secon (Was: Policycoreutils patch)

secon (Was: Policycoreutils patch)

[Stephen Smalley]

On Fri, 2006-05-05 at 16:39 -0400, Daniel J Walsh wrote:
> Broken audit2allow into two packages including avc.py so that other 
> tools can use it.
> 
> Began adding code to allow it to analyze AVC message and use plugin 
> architecture to translate avc messages.
> 
> Internationailization code added.
> 
> Some po files translated.
> 
> Fixes for semanage
> 
> Cleanup of code

What is the purpose of the secon utility added by this patch?
Assuming that it is useful, a few quick comments on the implementation:
- The my_getXcon_raw functions should be moved into libselinux (without
the my_ prefix, of course) so that we don't need any code outside of
libselinux directly reading /proc/pid/attr files.
- Falling back to the current context when the exec or fscreate context
is not set is not correct.  Absence of exec or fscreate context just
means that the default policy behavior (e.g. type_transition or default
inheritance) will be applied.  While default inheritance would mean that
the current context is applied for exec, there could be a
type_transition, and it makes no sense at all for fscreate (where
default inheritance combines information from the current context with
the parent directory context).  I think you just want to report NULL /
none or similar to the user.
- The call to selinux_trans_to_raw_context() doesn't make sense since
you are already calling the _raw functions.  If opt->disp_raw is set,
then no further processing should be required, right?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: secon (Was: Policycoreutils patch)

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2006-05-05 at 16:39 -0400, Daniel J Walsh wrote:
>   
>> Broken audit2allow into two packages including avc.py so that other 
>> tools can use it.
>>
>> Began adding code to allow it to analyze AVC message and use plugin 
>> architecture to translate avc messages.
>>
>> Internationailization code added.
>>
>> Some po files translated.
>>
>> Fixes for semanage
>>
>> Cleanup of code
>>     
>
> What is the purpose of the secon utility added by this patch?
>   
The idea is to be able to use utility within bash to show what role/type 
you are in at the prompt.
James Antill built it and is experimenting with some other features.  We 
could obviously do this with python bindings, but wanted something light 
weight to handle MLS type situations.
> Assuming that it is useful, a few quick comments on the implementation:
> - The my_getXcon_raw functions should be moved into libselinux (without
> the my_ prefix, of course) so that we don't need any code outside of
> libselinux directly reading /proc/pid/attr files.
> - Falling back to the current context when the exec or fscreate context
> is not set is not correct.  Absence of exec or fscreate context just
> means that the default policy behavior (e.g. type_transition or default
> inheritance) will be applied.  While default inheritance would mean that
> the current context is applied for exec, there could be a
> type_transition, and it makes no sense at all for fscreate (where
> default inheritance combines information from the current context with
> the parent directory context).  I think you just want to report NULL /
> none or similar to the user.
> - The call to selinux_trans_to_raw_context() doesn't make sense since
> you are already calling the _raw functions.  If opt->disp_raw is set,
> then no further processing should be required, right?
>
>   
I have passed on your comments and we will get out a patch.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: secon (Was: Policycoreutils patch)

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 2112 bytes --]

On Mon, 2006-05-08 at 10:54 -0400, Stephen Smalley wrote:
> What is the purpose of the secon utility added by this patch?
> Assuming that it is useful, a few quick comments on the implementation:
> - The my_getXcon_raw functions should be moved into libselinux (without
> the my_ prefix, of course) so that we don't need any code outside of
> libselinux directly reading /proc/pid/attr files.

 Yes, I'd known about that ... I'll be providing changes for libselinux
in the next day or so.
 The initial version with my_ functions was simply to make it easier for
others to be able to compile the code.


> - Falling back to the current context when the exec or fscreate context
> is not set is not correct.  Absence of exec or fscreate context just
> means that the default policy behavior (e.g. type_transition or default
> inheritance) will be applied.  While default inheritance would mean that
> the current context is applied for exec, there could be a
> type_transition, and it makes no sense at all for fscreate (where
> default inheritance combines information from the current context with
> the parent directory context).  I think you just want to report NULL /
> none or similar to the user.

 I was wary of reporting just a blank, but it's a simple change to fix
that.


> - The call to selinux_trans_to_raw_context() doesn't make sense since
> you are already calling the _raw functions.  If opt->disp_raw is set,
> then no further processing should be required, right?

 If the context comes from the user (Ie. stdin or argument), we don't
know if the context is raw or translated. So we always convert. This
allows:

id -Z | secon -R -

...to output the right thing.
 The other thing we are looking at is what the default should be, Steve
Grubb suggested that reading from stdin should be it ... but I don't
like that from a UI POV and that most cases are better handled otherwise
(Ie. ls -Z is never going to be parsable, IMO, so secon -f is much
better).

