux-usr/libsepol/include/sepol/services.h:1.4
--- selinux-usr/libsepol/include/sepol/services.h:1.3	Wed Aug 11 09:34:16 2004
+++ selinux-usr/libsepol/include/sepol/services.h	Fri May 13 10:40:57 2005
@@ -40,6 +40,18 @@
 	access_vector_t requested,		/* IN */
 	struct av_decision *avd);               /* OUT */
 
+/* Same as above, but also return the reason(s) for any
+   denials of the requested permissions. */
+#define SEPOL_COMPUTEAV_TE   1
+#define SEPOL_COMPUTEAV_CONS 2
+#define SEPOL_COMPUTEAV_RBAC 4
+int sepol_compute_av_reason(security_id_t ssid,
+			    security_id_t tsid,
+			    security_class_t tclass,
+			    access_vector_t requested,
+			    struct av_decision *avd,
+			    unsigned int *reason);
+
 /*
  * Compute a SID to use for labeling a new object in the 
  * class `tclass' based on a SID pair.  
Index: selinux-usr/libsepol/src/services.c
diff -u selinux-usr/libsepol/src/services.c:1.10 selinux-usr/libsepol/src/services.c:1.11
--- selinux-usr/libsepol/src/services.c:1.10	Thu Feb 17 09:59:27 2005
+++ selinux-usr/libsepol/src/services.c	Fri May 13 10:40:59 2005
@@ -73,7 +73,7 @@
 		return -1;
 	}
 	policydb = &mypolicydb;
-	return 0;
+	return sepol_sidtab_init(sidtab);
 }
 
 
@@ -278,8 +278,9 @@
 static int context_struct_compute_av(context_struct_t *scontext,
 				     context_struct_t *tcontext,
 				     security_class_t tclass,
-				     access_vector_t requested __attribute__ ((unused)),
-				     struct av_decision *avd)
+				     access_vector_t requested,
+				     struct av_decision *avd,
+				     unsigned int *reason)
 {
 	constraint_node_t *constraint;
 	struct role_allow *ra;
@@ -302,6 +303,7 @@
 	avd->auditallow = 0;
 	avd->auditdeny = 0xffffffff;
 	avd->seqno = latest_granting;
+	*reason = 0;
 
 	/*
 	 * If a specific type enforcement rule was defined for
@@ -319,10 +321,15 @@
 		if (avdatum->specified & AVTAB_AUDITALLOW)
 			avd->auditallow = avtab_auditallow(avdatum);
 	}
-	
+
 	/* Check conditional av table for additional permissions */
 	cond_compute_av(&policydb->te_cond_avtab, &avkey, avd);
 
+	if (requested & ~avd->allowed) {
+		*reason |= SEPOL_COMPUTEAV_TE;
+		requested &= avd->allowed;
+	}
+	
 	/* 
 	 * Remove any permissions prohibited by a constraint (this includes
 	 * the MLS policy).
@@ -337,6 +344,11 @@
 		constraint = constraint->next;
 	}
 
+	if (requested & ~avd->allowed) {
+		*reason |= SEPOL_COMPUTEAV_CONS;
+		requested &= avd->allowed;
+	}
+
 	/* 
 	 * If checking process transition permission and the
 	 * role is changing, then check the (current_role, new_role) 
@@ -353,7 +365,12 @@
 		if (!ra)
 			avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
 			                                PROCESS__DYNTRANSITION);
-	}	
+	}
+
+	if (requested & ~avd->allowed) {
+		*reason |= SEPOL_COMPUTEAV_RBAC;
+		requested &= avd->allowed;
+	}
 
 	return 0;
 }
@@ -407,11 +424,12 @@
 	return 0;
 }
 
-int sepol_compute_av(security_id_t ssid,
-			security_id_t tsid,
-			security_class_t tclass,
-			access_vector_t requested,
-			struct av_decision *avd)
+int sepol_compute_av_reason(security_id_t ssid,
+			    security_id_t tsid,
+			    security_class_t tclass,
+			    access_vector_t requested,
+			    struct av_decision *avd,
+			    unsigned int *reason)
 {
 	context_struct_t *scontext = 0, *tcontext = 0;
 	int rc = 0;
@@ -430,11 +448,20 @@
 	}
 
 	rc = context_struct_compute_av(scontext, tcontext, tclass, 
-				       requested, avd);
+				       requested, avd, reason);
 out:
 	return rc;
 }
 
+int sepol_compute_av(security_id_t ssid,
+		     security_id_t tsid,
+		     security_class_t tclass,
+		     access_vector_t requested,
+		     struct av_decision *avd)
+{
+	unsigned int reason = 0;
+	return sepol_compute_av_reason(ssid, tsid, tclass, requested, avd, &reason);
+}
 
 /*
  * Write the security context string representation of 
@@ -1302,7 +1329,7 @@
 	role_datum_t *role;
 	struct av_decision avd;
 	int rc = 0;
-	unsigned int i, j;
+	unsigned int i, j, reason;
 
 	fromcon = sepol_sidtab_search(sidtab, fromsid);
 	if (!fromcon) {
@@ -1343,7 +1370,7 @@
 			rc = context_struct_compute_av(fromcon, &usercon, 
 						       SECCLASS_PROCESS,
 						       PROCESS__TRANSITION, 
-						       &avd);
+						       &avd, &reason);
 			if (rc ||  !(avd.allowed & PROCESS__TRANSITION)) 
 				continue;
 			rc = sepol_sidtab_context_to_sid(sidtab, &usercon, &sid);

[-- Attachment #3: policycoreutils-audit2why.patch --]
[-- Type: text/x-patch, Size: 9868 bytes --]

