New test program for libselinux/utils that helped with testing MLS/Role/Level coding

New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 16 bytes --]

getdefaultcon.c

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 2125 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getdefaultcon.c libselinux-1.33.4/utils/getdefaultcon.c
--- nsalibselinux/utils/getdefaultcon.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.33.4/utils/getdefaultcon.c	2007-01-11 14:24:24.000000000 -0500
@@ -0,0 +1,75 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+
+void usage(char *name, char *detail, int rc)
+{
+	fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
+	if (detail)
+		fprintf(stderr, "%s:  %s\n", name, detail);
+	exit(rc);
+}
+
+int main(int argc, char **argv)
+{
+	security_context_t usercon = NULL, cur_context = NULL;
+	char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL;
+	int ret, opt;
+
+	while ((opt = getopt(argc, argv, "l:r:")) > 0) {
+		switch (opt) {
+		case 'l':
+			level = strdup(optarg);
+			break;
+		case 'r':
+			role = strdup(optarg);
+			break;
+		default:
+			usage(argv[0], "invalid option", 1);
+		}
+	}
+
+	if (((argc - optind) < 1) || ((argc - optind) > 2))
+		usage(argv[0], "invalid number of arguments", 2);
+
+	/* If selinux isn't available, bail out. */
+	if (!is_selinux_enabled()) {
+		fprintf(stderr,
+			"%s may be used only on a SELinux kernel.\n", argv[0]);
+		return 1;
+	}
+
+	user = argv[optind];
+
+	/* If a context wasn't passed, use the current context. */
+	if (((argc - optind) < 2)) {
+		if (getcon(&cur_context) < 0) {
+			fprintf(stderr, "Couldn't get current context.\n");
+			return 2;
+		}
+	} else
+		cur_context = argv[optind + 1];
+
+	if (getseuserbyname(user, &seuser, &level)==0) {
+		if (role != NULL && role[0]) 
+			ret=get_default_context_with_rolelevel(seuser, role, level,cur_context,&usercon);
+		else
+			ret=get_default_context_with_level(seuser, level, cur_context,&usercon);
+	}
+	if (ret < 0)
+		perror(argv[0]);
+	else
+		printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, cur_context, seuser, role, level, usercon);
+
+
+	free(usercon);
+
+	return 0;
+}

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Stephen Smalley]

On Thu, 2007-01-11 at 14:25 -0500, Daniel J Walsh wrote:
> getdefaultcon.c
> plain text document attachment (diff)
> diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getdefaultcon.c libselinux-1.33.4/utils/getdefaultcon.c
> --- nsalibselinux/utils/getdefaultcon.c	1969-12-31 19:00:00.000000000 -0500
> +++ libselinux-1.33.4/utils/getdefaultcon.c	2007-01-11 14:24:24.000000000 -0500
> @@ -0,0 +1,75 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <ctype.h>
> +#include <selinux/selinux.h>
> +#include <selinux/get_context_list.h>
> +
> +void usage(char *name, char *detail, int rc)
> +{
> +	fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
> +	if (detail)
> +		fprintf(stderr, "%s:  %s\n", name, detail);
> +	exit(rc);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +	security_context_t usercon = NULL, cur_context = NULL;
> +	char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL;
> +	int ret, opt;
> +
> +	while ((opt = getopt(argc, argv, "l:r:")) > 0) {
> +		switch (opt) {
> +		case 'l':
> +			level = strdup(optarg);
> +			break;
> +		case 'r':
> +			role = strdup(optarg);
> +			break;
> +		default:
> +			usage(argv[0], "invalid option", 1);
> +		}
> +	}
> +
> +	if (((argc - optind) < 1) || ((argc - optind) > 2))
> +		usage(argv[0], "invalid number of arguments", 2);
> +
> +	/* If selinux isn't available, bail out. */
> +	if (!is_selinux_enabled()) {
> +		fprintf(stderr,
> +			"%s may be used only on a SELinux kernel.\n", argv[0]);
> +		return 1;
> +	}
> +
> +	user = argv[optind];
> +
> +	/* If a context wasn't passed, use the current context. */
> +	if (((argc - optind) < 2)) {
> +		if (getcon(&cur_context) < 0) {
> +			fprintf(stderr, "Couldn't get current context.\n");
> +			return 2;
> +		}
> +	} else
> +		cur_context = argv[optind + 1];
> +
> +	if (getseuserbyname(user, &seuser, &level)==0) {

getseuserbyname() sets level to the level contained in the seusers
record. It will ignore any value already set for level, so that makes
your -l option useless here.  You would have to save that elsewhere and
replace level with it after calling getseuserbyname if you wanted that
functionality.

