[SEMANAGE][SEPOL] Enable ports

[SEMANAGE][SEPOL] Enable ports

[Ivan Gyurdiev]

[-- Attachment #1: Type: text/plain, Size: 1483 bytes --]

Ok, I've tried get ports working enough times now, that I think my 
approach is making it too difficult. I've been trying to put too much 
logic into the port key - for example, I wanted the add() function to 
detect overlapping ranges, and complain about it (the range key 
represents all ports from low to high). I wanted the query function to 
match inexactly (if you query port 80, 10-1024 to match...)
I wanted del() to match a range, and clear only the specified sub-range. 
But... this is too difficult to do, and adds lots of extra complexity, 
and we need to get ports working.

So, this patch takes the simplest possible approach - a key matches if 
low = low2, high = high2, and proto = proto2. This means that at the key 
level, ranges 10-20, and 15-30 are completely different, even though 
they overlap and represent the same ports. Two ranges with matching 
bounds and protocol are not allowed, but they can overlap inexactly. In 
that case, the one added later takes precedence, and is written at the 
end of the file (and pushed at the beginning of the list in the 
policydb). If additional overlap checks are needed, they should be 
implemented at the libsemanage client.

This brings up an interesting point - if ordering of records matters, 
then some thought should go into which way iterate() loops over the 
records... (and what order list() returns). Currently for files, the 
ordering is backwards to what appears in the file (not sure what 
policydb does).

[-- Attachment #2: libsemanage8.libsepol2.ports.diff --]
[-- Type: text/x-patch, Size: 6433 bytes --]

diff -Naurp --exclude-from excludes old/libsemanage/include/semanage/semanage.h new/libsemanage/include/semanage/semanage.h
--- old/libsemanage/include/semanage/semanage.h	2005-12-23 15:01:08.000000000 -0500
+++ new/libsemanage/include/semanage/semanage.h	2005-12-23 20:28:55.000000000 -0500
@@ -32,9 +32,7 @@
 #include <semanage/seuser_record.h>
 #include <semanage/context_record.h>
 #include <semanage/iface_record.h>
-#if 0
 #include <semanage/port_record.h>
-#endif
 
 /* Dbase */
 #include <semanage/booleans_local.h>
@@ -43,10 +41,8 @@
 #include <semanage/users_local.h>
 #include <semanage/users_policy.h>
 #include <semanage/seusers.h>
-#if 0
 #include <semanage/ports_local.h>
 #include <semanage/ports_policy.h>
-#endif
 #include <semanage/interfaces_local.h>
 #include <semanage/interfaces_policy.h>
 
diff -Naurp --exclude-from excludes old/libsemanage/src/libsemanage.map new/libsemanage/src/libsemanage.map
--- old/libsemanage/src/libsemanage.map	2005-12-23 15:01:09.000000000 -0500
+++ new/libsemanage/src/libsemanage.map	2005-12-23 20:28:39.000000000 -0500
@@ -10,6 +10,6 @@ LIBSEMANAGE_1.0 {
 	  semanage_module_get_version; semanage_select_store;
 	  semanage_reload_policy; semanage_set_reload; semanage_set_rebuild;
 	  semanage_user_*; semanage_bool_*; semanage_seuser_*;
-	  semanage_iface_*; semanage_context_*;
+	  semanage_iface_*; semanage_port_*; semanage_context_*;
   local: *;
 };
diff -Naurp --exclude-from excludes old/libsemanage/src/policy_components.c new/libsemanage/src/policy_components.c
--- old/libsemanage/src/policy_components.c	2005-12-23 15:01:09.000000000 -0500
+++ new/libsemanage/src/policy_components.c	2005-12-23 20:28:24.000000000 -0500
@@ -127,10 +127,10 @@ int semanage_base_merge_components(
 
 		{ semanage_user_dbase_local(handle),
 		  semanage_user_dbase_policy(handle), MODE_MODIFY },
-#if 0
+
 		{ semanage_port_dbase_local(handle),
 		  semanage_port_dbase_policy(handle), MODE_MODIFY },
-#endif
+
 		{ semanage_iface_dbase_local(handle),
 		  semanage_iface_dbase_policy(handle), MODE_MODIFY },
 	