Index: selinux-usr/policycoreutils/ChangeLog
diff -u selinux-usr/policycoreutils/ChangeLog:1.112 selinux-usr/policycoreutils/ChangeLog:1.113
--- selinux-usr/policycoreutils/ChangeLog:1.112	Fri Apr 29 11:26:54 2005
+++ selinux-usr/policycoreutils/ChangeLog	Fri May 13 10:42:19 2005
@@ -1,3 +1,6 @@
+1.23.8 2005-05-13
+	* Added audit2why utility.
+
 1.23.7 2005-04-29
 	* Merged patch for fixfiles from Dan Walsh.
 	  Allow passing -F to force reset of customizable contexts.
Index: selinux-usr/policycoreutils/Makefile
diff -u selinux-usr/policycoreutils/Makefile:1.6 selinux-usr/policycoreutils/Makefile:1.7
--- selinux-usr/policycoreutils/Makefile:1.6	Wed Mar 31 16:07:41 2004
+++ selinux-usr/policycoreutils/Makefile	Fri May 13 10:42:19 2005
@@ -1,4 +1,4 @@
-SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow scripts po  sestatus
+SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow audit2why scripts po  sestatus
 
 all install relabel clean: 
 	@for subdir in $(SUBDIRS); do \
Index: selinux-usr/policycoreutils/VERSION
diff -u selinux-usr/policycoreutils/VERSION:1.51 selinux-usr/policycoreutils/VERSION:1.52
--- selinux-usr/policycoreutils/VERSION:1.51	Fri Apr 29 11:26:54 2005
+++ selinux-usr/policycoreutils/VERSION	Fri May 13 10:42:19 2005
@@ -1 +1 @@
-1.23.7
+1.23.8
Index: selinux-usr/policycoreutils/policycoreutils.spec
diff -u selinux-usr/policycoreutils/policycoreutils.spec:1.74 selinux-usr/policycoreutils/policycoreutils.spec:1.75
--- selinux-usr/policycoreutils/policycoreutils.spec:1.74	Fri Apr 29 11:26:54 2005
+++ selinux-usr/policycoreutils/policycoreutils.spec	Fri May 13 10:42:19 2005
@@ -1,6 +1,6 @@
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.23.7
+Version: 1.23.8
 Release: 1
 License: GPL
 Group: System Environment/Base
@@ -68,6 +68,7 @@
 %{_sbindir}/load_policy
 %{_bindir}/newrole
 %{_bindir}/audit2allow
+%{_sbindir}/audit2why
 %{_mandir}/man1/newrole.1.gz
 %{_mandir}/man1/audit2allow.1.gz
 %config %{_sysconfdir}/pam.d/newrole
Index: selinux-usr/policycoreutils/audit2why/Makefile
diff -u /dev/null selinux-usr/policycoreutils/audit2why/Makefile:1.1
--- /dev/null	Fri May 13 10:52:35 2005
+++ selinux-usr/policycoreutils/audit2why/Makefile	Fri May 13 10:42:21 2005
@@ -0,0 +1,24 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+BINDIR ?= $(PREFIX)/sbin
+LIBDIR ?= ${PREFIX}/lib
+MANDIR ?= $(PREFIX)/share/man
+LOCALEDIR ?= /usr/share/locale
+
+
+CFLAGS = -Werror
+override CFLAGS += -Wall -W
+LDLIBS += ${LIBDIR}/libsepol.a -lselinux
+
+TARGETS=audit2why
+
+all: $(TARGETS)
+
+install: all
+	-mkdir -p $(BINDIR)
+	install -m 755 $(TARGETS) $(SBINDIR)
+
+clean:
+	rm -f $(TARGETS) *.o
+
+relabel:
Index: selinux-usr/policycoreutils/audit2why/audit2why.c
diff -u /dev/null selinux-usr/policycoreutils/audit2why/audit2why.c:1.1
--- /dev/null	Fri May 13 10:52:35 2005
+++ selinux-usr/policycoreutils/audit2why/audit2why.c	Fri May 13 10:42:21 2005
@@ -0,0 +1,239 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+#include <getopt.h>
+#include <limits.h>
+#include <sepol/sepol.h>
+#include <sepol/services.h>
+
+#define AVCPREFIX "avc:  denied  { "
+#define SCONTEXT "scontext="
+#define TCONTEXT "tcontext="
+#define TCLASS "tclass="
+
+/* Copied from selinux/selinux.h.
+   Should be replaced with #include <selinux/selinux.h>,
+   but first requires elimination of namespace collisions
+   between libselinux and libsepol. */
+extern const char *selinux_binary_policy_path(void);
+extern security_class_t string_to_security_class(const char *name);
+extern access_vector_t string_to_av_perm(security_class_t tclass, const char *name);
+extern int security_policyvers(void);
+extern int is_selinux_enabled(void);
+
+void usage(char *progname, int rc) 
+{
+ 	fprintf(stderr, "usage:  %s [-p policy] < /var/log/audit/audit.log\n", progname);
+	exit(rc);
+}
+
+int main(int argc, char **argv) 
+{
+	char path[PATH_MAX];
+	char *buffer = NULL, *bufcopy = NULL;
+	unsigned int lineno = 0;
+	size_t len = 0, bufcopy_len = 0;
+	FILE *fp;
+	int opt, rc, set_path = 0;
+	char *p, *scon, *tcon, *tclassstr, *permstr;
+	security_id_t ssid, tsid;
+	security_class_t tclass;
+	access_vector_t perm, av;
+	struct av_decision avd;
+	unsigned int reason;
+	int vers = 0;
+
+	while ((opt = getopt(argc, argv, "p:?h")) > 0) {
+		switch (opt) {
+		case 'p':
+			set_path = 1;
+			strncpy(path, optarg, PATH_MAX);
+			fp = fopen(path, "r");
+			if (!fp) {
+				fprintf(stderr, "%s:  unable to open %s:  %s\n",
+					argv[0], path, strerror(errno));
+				exit(1);
+			}
+			break;
+		default:
+			usage(argv[0], 0);
+		}
+	}
+
+	if (argc - optind)
+		usage(argv[0], 1);
+
+	if (!set_path) {
+		if (!is_selinux_enabled()) {
+			fprintf(stderr, "%s:  Must specify -p policy on non-SELinux systems\n", argv[0]);
+			exit(1);
+		}
+		vers = security_policyvers();
+		snprintf(path, PATH_MAX, "%s.%d", 
+			 selinux_binary_policy_path(), vers);
+		fp = fopen(path, "r");
+		while (!fp && errno == ENOENT && --vers) {
+			snprintf(path, PATH_MAX, "%s.%d", 
