[Fwd: policycoreutils patches]

[Fwd: policycoreutils patches]

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 473 bytes --]

Moved audit2allow to sbin to match audit2why.

Fix chcat to handle case where there are no categories.

Change fixfiles to run setfiles in quiet mode

Change genhomedircon to verify context before setting homedir file
context. This can happen if you have different user types, where one
type has a homedir file context while another one does not.

restorecond init script does not return status properly

Fix output of restorecon.c errors to show correct error message.




[-- Attachment #2: audit2allow.patch --]
[-- Type: text/x-patch, Size: 374 bytes --]

--- nsapolicycoreutils/audit2allow/Makefile	2007-02-07 12:11:49.000000000 -0500
+++ policycoreutils-2.0.7/audit2allow/Makefile	2007-03-23 09:03:56.000000000 -0400
@@ -1,6 +1,6 @@
 # Installation directories.
 PREFIX ?= ${DESTDIR}/usr
-BINDIR ?= $(PREFIX)/bin
+BINDIR ?= $(PREFIX)/sbin
 LIBDIR ?= $(PREFIX)/lib
 MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale


[-- Attachment #3: chcat.patch --]
[-- Type: text/x-patch, Size: 1266 bytes --]

--- nsapolicycoreutils/scripts/chcat	2007-02-22 08:53:22.000000000 -0500
+++ policycoreutils-2.0.7/scripts/chcat	2007-03-23 09:03:56.000000000 -0400
@@ -74,9 +74,11 @@
             if i not in cats:
                 cats.append(i)
 
-        new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ","))
-        if new_serange[-1:] == ":":
-            new_serange = new_serange[:-1]
+            
+        if len(cats) > 0:
+            new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
+        else
+            new_serange = "%s-%s" % (serange[0], top[0])
             
         if add_ind:
             cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
@@ -151,10 +153,11 @@
             if i in cats:
                 cats.remove(i)
 
-        new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ","))
-        if new_serange[-1:] == ":":
-            new_serange = new_serange[:-1]
-        
+        if len(cats) > 0:
+            new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
+        else
+            new_serange = "%s-%s" % (serange[0], top[0])
+            
         if add_ind:
             cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
         else:


[-- Attachment #4: fixfiles.patch --]
[-- Type: text/x-patch, Size: 413 bytes --]

--- nsapolicycoreutils/scripts/fixfiles	2007-01-11 08:56:30.000000000 -0500
+++ policycoreutils-2.0.7/scripts/fixfiles	2007-03-23 14:24:15.000000000 -0400
@@ -138,7 +138,7 @@
     exit $?
 fi
 LogReadOnly
-${SETFILES} ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
+${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 exit $?
 }
 


[-- Attachment #5: genhomedircon.patch --]
[-- Type: text/x-patch, Size: 674 bytes --]

--- nsapolicycoreutils/scripts/genhomedircon	2006-11-28 09:24:33.000000000 -0500
+++ policycoreutils-2.0.7/scripts/genhomedircon	2007-04-09 15:44:47.000000000 -0400
@@ -26,6 +26,7 @@
 
 import sys, os, pwd, string, getopt, re
 from semanage import *;
+import selinux
 import gettext
 gettext.install('policycoreutils')
 
@@ -249,7 +250,10 @@
 				i = i.replace("HOME_DIR", home)
 				i = i.replace("ROLE", prefix)
 				i = i.replace("system_u", seuser)
-				ret = ret+i
+				# Validate if the generated context exists.  Some user types may not exist
+				scon = i.split()[-1]
+				if selinux.security_check_context(scon) == 0:
+					ret = ret+i
 		fd.close()
 		return ret


[-- Attachment #6: restorecon.patch --]
[-- Type: text/x-patch, Size: 427 bytes --]

--- nsapolicycoreutils/restorecon/restorecon.c	2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-2.0.7/restorecon/restorecon.c	2007-03-23 09:03:56.000000000 -0400
@@ -336,8 +336,8 @@
 				if (!file_exist && errno == ENOENT)
 					return;
 				fprintf(stderr,
-					"%s:  error while labeling files under %s\n",
-					progname, buf);
+					"%s: %s: %s\n",
+					progname, buf, strerror(errno));
 				errors++;
 			}
 		}