-- 
James Antill
<james.antill@redhat.com>

-- 
James Antill
<james.antill@redhat.com>


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 191 bytes --]

Re: secon (Was: Policycoreutils patch)

[James Antill]

[-- Attachment #1.1: Type: text/plain, Size: 944 bytes --]

On Tue, 2006-05-23 at 08:54 -0400, Stephen Smalley wrote:
> On Mon, 2006-05-22 at 17:08 -0400, James Antill wrote:

> >  This is due to context_new(), can I fix this inside that function (Ie.
> > don't fail out when the passed value == "")?
> 
> Seems like the caller should handle it instead.  "" isn't a valid
> context, after all.

 Fair enough.

> BTW, working off the sourceforge selinux subversion tree is preferred,
> svn co https://svn.sourceforge.net/svnroot/selinux/trunk selinux-usr

 Ok, I can do that :).

> Note that we update the ChangeLog and VERSION files ourselves upon
> merging patches, no need to touch those.

 Ok, here's the latest changes for secon. It's the above fixes and man
pages changes with sensitivity/clearance naming changes. Also a couple
of typos.
 I've also re-included the policycoreutils change for setfiles, against
the selinux svn tree.

-- 
James Antill <jantill@redhat.com>

[-- Attachment #1.2: selinux-secon-con_new+clearance.patch --]
[-- Type: text/x-patch, Size: 8650 bytes --]

Index: policycoreutils/secon/secon.1
===================================================================
--- policycoreutils/secon/secon.1	(revision 19)
+++ policycoreutils/secon/secon.1	(working copy)
@@ -3,7 +3,7 @@
 secon \- See a context, from a file, program or user input.
 .SH SYNOPSIS
 .B secon
-[\fB-hVurtlmPRfLp\fR]
+[\fB-hVurtscmPRfLp\fR]
 [\fICONTEXT\fR]
 .br
 [\fB--file\fR]
@@ -39,11 +39,14 @@
 \fB\-t\fR, \fB\-\-type\fR
 show the type of the security context
 .TP
-\fB\-l\fR, \fB\-\-level\fR
+\fB\-s\fR, \fB\-\-sensitivity\fR
 show the sensitivity level of the security context
 .TP
+\fB\-c\fR, \fB\-\-clearance\fR
+show the clearance level of the security context
+.TP
 \fB\-m\fR, \fB\-\-mls-range\fR
-show the sensitivity level and clearance of the security context
+show the sensitivity level and clearance, as a range, of the security context
 .TP
 \fB\-R\fR, \fB\-\-raw\fR
 outputs  the sensitivity level and clearance in an untranslated format.
Index: policycoreutils/secon/secon.c
===================================================================
--- policycoreutils/secon/secon.c	(revision 19)
+++ policycoreutils/secon/secon.c	(working copy)
@@ -19,8 +19,8 @@
 #define FALSE 0
 
 #define SECON_CONF_PROG_NAME "secon" /* default program name */
-#define SECON_OPTS_SM "hVurtlmPRfLp"    /* small options available, printing */
-#define SECON_OPTS_GO "hVurtlmPRf:L:p:" /* small options available, getopt */
+#define SECON_OPTS_SM "hVurtscmPRfLp"     /* small options available, print */
+#define SECON_OPTS_GO "hVurtlscmPRf:L:p:" /* small options available, getopt */
 
 #define OPTS_FROM_ARG      0
 #define OPTS_FROM_FILE     1
@@ -35,17 +35,18 @@
 
 struct 
 {
- unsigned int disp_user  :  1;
- unsigned int disp_role  :  1;
- unsigned int disp_type  :  1;
- unsigned int disp_level :  1;
- unsigned int disp_mlsr  :  1;
+ unsigned int disp_user :  1;
+ unsigned int disp_role :  1;
+ unsigned int disp_type :  1;
+ unsigned int disp_sen  :  1;
+ unsigned int disp_clr  :  1;
+ unsigned int disp_mlsr :  1;
  
- unsigned int disp_raw   :  1;
+ unsigned int disp_raw  :  1;
 
  unsigned int disp_prompt : 1; /* no return, use : to sep */
 
- unsigned int from_type  :  9; /* 16 bits */
+ unsigned int from_type  :  8; /* 16 bits, uses 4 bits */
 
  union 
  {
@@ -54,7 +55,7 @@
   const char *link;
   const char *arg;
  } f;
-} opts[1] = {{FALSE, FALSE, FALSE, FALSE, FALSE,
+} opts[1] = {{FALSE, FALSE, FALSE, FALSE, FALSE, FALSE,
               FALSE, FALSE, OPTS_FROM_ARG, {0}}};
 