+				 selinux_binary_policy_path(), vers);
+			fp = fopen(path, "r");
+		}
+		if (!fp) {
+			snprintf(path, PATH_MAX, "%s.%d", 
+				 selinux_binary_policy_path(), security_policyvers());
+			fprintf(stderr, "%s:  unable to open %s:  %s\n",
+				argv[0], path, strerror(errno));
+			exit(1);
+		}
+	}
+
+	rc = sepol_set_policydb_from_file(fp);
+	if (rc < 0) {
+		fprintf(stderr, "%s:  unable to load policy from %s:  %s\n",
+			argv[0], path, strerror(errno));
+		exit(1);
+	}
+	fclose(fp);
+	
+	while (getline(&buffer, &len, stdin) > 0) {
+		size_t len2 = strlen(buffer);
+
+		if (buffer[len2-1] == '\n') 
+			buffer[len2-1] = 0;
+		lineno++;
+
+		p = buffer;
+		while (*p && strncmp(p, AVCPREFIX, sizeof(AVCPREFIX) - 1))
+			p++;
+		if (!(*p))
+			continue; /* not an avc denial */
+
+		p += sizeof(AVCPREFIX) - 1;
+
+		/* Save a copy of the original unmodified buffer. */
+		if (!bufcopy) {
+			/* Initial allocation */
+			bufcopy_len = len;
+			bufcopy = malloc(len);
+		} else if (bufcopy_len < len) {
+			/* Grow */
+			bufcopy_len = len;
+			bufcopy = realloc(bufcopy, len);
+		}
+		if (!bufcopy) {
+			fprintf(stderr, "%s:  OOM on buffer copy\n", argv[0]);
+			exit(2);
+		}
+		memcpy(bufcopy, buffer, len);
+
+		/* Remember where the permission list begins,
+		   and terminate the list. */
+		permstr = p;
+		while (*p && *p != '}') 
+			p++;
+		if (!(*p)) {
+			fprintf(stderr, "Missing closing bracket on line %u, skipping...\n", lineno);
+			continue;
+		}
+		*p++ = 0;
+
+		/* Get scontext and convert to SID. */
+		while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT)-1))
+			p++;
+		if (!(*p)) {
+			fprintf(stderr, "Missing %s on line %u, skipping...\n", SCONTEXT, lineno);
+			continue;
+		}
+		p += sizeof(SCONTEXT) - 1;
+		scon = p;
+		while (*p && !isspace(*p))
+			p++;
+		if (*p)
+			*p++ = 0;
+		rc = sepol_context_to_sid(scon, strlen(scon)+1, &ssid);
+		if (rc < 0) {
+			fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", SCONTEXT, scon, lineno);
+			continue;
+		}
+
+		/* Get tcontext and convert to SID. */
+		while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT)-1))
+			p++;
+		if (!(*p)) {
+			fprintf(stderr, "Missing %s on line %u, skipping...\n", TCONTEXT, lineno);
+			continue;
+		}
+		p += sizeof(TCONTEXT) - 1;
+		tcon = p;
+		while (*p && !isspace(*p))
+			p++;
+		if (*p)
+			*p++ = 0;
+		rc = sepol_context_to_sid(tcon, strlen(tcon)+1, &tsid);
+		if (rc < 0) {
+			fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", TCONTEXT, tcon, lineno);
+			continue;
+		}
+
+		/* Get tclass= and convert to value. */
+		while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
+			p++;
+		if (!(*p)) {
+			fprintf(stderr, "Missing %s on line %u, skipping...\n", TCLASS, lineno);
+			continue;
+		}
+		p += sizeof(TCLASS) - 1;
+		tclassstr = p;
+		while (*p && !isspace(*p))
+			p++;
+		if (*p)
+			*p = 0;
+		tclass = string_to_security_class(tclassstr);
+		if (!tclass) {
+			fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", TCLASS, tclassstr, lineno);
+			continue;
+		}
+
+		/* Convert the permission list to an AV. */
+		p = permstr;
+		av = 0;
+		while (*p) {
+			while (*p && !isspace(*p))
+				p++;
+			if (*p)
+				*p++ = 0;
+			perm = string_to_av_perm(tclass, permstr);
+			if (!perm) {
+				fprintf(stderr, "Invalid permission %s on line %u, skipping...\n", permstr, lineno);
+				continue;
+			}
+			av |= perm;
+			permstr = p;
+		}
+
+		/* Reproduce the computation. */
+		rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd,
+					     &reason);
+		if (rc < 0) {
+			fprintf(stderr, "Error during access vector computation on line %u, skipping...\n", lineno);
+			continue;
+		}
+
+		if (!reason)
+			continue; /* Denial would not occur under specified policy. */
+
+		printf("%s\n\tWas caused by:\n", bufcopy);
+		if (reason & SEPOL_COMPUTEAV_TE)
+			printf("\t\tMissing TE allow rule for the type pair (use audit2allow).\n");
+		if (reason & SEPOL_COMPUTEAV_CONS)
+			printf("\t\tConstraint violation (add type attribute to domain to satisfy constraints or alter constraint).\n");
+		if (reason & SEPOL_COMPUTEAV_RBAC)
+			printf("\t\tMissing role allow rule for the role pair (add role allow rule).\n");
+		printf("\n");
+	}
+	free(buffer);
+	free(bufcopy);
+	exit(0);
+}
Index: selinux-usr/policycoreutils/load_policy/Makefile
diff -u selinux-usr/policycoreutils/load_policy/Makefile:1.13 selinux-usr/policycoreutils/load_policy/Makefile:1.14
--- selinux-usr/policycoreutils/load_policy/Makefile:1.13	Tue Feb 22 11:07:51 2005
+++ selinux-usr/policycoreutils/load_policy/Makefile	Fri May 13 10:42:23 2005
@@ -2,6 +2,7 @@
 PREFIX ?= ${DESTDIR}/usr
 SBINDIR ?= $(PREFIX)/sbin
 MANDIR ?= $(PREFIX)/share/man
+LIBDIR ?= ${PREFIX}/lib
 LOCALEDIR ?= /usr/share/locale
 
 CFLAGS = -Werror

Re: Busted by constraints.

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]

On Fri, 2005-05-13 at 11:00 -0400, Stephen Smalley wrote:
> Ok, just committed the two attached patches for libsepol and
> policycoreutils to introduce an audit2why utility.