> +		if (role != NULL && role[0]) 
> +			ret=get_default_context_with_rolelevel(seuser, role, level,cur_context,&usercon);
> +		else
> +			ret=get_default_context_with_level(seuser, level, cur_context,&usercon);
> +	}

This is very similar to the existing getseuser utility that likewise
does a getseuserbyname() but then calls
get_ordered_context_list_with_level() and displays all of the contexts
in it.  Differences are that you permit specification of the role (and
level, if fixed) via options and you only get the default value rather
than the entire list.

> +	if (ret < 0)
> +		perror(argv[0]);
> +	else
> +		printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, cur_context, seuser, role, level, usercon);
> +
> +
> +	free(usercon);
> +
> +	return 0;
> +}

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 757 bytes --]

Fixed level part of patch

> This is very similar to the existing getseuser utility that likewise
> does a getseuserbyname() but then calls
> get_ordered_context_list_with_level() and displays all of the contexts
> in it.  Differences are that you permit specification of the role (and
> level, if fixed) via options and you only get the default value rather
> than the entire list.
I found this test program much easier to figure out what the application 
(locallogin, sshd ...) would do when I logged in.

Probably be worth while adding some of the mls constraints tests in 
also.  IE Make sure mls is working so if I have a process running s0:s0 
it can't generate a SystemHigh user, as well as a user with s0:s0 can 
not ask for a level of SystemHigh.


[-- Attachment #2: libselinux-getdefaultcon.patch --]
[-- Type: text/x-patch, Size: 2139 bytes --]

--- nsalibselinux/utils/getdefaultcon.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.33.4/utils/getdefaultcon.c	2007-01-12 11:28:22.000000000 -0500
@@ -0,0 +1,80 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+
+void usage(char *name, char *detail, int rc)
+{
+	fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
+	if (detail)
+		fprintf(stderr, "%s:  %s\n", name, detail);
+	exit(rc);
+}
+
+int main(int argc, char **argv)
+{
+	security_context_t usercon = NULL, cur_context = NULL;
+	char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
+	int ret, opt;
+
+	while ((opt = getopt(argc, argv, "l:r:")) > 0) {
+		switch (opt) {
+		case 'l':
+			level = strdup(optarg);
+			break;
+		case 'r':
+			role = strdup(optarg);
+			break;
+		default:
+			usage(argv[0], "invalid option", 1);
+		}
+	}
+
+	if (((argc - optind) < 1) || ((argc - optind) > 2))
+		usage(argv[0], "invalid number of arguments", 2);
+
+	/* If selinux isn't available, bail out. */
+	if (!is_selinux_enabled()) {
+		fprintf(stderr,
+			"%s may be used only on a SELinux kernel.\n", argv[0]);
+		return 1;
+	}
+
+	user = argv[optind];
+
+	/* If a context wasn't passed, use the current context. */
+	if (((argc - optind) < 2)) {
+		if (getcon(&cur_context) < 0) {
+			fprintf(stderr, "Couldn't get current context.\n");
+			return 2;
+		}
+	} else
+		cur_context = argv[optind + 1];
+
+	if (getseuserbyname(user, &seuser, &dlevel)==0) {
+		if (! level) level=dlevel;
+		if (role != NULL && role[0]) 
+			ret=get_default_context_with_rolelevel(seuser, role, level,cur_context,&usercon);
+		else
+			ret=get_default_context_with_level(seuser, level, cur_context,&usercon);
+	}
+	if (ret < 0)
+		perror(argv[0]);
+	else
+		printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, cur_context, seuser, role, level, usercon);
+
+
+	free(role);
+	free(seuser);
+	if (level != dlevel) free(level);
+	free(dlevel);
+	free(usercon);
+
+	return 0;
+}

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Ted X Toth]

