* [PATCH] policycoreutils semanage for nodes
@ 2006-09-05 18:27 Rodrigo Vivi
From: Rodrigo Vivi @ 2006-09-05 18:27 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 506 bytes --]
Hi all,
Since libsemanage supports node context management and the semanage command in
policycoreutils does not, I thought it was a good idea to implement this.
This patch provides everything the semanage command needs to manage node contexts.
(including a man page updated)
However I know that SECMARK mechanism largely obsoletes the use of
netif and node contexts going forward, but I did this patch because I was
missing the node management at semanage command.
Thanks,
Rodrigo Vivi.
(vivijim at #selinux)
[-- Attachment #2: node.patch --]
[-- Type: text/x-diff, Size: 11643 bytes --]
diff -ruN policycoreutils-1.30.26/semanage/semanage policycoreutils-dev/semanage/semanage
--- policycoreutils-1.30.26/semanage/semanage 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/semanage 2006-09-03 05:05:41.000000000 -0300
@@ -41,6 +41,7 @@
semanage user -{a|d|m} [-LrRP] selinux_name\n\
semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
semanage interface -{a|d|m} [-tr] interface_spec\n\
+semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr\n\
semanage fcontext -{a|d|m} [-frst] file_spec\n\
semanage translation -{a|d|m} [-T] level\n\n\
\
@@ -65,7 +66,8 @@
-l (symbolic link) \n\
-p (named pipe) \n\n\
\
- -p, --proto Port protocol (tcp or udp)\n\
+ -p, --protocol Port protocol (tcp or udp)\n\
+ -M, --mask Netmask\n\
-P, --prefix Prefix for home directory labeling\n\
-L, --level Default SELinux Level (MLS/MCS Systems only)\n\
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
@@ -94,7 +96,9 @@
valid_option["port"] = []
valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
valid_option["interface"] = []
- valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["node"] = []
+ valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol' ]
valid_option["fcontext"] = []
valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
valid_option["translation"] = []
@@ -110,6 +114,7 @@
serange = ""
port = ""
proto = ""
+ mask = ""
selevel = ""
setype = ""
ftype = ""
@@ -134,7 +139,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- 'adf:lhmnp:s:R:L:r:t:T:P:',
+ 'adf:lhmnp:s:R:L:r:t:T:P:M:',
['add',
'delete',
'ftype=',
@@ -149,7 +154,8 @@
'roles=',
'type=',
'trans=',
- 'prefix='
+ 'prefix=',
+ 'mask='
])
for o, a in gopts:
if o not in option_dict[object]:
@@ -194,6 +200,9 @@
if o == "-p" or o == '--proto':
proto = a
+ if o == "-M" or o == '--mask':
+ mask = a
+
if o == "-P" or o == '--prefix':
prefix = a
@@ -220,6 +229,9 @@
if object == "interface":
OBJECT = seobject.interfaceRecords()
+
+ if object == "node":
+ OBJECT = seobject.nodeRecords()
if object == "fcontext":
OBJECT = seobject.fcontextRecords()
@@ -257,6 +269,9 @@
if object == "interface":
OBJECT.add(target, serange, setype)
+ if object == "node":
+ OBJECT.add(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
sys.exit(0);
@@ -278,6 +293,9 @@
if object == "interface":
OBJECT.modify(target, serange, setype)
+ if object == "node":
+ OBJECT.modify(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.modify(target, setype, ftype, serange, seuser)
@@ -290,6 +308,9 @@
elif object == "fcontext":
OBJECT.delete(target, ftype)
+ elif object == "node":
+ OBJECT.delete(target, mask, proto)
+
else:
OBJECT.delete(target)
diff -ruN policycoreutils-1.30.26/semanage/semanage.8 policycoreutils-dev/semanage/semanage.8
--- policycoreutils-1.30.26/semanage/semanage.8 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/semanage.8 2006-09-05 15:12:44.000000000 -0300
@@ -3,7 +3,7 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {login|user|port|interface|fcontext|translation} \-l [\-n]
+.B semanage {login|user|port|interface|node|fcontext|translation} \-l [\-n]
.br
.B semanage login \-{a|d|m} [\-sr] login_name
.br
@@ -13,6 +13,8 @@
.br
.B semanage interface \-{a|d|m} [\-tr] interface_spec
.br
+.B semanage node \-{a|d|m} [\-tr] [-M netmask] [-p protocol] address
+.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
.B semanage translation \-{a|d|m} [\-T] level
@@ -93,6 +95,8 @@
$ semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Add node context to 192.168.0.1 / 255.255.255.0
+$ semanage node -a -M 255.255.255.0 -t compat_ipv4_node_t 192.168.0.1
.fi
.SH "AUTHOR"
diff -ruN policycoreutils-1.30.26/semanage/seobject.py policycoreutils-dev/semanage/seobject.py
--- policycoreutils-1.30.26/semanage/seobject.py 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/seobject.py 2006-09-05 11:41:06.000000000 -0300
@@ -1002,6 +1002,213 @@
else:
for k in keys:
print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+
+class nodeRecords(semanageRecords):
+ def __init__(self):
+ semanageRecords.__init__(self)
+
+ def add(self, addr, mask, proto, serange, ctype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if ctype == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if exists:
+ raise ValueError(_("Addr %s already defined") % addr)
+
+ (rc,node) = semanage_node_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create addr for %s") % addr)
+
+ rc = semanage_node_set_addr(self.sh, node, proto, addr)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % addr)
+
+ rc = semanage_node_set_mask(self.sh, node, proto, mask)
+ if rc < 0:
+ raise ValueError(_("Could not set mask for %s") % addr)
+
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in addr context for %s") % addr)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in addr context for %s") % addr)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in addr context for %s") % addr)
+
+ if serange != "":
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
+
+ rc = semanage_node_set_con(self.sh, node, con)
+ if rc < 0:
+ raise ValueError(_("Could not set addr context for %s") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ semanage_context_free(con)
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def modify(self, addr, mask, proto, serange, setype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,node) = semanage_node_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query addr %s") % addr)
+
+ con = semanage_node_get_con(node)
+
+ if serange != "":
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def delete(self, addr, mask, proto):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,exists) = semanage_node_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ semanage_node_key_free(k)
+
+ def get_all(self):
+ ddict = {}
+ (rc, self.ilist) = semanage_node_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list addrs"))
+
+ for node in self.ilist:
+ con = semanage_node_get_con(node)
+ addr = semanage_node_get_addr(self.sh, node)
+ mask = semanage_node_get_mask(self.sh, node)
+ proto = semanage_node_get_proto(node)
+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def list(self, heading = 1):
+ if heading:
+ print "%-50s %s\n" % ("SELinux Addr", "Context")
+ ddict = self.get_all()
+ keys = ddict.keys()
+ keys.sort()
+ if is_mls_enabled:
+ for k in keys:
+ print "%-50s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
+ else:
+ for k in keys:
+ print "%-50s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+
class fcontextRecords(semanageRecords):
def __init__(self):
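Review bot: The return code of `semanage_node_set_addr(self.sh, node, proto, addr)` in `nodeRecords.add` is never examined — the `rc` it assigns is overwritten on the next line by `(rc, con) = semanage_context_create(self.sh)`, so if that call fails (the address comes straight from the command line) the node is still passed to `semanage_node_modify_local` and committed without an address. Guard it the way every neighbouring call is guarded: `rc = semanage_node_set_addr(self.sh, node, proto, addr)` / `if rc < 0:` / `raise ValueError(_("Could not set addr for %s") % addr)`. The same omission is in `modify`, where the results of `semanage_context_set_mls(self.sh, con, untranslate(serange))` and `semanage_context_set_type(self.sh, con, setype)` are discarded, so a rejected type or range silently leaves the stored context unchanged while the command reports success. In all three methods the `semanage_*_free` calls sit only on the success path, so every early `raise` leaks the key, node and context handles; a `try`/`finally` around the body would release them on both paths.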
@@ -1280,3 +1487,5 @@
for k in keys:
if ddict[k]:
print "%-50s %-18s " % (k[0], ddict[k][0])
+
+
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-08 13:47 ` Karl MacMillan
From: Karl MacMillan @ 2006-09-08 13:47 UTC (permalink / raw)
To: Rodrigo Vivi; +Cc: SE Linux
On Tue, 2006-09-05 at 15:27 -0300, Rodrigo Vivi wrote:
> Hi all,
>
> Since libsemanage support node context management and semanage command for
> policycoreutils does not, I thought that was a good idea to implement this.
>
> This patch provide all that semanage command needs to manage nodes context.
> (including a man page updated)
>
> However I know that SECMARK mechanism largely obsoletes the use of
> netif and node contexts going forward, but I did this patch because I was
> missing the node management at semanage command.
>
I think that netif and node will be around for a while and node in
particular is useful for bind(2).
> Thanks,
> Rodrigo Vivi.
> (vivijim at #selinux)
> diff -ruN policycoreutils-1.30.26/semanage/semanage
> policycoreutils-dev/semanage/semanage
> --- policycoreutils-1.30.26/semanage/semanage 2006-08-12
> 09:21:39.000000000 -0300
> +++ policycoreutils-dev/semanage/semanage 2006-09-03
> 05:05:41.000000000 -0300
> @@ -41,6 +41,7 @@
> semanage user -{a|d|m} [-LrRP] selinux_name\n\
> semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
> semanage interface -{a|d|m} [-tr] interface_spec\n\
> +semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr\n\
> semanage fcontext -{a|d|m} [-frst] file_spec\n\
> semanage translation -{a|d|m} [-T] level\n\n\
> \
> @@ -65,7 +66,8 @@
> -l (symbolic link) \n\
> -p (named pipe) \n\n\
> \
> - -p, --proto Port protocol (tcp or udp)\n\
> + -p, --protocol Port protocol (tcp or udp)\n\
Did you mean to make this change? It doesn't appear in the argument
parsing below. Additionally, I don't think that it is a good idea to
change the arguments at this point even if they are better.
Otherwise this looks good - thanks for also making the manpage change.
If you are OK with the change above being dropped I don't think there is
a reason to resubmit.
Acked-by Karl MacMillan <kmacmillan@mentalrootkit.com>
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-08 13:54 ` Joshua Brindle
From: Joshua Brindle @ 2006-09-08 13:54 UTC (permalink / raw)
To: Rodrigo Vivi; +Cc: SE Linux
Rodrigo Vivi wrote:
> Hi all,
>
> Since libsemanage support node context management and semanage command for
> policycoreutils does not, I thought that was a good idea to implement this.
>
> This patch provide all that semanage command needs to manage nodes context.
> (including a man page updated)
>
> However I know that SECMARK mechanism largely obsoletes the use of
> netif and node contexts going forward, but I did this patch because I was
> missing the node management at semanage command.
>
> Thanks,
> Rodrigo Vivi.
> (vivijim at #selinux)
>
>
In addition to the comments below, I tried this patch out and while it
indeed added the nodecon it didn't seem to have a net effect on the
system. This is probably because of ordering issues which IIRC is why we
never had this support to begin with.
> ------------------------------------------------------------------------
>
> diff -ruN policycoreutils-1.30.26/semanage/semanage policycoreutils-dev/semanage/semanage
> --- policycoreutils-1.30.26/semanage/semanage 2006-08-12 09:21:39.000000000 -0300
> +++ policycoreutils-dev/semanage/semanage 2006-09-03 05:05:41.000000000 -0300
> @@ -41,6 +41,7 @@
> semanage user -{a|d|m} [-LrRP] selinux_name\n\
> semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
> semanage interface -{a|d|m} [-tr] interface_spec\n\
> +semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr\n\
>
what does [ -p protocol ] mean for node? nodecon's don't have protocols
You also didn't add node to the line above these:
semanage {login|user|port|interface|fcontext|translation} -l [-n]
> semanage fcontext -{a|d|m} [-frst] file_spec\n\
> semanage translation -{a|d|m} [-T] level\n\n\
> \
> @@ -65,7 +66,8 @@
> -l (symbolic link) \n\
> -p (named pipe) \n\n\
> \
> - -p, --proto Port protocol (tcp or udp)\n\
> + -p, --protocol Port protocol (tcp or udp)\n\
>
why change this?
> + -M, --mask Netmask\n\
> -P, --prefix Prefix for home directory labeling\n\
> -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
> -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
> @@ -94,7 +96,9 @@
> valid_option["port"] = []
> valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
> valid_option["interface"] = []
> - valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
> + valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
> + valid_option["node"] = []
> + valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol' ]
>
I don't think protocol is valid for everyone
> valid_option["fcontext"] = []
> valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
>
<snip>
> valid_option["translation"] = []
>
> + def list(self, heading = 1):
> + if heading:
> + print "%-50s %s\n" % ("SELinux Addr", "Context")
> + ddict = self.get_all()
> + keys = ddict.keys()
> + keys.sort()
> + if is_mls_enabled:
> + for k in keys:
> + print "%-50s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3],
I don't think ddict[k][3] is what you think it is..
> False))
> + else:
> + for k in keys:
> + print "%-50s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
> +
>
> class fcontextRecords(semanageRecords):
> def __init__(self):
> @@ -1280,3 +1487,5 @@
> for k in keys:
> if ddict[k]:
> print "%-50s %-18s " % (k[0], ddict[k][0])
> +
> +
>
whitespace?
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-08 15:12 ` Karl MacMillan
From: Karl MacMillan @ 2006-09-08 15:12 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Rodrigo Vivi, SE Linux
On Fri, 2006-09-08 at 09:54 -0400, Joshua Brindle wrote:
> Rodrigo Vivi wrote:
> > Hi all,
> >
> > Since libsemanage support node context management and semanage command for
> > policycoreutils does not, I thought that was a good idea to implement this.
> >
> > This patch provide all that semanage command needs to manage nodes context.
> > (including a man page updated)
> >
> > However I know that SECMARK mechanism largely obsoletes the use of
> > netif and node contexts going forward, but I did this patch because I was
> > missing the node management at semanage command.
> >
> > Thanks,
> > Rodrigo Vivi.
> > (vivijim at #selinux)
> >
> >
> In addition to the comments below, I tried this patch out and while it
> indeed added the nodecon it didn't seem to have a net effect on the
> system. This is probably because of ordering issues which IIRC is why we
> never had this support to begin with.
>
How is this different from the port sorting problem? For a simple
example pre-pending the local modifications should have the desired
effect, so this sounds like a general semanage bug to me.
Karl
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-08 15:46 ` Joshua Brindle
From: Joshua Brindle @ 2006-09-08 15:46 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Rodrigo Vivi, SE Linux
Karl MacMillan wrote:
> On Fri, 2006-09-08 at 09:54 -0400, Joshua Brindle wrote:
>
>> Rodrigo Vivi wrote:
>>
>>> Hi all,
>>>
>>> Since libsemanage support node context management and semanage command for
>>> policycoreutils does not, I thought that was a good idea to implement this.
>>>
>>> This patch provide all that semanage command needs to manage nodes context.
>>> (including a man page updated)
>>>
>>> However I know that SECMARK mechanism largely obsoletes the use of
>>> netif and node contexts going forward, but I did this patch because I was
>>> missing the node management at semanage command.
>>>
>>> Thanks,
>>> Rodrigo Vivi.
>>> (vivijim at #selinux)
>>>
>>>
>>>
>> In addition to the comments below, I tried this patch out and while it
>> indeed added the nodecon it didn't seem to have a net effect on the
>> system. This is probably because of ordering issues which IIRC is why we
>> never had this support to begin with.
>>
>>
>
> How is this different from the port sorting problem? For a simple
> example pre-pending the local modifications should have the desired
> effect, so this sounds like a general semanage bug to me.
>
>
Which wasn't fixed in this patch and so shouldn't be merged
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-08 17:51 ` Karl MacMillan
From: Karl MacMillan @ 2006-09-08 17:51 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Rodrigo Vivi, SE Linux
On Fri, 2006-09-08 at 11:46 -0400, Joshua Brindle wrote:
> Karl MacMillan wrote:
> > On Fri, 2006-09-08 at 09:54 -0400, Joshua Brindle wrote:
> >
> >> Rodrigo Vivi wrote:
> >>
> >>> Hi all,
> >>>
> >>> Since libsemanage support node context management and semanage command for
> >>> policycoreutils does not, I thought that was a good idea to implement this.
> >>>
> >>> This patch provide all that semanage command needs to manage nodes context.
> >>> (including a man page updated)
> >>>
> >>> However I know that SECMARK mechanism largely obsoletes the use of
> >>> netif and node contexts going forward, but I did this patch because I was
> >>> missing the node management at semanage command.
> >>>
> >>> Thanks,
> >>> Rodrigo Vivi.
> >>> (vivijim at #selinux)
> >>>
> >>>
> >>>
> >> In addition to the comments below, I tried this patch out and while it
> >> indeed added the nodecon it didn't seem to have a net effect on the
> >> system. This is probably because of ordering issues which IIRC is why we
> >> never had this support to begin with.
> >>
> >>
> >
> > How is this different from the port sorting problem? For a simple
> > example pre-pending the local modifications should have the desired
> > effect, so this sounds like a general semanage bug to me.
> >
> >
> Which wasn't fixed in this patch and so shouldn't be merged
Rodrigo - are you interested in trying to get to the bottom of this?
Otherwise, please file a bug [1] and attach your existing patch.
Thanks,
Karl
[1] http://sourceforge.net/tracker/?group_id=21266&atid=121266
* Re: [PATCH] policycoreutils semanage for nodes
@ 2006-09-09 20:54 ` Rodrigo Vivi
From: Rodrigo Vivi @ 2006-09-09 20:54 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 2518 bytes --]
Hi all,
first of all I'm submitting a new version of this patch that contains some
changes related to the comments that you've sent me:
> - -p, --proto Port protocol (tcp or udp)\n\
> + -p, --protocol Port protocol (tcp or udp)\n\
This was a mistake. What I believe really needs to change is this:
- valid_option["port"] += valid_everyone +
[ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
+ valid_option["port"] += valid_everyone +
[ '-t', '--type', '-r', '--range', '-p', '--proto' ]
> what does [ -p protocol ] mean for node? nodecon's don't have protocols
For node protocol must be ipv4 or ipv6. Actually libsemanage consider 0 as
ipv4 and 1 as ipv6.
Now i did some changes in manpage and in usage string that explain this.
> You also didn't add node to the line above these:
> semanage {login|user|port|interface|fcontext|translation} -l [-n]
done.
> ddict[k][1],ddict[k][2], translate(ddict[k][3],
> I don't think ddict[k][3] is what you think it is..
I didn't understand your point. In get_all() I add the mls context as the
field 3.
> whitespace?
removed. sorry.
> > >> In addition to the comments below, I tried this patch out and while it
> > >> indeed added the nodecon it didn't seem to have a net effect on the
> > >> system. This is probably because of ordering issues which IIRC is why
> > >> we never had this support to begin with.
> > >
> > > How is this different from the port sorting problem? For a simple
> > > example pre-pending the local modifications should have the desired
> > > effect, so this sounds like a general semanage bug to me.
> >
> > Which wasn't fixed in this patch and so shouldn't be merged
>
> Rodrigo - are you interested in trying to get to the bottom of this?
> Otherwise, please file a bug [1] and attach your existing patch.
Yes, I'm very interested in trying to get to the bottom of this. I'm not sure
if I have sufficient experience for that but I can try. And need your help.
So, I coded this patch for node based on interface one and I was sure that for
interface it was working. But I had tried only in permissive mode.
Today I tested in enforcing mode and I'm not sure even if for interface
semanage is working.
because I could send a message from a process in SystemHigh through a tun
interface in SystemLow and a node in SystemLow too.
How is the best way to test this ?
How did you do to test this ?
How can I debug this to see why this is not working ?
Thanks for your help and patience.
[-- Attachment #2: node.patch --]
[-- Type: text/x-diff, Size: 12761 bytes --]
diff -ruN policycoreutils-1.30.26/semanage/semanage policycoreutils-dev/semanage/semanage
--- policycoreutils-1.30.26/semanage/semanage 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/semanage 2006-09-09 17:28:22.000000000 -0300
@@ -36,11 +36,12 @@
def usage(message = ""):
print _('\
-semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\
+semanage {login|user|port|interface|node|fcontext|translation} -l [-n] \n\
semanage login -{a|d|m} [-sr] login_name\n\
semanage user -{a|d|m} [-LrRP] selinux_name\n\
semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
semanage interface -{a|d|m} [-tr] interface_spec\n\
+semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr\n\
semanage fcontext -{a|d|m} [-frst] file_spec\n\
semanage translation -{a|d|m} [-T] level\n\n\
\
@@ -65,7 +66,8 @@
-l (symbolic link) \n\
-p (named pipe) \n\n\
\
- -p, --proto Port protocol (tcp or udp)\n\
+ -p, --proto Protocol {tcp|udp} for Port or {ipv4|ipv6} for Node\n\
+ -M, --mask Node Netmask\n\
-P, --prefix Prefix for home directory labeling\n\
-L, --level Default SELinux Level (MLS/MCS Systems only)\n\
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
@@ -92,9 +94,11 @@
valid_option["user"] = []
valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
valid_option["port"] = []
- valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
+ valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
valid_option["interface"] = []
- valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["node"] = []
+ valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--proto' ]
valid_option["fcontext"] = []
valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
valid_option["translation"] = []
@@ -110,6 +114,7 @@
serange = ""
port = ""
proto = ""
+ mask = ""
selevel = ""
setype = ""
ftype = ""
@@ -134,7 +139,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- 'adf:lhmnp:s:R:L:r:t:T:P:',
+ 'adf:lhmnp:s:R:L:r:t:T:P:M:',
['add',
'delete',
'ftype=',
@@ -149,7 +154,8 @@
'roles=',
'type=',
'trans=',
- 'prefix='
+ 'prefix=',
+ 'mask='
])
for o, a in gopts:
if o not in option_dict[object]:
@@ -194,6 +200,9 @@
if o == "-p" or o == '--proto':
proto = a
+ if o == "-M" or o == '--mask':
+ mask = a
+
if o == "-P" or o == '--prefix':
prefix = a
@@ -220,6 +229,9 @@
if object == "interface":
OBJECT = seobject.interfaceRecords()
+
+ if object == "node":
+ OBJECT = seobject.nodeRecords()
if object == "fcontext":
OBJECT = seobject.fcontextRecords()
@@ -257,6 +269,9 @@
if object == "interface":
OBJECT.add(target, serange, setype)
+ if object == "node":
+ OBJECT.add(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
sys.exit(0);
@@ -278,6 +293,9 @@
if object == "interface":
OBJECT.modify(target, serange, setype)
+ if object == "node":
+ OBJECT.modify(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.modify(target, setype, ftype, serange, seuser)
@@ -290,6 +308,9 @@
elif object == "fcontext":
OBJECT.delete(target, ftype)
+ elif object == "node":
+ OBJECT.delete(target, mask, proto)
+
else:
OBJECT.delete(target)
diff -ruN policycoreutils-1.30.26/semanage/semanage.8 policycoreutils-dev/semanage/semanage.8
--- policycoreutils-1.30.26/semanage/semanage.8 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/semanage.8 2006-09-09 15:52:50.000000000 -0300
@@ -3,7 +3,7 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {login|user|port|interface|fcontext|translation} \-l [\-n]
+.B semanage {login|user|port|interface|node|fcontext|translation} \-l [\-n]
.br
.B semanage login \-{a|d|m} [\-sr] login_name
.br
@@ -13,6 +13,8 @@
.br
.B semanage interface \-{a|d|m} [\-tr] interface_spec
.br
+.B semanage node \-{a|d|m} [\-tr] [-M netmask] [-p protocol] address
+.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
.B semanage translation \-{a|d|m} [\-T] level
@@ -63,7 +65,7 @@
Do not print heading when listing OBJECTS.
.TP
.I \-p, \-\-proto
-Protocol for the specified port (tcp|udp).
+Protocol for the specified port (tcp|udp) or for the specified node (ipv4|ipv6), ipv4 Default.
.TP
.I \-r, \-\-range
MLS/MCS Security Range (MLS/MCS Systems only)
@@ -93,6 +95,8 @@
$ semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Add node context to 192.168.0.1 / 255.255.255.0
+$ semanage node -a -M 255.255.255.0 -p ipv4 -t compat_ipv4_node_t 192.168.0.1
.fi
.SH "AUTHOR"
diff -ruN policycoreutils-1.30.26/semanage/seobject.py policycoreutils-dev/semanage/seobject.py
--- policycoreutils-1.30.26/semanage/seobject.py 2006-08-12 09:21:39.000000000 -0300
+++ policycoreutils-dev/semanage/seobject.py 2006-09-09 17:30:57.000000000 -0300
@@ -1002,7 +1002,219 @@
else:
for k in keys:
print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+
+class nodeRecords(semanageRecords):
+ def __init__(self):
+ semanageRecords.__init__(self)
+
+ def add(self, addr, mask, proto, serange, ctype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "" or proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Protocol ipv4 or ipv6 is required"))
+
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if ctype == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if exists:
+ raise ValueError(_("Addr %s already defined") % addr)
+
+ (rc,node) = semanage_node_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create addr for %s") % addr)
+
+ rc = semanage_node_set_addr(self.sh, node, proto, addr)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % addr)
+
+ rc = semanage_node_set_mask(self.sh, node, proto, mask)
+ if rc < 0:
+ raise ValueError(_("Could not set mask for %s") % addr)
+
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in addr context for %s") % addr)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in addr context for %s") % addr)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in addr context for %s") % addr)
+
+ if serange != "":
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
+
+ rc = semanage_node_set_con(self.sh, node, con)
+ if rc < 0:
+ raise ValueError(_("Could not set addr context for %s") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ semanage_context_free(con)
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def modify(self, addr, mask, proto, serange, setype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "" or proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Protocol ipv4 or ipv6 is required"))
+
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,node) = semanage_node_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query addr %s") % addr)
+
+ con = semanage_node_get_con(node)
+ if serange != "":
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def delete(self, addr, mask, proto):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "" or proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Protocol ipv4 or ipv6 is required"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,exists) = semanage_node_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ semanage_node_key_free(k)
+
+ def get_all(self):
+ ddict = {}
+ (rc, self.ilist) = semanage_node_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list addrs"))
+
+ for node in self.ilist:
+ con = semanage_node_get_con(node)
+ addr = semanage_node_get_addr(self.sh, node)
+ mask = semanage_node_get_mask(self.sh, node)
+ proto = semanage_node_get_proto(node)
+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def list(self, heading = 1):
+ if heading:
+ print "%-50s %s\n" % ("SELinux Addr", "Context")
+ ddict = self.get_all()
+ keys = ddict.keys()
+ keys.sort()
+ if is_mls_enabled:
+ for k in keys:
+ print "%-50s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
+ else:
+ for k in keys:
+ print "%-50s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+
class fcontextRecords(semanageRecords):
def __init__(self):
semanageRecords.__init__(self)
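Review bot: In nodeRecords.add the return code of `semanage_node_set_addr(self.sh, node, proto, addr)` is never examined — the very next statement rebinds `rc` via `(rc, con) = semanage_context_create(self.sh)`, so a rejected or unparsable address is silently dropped and the transaction goes on to commit a node record whose address was never set. Add a check right after the call: `if rc < 0:` / `raise ValueError(_("Could not set addr for %s") % addr)`, mirroring the check already done for `semanage_node_set_mask`. The same gap exists in nodeRecords.modify, where `semanage_context_set_mls` and `semanage_context_set_type` are called as bare statements; a type or range that libsemanage rejects leaves the queried context unchanged and the caller still sees a successful modify, so their `rc` should be tested before `semanage_begin_transaction`. Separately, in get_all the `(rc, value)` pairs from `semanage_node_get_addr` and `semanage_node_get_mask` are indexed as `addr[1]`/`mask[1]` without looking at `addr[0]`/`mask[0]`; if those getters follow the other `(rc, ...)` helpers in this file, a failed lookup would be listed as a bogus entry rather than reported.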