[-- Attachment #7: restorecond.patch --]
[-- Type: text/x-patch, Size: 288 bytes --]

--- nsapolicycoreutils/restorecond/restorecond.init	2007-03-01 17:23:40.000000000 -0500
+++ policycoreutils-2.0.7/restorecond/restorecond.init	2007-03-23 09:03:56.000000000 -0400
@@ -73,6 +73,7 @@
         ;;
   status)
 	status restorecond
+	RETVAL=$?
 	;;
   restart|reload)
 	restart

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> Moved audit2allow to sbin to match audit2why.

(one patch per message would be nicer)

I actually don't like having so many of the programs in /sbin
or /usr/sbin, as they aren't in normal user paths and make it more
painful to find the commands.  And moving them can cause user confusion
and/or script breakage.  

> Fix chcat to handle case where there are no categories.
> 
> Change fixfiles to run setfiles in quiet mode
> 
> Change genhomedircon to verify context before setting homedir file
> context. This can happen if you have different user types, where one
> type has a homedir file context while another one does not.

Not sure I understand - what does it mean to not have a homedir file
context for a given user type?   I can understand that multiple user
roles/types might share the same homedir file context, but not lacking
one altogether.

> restorecond init script does not return status properly
> 
> Fix output of restorecon.c errors to show correct error message.

Adding a ": %s" with strerror(errno) is fine, but I don't think you want
to drop the existing error message altogether, as errno isn't always set
properly. 

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
>   
>> Moved audit2allow to sbin to match audit2why.
>>     
>
> (one patch per message would be nicer)
>
> I actually don't like having so many of the programs in /sbin
> or /usr/sbin, as they aren't in normal user paths and make it more
> painful to find the commands.  And moving them can cause user confusion
> and/or script breakage.  
>
>   
Then for consistency we should move audit2why to the same directory as 
audit2allow.
>> Fix chcat to handle case where there are no categories.
>>
>> Change fixfiles to run setfiles in quiet mode
>>
>> Change genhomedircon to verify context before setting homedir file
>> context. This can happen if you have different user types, where one
>> type has a homedir file context while another one does not.
>>     
>
> Not sure I understand - what does it mean to not have a homedir file
> context for a given user type?   I can understand that multiple user
> roles/types might share the same homedir file context, but not lacking
> one altogether.
>   
Example.  I am about to release a policy creating a guest_t.  This user 
will have very little privs on a system.  The goal of this user type is 
that it will only be used for ssh accounts.  So it will not have a 
guest_mozilla_home_t.  Since it can not even use X-Windows.   Currently 
if I had mozilla policy installed genhomedircon will try to generate 
file context with guest_mozilla_home_t.
>   
>> restorecond init script does not return status properly
>>
>> Fix output of restorecon.c errors to show correct error message.
>>     
>
> Adding a ": %s" with strerror(errno) is fine, but I don't think you want
> to drop the existing error message altogether, as errno isn't always set
> properly. 
>
>   

That error message is misleading and happens on messages that have 
nothing to do " error while labeling files under".



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> >   
> >> Moved audit2allow to sbin to match audit2why.
> >>     
> >
> > (one patch per message would be nicer)
> >
> > I actually don't like having so many of the programs in /sbin
> > or /usr/sbin, as they aren't in normal user paths and make it more
> > painful to find the commands.  And moving them can cause user confusion
> > and/or script breakage.  
> >
> >   
> Then for consistency we should move audit2why to the same directory as 
> audit2allow.

My real preference would be that the audit2why functionality would be
replicated (and improved) in sepolgen, and audit2allow would directly
use that functionality to identify the cause of the denial as part of
generating policy.  Then audit2allow could directly generate refpolicy
interface calls to e.g. add an attribute to a domain so that it passes
some constraint, or generate a role allow rule.  auditwhy in its current
form is really only to help you; it isn't very useful for end users
(doesn't provide enough information).