In creating audit2why, I ran into the known namespace collision between
libsepol and libselinux; they both define the base set of Flask types,
with the one set of definitions for security-aware applications running
on SELinux and the other set of definitions for the binary policy and
the userspace security server code (the latter is only exported by the
static libsepol, not the shared library).  I worked around the collision
temporarily in audit2why.c by not including selinux.h and manually
defining function prototypes for the functions from libselinux, but I
think we should eliminate the collision by applying the attached script
to all *.[chy] files in libsepol and checkpolicy and then applying the
attached patch to audit2why.  I don't think we want to actually fold the
types together, as the libsepol definitions need to stay consistent with
the binary policy format whereas the libselinux ones don't need to be
fixed size (and in the case of security_id_t we cannot fold them since
one is an integer and the other is a struct).  Seem reasonable?

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: fixnamespace --]
[-- Type: application/x-shellscript, Size: 439 bytes --]

[-- Attachment #3: audit2why-namespace.patch --]
[-- Type: text/x-patch, Size: 1668 bytes --]

Index: policycoreutils/audit2why/audit2why.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/audit2why/audit2why.c,v
retrieving revision 1.1
diff -u -p -r1.1 audit2why.c
--- policycoreutils/audit2why/audit2why.c	13 May 2005 14:42:21 -0000	1.1
+++ policycoreutils/audit2why/audit2why.c	13 May 2005 19:14:22 -0000
@@ -8,22 +8,13 @@
 #include <limits.h>
 #include <sepol/sepol.h>
 #include <sepol/services.h>
+#include <selinux/selinux.h>
 
 #define AVCPREFIX "avc:  denied  { "
 #define SCONTEXT "scontext="
 #define TCONTEXT "tcontext="
 #define TCLASS "tclass="
 
-/* Copied from selinux/selinux.h.
-   Should be replaced with #include <selinux/selinux.h>,
-   but first requires elimination of namespace collisions
-   between libselinux and libsepol. */
-extern const char *selinux_binary_policy_path(void);
-extern security_class_t string_to_security_class(const char *name);
-extern access_vector_t string_to_av_perm(security_class_t tclass, const char *name);
-extern int security_policyvers(void);
-extern int is_selinux_enabled(void);
-
 void usage(char *progname, int rc) 
 {
  	fprintf(stderr, "usage:  %s [-p policy] < /var/log/audit/audit.log\n", progname);
@@ -39,10 +30,10 @@ int main(int argc, char **argv) 
 	FILE *fp;
 	int opt, rc, set_path = 0;
 	char *p, *scon, *tcon, *tclassstr, *permstr;
-	security_id_t ssid, tsid;
-	security_class_t tclass;
-	access_vector_t perm, av;
-	struct av_decision avd;
+	sepol_security_id_t ssid, tsid;
+	sepol_security_class_t tclass;
+	sepol_access_vector_t perm, av;
+	struct sepol_av_decision avd;
 	unsigned int reason;
 	int vers = 0;
 

Re: Busted by constraints.

[Stephen Smalley]

On Fri, 2005-05-13 at 15:30 -0400, Stephen Smalley wrote:
> In creating audit2why, I ran into the known namespace collision between
> libsepol and libselinux; they both define the base set of Flask types,
> with the one set of definitions for security-aware applications running
> on SELinux and the other set of definitions for the binary policy and
> the userspace security server code (the latter is only exported by the
> static libsepol, not the shared library).  I worked around the collision
> temporarily in audit2why.c by not including selinux.h and manually
> defining function prototypes for the functions from libselinux, but I
> think we should eliminate the collision by applying the attached script
> to all *.[chy] files in libsepol and checkpolicy and then applying the
> attached patch to audit2why.  I don't think we want to actually fold the
> types together, as the libsepol definitions need to stay consistent with
> the binary policy format whereas the libselinux ones don't need to be
> fixed size (and in the case of security_id_t we cannot fold them since
> one is an integer and the other is a struct).  Seem reasonable?

Ah, there was one duplicated expression in the sed script, but otherwise
it yielded the expected result, and the resulting libsepol, checkpolicy,
and audit2why all build as expected.  Committed to sourceforge CVS.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 1094 bytes --]

On Fri, 2005-05-13 at 11:00 -0400, Stephen Smalley wrote:
> Ok, just committed the two attached patches for libsepol and
> policycoreutils to introduce an audit2why utility.  A sample of the
> output of audit2why is below from running:
> $ /usr/sbin/audit2why < /var/log/audit/audit.log
> 
> type=KERNEL msg=audit(1115316525.803:399552): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
> 	Was caused by:
> 		Missing TE allow rule for the type pair (use audit2allow).
> 
> type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
> 	Was caused by:
> 		Constraint violation (add type attribute to domain to satisfy constraints or alter constraint).

Further patches to libsepol and audit2why so that audit2why can handle
boolean settings and local user definitions properly.

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: libsepol.patch --]
[-- Type: text/x-patch, Size: 6812 bytes --]

Index: libsepol/ChangeLog
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v
retrieving revision 1.29
diff -u -p -r1.29 ChangeLog
--- libsepol/ChangeLog	13 May 2005 19:38:06 -0000	1.29
+++ libsepol/ChangeLog	16 May 2005 18:21:50 -0000
@@ -1,3 +1,7 @@
+1.5.9 2005-05-16
+	* Added sepol_genbools_policydb and sepol_genusers_policydb for
+	  audit2why.
+
 1.5.8 2005-05-13
 	* Added sepol_ prefix to Flask types to avoid 
 	  namespace collision with libselinux.
Index: libsepol/VERSION
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v
retrieving revision 1.24
diff -u -p -r1.24 VERSION
--- libsepol/VERSION	13 May 2005 19:38:06 -0000	1.24
+++ libsepol/VERSION	16 May 2005 18:21:00 -0000
@@ -1 +1 @@
-1.5.8
+1.5.9
Index: libsepol/libsepol.spec
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/libsepol.spec,v
retrieving revision 1.26
diff -u -p -r1.26 libsepol.spec
--- libsepol/libsepol.spec	13 May 2005 19:38:06 -0000	1.26
+++ libsepol/libsepol.spec	16 May 2005 18:21:03 -0000
@@ -1,6 +1,6 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 1.5.8
+Version: 1.5.9
 Release: 1
 License: GPL
 Group: System Environment/Libraries
Index: libsepol/include/sepol/policydb.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/include/sepol/policydb.h,v
retrieving revision 1.8
diff -u -p -r1.8 policydb.h
--- libsepol/include/sepol/policydb.h	13 May 2005 19:38:13 -0000	1.8
+++ libsepol/include/sepol/policydb.h	16 May 2005 17:33:49 -0000
@@ -263,6 +263,8 @@ extern int policydb_index_bools(policydb
 
 extern int policydb_index_others(policydb_t * p, unsigned int verbose);
 
