* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
[not found] ` <1126873821.25919.20.camel@moss-spartans.epoch.ncsc.mil>
@ 2005-09-16 17:24 ` Daniel J Walsh
2005-09-16 18:15 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2005-09-16 17:24 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Darrel Goeddel, Karl MacMillan, SELinux
Stephen Smalley wrote:
>On Thu, 2005-09-15 at 16:54 -0400, Daniel J Walsh wrote:
>
>
>>As a test I added the following function to pam_selinux.so
>>
>>security_context_t getprefcon(const char *name);
>>security_context_t getprefcon(const char *name) {
>>    security_context_t fromcon;
>>    security_context_t newcon=NULL;
>>    context_t con;
>>    if (strcmp(name, "root") == 0)
>>        return NULL;
>>    if (getcon(&fromcon) < 0)
>>        return NULL;
>>    con=context_new(fromcon);
>>    context_range_set(con, "s0:c1,c4");
>>    newcon=strdup(context_str(con));
>>    context_free(con);
>>    freecon(fromcon);
>>    return newcon;
>>}
>> ...
>>
>>
>>    fromcon=getprefcon(username);
>>    num_contexts = get_ordered_context_list(username, fromcon, &contextlist);
>>    if (fromcon)
>>        freecon(fromcon);
>>
>>And it seems to handle the levels fine, so I don't think we need
>>anything special in libselinux. Just need to figure out how pam will
>>get the preferred context. Did not test with preferred role.
>>
>>
>
>Hi,
>
>A few observations:
>1) We need this functionality in more than just pam_selinux, as we need
>the same logic to be applied from sshd (direct selinux patch), crond
>(direct selinux patch), etc. So that's why it needs to go into
>libselinux or glibc or some shared library.
>
>
>
Yes, I agree. I just hacked this up to test it and see if
get_ordered_context_list did the right thing.
And I was happily surprised when it did.
>2) The idea is supposed to be that we have a mapping from Linux username
>to (SELinux username, default role, default range) so that we no longer
>need to add SELinux users whenever we want a different default role or a
>different default range for a given Linux user. So the idea is that we
>call a function to lookup the (SELinux username, <context blob ==
>default role:default range>) for the Linux username, then pass that data
>to another function to create an actual context for the user. For
>example, the mapping might contain:
>dwalsh staff_u staff_r:s0:c0,c12
>sds staff_u sysadm_r:s1:c2,c3
>And the SELinux policy would just have:
>user staff_u roles { staff_r sysadm_r } level s0 range s0-s9:c0.c127
>
>
>
>And then when you login, you become staff_u:staff_r:s0:c0,c12 but I
>become staff_u:sysadm_r:s1:c2,c3. So the sysadmin can assign default
>roles and ranges for individual Linux users just by changing the mapping
>file, without needing to touch the policy.
>
>
>
Yes, but with this change the "username" field in the
get_ordered_context_list becomes useless.
I know this was discussed heavily in the past but I'm not sure we came to
a conclusion.
Since we are looking to add this functionality to make MCS work, I think
we need to finalize this now.
Options seem to be:
pam modules and some apps like sshd will call
int getseprefcon(const char *name, selinux_context_t *prefcon)
to get the preferred context.
This function will be defined in one of the following libraries.
libselinux:
I don't think it should. Libselinux should just deal with selinux users.
libsemanage:
Might be a first use of libsemanage
libsetrans:
Could add functionality to allow it to "translate" Linux users into
selinux users.
First release will probably be a flat file that defaults to returning
"u_default" entry.
for targeted something like...
u_default=user_u:system_r:unconfined_t:s0
for strict something like:
u_default=user_u:user_r:user_t:s0
Eventually this will be built into a "selinux" daemon which will provide this
information and translations from remote information sources (LDAP).
>3) Watch out for differences between targeted and strict; testing under
>targeted isn't going to show you much about what will happen when you
>have multiple user roles.
>
>
Understood.
>4) This discussion should be occurring on list.
>
>
>
I added it to list.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 17:24 ` Doing testing with MCS looks like we get initial roles/levels by using fromcon Daniel J Walsh
@ 2005-09-16 18:15 ` Stephen Smalley
2005-09-16 18:39 ` Daniel J Walsh
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2005-09-16 18:15 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
On Fri, 2005-09-16 at 13:24 -0400, Daniel J Walsh wrote:
> Yes, I agree. I just hacked this up to test it and see if
> get_ordered_context_list did the right thing.
> And I was happily surprised when it did.
For the range, yes - the fromcon range implicitly bounds the possible
range of the user. But it won't generalize to the role (fromcon user
may not be authorized for the role of the user at all), and it is really
a misuse of the existing interface.
> Yes, but with this change the "username" field in the
> get_ordered_context_list becomes useless.
> I know this was discussed heavily in the past but not sure we came to
> conclusion.
Not sure I follow; username argument to libselinux is supposed to be the
SELinux username, as looked up previously based on the Linux username.
It is true that if the <context data> includes both a default role and a
default range for the Linux user, the only thing we are getting from
libselinux is taking the inputs (SELinux username, default role:default
range), determining the default type, and putting it all together into a
context. At which point we are fairly close to just defining
per-Linux-user default contexts directly in this mapping configuration
without needing to query libselinux at all.
> Since we are looking to add this functionality to make MCS work, I think
> we need to finalize this now.
>
> Options seem to be:
>
> pam modules and some apps like sshd will call
>
>
> int getseprefcon(const char *name, selinux_context_t *prefcon)
>
> to get the preferred context.
Hmmm...the original idea IIRC was to change current callers of
get_default_context or get_ordered_context_list (including pam_selinux,
sshd, crond, sudo, and others) to first call an interface like
getuserseinfo(const char *linuxuser, char **seuser, char
**secontextdata) that could be implemented in libselinux or elsewhere
(since glibc/nss wasn't accepted) and then call a new libselinux
interface like getseusercontext(const char *seuser, const char
*secontextdata, security_context_t *usercon) to get the actual user
context based on the result of the first call.
> This function will be defined in one of the following libraries.
>
> libselinux:
> I don't think it should. Libselinux should just deal with selinux users.
If we can't get the first function in glibc/nss, then the most natural
place is libselinux. In which case we can actually simplify the
interface by just providing a single unified getseusercontext(const char
*linuxuser, security_context_t *usercon) function that internally does
both the lookup and the creation of the context. Then
pam_selinux/sshd/crond/etc just call that one interface.
> libsemanage:
> Might be a first use of libsemanage
No, login et al shouldn't be invoking libsemanage at all.
> libsetrans:
> Could add functionality to allow it to "translate" Linux users into
> selinux users.
Doesn't seem quite right, as presently libsetrans is purely optional and
only indirectly called through libselinux. If pam_selinux and the
SELinux patches for sshd, crond, etc are going to directly invoke these
new interfaces, I think they have to go into libselinux.
> First release will probably be a flat file that defaults to returning
> "u_default" entry.
> for targeted something like...
> u_default=user_u:system_r:unconfined_t:s0
> for strict something like:
> u_default=user_u:user_r:user_t:s0
One issue to keep in mind here is that the current default_contexts
scheme allows for different default contexts based on the fromcon, so
local root login can default to sysadm_r while remote root login can
default to staff_r, and cron jobs can run in derived domains (e.g.
staff_r:staff_crond_t) with a more limited permission set. This new
scheme doesn't take the fromcon into account.
--
Stephen Smalley
National Security Agency
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 18:15 ` Stephen Smalley
@ 2005-09-16 18:39 ` Daniel J Walsh
2005-09-16 18:51 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2005-09-16 18:39 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
Stephen Smalley wrote:
>On Fri, 2005-09-16 at 13:24 -0400, Daniel J Walsh wrote:
>
>
>>Yes, I agree. I just hacked this up to test it and see if
>>get_ordered_context_list did the right thing.
>>And I was happily surprised when it did.
>>
>>
>
>For the range, yes - the fromcon range implicitly bounds the possible
>range of the user. But it won't generalize to the role (fromcon user
>may not be authorized for the role of the user at all), and it is really
>a misuse of the existing interface.
>
>
>
>>Yes, but with this change the "username" field in the
>>get_ordered_context_list becomes useless.
>>I know this was discussed heavily in the past but not sure we came to
>>conclusion.
>>
>>
>
>Not sure I follow; username argument to libselinux is supposed to be the
>SELinux username, as looked up previously based on the Linux username.
>It is true that if the <context data> includes both a default role and a
>default range for the Linux user, the only thing we are getting from
>libselinux is taking the inputs (SELinux username, default role:default
>range), determining the default type, and putting it all together into a
>context. At which point we are fairly close to just defining
>per-Linux-user default contexts directly in this mapping configuration
>without needing to query libselinux at all.
>
>
>
>>Since we are looking to add this functionality to make MCS work, I think
>>we need to finalize this now.
>>
>>Options seem to be:
>>
>>pam modules and some apps like sshd will call
>>
>>
>>int getseprefcon(const char *name, selinux_context_t *prefcon)
>>
>>to get the preferred context.
>>
>>
>
>Hmmm...the original idea IIRC was to change current callers of
>get_default_context or get_ordered_context_list (including pam_selinux,
>sshd, crond, sudo, and others) to first call an interface like
>getuserseinfo(const char *linuxuser, char **seuser, char
>**secontextdata) that could be implemented in libselinux or elsewhere
>(since glibc/nss wasn't accepted) and then call a new libselinux
>interface like getseusercontext(const char *seuser, const char
>*secontextdata, security_context_t *usercon) to get the actual user
>context based on the result of the first call.
>
>
Not sure how the admin would set this up. I was thinking the admin
would just state that when dwalsh logs in I want this as his preferred
context. Policy could allow or modify the preferred context as it sees
fit. Anyways we need this interface now, in order to make MCS and
eventually MLS useful.
>
>
>>This function will be defined in one of the following libraries.
>>
>>libselinux:
>>I don't think it should. Libselinux should just deal with selinux users.
>>
>>
>
>If we can't get the first function in glibc/nss, then the most natural
>place is libselinux. In which case we can actually simplify the
>interface by just providing a single unified getseusercontext(const char
>*linuxuser, security_context_t *usercon) function that internally does
>both the lookup and the creation of the context. Then
>pam_selinux/sshd/crond/etc just call that one interface.
>
>
>
I disagree. I think we need them separate so that we could eventually
get them into glibc/nss. Putting them in libselinux, forces everything
that links with libselinux to eventually link ldap and friends.
>>libsemanage:
>>Might be a first use of libsemanage
>>
>>
>
>No, login et al shouldn't be invoking libsemanage at all.
>
>
>
>>libsetrans:
>>Could add functionality to allow it to "translate" Linux users into
>>selinux users.
>>
>>
>
>Doesn't seem quite right, as presently libsetrans is purely optional and
>only indirectly called through libselinux. If pam_selinux and the
>SELinux patches for sshd, crond, etc are going to directly invoke these
>new interfaces, I think they have to go into libselinux.
>
>
>
Correct, and this translation would be purely optional from libselinux's
point of view. pam and other friends need it.
>>First release will probably be a flat file that defaults to returning
>>"u_default" entry.
>>for targeted something like...
>>u_default=user_u:system_r:unconfined_t:s0
>>for strict something like:
>>u_default=user_u:user_r:user_t:s0
>>
>>
>
>One issue to keep in mind here is that the current default_contexts
>scheme allows for different default contexts based on the fromcon, so
>local root login can default to sysadm_r while remote root login can
>default to staff_r, and cron jobs can run in derived domains (e.g.
>staff_r:staff_crond_t) with a more limited permission set. This new
>scheme doesn't take the fromcon into account.
>
>
>
Yes. This might be a reason to change the function call, although, as
your example showed, it might be disconcerting for the user to request
he log in as role (nurse_r) but get user_r when logging in locally.
--
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 18:39 ` Daniel J Walsh
@ 2005-09-16 18:51 ` Stephen Smalley
2005-09-16 19:23 ` Daniel J Walsh
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2005-09-16 18:51 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
On Fri, 2005-09-16 at 14:39 -0400, Daniel J Walsh wrote:
> Not sure how the admin would set this up. I was thinking the admin
> would just state that when dwalsh logs in I want this as his preferred
> context. Policy could allow or modify the preferred context as it sees
> fit.
No, I don't think we want them specifying a full context. Considering
it further, I don't think they should even specify the role. They can
just specify a SELinux username and a range, and let the rest of the
context (role, type) be computed based on policy in the usual manner, so
that we can still have per-fromcon roles and types for a given user.
> Correct, and this translation would be purely optional from libselinux's
> point of view. pam and other friends need it.
But if pam and other SELinux userland depends on it and you put it into
libsetrans, then it has to be provided by every libsetrans
implementation, not just yours. At which point it would be better to
have it in a separate library that doesn't have multiple instances.
> Yes. This might be a reason to change the function call, although, as
> your example showed, it might be disconcerting for the user to request
> he log in as role (nurse_r) but get user_r when logging in locally.
Admin should just specify that the Linux user default to nurse_u and
s0:c0,c3 and let the usual rules apply to role and type selection for
nurse_u.
--
Stephen Smalley
National Security Agency
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 18:51 ` Stephen Smalley
@ 2005-09-16 19:23 ` Daniel J Walsh
2005-09-16 19:34 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2005-09-16 19:23 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
Stephen Smalley wrote:
>On Fri, 2005-09-16 at 14:39 -0400, Daniel J Walsh wrote:
>
>
>>Not sure how the admin would set this up. I was thinking the admin
>>would just state that when dwalsh logs in I want this as his preferred
>>context. Policy could allow or modify the preferred context as it sees
>>fit.
>>
>>
>
>No, I don't think we want them specifying a full context. Considering
>it further, I don't think they should even specify the role. They can
>just specify a SELinux username and a range, and let the rest of the
>context (role, type) be computed based on policy in the usual manner, so
>that we can still have per-fromcon roles and types for a given user.
>
>
>
>>Correct, and this translation would be purely optional from libselinux's
>>point of view. pam and other friends need it.
>>
>>
>
>But if pam and other SELinux userland depends on it and you put it into
>libsetrans, then it has to be provided by every libsetrans
>implementation, not just yours. At which point it would be better to
>have it in a separate library that doesn't have multiple instances.
>
>
>
>>Yes. This might be a reason to change the function call, although, as
>>your example showed, it might be disconcerting for the user to request
>>he log in as role (nurse_r) but get user_r when logging in locally.
>>
>>
>
>Admin should just specify that the Linux user default to nurse_u and
>s0:c0,c3 and let the usual rules apply to role and type selection for
>nurse_u.
>
>
>
Ok do you want a function like the following
int get_ordered_context_list_with_level (const char *user,
                                         security_context_t fromcon,
                                         const char *level,
                                         security_context_t **list)
{
    int rc;
    int freefrom = 0;
    security_context_t newcon=NULL;
    context_t con;

    if (!fromcon) {
        rc = getcon(&fromcon);
        if (rc < 0)
            return rc;
        freefrom = 1;
    }
    con=context_new(fromcon);
    context_range_set(con, level);
    newcon=strdup(context_str(con));
    context_free(con);

    rc = get_ordered_context_list (user, newcon, list);
    freecon(newcon);
    if (freefrom)
        freecon(fromcon);
    return rc;
}

Then we define a function

getseuserinfo(const char *username, char **seusername, char **selevel)

so pam calls

getseuserinfo(dwalsh, &sename, &selevel);
get_ordered_context_list_with_level(sename, 0, selevel, &conlist);
--
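The two-step flow proposed in this message and in Stephen's earlier description of the mapping file (look the Linux user up to get a SELinux user and a default level, then hand the caller's own context with that level substituted as its range to get_ordered_context_list) is modelled below as an added example. It is not code from the thread or from libselinux: it re-implements the "user:role:type:range" string handling in plain C so it builds without libselinux, and the mapping file layout, the "__default__" fallback name (standing in for Dan's u_default entry) and the function names lookup_seuser, context_set_range and login_fromcon are all assumptions of this example. Passing NULL as the range drops the level entirely, which generalizes the same helper to the non-MLS stripping case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of the flat "Linux user -> (SELinux user, level)" mapping
 * the thread converges on. The "__default__" name is this example's assumption. */
static const char *SAMPLE_MAPPING =
    "# linuxuser  seuser   level\n"
    "dwalsh       staff_u  s0:c0,c12\n"
    "sds          staff_u  s1:c2,c3\n"
    "__default__  user_u   s0\n";

/* Model of getseuserinfo(): find (seuser, level) for a Linux user, falling back
 * to the __default__ entry. Returns 0 on success, -1 if there is neither a match
 * nor a default. Comment, blank and malformed lines are skipped. */
int lookup_seuser(const char *mapping, const char *linuxuser,
                  char *seuser, size_t seuser_len, char *level, size_t level_len)
{
    const char *p = mapping;
    int have_default = 0;

    while (*p) {
        char line[256], name[64], su[64], lv[64];
        const char *nl = strchr(p, '\n');
        const char *next = nl ? nl + 1 : p + strlen(p);
        size_t n = nl ? (size_t)(nl - p) : strlen(p);

        if (n >= sizeof line)
            n = sizeof line - 1;           /* truncate an over-long line */
        memcpy(line, p, n);
        line[n] = '\0';
        p = next;

        if (line[0] == '#' || sscanf(line, "%63s %63s %63s", name, su, lv) != 3)
            continue;
        if (strcmp(name, linuxuser) == 0) {
            snprintf(seuser, seuser_len, "%s", su);
            snprintf(level, level_len, "%s", lv);
            return 0;                      /* an explicit entry always wins */
        }
        if (!have_default && strcmp(name, "__default__") == 0) {
            snprintf(seuser, seuser_len, "%s", su);
            snprintf(level, level_len, "%s", lv);
            have_default = 1;              /* keep scanning for an explicit one */
        }
    }
    return have_default ? 0 : -1;
}

/* Model of context_new() + context_range_set() + context_str() on a
 * "user:role:type[:range]" string: replace the range, or drop it when range is
 * NULL. The range is everything after the third ':' because MLS ranges contain
 * ':' themselves. Returns 0 on success, -1 for fewer than three fields or a
 * too-small output buffer. */
int context_set_range(const char *con, const char *range, char *out, size_t outlen)
{
    const char *p = con;
    int colons = 0, n;
    size_t baselen;

    while (*p && colons < 3)
        if (*p++ == ':')
            colons++;
    if (colons < 2)
        return -1;                         /* need at least user:role:type */
    baselen = (size_t)(p - con) - (colons == 3 ? 1 : 0);   /* drop the 3rd ':' */

    if (range)
        n = snprintf(out, outlen, "%.*s:%s", (int)baselen, con, range);
    else
        n = snprintf(out, outlen, "%.*s", (int)baselen, con);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The login flow: map the Linux user, then build the fromcon that
 * get_ordered_context_list_with_level() would pass on, i.e. the caller's own
 * context with the user's level as its range. Role and type stay with policy. */
int login_fromcon(const char *mapping, const char *linuxuser, const char *fromcon,
                  char *seuser, size_t seuser_len, char *out, size_t outlen)
{
    char level[64];
    if (lookup_seuser(mapping, linuxuser, seuser, seuser_len, level, sizeof level) < 0)
        return -1;
    return context_set_range(fromcon, level, out, outlen);
}

/* Yes/no wrappers so results can be checked without managing buffers. */
int lookup_is(const char *mapping, const char *user, const char *exp_su, const char *exp_lv)
{
    char su[64], lv[64];
    return lookup_seuser(mapping, user, su, sizeof su, lv, sizeof lv) == 0 &&
           strcmp(su, exp_su) == 0 && strcmp(lv, exp_lv) == 0;
}
int range_is(const char *con, const char *range, const char *expected)
{
    char out[256];
    return context_set_range(con, range, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sshd-style caller context with a wide range. */
    const char *fromcon = "system_u:system_r:sshd_t:s0-s0:c0.c1023";
    const char *users[] = { "dwalsh", "sds", "nobody" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        char seuser[64], newfrom[256];
        if (login_fromcon(SAMPLE_MAPPING, users[i], fromcon,
                          seuser, sizeof seuser, newfrom, sizeof newfrom) == 0)
            printf("%-8s -> seuser=%s fromcon=%s\n", users[i], seuser, newfrom);
        else
            printf("%-8s -> no mapping\n", users[i]);
    }
    return 0;
}
```

Running it prints one line per user; "nobody" picks up the __default__ entry, and a mapping without a default makes login_fromcon return -1 so the caller can refuse the login rather than proceed with an unset level.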
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 19:23 ` Daniel J Walsh
@ 2005-09-16 19:34 ` Stephen Smalley
2005-09-16 20:30 ` Daniel J Walsh
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2005-09-16 19:34 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
On Fri, 2005-09-16 at 15:23 -0400, Daniel J Walsh wrote:
> Ok do you want a function like the following
>
> int get_ordered_context_list_with_level (const char *user,
>                                          security_context_t fromcon,
>                                          const char *level,
>                                          security_context_t **list)
> {
>     int rc;
>     int freefrom = 0;
>     security_context_t newcon=NULL;
>     context_t con;
>
>     if (!fromcon) {
>         rc = getcon(&fromcon);
>         if (rc < 0)
>             return rc;
>         freefrom = 1;
>     }
>     con=context_new(fromcon);
>     context_range_set(con, level);
>     newcon=strdup(context_str(con));
>     context_free(con);
>
>     rc = get_ordered_context_list (user, newcon, list);
>     freecon(newcon);
>     if (freefrom)
>         freecon(fromcon);
>     return rc;
> }
Yes, but with more error checking (context_range_set, context_str, and
strdup could all fail above). You could also avoid the extra memory
allocation/copy for newcon by just deferring the context_free until
after the get_ordered_context_list call.
> Then we define a function
>
> getseuserinfo(const char *username, char **seusername, char **selevel)
>
>
> so pam calls
> getseuserinfo(dwalsh, &sename, &selevel);
> get_ordered_context_list_with_level(sename, 0, selevel, &conlist);
Right.
Note btw that putting getseuserinfo into libsetrans doesn't help with
avoiding the whole ldap dependency for libselinux users since libselinux
dlopen's libsetrans, so you might as well just put it into libselinux
unless you are going to create yet another library for it.
--
Stephen Smalley
National Security Agency
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 19:34 ` Stephen Smalley
@ 2005-09-16 20:30 ` Daniel J Walsh
2005-09-19 15:50 ` Stephen Smalley
0 siblings, 1 reply; 8+ messages in thread
From: Daniel J Walsh @ 2005-09-16 20:30 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
[-- Attachment #1: Type: text/plain, Size: 545 bytes --]
Ok how about this patch for libselinux.
Includes STRIP_LEVEL for removing :s0* from matchpathcon on a non-MLS
system. This is needed for upgrading machines to MCS/MLS.
Added selinux_getpolicytype(), even though not used yet by external
apps, it could be used in the future.
Added int get_ordered_context_list_with_level (const char *user,
                                               const char *level,
                                               security_context_t fromcon,
                                               security_context_t **list)
--
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6445 bytes --]
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.26/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h 2005-09-01 11:17:40.000000000 -0400
+++ libselinux-1.26/include/selinux/selinux.h 2005-09-16 14:16:26.000000000 -0400
@@ -304,6 +304,12 @@
extern int selinux_getenforcemode(int *enforce);
/*
+ selinux_getpolicytype reads the /etc/selinux/config file and determines
+ whether the policy tyep for this machine, type must be freed.
+ */
+extern void selinux_getpolicytype(char **type);
+
+/*
selinux_policy_root reads the /etc/selinux/config file and returns
the directory path under which the compiled policy file and context
configuration files exist.
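Review bot: the new doc comment is garbled ("determines whether the policy tyep for this machine, type must be freed"); it should say what the function does and who owns the result, e.g. "reads /etc/selinux/config and returns the configured policy type in *type; the caller must free() it." Since the function returns void, a caller can only detect an allocation failure by testing *type for NULL; returning the string (or an int status) would match the other selinux_* config helpers declared around it.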
diff --exclude-from=exclude -N -u -r nsalibselinux/src/get_context_list.c libselinux-1.26/src/get_context_list.c
--- nsalibselinux/src/get_context_list.c 2005-08-11 22:41:15.000000000 -0400
+++ libselinux-1.26/src/get_context_list.c 2005-09-16 16:22:03.000000000 -0400
@@ -288,6 +288,40 @@
return strcmp(c1->con, c2->con);
}
+int get_ordered_context_list_with_level (const char *user,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t **list)
+{
+ int rc;
+ int freefrom = 0;
+ context_t con;
+
+ if (!level)
+ return get_ordered_context_list (user, fromcon, list);
+
+ if (!fromcon) {
+ rc = getcon(&fromcon);
+ if (rc < 0)
+ return rc;
+ freefrom = 1;
+ }
+
+ con=context_new(fromcon);
+ if (con) {
+ context_range_set(con, level);
+ rc = get_ordered_context_list (user, context_str(con), list);
+ context_free(con);
+ }
+ else
+ rc=-1;
+
+ if (freefrom)
+ freecon(fromcon);
+
+ return rc;
+}
+
int get_ordered_context_list (const char *user,
security_context_t fromcon,
security_context_t **list)
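Review bot: context_range_set() and context_str() can both fail on allocation, but their results are used unchecked: if context_range_set fails, the list is computed from fromcon's original range instead of `level`, and a NULL from context_str is passed straight into get_ordered_context_list. Check each, set rc = -1 on failure and skip the call. The new function also needs a prototype in get_context_list.h and, like get_ordered_context_list, a hidden_proto/hidden_def pair so internal callers do not go through the PLT.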
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.26/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2005-08-24 09:07:11.000000000 -0400
+++ libselinux-1.26/src/matchpathcon.c 2005-09-16 15:54:01.000000000 -0400
@@ -12,6 +12,7 @@
#include <regex.h>
#include <stdarg.h>
#include "policy.h"
+#include <selinux/context.h>
static void
#ifdef __GNUC__
@@ -25,6 +26,19 @@
va_end(ap);
}
+#define STRIP_LEVEL(CON) \
+ if (! mls_enabled) { \
+ security_context_t newcon; \
+ context_t con=context_new(CON); \
+ if (con) { \
+ context_range_set(con,NULL); \
+ newcon=strdup(context_str(con));\
+ context_free(con); \
+ freecon(CON); \
+ CON=newcon; \
+ } \
+ }
+
static void (*myprintf)(const char *fmt, ...) = &default_printf;
void set_matchpathcon_printf(void (*f)(const char *fmt, ...))
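Review bot: STRIP_LEVEL assumes a variable named `mls_enabled` is in scope at every expansion site, and it is not wrapped in `do { ... } while (0)`, so `if (x) STRIP_LEVEL(c) else ...` will not parse as intended. More seriously, when context_str() or strdup() returns NULL the macro still does `freecon(CON); CON=newcon;`, leaving the caller with a NULL context and no error; the failure has to be detected and propagated through process_line's return value. Also, the `newcon` copy is avoidable only if the strip is done in one place, so consider a small static function returning int instead of a macro.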
@@ -415,7 +429,7 @@
}
return;
}
-static int process_line( const char *path, char *line_buf, int pass, unsigned lineno) {
+static int process_line( const char *path, char *line_buf, int pass, unsigned lineno, int mls_enabled) {
int items, len, regerr;
char *buf_p;
char *regex, *type, *context;
@@ -438,6 +452,7 @@
} else if (items == 2) {
/* The type field is optional. */
free(context);
+ STRIP_LEVEL(type)
context = type;
type = 0;
}
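Review bot: this STRIP_LEVEL(type) is redundant: in the `items == 2` case `type` becomes `context` on the very next line, and `context` is stripped again by the second STRIP_LEVEL further down before validation, so one strip of the final context value is enough.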
@@ -510,7 +525,7 @@
}
skip_type:
-
+ STRIP_LEVEL(context)
spec_arr[nspec].context = context;
if (strcmp(context, "<<none>>")) {
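Review bot: STRIP_LEVEL(context) runs before the `strcmp(context, "<<none>>")` test, so the "<<none>>" marker is passed through context_new() as if it were a context. Move the strip inside the if block; once it moves there, `spec_arr[nspec].context = context` has to move below the block as well, otherwise the array keeps the pre-strip pointer that the macro frees. It should also be skipped when context translation is enabled, since the translated string is not the raw "user:role:type:range" form this macro expects.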
@@ -557,6 +572,7 @@
unsigned int lineno, pass, i, j, maxnspec;
spec_t *spec_copy=NULL;
int status=-1;
+ int mls_enabled=is_selinux_mls_enabled();
/* Open the specification file. */
if (!path)
@@ -590,20 +606,20 @@
lineno = 0;
nspec = 0;
while (getline(&line_buf, &line_len, fp) > 0 && nspec < maxnspec) {
- if (process_line(path, line_buf, pass, ++lineno) != 0)
+ if (process_line(path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (homedirfp)
while (getline(&line_buf, &line_len, homedirfp) > 0 && nspec < maxnspec) {
- if (process_line(homedir_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(homedir_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (localfp)
while (getline(&line_buf, &line_len, localfp) > 0 && nspec < maxnspec) {
- if (process_line(local_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(local_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.26/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c 2005-03-17 14:56:21.000000000 -0500
+++ libselinux-1.26/src/selinux_config.c 2005-09-16 14:16:26.000000000 -0400
@@ -85,6 +85,29 @@
static int use_compat_file_path;
+void selinux_getpolicytype(char **rtype) {
+ char *type=SELINUXDEFAULT;
+ char buf[4097];
+ int i=0;
+ int len=sizeof(SELINUXTYPETAG)-1;
+ FILE *cfg = fopen(SELINUXCONFIG,"r");
+ if (cfg) {
+ while (fgets_unlocked(buf, 4096, cfg)) {
+ if (strncmp(buf,SELINUXTYPETAG,len)==0) {
+ type=buf+len;
+ break;
+ }
+ }
+ fclose(cfg);
+ }
+ i=strlen(type)-1;
+ while ((i>=0) &&
+ (isspace(type[i]) || iscntrl(type[i]))) {
+ type[i]=0;
+ i--;
+ }
+ *rtype=strdup(type);
+}
int selinux_getenforcemode(int *enforce) {
int ret=-1;
FILE *cfg = fopen(SELINUXCONFIG,"r");
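Review bot: the whitespace-trimming loop writes `type[i]=0` into whatever `type` points at; when no SELINUXTYPE line is found that is SELINUXDEFAULT itself, which is only safe because the default has no trailing whitespace (the same pattern is being removed from init_selinux_policyroot below, but here it becomes an exported function). `*rtype=strdup(type)` is unchecked and the void return gives no way to report failure, so every caller has to test for NULL; returning the string, as the other selinux_* helpers do, or an int status would be cleaner. `buf` is 4097 bytes but fgets_unlocked is given 4096, so the extra byte is unused.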
@@ -122,38 +145,24 @@
static void init_selinux_policyroot(void)
{
- char *type=SELINUXDEFAULT;
- int i=0, len=sizeof(SELINUXTYPETAG)-1, len2;
- char buf[4097];
- FILE *cfg;
+ char *type=NULL;
+ int i=0, len, len2;
if (selinux_policyroot) return;
if (access(SELINUXDIR, F_OK) != 0) {
selinux_policyroot = SECURITYDIR;
use_compat_file_path = 1;
return;
}
- cfg = fopen(SELINUXCONFIG,"r");
- if (cfg) {
- while (fgets_unlocked(buf, 4096, cfg)) {
- if (strncmp(buf,SELINUXTYPETAG,len)==0) {
- type=buf+len;
- break;
- }
- }
- fclose(cfg);
- }
- i=strlen(type)-1;
- while ((i>=0) &&
- (isspace(type[i]) || iscntrl(type[i]))) {
- type[i]=0;
- i--;
- }
+ selinux_getpolicytype(&type);
+ if (!type) return;
len=sizeof(SELINUXDIR) + strlen(type);
selinux_policyroot=malloc(len);
- if (!selinux_policyroot)
+ if (!selinux_policyroot) {
+ free(type);
return;
+ }
snprintf(selinux_policyroot,len, "%s%s", SELINUXDIR, type);
-
+ free(type);
for (i = 0; i < NEL; i++) {
len2 = len + strlen(file_path_suffixes_data.str
+ file_path_suffixes_idx[i])+1;
^ permalink raw reply [flat|nested] 8+ messages in thread
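Review bot: the `if (!type) return;` path silently leaves selinux_policyroot NULL, so every later call repeats the config file read and the allocation attempt; that matches how the old code behaved on malloc failure but is worth a comment. The rest of the hunk correctly frees `type` on both the failure and success paths.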
* Re: Doing testing with MCS looks like we get initial roles/levels by using fromcon.
2005-09-16 20:30 ` Daniel J Walsh
@ 2005-09-19 15:50 ` Stephen Smalley
0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-09-19 15:50 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Darrel Goeddel, Karl MacMillan, SELinux
[-- Attachment #1: Type: text/plain, Size: 1976 bytes --]
On Fri, 2005-09-16 at 16:30 -0400, Daniel J Walsh wrote:
> Ok how about this patch for libselinux.
>
> Includes STRIP_LEVEL for removing :s0* from matchpathcon on a non-MLS
> system. This is needed for upgrading machines to MCS/MLS.
- I think that the first STRIP_LEVEL call is unnecessary, as you only
need to do this once prior to calling the myinvalidcon callback for
context validation.
- The second STRIP_LEVEL call should be moved into the if block so that
it isn't applied to <<none>>. This also means we should move down the
assignment to the spec array until after that block so that we use the
final stripped value.
- I don't think that the STRIP_LEVEL call should occur if context
translations are enabled.
- STRIP_LEVEL can fail upon memory allocation failures in context_str
and strdup, so we need to check errors there and propagate them to the
caller.
Revised patch for STRIP_LEVEL attached, separated from the rest of the
patch. Please review.
> Added selinux_getpolicytype(), even though not used yet by external
> apps, it could be used in the future.
I think that I will omit this until we have a real user, and if we do
find a real user, I'd suggest making it consistent with the other
selinux* functions there, i.e. return the string as the return value
rather than as a pointer argument.
> Added int get_ordered_context_list_with_level (const char *user,
>                                                const char *level,
>                                                security_context_t fromcon,
>                                                security_context_t **list)
- context_range_set and context_str can fail on memory allocation, so
you need to separate them out and check for errors.
Revised patch for get_ordered_context_list_with_level attached, with
function prototypes added, get_default_context_with_level helper added,
and changes to the getconlist utility to allow testing it. Please
review.
--
Stephen Smalley
National Security Agency
[-- Attachment #2: getconlist.patch --]
[-- Type: text/x-patch, Size: 6105 bytes --]
Index: libselinux/src/get_context_list.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/get_context_list.c,v
retrieving revision 1.27
diff -u -p -r1.27 get_context_list.c
--- libselinux/src/get_context_list.c 11 Aug 2005 13:58:28 -0000 1.27
+++ libselinux/src/get_context_list.c 19 Sep 2005 14:43:40 -0000
@@ -288,6 +288,71 @@ static int order_compare(const void *A,
return strcmp(c1->con, c2->con);
}
+int get_ordered_context_list_with_level (const char *user,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t **list)
+{
+ int rc;
+ int freefrom = 0;
+ context_t con;
+ char *newfromcon;
+
+ if (!level)
+ return get_ordered_context_list (user, fromcon, list);
+
+ if (!fromcon) {
+ rc = getcon(&fromcon);
+ if (rc < 0)
+ return rc;
+ freefrom = 1;
+ }
+
+ rc = -1;
+ con=context_new(fromcon);
+ if (!con)
+ goto out;
+
+ if (context_range_set(con, level)) {
+ rc = -1;
+ goto out;
+ }
+
+ newfromcon = context_str(con);
+ if (!newfromcon) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = get_ordered_context_list (user, newfromcon, list);
+
+out:
+ context_free(con);
+ if (freefrom)
+ freecon(fromcon);
+ return rc;
+}
+hidden_def(get_ordered_context_list_with_level)
+
+int get_default_context_with_level(const char *user,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t *newcon)
+{
+ security_context_t *conary;
+ int rc;
+
+ rc = get_ordered_context_list_with_level(user, level, fromcon, &conary);
+ if (rc <= 0)
+ return -1;
+
+ *newcon = strdup(conary[0]);
+ freeconary(conary);
+ if (!(*newcon))
+ return -1;
+ return 0;
+}
+
int get_ordered_context_list (const char *user,
security_context_t fromcon,
security_context_t **list)
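Review bot: at the `out:` label `context_free(con)` runs even on the `if (!con) goto out;` path, where `context_new(fromcon)` returned NULL, so this depends on context_free() tolerating a NULL argument; if that is not guaranteed by the library, guard it with `if (con) context_free(con);`. The `rc = -1;` assigned just before `context_new` already covers both later failure paths, so the repeated `rc = -1;` inside the `context_range_set` and `context_str` checks is redundant. Worth stating in a comment that nothing here validates `level` beyond context_range_set() accepting the string: the only policy check is whatever get_ordered_context_list() applies to `newfromcon`, so a caller that takes the level from user input (the pam_selinux case discussed in this thread) must rely on that result and on get_default_context_with_level() returning -1 for an empty list (`rc <= 0`), not on this function merely succeeding.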
Index: libselinux/src/get_context_list_internal.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/get_context_list_internal.h,v
retrieving revision 1.1
diff -u -p -r1.1 get_context_list_internal.h
--- libselinux/src/get_context_list_internal.h 25 Aug 2004 12:20:47 -0000 1.1
+++ libselinux/src/get_context_list_internal.h 19 Sep 2005 14:43:40 -0000
@@ -2,3 +2,4 @@
#include "dso.h"
hidden_proto(get_ordered_context_list)
+hidden_proto(get_ordered_context_list_with_level)
Index: libselinux/utils/getconlist.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/utils/getconlist.c,v
retrieving revision 1.3
diff -u -p -r1.3 getconlist.c
--- libselinux/utils/getconlist.c 4 Apr 2005 15:27:09 -0000 1.3
+++ libselinux/utils/getconlist.c 19 Sep 2005 15:00:01 -0000
@@ -9,16 +9,33 @@
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
+void usage(char *name, char *detail, int rc)
+{
+ fprintf(stderr, "usage: %s [-l level] user [context]\n", name);
+ if (detail)
+ fprintf(stderr, "%s: %s\n", name, detail);
+ exit(rc);
+}
+
int main(int argc, char **argv)
{
security_context_t *list, usercon = NULL, cur_context = NULL;
- int ret, i;
+ char *user = NULL, *level = NULL;
+ int ret, i, opt;
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "usage: %s user [context]\n", argv[0]);
- return 1;
+ while ((opt = getopt(argc, argv, "l:")) > 0) {
+ switch (opt) {
+ case 'l':
+ level = strdup(optarg);
+ break;
+ default:
+ usage(argv[0], "invalid option", 1);
+ }
}
+ if (((argc - optind) < 1) || ((argc - optind) > 2))
+ usage(argv[0], "invalid number of arguments", 2);
+
/* If selinux isn't available, bail out. */
if( !is_selinux_enabled() ) {
fprintf( stderr,
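Review bot: the `strdup(optarg)` result is not checked for NULL and is never freed; since `optarg` points into `argv`, which outlives main(), `level = optarg;` would do the same job without the allocation. Also `getopt()`, `optarg` and `optind` require `<unistd.h>` and `exit()` in usage() requires `<stdlib.h>`; the hunk starts at line 9 so please confirm those includes are present above the lines shown.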
@@ -26,18 +43,23 @@ int main(int argc, char **argv)
return 1;
}
+ user = argv[optind];
+
/* If a context wasn't passed, use the current context. */
- if (argc < 3) {
+ if (((argc - optind) < 2)) {
if (getcon(&cur_context) < 0) {
fprintf( stderr, "Couldn't get current context.\n" );
return 2;
}
}
else
- cur_context = argv[2];
+ cur_context = argv[optind+1];
/* Get the list and print it */
- ret = get_ordered_context_list(argv[1], cur_context, &list);
+ if (level)
+ ret = get_ordered_context_list_with_level(user, level, cur_context, &list);
+ else
+ ret = get_ordered_context_list(user, cur_context, &list);
if(ret != -1) {
for (i = 0; list[i]; i++)
puts (list[i]);
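Review bot: `if (((argc - optind) < 2))` carries a redundant pair of parentheses; `if (argc - optind < 2)` reads cleaner and matches the earlier `(argc - optind) < 1` check. The hunk ends inside `if(ret != -1)` without showing an else branch; if none exists below, a `-l` level the policy rejects yields silent empty output, which makes this utility awkward for exactly the level testing it is being extended for, so a short message on stderr when `ret == -1` would help.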
Index: libselinux/include/selinux/get_context_list.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/include/selinux/get_context_list.h,v
retrieving revision 1.6
diff -u -p -r1.6 get_context_list.h
--- libselinux/include/selinux/get_context_list.h 30 Nov 2004 19:38:50 -0000 1.6
+++ libselinux/include/selinux/get_context_list.h 19 Sep 2005 14:43:40 -0000
@@ -21,6 +21,13 @@ extern int get_ordered_context_list(cons
security_context_t fromcon,
security_context_t **list);
+/* As above, but use the provided MLS level rather than the
+ default level for the user. */
+int get_ordered_context_list_with_level (const char *user,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t **list);
+
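Review bot: the new declaration lacks the `extern` that the existing `extern int get_ordered_context_list(` in this hunk's header uses; keep the header consistent. The "As above" comment should also state that a NULL `level` falls back to the default behaviour (the implementation returns `get_ordered_context_list(user, fromcon, list)` in that case), since callers such as pam_selinux will want to pass NULL when no level was supplied.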
/* Get the default security context for a user session for 'user'
spawned by 'fromcon' and set *newcon to refer to it. The context
will be one of those authorized by the policy, but the selection
@@ -32,6 +39,13 @@ extern int get_default_context(const cha
security_context_t fromcon,
security_context_t *newcon);
+/* As above, but use the provided MLS level rather than the
+ default level for the user. */
+int get_default_context_with_level(const char *user,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t *newcon);
+
/* Same as get_default_context, but only return a context
that has the specified role. If no reachable context exists
for the user with that role, then return -1. */
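Review bot: same `extern` omission as for get_ordered_context_list_with_level above, to match `extern int get_default_context(const cha` in this hunk's header. The comment should say that -1 is returned both on error and when no context is reachable for the user at that level (the implementation returns -1 for `rc <= 0`), so callers cannot distinguish "denied by policy" from "lookup failed" through the return value alone.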
[-- Attachment #3: matchpathcon.diff --]
[-- Type: text/x-patch, Size: 3466 bytes --]
Index: libselinux/src/matchpathcon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/matchpathcon.c,v
retrieving revision 1.28
diff -u -p -r1.28 matchpathcon.c
--- libselinux/src/matchpathcon.c 23 Aug 2005 16:46:41 -0000 1.28
+++ libselinux/src/matchpathcon.c 19 Sep 2005 15:35:18 -0000
@@ -12,6 +12,7 @@
#include <regex.h>
#include <stdarg.h>
#include "policy.h"
+#include <selinux/context.h>
static void
#ifdef __GNUC__
@@ -25,6 +26,41 @@ default_printf(const char *fmt, ...)
va_end(ap);
}
+/* If MLS is disabled, strip any MLS level field from the context.
+ This allows file_contexts with MLS levels to be processed on
+ a non-MLS system that otherwise has the same policy. */
+static inline int STRIP_LEVEL(char **context, int mls_enabled)
+{
+ char *str;
+ context_t con;
+ int rc = -1;
+
+ if (mls_enabled)
+ return 0;
+
+ con = context_new(*context);
+ if (!con)
+ return rc;
+
+ if (context_range_set(con,NULL))
+ goto out;
+
+ str = context_str(con);
+ if (!str)
+ goto out;
+
+ str = strdup(str);
+ if (!str)
+ goto out;
+
+ free(*context);
+ *context = str;
+ rc = 0;
+out:
+ context_free(con);
+ return rc;
+}
+
static void (*myprintf)(const char *fmt, ...) = &default_printf;
void set_matchpathcon_printf(void (*f)(const char *fmt, ...))
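Review bot: an upper-case name like `STRIP_LEVEL` reads as a macro, and `static inline` buys nothing for a function that calls context_new(), strdup() and free(); plain `static int strip_level(...)` would be clearer. `context_range_set(con, NULL)` relies on a NULL value clearing the range component rather than being treated as an error, which deserves a comment at the call site. The contract that on failure `*context` is left untouched (and still owned by the caller) should also be documented, because process_line() returns -1 directly after a failed call and will otherwise leak the string.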
@@ -415,7 +451,7 @@ static void spec_hasMetaChars(struct spe
}
return;
}
-static int process_line( const char *path, char *line_buf, int pass, unsigned lineno) {
+static int process_line( const char *path, char *line_buf, int pass, unsigned lineno, int mls_enabled) {
int items, len, regerr;
char *buf_p;
char *regex, *type, *context;
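Review bot: `mls_enabled` is computed once in matchpathcon_init() and threaded through three identical call sites; a file-scope `static int mls_enabled` set in matchpathcon_init() would avoid changing the process_line() signature and the three callers, and would keep the MLS decision in one place. Either way is acceptable; this is a style point.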
@@ -510,9 +546,6 @@ static int process_line( const char *pat
}
skip_type:
-
- spec_arr[nspec].context = context;
-
if (strcmp(context, "<<none>>")) {
if (context_translations) {
if (raw_to_trans_context(context,
@@ -524,11 +557,16 @@ static int process_line( const char *pat
}
free(context);
context = spec_arr[nspec].context;
+ } else {
+ if (STRIP_LEVEL(&context, mls_enabled))
+ return -1;
}
if (myinvalidcon(path, lineno, context))
return 0;
}
+
+ spec_arr[nspec].context = context;
/* Determine if specification has
* any meta characters in the RE */
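Review bot: in the new `else` branch, `return -1` after a failed STRIP_LEVEL() leaves `context` allocated; the translation branch above frees its copy (`free(context);`) once it has been converted, so this path should `free(context)` before returning. Moving `spec_arr[nspec].context = context;` below the myinvalidcon() check also means the `return 0` on an invalid context now happens before the string is stored in spec_arr[nspec]; if that path previously relied on the later spec_arr cleanup to free it, the string is now leaked, so free it explicitly there as well.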
@@ -557,6 +595,7 @@ int matchpathcon_init(const char *path)
unsigned int lineno, pass, i, j, maxnspec;
spec_t *spec_copy=NULL;
int status=-1;
+ int mls_enabled=is_selinux_mls_enabled();
/* Open the specification file. */
if (!path)
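Review bot: `is_selinux_mls_enabled()` reports 0 not only when the loaded policy lacks MLS but also when the kernel interface cannot be consulted, so on a system where selinuxfs is not reachable at the time file_contexts is processed every level will be stripped from the loaded specs. If this library is used to label a filesystem from outside the running policy, that silently degrades the labels; consider documenting this in the STRIP_LEVEL comment or providing a way for callers to force the MLS-on behaviour.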
@@ -590,20 +629,20 @@ int matchpathcon_init(const char *path)
lineno = 0;
nspec = 0;
while (getline(&line_buf, &line_len, fp) > 0 && nspec < maxnspec) {
- if (process_line(path, line_buf, pass, ++lineno) != 0)
+ if (process_line(path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (homedirfp)
while (getline(&line_buf, &line_len, homedirfp) > 0 && nspec < maxnspec) {
- if (process_line(homedir_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(homedir_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (localfp)
while (getline(&line_buf, &line_len, localfp) > 0 && nspec < maxnspec) {
- if (process_line(local_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(local_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}