Daniel J Walsh wrote:
> getdefaultcon.c
> ------------------------------------------------------------------------
>
> diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getdefaultcon.c libselinux-1.33.4/utils/getdefaultcon.c
> --- nsalibselinux/utils/getdefaultcon.c	1969-12-31 19:00:00.000000000 -0500
> +++ libselinux-1.33.4/utils/getdefaultcon.c	2007-01-11 14:24:24.000000000 -0500
> @@ -0,0 +1,75 @@
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <ctype.h>
> +#include <selinux/selinux.h>
> +#include <selinux/get_context_list.h>
> +
> +void usage(char *name, char *detail, int rc)
> +{
> +	fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
> +	if (detail)
> +		fprintf(stderr, "%s:  %s\n", name, detail);
> +	exit(rc);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +	security_context_t usercon = NULL, cur_context = NULL;
> +	char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL;
> +	int ret, opt;
> +
> +	while ((opt = getopt(argc, argv, "l:r:")) > 0) {
> +		switch (opt) {
> +		case 'l':
> +			level = strdup(optarg);
> +			break;
> +		case 'r':
> +			role = strdup(optarg);
> +			break;
> +		default:
> +			usage(argv[0], "invalid option", 1);
> +		}
> +	}
> +
> +	if (((argc - optind) < 1) || ((argc - optind) > 2))
> +		usage(argv[0], "invalid number of arguments", 2);
> +
> +	/* If selinux isn't available, bail out. */
> +	if (!is_selinux_enabled()) {
> +		fprintf(stderr,
> +			"%s may be used only on a SELinux kernel.\n", argv[0]);
> +		return 1;
> +	}
> +
> +	user = argv[optind];
> +
> +	/* If a context wasn't passed, use the current context. */
> +	if (((argc - optind) < 2)) {
> +		if (getcon(&cur_context) < 0) {
> +			fprintf(stderr, "Couldn't get current context.\n");
> +			return 2;
> +		}
> +	} else
> +		cur_context = argv[optind + 1];
> +
> +	if (getseuserbyname(user, &seuser, &level)==0) {
> +		if (role != NULL && role[0]) 
> +			ret=get_default_context_with_rolelevel(seuser, role, level,cur_context,&usercon);
> +		else
> +			ret=get_default_context_with_level(seuser, level, cur_context,&usercon);
> +	}
> +	if (ret < 0)
> +		perror(argv[0]);
> +	else
> +		printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, cur_context, seuser, role, level, usercon);
> +
> +
> +	free(usercon);
> +
> +	return 0;
> +}
>   
I tried running this test program on RHEL 5 and 
get_default_context_with_level fails with "Invalid argument". I supplied 
a valid linux user name and verified that getseuserbyname returned 
'user_u' and  's0' for the user and level respectively. I did this 
because some other code which runs on fc6 where  I use 
get_default_context_with_level also failed with the same error when I 
ran it on RHEL 5.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Ted X Toth]