@@ -187,7 +187,7 @@ int semanage_commit_components(
 		semanage_iface_dbase_local(handle),
 		semanage_bool_dbase_local(handle),
 		semanage_user_dbase_local(handle),
-		/* semanage_port_dbase_local(handle), */
+		semanage_port_dbase_local(handle),
 		semanage_seuser_dbase(handle),
 		semanage_bool_dbase_active(handle),
 	};
diff -Naurp --exclude-from excludes old/libsemanage/src/port_record.c new/libsemanage/src/port_record.c
--- old/libsemanage/src/port_record.c	2005-12-23 01:01:49.000000000 -0500
+++ new/libsemanage/src/port_record.c	2005-12-23 20:26:51.000000000 -0500
@@ -23,24 +23,6 @@ typedef semanage_port_key_t record_key_t
 #include "handle.h"
 #include "database.h"
 
-/* FIXME:  Remove when sepol port interface is stabilized and exported. */
-#define sepol_port_compare(port, key) -1
-#define sepol_port_key_create(handle, low, high, proto, key) -1
-#define sepol_port_key_extract(handle, port, key) -1
-#define sepol_port_key_free(key)
-#define sepol_port_get_proto(port) -1
-#define sepol_port_set_proto(port, proto)
-#define sepol_port_get_proto_str(port) NULL
-#define sepol_port_get_low(port) -1
-#define sepol_port_get_high(port) -1
-#define sepol_port_set_port(port, num)
-#define sepol_port_set_range(port, low, high)
-#define sepol_port_get_con(port) NULL
-#define sepol_port_set_con(port, con)
-#define sepol_port_create(handle, port) -1
-#define sepol_port_clone(handle, port1, port2) -1
-#define sepol_port_free(port)
-
 /* Key */
 int semanage_port_compare(
 	semanage_port_t* port, 
diff -Naurp --exclude-from excludes old/libsemanage/src/ports_policydb.c new/libsemanage/src/ports_policydb.c
--- old/libsemanage/src/ports_policydb.c	2005-12-14 11:04:25.000000000 -0500
+++ new/libsemanage/src/ports_policydb.c	2005-12-23 20:27:39.000000000 -0500
@@ -16,13 +16,6 @@ typedef struct dbase_policydb dbase_t;
 #include "debug.h"
 #include "database_policydb.h"
 
-/* FIXME:  Remove when sepol port interface is stabilized and exported. */
-#define sepol_port_modify NULL
-#define sepol_port_query NULL
-#define sepol_port_count NULL
-#define sepol_port_exists NULL
-#define sepol_port_iterate NULL
-
 /* PORT RECORD (SEPOL): POLICYDB extension : method table */
 record_policydb_table_t SEMANAGE_PORT_POLICYDB_RTABLE = {
 	.add         = NULL, 
diff -Naurp --exclude-from excludes old/libsepol/src/libsepol.map new/libsepol/src/libsepol.map
--- old/libsepol/src/libsepol.map	2005-11-15 08:06:55.000000000 -0500
+++ new/libsepol/src/libsepol.map	2005-11-23 18:36:54.000000000 -0500
@@ -4,6 +4,7 @@
 	sepol_bool_*; sepol_genbools*; 
 	sepol_context*; sepol_check_context;
 	sepol_iface_*; 
+	sepol_port_*;
 	sepol_user_*; sepol_genusers; sepol_set_delusers;
 	sepol_msg_*; sepol_debug;
 	sepol_handle_*;
diff -Naurp --exclude-from excludes old/libsepol/src/port_record.c new/libsepol/src/port_record.c
--- old/libsepol/src/port_record.c	2005-12-23 01:51:54.000000000 -0500
+++ new/libsepol/src/port_record.c	2005-12-23 20:25:18.000000000 -0500
@@ -86,8 +86,8 @@ int sepol_port_compare(
 
 	/* FIXME: needs to support ordering of ports (-1, 0, 1) */
 
-	if ((port->low <= key->low) && 
-	    (port->high >= key->high) &&
+	if ((port->low == key->low) && 
+	    (port->high == key->high) &&
 	    (port->proto == key->proto))
 		return 0;
 
diff -Naurp --exclude-from excludes old/libsepol/src/ports.c new/libsepol/src/ports.c
--- old/libsepol/src/ports.c	2005-11-04 15:37:13.000000000 -0500
+++ new/libsepol/src/ports.c	2005-12-23 20:26:07.000000000 -0500
@@ -182,7 +182,7 @@ int sepol_port_exists (
 		int low2 = c->u.port.low_port;
 		int high2 = c->u.port.high_port;
 
