From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: "SELinux(NSA)" <SELinux@tycho.nsa.gov>
Subject: [PATCH] independent with attribute declaration order for attachment
Date: Sun, 12 Jun 2005 20:59:50 +0900
Message-ID: <42AC23B6.8070304@kaigai.gr.jp>
[-- Attachment #1: Type: text/plain, Size: 3854 bytes --]
Hi,
When I read the source code of checkpolicy, I noticed that an interesting
piece of functionality is commented out by #if 0 - #endif.
That is automatic attribute definition on type declaration statements.
I can see the author intended to try attaching attributes to any types
before these attributes are declared.
Try to see, by less +1700 checkpolicy-1.23.4/policy_parse.y.
---- checkpolicy-1.23.4/policy_parse.y --
    while ((id = queue_remove(id_queue))) {
        attr = hashtab_search(policydbp->p_types.table, id);
        if (!attr) {
            sprintf(errormsg, "attribute %s is not declared", id);
#if 1
            /* treat it as a fatal error */
            yyerror(errormsg);
            return -1;
#else
            /* Warn but automatically define the attribute.
               Useful for quickly finding all those attributes you
               forgot to declare. */
            yywarn(errormsg);
            attr = (type_datum_t *) malloc(sizeof(type_datum_t));
            if (!attr) {
                yyerror("out of memory");
                return -1;
            }
            memset(attr, 0, sizeof(type_datum_t));
            attr->isattr = TRUE;
            ret = hashtab_insert(policydbp->p_types.table,
                                 id, (hashtab_datum_t) attr);
            if (ret) {
                yyerror("hash table overflow");
                return -1;
            }
            newattr = 1;
#endif
        } else {
            newattr = 0;
        }
-----------------------------------------
The disabled section works similarly to an ATTRIBUTE statement.
But such an automatic declaration conflicts with a normal ATTRIBUTE statement
by "duplicate declaration for attribute %s\n".
Currently, we must declare an attribute before attaching it to any types.
Thus, almost all attributes are declared in attrib.te, and attrib.te's merging
order for policy.conf is earlier than any *.te files.
The attached checkpolicy-1.23.4-O4A.patch resolves this limitation.
For example, we can use an attribute declared in postgresql.te for
apache's configuration although apache.te is merged into policy.conf
earlier than postgresql.te.
Of course, the existing semantics are not changed, with one exception.
When we declare a type with undeclared attributes and those attributes
are still not declared at the end, the attached attributes are ignored.
There are two reasons. (1) It's harmless since any TE statements with
undeclared attributes are restricted. (2) We should not worry about
the dependence between type and attribute, so this feature reduces
'ifdef/ifndef' macros.
Currently, checkpolicy will abort when we declare a type with undeclared
attributes. Is this difference so fatal?
The following actions are the same as in the current checkpolicy.
* ALLOW and any TE statements with undeclared attributes are restricted.
* Duplicate attribute declaration is restricted.
* Any attribute needs a declaration by an ATTRIBUTE statement.
The following four patches are samples of out-of-order attribute declaration.
- apache.te-1.23.17-3.attribute.patch
- ftpd.te-1.23.17-3.attribute.patch
- mysqld.te-1.23.17-3.attribute.patch
- postgresql.te-1.23.17-3.attribute.patch
BTW, I noticed a problem that any CGI program working in httpd_sys_script_t cannot
connect to PostgreSQL via a UNIX domain socket. This patch resolves it.
Since I think it is strange for apache's configuration to be done in postgresql.te,
I used postgresql_connectable_a as an interface for PostgreSQL client applications.
Thanks.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
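The placeholder-and-reclaim scheme the attached checkpolicy patch implements, as an added model in C that is not checkpolicy's own code: a flat array stands in for policydb.p_types.table, isattr carries the three states the patch names, attaching a type to an unknown attribute creates a TRUE_BUT_UNDECLARED placeholder, a later ATTRIBUTE statement promotes it, and placeholders still undeclared at the end of pass 1 are reclaimed. Unlike the patch it reports each dropped name; the type bit numbers and the 32-entry table size are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the patch's three isattr states; not checkpolicy's own code. */
enum { NOT_ATTR = 0, ATTR_DECLARED = 1, ATTR_UNDECLARED = 2 }; /* TRUE_BUT_UNDECLARED */
struct entry { char name[32]; int isattr; unsigned long types; };
static struct entry table[32];          /* stands in for policydb.p_types.table */
static int nentries;
static struct entry *lookup(const char *name) {
    for (int i = 0; i < nentries; i++) if (!strcmp(table[i].name, name)) return &table[i];
    return NULL;
}
static struct entry *insert(const char *name, int isattr) {
    if (nentries >= (int)(sizeof table / sizeof *table)) return NULL; /* table overflow */
    struct entry *e = &table[nentries++];
    snprintf(e->name, sizeof e->name, "%s", name);
    e->isattr = isattr, e->types = 0;
    return e;
}
/* ATTRIBUTE statement: promote a placeholder, reject a real duplicate. */
int declare_attribute(const char *name) {
    struct entry *e = lookup(name);
    if (!e) return insert(name, ATTR_DECLARED) ? 0 : -1;
    if (e->isattr == ATTR_UNDECLARED) { e->isattr = ATTR_DECLARED; return 0; }
    return -1;                          /* "duplicate declaration for attribute" */
}
/* TYPE / TYPEATTRIBUTE: attach type_bit to attr, creating a placeholder if needed. */
int attach_type(const char *attr, int type_bit) {
    struct entry *e = lookup(attr);
    if (!e && !(e = insert(attr, ATTR_UNDECLARED))) return -1;
    if (e->isattr == NOT_ATTR) return -1;   /* name is a type, not an attribute */
    e->types |= 1UL << type_bit;
    return 0;
}
/* Between pass 1 and pass 2: drop placeholders never declared; returns the count.
   Unlike the patch, each dropped name is reported so a typo stays visible. */
int reclaim_undeclared(void) {
    int removed = 0;
    for (int i = 0; i < nentries; ) {
        if (table[i].isattr != ATTR_UNDECLARED) { i++; continue; }
        fprintf(stderr, "warning: attribute %s never declared, dropped\n", table[i].name);
        table[i] = table[--nentries], removed++;
    }
    return removed;
}
/* 1 if attr survived pass 1 as a declared attribute with type_bit attached, else 0. */
int attr_has_type(const char *attr, int type_bit) {
    struct entry *e = lookup(attr);
    return e && e->isattr == ATTR_DECLARED && ((e->types >> type_bit) & 1);
}
```

Calling attach_type before declare_attribute for the same name reproduces the apache.te-before-postgresql.te ordering from the cover letter; a name that is only ever attached is dropped by reclaim_undeclared.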
[-- Attachment #2: apache.te-1.23.17-3.attribute.patch --]
[-- Type: text/plain, Size: 1213 bytes --]
--- policy-1.23.17/domains/program/unused/apache.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kaigai/domains/program/unused/apache.te 2005-06-12 05:57:53.000000000 -0400
@@ -219,17 +219,15 @@
# Creation of lock files for apache2
lock_domain(httpd)
-# connect to mysql
-ifdef(`mysqld.te', `
-can_unix_connect(httpd_php_t, mysqld_t)
-can_unix_connect(httpd_t, mysqld_t)
-can_unix_connect(httpd_sys_script_t, mysqld_t)
-allow httpd_php_t mysqld_var_run_t:dir search;
-allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
-allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
-')
+# connect to mysql/PostgreSQL
+typeattribute httpd_t mysqld_connectable_a;
+typeattribute httpd_php_t mysqld_connectable_a;
+typeattribute httpd_sys_script_t mysqld_connectable_a;
+
+typeattribute httpd_t postgresql_connectable_a;
+typeattribute httpd_php_t postgresql_connectable_a;
+typeattribute httpd_sys_script_t postgresql_connectable_a;
+
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
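Review bot: dropping the `ifdef(`mysqld.te', ...)` guard changes the failure mode and should be stated in the description: with the checkpolicy patch applied, building without mysqld.te no longer fails on `typeattribute httpd_t mysqld_connectable_a;`, the three mysqld_connectable_a lines are silently discarded before pass 2 instead. If that silent no-op is the intended behaviour, say so in the `# connect to mysql/PostgreSQL` comment; otherwise keep the ifdef around the mysqld lines.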
[-- Attachment #3: checkpolicy-1.23.4-O4A.patch --]
[-- Type: text/plain, Size: 4155 bytes --]
--- checkpolicy-1.23.4/checkpolicy.h 2005-05-20 13:23:04.000000000 -0400
+++ checkpolicy-1.23.4.O4A/checkpolicy.h 2005-06-11 01:24:50.000000000 -0400
@@ -18,4 +18,8 @@
extern unsigned int policyvers;
extern unsigned int mlspol;
+/* isattr of type_datum_t takes the value of FALSE, TRUE and TRUE_BUT_UNDECLARED
+ An attribute with TRUE_BUT_UNDECLARED will be reclaimed before phase 2. */
+#define TRUE_BUT_UNDECLARED 2
+
#endif
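Review bot: the comment should spell out that only truthiness tests such as `if (!attr->isattr)` treat the placeholder as an attribute; any code comparing isattr against TRUE will not see a TRUE_BUT_UNDECLARED entry, so readers adding such tests know to use `isattr != FALSE`. Also confirm that policy_parse.y, which uses this macro, includes checkpolicy.h; if not, the define belongs in a header both files already share.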
--- checkpolicy-1.23.4/checkpolicy.c 2005-05-20 13:23:05.000000000 -0400
+++ checkpolicy-1.23.4.O4A/checkpolicy.c 2005-06-12 05:03:41.000000000 -0400
@@ -157,6 +157,27 @@
return 0;
}
+static int check_undeclared_attr(hashtab_key_t key __attribute__ ((unused)),
+ hashtab_datum_t datum, void *p __attribute__ ((unused)))
+{
+ type_datum_t *typdatum;
+
+ typdatum = (type_datum_t *) datum;
+ if (typdatum->isattr==TRUE_BUT_UNDECLARED)
+ return 1;
+ return 0;
+}
+
+static void destroy_undeclared_attr(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
+{
+ type_datum_t *typdatum;
+
+ typdatum = (type_datum_t *) datum;
+ ebitmap_destroy(&typdatum->types);
+ free(key);
+ free(datum);
+}
+
#ifdef EQUIVTYPES
static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d,
struct avtab_node *type_rules)
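Review bot: destroy_undeclared_attr has the attribute name in `key` but discards it silently; print it before `free(key)`, e.g. `fprintf(stderr, "warning: attribute %s was never declared, ignored\n", key);`, since the original #else branch existed precisely to find attributes one forgot to declare and a misspelled name otherwise leaves no trace. Minor style point: `typdatum->isattr==TRUE_BUT_UNDECLARED` should have spaces around `==` like the surrounding code.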
@@ -600,6 +621,10 @@
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
exit(1);
}
+ /* Remove undeclared and automatically generated attributes before phase 2. */
+ hashtab_map_remove_on_error(policydb.p_types.table,
+ check_undeclared_attr, destroy_undeclared_attr, 0);
+
rewind(yyin);
policydb_lineno = 1;
source_file[0] = '\0';
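Review bot: reclaiming placeholders without any diagnostic means a typo in an attribute name in a `type` or `typeattribute` statement now yields a policy with fewer permissions than the writer intended instead of a parse error; for a policy compiler that is a correctness regression worth flagging in the description. Consider making still-undeclared attributes an error here (listing them) unless a command-line option explicitly asks for the lenient behaviour, or at minimum count the removals and report the number after the `hashtab_map_remove_on_error` call.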
--- checkpolicy-1.23.4/policy_parse.y 2005-05-20 13:23:04.000000000 -0400
+++ checkpolicy-1.23.4.O4A/policy_parse.y 2005-06-11 01:36:49.000000000 -0400
@@ -1480,6 +1480,12 @@
attr = hashtab_search(policydbp->p_types.table, id);
if (attr) {
+ /* undeclared attribute is promoted to declared one. */
+ if (attr->isattr==TRUE_BUT_UNDECLARED) {
+ attr->isattr = TRUE;
+ free(id);
+ return 0;
+ }
sprintf(errormsg, "duplicate declaration for attribute %s\n",
id);
yyerror(errormsg);
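Review bot: the early `return 0` on promotion skips everything the normal declaration path does after the duplicate check; the placeholder was created with `memset(attr, 0, sizeof(type_datum_t))` in the 1597 hunk, so any field that path assigns later (in particular the attribute's value) stays zero for a promoted attribute. Either clear the placeholder state and fall through to the common initialization, or assign those fields here as well. A one-line comment that `free(id)` is correct because the table already owns the key inserted with the placeholder would also help.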
@@ -1568,6 +1574,7 @@
{
char *id;
type_datum_t *t, *attr;
+ int newattr;
if (pass == 2) {
while ((id = queue_remove(id_queue)))
@@ -1590,13 +1597,22 @@
}
while ((id = queue_remove(id_queue))) {
+ newattr = 0;
attr = hashtab_search(policydbp->p_types.table, id);
if (!attr) {
- sprintf(errormsg, "attribute %s is not declared", id);
- /* treat it as a fatal error */
- yyerror(errormsg);
- free(id);
- return -1;
+ attr = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!attr) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(attr, 0, sizeof(type_datum_t));
+ attr->isattr = TRUE_BUT_UNDECLARED;
+ if (hashtab_insert(policydbp->p_types.table,
+ id, (hashtab_datum_t) attr)) {
+ yyerror("hash table overflow");
+ return -1;
+ }
+ newattr = 1;
}
if (!attr->isattr) {
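Review bot: on the `hash table overflow` path `attr` and `id` leak, and on the `out of memory` path `id` leaks; both return -1 so it is minor, but freeing them keeps this consistent with the removed code, which freed `id` before returning. The allocate-and-insert block is also duplicated verbatim at the second site (the 1715 hunk); factor it into one helper such as `lookup_or_create_attr(id, &newattr)` so the two cannot drift apart.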
@@ -1606,7 +1622,8 @@
return -1;
}
- free(id);
+ if (!newattr)
+ free(id);
if (ebitmap_set_bit(&attr->types, (t->value - 1), TRUE)) {
yyerror("out of memory");
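Review bot: `if (!newattr) free(id);` deserves a short comment: when the placeholder was just created, `id` was passed to `hashtab_insert` as the key and is now owned by the table, so freeing it here would leave a dangling key behind.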
@@ -1698,25 +1715,16 @@
}
while ((id = queue_remove(id_queue))) {
+ newattr = 0;
attr = hashtab_search(policydbp->p_types.table, id);
if (!attr) {
- sprintf(errormsg, "attribute %s is not declared", id);
-#if 1
- /* treat it as a fatal error */
- yyerror(errormsg);
- return -1;
-#else
- /* Warn but automatically define the attribute.
- Useful for quickly finding all those attributes you
- forgot to declare. */
- yywarn(errormsg);
attr = (type_datum_t *) malloc(sizeof(type_datum_t));
if (!attr) {
yyerror("out of memory");
return -1;
}
memset(attr, 0, sizeof(type_datum_t));
- attr->isattr = TRUE;
+ attr->isattr = TRUE_BUT_UNDECLARED;
ret = hashtab_insert(policydbp->p_types.table,
id, (hashtab_datum_t) attr);
if (ret) {
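Review bot: this site keeps the `ret = hashtab_insert(...)` / `if (ret)` form while the 1597 hunk inlines the call into the `if`; pick one form for both, ideally by sharing a single helper, and drop the now-unneeded `ret` variable if the inline form is chosen.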
@@ -1724,9 +1732,6 @@
return -1;
}
newattr = 1;
-#endif
- } else {
- newattr = 0;
}
if (!attr->isattr) {
[-- Attachment #4: ftpd.te-1.23.17-3.attribute.patch --]
[-- Type: text/plain, Size: 907 bytes --]
--- policy-1.23.17/domains/program/unused/ftpd.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kaigai/domains/program/unused/ftpd.te 2005-06-12 06:07:21.000000000 -0400
@@ -113,6 +113,21 @@
#
# Type for access to anon ftp
#
-r_dir_file(ftpd_t,ftpd_anon_t)
+typeattribute ftpd_anon_t ftpd_file_ro_a;
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
-create_dir_file(ftpd_t,ftpd_anon_rw_t)
+typeattribute ftpd_anon_rw_t ftpd_file_rw_a;
+
+# Any files which can be accessed by FTPd should be attach
+# the following attributes.
+#
+# ftpd_file_path_a represents directories which are the way to target files.
+# ftpd_file_ro_a represents Read-Only files. (e.g )
+#
+attribute ftpd_file_path_a;
+attribute ftpd_file_ro_a;
+attribute ftpd_file_rw_a;
+
+allow ftpd_t ftpd_file_path_a : dir {getattr search};
+r_dir_file(ftpd_t, ftpd_file_ro_a);
+create_dir_file(ftpd_t, ftpd_file_rw_a);
+
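Review bot: the comment `ftpd_file_ro_a represents Read-Only files. (e.g )` is unfinished, and ftpd_file_rw_a and ftpd_file_path_a are not described at all; complete the block, including that nothing in this patch attaches to ftpd_file_path_a yet. `r_dir_file(ftpd_t, ftpd_file_ro_a);` and `create_dir_file(ftpd_t, ftpd_file_rw_a);` carry a trailing `;` that the macro calls they replace (`r_dir_file(ftpd_t,ftpd_anon_t)`) did not have; drop it for consistency with the file. Also note in the header comment that the `typeattribute` lines precede the `attribute` declarations, so this file only builds with the checkpolicy patch applied.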
[-- Attachment #5: mysqld.te-1.23.17-3.attribute.patch --]
[-- Type: text/plain, Size: 532 bytes --]
--- policy-1.23.17/domains/program/unused/mysqld.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kaigai/domains/program/unused/mysqld.te 2005-06-12 05:20:03.000000000 -0400
@@ -89,3 +89,9 @@
}
')
+# mysqld_connectable_a : a domain can connect mysqld via UNIX domain socket.
+attribute mysqld_connectable_a;
+can_unix_connect(mysqld_connectable_a, mysqld_t)
+allow mysqld_connectable_a {mysqld_var_run_t mysqld_db_t} : dir search;
+allow mysqld_connectable_a {mysqld_var_run_t mysqld_db_t} : sock_file rw_file_perms;
+
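Review bot: the rules on mysqld_connectable_a give every connecting domain `rw_file_perms` on both mysqld_var_run_t and mysqld_db_t sock_files plus `dir search` on both; the apache.te lines this replaces gave httpd_php_t only `dir search` and `sock_file write` on mysqld_var_run_t. If that wider set is intended for all clients, state it in the comment; otherwise a narrower second attribute for the write-only case would preserve the old scope.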
[-- Attachment #6: postgresql.te-1.23.17-3.attribute.patch --]
[-- Type: text/plain, Size: 1101 bytes --]
--- policy-1.23.17/domains/program/unused/postgresql.te 2005-05-25 11:28:28.000000000 -0400
+++ policy-1.23.17.kaigai/domains/program/unused/postgresql.te 2005-06-12 06:07:38.000000000 -0400
@@ -12,6 +12,8 @@
#
type postgresql_port_t, port_type;
daemon_domain(postgresql)
+attribute postgresql_connectable_a;
+
allow initrc_t postgresql_exec_t:lnk_file read;
allow postgresql_t usr_t:file { getattr read };
@@ -113,13 +115,11 @@
allow postgresql_t mail_spool_t:dir { search };
lock_domain(postgresql)
can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-#
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
+
+# Allow postgresql_connectable_a to connect with postgresql via UNIX domain socket.
+allow postgresql_connectable_a tmp_t:dir search;
+allow postgresql_connectable_a postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect(postgresql_connectable_a, postgresql_t)
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
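Review bot: `allow postgresql_connectable_a tmp_t:dir search;` is a new permission that was not in the removed ifdef block, and per the cover letter it is the actual fix for httpd_sys_script_t failing to reach the socket; say so in the comment above the rule so it is not mistaken for a leftover. Since apache.te now attaches httpd_php_t and httpd_sys_script_t as well as httpd_t, the replaced rules (httpd_t only) are also extended to two more domains, which the description should mention.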
Thread overview: 5+ messages
2005-06-12 11:59 KaiGai Kohei [this message]
2005-06-12 14:23 ` [PATCH] independent with attribute declaration order for attachment Joshua Brindle
2005-06-12 15:58 ` KaiGai Kohei
2005-06-13 14:07 ` Stephen Smalley
2005-06-14 14:37 ` Interface between applications. (Re: [PATCH] independent with attribute declaration order for attachment) KaiGai Kohei