From: Daniel J Walsh <dwalsh@redhat.com>
To: Darrel Goeddel <dgoeddel@TrustedCS.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@redhat.com>, SELinux <SELinux@tycho.nsa.gov>
Subject: Re: Problems with MCS/Targeted policy update.
Date: Fri, 26 Aug 2005 14:16:43 -0400 [thread overview]
Message-ID: <430F5C8B.3060102@redhat.com> (raw)
In-Reply-To: <430C776B.4060309@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 385 bytes --]
Basically this patch checks whether mls and translation are enabled and
the *getfilecon_raw call returns a context without a level; if so, it
calls the untranslate function to try to get a level, which with MCS will
get you an s0. So we could put back the raw calls in rpm_execcon.
That way most contexts on disk could be stored without the s0 and the
getfilecon raw call would still return it.
Dan
--
[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/x-patch, Size: 4662 bytes --]
diff --exclude-from=exclude -N -u -r nsalibselinux/src/context.c libselinux-1.25.4/src/context.c
--- nsalibselinux/src/context.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/context.c 2005-08-26 12:02:38.000000000 -0400
@@ -181,16 +181,8 @@
def_set(type,COMP_TYPE)
def_set(role,COMP_ROLE)
def_set(user,COMP_USER)
+def_set(range,COMP_RANGE)
-int context_range_set(context_t context,const char* str)
-{
- context_private_t *n = context->ptr;
- if ( ! n->component[COMP_RANGE] ) {
- return 0;
- } else {
- return set_comp(n,COMP_RANGE,str);
- }
-}
hidden_def(context_range_set)
#ifdef L1TEST
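Review bot: Replacing the hand-written context_range_set with `def_set(range,COMP_RANGE)` changes its behaviour for contexts that have no range component: the removed body returned 0 without touching the context in that case, whereas def_set (defined outside this hunk) presumably sets the component unconditionally, as it does for type/role/user. That is what the MCS use case needs, but neither the description nor the hunk records it, and a caller that relied on the old no-op may now get a range appended. A short comment above the new line would capture the intent, e.g. `/* unlike before, a range may be set on a context that has none: MCS supplies the s0 level */`. If def_set does not behave this way, the special case needs to be carried over instead.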
--- nsalibselinux/src/fgetfilecon.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/fgetfilecon.c 2005-08-26 12:38:16.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(fgetfilecon_raw)
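Review bot: The return value of `trans_to_raw_context(buf,context)` is ignored before `free(buf)`, so if the untranslation fails *context is left either pointing at the freed buffer (dangling, since it was assigned buf two lines earlier) or at whatever the callee wrote, while ret still reports success to the caller. The raw context should go into a local and only replace buf when the call succeeds (assuming the 0-on-success convention its int return suggests; confirm against its definition), otherwise the level-less on-disk context is still a valid result. The colon count also walks the whole allocation (`i<size`) rather than the string; stopping at the terminator is enough and makes the `buf[i] &&` test redundant, and braces on the loop body avoid the dangling-statement trap. getfilecon.c and lgetfilecon.c carry the identical block and need the same fix; the function's opening lines are outside the hunk.
```c
    else {
        *context = buf;
        /* Contexts stored on disk may omit the MLS/MCS level (user:role:type
         * has only two ':'); when translation is on, ask the untranslator for
         * the raw form, which under MCS supplies the default s0 level. */
        if (mls_enabled && context_translations) {
            int ctr = 0;
            for (size_t i = 0; buf[i] != '\0'; i++) {
                if (buf[i] == ':')
                    ctr++;
            }
            if (ctr < 3) {
                char *raw = NULL;
                /* Only swap in the raw context when untranslation succeeded;
                 * on failure the caller keeps the level-less on-disk value. */
                if (trans_to_raw_context(buf, &raw) == 0 && raw != NULL) {
                    free(buf);
                    *context = raw;
                }
            }
        }
    }
    return ret;
```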
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.25.4/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c 2005-08-24 09:07:11.000000000 -0400
+++ libselinux-1.25.4/src/getfilecon.c 2005-08-26 12:28:58.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(getfilecon_raw)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/init.c libselinux-1.25.4/src/init.c
--- nsalibselinux/src/init.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/init.c 2005-08-26 12:06:08.000000000 -0400
@@ -119,11 +119,13 @@
}
}
+int mls_enabled hidden;
static void init_lib(void) __attribute__ ((constructor));
static void init_lib(void)
{
init_selinuxmnt();
init_translations();
+ mls_enabled=is_selinux_mls_enabled();
}
static void fini_lib(void) __attribute__ ((destructor));
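Review bot: `mls_enabled=is_selinux_mls_enabled();` caches the answer once, in the library constructor, and the getfilecon paths (plus query_user_context.c, which this patch changes from evaluating it per call to reading the global) will see that value for the life of the process; a comment on the definition such as `/* cached at library load; assumes selinuxfs is already mounted */` would make that trade-off visible. Before the constructor runs the global is zero-initialised, so the new code paths stay off, which is the safe default. If is_selinux_mls_enabled() can return a negative error value, the bare truth tests elsewhere would treat that as "enabled"; `mls_enabled = (is_selinux_mls_enabled() == 1);` avoids that, if the function's contract allows a negative return (its definition is outside this patch). Spaces around `=` would match the surrounding style.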
--- nsalibselinux/src/lgetfilecon.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/lgetfilecon.c 2005-08-26 12:38:12.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(lgetfilecon_raw)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/query_user_context.c libselinux-1.25.4/src/query_user_context.c
--- nsalibselinux/src/query_user_context.c 2005-02-22 16:34:17.000000000 -0500
+++ libselinux-1.25.4/src/query_user_context.c 2005-08-26 12:06:47.000000000 -0400
@@ -122,7 +122,6 @@
int typelen = 100;
char level[100]; /* The level requested by the user */
int levellen = 100;
- int mls_enabled = is_selinux_mls_enabled();
context_t new_context; /* The new context chosen by the user */
char *user_context = NULL; /* String value of the user's context */
--- nsalibselinux/src/selinux_internal.h 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/selinux_internal.h 2005-08-26 12:24:26.000000000 -0400
@@ -51,5 +51,10 @@
hidden_proto(selinux_users_path)
extern int context_translations hidden;
+extern int mls_enabled hidden;
extern int hidden trans_to_raw_context(char *trans, char **rawp);
extern int hidden raw_to_trans_context(char *raw, char **transp);
+extern int hidden internal_getfilecon_raw(
+ ssize_t (*func)(const char *, const char*, void *, size_t),
+ const char *path,
+ security_context_t *context);
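Review bot: The new prototype for `internal_getfilecon_raw` has no definition and no caller anywhere in this patch, while fgetfilecon.c, getfilecon.c and lgetfilecon.c each receive a copy of the same untranslation block; either a file is missing from the patch or the declaration is dead. If the helper is meant to de-duplicate those three, note that its `func` parameter type `ssize_t (*)(const char *, const char *, void *, size_t)` fits the path-based getxattr/lgetxattr calls but not fgetxattr, which takes an int descriptor first, so fgetfilecon_raw would still need its own path. A comment on the declaration stating which callers it serves, e.g. `/* shared body for getfilecon_raw/lgetfilecon_raw; func is getxattr or lgetxattr */`, would pin that down.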