 
@@ -62,16 +63,17 @@
 {
   fprintf(exit_code ? stderr : stdout,
           "  Usage: %s [-%s] [ context | - ]\n"
-"          --help      -h       Show this message.\n"
-"          --version   -V       Show the version.\n"
-"          --prompt    -P       Output in a format good for a prompt.\n"
-"          --user      -u       Show the user of the context.\n"
-"          --role      -r       Show the role of the context.\n"
-"          --type      -t       Show the type of the context.\n"
-"          --level     -l       Show the sensitivity level of the context.\n"
-"          --mls-range -m       Show the sensitivity level and clearance of \n"
+"          --help        -h     Show this message.\n"
+"          --version     -V     Show the version.\n"
+"          --prompt      -P     Output in a format good for a prompt.\n"
+"          --user        -u     Show the user of the context.\n"
+"          --role        -r     Show the role of the context.\n"
+"          --type        -t     Show the type of the context.\n"
+"          --sensitivity -s     Show the sensitivity level of the context.\n"
+"          --clearance   -c     Show the clearance level of the context.\n"
+"          --mls-range   -m     Show the sensitivity to clearance range of \n"
 "                               the context.\n"
-"          --raw       -R       Show the context in \"raw\" format.\n"
+"          --raw         -R     Show the context in \"raw\" format.\n"
 "          --current            Get the context for the current process.\n"
 "          --self               Get the context for the current process.\n"
 "          --self-exec          Get the exec context for the current process.\n"
@@ -113,7 +115,8 @@
   num += opts->disp_user;
   num += opts->disp_role;
   num += opts->disp_type;
-  num += opts->disp_level;
+  num += opts->disp_sen;
+  num += opts->disp_clr;
   num += opts->disp_mlsr;
   
   return (num);
@@ -143,8 +146,10 @@
      {"user",      no_argument, NULL, 'u'},
      {"role",      no_argument, NULL, 'r'},
      {"type",      no_argument, NULL, 't'},
-     {"level",     no_argument, NULL, 'l'},
+     {"level",     no_argument, NULL, 'l'}, /* compat. */
+     {"sensitivity", no_argument, NULL, 's'},
      {"range",     no_argument, NULL, 'm'},
+     {"clearance", no_argument, NULL, 'c'},
      {"mls-range", no_argument, NULL, 'm'},
      
      {"raw", no_argument, NULL, 'R'},
@@ -184,11 +189,13 @@
                 " %s version %s.\n", program_name, VERSION);
         exit (EXIT_SUCCESS);
 
-      case 'u': done = TRUE; opts->disp_user  = !opts->disp_user;  break;
-      case 'r': done = TRUE; opts->disp_role  = !opts->disp_role;  break;
-      case 't': done = TRUE; opts->disp_type  = !opts->disp_type;  break;
-      case 'l': done = TRUE; opts->disp_level = !opts->disp_level; break;
-      case 'm': done = TRUE; opts->disp_mlsr  = !opts->disp_mlsr; break;
+      case 'u': done = TRUE; opts->disp_user = !opts->disp_user; break;
+      case 'r': done = TRUE; opts->disp_role = !opts->disp_role; break;
+      case 't': done = TRUE; opts->disp_type = !opts->disp_type; break;
+      case 'l': done = TRUE; opts->disp_sen  = !opts->disp_sen;  break;
+      case 's': done = TRUE; opts->disp_sen  = !opts->disp_sen;  break;
+      case 'c': done = TRUE; opts->disp_clr  = !opts->disp_clr;  break;
+      case 'm': done = TRUE; opts->disp_mlsr = !opts->disp_mlsr; break;
 
       case 'P': opts->disp_prompt = !opts->disp_prompt; break;
         
@@ -235,9 +242,11 @@
     opts->disp_user  = TRUE;
     opts->disp_role  = TRUE;
     opts->disp_type  = TRUE;
-    if (!opts->disp_prompt) /* when displaying prompt,
-                               just output "normal" by default */
-      opts->disp_level = TRUE;
+    if (!opts->disp_prompt)
+    { /* when displaying prompt, just output "normal" by default */
+      opts->disp_sen = TRUE;
+      opts->disp_clr = TRUE;
+    }
     opts->disp_mlsr  = TRUE;
   }
   
@@ -459,13 +468,24 @@
 {
   context_t con = NULL;
 