Ted X Toth wrote:
> Daniel J Walsh wrote:
>> getdefaultcon.c
>> ------------------------------------------------------------------------
>>
>> diff --exclude-from=exclude -N -u -r 
>> nsalibselinux/utils/getdefaultcon.c 
>> libselinux-1.33.4/utils/getdefaultcon.c
>> --- nsalibselinux/utils/getdefaultcon.c    1969-12-31 
>> 19:00:00.000000000 -0500
>> +++ libselinux-1.33.4/utils/getdefaultcon.c    2007-01-11 
>> 14:24:24.000000000 -0500
>> @@ -0,0 +1,75 @@
>> +#include <unistd.h>
>> +#include <sys/types.h>
>> +#include <fcntl.h>
>> +#include <stdio.h>
>> +#include <stdlib.h>
>> +#include <errno.h>
>> +#include <string.h>
>> +#include <ctype.h>
>> +#include <selinux/selinux.h>
>> +#include <selinux/get_context_list.h>
>> +
>> +void usage(char *name, char *detail, int rc)
>> +{
>> +    fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
>> +    if (detail)
>> +        fprintf(stderr, "%s:  %s\n", name, detail);
>> +    exit(rc);
>> +}
>> +
>> +int main(int argc, char **argv)
>> +{
>> +    security_context_t usercon = NULL, cur_context = NULL;
>> +    char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL;
>> +    int ret, opt;
>> +
>> +    while ((opt = getopt(argc, argv, "l:r:")) > 0) {
>> +        switch (opt) {
>> +        case 'l':
>> +            level = strdup(optarg);
>> +            break;
>> +        case 'r':
>> +            role = strdup(optarg);
>> +            break;
>> +        default:
>> +            usage(argv[0], "invalid option", 1);
>> +        }
>> +    }
>> +
>> +    if (((argc - optind) < 1) || ((argc - optind) > 2))
>> +        usage(argv[0], "invalid number of arguments", 2);
>> +
>> +    /* If selinux isn't available, bail out. */
>> +    if (!is_selinux_enabled()) {
>> +        fprintf(stderr,
>> +            "%s may be used only on a SELinux kernel.\n", argv[0]);
>> +        return 1;
>> +    }
>> +
>> +    user = argv[optind];
>> +
>> +    /* If a context wasn't passed, use the current context. */
>> +    if (((argc - optind) < 2)) {
>> +        if (getcon(&cur_context) < 0) {
>> +            fprintf(stderr, "Couldn't get current context.\n");
>> +            return 2;
>> +        }
>> +    } else
>> +        cur_context = argv[optind + 1];
>> +
>> +    if (getseuserbyname(user, &seuser, &level)==0) {
>> +        if (role != NULL && role[0]) +            
>> ret=get_default_context_with_rolelevel(seuser, role, 
>> level,cur_context,&usercon);
>> +        else
>> +            ret=get_default_context_with_level(seuser, level, 
>> cur_context,&usercon);
>> +    }
>> +    if (ret < 0)
>> +        perror(argv[0]);
>> +    else
>> +        printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, 
>> cur_context, seuser, role, level, usercon);
>> +
>> +
>> +    free(usercon);
>> +
>> +    return 0;
>> +}
>>   
> I tried running this test program on RHEL 5 and 
> get_default_context_with_level fails with "Invalid argument". I 
> supplied a valid linux user name and verified that getseuserbyname 
> returned 'user_u' and  's0' for the user and level respectively. I did 
> this because some other code which runs on fc6 where  I use 
> get_default_context_with_level also failed with the same error when I 
> ran it on RHEL 5.
>
I worked on figuring out exactly when this failure occurs and have 
narrowed it down to running MLS policy on rhel5 updated with LSPP rpms 
from Steve Grubbs repo. Here are the exact steps I took to get to the 
failure.

1) installed rhel5, test code succeeds
2) update from sgrubb repo . reboot. test code succeeds (mls policy not 
updated because it is not installed as part of rhel5)
3) install mls policy from sgrubb repo and reconfigure system to use it. 
reboot. test code fails

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 4021 bytes --]

Here's an strace log. A write to /selinux/context is failing, any idea why?