> >> Fix chcat to handle case where there are no categories.
> >>
> >> Change fixfiles to run setfiles in quiet mode
> >>
> >> Change genhomedircon to verify context before setting homedir file
> >> context. This can happen if you have different user types, where one
> >> type has a homedir file context while another one does not.
> >>     
> >
> > Not sure I understand - what does it mean to not have a homedir file
> > context for a given user type?   I can understand that multiple user
> > roles/types might share the same homedir file context, but not lacking
> > one altogether.
> >   
> Example.  I am about to release a policy creating a guest_t.  This user 
> will have very little privs on a system.  The goal of this user type is 
> that it will only be used for ssh accounts.  So it will not have a 
> guest_mozilla_home_t.  Since it can not even use X-Windows.   Currently 
> if I had mozilla policy installed genhomedircon will try to generate 
> file context with guest_mozilla_home_t.

Ok, so the user type has homedir contexts, just not all of them.  

> >> restorecond init script does not return status properly
> >>
> >> Fix output of restorecon.c errors to show correct error message.
> >>     
> >
> > Adding a ": %s" with strerror(errno) is fine, but I don't think you want
> > to drop the existing error message altogether, as errno isn't always set
> > properly. 
> >
> >   
> 
> That error message is misleading and happens on messages that have 
> nothing to do " error while labeling files under".

Hmm..that seems to be due to the fact that apply_spec() doesn't return
its error status to the caller, so nftw() doesn't see it (and thus just
proceeds).  Which I suppose is what you want in some cases (e.g. skip
that file and continue to the rest), but not always.

Regardless, the errors would still come from ntftw, which is the file
tree walk - what kinds of errors are you seeing?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> > >   
> > >> Moved audit2allow to sbin to match audit2why.
> > >>     
> > >
> > > (one patch per message would be nicer)
> > >
> > > I actually don't like having so many of the programs in /sbin
> > > or /usr/sbin, as they aren't in normal user paths and make it more
> > > painful to find the commands.  And moving them can cause user confusion
> > > and/or script breakage.  
> > >
> > >   
> > Then for consistency we should move audit2why to the same directory as 
> > audit2allow.
> 
> My real preference would be that the audit2why functionality would be
> replicated (and improved) in sepolgen, and audit2allow would directly
> use that functionality to identify the cause of the denial as part of
> generating policy.  Then audit2allow could directly generate refpolicy
> interface calls to e.g. add an attribute to a domain so that it passes
> some constraint, or generate a role allow rule.

...or generate a role types statement.  Or tell the user that they just
need to enable boolean B to allow it.  Via analysis of the audit message
against the policy rather than heuristics.