+  if (!*scon)
+  { /* --self-exec and --self-fs etc. */
+    if (opts->disp_user) disp__con_val("user", NULL);
+    if (opts->disp_role) disp__con_val("role", NULL);
+    if (opts->disp_type) disp__con_val("type", NULL);
+    if (opts->disp_sen)  disp__con_val("sensitivity", NULL);
+    if (opts->disp_clr)  disp__con_val("clearance", NULL);
+    if (opts->disp_mlsr) disp__con_val("mls-range", NULL);
+    return;
+  }  
+  
   if (!(con = context_new(scon)))
-    errx(EXIT_FAILURE, "Couln't create context from: %s", scon);
+    errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
   
   if (opts->disp_user)  disp__con_val("user",      context_user_get(con));
   if (opts->disp_role)  disp__con_val("role",      context_role_get(con));
   if (opts->disp_type)  disp__con_val("type",      context_type_get(con));
-  if (opts->disp_level)
+  if (opts->disp_sen)
   {
     const char *val = NULL;
     char *tmp = NULL;
@@ -476,13 +496,32 @@
     
     tmp = strdup(val);
     if (!tmp)
-      errx(EXIT_FAILURE, "Couln't create context from: %s", scon);
+      errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
     if (strchr(tmp, '-')) *strchr(tmp, '-') = 0;
     
-    disp__con_val("level", tmp);
+    disp__con_val("sensitivity", tmp);
 
     free(tmp);
   }
+  if (opts->disp_clr)
+  {
+    const char *val = NULL;
+    char *tmp = NULL;
+
+    val = context_range_get(con);
+    if (!val) val = ""; /* targeted has no "level" etc.,
+                           any errors should happen at context_new() time */
+    
+    tmp = strdup(val);
+    if (!tmp)
+      errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
+    if (strchr(tmp, '-'))
+      disp__con_val("clearance", strchr(tmp, '-') + 1);
+    else
+      disp__con_val("clearance", tmp);
+
+    free(tmp);
+  }
   
   if (opts->disp_mlsr)  disp__con_val("mls-range", context_range_get(con));
 

[-- Attachment #1.3: selinux-audit-mass-relabel.patch --]
[-- Type: text/x-patch, Size: 2704 bytes --]

Index: policycoreutils/setfiles/setfiles.c
===================================================================
--- policycoreutils/setfiles/setfiles.c	(revision 19)
+++ policycoreutils/setfiles/setfiles.c	(working copy)
@@ -75,7 +75,12 @@
 #include <selinux/selinux.h>
 #include <syslog.h> 
 #include <libgen.h>
+#include <libaudit.h>
 
+#ifndef AUDIT_FS_RELABEL
+#define AUDIT_FS_RELABEL 2309
+#endif
+
 static int add_assoc = 1;
 static FILE *outfile=NULL;
 static int force=0;
@@ -395,7 +400,7 @@
 
 	/* trim trailing /, if present */
 	len = strlen(rootpath);
-	while ('/' == rootpath[len - 1])
+	while (len && ('/' == rootpath[len - 1]))
 		rootpath[--len] = 0;
 	rootpathlen = len;
 }
@@ -443,11 +448,35 @@
   return 0;
 }
 
+static void maybe_audit_mass_relabel(int done_root, int errs)
+{
+  int audit_fd = -1;
+  int rc = 0;
+  
+  if (!done_root) /* only audit a forced full relabel */
+    return;
+  
+  audit_fd = audit_open();
+
+  if (audit_fd < 0) {
+    fprintf(stderr, "Error connecting to audit system.\n");
+    return;
+  }
+
+  rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
+                              "op=mass relabel", NULL, NULL, NULL, !errs);
+  if (rc <= 0) {
+    fprintf(stderr, "Error sending audit message: %s.\n", strerror(errno));
+  }
+  audit_close(audit_fd);
+}
+
 int main(int argc, char **argv)
 {
 	struct stat sb;
 	int opt, rc, i;
-
+        int done_root = 0; /* have we processed the / directory as an arg */
+        
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Validate all file contexts during matchpathcon_init. */
@@ -618,6 +647,8 @@
 	}
 	else for (; optind < argc; optind++)
 	{
+                done_root |= !strcmp(argv[optind], "/");
+                
 		if (NULL != rootpath) {
 			qprintf("%s:  labeling files, pretending %s is /\n",
 				argv[0], rootpath);
@@ -648,6 +679,7 @@
 				fprintf(stderr,
 				"%s:  error while labeling files under %s\n",
 				argv[0], argv[optind]);
+				maybe_audit_mass_relabel(done_root, 1);
 				exit(1);
 			}
 		}
@@ -664,6 +696,8 @@
 		matchpathcon_filespec_destroy();
 	}
 
+        maybe_audit_mass_relabel(done_root, 0);
+
 	if (warn_no_match)
 		matchpathcon_checkmatches(argv[0]);
 
Index: policycoreutils/setfiles/Makefile
===================================================================
--- policycoreutils/setfiles/Makefile	(revision 19)
+++ policycoreutils/setfiles/Makefile	(working copy)
@@ -7,6 +7,7 @@
 CFLAGS = -Werror -Wall -W 
 override CFLAGS += -D_FILE_OFFSET_BITS=64 -I$(PREFIX)/include
 LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+LDLIBS += -laudit
 
 all: setfiles
 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 191 bytes --]