* [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
       [not found]   ` <436A86E6.4040205@cornell.edu>
@ 2005-11-04  5:55     ` Ivan Gyurdiev
  2005-11-04 13:20       ` Stephen Smalley
                         ` (3 more replies)
  0 siblings, 4 replies; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04  5:55 UTC (permalink / raw)
  To: selinux
  Cc: Stephen Smalley, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

[-- Attachment #1: Type: text/plain, Size: 1727 bytes --]


>>
>> Converting setsebool to using libsemanage is the highest priority,
>> followed by a policy package that is based on refpolicy and that has the
>> necessary migration steps in its %post scriptlet.  Everything else is
>> less critical to initial deployment in test1 IMHO.
>
> I'm not sure why it's so critical, given that we already have working 
> boolean support in libselinux. However, if no one else is working on 
> this, I can try to convert the permanent update (-P) to use 
> libsemanage...
Patch attached.
Changes:

- move manpage and setsebools into policycoreutils package
- change manpage not to mention /etc/selinux/?/booleans
- link against libsemanage
- cleanup warnings exposed by -Werror in new Makefile
- implement preservebools=1 via a function similar to the selinux one
- always pass preservebools = 0 to the libselinux fn
- separate code paths for error and success (don't like fallthrough - 
error-prone)
- always return -1 on failure. I highly dislike any creativity with the 
return value. If I could change the retval of all the libselinux and 
libsepol code to be -1 on failure everywhere (or better...using the 
internal status codes), I would be very happy.

Note1:  this does not yet work, because now load_policy tries to 
sabotage my boolean load (by setting preservebools to 1 by default, and 
not loading anything). What should I do about that? Should anything be 
done at all, or should we respect the user load_policy flags in 
/etc/selinux.conf? (which right now I see are undocumented...)

Note2: if I go and force libsemanage to pass -b flag, it works just 
fine, but takes forever (10sec) to complete. It's not my fault, the 
module expand function is just really really slow.






[-- Attachment #2: setsebools.to_libsemanage.diff --]
[-- Type: text/x-patch, Size: 12193 bytes --]

diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libselinux/man/man8/setsebool.8 new/libselinux/man/man8/setsebool.8
--- old/libselinux/man/man8/setsebool.8	2005-11-04 00:25:58.000000000 -0500
+++ new/libselinux/man/man8/setsebool.8	1969-12-31 19:00:00.000000000 -0500
@@ -1,28 +0,0 @@
-.TH "setsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
-.SH "NAME"
-setsebool \- set SELinux boolean value
-
-.SH "SYNOPSIS"
-.B setsebool
-.I "[ -P ] boolean value | bool1=val1 bool2=val2 ..."
-
-.SH "DESCRIPTION"
-.B setsebool 
-sets the current state of a particular SELinux boolean or a list of booleans 
-to a given value. The value may be 1 or true to enable the boolean, or 0 or 
-false to disable it. 
-
-Without the -P option, only the current boolean value is 
-affected; the boot-time default settings defined by
-.I /etc/selinux/SELINUXTYPE/booleans
-are not changed. 
-
-If the -P option is given, all pending values are written to
-the boolean file on disk.
-
-.SH AUTHOR	
-This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-The program was written by Tresys Technology.
-
-.SH "SEE ALSO"
-getsebool(8), booleans(8), togglesebool(8)
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libselinux/utils/setsebool.c new/libselinux/utils/setsebool.c
--- old/libselinux/utils/setsebool.c	2005-11-04 00:25:59.000000000 -0500
+++ new/libselinux/utils/setsebool.c	1969-12-31 19:00:00.000000000 -0500
@@ -1,172 +0,0 @@
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <selinux/selinux.h>
-#include <errno.h>
-
-int permanent = 0;
-
-int setbool(char **list, size_t start, size_t end);
-
-
-void usage(void)
-{
-	fputs("\nUsage:  setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n", stderr);
-	exit(1);
-}
-
-int main(int argc, char **argv)
-{
-	size_t rc, start;
-
-	if (argc < 2) 
-		usage();
-
-	if (is_selinux_enabled() <= 0) {
-		fputs("setsebool:  SELinux is disabled.\n", stderr);
-		return 1;
-	}
-
-	if (strcmp(argv[1], "-P") == 0) {
-		permanent = 1;
-		if (argc < 3) 
-			usage();
-		start = 2;
-	}
-	else
-		start = 1;
-
-	/* Check to see which way we are being called. If a '=' is passed,
-	   we'll enforce the list syntax. If not we'll enforce the original
-	   syntax for backward compatibility. */
-	if (strchr(argv[start], '=') == 0) {
-		int len;
-		char *bool_list[1];
-
-		if ((argc - start) != 2)
-			usage();
-
-		/* Add 1 for the '=' */
-		len = strlen(argv[start]) + strlen(argv[start+1]) + 2;
-		bool_list[0]=(char *)malloc(len);
-		if (bool_list[0] == 0) {
-			fputs("Out of memory - aborting\n", stderr);
-			return 1;
-		}
-		snprintf(bool_list[0], len, "%s=%s", argv[start], 
-							argv[start+1]);
-		rc = setbool(bool_list, 0, 1);
-		free(bool_list[0]);
-	}
-	else 
-		rc = setbool(argv, start, argc);
-
-	return rc;
-}
-
-/* Given an array of strings in the form "boolname=value", a start index,
-   and a finish index...walk the list and set the bool. */
-int setbool(char **list, size_t start, size_t end)
-{
-	char *name, *value_ptr;
-	int i=start, value;
-	int ret=0;
-	int j=0;
-	size_t boolcnt=end-start;
-	struct passwd *pwd;
-	SELboolean *vallist=calloc(boolcnt, sizeof(SELboolean));
-	if (!vallist) {
-		fprintf(stderr, 
-			"Error setting booleans: %s\n", strerror(errno));
-		return 1;
-	}
-	while (i < end) {
-		name = list[i];
-		value_ptr = strchr(list[i], '=');
-		if (value_ptr == 0) {
-			fprintf(stderr, 
-			"setsebool: '=' not found in boolean expression %s\n",
-				list[i]);
-			ret=4;
-			goto error_label;
-		}
-		*value_ptr = 0;
-		value_ptr++;
-		if (strcmp(value_ptr, "1") == 0 || 
-				strcasecmp(value_ptr, "true") == 0)
-			value = 1;
-		else if (strcmp(value_ptr, "0") == 0 || 
-				strcasecmp(value_ptr, "false") == 0)
-			value = 0;
-		else {
-			fprintf(stderr, "setsebool: illegal boolean value %s\n",
-				value_ptr);
-			ret=1;
-			goto error_label;
-		}
-
-		vallist[j].value = value;
-		vallist[j].name = strdup(name);
-		if (!vallist[j].name) {
-			fprintf(stderr, 
-				"Error setting boolean %s to value %d (%s)\n", 
-				name, value, strerror(errno));
-			ret= 2;
-			goto error_label;
-		}
-		i++;
-		j++;
-
-		/* Now put it back */
-		value_ptr--;
-		*value_ptr = '=';
-	}
-
-	ret=security_set_boolean_list(boolcnt, vallist, permanent);
-
- error_label:
-	for (i=0; i < boolcnt; i++) 
-		if (vallist[i].name) free(vallist[i].name);
-	free(vallist);
-
-	if (ret) {
-		if (errno==ENOENT) {
-			fprintf(stderr, 
-				"Error setting boolean: Invalid boolean\n");
-		} else {
-			if (errno) 
-				perror("Error setting booleans");
-		}
-		return ret;
-	}
-
-	/* Now log what was done */
-	pwd = getpwuid(getuid());
-	i = start;
-	while (i < end) {
-		/* Error checking shouldn't be needed since we just did
-		   this above and aborted if something went wrong. */
-		name = list[i];
-		value_ptr = strchr(name, '=');
-		*value_ptr = 0;
-		value_ptr++;
-		if (pwd && pwd->pw_name)
-			syslog(LOG_NOTICE, 
-			    "The %s policy boolean was changed to %s by %s",
-				name, value_ptr, pwd->pw_name);
-		else
-			syslog(LOG_NOTICE, 
-			    "The %s policy boolean was changed to %s by uid:%d",
-				name, value_ptr, getuid());
-		i++;
-	}
-
-	return 0;
-}
-
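Review bot: setsebool.c leaves libselinux/utils here, but every diff in this patch was generated with --exclude Makefile, so no build change accompanies the move on either side. The patch should carry the Makefile for the new policycoreutils/setsebool directory (with the libsemanage link the change list mentions) and whatever hooks that directory into the policycoreutils build; regenerate the diff without that exclude so the build wiring can be reviewed together with the code.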
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/policycoreutils/setsebool/setsebool.8 new/policycoreutils/setsebool/setsebool.8
--- old/policycoreutils/setsebool/setsebool.8	1969-12-31 19:00:00.000000000 -0500
+++ new/policycoreutils/setsebool/setsebool.8	2005-11-03 23:24:48.000000000 -0500
@@ -0,0 +1,27 @@
+.TH "setsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+setsebool \- set SELinux boolean value
+
+.SH "SYNOPSIS"
+.B setsebool
+.I "[ -P ] boolean value | bool1=val1 bool2=val2 ..."
+
+.SH "DESCRIPTION"
+.B setsebool 
+sets the current state of a particular SELinux boolean or a list of booleans 
+to a given value. The value may be 1 or true to enable the boolean, or 0 or 
+false to disable it. 
+
+Without the -P option, only the current boolean value is 
+affected; the boot-time default settings defined by
+are not changed. 
+
+If the -P option is given, all pending values are written to
+the boolean file on disk.
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+The program was written by Tresys Technology.
+
+.SH "SEE ALSO"
+getsebool(8), booleans(8), togglesebool(8)
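Review bot: in DESCRIPTION, removing the ".I /etc/selinux/SELINUXTYPE/booleans" line leaves a broken sentence, "the boot-time default settings defined by are not changed"; reword the preceding line as well, for example ending it at "the boot-time default settings are not changed". The -P paragraph below it still says the values are "written to the boolean file on disk", which contradicts the stated goal of not mentioning the booleans file and no longer describes a -P that goes through libsemanage, so that sentence needs rewriting too.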
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/policycoreutils/setsebool/setsebool.c new/policycoreutils/setsebool/setsebool.c
--- old/policycoreutils/setsebool/setsebool.c	1969-12-31 19:00:00.000000000 -0500
+++ new/policycoreutils/setsebool/setsebool.c	2005-11-03 23:31:37.000000000 -0500
@@ -0,0 +1,232 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <selinux/selinux.h>
+#include <semanage/booleans_local.h>
+#include <semanage/boolean_record.h>
+#include <errno.h>
+
+int permanent = 0;
+
+int setbool(char **list, size_t start, size_t end);
+
+
+void usage(void)
+{
+	fputs("\nUsage:  setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n", stderr);
+	exit(1);
+}
+
+int main(int argc, char **argv)
+{
+	size_t rc, start;
+
+	if (argc < 2) 
+		usage();
+
+	if (is_selinux_enabled() <= 0) {
+		fputs("setsebool:  SELinux is disabled.\n", stderr);
+		return 1;
+	}
+
+	if (strcmp(argv[1], "-P") == 0) {
+		permanent = 1;
+		if (argc < 3) 
+			usage();
+		start = 2;
+	}
+	else
+		start = 1;
+
+	/* Check to see which way we are being called. If a '=' is passed,
+	   we'll enforce the list syntax. If not we'll enforce the original
+	   syntax for backward compatibility. */
+	if (strchr(argv[start], '=') == 0) {
+		int len;
+		char *bool_list[1];
+
+		if ((argc - start) != 2)
+			usage();
+
+		/* Add 1 for the '=' */
+		len = strlen(argv[start]) + strlen(argv[start+1]) + 2;
+		bool_list[0]=(char *)malloc(len);
+		if (bool_list[0] == 0) {
+			fputs("Out of memory - aborting\n", stderr);
+			return 1;
+		}
+		snprintf(bool_list[0], len, "%s=%s", argv[start], 
+							argv[start+1]);
+		rc = setbool(bool_list, 0, 1);
+		free(bool_list[0]);
+	}
+	else 
+		rc = setbool(argv, start, argc);
+
+	return rc;
+}
+
+/* Helper function: applies permanent changes to policy via libsemanage */
+int semanage_set_boolean_list(size_t boolcnt, SELboolean *boollist) {
+
+	size_t j;
+	semanage_handle_t* handle = NULL;
+	semanage_bool_t* boolean = NULL;
+	semanage_bool_key_t* bool_key = NULL;
+
+	handle = semanage_handle_create();
+	if (handle == NULL) {
+		fprintf(stderr, "Could not create semanage library handle\n"); 
+		goto err;
+	}
+
+	if (semanage_connect(handle) < 0)
+		goto err;
+
+	if (semanage_begin_transaction(handle) < 0)
+		goto err;
+
+	for (j = 0; j < boolcnt; j++) {
+		
+		if (semanage_bool_create(handle, &boolean) < 0)
+			goto err;
+
+		if (semanage_bool_set_name(handle, boolean, boollist[j].name) < 0)
+			goto err;
+
+		semanage_bool_set_value(boolean, boollist[j].value);
+
+		if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
+			goto err;
+
+		if (semanage_bool_modify_local(handle, bool_key, boolean) < 0)
+			goto err;
+
+		semanage_bool_key_free(bool_key);
+		bool_key = NULL;
+		boolean = NULL;
+	}	
+
+	if (semanage_commit(handle) < 0)
+		goto err;
+
+	semanage_disconnect(handle);
+	semanage_handle_destroy(handle);
+	return 0;
+
+	err:
+	semanage_bool_key_free(bool_key);
+	semanage_bool_free(boolean);
+	semanage_handle_destroy(handle);
+	fprintf(stderr, "Could not apply permanent policy change");
+	return -1;
+}
+
+/* Given an array of strings in the form "boolname=value", a start index,
+   and a finish index...walk the list and set the bool. */
+int setbool(char **list, size_t start, size_t end)
+{
+	char *name, *value_ptr;
+	int ret=0, j=0, value;
+	size_t i = start;
+	size_t boolcnt=end-start;
+	struct passwd *pwd;
+	SELboolean *vallist=calloc(boolcnt, sizeof(SELboolean));
+	if (!vallist) {
+		fprintf(stderr, 
+			"Error setting booleans: %s\n", strerror(errno));
+		return 1;
+	}
+	while (i < end) {
+		name = list[i];
+		value_ptr = strchr(list[i], '=');
+		if (value_ptr == 0) {
+			fprintf(stderr, 
+			"setsebool: '=' not found in boolean expression %s\n",
+				list[i]);
+			ret=4;
+			goto err;
+		}
+		*value_ptr = 0;
+		value_ptr++;
+		if (strcmp(value_ptr, "1") == 0 || 
+				strcasecmp(value_ptr, "true") == 0)
+			value = 1;
+		else if (strcmp(value_ptr, "0") == 0 || 
+				strcasecmp(value_ptr, "false") == 0)
+			value = 0;
+		else {
+			fprintf(stderr, "setsebool: illegal boolean value %s\n",
+				value_ptr);
+			ret=1;
+			goto err;
+		}
+
+		vallist[j].value = value;
+		vallist[j].name = strdup(name);
+		if (!vallist[j].name) {
+			fprintf(stderr, 
+				"Error setting boolean %s to value %d (%s)\n", 
+				name, value, strerror(errno));
+			ret= 2;
+			goto err;
+		}
+		i++;
+		j++;
+
+		/* Now put it back */
+		value_ptr--;
+		*value_ptr = '=';
+	} 
+
+	if (permanent) {
+		if (semanage_set_boolean_list(boolcnt, vallist) < 0)
+			goto err;
+
+	} else {
+		if (security_set_boolean_list(boolcnt, vallist, 0)) {
+			if (errno == ENOENT) 
+				fprintf(stderr, "Error setting boolean: "
+					"Invalid boolean\n");
+			else if (errno)
+				perror("Error setting booleans");
+
+			goto err;			
+		}
+	}
+
+	/* Now log what was done */
+	pwd = getpwuid(getuid());
+	i = start;
+	while (i < end) {
+		name = list[i];
+		value_ptr = strchr(name, '=');
+		*value_ptr = 0;
+		value_ptr++;
+		if (pwd && pwd->pw_name)
+			syslog(LOG_NOTICE,
+				"The %s policy boolean was changed to %s by %s",
+				name, value_ptr, pwd->pw_name);
+		else
+			syslog(LOG_NOTICE,
+				"The %s policy boolean was changed to %s by uid:%d",
+				name, value_ptr, getuid());
+		i++;
+	}
+
+	return 0;
+				
+	err:
+	for (i=0; i < boolcnt; i++) 
+		if (vallist[i].name) free(vallist[i].name);
+	free(vallist);
+
+	return -1;
+}
+
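Review bot: setbool() leaks vallist and every vallist[j].name on success, because "return 0;" sits above the "err:" label and the only free loop is below it; free the list on both paths, or set a status and fall through to one shared cleanup. In the same function the parse failures still assign ret (4, 1, 2) but the err path returns -1 unconditionally, and main() stores the result in "size_t rc" before returning it, so the distinct exit codes are lost and the variable should be an int; either return ret or drop the dead assignments and document the exit-status change. In semanage_set_boolean_list(), the loop sets "boolean = NULL" without calling semanage_bool_free() although the key is freed (a per-iteration leak unless semanage_bool_modify_local takes ownership of the record), the err path never calls semanage_disconnect() after a successful semanage_connect(), and the final fprintf is missing its trailing newline.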


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04  5:55     ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Ivan Gyurdiev
@ 2005-11-04 13:20       ` Stephen Smalley
  2005-11-04 14:22         ` Ivan Gyurdiev
  2005-11-04 14:57       ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Stephen Smalley
                         ` (2 subsequent siblings)
  3 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 13:20 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
> Note1:  this does not yet work, because now load_policy tries to 
> sabotage my boolean load (by setting preservebools to 1 by default, and 
> not loading anything). What should I do about that? Should anything be 
> done at all, or should we respect the user load_policy flags in 
> /etc/selinux.conf? (which right now I see are undocumented...)

I'm not sure I understand the question.  load_policy is supposed to
preserve current boolean settings across a reload so that a transient
boolean change isn't affected by a policy update.  Examples of transient
boolean changes might include setting of booleans from cron jobs for
time-of-day policies, manual setting of booleans without -P by an admin
to reflect some external event, setting of booleans by an IDS in
response to some detected attack, etc.  That behavior isn't supposed to
change even with the introduction of libsemanage and the use of
SETLOCALDEFS=0 (which only turns off setting the booleans from the
booleans* files upon initial policy load, as they are now set in the
generated kernel binary policy file by libsemanage).

> Note2: if I go and force libsemanage to pass -b flag, it works just 
> fine, but takes forever (10sec) to complete. It's not my fault, the 
> module expand function is just really really slow.

echo "expand-check = 0" >> /etc/selinux/semanage.conf, as I noted
earlier, for development/debugging purposes.  We may want to allow
setting the expand check state on a per-handle basis to disable for
certain kinds of transactions, just as one can presently disable
immediate reload for certain transactions.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 14:22         ` Ivan Gyurdiev
@ 2005-11-04 14:16           ` Stephen Smalley
  2005-11-05  7:06             ` [ LIBSEMANAGE ] Runtime control over preservebools argument Ivan Gyurdiev
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 14:16 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 09:22 -0500, Ivan Gyurdiev wrote:
> So, how do I specify that this is not a transient change, and I want my 
> booleans loaded into policy immediately?

Ah, I see - setsebool -P wants to both update the saved settings and
load the result rather than preserving current settings.  So it wants
libsemanage to call load_policy with -b, unlike semodule.  Options are:
- add a semanage interface to set a property on the handle to control
whether booleans are preserved or not (by altering the args to
load_policy for that handle), similar to the existing interface for
controlling whether reloads are performed, or
- do that automatically within your boolean_local interfaces so that all
boolean manipulations via libsemanage will trigger a load_policy -b upon
commit.   

> I think I'll try to add all kinds of shortcuts by tracking exactly what 
> the user is trying to do...
> If there are no module changes, we can reuse the old "base.expanded" file.
> If there are no policy changes, we can skip rebuilding the policy. So, 
> if only seusers
> were changed, we only need to read the policy.kern, instead of 
> reconstructing it.

As a simpler first step, you can simply set sh->conf->expand_check = 0
if there are no module changes, as the expand-time assertion and
hierarchy checking should be unaffected by anything other than a module
change, IIRC.  The heaviest operation is the expand time checking.

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 13:20       ` Stephen Smalley
@ 2005-11-04 14:22         ` Ivan Gyurdiev
  2005-11-04 14:16           ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 14:22 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers


> I'm not sure I understand the question.  load_policy is supposed to
> preserve current boolean settings across a reload so that a transient
> boolean change isn't affected by a policy update.  Examples of transient
> boolean changes might include setting of booleans from cron jobs for
> time-of-day policies, manual setting of booleans without -P by an admin
> to reflect some external event, setting of booleans by an IDS in
> response to some detected attack, etc.  That behavior isn't supposed to
> change even with the introduction of libsemanage and the use of
> SETLOCALDEFS=0 (which only turns off setting the booleans from the
> booleans* files upon initial policy load, as they are now set in the
> generated kernel binary policy file by libsemanage).
>   
So, how do I specify that this is not a transient change, and I want my 
booleans loaded into policy immediately?
>> Note2: if I go and force libsemanage to pass -b flag, it works just 
>> fine, but takes forever (10sec) to complete. It's not my fault, the 
>> module expand function is just really really slow.
>>     
>
> echo "expand-check = 0" >> /etc/selinux/semanage.conf, as I noted
> earlier, for development/debugging purposes.  We may want to allow
> setting the expand check state on a per-handle basis to disable for
> certain kinds of transactions, just as one can presently disable
> immediate reload for certain transactions.
>   
I think I'll try to add all kinds of shortcuts by tracking exactly what 
the user is trying to do...
If there are no module changes, we can reuse the old "base.expanded" file.
If there are no policy changes, we can skip rebuilding the policy. So, 
if only seusers
were changed, we only need to read the policy.kern, instead of 
reconstructing it.


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04  5:55     ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Ivan Gyurdiev
  2005-11-04 13:20       ` Stephen Smalley
@ 2005-11-04 14:57       ` Stephen Smalley
  2005-11-04 15:35         ` Ivan Gyurdiev
  2005-11-04 14:59       ` Stephen Smalley
  2005-11-04 15:39       ` Stephen Smalley
  3 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 14:57 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
> - separate code paths for error and success (don't like fallthrough - 
> error-prone)

On this point, please see "Chapter 6:  Centralized exiting of functions"
in Documentation/CodingStyle in the kernel tree.  Note that in splitting
the code paths, it looks like you have introduced a memory leak, as you
no longer free the vallist on the success path?

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04  5:55     ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Ivan Gyurdiev
  2005-11-04 13:20       ` Stephen Smalley
  2005-11-04 14:57       ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Stephen Smalley
@ 2005-11-04 14:59       ` Stephen Smalley
  2005-11-04 15:43         ` Ivan Gyurdiev
  2005-11-04 15:39       ` Stephen Smalley
  3 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 14:59 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
> - cleanup warnings exposed by -Werror in new Makefile

Hmm...there was no Makefile in your patch for setsebool (previously
covered by the generic utils Makefile in libselinux), so I adapted the
one from semodule, and also added setsebool to the SUBDIRS list in the
top-level policycoreutils Makefile.

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 15:43         ` Ivan Gyurdiev
@ 2005-11-04 15:33           ` Stephen Smalley
  2005-11-04 16:08             ` Daniel J Walsh
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 15:33 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 10:43 -0500, Ivan Gyurdiev wrote:
> So, now that this is taken care of:
> 
> TODO:
> - optimize commit in various ways - do not do unnecessary work, disable 
> checking as you mentioned, move seuser validation inside the section 
> where policydb doesn't have to be re-read back in
> - more seuser validation (MLS fields not currently validated)
> - fix ports, and enable those
> - reduce error message verbosity (do not blindly print the call stack - 
> report only info that adds value)

First, we need to adjust setsebool and/or libsemanage to ensure that
load_policy is called with -b when changing booleans, per the earlier
message.  That should then give us working boolean support via
libsemanage.

BTW, the new setsebool presumes a system that is "managed" via
libsemanage and already has its policy in the sandbox, so it will break
if used on a system that hasn't been converted to that model.  Do we
care?  Do we need to support the old behavior (direct manipulation of
the installed booleans.local file via libselinux) as a fallback on a
non-managed system?

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 14:57       ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Stephen Smalley
@ 2005-11-04 15:35         ` Ivan Gyurdiev
  0 siblings, 0 replies; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 15:35 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
>   
>> - separate code paths for error and success (don't like fallthrough - 
>> error-prone)
>>     
>
> On this point, please see "Chapter 6:  Centralized exiting of functions"
> in Documentation/CodingStyle in the kernel tree. 
I think it's cleaner when the recovery section is small...
>  Note that in splitting
> the code paths, it looks like you have introduced a memory leak, as you
> no longer free the vallist on the success path?
>
>   
Yes I did :) ...but see - I also got rid of logging code from the error 
path, which didn't belong there - I think this makes the code simpler. 
The common path should not contain large sections of code that are not 
shared with the success path.
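
The single-exit pattern debated in this reply and in the 14:57 message it answers, as an added example that is not part of the thread or of the setsebool patch: one cleanup label frees the list on success and on every failure, the success-only step stays above the label, and distinct return codes survive. `struct bool_assign`, `apply_fn`, the `SB_*` codes, the two counters and the sample boolean arguments are stand-ins constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libselinux's SELboolean so this builds without libselinux. */
struct bool_assign { char *name; int value; };

/* Hypothetical hook in place of the call that applies the list; 0 = success. */
typedef int (*apply_fn)(size_t cnt, const struct bool_assign *list);

/* Constructed exit codes; 1, 2 and 4 follow the old setsebool's 'ret' values. */
enum { SB_OK = 0, SB_BAD_VALUE = 1, SB_NOMEM = 2, SB_APPLY = 3, SB_NO_EQUALS = 4 };

long live_allocs;   /* outstanding allocations, so a leak is observable */
int logged_changes; /* bumped only by the success-only logging step */

static void *track(void *p) { if (p) live_allocs++; return p; }
static void release(void *p) { if (p) { live_allocs--; free(p); } }

/* Case-insensitive string equality in portable C. */
static int ieq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

/* Copy the first n bytes of s into a fresh NUL-terminated string. */
static char *copy_prefix(const char *s, size_t n)
{
	char *p = track(calloc(n + 1, 1));
	if (p)
		memcpy(p, s, n);
	return p;
}

/* Stand-ins for a backend that accepts or rejects the change. */
int apply_ok(size_t cnt, const struct bool_assign *l) { (void)cnt; (void)l; return 0; }
int apply_fail(size_t cnt, const struct bool_assign *l) { (void)cnt; (void)l; return -1; }

/* Parse "name=value" strings in list[start..end) and hand them to apply(). */
int set_bools(char *const *list, size_t start, size_t end, apply_fn apply)
{
	size_t cnt = end - start, i, j;
	int ret = SB_OK;
	struct bool_assign *vals = track(calloc(cnt ? cnt : 1, sizeof(*vals)));

	if (!vals)
		return SB_NOMEM;
	for (i = start, j = 0; i < end; i++, j++) {
		const char *eq = strchr(list[i], '=');

		if (!eq) {
			ret = SB_NO_EQUALS;
			goto out;
		}
		if (!strcmp(eq + 1, "1") || ieq(eq + 1, "true")) {
			vals[j].value = 1;
		} else if (!strcmp(eq + 1, "0") || ieq(eq + 1, "false")) {
			vals[j].value = 0;
		} else {
			ret = SB_BAD_VALUE;
			goto out;
		}
		/* Copy the name instead of patching '=' in the caller's string. */
		vals[j].name = copy_prefix(list[i], (size_t)(eq - list[i]));
		if (!vals[j].name) {
			ret = SB_NOMEM;
			goto out;
		}
	}
	if (apply(cnt, vals) != 0) {
		ret = SB_APPLY;
		goto out;
	}
	/* Success-only work (the syslog step in setsebool) stays above the label. */
	logged_changes += (int)cnt;
out:
	/* Single exit, reached on success and on every failure. calloc left the
	   unused name slots NULL, which release() accepts. */
	for (j = 0; j < cnt; j++)
		release(vals[j].name);
	release(vals);
	return ret;
}

int main(void)
{
	char *args[] = { "httpd_enable_cgi=1", "ftp_home_dir=false" }; /* constructed */
	int rc = set_bools(args, 0, 2, apply_ok);

	printf("rc=%d live_allocs=%ld logged=%d\n", rc, live_allocs, logged_changes);
	return rc;
}
```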



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04  5:55     ` [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage Ivan Gyurdiev
                         ` (2 preceding siblings ...)
  2005-11-04 14:59       ` Stephen Smalley
@ 2005-11-04 15:39       ` Stephen Smalley
  2005-11-04 16:05         ` Daniel J Walsh
  3 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 15:39 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
> - always return -1 on failure. I highly dislike any creativity with the 
> return value.

Hmmm...so the 'ret' value is now unused, but those error codes were
being propagated all the way up to the exit status of the program.  So
this constitutes an "interface change".  Question is whether any caller
was using those individual ret values for any purpose - Dan?  Does
system-config-securitylevel distinguish error codes from setsebool?

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 14:59       ` Stephen Smalley
@ 2005-11-04 15:43         ` Ivan Gyurdiev
  2005-11-04 15:33           ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 15:43 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
>   
>> - cleanup warnings exposed by -Werror in new Makefile
>>     
>
> Hmm...there was no Makefile in your patch for setsebool (previously
> covered by the generic utils Makefile in libselinux), so I adapted the
> one from semodule, and also added setsebool to the SUBDIRS list in the
> top-level policycoreutils Makefile.
>   
All right, thank you. Yes, --exclude tends to have some undesired effects...

So, now that this is taken care of:

TODO:
- optimize commit in various ways - do not do unnecessary work, disable 
checking as you mentioned, move seuser validation inside the section 
where policydb doesn't have to be re-read back in
- more seuser validation (MLS fields not currently validated)
- fix ports, and enable those
- reduce error message verbosity (do not blindly print the call stack - 
report only info that adds value)


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 15:39       ` Stephen Smalley
@ 2005-11-04 16:05         ` Daniel J Walsh
  0 siblings, 0 replies; 28+ messages in thread
From: Daniel J Walsh @ 2005-11-04 16:05 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Ivan Gyurdiev, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 00:55 -0500, Ivan Gyurdiev wrote:
>   
>> - always return -1 on failure. I highly dislike any creativity with the 
>> return value.
>>     
>
> Hmmm...so the 'ret' value is now unused, but those error codes were
> being propagated all the way up to the exit status of the program.  So
> this constitutes an "interface change".  Question is whether any caller
> was using those individual ret values for any purpose - Dan?  Does
> system-config-securitylevel distinguish error codes from setsebool?
>
>   
Nope it is ignored.



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 15:33           ` Stephen Smalley
@ 2005-11-04 16:08             ` Daniel J Walsh
  2005-11-04 16:12               ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Daniel J Walsh @ 2005-11-04 16:08 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Ivan Gyurdiev, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 10:43 -0500, Ivan Gyurdiev wrote:
>   
>> So, now that this is taken care of:
>>
>> TODO:
>> - optimize commit in various ways - do not do unnecessary work, disable 
>> checking as you mentioned, move seuser validation inside the section 
>> where policydb doesn't have to be re-read back in
>> - more seuser validation (MLS fields not currently validated)
>> - fix ports, and enable those
>> - reduce error message verbosity (do not blindly print the call stack - 
>> report only info that adds value)
>>     
>
> First, we need to adjust setsebool and/or libsemanage to ensure that
> load_policy is called with -b when changing booleans, per the earlier
> message.  That should then give us working boolean support via
> libsemanage.
>
> BTW, the new setsebool presumes a system that is "managed" via
> libsemanage and already has its policy in the sandbox, so it will break
> if used on a system that hasn't been converted to that model.  Do we
> care?  Do we need to support the old behavior (direct manipulation of
> the installed booleans.local file via libselinux) as a fallback on a
> non-managed system?
>
>   
Yes I think we need to maintain the previous setsebool, otherwise we 
will need to tie policycoreutils to policy version.




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:08             ` Daniel J Walsh
@ 2005-11-04 16:12               ` Stephen Smalley
  2005-11-04 16:31                 ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 16:12 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Ivan Gyurdiev, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 11:08 -0500, Daniel J Walsh wrote:
> > BTW, the new setsebool presumes a system that is "managed" via
> > libsemanage and already has its policy in the sandbox, so it will break
> > if used on a system that hasn't been converted to that model.  Do we
> > care?  Do we need to support the old behavior (direct manipulation of
> > the installed booleans.local file via libselinux) as a fallback on a
> > non-managed system?
> >
> >   
> Yes I think we need to maintain the previous setsebool, otherwise we 
> will need to tie policycoreutils to policy version.

Then the options would seem to be:
1) Have libsemanage internally detect whether the sandbox has been
initialized, and if not, fall back to calling the libselinux function to
manipulate booleans.local, or
2) Have libsemanage provide an interface (is_semanage_enabled?) to allow
setsebool to detect whether the system is "managed" via libsemanage
(i.e. has the sandbox been initialized via prior semodule -b), and have
setsebool use that interface and fall back to calling the libselinux
function if it is not enabled.

Note that libsemanage (and thus semanage.conf) will be present on the
system regardless of whether or not the system is "managed" using it
since policycoreutils depends on it now.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:12               ` Stephen Smalley
@ 2005-11-04 16:31                 ` Stephen Smalley
  2005-11-04 17:08                   ` Ivan Gyurdiev
                                     ` (2 more replies)
  0 siblings, 3 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 16:31 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Ivan Gyurdiev, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote:
> Then the options would seem to be:
> 1) Have libsemanage internally detect whether the sandbox has been
> initialized, and if not, fall back to calling the libselinux function to
> manipulate booleans.local, or
> 2) Have libsemanage provide an interface (is_semanage_enabled?) to allow
> setsebool to detect whether the system is "managed" via libsemanage
> (i.e. has the sandbox been initialized via prior semodule -b), and have
> setsebool use that interface and fall back to calling the libselinux
> function if it is not enabled.
> 
> Note that libsemanage (and thus semanage.conf) will be present on the
> system regardless of whether or not the system is "managed" using it
> since policycoreutils depends on it now.

I think I favor #1, as this is a legacy issue that is only going to
exist for booleans.  When someone creates a setseport or setseinterface
or ..., they are just going to use the semanage interfaces, and if the
system isn't managed via libsemanage, it simply isn't going to work
(i.e. there is no fallback mechanism, as such support didn't exist prior
to the introduction of libsemanage).  Thus, setsebool should likewise
unconditionally use the semanage interfaces, and libsemanage should
internally route the requests to the old libselinux interfaces if the
system isn't managed for legacy support.

Note btw that even the setsebool w/o -P case should eventually go
through libsemanage as well, IIUC, even though that will not regenerate
the binary policy file, but we don't have interfaces for that purpose
yet.  Likewise for togglesebool and getsebool.  But that isn't critical
right now.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 17:08                   ` Ivan Gyurdiev
@ 2005-11-04 16:59                     ` Stephen Smalley
  2005-11-04 17:04                       ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 16:59 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 12:08 -0500, Ivan Gyurdiev wrote:
> > Note btw that even the setsebool w/o -P case should eventually go
> > through libsemanage as well, IIUC, even though that will not regenerate
> > the binary policy file, but we don't have interfaces for that purpose
> > yet.  Likewise for togglesebool and getsebool.  But that isn't critical
> > right now.
> >   
> Can you explain why that is?  I'm trying to understand what kind of 
> interface is needed. Do you need a single function (set()), or do you 
> need a full backend implementing the entire dbase API? Specifically, do 
> you need queries in libsemanage? What's the justification for runtime 
> policy changes like that to go through libsemanage?

Partly access control (via the policy server), although the kernel can
handle that directly for any boolean in the kernel policy by configuring
individual types on the booleans in genfs_contexts and using the file
access controls.  Partly to support userspace-only booleans, I suspect,
for the policies for userspace object managers (e.g. X, dbusd) that
don't need to be loaded into the kernel at all once you have a userspace
security server.  So I think you'd need the full API.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:59                     ` Stephen Smalley
@ 2005-11-04 17:04                       ` Stephen Smalley
  0 siblings, 0 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 17:04 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 11:59 -0500, Stephen Smalley wrote:
> On Fri, 2005-11-04 at 12:08 -0500, Ivan Gyurdiev wrote:
> > > Note btw that even the setsebool w/o -P case should eventually go
> > > through libsemanage as well, IIUC, even though that will not regenerate
> > > the binary policy file, but we don't have interfaces for that purpose
> > > yet.  Likewise for togglesebool and getsebool.  But that isn't critical
> > > right now.
> > >   
> > Can you explain why that is?  I'm trying to understand what kind of 
> > interface is needed. Do you need a single function (set()), or do you 
> > need a full backend implementing the entire dbase API? Specifically, do 
> > you need queries in libsemanage? What's the justification for runtime 
> > policy changes like that to go through libsemanage?
> 
> Partly access control (via the policy server), although the kernel can
> handle that directly for any boolean in the kernel policy by configuring
> individual types on the booleans in genfs_contexts and using the file
> access controls.  Partly to support userspace-only booleans, I suspect,
> for the policies for userspace object managers (e.g. X, dbusd) that
> don't need to be loaded into the kernel at all once you have a userspace
> security server.  So I think you'd need the full API.

But note that this isn't as high a priority as other tasks; it only
makes sense once the policy server comes into the picture.  Likewise for
setenforce/getenforce.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:31                 ` Stephen Smalley
@ 2005-11-04 17:08                   ` Ivan Gyurdiev
  2005-11-04 16:59                     ` Stephen Smalley
  2005-11-04 17:11                   ` Stephen Smalley
  2005-11-04 21:54                   ` Ivan Gyurdiev
  2 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 17:08 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers


> Note btw that even the setsebool w/o -P case should eventually go
> through libsemanage as well, IIUC, even though that will not regenerate
> the binary policy file, but we don't have interfaces for that purpose
> yet.  Likewise for togglesebool and getsebool.  But that isn't critical
> right now.
>   
Can you explain why that is?  I'm trying to understand what kind of 
interface is needed. Do you need a single function (set()), or do you 
need a full backend implementing the entire dbase API? Specifically, do 
you need queries in libsemanage? What's the justification for runtime 
policy changes like that to go through libsemanage?




^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:31                 ` Stephen Smalley
  2005-11-04 17:08                   ` Ivan Gyurdiev
@ 2005-11-04 17:11                   ` Stephen Smalley
  2005-11-04 21:54                   ` Ivan Gyurdiev
  2 siblings, 0 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-04 17:11 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Ivan Gyurdiev, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 11:31 -0500, Stephen Smalley wrote:
> On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote:
> > Then the options would seem to be:
> > 1) Have libsemanage internally detect whether the sandbox has been
> > initialized, and if not, fall back to calling the libselinux function to
> > manipulate booleans.local, or
> > 2) Have libsemanage provide an interface (is_semanage_enabled?) to allow
> > setsebool to detect whether the system is "managed" via libsemanage
> > (i.e. has the sandbox been initialized via prior semodule -b), and have
> > setsebool use that interface and fall back to calling the libselinux
> > function if it is not enabled.
> > 
> > Note that libsemanage (and thus semanage.conf) will be present on the
> > system regardless of whether or not the system is "managed" using it
> > since policycoreutils depends on it now.
> 
> I think I favor #1, as this is a legacy issue that is only going to
> exist for booleans.  When someone creates a setseport or setseinterface
> or ..., they are just going to use the semanage interfaces, and if the
> system isn't managed via libsemanage, it simply isn't going to work
> (i.e. there is no fallback mechanism, as such support didn't exist prior
> to the introduction of libsemanage).  Thus, setsebool should likewise
> unconditionally use the semanage interfaces, and libsemanage should
> internally route the requests to the old libselinux interfaces if the
> system isn't managed for legacy support.

On the other hand, #2 looks a lot simpler to implement, as setsebool can
then just call security_set_boolean_list() on the entire list when
semanage is disabled.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 16:31                 ` Stephen Smalley
  2005-11-04 17:08                   ` Ivan Gyurdiev
  2005-11-04 17:11                   ` Stephen Smalley
@ 2005-11-04 21:54                   ` Ivan Gyurdiev
  2005-11-04 21:59                     ` Ivan Gyurdiev
  2 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 21:54 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote:
>   
>> Then the options would seem to be:
>> 1) Have libsemanage internally detect whether the sandbox has been
>> initialized, and if not, fall back to calling the libselinux function to
>> manipulate booleans.local, or
>> 2) Have libsemanage provide an interface (is_semanage_enabled?) to allow
>> setsebool to detect whether the system is "managed" via libsemanage
>> (i.e. has the sandbox been initialized via prior semodule -b), and have
>> setsebool use that interface and fall back to calling the libselinux
>> function if it is not enabled.
>>
>> Note that libsemanage (and thus semanage.conf) will be present on the
>> system regardless of whether or not the system is "managed" using it
>> since policycoreutils depends on it now.
>>     
>
> I think I favor #1, as this is a legacy issue that is only going to
> exist for booleans.  When someone creates a setseport or setseinterface
> or ..., they are just going to use the semanage interfaces, and if the
> system isn't managed via libsemanage, it simply isn't going to work
> (i.e. there is no fallback mechanism, as such support didn't exist prior
> to the introduction of libsemanage).  Thus, setsebool should likewise
> unconditionally use the semanage interfaces, and libsemanage should
> internally route the requests to the old libselinux interfaces if the
> system isn't managed for legacy support.
>   
I'm not sure that this makes sense... let's get back to the reason 
_why_ the sandbox is uninitialized - it's because we haven't copied the 
proper files into the sandbox yet. Falling back to other functions seems 
equivalent to doing the initialization ourselves - copy the proper files 
into the sandbox. We could just do that instead, but I'm not sure it's a 
good idea. It would require the same privileges....



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 21:54                   ` Ivan Gyurdiev
@ 2005-11-04 21:59                     ` Ivan Gyurdiev
  2005-11-07 13:48                       ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-04 21:59 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Stephen Smalley, Daniel J Walsh, selinux, Joshua Brindle,
	Karl MacMillan, Frank Mayer, chris pebenito, James Morris,
	Chad Sellers

Ivan Gyurdiev wrote:
> Stephen Smalley wrote:
>> On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote:
>>  
>>> Then the options would seem to be:
>>> 1) Have libsemanage internally detect whether the sandbox has been
>>> initialized, and if not, fall back to calling the libselinux 
>>> function to
>>> manipulate booleans.local, or
>>> 2) Have libsemanage provide an interface (is_semanage_enabled?) to 
>>> allow
>>> setsebool to detect whether the system is "managed" via libsemanage
>>> (i.e. has the sandbox been initialized via prior semodule -b), and have
>>> setsebool use that interface and fall back to calling the libselinux
>>> function if it is not enabled.
>>>
>>> Note that libsemanage (and thus semanage.conf) will be present on the
>>> system regardless of whether or not the system is "managed" using it
>>> since policycoreutils depends on it now.
>>>     
>>
>> I think I favor #1, as this is a legacy issue that is only going to
>> exist for booleans.  When someone creates a setseport or setseinterface
>> or ..., they are just going to use the semanage interfaces, and if the
>> system isn't managed via libsemanage, it simply isn't going to work
>> (i.e. there is no fallback mechanism, as such support didn't exist prior
>> to the introduction of libsemanage).  Thus, setsebool should likewise
>> unconditionally use the semanage interfaces, and libsemanage should
>> internally route the requests to the old libselinux interfaces if the
>> system isn't managed for legacy support.
>>   
> I'm not sure that this makes sense... let's get back to the reason 
> _why_ the sandbox is uninitialized - it's because we haven't copied 
> the proper files into the sandbox yet. Falling back to other functions 
> seems equivalent to doing the initialization ourselves - copy the 
> proper files into the sandbox. We could just do that instead, but I'm 
> not sure it's a good idea. It would require the same privileges....
I am also wondering whether migration code should go into the 
libsemanage %post script, rather than the policy %post script.
Then we don't have to deal with this issue, because the fact that you're 
linking to the library, means it's installed, and %post was executed - 
haven't thought much about this, so maybe it's a stupid idea, but ... 
what do you think?



^ permalink raw reply	[flat|nested] 28+ messages in thread

* [ LIBSEMANAGE ] Runtime control over preservebools argument
  2005-11-04 14:16           ` Stephen Smalley
@ 2005-11-05  7:06             ` Ivan Gyurdiev
  2005-11-07 14:38               ` Joshua Brindle
  0 siblings, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-05  7:06 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: selinux, Joshua Brindle, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

[-- Attachment #1: Type: text/plain, Size: 1227 bytes --]

Stephen Smalley wrote:
> On Fri, 2005-11-04 at 09:22 -0500, Ivan Gyurdiev wrote:
>   
>> So, how do I specify that this is not a transient change, and I want my 
>> booleans loaded into policy immediately?
>>     
>
> Ah, I see - setsebool -P wants to both update the saved settings and
> load the result rather than preserving current settings.  So it wants
> libsemanage to call load_policy with -b, unlike semodule.  Options are:
> - add a semanage interface to set a property on the handle to control
> whether booleans are preserved or not (by altering the args to
> load_policy for that handle), similar to the existing interface for
> controlling whether reloads are performed, or
>   
Editing an argument string for programs in C is... probably one of the 
most uncool patches I've ever written.
I guess the end justifies the means...

Should pass valgrind, and work when called repeatedly with values 0 or 
1. Maybe the reload=0 case is a bit wrong - argument string cannot 
contain "-b" anywhere.

I also fixed the memory leak in setsebool - see other patch (which 
should be applied first).

Now booleans update correctly (minus migration issues - see other mail).
Next: make them update in less than 10 seconds :)


[-- Attachment #2: libsemanage.preserve_bools.diff --]
[-- Type: text/x-patch, Size: 3665 bytes --]

diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/include/semanage/handle.h new/libsemanage/include/semanage/handle.h
--- old/libsemanage/include/semanage/handle.h	2005-10-25 08:25:32.000000000 -0400
+++ new/libsemanage/include/semanage/handle.h	2005-11-05 01:16:44.000000000 -0500
@@ -59,6 +59,10 @@ int semanage_reload_policy(semanage_hand
  * 1 for yes (default), 0 for no */
 void semanage_set_reload(semanage_handle_t *handle, int do_reload);
 
+/* set whether to reload the boolean settings after a commit,
+ * 1 for yes, 0 for no (default */
+int semanage_set_reload_bools(semanage_handle_t *sh, int do_reload);
+
 /* "Connect" to a manager based on the configuration and 
  * associate the provided handle with the connection.
  * If the connect fails then this function returns a negative value, 
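Review bot: The new comment above semanage_set_reload_bools is missing its closing parenthesis ("0 for no (default") and says nothing about the int return value, while the neighbouring semanage_set_reload returns void. Please close the parenthesis and document that the call can fail and must be checked, since callers used to semanage_set_reload will not expect that. The parameter is also named sh here but handle in the declaration just above; one name for both would read better.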
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/handle.c new/libsemanage/src/handle.c
--- old/libsemanage/src/handle.c	2005-11-04 23:45:39.000000000 -0500
+++ new/libsemanage/src/handle.c	2005-11-05 01:44:39.000000000 -0500
@@ -25,6 +25,7 @@
 
 #include <stdarg.h>
 #include <assert.h>
+#include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <sys/time.h>
@@ -76,6 +77,38 @@ void semanage_set_reload(semanage_handle
 	return;
 }
 
+int semanage_set_reload_bools(semanage_handle_t *sh, int do_reload) {
+
+	assert(sh != NULL);
+
+	semanage_conf_t* conf = sh->conf;
+
+	if (do_reload) {
+		char* prev_args = conf->load_policy->args;
+		int len = (prev_args == NULL)? 0: strlen(prev_args);
+		char* ptr = (char*) realloc(prev_args, len + 4);
+
+		if (!ptr) {
+			ERR(sh, "out of memory, could not configure "
+				"boolean reload");
+			return STATUS_ERR;
+		}
+		strcpy(ptr + len, " -b");
+		conf->load_policy->args = ptr;
+
+	} else {
+		char* ptr = conf->load_policy->args;
+
+		while(*ptr++) {
+			if (!strcmp(ptr, "-b")) {
+				*ptr++ = ' ';	
+				*ptr++ = ' ';
+			}
+		}
+	}
+	return STATUS_SUCCESS;
+}
+
 void semanage_select_store(semanage_handle_t *sh, char *storename,
 			  enum semanage_connect_type storetype) {
 	
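Review bot: The do_reload == 0 branch dereferences conf->load_policy->args without the NULL check that the do_reload branch makes, and strcmp(ptr, "-b") only matches when "-b" is the very end of the string, so a "-b" followed by other arguments is never cleared; because while(*ptr++) advances before the comparison, a string that begins with "-b" is missed as well. In the other branch every call with do_reload set appends another " -b", so two such calls leave two copies and a later call with 0 blanks only the last one. Consider keeping a flag on the handle and adding the option when load_policy is invoked, or at least check for NULL, skip the append when the option is already present, and match with strncmp plus a word-boundary test.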
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/libsemanage.map new/libsemanage/src/libsemanage.map
--- old/libsemanage/src/libsemanage.map	2005-11-03 12:48:03.000000000 -0500
+++ new/libsemanage/src/libsemanage.map	2005-11-05 01:21:21.000000000 -0500
@@ -8,7 +8,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_module_list; semanage_module_info_datum_destroy;
 	  semanage_module_list_nth; semanage_module_get_name;
 	  semanage_module_get_version; semanage_select_store;
-	  semanage_reload_policy; semanage_set_reload;
+	  semanage_reload_policy; semanage_set_reload; semanage_set_reload_bools;
 	  semanage_user_*; semanage_bool_*; semanage_seuser_*;
 	  semanage_iface_*; semanage_context_*;
   local: *;
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/policycoreutils/setsebool/setsebool.c new/policycoreutils/setsebool/setsebool.c
--- old/policycoreutils/setsebool/setsebool.c	2005-11-05 00:29:59.000000000 -0500
+++ new/policycoreutils/setsebool/setsebool.c	2005-11-05 01:49:50.000000000 -0500
@@ -10,6 +10,7 @@
 #include <selinux/selinux.h>
 #include <semanage/booleans_local.h>
 #include <semanage/boolean_record.h>
+#include <semanage/handle.h>
 #include <errno.h>
 
 int permanent = 0;
@@ -113,6 +114,10 @@ int semanage_set_boolean_list(size_t boo
 		boolean = NULL;
 	}	
 
+	semanage_set_reload(handle, 1);
+	if (semanage_set_reload_bools(handle, 1) < 0)
+		goto err;
+
 	if (semanage_commit(handle) < 0)
 		goto err;
 
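Review bot: semanage_set_reload(handle, 1) and semanage_set_reload_bools(handle, 1) are called unconditionally just before semanage_commit, so this path always forces a reload with "-b" regardless of how the handle was configured, and each call appends to the handle's load_policy args. A short comment saying why the permanent path needs both would help, along with a statement of whether the handle is used for only one commit; if it can be reused, the append in semanage_set_reload_bools needs to be idempotent first.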

^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-04 21:59                     ` Ivan Gyurdiev
@ 2005-11-07 13:48                       ` Stephen Smalley
  2005-11-07 14:56                         ` Stephen Smalley
  2005-11-07 16:40                         ` Ivan Gyurdiev
  0 siblings, 2 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-07 13:48 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Fri, 2005-11-04 at 16:59 -0500, Ivan Gyurdiev wrote:
> > I'm not sure that this makes sense... let's get back to the reason 
> > _why_ the sandbox is uninitialized - it's because we haven't copied 
> > the proper files into the sandbox yet. Falling back to other functions 
> > seems equivalent to doing the initialization ourselves - copy the 
> > proper files into the sandbox. We could just do that instead, but I'm 
> > not sure it's a good idea. It would require the same privileges....

Let me clarify:  setsebool needs to fall back to the original behavior
(i.e. direct call to security_set_boolean_list with permanent=1) if the
system policy is not managed via libsemanage.  So I'm not talking about
having libsemanage and/or setsebool automatically initialize the
sandbox; I'm just talking about having a fall back to the original
behavior for setting persistent boolean values on non-managed systems.
In order to do this, we need to be able to detect whether the system
policy is managed via libsemanage.  Which leads us to the next point...

> I am also wondering whether migration code should go into the 
> libsemanage %post script, rather than the policy %post script.
> Then we don't have to deal with this issue, because the fact that you're 
> linking to the library, means it's installed, and %post was executed - 
> haven't thought much about this, so maybe it's a stupid idea, but ... 
> what do you think?

No, the presence of libsemanage or even a particular version of
libsemanage doesn't tell us whether the system policy is managed via
libsemanage.  It only tells us that some code on the system is linked
against libsemanage.  Conversion of a system to being managed via
libsemanage is a change in the policy package, not a change in
libsemanage.  In particular, it involves converting the policy package
to using policy modules and using semodule.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 28+ messages in thread

* Re: [ LIBSEMANAGE ] Runtime control over preservebools argument
  2005-11-05  7:06             ` [ LIBSEMANAGE ] Runtime control over preservebools argument Ivan Gyurdiev
@ 2005-11-07 14:38               ` Joshua Brindle
  2005-11-07 15:12                 ` Daniel J Walsh
  0 siblings, 1 reply; 28+ messages in thread
From: Joshua Brindle @ 2005-11-07 14:38 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Stephen Smalley, selinux, Karl MacMillan, Frank Mayer,
	chris pebenito, Daniel J Walsh, James Morris, Chad Sellers

Ivan Gyurdiev wrote:
> Stephen Smalley wrote:
> 
>> On Fri, 2005-11-04 at 09:22 -0500, Ivan Gyurdiev wrote:
>>  
>>
>>> So, how do I specify that this is not a transient change, and I want 
>>> my booleans loaded into policy immediately?
>>>     
>>
>>
>> Ah, I see - setsebool -P wants to both update the saved settings and
>> load the result rather than preserving current settings.  So it wants
>> libsemanage to call load_policy with -b, unlike semodule.  Options are:
>> - add a semanage interface to set a property on the handle to control
>> whether booleans are preserved or not (by altering the args to
>> load_policy for that handle), similar to the existing interface for
>> controlling whether reloads are performed, or
>>   
> 
> Editing an argument string for programs in C is... probably one of the 
> most uncool patches I've ever written.
> I guess the end justifies the means...
> 
> Should pass valgrind, and work when called repeatedly with values 0 or 
> 1. Maybe the reload=0 case is a bit wrong - argument string cannot 
> contain "-b" anywhere.
> 
> I also fixed the memory leak in setsebool - see other patch (which 
> should be applied first).
> 
> Now booleans update correctly (minus migration issues - see other mail).
> Next: make them update in less than 10 seconds :)
> 
> 
<snip>

> +	if (do_reload) {
> +		char* prev_args = conf->load_policy->args;
> +		int len = (prev_args == NULL)? 0: strlen(prev_args);
> +		char* ptr = (char*) realloc(prev_args, len + 4);
> +
> +		if (!ptr) {
> +			ERR(sh, "out of memory, could not configure "
> +				"boolean reload");
> +			return STATUS_ERR;
> +		}
> +		strcpy(ptr + len, " -b");
> +		conf->load_policy->args = ptr;
> +
> +	} else {
> +		char* ptr = conf->load_policy->args;
> +
> +		while(*ptr++) {
> +			if (!strcmp(ptr, "-b")) {
> +				*ptr++ = ' ';	
> +				*ptr++ = ' ';
> +			}
> +		}
> +	}
> +	return STATUS_SUCCESS;
> +}
> +
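Review bot: In the else branch, `strcmp(ptr, "-b")` compares the whole remainder of the string, so "-b" is blanked only when it is the last thing in args, and because `while(*ptr++)` advances before the comparison, a "-b" at offset 0 is never examined. The branch also dereferences conf->load_policy->args without the NULL check that the do_reload branch applies to prev_args. Test for NULL first, then match "-b" as a whole token (a two-byte compare with a delimiter or string boundary on each side) rather than against the tail of the string.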
I think you are doing this in the wrong place. Rather than mangling the 
argument string every time this function is called you should just add 
something to the handle that indicates whether or not to preserve 
booleans, and do this at load time.

However, I don't know if this is the right approach anyway. If someone 
sets a boolean without -P , foo, and then sets another boolean with -P 
you will revert foo when loading the new policy.

IMHO while we will need to regenerate the policy we should not load it 
and instead just set the runtime state. This will work for the common 
case but there is something of a corner case where the above scenario 
happens and a module is also inserted in the same transaction, not sure 
how to handle that one.

Joshua

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
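Added example, not part of the thread and not libsemanage code: one way to do what Joshua suggests above, recording the reload/preserve choice as a flag on the handle and building the load_policy argument vector only at load time. `struct demo_handle`, the `demo_*` functions, `DEMO_MAX_ARGS` and the `-q` sample argument are hypothetical names and constructed inputs.

```c
#include <string.h>

#define DEMO_MAX_ARGS 16

/* Hypothetical stand-in for the handle: the caller's choice is stored as
 * a flag, and the configured argument string is never modified. */
struct demo_handle {
	const char *conf_args;	/* load_policy args from config, may be NULL */
	int reload_bools;	/* 1: add -b at load time, 0: preserve */
};

/* Setter only records intent, so repeated calls cannot stack up flags. */
void demo_set_reload_bools(struct demo_handle *h, int do_reload)
{
	h->reload_bools = do_reload ? 1 : 0;
}

/* Build argv at load time. Tokens are cut out of buf, a caller-supplied
 * scratch copy of conf_args, so the configuration itself stays intact.
 * Returns argc, or -1 if the arguments do not fit. */
int demo_build_argv(const struct demo_handle *h, const char *prog,
		    char *buf, size_t buflen, char *argv[DEMO_MAX_ARGS])
{
	const char *src = h->conf_args ? h->conf_args : "";
	int argc = 0;
	char *p;

	if (strlen(src) >= buflen)
		return -1;
	strcpy(buf, src);	/* length checked above */
	argv[argc++] = (char *)prog;
	for (p = buf + strspn(buf, " \t"); *p != '\0'; p += strspn(p, " \t")) {
		char *tok = p;

		p += strcspn(p, " \t");
		if (*p != '\0')
			*p++ = '\0';
		/* Whole-token match: a configured -b is dropped wherever it
		 * sits, because the handle flag is authoritative. */
		if (strcmp(tok, "-b") == 0)
			continue;
		if (argc >= DEMO_MAX_ARGS - 2)	/* keep room for -b, NULL */
			return -1;
		argv[argc++] = tok;
	}
	if (h->reload_bools)
		argv[argc++] = "-b";
	argv[argc] = NULL;
	return argc;
}

/* Helper for checking: number of "-b" tokens in the argv produced after
 * the setter has been called `calls` times with `do_reload`. */
int demo_count_b(const char *conf_args, int calls, int do_reload)
{
	struct demo_handle h = { conf_args, 0 };
	char buf[256], *argv[DEMO_MAX_ARGS];
	int i, n = 0, argc;

	for (i = 0; i < calls; i++)
		demo_set_reload_bools(&h, do_reload);
	argc = demo_build_argv(&h, "load_policy", buf, sizeof(buf), argv);
	for (i = 1; i < argc; i++)
		n += strcmp(argv[i], "-b") == 0;
	return argc < 0 ? -1 : n;
}
```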


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-07 13:48                       ` Stephen Smalley
@ 2005-11-07 14:56                         ` Stephen Smalley
  2005-11-07 15:09                           ` Stephen Smalley
  2005-11-07 16:40                         ` Ivan Gyurdiev
  1 sibling, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2005-11-07 14:56 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

[-- Attachment #1: Type: text/plain, Size: 725 bytes --]

On Mon, 2005-11-07 at 08:48 -0500, Stephen Smalley wrote:
> Let me clarify:  setsebool needs to fall back to the original behavior
> (i.e. direct call to security_set_boolean_list with permanent=1) if the
> system policy is not managed via libsemanage.  So I'm not talking about
> having libsemanage and/or setsebool automatically initialize the
> sandbox; I'm just talking about having a fall back to the original
> behavior for setting persistent boolean values on non-managed systems.
> In order to do this, we need to be able to detect whether the system
> policy is managed via libsemanage.  Which leads us to the next point...

Something like the patch below (un-tested):


-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: ismanaged.patch --]
[-- Type: text/x-patch, Size: 5876 bytes --]

Index: libsemanage/include/semanage/handle.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/include/semanage/handle.h,v
retrieving revision 1.4
diff -u -p -r1.4 handle.h
--- libsemanage/include/semanage/handle.h	7 Nov 2005 15:12:44 -0000	1.4
+++ libsemanage/include/semanage/handle.h	7 Nov 2005 15:38:01 -0000
@@ -63,6 +63,13 @@ void semanage_set_reload(semanage_handle
  * 1 for yes, 0 for no (default */
 int semanage_set_reload_bools(semanage_handle_t *sh, int do_reload);
 
+/* Check whether policy is managed via libsemanage on this system.
+ * Must be called prior to trying to connect.
+ * Return 1 if policy is managed via libsemanage on this system,
+ * 0 if policy is not managed, or -1 on error.
+ */
+int semanage_is_managed(semanage_handle_t *);
+
 /* "Connect" to a manager based on the configuration and 
  * associate the provided handle with the connection.
  * If the connect fails then this function returns a negative value, 
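Review bot: The new comment on semanage_is_managed() does not say that -1 is also returned for a handle that is already connected, or that the check leaves a missing store uncreated, and the prototype omits the parameter name where the neighbouring declarations use `sh`. Document both behaviours here, since this header is what callers such as setsebool read, and write the parameter as `semanage_handle_t *sh`.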
Index: libsemanage/src/direct_api.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/src/direct_api.c,v
retrieving revision 1.21
diff -u -p -r1.21 direct_api.c
--- libsemanage/src/direct_api.c	4 Nov 2005 16:16:35 -0000	1.21
+++ libsemanage/src/direct_api.c	7 Nov 2005 15:39:23 -0000
@@ -74,6 +74,24 @@ static struct semanage_policy_table dire
 	.list = semanage_direct_list
 };
 
+int semanage_direct_is_managed(semanage_handle_t *sh) {
+	char polpath[PATH_MAX];
+
+	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(), sh->conf->store_path);
+	
+	if (semanage_check_init(polpath))
+		goto err;
+
+	if (semanage_create_store(sh, 0) < 0) 
+		return 0;
+
+	return 1;
+
+	err:
+	ERR(sh, "could not check whether policy is managed");
+	return STATUS_ERR;	
+}
+
 /* Check that the module store exists, creating it if necessary.
  */
 int semanage_direct_connect(semanage_handle_t *sh) {
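Review bot: In semanage_direct_is_managed(), every negative return from `semanage_create_store(sh, 0)` is reported as 0 (not managed), so a store that exists but cannot be read is indistinguishable from no store at all, and setsebool would then take the security_set_boolean_list fallback on a managed system. Return 0 only when the store is absent and STATUS_ERR for any other failure. The snprintf into polpath is also unchecked; a return value >= PATH_MAX means the path was truncated and should go to err.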
Index: libsemanage/src/direct_api.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/src/direct_api.h,v
retrieving revision 1.2
diff -u -p -r1.2 direct_api.h
--- libsemanage/src/direct_api.h	30 Sep 2005 19:23:36 -0000	1.2
+++ libsemanage/src/direct_api.h	7 Nov 2005 15:24:08 -0000
@@ -23,5 +23,6 @@
 #include "handle.h"
 
 int semanage_direct_connect(semanage_handle_t *sh);
+int semanage_direct_is_managed(semanage_handle_t *sh);
 
 #endif
Index: libsemanage/src/handle.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/src/handle.c,v
retrieving revision 1.17
diff -u -p -r1.17 handle.c
--- libsemanage/src/handle.c	7 Nov 2005 15:12:44 -0000	1.17
+++ libsemanage/src/handle.c	7 Nov 2005 15:40:09 -0000
@@ -122,6 +122,23 @@ void semanage_select_store(semanage_hand
 	return;
 }
 
+int semanage_is_managed(semanage_handle_t *sh)
+{
+	assert(sh != NULL);
+	if (sh->is_connected) {
+		ERR(sh, "Already connected.");
+		return -1;
+	}
+	switch (sh->conf->store_type) {
+	case SEMANAGE_CON_DIRECT:
+		return semanage_direct_is_managed(sh);
+	default:
+		ERR(sh, "The connection type specified within your semanage.conf file has not been implemented yet.");
+		/* fall through */
+	}
+	return -1;
+}
+
 int semanage_connect(semanage_handle_t *sh) {
 	assert(sh != NULL);
 	switch (sh->conf->store_type) {
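Review bot: The default case in semanage_is_managed() ends with a `/* fall through */` comment although it is the last label in the switch; returning -1 inside the case, as the semanage_connect() change later in this file does, reads more clearly than dropping out to the trailing `return -1`. `assert(sh != NULL)` disappears under NDEBUG, so an explicit NULL check that returns an error is safer for an exported entry point. The direct path returns STATUS_ERR while this function returns a literal -1; use one consistently.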
@@ -132,8 +149,8 @@ int semanage_connect(semanage_handle_t *
 		break;
 	}
 	default: {
-		fprintf(stderr, "The connection type specified within your semanage.conf file has not been implemented yet.\n");
-		exit(EXIT_FAILURE);
+		ERR(sh, "The connection type specified within your semanage.conf file has not been implemented yet.");
+		return -1;
 	}
 	}
 	sh->is_connected = 1;
Index: libsemanage/src/libsemanage.map
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/src/libsemanage.map,v
retrieving revision 1.6
diff -u -p -r1.6 libsemanage.map
--- libsemanage/src/libsemanage.map	7 Nov 2005 15:12:44 -0000	1.6
+++ libsemanage/src/libsemanage.map	7 Nov 2005 15:41:50 -0000
@@ -1,6 +1,6 @@
 LIBSEMANAGE_1.0 {
   global: semanage_handle_create; semanage_handle_destroy; 
-          semanage_connect; semanage_disconnect; 
+          semanage_is_managed; semanage_connect; semanage_disconnect; 
 	  semanage_msg_*;
           semanage_begin_transaction; semanage_commit;
           semanage_module_install; semanage_module_upgrade;
Index: policycoreutils/setsebool/setsebool.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/setsebool/setsebool.c,v
retrieving revision 1.2
diff -u -p -r1.2 setsebool.c
--- policycoreutils/setsebool/setsebool.c	7 Nov 2005 15:12:45 -0000	1.2
+++ policycoreutils/setsebool/setsebool.c	7 Nov 2005 15:40:40 -0000
@@ -80,6 +80,7 @@ int semanage_set_boolean_list(size_t boo
 	semanage_handle_t* handle = NULL;
 	semanage_bool_t* boolean = NULL;
 	semanage_bool_key_t* bool_key = NULL;
+	int managed;
 
 	handle = semanage_handle_create();
 	if (handle == NULL) {
@@ -87,6 +88,22 @@ int semanage_set_boolean_list(size_t boo
 		goto err;
 	}
 
+	managed = semanage_is_managed(handle);
+	if (managed < 0) {
+		fprintf(stderr, "Error when checking whether policy is managed\n"); 
+		goto err;
+	} else if (managed == 0) {
+		if (security_set_boolean_list(boolcnt, boollist, 1)) {
+			if (errno == ENOENT) 
+				fprintf(stderr, "Error setting boolean: "
+					"Invalid boolean\n");
+			else if (errno)
+				perror("Error setting booleans");
+			goto err;
+		}
+		goto out;
+	}
+
 	if (semanage_connect(handle) < 0)
 		goto err;
 
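Review bot: In the managed == 0 fallback, a failure of security_set_boolean_list() with errno == 0 prints nothing before `goto err`, because the second test is `else if (errno)`. Make it a plain else with a generic message so the failure is never silent.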
@@ -122,6 +139,8 @@ int semanage_set_boolean_list(size_t boo
 		goto err;
 
 	semanage_disconnect(handle);
+
+        out:
 	semanage_handle_destroy(handle);
 	return 0;
 
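Review bot: The added `out:` label is indented with eight spaces while the surrounding lines use tabs; match the file's existing label style. A one-line comment that the non-managed path jumps here to skip semanage_disconnect() on a handle that never connected would help the next reader.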


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-07 14:56                         ` Stephen Smalley
@ 2005-11-07 15:09                           ` Stephen Smalley
  0 siblings, 0 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-07 15:09 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Mon, 2005-11-07 at 09:56 -0500, Stephen Smalley wrote:
> On Mon, 2005-11-07 at 08:48 -0500, Stephen Smalley wrote:
> > Let me clarify:  setsebool needs to fall back to the original behavior
> > (i.e. direct call to security_set_boolean_list with permanent=1) if the
> > system policy is not managed via libsemanage.  So I'm not talking about
> > having libsemanage and/or setsebool automatically initialize the
> > sandbox; I'm just talking about having a fall back to the original
> > behavior for setting persistent boolean values on non-managed systems.
> > In order to do this, we need to be able to detect whether the system
> > policy is managed via libsemanage.  Which leads us to the next point...
> 
> Something like the patch below (un-tested):

Ok, compiled and ran a quick test on a system with and without
a /etc/selinux/$SELINUXTYPE/modules tree, and it had the expected
behavior, except for a spurious error message from libsemanage in the
non-managed case:
libsemanage.semanage_create_store: Could not read from module store at /etc/selinux/strict/modules.

I would have expected semanage_create_store to just return -1 silently
w/o error output in the !create case.  I think I can just suppress it in
the !create case.

Does the patch seem sane otherwise?

-- 
Stephen Smalley
National Security Agency



* Re: [ LIBSEMANAGE ] Runtime control over preservebools argument
  2005-11-07 14:38               ` Joshua Brindle
@ 2005-11-07 15:12                 ` Daniel J Walsh
  0 siblings, 0 replies; 28+ messages in thread
From: Daniel J Walsh @ 2005-11-07 15:12 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Ivan Gyurdiev, Stephen Smalley, selinux, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

Joshua Brindle wrote:
> Ivan Gyurdiev wrote:
>> Stephen Smalley wrote:
>>
>>> On Fri, 2005-11-04 at 09:22 -0500, Ivan Gyurdiev wrote:
>>>  
>>>
>>>> So, how do I specify that this is not a transient change, and I 
>>>> want my booleans loaded into policy immediately?
>>>>     
>>>
>>>
>>> Ah, I see - setsebool -P wants to both update the saved settings and
>>> load the result rather than preserving current settings.  So it wants
>>> libsemanage to call load_policy with -b, unlike semodule.  Options are:
>>> - add a semanage interface to set a property on the handle to control
>>> whether booleans are preserved or not (by altering the args to
>>> load_policy for that handle), similar to the existing interface for
>>> controlling whether reloads are performed, or
>>>   
>>
>> Editing an argument string for programs in C is... probably one of 
>> the most uncool patches I've ever written.
>> I guess the end justifies the means...
>>
>> Should pass valgrind, and work when called repeatedly with values 0 
>> or 1. Maybe the reload=0 case is a bit wrong - argument string cannot 
>> contain "-b" anywhere.
>>
>> I also fixed the memory leak in setsebool - see other patch (which 
>> should be applied first).
>>
>> Now booleans update correctly (minus migration issues - see other mail).
>> Next: make them update in less than 10 seconds :)
>>
>>
> <snip>
>
>> +    if (do_reload) {
>> +        char* prev_args = conf->load_policy->args;
>> +        int len = (prev_args == NULL)? 0: strlen(prev_args);
>> +        char* ptr = (char*) realloc(prev_args, len + 4);
>> +
>> +        if (!ptr) {
>> +            ERR(sh, "out of memory, could not configure "
>> +                "boolean reload");
>> +            return STATUS_ERR;
>> +        }
>> +        strcpy(ptr + len, " -b");
>> +        conf->load_policy->args = ptr;
>> +
>> +    } else {
>> +        char* ptr = conf->load_policy->args;
>> +
>> +        while(*ptr++) {
>> +            if (!strcmp(ptr, "-b")) {
>> +                *ptr++ = ' ';   
>> +                *ptr++ = ' ';
>> +            }
>> +        }
>> +    }
>> +    return STATUS_SUCCESS;
>> +}
>> +
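Review bot: In the do_reload branch, " -b" is appended on every call, so calling this twice with do_reload=1 leaves two copies in args, and a later call with 0 can blank at most the trailing one. Check whether the flag is already present before the realloc, or record the choice separately from the string, so that the setter is idempotent.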
> I think you are doing this in the wrong place. Rather than mangling 
> the argument string every time this function is called you should just 
> add something to the handle that indicates whether or not to preserve 
> booleans, and do this at load time.
>
> However, I don't know if this is the right approach anyway. If someone 
> sets a boolean without -P , foo, and then sets another boolean with -P 
> you will revert foo when loading the new policy.
>
> IMHO while we will need to regenerate the policy we should not load it 
> and instead just set the runtime state. This will work for the common 
> case but there is something of a corner case where the above scenario 
> happens and a module is also inserted in the same transaction, not 
> sure how to handle that one.
>
> Joshua

I agree setsebool should not be loading policy.


* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-07 16:40                         ` Ivan Gyurdiev
@ 2005-11-07 16:33                           ` Stephen Smalley
  0 siblings, 0 replies; 28+ messages in thread
From: Stephen Smalley @ 2005-11-07 16:33 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers

On Mon, 2005-11-07 at 11:40 -0500, Ivan Gyurdiev wrote:
> > No, the presence of libsemanage or even a particular version of
> > libsemanage doesn't tell us whether the system policy is managed via
> > libsemanage.  It only tells us that some code on the system is linked
> > against libsemanage.  Conversion of a system to being managed via
> > libsemanage is a change in the policy package, not a change in
> > libsemanage.  In particular, it involves converting the policy package
> > to using policy modules and using semodule.
> >   
> Does the existence of some random file in /etc/selinux/?/modules/active 
> imply that libsemanage is managing the system? Shouldn't we be looking 
> at /etc/selinux/config instead?

My semanage_is_managed() patch is simply using the same check as
semanage_connect(), except with create=0 so that it doesn't create the
store if it doesn't already exist.  Whether or not that is a "good" test
can be debated, but it is consistent, and it ensures that when you
initialize the store via libsemanage (via semodule),
semanage_is_managed() will return the desired result for subsequent
setsebool invocations.

Putting an indicator in /etc/selinux/config (or relying on the presence
or absence of SETLOCALDEFS= as an indicator) makes it more likely that
you'll have inconsistent states, as a semodule -b isn't going to update
that file, and that file is consulted by libselinux, not libsemanage.

-- 
Stephen Smalley
National Security Agency



* Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
  2005-11-07 13:48                       ` Stephen Smalley
  2005-11-07 14:56                         ` Stephen Smalley
@ 2005-11-07 16:40                         ` Ivan Gyurdiev
  2005-11-07 16:33                           ` Stephen Smalley
  1 sibling, 1 reply; 28+ messages in thread
From: Ivan Gyurdiev @ 2005-11-07 16:40 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Daniel J Walsh, selinux, Joshua Brindle, Karl MacMillan,
	Frank Mayer, chris pebenito, James Morris, Chad Sellers


> No, the presence of libsemanage or even a particular version of
> libsemanage doesn't tell us whether the system policy is managed via
> libsemanage.  It only tells us that some code on the system is linked
> against libsemanage.  Conversion of a system to being managed via
> libsemanage is a change in the policy package, not a change in
> libsemanage.  In particular, it involves converting the policy package
> to using policy modules and using semodule.
>   
Does the existence of some random file in /etc/selinux/?/modules/active 
imply that libsemanage is managing the system? Shouldn't we be looking 
at /etc/selinux/config instead?