>   auditwhy in its current
> form is really only to help you; it isn't very useful for end users
> (doesn't provide enough information).
> 
> > >> Fix chcat to handle case where there are no categories.
> > >>
> > >> Change fixfiles to run setfiles in quiet mode
> > >>
> > >> Change genhomedircon to verify context before setting homedir file
> > >> context. This can happen if you have different user types, where one
> > >> type has a homedir file context while another one does not.
> > >>     
> > >
> > > Not sure I understand - what does it mean to not have a homedir file
> > > context for a given user type?   I can understand that multiple user
> > > roles/types might share the same homedir file context, but not lacking
> > > one altogether.
> > >   
> > Example.  I am about to release a policy creating a guest_t.  This user 
> > will have very little privs on a system.  The goal of this user type is 
> > that it will only be used for ssh accounts.  So it will not have a 
> > guest_mozilla_home_t.  Since it can not even use X-Windows.   Currently 
> > if I had mozilla policy installed genhomedircon will try to generate 
> > file context with guest_mozilla_home_t.
> 
> Ok, so the user type has homedir contexts, just not all of them.  
> 
> > >> restorecond init script does not return status properly
> > >>
> > >> Fix output of restorecon.c errors to show correct error message.
> > >>     
> > >
> > > Adding a ": %s" with strerror(errno) is fine, but I don't think you want
> > > to drop the existing error message altogether, as errno isn't always set
> > > properly. 
> > >
> > >   
> > 
> > That error message is misleading and happens on messages that have 
> > nothing to do " error while labeling files under".
> 
> Hmm..that seems to be due to the fact that apply_spec() doesn't return
> its error status to the caller, so nftw() doesn't see it (and thus just
> proceeds).  Which I suppose is what you want in some cases (e.g. skip
> that file and continue to the rest), but not always.
> 
> Regardless, the errors would still come from ntftw, which is the file
> tree walk - what kinds of errors are you seeing?
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
>   
>> On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
>>     
>>> Stephen Smalley wrote:
>>>       
>>>> On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
>>>>   
>>>>         
>>>>> Moved audit2allow to sbin to match audit2why.
>>>>>     
>>>>>           
>>>> (one patch per message would be nicer)
>>>>
>>>> I actually don't like having so many of the programs in /sbin
>>>> or /usr/sbin, as they aren't in normal user paths and make it more
>>>> painful to find the commands.  And moving them can cause user confusion
>>>> and/or script breakage.  
>>>>
>>>>   
>>>>         
>>> Then for consistency we should move audit2why to the same directory as 
>>> audit2allow.
>>>       
>> My real preference would be that the audit2why functionality would be
>> replicated (and improved) in sepolgen, and audit2allow would directly
>> use that functionality to identify the cause of the denial as part of
>> generating policy.  Then audit2allow could directly generate refpolicy
>> interface calls to e.g. add an attribute to a domain so that it passes
>> some constraint, or generate a role allow rule.
>>     
>
>   
Yes I agree.  But for now we have two tools, in different directories.  
You can ignore this error and
we can drop audit2why when audit2allow has this functionality.  BTW the 
MLS crowd use audit2why all the time, to tell if the denial is because 
of TE or MLS.
> ...or generate a role types statement.  Or tell the user that they just
> need to enable boolean B to allow it.  Via analysis of the audit message
> against the policy rather than heuristics.
>
>   
>>   auditwhy in its current
>> form is really only to help you; it isn't very useful for end users
>> (doesn't provide enough information).
>>
>>     
>>>>> Fix chcat to handle case where there are no categories.
>>>>>
>>>>> Change fixfiles to run setfiles in quiet mode
>>>>>
>>>>> Change genhomedircon to verify context before setting homedir file
>>>>> context. This can happen if you have different user types, where one
>>>>> type has a homedir file context while another one does not.
>>>>>     
>>>>>           
>>>> Not sure I understand - what does it mean to not have a homedir file
>>>> context for a given user type?   I can understand that multiple user
>>>> roles/types might share the same homedir file context, but not lacking
>>>> one altogether.
>>>>   
>>>>         
>>> Example.  I am about to release a policy creating a guest_t.  This user 
>>> will have very little privs on a system.  The goal of this user type is 
>>> that it will only be used for ssh accounts.  So it will not have a 
>>> guest_mozilla_home_t.  Since it can not even use X-Windows.   Currently 
>>> if I had mozilla policy installed genhomedircon will try to generate 
>>> file context with guest_mozilla_home_t.
>>>       
>> Ok, so the user type has homedir contexts, just not all of them.  
>>
>>     
>>>>> restorecond init script does not return status properly
>>>>>
>>>>> Fix output of restorecon.c errors to show correct error message.
>>>>>     
>>>>>           
>>>> Adding a ": %s" with strerror(errno) is fine, but I don't think you want
>>>> to drop the existing error message altogether, as errno isn't always set
>>>> properly. 
>>>>
>>>>   
>>>>         
>>> That error message is misleading and happens on messages that have 
>>> nothing to do " error while labeling files under".
>>>       
>> Hmm..that seems to be due to the fact that apply_spec() doesn't return
>> its error status to the caller, so nftw() doesn't see it (and thus just
>> proceeds).  Which I suppose is what you want in some cases (e.g. skip
>> that file and continue to the rest), but not always.
>>
>> Regardless, the errors would still come from ntftw, which is the file
>> tree walk - what kinds of errors are you seeing?
>>
>>     
I think you get this error even if you choose a directory that does not 
exist. 

