* [PATCH] libsetrans
@ 2005-10-24 20:55 Chad Hanson
From: Chad Hanson @ 2005-10-24 20:55 UTC (permalink / raw)
To: SE Linux (E-mail), Daniel J Walsh (E-mail)
Cc: Stephen Smalley (E-mail), Darrel Goeddel
[-- Attachment #1: Type: text/plain, Size: 448 bytes --]
The following proposed patch to libsetrans incorporates the following
changes:
- Make libsetrans generic by creating a setrans config file
- Add translation config file for MLS policy
- Fix to handle translation of a same-level range string (e.g.
SystemHigh-SystemHigh) without requiring a separate definition
- move libsetrans disable option from translation config file
(mcs.conf/mls.conf) to setrans config file
- Some comment updates for mcs.conf
-Chad
[-- Attachment #2: libsetrans.spec.patch --]
[-- Type: application/octet-stream, Size: 1314 bytes --]
--- libsetrans_ori.spec 2005-10-24 11:05:31.000000000 -0500
+++ libsetrans.spec 2005-10-24 15:30:24.730920732 -0500
@@ -7,9 +7,12 @@
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
Source1: mcs.conf
+Source2: mls.conf
+Source3: setrans
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
BuildRequires: libselinux-devel >= %{libselinuxver}
Requires: libselinux >= %{libselinuxver}
+Patch: libsetrans-0.1.7-mls.patch
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -27,6 +30,7 @@
%prep
%setup -q
+%patch0 -p1
%build
make CFLAGS="-g %{optflags}"
@@ -37,6 +41,8 @@
mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}
make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_lib}" install
install -D -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}/etc/mcs.conf
+install -D -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}/etc/mls.conf
+install -D -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/etc/sysconfig/setrans
rm -f ${RPM_BUILD_ROOT}%{_sbindir}/*
rm -f ${RPM_BUILD_ROOT}%{_libdir}/*.a
@@ -53,6 +59,8 @@
/%{_libdir}/libsetrans.so
%{_bindir}/chcat
%config(noreplace) /etc/mcs.conf
+%config(noreplace) /etc/mls.conf
+%config(noreplace) /etc/sysconfig/setrans
%{_mandir}/man8/*
%changelog
[-- Attachment #3: libsetrans-0.1.7-mls.patch --]
[-- Type: application/octet-stream, Size: 8407 bytes --]
diff -ur libsetrans-0.1.7_ori/src/setrans.c libsetrans-0.1.7/src/setrans.c
--- libsetrans-0.1.7_ori/src/setrans.c 2005-09-19 12:30:27.000000000 -0500
+++ libsetrans-0.1.7/src/setrans.c 2005-10-19 07:28:33.000000000 -0500
@@ -7,21 +7,22 @@
#include <selinux/selinux.h>
#include <selinux/context.h>
-#define CATEGORYFILE "/etc/mcs.conf"
+#define CONFIGFILE "/etc/sysconfig/setrans"
+#define DEFAULT_TRANSFILE "/etc/mcs.conf"
/* Define data structures */
-typedef struct selevel {
+typedef struct selabel {
char* name;
char* sename;
-} selevel_t;
+} selabel_t;
-/* catlist is a simple linked list of selevels extracted from the CATEGORYFILE */
-typedef struct cat {
- struct cat *next;
- selevel_t level;
-} cat_t;
+/* labellist is a simple linked list of selabels extracted from the translation file */
+typedef struct labels {
+ struct labels *next;
+ selabel_t label;
+} labels_t;
-static cat_t *catlist=NULL;
+static labels_t *labellist=NULL;
/* Remove excess white space */
static char *strtrim(char *dest, char *source, int size) {
@@ -41,29 +42,29 @@
}
void finish_context_translations(void) {
- cat_t *ptr=NULL;
- cat_t *current=NULL;
- if (!catlist) return;
- ptr=catlist;
+ labels_t *ptr=NULL;
+ labels_t *current=NULL;
+ if (!labellist) return;
+ ptr=labellist;
while(ptr) {
- if (ptr->level.name) free(ptr->level.name);
- if (ptr->level.sename) free(ptr->level.sename);
+ if (ptr->label.name) free(ptr->label.name);
+ if (ptr->label.sename) free(ptr->label.sename);
current=ptr;
ptr=current->next;
free(current);
}
- catlist=NULL;
+ labellist=NULL;
}
-/* Process line from CATEGORYFILE.
+/* Process line from translation file.
Remove white space and set name do data before the "=" and sename to data
after it */
-static int process_category(const char *buffer, cat_t **cat) {
+static int process_label(const char *buffer, labels_t **labels) {
char name[BUFSIZ];
char name1[BUFSIZ];
char *newbuf=strdup(buffer);
int namesize=sizeof(name);
- cat_t *next=NULL;
+ labels_t *next=NULL;
char *ptr;
int rc=0;
@@ -78,14 +79,14 @@
if (!tok) goto err;
while (isspace(*tok)) tok++;
- next=(cat_t *) calloc(1, sizeof(cat_t));
+ next=(labels_t *) calloc(1, sizeof(labels_t));
if (!next) {
rc=-1;
goto err;
}
- next->level.name=strdup(name);
- if (!next->level.name) {
+ next->label.name=strdup(name);
+ if (!next->label.name) {
free(next);
rc=-1;
goto err;
@@ -93,77 +94,151 @@
strncpy(name1,tok, BUFSIZ-1);
strtrim(name,name1,namesize-1);
- next->level.sename=strdup(name);
- if (!next->level.sename) {
- free(next->level.name);
+ next->label.sename=strdup(name);
+ if (!next->label.sename) {
+ free(next->label.name);
free(next);
rc=-1;
goto err;
}
- *cat=next;
+ *labels=next;
rc=1;
err:
free(newbuf);
return rc;
}
-/* Look for selevel via internal name */
-static char *translate(const char *cat) {
- cat_t *ptr=NULL;
- if (catlist)
- for (ptr=catlist->next;ptr; ptr=ptr->next)
- if (strcmp(cat,ptr->level.name)==0) {
- if (strlen(ptr->level.sename)==0)
+/* Search entry string and return value string from CONFIGFILE
+ * value buffer need to be allocated ahead.
+ * Return:
+ * Success: 0
+ * Fail : 1 */
+static int get_config_value(const char *entry, char *value)
+{
+ FILE *fp=NULL;
+ char *cfgbuf=NULL;
+ size_t size=0;
+ char *tok;
+ char token[BUFSIZ];
+ char token_raw[BUFSIZ];
+ int tokensize=sizeof(token);
+ char *ptr;
+ int ret=0;
+
+ fp = fopen(CONFIGFILE,"r");
+ if (fp) {
+ while ( getline(&cfgbuf, &size, fp) > 0) {
+ /* ignore comment line */
+ if ( cfgbuf[0]=='#' ) {
+ continue;
+ }
+
+ tok=strtok_r(cfgbuf,"=",&ptr);
+ if (!tok) {
+ ret=1;
+ goto exit1;
+ }
+ strncpy(token_raw,tok, BUFSIZ-1);
+ strtrim(token,token_raw,tokensize-1);
+
+ /* ignore meaningless line */
+ tok=strtok_r(NULL,"\0",&ptr);
+ if (!tok) {
+ continue;
+ }
+ while (isspace(*tok)) tok++;
+
+ if(strcasecmp(token,entry)==0)
+ {
+ strncpy(token_raw,tok, BUFSIZ-1);
+ strtrim(token,token_raw,tokensize-1);
+ strcpy(value, token);
+ break;
+ }
+ }
+ }
+ else {
+ ret=1;
+ goto exit2;
+ }
+
+exit1:
+ free(cfgbuf);
+ fclose(fp);
+exit2:
+ return ret;
+}
+
+
+
+
+/* Look for selabel via internal name */
+static char *translate(const char *labels) {
+ labels_t *ptr=NULL;
+ if (labellist)
+ for (ptr=labellist->next;ptr; ptr=ptr->next)
+ if (strcmp(labels,ptr->label.name)==0) {
+ if (strlen(ptr->label.sename)==0)
return NULL;
else
- return strdup(ptr->level.sename);
+ return strdup(ptr->label.sename);
}
- return strdup(cat);
+ return strdup(labels);
}
-/* Look for selevel via external name */
+/* Look for selabel via external name */
static char *untranslate(const char *sename) {
- cat_t *ptr=NULL;
- if (catlist)
- for(ptr=catlist->next;ptr; ptr=ptr->next)
- if (strcmp(sename,ptr->level.sename)==0)
- return strdup(ptr->level.name);
+ labels_t *ptr=NULL;
+ if (labellist)
+ for(ptr=labellist->next;ptr; ptr=ptr->next)
+ if (strcmp(sename,ptr->label.sename)==0)
+ return strdup(ptr->label.name);
return strdup(sename);
}
-/* Read in CATEGORYFILE Only runs once per process.
+/* Read in translation file Only runs once per process.
Might want to change to some kind of reload eventually, for long running
processes.
*/
int init_context_translations(void) {
FILE *cfg=NULL;
- cat_t *ptr=NULL;
- cat_t *next=NULL;
+ labels_t *ptr=NULL;
+ labels_t *next=NULL;
size_t size=0;
char *buffer=NULL;
+ char transfile[BUFSIZ];
+ int ret;
if (is_selinux_mls_enabled() <= 0 ) {
return 1;
}
- cfg = fopen(CATEGORYFILE,"r");
- if (!cfg) return 1;
+ ret=get_config_value("disable", transfile);
+ if (ret==0) {
+ if (strcmp(transfile,"1") == 0) {
+ return 1;
+ }
+ }
+ ret=get_config_value("TRANSTABLE", transfile);
+ if (ret==0) {
+ cfg = fopen(transfile,"r");
+ if (!cfg) return 1;
+ }
+ else {
+ cfg = fopen(DEFAULT_TRANSFILE,"r");
+ if (!cfg) return 1;
+ }
- ptr=catlist=calloc(1,sizeof(cat_t));
+ ptr=labellist=calloc(1,sizeof(labels_t));
if (!ptr) {
fclose(cfg);
return 1;
}
while (getline(&buffer, &size, cfg) > 0) {
- if(process_category(buffer, &next)) {
+ if(process_label(buffer, &next)) {
ptr->next=next;
ptr=next;
- if ((strcasecmp(next->level.name,"disable")==0) &&
- (strcmp(next->level.sename,"1") == 0)) {
- finish_context_translations();
- break;
- }
}
}
if (buffer) free(buffer);
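Review bot: get_config_value() leaves `ret` at 0 when the requested entry is not present in CONFIGFILE, and in that case it never writes `value`, so init_context_translations() ends up calling `strcmp(transfile,"1")` — and, when TRANSTABLE is also absent, `fopen(transfile,"r")` — on the uninitialized `char transfile[BUFSIZ];`. With the shipped setrans file, where `disable=1` is commented out, the "disable" lookup takes this path on every initialization. Start with `int ret=1;`, set `ret=0;` in the `strcasecmp(token,entry)==0` branch before the `break;`, and initialize `char transfile[BUFSIZ]="";` so a missing key is reported as a failure rather than read as a stale value. `strcpy(value, token)` also relies on the caller's buffer holding at least BUFSIZ bytes; say so in the comment above the function, or pass the size of `value` as a parameter.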
@@ -172,14 +247,14 @@
return 0;
}
-/* Look for selevel via external name */
+/* Look for selabel via external name */
int translate_context( const security_context_t oldcon, security_context_t *rcon) {
const char *range=NULL;
context_t con=context_new(oldcon);
if (! con) return -1;
- if (catlist) {
+ if (labellist) {
range=context_range_get(con);
if (range) {
context_range_set(con,translate(range));
@@ -190,17 +265,35 @@
return 0;
}
-/* Look for selevel via external name */
+/* Look for selabel via external name */
int untranslate_context( const security_context_t oldcon, security_context_t *rcon) {
const char *range=NULL;
char *newrange=NULL;
+ char tmpbuf[BUFSIZ]="";
+ int i=0;
context_t con=context_new(oldcon);
if (! con) return -1;
- if (catlist) {
+ if (labellist) {
range=context_range_get(con);
- if (range)
+ if (range) {
+ /* if ranged label */
+ if(strchr(range,'-')) {
+ while (range[i] != '-') tmpbuf[i]=range[i++];
+ tmpbuf[i++]='\0';
+ /* Now tmpbuf has minimum level string
+ * and &range[i] has clearance level string.
+ * If minimum and clearance level is same
+ * use single level string as range.
+ * This removes the need to define same
+ * level ranges (ex: SystemHigh-SystemHigh)
+ * in translation table */
+ if( strcmp(tmpbuf, &range[i])==0 ) {
+ range=&range[i];
+ }
+ }
newrange=untranslate(range);
+ }
else
newrange=untranslate("");
if (newrange)
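Review bot: `while (range[i] != '-') tmpbuf[i]=range[i++];` modifies `i` and reads it again in the same unsequenced expression, which is undefined behaviour, and nothing bounds `i` against `sizeof tmpbuf` even though the low level of `range` comes from the caller's context string and may be longer than BUFSIZ. The check only needs to know whether the text after the dash equals the text before it, so compare in place with strncmp and the low level's length; `tmpbuf` and `i` can then be dropped from the declarations. untranslate_context() continues past the end of this hunk.
```c
		if (range) {
			/* "low-high" with identical low and high: untranslate the single level,
			 * so same-level ranges need no entry of their own in the table */
			const char *dash = strchr(range, '-');
			if (dash) {
				size_t lo_len = (size_t)(dash - range);
				if (strncmp(range, dash + 1, lo_len) == 0 &&
				    dash[1 + lo_len] == '\0') {
					range = dash + 1;
				}
			}
			newrange = untranslate(range);
		}
		/* … unchanged: else branch and newrange handling … */
```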
[-- Attachment #4: mls.conf --]
[-- Type: application/octet-stream, Size: 1377 bytes --]
#
# Multi-Level Security translation table for SELinux
#
# Objects can be labeled with one of 16 levels and be categorized with 0-256
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purposes.
#
# Assumptions: the MLS labels below are in use.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c255=SystemHigh
s0-s15:c0.c255=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=Secret:A
s2:c1=Secret:B
s2:c0,c1=Secret:AB
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c255=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c255=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c255=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c255=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c255=Secret:AB-SystemHigh
[-- Attachment #5: setrans --]
[-- Type: application/octet-stream, Size: 138 bytes --]
# Uncomment the following to disable the translation library
# disable=1
# Specify the label translation file path
TRANSTABLE=/etc/mls.conf
[-- Attachment #6: mcs.conf.patch --]
[-- Type: application/octet-stream, Size: 940 bytes --]
--- mcs_ori.conf 2005-10-21 14:00:17.000000000 -0500
+++ mcs.conf 2005-10-24 15:02:48.000000000 -0500
@@ -1,13 +1,10 @@
#
-# Multiple Category System translation table for SELinux
+# Multi-Category Security translation table for SELinux
#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-127 categories defined by the admin.
-# Objects can be in more then one categories at a time.
-# Categories are stored in the system as c0-c127. Users can use this
-# table to translate the categories into a more meaningfull output.
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
* Re: [PATCH] libsetrans
@ 2005-10-25 21:14 ` Daniel J Walsh
From: Daniel J Walsh @ 2005-10-25 21:14 UTC (permalink / raw)
To: Chad Hanson; +Cc: SE Linux (E-mail), Stephen Smalley (E-mail), Darrel Goeddel
Chad Hanson wrote:
> The following proposed patch to libsetrans incorporates the following
> changes:
>
> - Make libsetrans generic by creating a setrans config file
> - Add translation config file for MLS policy
> - Fix to handle translation for same level range string without separate
> definition (e.g. SystemHigh-SystemHigh)
> - move libsetrans disable option from translation config file
> (mcs.conf/mls.conf) to setrans config file
> - Some comment updates for mcs.conf
>
> -Chad
>
>
How about instead of adding another config file, we default the file to
the current policy that is installed.
/etc/selinux/setrans_mls.conf and /etc/selinux/setrans_targeted.conf
libselinux already reads a config file, so this will require no additional
perms; or we just put them into the policy file.
/etc/selinux/TYPE/setrans.conf
* RE: [PATCH] libsetrans
@ 2005-10-25 23:12 Chad Hanson
From: Chad Hanson @ 2005-10-25 23:12 UTC (permalink / raw)
To: Daniel J Walsh, Chad Hanson
Cc: SE Linux (E-mail), Stephen Smalley (E-mail), Darrel Goeddel
> How about instead of adding another config file, we default the file to
> the current policy that is installed.
>
> /etc/selinux/setrans_mls.conf and /etc/selinux/setrans_targeted.conf
>
> libselinux already reads config file so this will require no additional
> perms, or we just put them into the policy file.
>
> /etc/selinux/TYPE/setrans.conf
>
Either way seems fine. Initially I was for the latter, but I'm not sure we
want the translation configs in the policy rpm. So if we want to keep this
out of the policy, probably the first, even though the second is more
elegant.
-Chad