+extern int policydb_reindex_users(policydb_t * p);
+
 extern int constraint_expr_destroy(constraint_expr_t * expr);
 
 extern void policydb_destroy(policydb_t * p);
Index: libsepol/include/sepol/services.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/include/sepol/services.h,v
retrieving revision 1.5
diff -u -p -r1.5 services.h
--- libsepol/include/sepol/services.h	13 May 2005 19:38:13 -0000	1.5
+++ libsepol/include/sepol/services.h	16 May 2005 17:33:49 -0000
@@ -25,6 +25,13 @@
 extern int sepol_set_policydb(policydb_t *p);
 extern int sepol_set_sidtab(sidtab_t *s);
 
+/* Modify a policydb for boolean settings. */
+int sepol_genbools_policydb(policydb_t *policydb, const char *booleans);
+
+/* Modify a policydb for user settings. */
+int sepol_genusers_policydb(policydb_t *policydb,
+			    const char *usersdir);
+
 /* Load the security policy. This initializes the policydb
    and sidtab based on the provided binary policy. */
 int sepol_load_policy(void * data, size_t len);
Index: libsepol/src/genbools.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/genbools.c,v
retrieving revision 1.13
diff -u -p -r1.13 genbools.c
--- libsepol/src/genbools.c	25 Apr 2005 19:55:30 -0000	1.13
+++ libsepol/src/genbools.c	16 May 2005 17:33:49 -0000
@@ -52,7 +52,7 @@ static int process_boolean(char *buffer,
 	return 1;
 }
 
-static int load_booleans(struct policydb *policydb, char *path) {
+static int load_booleans(struct policydb *policydb, const char *path) {
 	FILE *boolf;
 	char *buffer=NULL;
 	size_t size=0;
@@ -64,7 +64,7 @@ static int load_booleans(struct policydb
 
 	boolf = fopen(path,"r");
 	if (boolf == NULL) 
-		return -1;
+		goto localbool;
 
 	while (getline(&buffer, &size, boolf) > 0) {
 		int ret=process_boolean(buffer, name, sizeof(name), &val);
@@ -81,6 +81,7 @@ static int load_booleans(struct policydb
 		}
 	}
 	fclose(boolf);
+localbool:
 	snprintf(localbools,sizeof(localbools), "%s.local", path);
 	boolf = fopen(localbools,"r");
 	if (boolf != NULL) {
@@ -157,6 +158,18 @@ int sepol_genbools(void *data, size_t le
 	return -1;
 }
 
+int sepol_genbools_policydb(policydb_t *policydb, const char *booleans)
+{
+	int rc;
+
+	rc = load_booleans(policydb, booleans);
+	if (!rc)
+		rc = evaluate_conds(policydb);
+	if (rc)
+		errno = EINVAL;
+	return rc;
+}
+
 int sepol_genbools_array(void *data, size_t len, char **names, int *values, int nel)
 {
 	struct policydb policydb;
Index: libsepol/src/genusers.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/genusers.c,v
retrieving revision 1.11
diff -u -p -r1.11 genusers.c
--- libsepol/src/genusers.c	13 Apr 2005 14:30:18 -0000	1.11
+++ libsepol/src/genusers.c	16 May 2005 17:34:14 -0000
@@ -444,3 +444,34 @@ err:
 	policydb_destroy(&policydb);
 	return -1;
 }
+
+int sepol_genusers_policydb(policydb_t *policydb,
+			    const char *usersdir)
+{
+	char path[PATH_MAX];
+
+	/* Load base set of system users from the policy package. */
+	snprintf(path, sizeof path, "%s/system.users", usersdir);
+	if (load_users(policydb, path) < 0) {
+		__sepol_debug_printf("%s: Can't load system.users:  %s\n",
+				     __FUNCTION__, strerror(errno));
+		return -1;
+	}
+
+	/* Load locally defined users. */
+	snprintf(path, sizeof path, "%s/local.users", usersdir);
+	if (load_users(policydb, path) < 0) {
+		__sepol_debug_printf("%s:  Can't load local.users:  %s\n",
+				     __FUNCTION__, strerror(errno));
+		return -1;
+	}
+
+	if (policydb_reindex_users(policydb) < 0) {
+		__sepol_debug_printf("%s:  Can't reindex users:  %s\n",
+				     __FUNCTION__, strerror(errno));
+		return -1;
+
+	}
+
+	return 0;
+}
Index: libsepol/src/policydb.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/policydb.c,v
retrieving revision 1.8
diff -u -p -r1.8 policydb.c
--- libsepol/src/policydb.c	17 Feb 2005 14:59:27 -0000	1.8
+++ libsepol/src/policydb.c	16 May 2005 17:38:29 -0000
@@ -440,7 +440,6 @@ int policydb_index_others(policydb_t * p
 	return 0;
 }
 
-
 /*
  * The following *_destroy functions are used to
  * free any memory allocated for each kind of
@@ -1733,5 +1732,30 @@ bad:
 	return -1;
 }
 
+int policydb_reindex_users(policydb_t * p)
+{
+	unsigned int i = SYM_USERS;
+
+	if (p->user_val_to_struct)
+		free(p->user_val_to_struct);
+	if (p->sym_val_to_name[i])
+		free(p->sym_val_to_name[i]);
+
+	p->user_val_to_struct = (user_datum_t **)
+	    malloc(p->p_users.nprim * sizeof(user_datum_t *));
+	if (!p->user_val_to_struct)
+		return -1;
+
+	p->sym_val_to_name[i] = (char **)
+		malloc(p->symtab[i].nprim * sizeof(char *));
+	if (!p->sym_val_to_name[i])
+		return -1;
+
+	if (hashtab_map(p->symtab[i].table, index_f[i], p))
+		return -1;
+
+	return 0;
+}
+
 
 

[-- Attachment #3: policycoreutils.patch --]
[-- Type: text/x-patch, Size: 5838 bytes --]