restorecon -R -v /some/nonexisting/dir
restorecon:  error while labeling files under /some/nonexisting/dir


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229040

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Karl MacMillan]

On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> > >   
> > >> Moved audit2allow to sbin to match audit2why.
> > >>     
> > >
> > > (one patch per message would be nicer)
> > >
> > > I actually don't like having so many of the programs in /sbin
> > > or /usr/sbin, as they aren't in normal user paths and make it more
> > > painful to find the commands.  And moving them can cause user confusion
> > > and/or script breakage.  
> > >
> > >   
> > Then for consistency we should move audit2why to the same directory as 
> > audit2allow.
> 
> My real preference would be that the audit2why functionality would be
> replicated (and improved) in sepolgen, and audit2allow would directly
> use that functionality to identify the cause of the denial as part of
> generating policy.  Then audit2allow could directly generate refpolicy
> interface calls to e.g. add an attribute to a domain so that it passes
> some constraint, or generate a role allow rule.  auditwhy in its current
> form is really only to help you; it isn't very useful for end users
> (doesn't provide enough information).
> 

I would like to see that as well. We have also discussed moving the
setroubleshoot plugins into sepolgen to gain broader review and improved
maintenance. The current audit2why only provides part of the picture (as
you say), we really want to start telling users when they should relabel
a file, flib a boolean, or take some action _other_ than allowing the
access via allow rules of refpolicy interfaces.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 11:10 -0400, Daniel J Walsh wrote:
> >>>>> Fix output of restorecon.c errors to show correct error message.
> >>>>>     
> >>>>>           
> >>>> Adding a ": %s" with strerror(errno) is fine, but I don't think you want
> >>>> to drop the existing error message altogether, as errno isn't always set
> >>>> properly. 
> >>>>
> >>>>   
> >>>>         
> >>> That error message is misleading and happens on messages that have 
> >>> nothing to do " error while labeling files under".
> >>>       
> >> Hmm..that seems to be due to the fact that apply_spec() doesn't return
> >> its error status to the caller, so nftw() doesn't see it (and thus just
> >> proceeds).  Which I suppose is what you want in some cases (e.g. skip
> >> that file and continue to the rest), but not always.
> >>
> >> Regardless, the errors would still come from ntftw, which is the file
> >> tree walk - what kinds of errors are you seeing?
> >>
> >>     
> I think you get this error even if you choose a directory that does not 
> exist. 
> 
> restorecon -R -v /some/nonexisting/dir
> restorecon:  error while labeling files under /some/nonexisting/dir
> 
> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229040

Ok, but I think you still want some prefix to handle other kinds of
error messages, e.g. it would be just as confusing to see:
	restorecon:  /foobar:  too many open files 
which could happen if nftw() ran out of descriptors during the file tree
walk.

So I think you want something like:
	fprintf(stderr,	"%s:  error while traversing %s:  %s", argv[0], buf,
strerror(errno));

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Karl MacMillan]

On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> Moved audit2allow to sbin to match audit2why.
> 

I think I would rather move audit2why to bin. Both tools can run and are
useful without any privilege.

Karl




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 11:17 -0400, Karl MacMillan wrote:
> On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
> > On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> > > Stephen Smalley wrote:
> > > > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> > > >   
> > > >> Moved audit2allow to sbin to match audit2why.
> > > >>     
> > > >
> > > > (one patch per message would be nicer)
> > > >
> > > > I actually don't like having so many of the programs in /sbin
> > > > or /usr/sbin, as they aren't in normal user paths and make it more
> > > > painful to find the commands.  And moving them can cause user confusion
> > > > and/or script breakage.  
> > > >
> > > >   
> > > Then for consistency we should move audit2why to the same directory as 
> > > audit2allow.
> > 
> > My real preference would be that the audit2why functionality would be
> > replicated (and improved) in sepolgen, and audit2allow would directly
> > use that functionality to identify the cause of the denial as part of
> > generating policy.  Then audit2allow could directly generate refpolicy
> > interface calls to e.g. add an attribute to a domain so that it passes
> > some constraint, or generate a role allow rule.  auditwhy in its current
> > form is really only to help you; it isn't very useful for end users
> > (doesn't provide enough information).
> > 
> 
> I would like to see that as well. We have also discussed moving the
> setroubleshoot plugins into sepolgen to gain broader review and improved
> maintenance. The current audit2why only provides part of the picture (as
> you say), we really want to start telling users when they should relabel
> a file, flib a boolean, or take some action _other_ than allowing the
> access via allow rules of refpolicy interfaces.