On 7/20/07, Ted X Toth <txtoth@gmail.com> wrote:
> Ted X Toth wrote:
> > Daniel J Walsh wrote:
> >> getdefaultcon.c
> >> ------------------------------------------------------------------------
> >>
> >> diff --exclude-from=exclude -N -u -r
> >> nsalibselinux/utils/getdefaultcon.c
> >> libselinux-1.33.4/utils/getdefaultcon.c
> >> --- nsalibselinux/utils/getdefaultcon.c    1969-12-31
> >> 19:00:00.000000000 -0500
> >> +++ libselinux-1.33.4/utils/getdefaultcon.c    2007-01-11
> >> 14:24:24.000000000 -0500
> >> @@ -0,0 +1,75 @@
> >> +#include <unistd.h>
> >> +#include <sys/types.h>
> >> +#include <fcntl.h>
> >> +#include <stdio.h>
> >> +#include <stdlib.h>
> >> +#include <errno.h>
> >> +#include <string.h>
> >> +#include <ctype.h>
> >> +#include <selinux/selinux.h>
> >> +#include <selinux/get_context_list.h>
> >> +
> >> +void usage(char *name, char *detail, int rc)
> >> +{
> >> +    fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
> >> +    if (detail)
> >> +        fprintf(stderr, "%s:  %s\n", name, detail);
> >> +    exit(rc);
> >> +}
> >> +
> >> +int main(int argc, char **argv)
> >> +{
> >> +    security_context_t usercon = NULL, cur_context = NULL;
> >> +    char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL;
> >> +    int ret, opt;
> >> +
> >> +    while ((opt = getopt(argc, argv, "l:r:")) > 0) {
> >> +        switch (opt) {
> >> +        case 'l':
> >> +            level = strdup(optarg);
> >> +            break;
> >> +        case 'r':
> >> +            role = strdup(optarg);
> >> +            break;
> >> +        default:
> >> +            usage(argv[0], "invalid option", 1);
> >> +        }
> >> +    }
> >> +
> >> +    if (((argc - optind) < 1) || ((argc - optind) > 2))
> >> +        usage(argv[0], "invalid number of arguments", 2);
> >> +
> >> +    /* If selinux isn't available, bail out. */
> >> +    if (!is_selinux_enabled()) {
> >> +        fprintf(stderr,
> >> +            "%s may be used only on a SELinux kernel.\n", argv[0]);
> >> +        return 1;
> >> +    }
> >> +
> >> +    user = argv[optind];
> >> +
> >> +    /* If a context wasn't passed, use the current context. */
> >> +    if (((argc - optind) < 2)) {
> >> +        if (getcon(&cur_context) < 0) {
> >> +            fprintf(stderr, "Couldn't get current context.\n");
> >> +            return 2;
> >> +        }
> >> +    } else
> >> +        cur_context = argv[optind + 1];
> >> +
> >> +    if (getseuserbyname(user, &seuser, &level)==0) {
> >> +        if (role != NULL && role[0]) +
> >> ret=get_default_context_with_rolelevel(seuser, role,
> >> level,cur_context,&usercon);
> >> +        else
> >> +            ret=get_default_context_with_level(seuser, level,
> >> cur_context,&usercon);
> >> +    }
> >> +    if (ret < 0)
> >> +        perror(argv[0]);
> >> +    else
> >> +        printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user,
> >> cur_context, seuser, role, level, usercon);
> >> +
> >> +
> >> +    free(usercon);
> >> +
> >> +    return 0;
> >> +}
> >>
> > I tried running this test program on RHEL 5 and
> > get_default_context_with_level fails with "Invalid argument". I
> > supplied a valid linux user name and verified that getseuserbyname
> > returned 'user_u' and  's0' for the user and level respectively. I did
> > this because some other code which runs on fc6 where  I use
> > get_default_context_with_level also failed with the same error when I
> > ran it on RHEL 5.
> >
> I worked on figuring out exactly when this failure occurs and have
> narrowed it down to running MLS policy on rhel5 updated with LSPP rpms
> from Steve Grubbs repo. Here are the exact steps I took to get to the
> failure.
>
> 1) installed rhel5, test code succeeds
> 2) update from sgrubb repo . reboot. test code succeeds (mls policy not
> updated because it is not installed as part of rhel5)
> 3) install mls policy from sgrubb repo and reconfigure system to use it.
> reboot. test code fails
>
> Ted
>

[-- Attachment #2: test1.log --]
[-- Type: text/x-log, Size: 9522 bytes --]