Index: policycoreutils/ChangeLog
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/ChangeLog,v
retrieving revision 1.114
diff -u -p -r1.114 ChangeLog
--- policycoreutils/ChangeLog	13 May 2005 19:41:30 -0000	1.114
+++ policycoreutils/ChangeLog	16 May 2005 18:23:47 -0000
@@ -1,3 +1,7 @@
+1.23.10 2005-05-16
+	* Extended audit2why to incorporate booleans and local user 
+	  settings when analyzing audit messages.
+
 1.23.9 2005-05-13
 	* Updated audit2why for sepol_ prefixes on Flask types to
 	  avoid namespace collision with libselinux, and to 
Index: policycoreutils/VERSION
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/VERSION,v
retrieving revision 1.53
diff -u -p -r1.53 VERSION
--- policycoreutils/VERSION	13 May 2005 19:41:30 -0000	1.53
+++ policycoreutils/VERSION	16 May 2005 18:23:04 -0000
@@ -1 +1 @@
-1.23.9
+1.23.10
Index: policycoreutils/policycoreutils.spec
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/policycoreutils.spec,v
retrieving revision 1.76
diff -u -p -r1.76 policycoreutils.spec
--- policycoreutils/policycoreutils.spec	13 May 2005 19:41:30 -0000	1.76
+++ policycoreutils/policycoreutils.spec	16 May 2005 18:23:02 -0000
@@ -1,6 +1,6 @@
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.23.9
+Version: 1.23.10
 Release: 1
 License: GPL
 Group: System Environment/Base
Index: policycoreutils/audit2why/audit2why.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/audit2why/audit2why.c,v
retrieving revision 1.2
diff -u -p -r1.2 audit2why.c
--- policycoreutils/audit2why/audit2why.c	13 May 2005 19:41:37 -0000	1.2
+++ policycoreutils/audit2why/audit2why.c	16 May 2005 18:25:16 -0000
@@ -36,6 +36,9 @@ int main(int argc, char **argv) 
 	struct sepol_av_decision avd;
 	unsigned int reason;
 	int vers = 0;
+	sidtab_t sidtab;
+	policydb_t policydb;
+	struct policy_file pf;
 
 	while ((opt = getopt(argc, argv, "p:?h")) > 0) {
 		switch (opt) {
@@ -63,6 +66,10 @@ int main(int argc, char **argv) 
 			exit(1);
 		}
 		vers = security_policyvers();
+		if (vers < 0) {
+			fprintf(stderr, "%s:  Could not get policy version:  %s\n", argv[0], strerror(errno));
+			exit(1);
+		}
 		snprintf(path, PATH_MAX, "%s.%d", 
 			 selinux_binary_policy_path(), vers);
 		fp = fopen(path, "r");
@@ -80,14 +87,44 @@ int main(int argc, char **argv) 
 		}
 	}
 
-	rc = sepol_set_policydb_from_file(fp);
-	if (rc < 0) {
-		fprintf(stderr, "%s:  unable to load policy from %s:  %s\n",
-			argv[0], path, strerror(errno));
+	/* Set up a policydb directly so that we can mutate it later
+	   for booleans and user settings.  Otherwise we would just use
+	   sepol_set_policydb_from_file() here. */
+	pf.fp = fp;
+	pf.type = PF_USE_STDIO;
+	if (policydb_read(&policydb, &pf, 0)) {
+		fprintf(stderr, "%s:  invalid binary policy %s\n",
+			argv[0], path);
 		exit(1);
 	}
 	fclose(fp);
-	
+	sepol_set_policydb(&policydb);
+
+	if (!set_path) {
+		/* If they didn't specify a full path of a binary policy file,
+		   then also try loading any boolean settings and user
+		   definitions from the active locations.  Otherwise,
+		   they can use genpolbools and genpolusers to build a
+		   binary policy file that includes any desired settings
+		   and then apply audit2why -p to the resulting file. 
+		   Errors are non-fatal as such settings are optional. */
+		sepol_debug(0);
+		(void)sepol_genbools_policydb(&policydb, selinux_booleans_path());
+		(void)sepol_genusers_policydb(&policydb, selinux_users_path());
+	}
+
+
+	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
+	   and sepol_compute_av_reason. */
+	rc = sepol_sidtab_init(&sidtab);
+	if (rc < 0) {
+		fprintf(stderr, "%s:  unable to init sidtab\n",
+			argv[0]);
+		exit(1);
+	}
+	sepol_set_sidtab(&sidtab);
+
+	/* Process the audit messages. */
 	while (getline(&buffer, &len, stdin) > 0) {
 		size_t len2 = strlen(buffer);
 
@@ -212,16 +249,31 @@ int main(int argc, char **argv) 
 			continue;
 		}
 
-		if (!reason)
-			continue; /* Denial would not occur under specified policy. */
-
 		printf("%s\n\tWas caused by:\n", bufcopy);
-		if (reason & SEPOL_COMPUTEAV_TE)
-			printf("\t\tMissing TE allow rule for the type pair (use audit2allow).\n");
-		if (reason & SEPOL_COMPUTEAV_CONS)
-			printf("\t\tConstraint violation (add type attribute to domain to satisfy constraints or alter constraint).\n");
-		if (reason & SEPOL_COMPUTEAV_RBAC)
-			printf("\t\tMissing role allow rule for the role pair (add role allow rule).\n");
+
+		if (!reason) {
+			printf("\t\tUnknown - would be allowed by %s policy\n", set_path ? "specified" : "active");
+			printf("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n");
+			printf("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n");
+		}
+
+		if (reason & SEPOL_COMPUTEAV_TE) {
+			printf("\t\tMissing or disabled TE allow rule.\n");
+			printf("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
+			printf("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
+		}
+
+		if (reason & SEPOL_COMPUTEAV_CONS) {
+			printf("\t\tConstraint violation.\n");
+			printf("\t\tCheck policy/constraints.\n");
+			printf("\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n");
+		}
+
+		if (reason & SEPOL_COMPUTEAV_RBAC) {
+			printf("\t\tMissing role allow rule.\n");
+			printf("\t\tAdd allow rule for the role pair.\n");
+		}
+
 		printf("\n");
 	}
 	free(buffer);

Re: Busted by constraints.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

I think, this patch is needed to export symbols of newly added libsepol 
functions. 

Also policycoreutils-rhat.patch needed to build on 64 bit platforms, 
plus some other stuff.