Yes, although I'm not sure the heuristic/plugin model is the right one.
Given the right support in libsepol, audit2allow/sepolgen should be able
to search the conditional avtab for conditional rules that would have
allowed the access and discover the right boolean directly from policy.
For file labeling, it might be able to probe what types are accessible
to the domain in question, and try to propose one.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Karl MacMillan]

On Fri, 2007-04-13 at 14:43 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-13 at 11:17 -0400, Karl MacMillan wrote:
> > On Fri, 2007-04-13 at 10:49 -0400, Stephen Smalley wrote:
> > > On Fri, 2007-04-13 at 10:39 -0400, Daniel J Walsh wrote:
> > > > Stephen Smalley wrote:
> > > > > On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> > > > >   
> > > > >> Moved audit2allow to sbin to match audit2why.
> > > > >>     
> > > > >
> > > > > (one patch per message would be nicer)
> > > > >
> > > > > I actually don't like having so many of the programs in /sbin
> > > > > or /usr/sbin, as they aren't in normal user paths and make it more
> > > > > painful to find the commands.  And moving them can cause user confusion
> > > > > and/or script breakage.  
> > > > >
> > > > >   
> > > > Then for consistency we should move audit2why to the same directory as 
> > > > audit2allow.
> > > 
> > > My real preference would be that the audit2why functionality would be
> > > replicated (and improved) in sepolgen, and audit2allow would directly
> > > use that functionality to identify the cause of the denial as part of
> > > generating policy.  Then audit2allow could directly generate refpolicy
> > > interface calls to e.g. add an attribute to a domain so that it passes
> > > some constraint, or generate a role allow rule.  auditwhy in its current
> > > form is really only to help you; it isn't very useful for end users
> > > (doesn't provide enough information).
> > > 
> > 
> > I would like to see that as well. We have also discussed moving the
> > setroubleshoot plugins into sepolgen to gain broader review and improved
> > maintenance. The current audit2why only provides part of the picture (as
> > you say), we really want to start telling users when they should relabel
> > a file, flib a boolean, or take some action _other_ than allowing the
> > access via allow rules of refpolicy interfaces.
> 
> Yes, although I'm not sure the heuristic/plugin model is the right one.
> Given the right support in libsepol, audit2allow/sepolgen should be able
> to search the conditional avtab for conditional rules that would have
> allowed the access and discover the right boolean directly from policy.
> For file labeling, it might be able to probe what types are accessible
> to the domain in question, and try to propose one.
> 

That's certainly true and I plan to explore those approaches. There are
times, however, when the heuristics might give better explanations. So I
think that we should plan to work on this functionality and import
setroubleshoot plugins as needed. I'll work with John (the
setroubleshoot author) to move over to using sepolgen at the right time.

Karl



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: policycoreutils patches]

[Stephen Smalley]

On Fri, 2007-04-13 at 08:53 -0400, Daniel J Walsh wrote:
> Moved audit2allow to sbin to match audit2why.
> 
> Fix chcat to handle case where there are no categories.
> 
> Change fixfiles to run setfiles in quiet mode
> 
> Change genhomedircon to verify context before setting homedir file
> context. This can happen if you have different user types, where one
> type has a homedir file context while another one does not.
> 
> restorecond init script does not return status properly
> 
> Fix output of restorecon.c errors to show correct error message.

Merged, except for the audit2allow -> /sbin change.  Also added a prefix
to the restorecon error message as discussed.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.