From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Darrel Goeddel <dgoeddel@TrustedCS.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Re: libselinux category patch
Date: Tue, 23 Aug 2005 13:54:39 -0400	[thread overview]
Message-ID: <430B62DF.4080602@redhat.com> (raw)
In-Reply-To: <1124815922.7874.124.camel@moss-spartans.epoch.ncsc.mil>

[-- Attachment #1: Type: text/plain, Size: 64 bytes --]

Updated setrans.c to handle s0 and multiple categories. 

-- 



[-- Attachment #2: setrans.c --]
[-- Type: text/x-csrc, Size: 3876 bytes --]

#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

#define CATEGORYFILE "/etc/secat.conf"

/* One translation entry.  `name` is the internal category label as the
   system stores it (secat.conf documents these as c0-c127), `sename` the
   human-readable form the administrator chose.  Both strings are strdup()'d
   by process_category(); nothing in this file frees them, the table is kept
   for the lifetime of the process. */
typedef struct selevel {
	char* name;
	char* sename;
} selevel_t;

/* catlist is a simple linked list of selevels extracted from the CATEGORYFILE */
typedef struct cat {
	struct cat *next;
	selevel_t level;
} cat_t;

/* Head of the list.  NULL until init_context_translations() has run; the
   first node it allocates is an empty sentinel, real entries start at
   catlist->next (the lookup functions iterate from there). */
static cat_t *catlist=NULL;

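/* Copy `source` into `dest` with leading and trailing white space removed.
 *
 * At most `size` bytes of `source` are consumed while skipping leading white
 * space and at most `size` bytes are copied, so `dest` must have room for
 * size+1 bytes: the result is always NUL-terminated (strncpy alone does not
 * guarantee that, which is why the terminator is written explicitly).  A
 * `size` <= 0 yields an empty string.  Returns `dest`.
 */
static char *strtrim(char *dest, char *source, int size) {
	size_t limit = size > 0 ? (size_t)size : 0;
	size_t skipped = 0;
	const char *start = source;

	/* Check the bound before touching the byte, so an unterminated source
	   is never read past `size`. */
	while (skipped < limit && isspace((unsigned char)*start)) {
		start++;
		skipped++;
	}
	strncpy(dest, start, limit);
	dest[limit] = '\0';

	/* Trim from the right; an all-blank result collapses to "". */
	size_t len = strlen(dest);
	while (len > 0 && isspace((unsigned char)dest[len - 1]))
		len--;
	dest[len] = '\0';
	return dest;
}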
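/* Parse one line of CATEGORYFILE into a freshly allocated cat_t.
 *
 * A line has the form "name=sename".  White space around both parts is
 * removed, a name starting with '#' marks a comment, and a line without '='
 * (blank lines included) or with an empty name is ignored.  The value may be
 * empty ("s0="): that yields an empty sename, which translate() reports as
 * NULL.  `buffer` is modified in place (the '=' is overwritten).
 *
 * Returns 1 and stores the node in *cat on success, 0 when the line was
 * skipped or an allocation failed (the caller cannot tell the two apart).
 */
static int process_category(char *buffer, cat_t **cat) {
	char name[BUFSIZ];
	char name1[BUFSIZ];
	cat_t *next;
	/* strchr instead of strtok_r: strtok_r returned NULL for an empty value on a
	   final line without a newline, so "s0=" at EOF was silently dropped. */
	char *eq = strchr(buffer, '=');
	if (!eq) return 0;
	*eq = '\0';

	/* snprintf always NUL-terminates.  strncpy(name1, tok, BUFSIZ-1) left
	   name1[BUFSIZ-1] uninitialized for a long token, and strtrim would then
	   read past the end of name1. */
	snprintf(name1, sizeof name1, "%s", buffer);
	strtrim(name, name1, (int)sizeof name - 1);
	if (name[0] == '#' || name[0] == '\0') return 0;

	next = calloc(1, sizeof *next);
	if (!next) return 0;
	next->level.name = strdup(name);
	if (!next->level.name) {
		free(next);
		return 0;
	}

	/* Everything after the first '=' is the external name. */
	snprintf(name1, sizeof name1, "%s", eq + 1);
	strtrim(name, name1, (int)sizeof name - 1);
	next->level.sename = strdup(name);
	if (!next->level.sename) {
		free(next->level.name);
		free(next);
		return 0;
	}
	*cat = next;
	return 1;
}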

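/* Read CATEGORYFILE into catlist.  Only runs once per process: a second call
 * returns 0 without touching the list.  Might want to change to some kind of
 * reload eventually, for long running processes.
 *
 * Lines process_category() rejects are skipped silently.  Returns 0 when the
 * table is (or already was) loaded, 1 when CATEGORYFILE cannot be opened or
 * the list head cannot be allocated; in both failure cases catlist stays
 * NULL, so the lookup functions fall back to returning their input unchanged.
 */
int init_context_translations(void) {
	FILE *cfg;
	cat_t *tail;
	cat_t *next = NULL;
	size_t size = 0;
	char *buffer = NULL;

	if (catlist) return 0;
	cfg = fopen(CATEGORYFILE, "r");
	if (cfg == NULL)
		return 1;

	/* Sentinel head node; entries are appended after it. */
	catlist = calloc(1, sizeof *catlist);
	if (!catlist) {
		fclose(cfg);
		return 1;
	}
	tail = catlist;
	while (getline(&buffer, &size, cfg) > 0) {
		if (process_category(buffer, &next)) {
			tail->next = next;
			tail = next;
		}
	}
	free(buffer);
	/* The stream was previously never closed, leaking a FILE per process. */
	fclose(cfg);
	return 0;
}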

/* Map an internal category name to its external form.
 *
 * Returns a malloc()'d copy of the matching sename, NULL when the matching
 * entry has an empty sename (the caller passes that to context_range_set to
 * drop the range), or a copy of `cat` itself when there is no match or the
 * table was never loaded.  The caller owns the returned string.
 */
static char *translate(const char *cat) {
	cat_t *node;

	if (!catlist)
		return strdup(cat);

	for (node = catlist->next; node != NULL; node = node->next) {
		if (strcmp(cat, node->level.name) != 0)
			continue;
		if (node->level.sename[0] == '\0')
			return NULL;
		return strdup(node->level.sename);
	}
	return strdup(cat);
}

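/* Map an external name back to its internal form.
 *
 * The whole of `sename` is compared against each entry's sename.  On a match
 * the result is "s0:" followed by the internal name; otherwise a copy of
 * `sename` is returned.  Either way the string is malloc()'d and owned by the
 * caller; NULL means allocation failed.
 */
static char *untranslate(const char *sename) {
	cat_t *ptr;
	if (catlist)
		for (ptr = catlist->next; ptr; ptr = ptr->next)
			if (strcmp(sename, ptr->level.sename) == 0) {
				/* "s0:" + name + NUL.  The previous expression,
				   strlen(ptr->level.name + 4), took the length of the name
				   minus four bytes, so the sprintf below overflowed the buffer. */
				size_t len = strlen(ptr->level.name) + sizeof("s0:");
				char *buf = malloc(len);
				if (buf)
					snprintf(buf, len, "s0:%s", ptr->level.name);
				return buf;
			}
	return strdup(sename);
}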

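/* Rewrite the range of `oldcon` from internal to external form.
 *
 * Only the text after the last ':' of the range is looked up (so "s0:c0" is
 * translated via "c0"); whatever precedes it is discarded and the range is
 * replaced by the translated name alone.  An entry with an empty sename
 * removes the range entirely.  *rcon receives a malloc()'d context string the
 * caller must free.  Returns 0 on success, -1 if the context cannot be parsed
 * or the result cannot be allocated.
 */
int translate_context( const security_context_t oldcon, security_context_t *rcon) {
	const char *range;
	context_t con = context_new(oldcon);

	if (! con)
		return -1;

	range = context_range_get(con);
	if (range) {
		const char *cat = strrchr(range, ':');
		cat = cat ? cat + 1 : range;
		char *newrange = translate(cat);
		/* context_range_set stores its own copy (NULL clears the range), so
		   the string from translate() is released here instead of leaking. */
		context_range_set(con, newrange);
		free(newrange);
	}
	*rcon = strdup(context_str(con));
	context_free(con);
	return *rcon ? 0 : -1;
}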

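/* Rewrite the range of `oldcon` from external back to internal form.
 *
 * Unlike translate_context(), the entire range string is matched against the
 * table; a hit replaces it with "s0:<internal name>", a miss leaves it as it
 * was.  *rcon receives a malloc()'d context string the caller must free.
 * Returns 0 on success, -1 if the context cannot be parsed or the result
 * cannot be allocated.
 */
int untranslate_context( const security_context_t oldcon, security_context_t *rcon) {
	const char *range;
	context_t con = context_new(oldcon);

	if (! con)
		return -1;

	range = context_range_get(con);
	if (range) {
		char *newrange = untranslate(range);
		/* NULL here only means untranslate() could not allocate; keep the
		   original range rather than clearing it. */
		if (newrange) {
			context_range_set(con, newrange);   /* stores its own copy */
			free(newrange);
		}
	}
	*rcon = strdup(context_str(con));
	context_free(con);
	return *rcon ? 0 : -1;
}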



[-- Attachment #3: secat.conf --]
[-- Type: text/plain, Size: 500 bytes --]

#
# Multiple Category System translation table for SELinux
# 
# Sensitivities s0= should not be modified
# Objects can be categorized with 0-127 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c127.  Users can use this
# table to translate the categories into more meaningful output.
# Examples:
# c0=CompanyConfidential
# c1=PatientRecord
# c2=Unclassified
# c3=TopSecret
# c1,c3=CompanyConfidentialRedHat
s0=