Dan


-- 



[-- Attachment #2: libsepol-rhat.patch --]
[-- Type: text/x-patch, Size: 578 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsepol/src/libsepol.map libsepol-1.5.8/src/libsepol.map
--- nsalibsepol/src/libsepol.map	2005-04-14 07:22:14.000000000 -0400
+++ libsepol-1.5.8/src/libsepol.map	2005-05-16 17:43:48.000000000 -0400
@@ -1,4 +1,4 @@
 {
-  global: sepol_genbools*; sepol_set_policydb_from_file; sepol_check_context; sepol_genusers; sepol_debug; sepol_set_delusers;
+  global: sepol_genbools*; sepol_set_policydb_from_file; sepol_check_context; sepol_genusers; sepol_debug; sepol_set_delusers; sepol_context_to_sid; sepol_compute_av_reason;
   local: *;
 };

[-- Attachment #3: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 4031 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2why/audit2why.1 policycoreutils-1.23.9/audit2why/audit2why.1
--- nsapolicycoreutils/audit2why/audit2why.1	1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.23.9/audit2why/audit2why.1	2005-05-16 17:24:58.000000000 -0400
@@ -0,0 +1,62 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 2005 Dan Walsh <dwalsh@redhat.com>
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\"
+.TH AUDIT2ALLOW "1" "May 2005" "Security Enhanced Linux" NSA
+.SH NAME
+audit2why \- Translates auditmessages into a description of why the access was denied
+.SH SYNOPSIS
+.B audit2why
+.RI [ options "] "
+.SH OPTIONS
+.TP
+
+.B "\-\-help"
+Print a short usage message
+.TP
+.B "\-p <policyfile>"
+Specify an alternate policy file.
+.SH DESCRIPTION
+.PP
+This utility scans stdin (logfiles) for messages logged when the 
+system denied permission for operations, and generates a reason why the 
+access was denied
+.PP
+.SH EXAMPLE
+$ /usr/sbin/audit2why < /var/log/audit/audit.log
+
+type=KERNEL msg=audit(1115316525.803:399552): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
+	Was caused by:
+		Missing TE allow rule for the type pair (use audit2allow).
+
+type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
+	Was caused by:
+		Constraint violation (add type attribute to domain to satisfy constraints or alter constraint).
+
+
+.PP
+.SH AUTHOR
+This manual page was written by 
+.I Dan Walsh <dwalsh@redhat.com>,
+.B audit2why
+utility was written by Stephen Smalley <sds@tycho.nsa.gov>.
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2why/Makefile policycoreutils-1.23.9/audit2why/Makefile
--- nsapolicycoreutils/audit2why/Makefile	2005-05-16 15:40:11.000000000 -0400
+++ policycoreutils-1.23.9/audit2why/Makefile	2005-05-16 17:26:05.000000000 -0400
@@ -1,6 +1,6 @@
 # Installation directories.
 PREFIX ?= ${DESTDIR}/usr
-BINDIR ?= $(PREFIX)/sbin
+BINDIR ?= $(PREFIX)/bin
 LIBDIR ?= ${PREFIX}/lib
 MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
@@ -8,7 +8,7 @@
 
 CFLAGS = -Werror
 override CFLAGS += -Wall -W
-LDLIBS += ${LIBDIR}/libsepol.a -lselinux
+LDLIBS += -lsepol -lselinux
 
 TARGETS=audit2why
 
@@ -17,6 +17,8 @@
 install: all
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
+	-mkdir -p $(MANDIR)/man1
+	install -m 644 audit2why.1 $(MANDIR)/man1/
 
 clean:
 	rm -f $(TARGETS) *.o
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.23.9/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-04-29 14:11:23.000000000 -0400
+++ policycoreutils-1.23.9/scripts/fixfiles	2005-05-16 17:24:58.000000000 -0400
@@ -164,7 +164,7 @@
 fi
 
 # See how we were called.
-while getopts "C:Fo:R:l:" i; do
+while getopts "C:Ffo:R:l:" i; do
     case "$i" in
 	f)
 		fullFlag=1

Re: Busted by constraints.

[Stephen Smalley]

On Mon, 2005-05-16 at 18:00 -0400, Daniel J Walsh wrote:
> I think, this patch is needed to export symbols of newly added libsepol 
> functions. 

No.  These particular functions are _only_ for the static library and
programs that link with it, as they expose too much of the internals of
libsepol.  Note that audit2why is linked with libsepol.a, not the shared
library (prior to your policycoreutils patch).  We will not _export_
these symbols via the shared library.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Tue, 2005-05-17 at 07:39 -0400, Stephen Smalley wrote:
> On Mon, 2005-05-16 at 18:00 -0400, Daniel J Walsh wrote:
> > I think, this patch is needed to export symbols of newly added libsepol 
> > functions. 
> 
> No.  These particular functions are _only_ for the static library and
> programs that link with it, as they expose too much of the internals of
> libsepol.  Note that audit2why is linked with libsepol.a, not the shared
> library (prior to your policycoreutils patch).  We will not _export_
> these symbols via the shared library.

Note btw that this is no different than checkpolicy, which also links
with the static libsepol.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Daniel J Walsh]

Stephen Smalley wrote:

>On Mon, 2005-05-16 at 18:00 -0400, Daniel J Walsh wrote:
>  
>
>>I think, this patch is needed to export symbols of newly added libsepol 
>>functions. 
>>    
>>
>
>No.  These particular functions are _only_ for the static library and
>programs that link with it, as they expose too much of the internals of
>libsepol.  Note that audit2why is linked with libsepol.a, not the shared
>library (prior to your policycoreutils patch).  We will not _export_
>these symbols via the shared library.
>
>  
>
Ok libdir needs to be passed in via spec file.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Mon, 2005-05-16 at 18:00 -0400, Daniel J Walsh wrote:
> I think, this patch is needed to export symbols of newly added libsepol 
> functions. 
> 
> Also policycoreutils-rhat.patch needed to build on 64 bit platforms, 
> plus some other stuff.

Also, I specifically put it into sbin rather than bin because you need
to be able to read the policy and the audit log in order to use it
effectively, so it didn't seem overly useful to put it into bin.