-		if (proto == proto2 && low2 <= low && high2 >= high) {
+		if (proto == proto2 && low2 == low && high2 == high) {
 			*response = 1;
 			return STATUS_SUCCESS;
 		}
@@ -220,7 +220,7 @@ int sepol_port_query(
 		int low2 = c->u.port.low_port;
 		int high2 = c->u.port.high_port;
 
-		if (proto == proto2 && low2 <= low && high2 >= high) {
+		if (proto == proto2 && low2 == low && high2 == high) {
 			if (port_to_record(handle, policydb, c, response) < 0)
 				goto err;
 			return STATUS_SUCCESS;
@@ -263,7 +263,7 @@ int sepol_port_modify(
 		int low2 = c->u.port.low_port;
 		int high2 = c->u.port.high_port;
 
-		if (proto == proto2 && low2 <= low && high2 >= high) {
+		if (proto == proto2 && low2 == low && high2 == high) {
 
 			/* Replace */
 			port->next = c->next;

Re: [SEMANAGE][SEPOL] Enable ports

[Joshua Brindle]

Ivan Gyurdiev wrote:
> Ok, I've tried get ports working enough times now, that I think my 
> approach is making it too difficult. I've been trying to put too much 
> logic into the port key - for example, I wanted the add() function to 
> detect overlapping ranges, and complain about it (the range key 
> represents all ports from low to high). I wanted the query function to 
> match inexactly (if you query port 80, 10-1024 to match...)
> I wanted del() to match a range, and clear only the specified sub-range. 
> But... this is too difficult to do, and adds lots of extra complexity, 
> and we need to get ports working.
> 
> So, this patch takes the simplest possible approach - a key matches if 
> low = low2, high = high2, and proto = proto2. This means that at the key 
> level, ranges 10-20, and 15-30 are completely different, even though 
> they overlap and represent the same ports. Two ranges with matching 
> bounds and protocol are not allowed, but they can overlap inexactly. In 
> that case, the one added later takes precedence, and is written at the 
> end of the file (and pushed at the beginning of the list in the 
> policydb). If additional overlap checks are needed, they should be 
> implemented at the libsemanage client.
> 
> This brings up an interesting point - if ordering of records matters, 
> then some thought should go into which way iterate() loops over the 
> records... (and what order list() returns). Currently for files, the 
> ordering is backwards to what appears in the file (not sure what 
> policydb does).
> 

This should be fixed. the policy parser (policy_parse.y) currently 
preserves the order exactly as specified, with errors in the case of 
duplicate or shadowed entries.

I think a good workaround for now is to only expose exact port labeling 
via libsemanage, that way you can prepend them to the policydb list and 
not worry about sorting, etc. If the user needs to set multiple ports 
the client can expose that functionality, and limited intelligence can 
be added there (error checking and such). the policydb portcons would 
still have ranges so the fallbacks (1-1024, etc) would still be there.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [SEMANAGE][SEPOL] Enable ports

[Ivan Gyurdiev]

>
>>
>> This brings up an interesting point - if ordering of records matters, 
>> then some thought should go into which way iterate() loops over the 
>> records... (and what order list() returns). Currently for files, the 
>> ordering is backwards to what appears in the file (not sure what 
>> policydb does).
>>
>
> This should be fixed. the policy parser (policy_parse.y) currently 
> preserves the order exactly as specified, with errors in the case of 
> duplicate or shadowed entries.

I think the order in policy should be correct after my list reversal 
patch (see other patches).
The order in the on-disk file is irrelevant for ports - it's just an 
implementation detail of the library.
More detail on this in my other message in response to File Contexts APIs.

