* Another place where policy blows up because of translations in MCS.
@ 2005-08-30 16:02 Daniel J Walsh
  2005-08-30 16:09 ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2005-08-30 16:02 UTC (permalink / raw)
  To: Stephen Smalley, James Morris, SELinux

/usr/bin/checkpolicy -M -o policy.20 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 20) to policy.20
Validating file contexts files ...
/usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
libsepol.sepol_ctx_struct_create: mls is enabled, but no mls context found
libsepol.sepol_ctx_struct_create: error creating context structure
libsepol.sepol_ctx_struct_from_string: unable to create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:default_t to sid
file_contexts/file_contexts:  line 155 has invalid context system_u:object_r:default_t
make: *** [policy.20] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.74451 (%build)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Another place where policy blows up because of translations in MCS.
  2005-08-30 16:02 Another place where policy blows up because of translations in MCS Daniel J Walsh
@ 2005-08-30 16:09 ` Stephen Smalley
  2005-08-30 17:21   ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2005-08-30 16:09 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: James Morris, SELinux

On Tue, 2005-08-30 at 12:02 -0400, Daniel J Walsh wrote:
> /usr/bin/checkpolicy -M -o policy.20 policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> /usr/bin/checkpolicy:  policy configuration loaded
> /usr/bin/checkpolicy:  writing binary representation (version 20) to 
> policy.20
> Validating file contexts files ...
> /usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
> libsepol.sepol_ctx_struct_create: mls is enabled, but no mls context found
> libsepol.sepol_ctx_struct_create: error creating context structure
> libsepol.sepol_ctx_struct_from_string: unable to create context structure
> libsepol.sepol_context_to_sid: could not convert 
> system_u:object_r:default_t to sid
> file_contexts/file_contexts:  line 155 has invalid context 
> system_u:object_r:default_t
> make: *** [policy.20] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.74451 (%build)

That looks correct to me.  file_contexts for MCS should include the s0
component.  The goal wasn't to allow you to ship policy without MLS
fields, just to not require a complete relabeling of the filesystem upon
an upgrade from non-MLS to MLS/MCS.

A while back, I added the 'make mlsconvert' target to the policy
Makefile to allow simple conversion to a MLS enabled policy from the
example policy.

On a different note, is anyone working on a kernel patch to cause SELinux
to set the on-disk xattr to be consistent with the in-core inode security
label when it lacks the MLS field, so that getxattr will subsequently
return the right value?

-- 
Stephen Smalley
National Security Agency



* Re: Another place where policy blows up because of translations in MCS.
  2005-08-30 16:09 ` Stephen Smalley
@ 2005-08-30 17:21   ` Daniel J Walsh
  2005-08-31 12:57     ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2005-08-30 17:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, SELinux

Stephen Smalley wrote:

>On Tue, 2005-08-30 at 12:02 -0400, Daniel J Walsh wrote:
>  
>
>>/usr/bin/checkpolicy -M -o policy.20 policy.conf
>>/usr/bin/checkpolicy:  loading policy configuration from policy.conf
>>/usr/bin/checkpolicy:  policy configuration loaded
>>/usr/bin/checkpolicy:  writing binary representation (version 20) to 
>>policy.20
>>Validating file contexts files ...
>>/usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
>>libsepol.sepol_ctx_struct_create: mls is enabled, but no mls context found
>>libsepol.sepol_ctx_struct_create: error creating context structure
>>libsepol.sepol_ctx_struct_from_string: unable to create context structure
>>libsepol.sepol_context_to_sid: could not convert 
>>system_u:object_r:default_t to sid
>>file_contexts/file_contexts:  line 155 has invalid context 
>>system_u:object_r:default_t
>>make: *** [policy.20] Error 1
>>error: Bad exit status from /var/tmp/rpm-tmp.74451 (%build)
>>    
>>
>
>That looks correct to me.  file_contexts for MCS should include the s0
>component.  The goal wasn't to allow you to ship policy without MLS
>fields, just to not require a complete relabeling of the filesystem upon
>an upgrade from non-MLS to MLS/MCS.
>
>  
>
They do.  I think Matchpathcon is going through the translation library 
and removing the :s0.  If I turn off translation it works.

>A while back, I added the 'make mlsconvert' target to the policy
>Makefile to allow simple conversion to a MLS enabled policy from the
>example policy.
>
>  
>
We use it.

>On a different note, is anyone working on a kernel patch to cause SELinux
>to set the on-disk xattr to be consistent with the in-core inode security
>label when it lacks the MLS field, so that getxattr will subsequently
>return the right value?
>
>  
>



* Re: Another place where policy blows up because of translations in MCS.
  2005-08-30 17:21   ` Daniel J Walsh
@ 2005-08-31 12:57     ` Stephen Smalley
  2005-08-31 14:08       ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2005-08-31 12:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Darrel Goeddel, James Morris, SELinux

On Tue, 2005-08-30 at 13:21 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> 
> >On Tue, 2005-08-30 at 12:02 -0400, Daniel J Walsh wrote:
> >  
> >
> >>/usr/bin/checkpolicy -M -o policy.20 policy.conf
> >>/usr/bin/checkpolicy:  loading policy configuration from policy.conf
> >>/usr/bin/checkpolicy:  policy configuration loaded
> >>/usr/bin/checkpolicy:  writing binary representation (version 20) to 
> >>policy.20
> >>Validating file contexts files ...
> >>/usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
> >>libsepol.sepol_ctx_struct_create: mls is enabled, but no mls context found
> >>libsepol.sepol_ctx_struct_create: error creating context structure
> >>libsepol.sepol_ctx_struct_from_string: unable to create context structure
> >>libsepol.sepol_context_to_sid: could not convert 
> >>system_u:object_r:default_t to sid
> >>file_contexts/file_contexts:  line 155 has invalid context 
> >>system_u:object_r:default_t
> >>make: *** [policy.20] Error 1
> >>error: Bad exit status from /var/tmp/rpm-tmp.74451 (%build)
> >>    
> >>
> >
> >That looks correct to me.  file_contexts for MCS should include the s0
> >component.  The goal wasn't to allow you to ship policy without MLS
> >fields, just to not require a complete relabeling of the filesystem upon
> >an upgrade from non-MLS to MLS/MCS.
> >
> >  
> >
> They do.  I think Matchpathcon is going through the translation library 
> and removing the :s0.  If I turn off translation it works.

Ok, you are correct - matchpathcon_init is calling the invalidcon
callback with the translated context, and setfiles' invalidcon function
is then invoking sepol_check_context when checking a file_contexts file
against a binary policy file.  Since libsepol isn't translation-aware,
it needs a raw context instead.  Options seem to be:
- Change setfiles to invoke the libsetrans functions to translate to a
raw context prior to calling libsepol, or
- Make libsepol translation-aware.

-- 
Stephen Smalley
National Security Agency



* Re: Another place where policy blows up because of translations in MCS.
  2005-08-31 12:57     ` Stephen Smalley
@ 2005-08-31 14:08       ` Stephen Smalley
  2005-08-31 14:22         ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2005-08-31 14:08 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Darrel Goeddel, James Morris, SELinux

On Wed, 2005-08-31 at 08:57 -0400, Stephen Smalley wrote:
> Ok, you are correct - matchpathcon_init is calling the invalidcon
> callback with the translated context, and setfiles' invalidcon function
> is then invoking sepol_check_context when checking a file_contexts file
> against a binary policy file.  Since libsepol isn't translation-aware,
> it needs a raw context instead.  Options seem to be:
> - Change setfiles to invoke the libsetrans functions to translate to a
> raw context prior to calling libsepol, or

Note that we wouldn't want to require setfiles to link against
libsetrans, as there is no upstream libsetrans and it is optional.
Hence, either setfiles would need to dlopen libsetrans in the same
manner as libselinux to access the translation functions or libselinux
needs to export wrapper functions for the translation functions it has
already looked up from libsetrans.  The latter seems simpler, but
requires that we add such functions to libselinux that are exported and
have proper namespace prefixes, unlike the hidden
trans_to_raw_context/raw_to_trans_context functions.  The exported
functions would also need to internally check the context_translations
flag unlike the current trans_to_raw_context/raw_to_trans_context
functions.

> - Make libsepol translation-aware.

-- 
Stephen Smalley
National Security Agency
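The failure Stephen diagnoses above (matchpathcon hands setfiles a translated context, libsepol only understands raw ones) and the wrapper design in his follow-up (exported functions that check the context_translations flag and fall back to a plain copy), worked through as an added example. This is not code from the thread, from libselinux or from setfiles: the flag, the translation layer, the sepol_check_context stand-in and every function name here (example_*, toy_*, mls_check_context, invalidcon_after, roundtrip_strips_s0) are constructed stand-ins, and the ":s0" stripping is a toy rule modelled on Dan's observation rather than libsetrans's real behaviour. It shows why the untranslated check rejects a perfectly good MCS entry, and how translating back to raw before the check fixes it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libselinux's internal context_translations
 * flag: non-zero when a translation library (libsetrans) was found. */
static int context_translations = 1;
void example_set_translations(int on) { context_translations = on; }

/* Number of ':'-separated fields: user:role:type[:mls]. */
static int count_fields(const char *ctx)
{
    int n = 1;
    while (*ctx)
        if (*ctx++ == ':')
            n++;
    return n;
}

/* Toy translation (constructed to mimic the ":s0" stripping the thread
 * describes): translated form drops a trailing ":s0"; a three-field
 * translated context gets it back. */
static char *toy_raw_to_trans(const char *raw)
{
    size_t len = strlen(raw);
    char *out;
    if (len <= 3 || strcmp(raw + len - 3, ":s0") != 0)
        return strdup(raw);
    out = malloc(len - 2);              /* drop 3 bytes, keep the NUL */
    if (!out)
        return NULL;
    memcpy(out, raw, len - 3);
    out[len - 3] = '\0';
    return out;
}

static char *toy_trans_to_raw(const char *trans)
{
    size_t len = strlen(trans);
    char *out;
    if (count_fields(trans) != 3)
        return strdup(trans);
    out = malloc(len + 4);              /* ":s0" plus NUL */
    if (!out)
        return NULL;
    memcpy(out, trans, len);
    memcpy(out + len, ":s0", 4);
    return out;
}

/* Exported wrappers in the shape the thread proposes: honour the flag,
 * fall back to a plain copy without a translation library, and treat
 * NULL the same either way.  Caller frees; -1 means allocation failure. */
int example_trans_to_raw_context(const char *trans, char **rawp)
{
    if (!trans) { *rawp = NULL; return 0; }
    *rawp = context_translations ? toy_trans_to_raw(trans) : strdup(trans);
    return *rawp ? 0 : -1;
}

int example_raw_to_trans_context(const char *raw, char **transp)
{
    if (!raw) { *transp = NULL; return 0; }
    *transp = context_translations ? toy_raw_to_trans(raw) : strdup(raw);
    return *transp ? 0 : -1;
}

/* Stand-in for sepol_check_context() against an MLS-enabled policy: it
 * knows only raw contexts and requires the fourth field.  0 = accepted,
 * -1 = invalid.  Before the patch, setfiles fed it the translated string. */
int mls_check_context(const char *raw)
{
    return count_fields(raw) == 4 ? 0 : -1;
}

/* setfiles' invalidcon after the patch: translate to raw, check, and free
 * the copy (the posted hunk omits the free).  Returns 1 if valid. */
int invalidcon_after(const char *context)
{
    char *raw = NULL;
    int valid;
    if (example_trans_to_raw_context(context, &raw) || !raw)
        return 0;
    valid = (mls_check_context(raw) >= 0);
    free(raw);
    return valid;
}

/* raw -> translated -> raw; 1 when the translated form has lost its
 * ":s0" and the raw form comes back byte-for-byte. */
int roundtrip_strips_s0(const char *raw)
{
    char *trans = NULL, *back = NULL;
    int ok = 0;
    if (example_raw_to_trans_context(raw, &trans) == 0 && trans &&
        example_trans_to_raw_context(trans, &back) == 0 && back)
        ok = (count_fields(trans) == 3 && strcmp(back, raw) == 0);
    free(trans);
    free(back);
    return ok;
}
```

With the flag on, `mls_check_context("system_u:object_r:default_t")` fails exactly as the setfiles run in the first message does, while `invalidcon_after` on the same string passes because the wrapper restores the ":s0" first. With the flag off, the wrapper degrades to a copy and a three-field entry is correctly rejected, which is what an MCS build without a translation library should see.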



* Re: Another place where policy blows up because of translations in MCS.
  2005-08-31 14:08       ` Stephen Smalley
@ 2005-08-31 14:22         ` Stephen Smalley
  2005-08-31 14:57           ` Darrel Goeddel
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2005-08-31 14:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Darrel Goeddel, James Morris, SELinux

[-- Attachment #1: Type: text/plain, Size: 1056 bytes --]

On Wed, 2005-08-31 at 10:08 -0400, Stephen Smalley wrote:
> Note that we wouldn't want to require setfiles to link against
> libsetrans, as there is no upstream libsetrans and it is optional.
> Hence, either setfiles would need to dlopen libsetrans in the same
> manner as libselinux to access the translation functions or libselinux
> needs to export wrapper functions for the translation functions it has
> already looked up from libsetrans.  The latter seems simpler, but
> requires that we add such functions to libselinux that are exported and
> have proper namespace prefixes, unlike the hidden
> trans_to_raw_context/raw_to_trans_context functions.  The exported
> functions would also need to internally check the context_translations
> flag unlike the current trans_to_raw_context/raw_to_trans_context
> functions.

See the attached patches for libselinux and setfiles.  Does this address
the issue?  Is it the right approach (i.e. keeping libsepol
translation-unaware and handling this in setfiles)?

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: libselinux-trans.patch --]
[-- Type: text/x-patch, Size: 2071 bytes --]

Index: libselinux/include/selinux/selinux.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/include/selinux/selinux.h,v
retrieving revision 1.42
diff -u -p -r1.42 selinux.h
--- libselinux/include/selinux/selinux.h	24 Aug 2005 19:56:29 -0000	1.42
+++ libselinux/include/selinux/selinux.h	31 Aug 2005 14:15:13 -0000
@@ -344,6 +344,14 @@ extern int rpm_execcon(unsigned int veri
    be relabeled . */
 extern int is_context_customizable (security_context_t scontext);
 
+/* Perform context translation between the human-readable format
+   ("translated") and the internal system format ("raw"). 
+   Caller must free the resulting context.  
+   Returns -1 upon an error or 0 otherwise.
+   If passed NULL, sets the returned context to NULL and returns 0. */
+extern int selinux_trans_to_raw_context(char *trans, char **rawp);
+extern int selinux_raw_to_trans_context(char *raw, char **transp);
+
 #ifdef __cplusplus
 }
 #endif
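Review bot: the new prototypes `+extern int selinux_trans_to_raw_context(char *trans, char **rawp);` and `+extern int selinux_raw_to_trans_context(char *raw, char **transp);` take non-const input pointers although the functions only read the string; declaring the inputs `const char *` would let callers such as the setfiles patch drop the `(char*)context` cast. The comment block also carries trailing whitespace on the `("raw").` and `Caller must free the resulting context.` lines.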
Index: libselinux/src/trans.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/trans.c,v
retrieving revision 1.4
diff -u -p -r1.4 trans.c
--- libselinux/src/trans.c	25 Aug 2005 14:11:39 -0000	1.4
+++ libselinux/src/trans.c	31 Aug 2005 14:12:15 -0000
@@ -16,6 +16,20 @@ int hidden trans_to_raw_context(char *tr
 	return *rawp ? 0 : -1;
 }
 
+int selinux_trans_to_raw_context(char *trans, char **rawp)
+{
+	if (context_translations)
+		return trans_to_raw_context(trans, rawp);
+
+	if (!trans) {
+		*rawp = NULL;
+		return 0;
+	}
+
+	*rawp = strdup(trans);
+	return *rawp ? 0 : -1;
+}
+
 int hidden raw_to_trans_context(char *raw, char **transp) 
 {
 	*transp = NULL;
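Review bot: in `selinux_trans_to_raw_context` the NULL handling depends on which branch runs: the fallback sets `*rawp = NULL` and returns 0, but when `context_translations` is set the call goes straight to `trans_to_raw_context(trans, rawp)`, whose treatment of a NULL `trans` is not visible in this hunk. If the hidden function does not accept NULL, the header's promise ("If passed NULL, sets the returned context to NULL and returns 0") only holds with translations disabled; moving the `if (!trans)` check above the flag test makes the behaviour flag-independent.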
@@ -28,3 +42,16 @@ int hidden raw_to_trans_context(char *ra
 	return *transp ? 0 : -1;
 }
 
+int selinux_raw_to_trans_context(char *raw, char **transp)
+{
+	if (context_translations)
+		return raw_to_trans_context(raw, transp);
+
+	if (!raw) {
+		*transp = NULL;
+		return 0;
+	}
+
+	*transp = strdup(raw);
+	return *transp ? 0 : -1;
+}
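Review bot: `selinux_raw_to_trans_context` repeats the fallback of the wrapper above verbatim (NULL check, `strdup`, `return *transp ? 0 : -1;`); a small static helper for the no-translation copy would keep the two exported entry points in step, and the same remark about checking NULL before dispatching to `raw_to_trans_context(raw, transp)` applies here.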

[-- Attachment #3: setfiles-trans.patch --]
[-- Type: text/x-patch, Size: 795 bytes --]

Index: policycoreutils/setfiles/setfiles.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/setfiles/setfiles.c,v
retrieving revision 1.35
diff -u -p -r1.35 setfiles.c
--- policycoreutils/setfiles/setfiles.c	8 Apr 2005 12:27:08 -0000	1.35
+++ policycoreutils/setfiles/setfiles.c	31 Aug 2005 14:16:15 -0000
@@ -387,7 +387,11 @@ int invalidcon(const char *path, unsigne
 	int valid = 1;
 
 	if (policyfile) {
-		valid = (sepol_check_context ((char *) context) >= 0);
+		char *raw;
+		if (selinux_trans_to_raw_context((char*)context, &raw))
+			valid = 0;
+		if (valid)
+			valid = (sepol_check_context (raw) >= 0);
 	} else if (security_check_context((char *) context) < 0 && errno != ENOENT) {
 		valid = 0;
 		inc_err();
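Review bot: `raw` is never freed in `invalidcon` after `valid = (sepol_check_context (raw) >= 0);`, even though the new header comment says the caller must free the result, so every checked file_contexts entry leaks one copy whenever `policyfile` is set; add `free(raw);` after the check. The `valid = 0;` followed by `if (valid)` reads more naturally as an `else`, and a failure of `selinux_trans_to_raw_context` (an allocation failure, not a bad context) is folded into "invalid context" without the `inc_err()` that the `security_check_context` branch below calls.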


* Re: Another place where policy blows up because of translations in MCS.
  2005-08-31 14:22         ` Stephen Smalley
@ 2005-08-31 14:57           ` Darrel Goeddel
  0 siblings, 0 replies; 7+ messages in thread
From: Darrel Goeddel @ 2005-08-31 14:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, James Morris, SELinux

Stephen Smalley wrote:
> On Wed, 2005-08-31 at 10:08 -0400, Stephen Smalley wrote:
> 
>>Note that we wouldn't want to require setfiles to link against
>>libsetrans, as there is no upstream libsetrans and it is optional.
>>Hence, either setfiles would need to dlopen libsetrans in the same
>>manner as libselinux to access the translation functions or libselinux
>>needs to export wrapper functions for the translation functions it has
>>already looked up from libsetrans.  The latter seems simpler, but
>>requires that we add such functions to libselinux that are exported and
>>have proper namespace prefixes, unlike the hidden
>>trans_to_raw_context/raw_to_trans_context functions.  The exported
>>functions would also need to internally check the context_translations
>>flag unlike the current trans_to_raw_context/raw_to_trans_context
>>functions.
> 
> 
> See the attached patches for libselinux and setfiles.  Does this address
> the issue?  Is it the right approach (i.e. keeping libsepol
> translation-unaware and handling this in setfiles)?

This seems to be the proper approach.  We should keep the concept of
translated contexts at the higher levels (libselinux and applications) to
keep things as simple as possible.  The patches look good from here.  I
just wonder how I've never seen the problem.

-- 

Darrel