Note that the output has changed somewhat with my last patch from the
sample messages I posted earlier (that you included into the man page).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Thu, 2005-05-12 at 10:30 -0400, Stephen Smalley wrote:
> The AVC just sees that a given permission was denied, not what component
> of the policy engine denied it.  See "Flask architecture", "policy-
> flexibility", ...

BTW, to elaborate on this point, when a permission check is first made
for a given (subject security context, object security context, object
security class) triple, the AVC gets a complete access vector (all
permission decisions) for that triple from the security server, so the
security server does the complete policy computation at that time and
never sees subsequent permission checks on the same triple as long as
the cache entry isn't evicted.  Hence, even if we modified the kernel
security server to log a message about the cause when it receives a
request for a computation and one of the requested permissions is
denied, we'd still never see the causes for denials that are handled
entirely by the AVC using the cached access vector.   To support that in
the kernel (vs. creating a utility like audit2why), we'd have to have
the kernel security server return a vector of _reasons_ for each denied
permission in the access vector to the AVC and have the AVC interpret
that vector when generating the audit message.  In addition to being
rather painful, that also tends to break the desired encapsulation of
policy logic within the security server in the kernel (vs. having some
policy-aware applications like audit2why).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Casey Schaufler]

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:


> But nothing prevents you from creating a simple tool
> linked against
> libsepol that takes an avc denial and determines
> which part of the
> policy caused it.

I seriously doubt this would be a "simple" tool.
Two months after the event are you absolutely sure
you are going to have all the information you need
to reconstruct the policy and file system context
that was in force at the time of a particular
access attempt?

One of the first MLS systems (System V/MLS)
did reconstructive audit. The experience of
that system lead all of the Unix vendors after
to use schemes that created individual records
that include all interesting information.

I disagree with your assessment that it's easier
to do this is user space after the fact than in
the kernel as the action happens.


Casey Schaufler
casey@schaufler-ca.com


		
Yahoo! Mail
Stay connected, organized, and protected. Take the tour:
http://tour.mail.yahoo.com/mailtour.html


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Thu, 2005-05-12 at 13:37 -0700, Casey Schaufler wrote:
> I seriously doubt this would be a "simple" tool.
> Two months after the event are you absolutely sure
> you are going to have all the information you need
> to reconstruct the policy and file system context
> that was in force at the time of a particular
> access attempt?

Everything we need to reproduce the denial is included in the audit
message (i.e. the relevant security contexts and object information)
except for the policy itself.  So all you need is the audit log and the
policy that was in effect at the time, and you can reproduce the
computation.  I'll make a simple patch to libsepol and a trivial utility
that does this.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Casey Schaufler]

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2005-05-12 at 13:37 -0700, Casey Schaufler
> wrote:

> Everything we need to reproduce the denial is
> included in the audit
> message (i.e. the relevant security contexts and
> object information)
> except for the policy itself.

Yup.

> So all you need is
> the audit log and the
> policy that was in effect at the time, and you can
> reproduce the
> computation.

So where is the policy-in-effect stored?
Certainly you're not going to suggest using
the policy source file that happens to be there
at the time of analysis. That policy file
(actually, that set of policy files soon)
may bear little resemblence to the policy
that was in force at the time the event
occured. Even if you're talking about the
policy file at the time of collection
there is real risk that the content of the
policy file does not match what the kernel
is enforcing.

> I'll make a simple patch to libsepol
> and a trivial utility
> that does this.

Enjoy. It's pretty pointless.


Casey Schaufler
casey@schaufler-ca.com


		
Discover Yahoo! 
Stay in touch with email, IM, photo sharing and more. Check it out! 
http://discover.yahoo.com/stayintouch.html

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Stephen Smalley]

On Fri, 2005-05-13 at 08:10 -0700, Casey Schaufler wrote:
> So where is the policy-in-effect stored?
> Certainly you're not going to suggest using
> the policy source file that happens to be there
> at the time of analysis. That policy file
> (actually, that set of policy files soon)
> may bear little resemblence to the policy
> that was in force at the time the event
> occured. Even if you're talking about the
> policy file at the time of collection
> there is real risk that the content of the
> policy file does not match what the kernel
> is enforcing.

audit2why/libsepol actually acts on the binary policy file, and libsepol
has the same policy engine code as the kernel, but I understand your
concern about matching up with the policy that was in effect at the time
of the denial.  However, keep in mind that:
a) keeping a versioned repository of your policies is a good idea
independent of this issue,
b) we are only trying to identify what component of the policy caused a
denial (e.g. Type Enforcement, RBAC, or constraint), and this is not
likely to be highly variable across policy changes/upgrades for a given
denial.

It might be useful if the kernel audit messages included some kind of
policy identifier / hash that could be used in correlating against a
versioned repository of policies.   That wouldn't be difficult.

> Enjoy. It's pretty pointless.

To the contrary, it specifically addresses Dan's problem (i.e. being
able to quickly determine which part of the policy caused a given denial
for application and policy debugging), where he knows what policy he is
using at the time of the denial.  And it should provide a basis for
future work on audit analysis tools, even if we have to make further
enhancements to support that functionality fully.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Busted by constraints.

[Casey Schaufler]

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

 
> audit2why/libsepol actually acts on the binary
> policy file, and libsepol
> has the same policy engine code as the kernel, but I
> understand your
> concern about matching up with the policy that was
> in effect at the time
> of the denial.

Since the policy is a variable in the security
lattice it needs to be included in the audit 
information.

> However, keep in mind that:
> a) keeping a versioned repository of your policies
> is a good idea
> independent of this issue,

Sure, just as versioned repositories of your
users and system installation is a good idea.

> b) we are only trying to identify what component of
> the policy caused a
> denial (e.g. Type Enforcement, RBAC, or constraint),
> and this is not
> likely to be highly variable across policy
> changes/upgrades for a given
> denial.

The likelyhood of change does not discount the
threat of change.

> It might be useful if the kernel audit messages
> included some kind of
> policy identifier / hash that could be used in
> correlating against a
> versioned repository of policies.   That wouldn't be
> difficult.

Your audit message should explicitly identify
what policy resulted in any failure.
 
> > Enjoy. It's pretty pointless.
> 
> To the contrary, it specifically addresses Dan's
> problem

OKay, it's a valuable debug tool until such
time as you repair the audit records.


Casey Schaufler
casey@schaufler-ca.com

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.