>
> I think a good workaround for now is to only expose exact port 
> labeling via libsemanage, that way you can prepend them to the 
> policydb list and not worry about sorting, etc. If the user needs to 
> set multiple ports the client can expose that functionality, and 
> limited intelligence can be added there (error checking and such). the 
> policydb portcons would still have ranges so the fallbacks (1-1024, 
> etc) would still be there.
I think sorting should work after the list reversal patch. It has some 
drawbacks as I've pointed out there, but should work. Adding the 
"limited intelligence" with respect to error checking is much more 
difficult in libsemanage, and I've wasted lots of time on this. It's 
easier to do in the client.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [SEMANAGE][SEPOL] Enable ports

[Ivan Gyurdiev]

> . Adding the "limited intelligence" with respect to error checking is 
> much more difficult in libsemanage, and I've wasted lots of time on 
> this. It's easier to do in the client.

Actually.... not true. It's difficult to add at the key level, but error 
checks and warnings and things like that will easily go into a verify 
run on commit (or possibly in sepol). So, now I think I'll focus on:

- seuser validation (mls range valid, mls range subset of selinux user, 
possibly move Unix user check into lib?)
- file context validation (context valid, maybe regexp valid?)
    It should be possible to do those two now, after new additions to 
libsepol interface.

- ports error checking (warn on shadowing, things like that)
- also, did you know that if you originally put a file with duplicate 
records in semanage, it would stay that way, and semanage wouldn't 
complain (it does no duplicate checking when reading in the file - not 
sure if that's a problem).

Also, there's issues with the API, which I posted about on 
SELinux-dev@tresys - if API changes are still allowed I'm considering 
removing the set function, changing the behavior of add, and compare for 
each record. See "API message still ok" for details.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [SEMANAGE][SEPOL] Enable ports

[Joshua Brindle]

Ivan Gyurdiev wrote:
>> . Adding the "limited intelligence" with respect to error checking is 
>> much more difficult in libsemanage, and I've wasted lots of time on 
>> this. It's easier to do in the client.
> 
> 
> Actually.... not true. It's difficult to add at the key level, but error 
> checks and warnings and things like that will easily go into a verify 
> run on commit (or possibly in sepol). So, now I think I'll focus on:
> 
Must do it within semanage since sepol won't know where they came from 
and if they are allowed to shadow entries.

> - seuser validation (mls range valid, mls range subset of selinux user, 
> possibly move Unix user check into lib?)
> - file context validation (context valid, maybe regexp valid?)
>    It should be possible to do those two now, after new additions to 
> libsepol interface.
> 
> - ports error checking (warn on shadowing, things like that)
> - also, did you know that if you originally put a file with duplicate 
> records in semanage, it would stay that way, and semanage wouldn't 
> complain (it does no duplicate checking when reading in the file - not 
> sure if that's a problem).
> 
Any local should shadow/override something in the policy without a 
warning, that is the whole point to local settings, particularly with 
ports and interfaces. Any service port (1-1024) will be 'shadowed' by 
something in the policy but should be able to be overridden by ports.local.

> Also, there's issues with the API, which I posted about on 
> SELinux-dev@tresys - if API changes are still allowed I'm considering 
> removing the set function, changing the behavior of add, and compare for 
> each record. See "API message still ok" for details.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [SEMANAGE][SEPOL] Enable ports

[Ivan Gyurdiev]

>>
>> Actually.... not true. It's difficult to add at the key level, but 
>> error checks and warnings and things like that will easily go into a 
>> verify run on commit (or possibly in sepol). So, now I think I'll 
>> focus on:
>>
> Must do it within semanage since sepol won't know where they came from 
> and if they are allowed to shadow entries.
Hmm, yes that is true, I'll think about this some more...
It seems like a verify run of some kind on commit is best.

>> - also, did you know that if you originally put a file with duplicate 
>> records in semanage, it would stay that way, and semanage wouldn't 
>> complain (it does no duplicate checking when reading in the file - 
>> not sure if that's a problem).
>>
> Any local should shadow/override something in the policy without a 
> warning, that is the whole point to local settings, particularly with 
> ports and interfaces. Any service port (1-1024) will be 'shadowed' by 
> something in the policy but should be able to be overridden by 
> ports.local.
Yes, I was referring to having multiple entries for the same thing in 
the .local file. In addition to not checking for shadowing of ports, 
semanage won't check for duplicates every time - it will only check for 
duplicates when you add things with API. If the initial file was 
corrupted somehow (i.e. contained two identical keys), it won't complain 
about it. Not sure if that's a problem.






--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.