execve("./test1", ["./test1"], [/* 35 vars */]) = 0
brk(0)                                  = 0x837c000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fce000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=61046, ...}) = 0
mmap2(NULL, 61046, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fbf000
close(3)                                = 0
open("/lib/libselinux.so.1", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20e>\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=93512, ...}) = 0
mmap2(0x3e3000, 93016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3e3000
mmap2(0x3f8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15) = 0x3f8000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000o\21"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1576952, ...}) = 0
mmap2(0x101000, 1295780, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x216000
mmap2(0x34d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x137) = 0x34d000
mmap2(0x350000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x350000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0Pj\327\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=16528, ...}) = 0
mmap2(0xd76000, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xd76000
mmap2(0xd78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xd78000
close(3)                                = 0
open("/lib/libsepol.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\336"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=242880, ...}) = 0
mmap2(0x39b000, 286624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x39b000
mmap2(0x3d6000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3a) = 0x3d6000
mmap2(0x3d7000, 40864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3d7000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fbe000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fbd000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fbd6d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xd78000, 4096, PROT_READ)     = 0
mprotect(0x34d000, 8192, PROT_READ)     = 0
mprotect(0x397000, 4096, PROT_READ)     = 0
munmap(0xb7fbf000, 61046)               = 0
access("/etc/selinux/", F_OK)           = 0
brk(0)                                  = 0x837c000
brk(0x839d000)                          = 0x839d000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=508, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcd000
read(3, "# This file controls the state o"..., 4096) = 508
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7fcd000, 4096)                = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcd000
read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 4096) = 577
close(3)                                = 0
munmap(0xb7fcd000, 4096)                = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19)                        = 1
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\1\0\0\0", 4}, {"\1\0\0\0", 4}, {"\1\0\0\0", 4}, {"\0", 1}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 14
readv(3, [{"\1\0\0\0", 4}, {"\1\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"\0", 1}], 1)                = 1
close(3)                                = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19)                        = 1
close(3)                                = 0
open("/etc/selinux/mls/seusers", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcd000
read(3, "system_u:system_u:s0-s15:c0.c102"..., 4096) = 82
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7fcd000, 4096)                = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcd000
write(1, "user_u s0\n", 10)             = 10
gettid()                                = 2401
open("/proc/self/task/2401/attr/current", O_RDONLY|O_LARGEFILE) = 3
read(3, "root:sysadm_r:sysadm_t:s0\0", 4095) = 26
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\2\0\0\0", 4}, {"\32\0\0\0", 4}, {"\1\0\0\0", 4}, {"root:sysadm_r:sysadm_t:s0\0", 26}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 39
readv(3, [{"\2\0\0\0", 4}, {"!\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"root:sysadm_r:sysadm_t:SystemLow"..., 33}], 1) = 33
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\3\0\0\0", 4}, {"!\0\0\0", 4}, {"\1\0\0\0", 4}, {"root:sysadm_r:sysadm_t:SystemLow"..., 33}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 46
readv(3, [{"\3\0\0\0", 4}, {"\32\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"root:sysadm_r:sysadm_t:s0\0", 26}], 1) = 26
close(3)                                = 0
open("/selinux/user", O_RDWR|O_LARGEFILE) = 3
write(3, "root:sysadm_r:sysadm_t:s0 user_u", 32) = 32
read(3, "0\0", 4095)                    = 2
close(3)                                = 0
open("/etc/selinux/mls/contexts/failsafe_context", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcc000
read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
close(3)                                = 0
munmap(0xb7fcc000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\3\0\0\0", 4}, {"\34\0\0\0", 4}, {"\1\0\0\0", 4}, {"user_u:sysadm_r:sysadm_t:s0\0", 28}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 41
readv(3, [{"\3\0\0\0", 4}, {"\34\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"user_u:sysadm_r:sysadm_t:s0\0", 28}], 1) = 28
close(3)                                = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 3
write(3, "user_u:sysadm_r:sysadm_t:s0\0", 28) = -1 EINVAL (Invalid argument)
close(3)                                = 0
write(1, "-1 : default context (null) \n", 29) = 29
gettid()                                = 2401
open("/proc/self/task/2401/attr/current", O_RDONLY|O_LARGEFILE) = 3
read(3, "root:sysadm_r:sysadm_t:s0\0", 4095) = 26
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\3\0\0\0", 4}, {"\32\0\0\0", 4}, {"\1\0\0\0", 4}, {"root:sysadm_r:sysadm_t:s0\0", 26}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 39
readv(3, [{"\3\0\0\0", 4}, {"\32\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"root:sysadm_r:sysadm_t:s0\0", 26}], 1) = 26
close(3)                                = 0
open("/selinux/user", O_RDWR|O_LARGEFILE) = 3
write(3, "root:sysadm_r:sysadm_t:s0 user_u", 32) = 32
read(3, "0\0", 4095)                    = 2
close(3)                                = 0
open("/etc/selinux/mls/contexts/failsafe_context", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcc000
read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
close(3)                                = 0
munmap(0xb7fcc000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(5)=[{"\3\0\0\0", 4}, {"\34\0\0\0", 4}, {"\1\0\0\0", 4}, {"user_u:sysadm_r:sysadm_t:s0\0", 28}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 41
readv(3, [{"\3\0\0\0", 4}, {"\34\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(3, [{"user_u:sysadm_r:sysadm_t:s0\0", 28}], 1) = 28
close(3)                                = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 3
write(3, "user_u:sysadm_r:sysadm_t:s0\0", 28) = -1 EINVAL (Invalid argument)
close(3)                                = 0
write(1, "get_default_context_with_level f"..., 55) = 55
exit_group(55)                          = ?

Re: New test program for libselinux/utils that helped with testing MLS/Role/Level coding

[Stephen Smalley]

On Fri, 2007-07-20 at 09:18 -0500, Xavier Toth wrote:
> Here's an strace log. A write to /selinux/context is failing, any idea why?

It means the kernel rejected the context as being invalid, e.g. user not
authorized for role, role not authorized for type, user not authorized
for level, or any component not defined in policy.  You can emulate in
userspace via checkpolicy -d -b /etc/selinux/mls/policy/policy.20, and
run that under gdb to step through context_to_sid to see the precise
point at which it fails.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.