* Problems with MCS/Targeted policy update.
@ 2005-08-24 13:34 Daniel J Walsh
2005-08-24 14:20 ` Stephen Smalley
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-24 13:34 UTC (permalink / raw)
To: Stephen Smalley, James Morris, SELinux
I would like to be able to upgrade rawhide with a new targeted policy
containing MCS. I see a couple of problems when I do this.
The number one problem is that it still requires a relabel. Even
though the latest kernel defaults everything to the level of "sid file",
getfilecon or the kernel is still reading the file context off disk
without the "s0", so the kernel is reporting hundreds of invalid
contexts. We need to figure out a way to fix this or we will need a relabel.
(Relabeling when upgrading from FC4-FC5 will not be pretty).
Certain applications, like chcon, might need to change to use _raw
functions. _raw functions/options would be nice to add to certain
coreutils, at least for debugging purposes.
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Problems with MCS/Targeted policy update.
2005-08-24 13:34 Problems with MCS/Targeted policy update Daniel J Walsh
@ 2005-08-24 14:20 ` Stephen Smalley
2005-08-24 15:14 ` Daniel J Walsh
2005-08-26 18:16 ` Daniel J Walsh
2005-08-26 18:25 ` Daniel J Walsh
2 siblings, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2005-08-24 14:20 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: James Morris, SELinux
On Wed, 2005-08-24 at 09:34 -0400, Daniel J Walsh wrote:
> I would like to be able to upgrade rawhide with a new targeted policy
> containing MCS. I see a couple of problems when I do this.
>
> The number one problem is that it still requires a relabel. Even
> though the latest kernel defaults everything to the level of "sid file",
> getfilecon or the kernel is still reading the file context off disk
> without the "s0", so the kernel is reporting hundreds of invalid
> contexts. We need to figure out a way to fix this or we will need a relabel.
> (Relabeling when upgrading from FC4-FC5 will not be pretty).
What is the exact error message? Given the change made by James, the
kernel shouldn't be getting any error from
security_context_to_sid_default and thus shouldn't be logging a warning
about the contexts. What kernel are you running?
> Certain applications, like chcon, might need to change to use _raw
> functions. _raw functions/options would be nice to add to certain
> coreutils, at least for debugging purposes.
You certainly don't want them to use the raw functions by default, but
having it as an option might be useful.
--
Stephen Smalley
National Security Agency
* Re: Problems with MCS/Targeted policy update.
2005-08-24 14:20 ` Stephen Smalley
@ 2005-08-24 15:14 ` Daniel J Walsh
2005-08-25 14:44 ` Stephen Smalley
0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-24 15:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, SELinux
Stephen Smalley wrote:
>On Wed, 2005-08-24 at 09:34 -0400, Daniel J Walsh wrote:
>>I would like to be able to upgrade rawhide with a new targeted policy
>>containing MCS. I see a couple of problems when I do this.
>>
>>The number one problem is that it still requires a relabel. Even
>>though the latest kernel defaults everything to the level of "sid file",
>>getfilecon or the kernel is still reading the file context off disk
>>without the "s0", so the kernel is reporting hundreds of invalid
>>contexts. We need to figure out a way to fix this or we will need a relabel.
>>(Relabeling when upgrading from FC4-FC5 will not be pretty).
>
>What is the exact error message? Given the change made by James, the
>kernel shouldn't be getting any error from
>security_context_to_sid_default and thus shouldn't be logging a warning
>about the contexts. What kernel are you running?
>
Must have been an older kernel. Just tried it again with
2.6.12-1.1505_FC5 and it seems to work.
chcon is broken though; ls and other commands are not getting the :s0
since it is not there, so there might be other problems.
>>Certain applications, like chcon, might need to change to use _raw
>>functions. _raw functions/options would be nice to add to certain
>>coreutils, at least for debugging purposes.
>
>You certainly don't want them to use the raw functions by default, but
>having it as an option might be useful.
>
* Re: Problems with MCS/Targeted policy update.
2005-08-24 15:14 ` Daniel J Walsh
@ 2005-08-25 14:44 ` Stephen Smalley
2005-08-25 15:12 ` Stephen Smalley
2005-08-25 15:19 ` Karl MacMillan
0 siblings, 2 replies; 15+ messages in thread
From: Stephen Smalley @ 2005-08-25 14:44 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux-dev, Darrel Goeddel, James Morris, SELinux
On Wed, 2005-08-24 at 11:14 -0400, Daniel J Walsh wrote:
> Must have been an older kernel. Just tried it again with
> 2.6.12-1.1505_FC5 and it seems to work.
> chcon is broken though; ls and other commands are not getting the :s0
> since it is not there, so there might be other problems.
Ok, Dan pointed out another issue with cleanly upgrading from targeted
to MCS: although the SELinux module now defaults the MLS level for
inodes that lack one (based on the default file SID associated with the
superblock, typically the 'file' initial SID unless one uses a
defcontext= mount option), userspace still sees the real xattr value,
and this leads to problems, e.g. userspace can take a context obtained
via getfilecon and later try to pass it to an interface like setfilecon
or setfscreatecon or security_compute_create, and the SELinux module
will then reject the context as invalid (because the defaulting logic
only applies when mapping inode contexts to incore inode SIDs, not for
contexts supplied by userspace). Options are:
- Change the SELinux module to reset the on-disk xattr when it defaults
the MLS level so that userspace will see the same context, or
- Have the MCS libsetrans insert a default level (s0) into the context
if it lacks one for trans_to_raw conversion. However, the latter would
also require libselinux to invoke the translation functions in some
additional cases where it does not presently need to, e.g. rpm_execcon
currently works entirely with raw contexts, but would need to go through
libsetrans in order to gain the benefit of such corrections on the
result of the getfilecon.
--
Stephen Smalley
National Security Agency
* Re: Problems with MCS/Targeted policy update.
2005-08-25 14:44 ` Stephen Smalley
@ 2005-08-25 15:12 ` Stephen Smalley
2005-08-25 15:19 ` Karl MacMillan
1 sibling, 0 replies; 15+ messages in thread
From: Stephen Smalley @ 2005-08-25 15:12 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux-dev, Darrel Goeddel, James Morris, SELinux
On Thu, 2005-08-25 at 10:44 -0400, Stephen Smalley wrote:
> Ok, Dan pointed out another issue with cleanly upgrading from targeted
> to MCS: although the SELinux module now defaults the MLS level for
> inodes that lack one (based on the default file SID associated with the
> superblock, typically the 'file' initial SID unless one uses a
> defcontext= mount option), userspace still sees the real xattr value,
> and this leads to problems, e.g. userspace can take a context obtained
> via getfilecon and later try to pass it to an interface like setfilecon
> or setfscreatecon or security_compute_create, and the SELinux module
> will then reject the context as invalid (because the defaulting logic
> only applies when mapping inode contexts to incore inode SIDs, not for
> contexts supplied by userspace). Options are:
> - Change the SELinux module to reset the on-disk xattr when it defaults
> the MLS level so that userspace will see the same context, or
> - Have the MCS libsetrans insert a default level (s0) into the context
> if it lacks one for trans_to_raw conversion. However, the latter would
> also require libselinux to invoke the translation functions in some
> additional cases where it does not presently need to, e.g. rpm_execcon
> currently works entirely with raw contexts, but would need to go through
> libsetrans in order to gain the benefit of such corrections on the
> result of the getfilecon.
Here is the workaround patch for rpm_execcon until the kernel is fixed.
Index: libselinux/src/rpm.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/rpm.c,v
retrieving revision 1.5
diff -u -p -r1.5 rpm.c
--- libselinux/src/rpm.c 23 Aug 2005 16:46:41 -0000 1.5
+++ libselinux/src/rpm.c 25 Aug 2005 14:52:49 -0000
@@ -16,15 +16,15 @@ int rpm_execcon(unsigned int verified __
if (is_selinux_enabled() < 1)
return execve(filename, argv, envp);
- rc = getcon_raw(&mycon);
+ rc = getcon(&mycon);
if (rc < 0)
goto out;
- rc = getfilecon_raw(filename, &fcon);
+ rc = getfilecon(filename, &fcon);
if (rc < 0)
goto out;
- rc = security_compute_create_raw(mycon, fcon, SECCLASS_PROCESS, &newcon);
+ rc = security_compute_create(mycon, fcon, SECCLASS_PROCESS, &newcon);
if (rc < 0)
goto out;
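Review bot: the three calls switched here from their _raw forms carry no comment saying that this is a temporary workaround pending the kernel fix, which the cover text states it is; add one at the first changed call so the hunk can be reverted cleanly once the kernel rewrites the xattr. Note also that getcon(), getfilecon() and security_compute_create() only differ from the _raw entry points when a translation library has been loaded (the raw_to_trans/trans_to_raw hooks pass the string through otherwise), so on a system without libsetrans an on-disk label lacking a level still reaches security_compute_create unchanged and is rejected exactly as before.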
@@ -41,7 +41,7 @@ int rpm_execcon(unsigned int verified __
goto out;
}
- rc = setexeccon_raw(newcon);
+ rc = setexeccon(newcon);
if (rc < 0)
goto out;
rc = execve(filename, argv, envp);
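Review bot: setexeccon(newcon) is consistent only because newcon now comes from the translated security_compute_create() in the previous hunk; the lines of rpm_execcon between the two hunks are not shown, so confirm that no remaining _raw call in the function still receives mycon, fcon or newcon, since handing a translated string to a raw interface would skip trans_to_raw and reintroduce the invalid-context error this patch is working around.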
--
Stephen Smalley
National Security Agency
* RE: Problems with MCS/Targeted policy update.
2005-08-25 14:44 ` Stephen Smalley
2005-08-25 15:12 ` Stephen Smalley
@ 2005-08-25 15:19 ` Karl MacMillan
2005-08-25 16:14 ` Stephen Smalley
1 sibling, 1 reply; 15+ messages in thread
From: Karl MacMillan @ 2005-08-25 15:19 UTC (permalink / raw)
To: 'Stephen Smalley', 'Daniel J Walsh'
Cc: SELinux-dev, 'Darrel Goeddel', 'James Morris',
'SELinux'
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Thursday, August 25, 2005 10:44 AM
> To: Daniel J Walsh
> Cc: SELinux-dev@tresys.com; Darrel Goeddel; James Morris; SELinux
> Subject: Re: Problems with MCS/Targeted policy update.
>
> On Wed, 2005-08-24 at 11:14 -0400, Daniel J Walsh wrote:
> > Must have been an older kernel. Just tried it again with
> > 2.6.12-1.1505_FC5 and it seems to work.
> > chcon is broken though; ls and other commands are not getting the :s0
> > since it is not there, so there might be other problems.
>
> Ok, Dan pointed out another issue with cleanly upgrading from targeted
> to MCS: although the SELinux module now defaults the MLS level for
> inodes that lack one (based on the default file SID associated with the
> superblock, typically the 'file' initial SID unless one uses a
> defcontext= mount option), userspace still sees the real xattr value,
> and this leads to problems, e.g. userspace can take a context obtained
> via getfilecon and later try to pass it to an interface like setfilecon
> or setfscreatecon or security_compute_create, and the SELinux module
> will then reject the context as invalid (because the defaulting logic
> only applies when mapping inode contexts to incore inode SIDs, not for
> contexts supplied by userspace). Options are:
> - Change the SELinux module to reset the on-disk xattr when it defaults
> the MLS level so that userspace will see the same context, or
> - Have the MCS libsetrans insert a default level (s0) into the context
> if it lacks one for trans_to_raw conversion. However, the latter would
> also require libselinux to invoke the translation functions in some
> additional cases where it does not presently need to, e.g. rpm_execcon
> currently works entirely with raw contexts, but would need to go through
> libsetrans in order to gain the benefit of such corrections on the
> result of the getfilecon.
>
This is a problem in other places as well - particularly when the on-disk
contexts are invalid. It would be ideal to have interfaces to retrieve both the
on-disk label (for relabeling based on old, possibly invalid contexts) and the
label being used by the kernel. Resetting the on-disk xattr seems like the
better choice of the two you gave to me because it could be generalized to
handle the invalid context case, but we would lose the ability to change the
label based on the previous label.
Karl
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
* RE: Problems with MCS/Targeted policy update.
2005-08-25 15:19 ` Karl MacMillan
@ 2005-08-25 16:14 ` Stephen Smalley
2005-08-25 18:13 ` Karl MacMillan
0 siblings, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2005-08-25 16:14 UTC (permalink / raw)
To: Karl MacMillan
Cc: 'Daniel J Walsh', SELinux-dev, 'Darrel Goeddel',
'James Morris', 'SELinux'
On Thu, 2005-08-25 at 11:19 -0400, Karl MacMillan wrote:
> This is a problem in other places as well - particularly when the on-disk
> contexts are invalid. It would be ideal to have interfaces to retrieve both the
> on-disk label (for relabeling based on old, possibly invalid contexts) and the
> label being used by the kernel.
Yes, that has been discussed in the past, but no real consensus on the
right approach. The generic VFS fallback for security xattrs patch
seems to be going forward, so that at least allows us to get the incore
inode security label for filesystems that do not support xattrs, but it
doesn't help with the inconsistent xattr/label problem on filesystems
that do support xattrs.
In general we don't want applications to have to deal with the notion
that there are two distinct labels at all, so we'd just like to ensure
consistency whenever possible. We could possibly export a selinuxfs
interface for querying the incore inode security label of a given file,
but it seems rather ugly, and most applications are just going to call
getfilecon/getxattr for normal work.
> Resetting the on-disk xattr seems like the
> better choice of the two you gave to me because it could be generalized to
> handle the invalid context case, but we would lose the ability to change the
> label based on the previous label.
--
Stephen Smalley
National Security Agency
* RE: Problems with MCS/Targeted policy update.
2005-08-25 16:14 ` Stephen Smalley
@ 2005-08-25 18:13 ` Karl MacMillan
0 siblings, 0 replies; 15+ messages in thread
From: Karl MacMillan @ 2005-08-25 18:13 UTC (permalink / raw)
To: 'Stephen Smalley'
Cc: 'Daniel J Walsh', SELinux-dev, 'Darrel Goeddel',
'James Morris', 'SELinux'
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Thursday, August 25, 2005 12:15 PM
> To: Karl MacMillan
> Cc: 'Daniel J Walsh'; SELinux-dev@tresys.com; 'Darrel Goeddel'; 'James
> Morris'; 'SELinux'
> Subject: RE: Problems with MCS/Targeted policy update.
>
> On Thu, 2005-08-25 at 11:19 -0400, Karl MacMillan wrote:
> > This is a problem in other places as well - particularly when the on-disk
> > contexts are invalid. It would be ideal to have interfaces to retrieve both
> the
> > on-disk label (for relabeling based on old, possibly invalid contexts) and
> the
> > label being used by the kernel.
>
> Yes, that has been discussed in the past, but no real consensus on the
> right approach. The generic VFS fallback for security xattrs patch
> seems to be going forward, so that at least allows us to get the incore
> inode security label for filesystems that do not support xattrs, but it
> doesn't help with the inconsistent xattr/label problem on filesystems
> that do support xattrs.
>
> In general we don't want applications to have to deal with the notion
> that there are two distinct labels at all, so we'd just like to ensure
> consistency whenever possible. We could possibly export a selinuxfs
> interface for querying the incore inode security label of a given file,
> but it seems rather ugly, and most applications are just going to call
> getfilecon/getxattr for normal work.
>
I agree that most apps only want to know about one label, but it seems like most
applications want the incore inode security label. Only maintenance tools like
restorecon or replcon would want access to the actual on-disk labels. I would
think that updating the on-disk label to be consistent with the incore labels
would be the best default. As you say, consistency is the best default.
Karl
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
> > Resetting the on-disk xattr seems like the
> > better choice of the two you gave to me because it could be generalized to
> > handle the invalid context case, but we would lose the ability to change the
> > label based on the previous label.
>
* Re: Problems with MCS/Targeted policy update.
2005-08-24 13:34 Problems with MCS/Targeted policy update Daniel J Walsh
2005-08-24 14:20 ` Stephen Smalley
@ 2005-08-26 18:16 ` Daniel J Walsh
2005-08-26 18:24 ` Stephen Smalley
2005-08-26 18:25 ` Daniel J Walsh
2 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-26 18:16 UTC (permalink / raw)
To: Darrel Goeddel, Stephen Smalley; +Cc: James Morris, SELinux
Basically this patch checks to see if
MLS and translation are enabled and *getfilecon_raw returns a context
without a level; if so, it calls the untranslate function to try to get a
level, which with MCS will get you an s0. So we could put back the raw
calls in rpm_execcon.
So we could have most contexts on disk without the s0 and the getfilecon
raw call will return it.
Dan
--
[-- Attachment #2: libselinux-rhat.patch --]
diff --exclude-from=exclude -N -u -r nsalibselinux/src/context.c libselinux-1.25.4/src/context.c
--- nsalibselinux/src/context.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/context.c 2005-08-26 12:02:38.000000000 -0400
@@ -181,16 +181,8 @@
def_set(type,COMP_TYPE)
def_set(role,COMP_ROLE)
def_set(user,COMP_USER)
+def_set(range,COMP_RANGE)
-int context_range_set(context_t context,const char* str)
-{
- context_private_t *n = context->ptr;
- if ( ! n->component[COMP_RANGE] ) {
- return 0;
- } else {
- return set_comp(n,COMP_RANGE,str);
- }
-}
hidden_def(context_range_set)
#ifdef L1TEST
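Review bot: replacing the hand-written context_range_set with def_set(range,COMP_RANGE) drops the branch that returned 0 without doing anything when the context had no range component; after this hunk context_range_set will add a range to such a context, which is what inserting a default level needs, but it is a behaviour change to an exported function and should be called out in the ChangeLog and in the context_range_set documentation. The retained hidden_def(context_range_set) still matches the name def_set generates, so the build is unaffected.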
--- nsalibselinux/src/fgetfilecon.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/fgetfilecon.c 2005-08-26 12:38:16.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(fgetfilecon_raw)
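Review bot: the return value of trans_to_raw_context(buf,context) is ignored and buf is then freed unconditionally, so if the call fails *context is either still buf (now freed) or unset while ret is still returned as success, and the caller dereferences or frees a dangling pointer. Check the return code and on failure keep *context = buf (or free it and return -1), e.g. if (trans_to_raw_context(buf, context) == 0) free(buf);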
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.25.4/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c 2005-08-24 09:07:11.000000000 -0400
+++ libselinux-1.25.4/src/getfilecon.c 2005-08-26 12:28:58.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(getfilecon_raw)
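Review bot: the level test loops to size, which here is the size of the buffer handed to getxattr rather than the length of the returned string, and relies on the earlier zeroing of buf for the buf[i] && guard to stop it reading junk; iterate on the terminator instead (for (i = 0; buf[i]; i++)). Counting ':' does distinguish three fields from four, since only the range can add more separators, but it is a proxy for "no fourth field"; splitting on the first three separators, or building a context_t and asking for the range, states the intent directly and does not depend on how the buffer was prepared.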
diff --exclude-from=exclude -N -u -r nsalibselinux/src/init.c libselinux-1.25.4/src/init.c
--- nsalibselinux/src/init.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/init.c 2005-08-26 12:06:08.000000000 -0400
@@ -119,11 +119,13 @@
}
}
+int mls_enabled hidden;
static void init_lib(void) __attribute__ ((constructor));
static void init_lib(void)
{
init_selinuxmnt();
init_translations();
+ mls_enabled=is_selinux_mls_enabled();
}
static void fini_lib(void) __attribute__ ((destructor));
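Review bot: mls_enabled is sampled once in the constructor, so it reflects /selinux/mls as it was when the library was loaded; a long-lived process that started before policy load (init, or anything exec'd before load_policy ran) keeps that value for its lifetime and never takes the new branch in the *getfilecon_raw functions. If selinuxfs is not mounted at that point is_selinux_mls_enabled() yields 0 and the new path is silently disabled, which is probably the intended fallback but deserves a comment next to the assignment.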
--- nsalibselinux/src/lgetfilecon.c 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/lgetfilecon.c 2005-08-26 12:38:12.000000000 -0400
@@ -39,8 +39,21 @@
out:
if (ret < 0)
free(buf);
- else
- *context = buf;
+ else {
+ *context = buf;
+ /* The following code is to check if the 4th parameter on disk
+ has been set, if not attempt to untranslate it to get the
+ fourth parameter. MCS Defaults 4th parameter to s0: */
+ if (mls_enabled && context_translations) {
+ int ctr=0, i=0;
+ for (i=0; i<size;i++)
+ if (buf[i] && buf[i]==':') ctr++;
+ if (ctr<3) {
+ trans_to_raw_context(buf,context);
+ free(buf);
+ }
+ }
+ }
return ret;
}
hidden_def(lgetfilecon_raw)
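Review bot: this is the third verbatim copy of the same block (fgetfilecon.c and getfilecon.c carry the other two), differing only in the hidden_def name, so any fix to the return-code handling or the separator counting has to be made three times. Factor it into one helper that takes the filled buffer and is called from all three _raw functions; the header change in this same patch already declares an internal_getfilecon_raw intended for exactly that.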
diff --exclude-from=exclude -N -u -r nsalibselinux/src/query_user_context.c libselinux-1.25.4/src/query_user_context.c
--- nsalibselinux/src/query_user_context.c 2005-02-22 16:34:17.000000000 -0500
+++ libselinux-1.25.4/src/query_user_context.c 2005-08-26 12:06:47.000000000 -0400
@@ -122,7 +122,6 @@
int typelen = 100;
char level[100]; /* The level requested by the user */
int levellen = 100;
- int mls_enabled = is_selinux_mls_enabled();
context_t new_context; /* The new context chosen by the user */
char *user_context = NULL; /* String value of the user's context */
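Review bot: removing the local means this function now reads the library-wide mls_enabled that the constructor set once at load time instead of calling is_selinux_mls_enabled() on every invocation; the result is the same for a session tool that starts after policy load, but the dependency on the constructor is invisible from this file, so leave a one-line comment where the declaration was removed.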
--- nsalibselinux/src/selinux_internal.h 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.25.4/src/selinux_internal.h 2005-08-26 12:24:26.000000000 -0400
@@ -51,5 +51,10 @@
hidden_proto(selinux_users_path)
extern int context_translations hidden;
+extern int mls_enabled hidden;
extern int hidden trans_to_raw_context(char *trans, char **rawp);
extern int hidden raw_to_trans_context(char *raw, char **transp);
+extern int hidden internal_getfilecon_raw(
+ ssize_t (*func)(const char *, const char*, void *, size_t),
+ const char *path,
+ security_context_t *context);
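Review bot: internal_getfilecon_raw is declared here with a getxattr-style function-pointer parameter, but nothing in this patch defines it or calls it; the three open-coded blocks in fgetfilecon.c, getfilecon.c and lgetfilecon.c are what it should replace. Either add the definition and route the three _raw functions through it, or drop the prototype so the header does not advertise a function that does not exist.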
* Re: Problems with MCS/Targeted policy update.
2005-08-26 18:16 ` Daniel J Walsh
@ 2005-08-26 18:24 ` Stephen Smalley
2005-08-26 18:50 ` Daniel J Walsh
2005-08-26 18:51 ` Daniel J Walsh
0 siblings, 2 replies; 15+ messages in thread
From: Stephen Smalley @ 2005-08-26 18:24 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Darrel Goeddel, James Morris, SELinux
On Fri, 2005-08-26 at 14:16 -0400, Daniel J Walsh wrote:
> Basically this patch checks to see if
> MLS and translation are enabled and *getfilecon_raw returns a context
> without a level; if so, it calls the untranslate function to try to get a
> level, which with MCS will get you an s0. So we could put back the raw
> calls in rpm_execcon.
>
> So we could have most contexts on disk without the s0 and the getfilecon
> raw call will return it.
Umm....I really don't think we want to do this.
If you want to transparently insert and remove a default MLS level in your
libsetrans, that is fine. But I don't want this in libselinux.
I think we need to change the kernel to setxattr the on-disk xattr to be
consistent with the incore inode security label in these cases, which
will also solve the problem for us (once that is upstreamed).
--
Stephen Smalley
National Security Agency
* Re: Problems with MCS/Targeted policy update.
2005-08-24 13:34 Problems with MCS/Targeted policy update Daniel J Walsh
2005-08-24 14:20 ` Stephen Smalley
2005-08-26 18:16 ` Daniel J Walsh
@ 2005-08-26 18:25 ` Daniel J Walsh
2005-08-26 18:27 ` Stephen Smalley
2 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-26 18:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
Patch to use raw functions.
--
[-- Attachment #2: policycoreutils-rhat.patch --]
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.25.7/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2005-07-27 09:58:39.000000000 -0400
+++ policycoreutils-1.25.7/restorecon/restorecon.c 2005-08-26 14:20:10.000000000 -0400
@@ -186,7 +186,7 @@
freecon(scontext);
return 0;
}
- retcontext=lgetfilecon(filename,&prev_context);
+ retcontext=lgetfilecon_raw(filename,&prev_context);
if (retcontext >= 0 || errno == ENODATA) {
int customizable=0;
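Review bot: prev_context is now the raw on-disk string while the rest of restorecon still obtains the expected label from matchpathcon() and applies it with setfilecon(), both in translated form; when the two are compared, a file whose label differs only by translation (a raw s0 versus its translated spelling) compares unequal and is relabelled on every run. If the read must be raw, the comparison and the write have to move to the _raw variants together, or the raw string has to be converted to translated form before comparing; otherwise the bug is in whatever produced the level-less label, not in this reader.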
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.25.7/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2005-04-11 16:00:46.000000000 -0400
+++ policycoreutils-1.25.7/setfiles/setfiles.c 2005-08-26 14:20:28.000000000 -0400
@@ -285,7 +285,7 @@
}
/* Get the current context of the file. */
- ret = lgetfilecon(my_file, &context);
+ ret = lgetfilecon_raw(my_file, &context);
if (ret < 0) {
if (errno == ENODATA) {
context = malloc(10);
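Review bot: same mismatch as in the restorecon hunk: context now comes from lgetfilecon_raw while setfiles compares it against matchpathcon() output and applies it with setfilecon(), both translated, so every label whose raw and translated spellings differ looks wrong and gets rewritten. The ENODATA branch directly below still allocates a placeholder context, so the raw/translated distinction does not even apply there; if the goal is to cope with old labels lacking a level, that belongs in the translation layer or the kernel, not in a one-sided switch of the read call.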
* Re: Problems with MCS/Targeted policy update.
2005-08-26 18:25 ` Daniel J Walsh
@ 2005-08-26 18:27 ` Stephen Smalley
0 siblings, 0 replies; 15+ messages in thread
From: Stephen Smalley @ 2005-08-26 18:27 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Fri, 2005-08-26 at 14:25 -0400, Daniel J Walsh wrote:
> Patch to use raw functions.
Why? It is a bug somewhere else if they need to use getfilecon_raw here
when they are using matchpathcon() and setfilecon() otherwise.
--
Stephen Smalley
National Security Agency
* Re: Problems with MCS/Targeted policy update.
2005-08-26 18:24 ` Stephen Smalley
@ 2005-08-26 18:50 ` Daniel J Walsh
2005-08-26 18:55 ` Stephen Smalley
2005-08-26 18:51 ` Daniel J Walsh
1 sibling, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-26 18:50 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Darrel Goeddel, James Morris, SELinux
Stephen Smalley wrote:
>On Fri, 2005-08-26 at 14:16 -0400, Daniel J Walsh wrote:
>>Basically this patch checks to see if
>>MLS and translation are enabled and *getfilecon_raw returns a context
>>without a level; if so, it calls the untranslate function to try to get a
>>level, which with MCS will get you an s0. So we could put back the raw
>>calls in rpm_execcon.
>>
>>So we could have most contexts on disk without the s0 and the getfilecon
>>raw call will return it.
>
>Umm....I really don't think we want to do this.
>
>If you want to transparently insert and remove a default MLS level in your
>libsetrans, that is fine. But I don't want this in libselinux.
>
>I think we need to change the kernel to setxattr the on-disk xattr to be
>consistent with the incore inode security label in these cases, which
>will also solve the problem for us (once that is upstreamed).
>
Ok then I think the security_context_to_sid functions in the kernel need
to change to do the translation.
Dan
* Re: Problems with MCS/Targeted policy update.
2005-08-26 18:24 ` Stephen Smalley
2005-08-26 18:50 ` Daniel J Walsh
@ 2005-08-26 18:51 ` Daniel J Walsh
1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2005-08-26 18:51 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Darrel Goeddel, James Morris, SELinux
Stephen Smalley wrote:
>On Fri, 2005-08-26 at 14:16 -0400, Daniel J Walsh wrote:
>>Basically this patch checks to see if
>>MLS and translation are enabled and *getfilecon_raw returns a context
>>without a level; if so, it calls the untranslate function to try to get a
>>level, which with MCS will get you an s0. So we could put back the raw
>>calls in rpm_execcon.
>>
>>So we could have most contexts on disk without the s0 and the getfilecon
>>raw call will return it.
>
>Umm....I really don't think we want to do this.
>
>If you want to transparently insert and remove a default MLS level in your
>libsetrans, that is fine. But I don't want this in libselinux.
>
>I think we need to change the kernel to setxattr the on-disk xattr to be
>consistent with the incore inode security label in these cases, which
>will also solve the problem for us (once that is upstreamed).
>
Yup, you're right, I have a bad policy file, forget it.
* Re: Problems with MCS/Targeted policy update.
2005-08-26 18:50 ` Daniel J Walsh
@ 2005-08-26 18:55 ` Stephen Smalley
0 siblings, 0 replies; 15+ messages in thread
From: Stephen Smalley @ 2005-08-26 18:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Darrel Goeddel, James Morris, SELinux
On Fri, 2005-08-26 at 14:50 -0400, Daniel J Walsh wrote:
> Ok then I think the security_context_to_sid functions in the kernel need
> to change to do the translation.
We just need security_context_to_sid_default to return a status to the
caller (inode_doinit) to indicate that the caller needs to perform a
setxattr to update the on-disk state. Then the caller can get the full
context via a security_sid_to_context() and pass that to setxattr.
That will still only affect existing inodes, nothing else.
selinuxfs, /proc/pid/attr, and setxattr will only accept legal contexts
that include the MLS field. We are only trying to deal with upgrading
without relabeling filesystems.
--
Stephen Smalley
National Security Agency
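The two pieces of default-level handling discussed in this thread, Stephen's option of having a libsetrans hook insert a default level into a context that lacks one (25 Aug message) and the kernel defaulting the level for an existing inode and signalling that the on-disk xattr must be rewritten (the last message), as an added example in plain C. This is not code from the thread, from libselinux or from the kernel: it uses only libc, the function names ctx_split, ctx_default_level and ctx_strip_default_level and the needs_fixup flag are the example's own, the "s0" default is taken from MCS, and the sample contexts are constructed.

```c
/*
 * Added example, not code from this thread or from libselinux: plain-C
 * handling of a context "user:role:type[:range]" that may have been stored
 * on disk without its MLS/MCS level.  Function names and the "s0" default
 * are this example's own choices; inputs are constructed.
 */
#include <stdio.h>
#include <string.h>

/* Split at the first three ':' only.  The range itself may contain ':'
 * ("s0:c0.c3", "s0-s15:c0.c1023"), so counting ':' is not a reliable test
 * for a missing level.  Returns 3 (no level), 4 (level), -1 (malformed). */
static int ctx_split(const char *ctx, const char *f[4], size_t len[4])
{
    int n = 0;
    const char *p = ctx;

    if (!ctx || !*ctx) return -1;
    while (n < 3) {
        const char *c = strchr(p, ':');
        if (!c) break;
        if (c == p) return -1;          /* empty component */
        f[n] = p; len[n] = (size_t)(c - p); n++;
        p = c + 1;
    }
    if (!*p) return -1;                 /* trailing ':' or empty last field */
    f[n] = p; len[n] = strlen(p);
    return n + 1;
}

/* Complete a context lacking a level with deflevel, as the kernel does when
 * mapping an old on-disk label to an inode SID.  Returns -1 (malformed),
 * 0 (already had a level; copied unchanged) or 1 (level defaulted, and
 * *needs_fixup set: the status that would tell inode_doinit to rewrite the
 * xattr so userspace sees the same context the kernel uses). */
int ctx_default_level(const char *ctx, const char *deflevel,
                      char *out, size_t outlen, int *needs_fixup)
{
    const char *f[4];
    size_t len[4];
    int n = ctx_split(ctx, f, len);

    if (needs_fixup) *needs_fixup = 0;
    if (n < 3) return -1;
    if (n == 4) {
        if (strlen(ctx) + 1 > outlen) return -1;
        memcpy(out, ctx, strlen(ctx) + 1);
        return 0;
    }
    if (snprintf(out, outlen, "%s:%s", ctx, deflevel) >= (int)outlen)
        return -1;
    if (needs_fixup) *needs_fixup = 1;
    return 1;
}

/* Inverse direction (the raw_to_trans side under MCS): hide a range equal
 * to deflevel, so "system_u:object_r:etc_t:s0" displays without ":s0".
 * Returns 1 if stripped, 0 if unchanged, -1 if malformed. */
int ctx_strip_default_level(const char *ctx, const char *deflevel,
                            char *out, size_t outlen)
{
    const char *f[4];
    size_t len[4];
    int n = ctx_split(ctx, f, len);
    size_t keep;

    if (n < 3) return -1;
    keep = strlen(ctx);
    if (n == 4 && len[3] == strlen(deflevel) &&
        memcmp(f[3], deflevel, len[3]) == 0)
        keep = (size_t)(f[3] - ctx) - 1;  /* drop the ':' before the range */
    if (keep + 1 > outlen) return -1;
    memcpy(out, ctx, keep);
    out[keep] = '\0';
    return keep != strlen(ctx);
}

int main(void)
{
    const char *samples[] = {            /* constructed inputs */
        "system_u:object_r:etc_t",           /* FC4-era label, no level */
        "system_u:object_r:etc_t:s0",        /* MCS label */
        "system_u:object_r:etc_t:s0:c0.c3",  /* range containing ':' */
        "system_u:object_r:",                /* malformed */
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fix = 0;
        int rc = ctx_default_level(samples[i], "s0", buf, sizeof buf, &fix);
        printf("%-34s rc=%d fixup=%d -> %s\n", samples[i], rc, fix,
               rc < 0 ? "(invalid)" : buf);
    }
    return 0;
}
```

Splitting at the first three separators rather than counting ':' is what keeps a range such as s0:c0.c3 from being misread, and the needs_fixup flag is the one-bit status the last message asks security_context_to_sid_default to hand back so that the caller knows to setxattr the completed context; neither the selinuxfs nor the /proc/pid/attr paths would get this defaulting, which matches the thread's point that only existing inodes are affected.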