* [PATCH] selinuxfs to globally disable dontaudit rules
@ 2007-08-09 21:58 Eric Paris
2007-08-09 22:28 ` James Morris
From: Eric Paris @ 2007-08-09 21:58 UTC (permalink / raw)
To: selinux; +Cc: sds, jmorris, dwalsh
Currently, the best you can do to disable dontaudit rules is to load the
enableaudit.pp base policy, which still doesn't remove the dontaudit
rules from modules. This patch introduces a /selinux interface
"allaudit" which ignores dontaudit rules. (I'm open to suggestions for
a good name 'enabledisabledontaudit' seemed like a good name to me, but
I don't know if everyone would agree)
I decided to use the same security permission as setenforce and as a
result did a little bit of code merging in selinuxfs between enforcing
and allaudit.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 0e69adf..bfd979a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -117,6 +117,7 @@ struct avc_callback_node {
/* Exported via selinufs */
unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
+unsigned int selinux_allaudit = 0;
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
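Review bot: `selinux_allaudit` is declared `unsigned int` here (and as `extern unsigned int` in the avc.h hunk), but the selinuxfs helpers this patch introduces take `int *to_change` and are handed `&selinux_allaudit`, which is an incompatible pointer type that gcc warns about; the selinuxfs hunks also parse and print the value with `%d`. Declaring it `int selinux_allaudit = 0;` (and `extern int selinux_allaudit;` in avc.h) gives it the type the selinuxfs hunk already assumes for its sibling `selinux_enforcing` (`int old_value = selinux_enforcing;`). The definition also carries no comment saying what a non-zero value means; suggest `/* non-zero: ignore dontaudit rules, i.e. audit every denial; set via /selinux/allaudit or selinux_allaudit= */`.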
@@ -537,7 +538,7 @@ void avc_audit(u32 ssid, u32 tsid,
denied = requested & ~avd->allowed;
if (denied) {
audited = denied;
- if (!(audited & avd->auditdeny))
+ if (!(audited & avd->auditdeny) && !selinux_allaudit)
return;
} else if (result) {
audited = denied = requested;
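Review bot: The new `&& !selinux_allaudit` condition is the whole mechanism of the patch but carries no comment, so a reader of avc_audit has to find the selinuxfs code to learn why a global short-circuits the per-rule `auditdeny` mask. Suggest `/* dontaudit (auditdeny) rules are ignored while selinux_allaudit is set */` on the line above the test. The granted path (`else if (result)`) is untouched, so the flag only ever adds denial records and never suppresses any; that is worth stating in the same comment. avc_audit starts and ends outside the hunk.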
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index e145f6e..99b31ec 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,6 +130,7 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
/* Exported to selinuxfs */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;
+extern unsigned int selinux_allaudit;
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c9e92da..89f11b9 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -60,6 +60,14 @@ static int __init selinux_compat_net_setup(char *str)
__setup("selinux_compat_net=", selinux_compat_net_setup);
+static int __init selinux_allaudit_setup(char *str)
+{
+ selinux_allaudit = simple_strtoul(str,NULL,0) ? 1 : 0;
+ return 1;
+}
+__setup("selinux_allaudit=", selinux_allaudit_setup);
+
+
static DEFINE_MUTEX(sel_mutex);
/* global data for booleans */
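Review bot: `selinux_allaudit_setup` clamps the boot value to 0/1 (`? 1 : 0`), but the write path added later in this patch stores the parsed integer unchanged (`*to_change = new_value;`), so writing 5 to /selinux/allaudit leaves 5 in the variable and a later read reports 5; if 0/1 is the contract, normalise in `sel_write_allaudit` as well. The `__setup` is registered unconditionally while `sel_write_allaudit` exists only under `CONFIG_SECURITY_SELINUX_DEVELOP` (it is `#define`d to NULL otherwise), so unless an `#ifdef` outside this hunk covers it, a non-DEVELOP kernel can switch the mode on at boot but never off again at runtime; say whether that asymmetry is intended. The handler also lacks a comment; suggest `/* selinux_allaudit=<n>: boot-time equivalent of writing n to /selinux/allaudit */`.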
@@ -103,6 +111,7 @@ enum sel_inos {
SEL_MEMBER, /* compute polyinstantiation membership decision */
SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
SEL_COMPAT_NET, /* whether to use old compat network packet controls */
+ SEL_ALLAUDIT, /* globally disable donaudit */
SEL_INO_NEXT, /* The next inode number to use */
};
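Review bot: The comment on the new `SEL_ALLAUDIT` entry misspells the rule keyword (`donaudit`). The neighbouring entries describe their file in a full phrase, so `/* whether dontaudit rules are ignored (all denials audited) */` would fit the enum's style and be greppable for the term people will actually search for.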
@@ -114,19 +123,31 @@ static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
#define SEL_INO_MASK 0x00ffffff
#define TMPBUFLEN 12
-static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
- size_t count, loff_t *ppos)
+static ssize_t sel_read_generic(struct file *filp, char __user *buf,
+ size_t count, loff_t *ppos, int *to_change)
{
char tmpbuf[TMPBUFLEN];
ssize_t length;
- length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
+ length = scnprintf(tmpbuf, TMPBUFLEN, "%d", *to_change);
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}
+static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return sel_read_generic(filp, buf, count, ppos, &selinux_enforcing);
+}
+
+static ssize_t sel_read_allaudit(struct file *filp, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+ return sel_read_generic(filp, buf, count, ppos, &selinux_allaudit);
+}
+
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
- size_t count, loff_t *ppos)
+static ssize_t sel_write_enforce_generic(struct file * file, const char __user * buf,
+ size_t count, loff_t *ppos, int *to_change)
{
char *page;
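Review bot: `sel_read_generic` only reads through its last parameter, so the name `to_change` and the non-const `int *` misdescribe it; `const int *value` (and a name such as `sel_read_int`) would say what it does. Neither new helper has a comment; one line each, e.g. `/* Read helper for the single-integer files: prints *value in decimal */`, would help now that `sel_read_enforce` and `sel_read_allaudit` are one-line wrappers. `sel_write_enforce_generic` begins at the end of this hunk and its body continues in the next one.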
@@ -150,26 +171,58 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
if (sscanf(page, "%d", &new_value) != 1)
goto out;
- if (new_value != selinux_enforcing) {
+ if (new_value != *to_change) {
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
+ *to_change = new_value;
+ }
+ length = count;
+out:
+ free_page((unsigned long) page);
+ return length;
+}
+
+static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
+ size_t count, loff_t *ppos)
+
+{
+ int old_value = selinux_enforcing;
+
+ int rc = sel_write_enforce_generic(file, buf, count, ppos,
+ &selinux_enforcing);
+
+ if ((rc > 0) && (old_value != selinux_enforcing)) {
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u", new_value,
- selinux_enforcing,
+ "enforcing=%d old_enforcing=%d auid=%u",
+ selinux_enforcing, old_value,
audit_get_loginuid(current->audit_context));
- selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
selnl_notify_setenforce(selinux_enforcing);
}
- length = count;
-out:
- free_page((unsigned long) page);
- return length;
+ return rc;
+}
+
+static ssize_t sel_write_allaudit(struct file * file, const char __user * buf,
+ size_t count, loff_t *ppos)
+
+{
+ int old_value = selinux_allaudit;
+
+ int rc = sel_write_enforce_generic(file, buf, count, ppos,
+ &selinux_allaudit);
+
+ if ((rc > 0) && (old_value != selinux_allaudit))
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+ "allaudit=%d old_allaudit=%d auid=%u",
+ selinux_allaudit, old_value,
+ audit_get_loginuid(current->audit_context));
+ return rc;
}
#else
#define sel_write_enforce NULL
+#define sel_write_allaudit NULL
#endif
static const struct file_operations sel_enforce_ops = {
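Review bot: `sel_write_enforce` and `sel_write_allaudit` store the `ssize_t` returned by `sel_write_enforce_generic` in an `int rc` and then return it as `ssize_t` again; use `ssize_t rc = ...` in both so negative error codes and the byte count round-trip without a narrowing conversion. Now that the helper also serves allaudit, the name `sel_write_enforce_generic` is misleading; either rename it (`sel_write_setenforce_int`) or add a comment saying it is the shared writer for integer files guarded by `SECURITY__SETENFORCE`, and drop the stray blank line between each wrapper's parameter list and its `{`. The helper now assigns `*to_change` before the caller emits the audit record, so the old value is only recoverable from the caller's snapshot; a comment such as `/* snapshot before the write: the helper updates the variable in place */` above `int old_value = ...` would stop someone simplifying that away. `sel_write_enforce_generic` starts in the previous hunk.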
@@ -177,6 +230,11 @@ static const struct file_operations sel_enforce_ops = {
.write = sel_write_enforce,
};
+static const struct file_operations sel_allaudit_ops = {
+ .read = sel_read_allaudit,
+ .write = sel_write_allaudit,
+};
+
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static ssize_t sel_write_disable(struct file * file, const char __user * buf,
size_t count, loff_t *ppos)
@@ -1575,6 +1633,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
+ [SEL_ALLAUDIT] = {"allaudit", &sel_allaudit_ops, S_IRUGO|S_IWUSR},
/* last one */ {""}
};
ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-09 21:58 [PATCH] selinuxfs to globally disable dontaudit rules Eric Paris
@ 2007-08-09 22:28 ` James Morris
2007-08-10 0:14 ` Joshua Brindle
From: James Morris @ 2007-08-09 22:28 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, sds, dwalsh
On Thu, 9 Aug 2007, Eric Paris wrote:
> Currently to disable dontaudit rules best you can do it to load the
> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> rules from modules.
Are we sure this can't be done in userspace? Like, mangle all the
existing policy and reload it?
> This patch introduces a /selinux interface
> "allaudit" which ignores dontaudit rules. (I'm open to suggestions for
> a good name 'enabledisabledontaudit' seemed like a good name to me, but
> I don't know if everyone would agree)
'disable_dontaudit'
>
> I decided to use the same security permission as setenforce and as a
> result did a little bit of code merging in selinuxfs between enforcing
> and allaudit.
Please do this in a separate patch.
--
James Morris
<jmorris@namei.org>
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-09 22:28 ` James Morris
@ 2007-08-10 0:14 ` Joshua Brindle
2007-08-10 1:22 ` Joshua Brindle
From: Joshua Brindle @ 2007-08-10 0:14 UTC (permalink / raw)
To: James Morris; +Cc: Eric Paris, selinux, sds, dwalsh
James Morris wrote:
> On Thu, 9 Aug 2007, Eric Paris wrote:
>
>
>> Currently to disable dontaudit rules best you can do it to load the
>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>> rules from modules.
>>
>
> Are we sure this can't be done in userspace? Like, mangle all the
> existing policy and reload it?
>
>
I agree, the infrastructure is certainly in place to do it, just add
something in the sepol_handle that says dontaudits should be discarded,
then make an interface in libsemanage that uses that and rebuild the policy.
If no one beats me to it I will see if my conclusions about it being
fairly simple are accurate this weekend :)
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 0:14 ` Joshua Brindle
@ 2007-08-10 1:22 ` Joshua Brindle
2007-08-10 12:01 ` Stephen Smalley
2007-08-16 17:28 ` Stephen Smalley
From: Joshua Brindle @ 2007-08-10 1:22 UTC (permalink / raw)
To: James Morris; +Cc: Eric Paris, selinux, sds, dwalsh
Joshua Brindle wrote:
> James Morris wrote:
>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>
>>
>>> Currently to disable dontaudit rules best you can do it to load the
>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>>> rules from modules.
>>>
>>
>> Are we sure this can't be done in userspace? Like, mangle all the
>> existing policy and reload it?
>>
>>
> I agree, the infrastructure is certainly in place to do it, just add
> something in the sepol_handle that says dontaudits should be
> discarded, then make an interface in libsemanage that uses that and
> rebuild the policy.
>
> If noone beats me to it I will see if my conclusions about it being
> fairly simple are accurate this weekend :)
>
I changed my mind, patch below
it compiles and seems to work after semodule -DB:
[root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
dontaudit
TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
Type 0, Modified 0)
Added TE Rules: 0
Added TE Rules because of new type: 0
Removed TE Rules: 326583
Removed TE Rules because of missing type: 0
Modified TE Rules: 0
Index: libsemanage/include/semanage/handle.h
===================================================================
--- libsemanage/include/semanage/handle.h (revision 2511)
+++ libsemanage/include/semanage/handle.h (working copy)
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/* Set whether or not to disable dontaudits upon commit */
+void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
+
/* Check whether policy is managed via libsemanage on this system.
* Must be called prior to trying to connect.
* Return 1 if policy is managed via libsemanage on this system,
Index: libsemanage/src/libsemanage.map
===================================================================
--- libsemanage/src/libsemanage.map (revision 2511)
+++ libsemanage/src/libsemanage.map (working copy)
@@ -13,6 +13,6 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected;
+ semanage_is_connected; semanage_set_disable_dontaudit;
local: *;
};
Index: libsemanage/src/handle.c
===================================================================
--- libsemanage/src/handle.c (revision 2511)
+++ libsemanage/src/handle.c (working copy)
@@ -109,6 +109,14 @@
return;
}
+void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
+{
+ assert(sh != NULL);
+
+ sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+ return;
+}
+
int semanage_is_connected(semanage_handle_t * sh)
{
assert(sh != NULL);
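Review bot: `semanage_set_disable_dontaudit` ends with a bare `return;` in a void function, which nothing requires; drop it. It also dereferences `sh->sepolh` with only the `assert(sh != NULL)` guard, which disappears under NDEBUG; if the sepol handle can be unset at this point in the handle's lifetime, check it here, otherwise document in the header that the call is valid on any created handle. A short comment mirroring the header text, e.g. `/* Forwarded to libsepol; honoured by the next policy expansion */`, would help the next reader.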
Index: libsepol/include/sepol/handle.h
===================================================================
--- libsepol/include/sepol/handle.h (revision 2511)
+++ libsepol/include/sepol/handle.h (working copy)
@@ -7,6 +7,10 @@
/* Create and return a sepol handle. */
sepol_handle_t *sepol_handle_create(void);
+/* Set whether or not to disable dontaudits, 0 is default and does
+ * not disable dontaudits, 1 disables them */
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+
/* Destroy a sepol handle. */
void sepol_handle_destroy(sepol_handle_t *);
Index: libsepol/src/handle.h
===================================================================
--- libsepol/src/handle.h (revision 2511)
+++ libsepol/src/handle.h (working copy)
@@ -14,6 +14,9 @@
void (*msg_callback) (void *varg,
sepol_handle_t * handle, const char *fmt, ...);
void *msg_callback_arg;
+
+ int disable_dontaudit;
+
};
#endif
Index: libsepol/src/libsepol.map
===================================================================
--- libsepol/src/libsepol.map (revision 2511)
+++ libsepol/src/libsepol.map (working copy)
@@ -12,5 +12,6 @@
sepol_policydb_*; sepol_set_policydb_from_file;
sepol_policy_kern_*;
sepol_policy_file_*;
+ sepol_set_disable_dontaudit;
local: *;
};
Index: libsepol/src/expand.c
===================================================================
--- libsepol/src/expand.c (revision 2511)
+++ libsepol/src/expand.c (working copy)
@@ -1367,6 +1367,8 @@
} else if (specified & AVRULE_AUDITDENY) {
spec = AVTAB_AUDITDENY;
} else if (specified & AVRULE_DONTAUDIT) {
+ if (handle->disable_dontaudit)
+ return EXPAND_RULE_SUCCESS;
spec = AVTAB_AUDITDENY;
} else if (specified & AVRULE_NEVERALLOW) {
spec = AVTAB_NEVERALLOW;
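Review bot: The new test dereferences `handle` unconditionally; if this expansion path can be entered with a NULL handle, as libsepol's message macros tolerate, the check should be `if (handle && handle->disable_dontaudit)`, otherwise a comment stating that `handle` is non-NULL here settles the question. Returning `EXPAND_RULE_SUCCESS` silently drops the rule without any trace; a one-line comment, `/* with disable_dontaudit set, dontaudit rules are dropped from the expanded policy */`, makes the intent visible at the point where the rule disappears. The enclosing function starts and ends outside the hunk.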
Index: libsepol/src/handle.c
===================================================================
--- libsepol/src/handle.c (revision 2511)
+++ libsepol/src/handle.c (working copy)
@@ -1,4 +1,5 @@
#include <stdlib.h>
+#include <assert.h>
#include "handle.h"
#include "debug.h"
@@ -13,9 +14,18 @@
sh->msg_callback = sepol_msg_default_handler;
sh->msg_callback_arg = NULL;
+ /* by default do not disable dontaudits */
+ sh->disable_dontaudit = 0;
+
return sh;
}
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
+{
+ assert(sh !=NULL);
+ sh->disable_dontaudit = disable_dontaudit;
+}
+
void sepol_handle_destroy(sepol_handle_t * sh)
{
free(sh);
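Review bot: `assert(sh !=NULL)` has inconsistent spacing; write `assert(sh != NULL);` as the libsemanage counterpart in this patch does. Since the public header promises 0/1 semantics, storing `disable_dontaudit ? 1 : 0` keeps the field canonical for any future code that compares it rather than tests it. The setter has no comment; repeating the header's one-liner above the definition would match its declaration.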
Index: policycoreutils/semodule/semodule.c
===================================================================
--- policycoreutils/semodule/semodule.c (revision 2511)
+++ policycoreutils/semodule/semodule.c (working copy)
@@ -44,6 +44,7 @@
static int no_reload;
static int create_store;
static int build;
+static int disable_dontaudit;
static semanage_handle_t *sh = NULL;
static char *store;
@@ -131,6 +132,7 @@
printf(" -n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
+ printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
}
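Review bot: The new help line `-D,--disable_dontaudit Remove dontaudits from policy` capitalises its description while every neighbouring option uses a lowercase verb, and it does not say when the removal happens. The option only sets a flag that is handed to libsemanage just before `semanage_commit` (the `@@ -441,6 +447,8 @@` hunk), and the check lives in policy expansion, so it presumably takes effect only on a commit that rebuilds the policy, which is why the test in this message ran `semodule -DB`. Suggest `printf(" -D,--disable_dontaudit remove dontaudit rules from the rebuilt policy (use with -B)\n");`.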
/* Sets the global mode variable to new_mode, but only if no other
@@ -173,6 +175,7 @@
{"reload", 0, NULL, 'R'},
{"noreload", 0, NULL, 'n'},
{"build", 0, NULL, 'B'},
+ {"disable_dontaudit", 0, NULL, 'D'},
{NULL, 0, NULL, 0}
};
int i;
@@ -181,7 +184,7 @@
no_reload = 0;
create_store = 0;
while ((i =
- getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
+ getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -218,6 +221,9 @@
case 'B':
build = 1;
break;
+ case 'D':
+ disable_dontaudit = 1;
+ break;
case '?':
default:{
usage(argv[0]);
@@ -441,6 +447,8 @@
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (disable_dontaudit)
+ semanage_set_disable_dontaudit(sh, 1);
result = semanage_commit(sh);
}
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 1:22 ` Joshua Brindle
@ 2007-08-10 12:01 ` Stephen Smalley
2007-08-10 15:29 ` Daniel J Walsh
2007-08-16 17:28 ` Stephen Smalley
From: Stephen Smalley @ 2007-08-10 12:01 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > James Morris wrote:
> >> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>
> >>
> >>> Currently to disable dontaudit rules best you can do it to load the
> >>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> >>> rules from modules.
> >>>
> >>
> >> Are we sure this can't be done in userspace? Like, mangle all the
> >> existing policy and reload it?
> >>
> >>
> > I agree, the infrastructure is certainly in place to do it, just add
> > something in the sepol_handle that says dontaudits should be
> > discarded, then make an interface in libsemanage that uses that and
> > rebuild the policy.
> >
> > If noone beats me to it I will see if my conclusions about it being
> > fairly simple are accurate this weekend :)
> >
>
> I changed my mind, patch below
>
> it compiles and seems to work after semodule -DB:
Hmm...doing it this way means that the "disable_dontaudit" behavior
won't persist across subsequent policy changes, so if I e.g. then change
a boolean persistently, I'll get back all of the dontaudit rules too.
Is that what you want, or do you want this flag saved in the policy
module store and settable/clearable via semanage to be applied to all
subsequent policy builds?
>
> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> dontaudit
> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> Type 0, Modified 0)
> Added TE Rules: 0
> Added TE Rules because of new type: 0
> Removed TE Rules: 326583
> Removed TE Rules because of missing type: 0
> Modified TE Rules: 0
>
> Index: libsemanage/include/semanage/handle.h
> ===================================================================
> --- libsemanage/include/semanage/handle.h (revision 2511)
> +++ libsemanage/include/semanage/handle.h (working copy)
> @@ -69,6 +69,9 @@
> * 1 for yes, 0 for no (default) */
> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>
> +/* Set whether or not to disable dontaudits upon commit */
> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> +
> /* Check whether policy is managed via libsemanage on this system.
> * Must be called prior to trying to connect.
> * Return 1 if policy is managed via libsemanage on this system,
> Index: libsemanage/src/libsemanage.map
> ===================================================================
> --- libsemanage/src/libsemanage.map (revision 2511)
> +++ libsemanage/src/libsemanage.map (working copy)
> @@ -13,6 +13,6 @@
> semanage_iface_*; semanage_port_*; semanage_context_*;
> semanage_node_*;
> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> - semanage_is_connected;
> + semanage_is_connected; semanage_set_disable_dontaudit;
> local: *;
> };
> Index: libsemanage/src/handle.c
> ===================================================================
> --- libsemanage/src/handle.c (revision 2511)
> +++ libsemanage/src/handle.c (working copy)
> @@ -109,6 +109,14 @@
> return;
> }
>
> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> +{
> + assert(sh != NULL);
> +
> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> + return;
> +}
> +
> int semanage_is_connected(semanage_handle_t * sh)
> {
> assert(sh != NULL);
> Index: libsepol/include/sepol/handle.h
> ===================================================================
> --- libsepol/include/sepol/handle.h (revision 2511)
> +++ libsepol/include/sepol/handle.h (working copy)
> @@ -7,6 +7,10 @@
> /* Create and return a sepol handle. */
> sepol_handle_t *sepol_handle_create(void);
>
> +/* Set whether or not to disable dontaudits, 0 is default and does
> + * not disable dontaudits, 1 disables them */
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> +
> /* Destroy a sepol handle. */
> void sepol_handle_destroy(sepol_handle_t *);
>
> Index: libsepol/src/handle.h
> ===================================================================
> --- libsepol/src/handle.h (revision 2511)
> +++ libsepol/src/handle.h (working copy)
> @@ -14,6 +14,9 @@
> void (*msg_callback) (void *varg,
> sepol_handle_t * handle, const char *fmt, ...);
> void *msg_callback_arg;
> +
> + int disable_dontaudit;
> +
> };
>
> #endif
> Index: libsepol/src/libsepol.map
> ===================================================================
> --- libsepol/src/libsepol.map (revision 2511)
> +++ libsepol/src/libsepol.map (working copy)
> @@ -12,5 +12,6 @@
> sepol_policydb_*; sepol_set_policydb_from_file;
> sepol_policy_kern_*;
> sepol_policy_file_*;
> + sepol_set_disable_dontaudit;
> local: *;
> };
> Index: libsepol/src/expand.c
> ===================================================================
> --- libsepol/src/expand.c (revision 2511)
> +++ libsepol/src/expand.c (working copy)
> @@ -1367,6 +1367,8 @@
> } else if (specified & AVRULE_AUDITDENY) {
> spec = AVTAB_AUDITDENY;
> } else if (specified & AVRULE_DONTAUDIT) {
> + if (handle->disable_dontaudit)
> + return EXPAND_RULE_SUCCESS;
> spec = AVTAB_AUDITDENY;
> } else if (specified & AVRULE_NEVERALLOW) {
> spec = AVTAB_NEVERALLOW;
> Index: libsepol/src/handle.c
> ===================================================================
> --- libsepol/src/handle.c (revision 2511)
> +++ libsepol/src/handle.c (working copy)
> @@ -1,4 +1,5 @@
> #include <stdlib.h>
> +#include <assert.h>
> #include "handle.h"
> #include "debug.h"
>
> @@ -13,9 +14,18 @@
> sh->msg_callback = sepol_msg_default_handler;
> sh->msg_callback_arg = NULL;
>
> + /* by default do not disable dontaudits */
> + sh->disable_dontaudit = 0;
> +
> return sh;
> }
>
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> +{
> + assert(sh !=NULL);
> + sh->disable_dontaudit = disable_dontaudit;
> +}
> +
> void sepol_handle_destroy(sepol_handle_t * sh)
> {
> free(sh);
> Index: policycoreutils/semodule/semodule.c
> ===================================================================
> --- policycoreutils/semodule/semodule.c (revision 2511)
> +++ policycoreutils/semodule/semodule.c (working copy)
> @@ -44,6 +44,7 @@
> static int no_reload;
> static int create_store;
> static int build;
> +static int disable_dontaudit;
>
> static semanage_handle_t *sh = NULL;
> static char *store;
> @@ -131,6 +132,7 @@
> printf(" -n,--noreload do not reload policy after commit\n");
> printf(" -h,--help print this message and quit\n");
> printf(" -v,--verbose be verbose\n");
> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
> }
>
> /* Sets the global mode variable to new_mode, but only if no other
> @@ -173,6 +175,7 @@
> {"reload", 0, NULL, 'R'},
> {"noreload", 0, NULL, 'n'},
> {"build", 0, NULL, 'B'},
> + {"disable_dontaudit", 0, NULL, 'D'},
> {NULL, 0, NULL, 0}
> };
> int i;
> @@ -181,7 +184,7 @@
> no_reload = 0;
> create_store = 0;
> while ((i =
> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> NULL)) != -1) {
> switch (i) {
> case 'b':
> @@ -218,6 +221,9 @@
> case 'B':
> build = 1;
> break;
> + case 'D':
> + disable_dontaudit = 1;
> + break;
> case '?':
> default:{
> usage(argv[0]);
> @@ -441,6 +447,8 @@
> semanage_set_reload(sh, 0);
> if (build)
> semanage_set_rebuild(sh, 1);
> + if (disable_dontaudit)
> + semanage_set_disable_dontaudit(sh, 1);
> result = semanage_commit(sh);
> }
>
>
>
--
Stephen Smalley
National Security Agency
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 12:01 ` Stephen Smalley
@ 2007-08-10 15:29 ` Daniel J Walsh
2007-08-10 15:58 ` Joshua Brindle
From: Daniel J Walsh @ 2007-08-10 15:29 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Joshua Brindle, James Morris, Eric Paris, selinux
Stephen Smalley wrote:
> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>
>> Joshua Brindle wrote:
>>
>>> James Morris wrote:
>>>
>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>
>>>>
>>>>
>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>>>>> rules from modules.
>>>>>
>>>>>
>>>> Are we sure this can't be done in userspace? Like, mangle all the
>>>> existing policy and reload it?
>>>>
>>>>
>>>>
>>> I agree, the infrastructure is certainly in place to do it, just add
>>> something in the sepol_handle that says dontaudits should be
>>> discarded, then make an interface in libsemanage that uses that and
>>> rebuild the policy.
>>>
>>> If noone beats me to it I will see if my conclusions about it being
>>> fairly simple are accurate this weekend :)
>>>
>>>
>> I changed my mind, patch below
>>
>> it compiles and seems to work after semodule -DB:
>>
>
> Hmm...doing it this way means that the "disable_dontaudit" behavior
> won't persist across subsequent policy changes, so if I e.g. then change
> a boolean persistently, I'll get back all of the dontaudit rules too.
>
> Is that what you want, or do you want this flag saved in the policy
> module store and settable/clearable via semanage to be applied to all
> subsequent policy builds?
>
>
This looks great but it needs to survive a policy rebuild as Stephen says.
>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>> dontaudit
>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>> Type 0, Modified 0)
>> Added TE Rules: 0
>> Added TE Rules because of new type: 0
>> Removed TE Rules: 326583
>> Removed TE Rules because of missing type: 0
>> Modified TE Rules: 0
>>
>> Index: libsemanage/include/semanage/handle.h
>> ===================================================================
>> --- libsemanage/include/semanage/handle.h (revision 2511)
>> +++ libsemanage/include/semanage/handle.h (working copy)
>> @@ -69,6 +69,9 @@
>> * 1 for yes, 0 for no (default) */
>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>
>> +/* Set whether or not to disable dontaudits upon commit */
>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>> +
>> /* Check whether policy is managed via libsemanage on this system.
>> * Must be called prior to trying to connect.
>> * Return 1 if policy is managed via libsemanage on this system,
>> Index: libsemanage/src/libsemanage.map
>> ===================================================================
>> --- libsemanage/src/libsemanage.map (revision 2511)
>> +++ libsemanage/src/libsemanage.map (working copy)
>> @@ -13,6 +13,6 @@
>> semanage_iface_*; semanage_port_*; semanage_context_*;
>> semanage_node_*;
>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>> - semanage_is_connected;
>> + semanage_is_connected; semanage_set_disable_dontaudit;
>> local: *;
>> };
>> Index: libsemanage/src/handle.c
>> ===================================================================
>> --- libsemanage/src/handle.c (revision 2511)
>> +++ libsemanage/src/handle.c (working copy)
>> @@ -109,6 +109,14 @@
>> return;
>> }
>>
>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>> +{
>> + assert(sh != NULL);
>> +
>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> + return;
>> +}
>> +
>> int semanage_is_connected(semanage_handle_t * sh)
>> {
>> assert(sh != NULL);
>> Index: libsepol/include/sepol/handle.h
>> ===================================================================
>> --- libsepol/include/sepol/handle.h (revision 2511)
>> +++ libsepol/include/sepol/handle.h (working copy)
>> @@ -7,6 +7,10 @@
>> /* Create and return a sepol handle. */
>> sepol_handle_t *sepol_handle_create(void);
>>
>> +/* Set whether or not to disable dontaudits, 0 is default and does
>> + * not disable dontaudits, 1 disables them */
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>> +
>> /* Destroy a sepol handle. */
>> void sepol_handle_destroy(sepol_handle_t *);
>>
>> Index: libsepol/src/handle.h
>> ===================================================================
>> --- libsepol/src/handle.h (revision 2511)
>> +++ libsepol/src/handle.h (working copy)
>> @@ -14,6 +14,9 @@
>> void (*msg_callback) (void *varg,
>> sepol_handle_t * handle, const char *fmt, ...);
>> void *msg_callback_arg;
>> +
>> + int disable_dontaudit;
>> +
>> };
>>
>> #endif
>> Index: libsepol/src/libsepol.map
>> ===================================================================
>> --- libsepol/src/libsepol.map (revision 2511)
>> +++ libsepol/src/libsepol.map (working copy)
>> @@ -12,5 +12,6 @@
>> sepol_policydb_*; sepol_set_policydb_from_file;
>> sepol_policy_kern_*;
>> sepol_policy_file_*;
>> + sepol_set_disable_dontaudit;
>> local: *;
>> };
>> Index: libsepol/src/expand.c
>> ===================================================================
>> --- libsepol/src/expand.c (revision 2511)
>> +++ libsepol/src/expand.c (working copy)
>> @@ -1367,6 +1367,8 @@
>> } else if (specified & AVRULE_AUDITDENY) {
>> spec = AVTAB_AUDITDENY;
>> } else if (specified & AVRULE_DONTAUDIT) {
>> + if (handle->disable_dontaudit)
>> + return EXPAND_RULE_SUCCESS;
>> spec = AVTAB_AUDITDENY;
>> } else if (specified & AVRULE_NEVERALLOW) {
>> spec = AVTAB_NEVERALLOW;
>> Index: libsepol/src/handle.c
>> ===================================================================
>> --- libsepol/src/handle.c (revision 2511)
>> +++ libsepol/src/handle.c (working copy)
>> @@ -1,4 +1,5 @@
>> #include <stdlib.h>
>> +#include <assert.h>
>> #include "handle.h"
>> #include "debug.h"
>>
>> @@ -13,9 +14,18 @@
>> sh->msg_callback = sepol_msg_default_handler;
>> sh->msg_callback_arg = NULL;
>>
>> + /* by default do not disable dontaudits */
>> + sh->disable_dontaudit = 0;
>> +
>> return sh;
>> }
>>
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>> +{
>> + assert(sh !=NULL);
>> + sh->disable_dontaudit = disable_dontaudit;
>> +}
>> +
>> void sepol_handle_destroy(sepol_handle_t * sh)
>> {
>> free(sh);
>> Index: policycoreutils/semodule/semodule.c
>> ===================================================================
>> --- policycoreutils/semodule/semodule.c (revision 2511)
>> +++ policycoreutils/semodule/semodule.c (working copy)
>> @@ -44,6 +44,7 @@
>> static int no_reload;
>> static int create_store;
>> static int build;
>> +static int disable_dontaudit;
>>
>> static semanage_handle_t *sh = NULL;
>> static char *store;
>> @@ -131,6 +132,7 @@
>> printf(" -n,--noreload do not reload policy after commit\n");
>> printf(" -h,--help print this message and quit\n");
>> printf(" -v,--verbose be verbose\n");
>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
>> }
>>
>> /* Sets the global mode variable to new_mode, but only if no other
>> @@ -173,6 +175,7 @@
>> {"reload", 0, NULL, 'R'},
>> {"noreload", 0, NULL, 'n'},
>> {"build", 0, NULL, 'B'},
>> + {"disable_dontaudit", 0, NULL, 'D'},
>> {NULL, 0, NULL, 0}
>> };
>> int i;
>> @@ -181,7 +184,7 @@
>> no_reload = 0;
>> create_store = 0;
>> while ((i =
>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>> NULL)) != -1) {
>> switch (i) {
>> case 'b':
>> @@ -218,6 +221,9 @@
>> case 'B':
>> build = 1;
>> break;
>> + case 'D':
>> + disable_dontaudit = 1;
>> + break;
>> case '?':
>> default:{
>> usage(argv[0]);
>> @@ -441,6 +447,8 @@
>> semanage_set_reload(sh, 0);
>> if (build)
>> semanage_set_rebuild(sh, 1);
>> + if (disable_dontaudit)
>> + semanage_set_disable_dontaudit(sh, 1);
>> result = semanage_commit(sh);
>> }
>>
>>
>>
>>
--
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 15:29 ` Daniel J Walsh
@ 2007-08-10 15:58 ` Joshua Brindle
2007-08-10 18:16 ` Daniel J Walsh
0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-10 15:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>
>>> Joshua Brindle wrote:
>>>
>>>> James Morris wrote:
>>>>
>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>> enableaudit.pp base policy. Which still doesn't remove the
>>>>>> dontaudit
>>>>>> rules from modules.
>>>>>>
>>>>> Are we sure this can't be done in userspace? Like, mangle all the
>>>>> existing policy and reload it?
>>>>>
>>>>>
>>>> I agree, the infrastructure is certainly in place to do it, just
>>>> add something in the sepol_handle that says dontaudits should be
>>>> discarded, then make an interface in libsemanage that uses that and
>>>> rebuild the policy.
>>>>
>>>> If noone beats me to it I will see if my conclusions about it being
>>>> fairly simple are accurate this weekend :)
>>>>
>>>>
>>> I changed my mind, patch below
>>>
>>> it compiles and seems to work after semodule -DB:
>>>
>>
>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>> won't persist across subsequent policy changes, so if I e.g. then change
>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>
>> Is that what you want, or do you want this flag saved in the policy
>> module store and settable/clearable via semanage to be applied to all
>> subsequent policy builds?
>>
>>
> This looks great but it needs to survive a policy rebuild as Stephen
> says.
>
Hrm... I'm trying to figure out if that is really the behavior we want.
The purpose of this was to let someone get some denials from (possibly)
dontaudits hiding behavior. After switching dontaudits off the user will
generate a module with the rules and insert it. Assuming they exercised
enough of the app he won't want the dontaudits off anymore and will
happily go about running the app. Are there other use cases where
dontaudits should be persistently disabled?
If dontaudits are to be persistently disabled I'd rather do it in the
kernel with eric's patch, mainly because eric's will at least only
persist until reboot whereas if I added something to libsemanage to make
it persist it would last across reboots.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 15:58 ` Joshua Brindle
@ 2007-08-10 18:16 ` Daniel J Walsh
2007-08-13 23:27 ` Joshua Brindle
0 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-10 18:16 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>
>>>> Joshua Brindle wrote:
>>>>
>>>>> James Morris wrote:
>>>>>
>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>> enableaudit.pp base policy. Which still doesn't remove the
>>>>>>> dontaudit
>>>>>>> rules from modules.
>>>>>>>
>>>>>> Are we sure this can't be done in userspace? Like, mangle all
>>>>>> the existing policy and reload it?
>>>>>>
>>>>>>
>>>>> I agree, the infrastructure is certainly in place to do it, just
>>>>> add something in the sepol_handle that says dontaudits should be
>>>>> discarded, then make an interface in libsemanage that uses that
>>>>> and rebuild the policy.
>>>>>
>>>>> If noone beats me to it I will see if my conclusions about it
>>>>> being fairly simple are accurate this weekend :)
>>>>>
>>>>>
>>>> I changed my mind, patch below
>>>>
>>>> it compiles and seems to work after semodule -DB:
>>>>
>>>
>>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>>> won't persist across subsequent policy changes, so if I e.g. then
>>> change
>>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>>
>>> Is that what you want, or do you want this flag saved in the policy
>>> module store and settable/clearable via semanage to be applied to all
>>> subsequent policy builds?
>>>
>>>
>> This looks great but it needs to survive a policy rebuild as Stephen
>> says.
>>
>
> Hrm... I'm trying to figure out if that is really the behavior we
> want. The purpose of this was to let someone get some denials from
> (possibly) dontaudits hiding behavior. After switching dontaudits off
> the user will generate a module with the rules and insert it. Assuming
> they exercised enough of the app he won't want the dontaudits off
> anymore and will happily go about running the app. Are there other use
> cases where dontaudits should be persistently disabled?
>
> If dontaudits are to be persistently disabled I'd rather do it in the
> kernel with eric's patch, mainly because eric's will at least only
> persist until reboot whereas if I added something to libsemanage to
> make it persist it would last across reboots.
>
Actually I was thinking of the case where you would put a setsebool in
an init script and you might want to boot with enableaudit and this
would replace it, but you wouldn't put a setsebool -P in an init script,
so this is not a problem. I would guess we would just have to document
that this is to temporarily disable dontaudit rules, until the next time
the policy is rebuilt.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 18:16 ` Daniel J Walsh
@ 2007-08-13 23:27 ` Joshua Brindle
0 siblings, 0 replies; 22+ messages in thread
From: Joshua Brindle @ 2007-08-13 23:27 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> Stephen Smalley wrote:
>>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>>
>>>>> Joshua Brindle wrote:
>>>>>
>>>>>> James Morris wrote:
>>>>>>
>>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Currently to disable dontaudit rules best you can do it to load
>>>>>>>> the
>>>>>>>> enableaudit.pp base policy. Which still doesn't remove the
>>>>>>>> dontaudit
>>>>>>>> rules from modules.
>>>>>>>>
>>>>>>> Are we sure this can't be done in userspace? Like, mangle all
>>>>>>> the existing policy and reload it?
>>>>>>>
>>>>>>>
>>>>>> I agree, the infrastructure is certainly in place to do it, just
>>>>>> add something in the sepol_handle that says dontaudits should be
>>>>>> discarded, then make an interface in libsemanage that uses that
>>>>>> and rebuild the policy.
>>>>>>
>>>>>> If noone beats me to it I will see if my conclusions about it
>>>>>> being fairly simple are accurate this weekend :)
>>>>>>
>>>>>>
>>>>> I changed my mind, patch below
>>>>>
>>>>> it compiles and seems to work after semodule -DB:
>>>>>
>>>>
>>>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>>>> won't persist across subsequent policy changes, so if I e.g. then
>>>> change
>>>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>>>
>>>> Is that what you want, or do you want this flag saved in the policy
>>>> module store and settable/clearable via semanage to be applied to all
>>>> subsequent policy builds?
>>>>
>>>>
>>> This looks great but it needs to survive a policy rebuild as Stephen
>>> says.
>>>
>>
>> Hrm... I'm trying to figure out if that is really the behavior we
>> want. The purpose of this was to let someone get some denials from
>> (possibly) dontaudits hiding behavior. After switching dontaudits off
>> the user will generate a module with the rules and insert it.
>> Assuming they exercised enough of the app he won't want the
>> dontaudits off anymore and will happily go about running the app. Are
>> there other use cases where dontaudits should be persistently disabled?
>>
>> If dontaudits are to be persistently disabled I'd rather do it in the
>> kernel with eric's patch, mainly because eric's will at least only
>> persist until reboot whereas if I added something to libsemanage to
>> make it persist it would last across reboots.
>>
> Actually I was thinking of the case where you would put an setsebool
> in an init script and you might want to boot with enableaudit and this
> would replace it, but you wouldn't put a setsebool -P in an init
> script, so this is not a problem. I would guess we would just have to
> document that this is to temporarily disable dontaudit rules, until
> the next time the policy is rebuilt.
So is there any consensus on which approach we want to go with? We have:
1) use conditionals, doesn't work with third party modules, could have
mistakes where dontaudits aren't in conditionals, etc
2) use the kernel patch from Eric, makes it easier to turn it on and off
without rebuilding/reloading policy, faster and some people worried
about policy modification would be happier.
3) use my patch and do it from userland, puts the complexity in
userspace, modifies the on-disk policy (persistent across reboots if
policy isn't rebuilt without the option, slower to use, not persistent
across any operations that rebuild policy such as persistent boolean
changes, etc).
I'm split between 2 and 3; both have advantages and disadvantages.
Does anyone else want to weigh in with their opinion?
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-10 1:22 ` Joshua Brindle
2007-08-10 12:01 ` Stephen Smalley
@ 2007-08-16 17:28 ` Stephen Smalley
2007-08-16 17:45 ` Joshua Brindle
1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 17:28 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > James Morris wrote:
> >> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>
> >>
> >>> Currently to disable dontaudit rules best you can do it to load the
> >>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> >>> rules from modules.
> >>>
> >>
> >> Are we sure this can't be done in userspace? Like, mangle all the
> >> existing policy and reload it?
> >>
> >>
> > I agree, the infrastructure is certainly in place to do it, just add
> > something in the sepol_handle that says dontaudits should be
> > discarded, then make an interface in libsemanage that uses that and
> > rebuild the policy.
> >
> > If noone beats me to it I will see if my conclusions about it being
> > fairly simple are accurate this weekend :)
> >
>
> I changed my mind, patch below
>
> it compiles and seems to work after semodule -DB:
>
> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> dontaudit
> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> Type 0, Modified 0)
> Added TE Rules: 0
> Added TE Rules because of new type: 0
> Removed TE Rules: 326583
> Removed TE Rules because of missing type: 0
> Modified TE Rules: 0
>
> Index: libsemanage/include/semanage/handle.h
> ===================================================================
> --- libsemanage/include/semanage/handle.h (revision 2511)
> +++ libsemanage/include/semanage/handle.h (working copy)
> @@ -69,6 +69,9 @@
> * 1 for yes, 0 for no (default) */
> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>
> +/* Set whether or not to disable dontaudits upon commit */
> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> +
> /* Check whether policy is managed via libsemanage on this system.
> * Must be called prior to trying to connect.
> * Return 1 if policy is managed via libsemanage on this system,
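Review bot: The new comment `/* Set whether or not to disable dontaudits upon commit */` is thinner than the matching libsepol header comment in the same patch, which states the 0/1 values and the default, and it says nothing about the point raised earlier in this thread that the setting is not stored and is lost on the next rebuild done without it. Since libsemanage is the interface applications will call, I would align it: `/* Set whether dontaudit rules are dropped from the policy built on commit: 0 (default) keeps them, 1 removes them. Not stored; a later rebuild without this flag restores them. */`. The same hunk is quoted again at `@@ -69,6 +69,9 @@` in the later replies.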
> Index: libsemanage/src/libsemanage.map
> ===================================================================
> --- libsemanage/src/libsemanage.map (revision 2511)
> +++ libsemanage/src/libsemanage.map (working copy)
> @@ -13,6 +13,6 @@
> semanage_iface_*; semanage_port_*; semanage_context_*;
> semanage_node_*;
> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> - semanage_is_connected;
> + semanage_is_connected; semanage_set_disable_dontaudit;
> local: *;
> };
> Index: libsemanage/src/handle.c
> ===================================================================
> --- libsemanage/src/handle.c (revision 2511)
> +++ libsemanage/src/handle.c (working copy)
> @@ -109,6 +109,14 @@
> return;
> }
>
> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> +{
> + assert(sh != NULL);
> +
> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> + return;
> +}
> +
> int semanage_is_connected(semanage_handle_t * sh)
> {
> assert(sh != NULL);
> Index: libsepol/include/sepol/handle.h
> ===================================================================
> --- libsepol/include/sepol/handle.h (revision 2511)
> +++ libsepol/include/sepol/handle.h (working copy)
> @@ -7,6 +7,10 @@
> /* Create and return a sepol handle. */
> sepol_handle_t *sepol_handle_create(void);
>
> +/* Set whether or not to disable dontaudits, 0 is default and does
> + * not disable dontaudits, 1 disables them */
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> +
> /* Destroy a sepol handle. */
> void sepol_handle_destroy(sepol_handle_t *);
>
> Index: libsepol/src/handle.h
> ===================================================================
> --- libsepol/src/handle.h (revision 2511)
> +++ libsepol/src/handle.h (working copy)
> @@ -14,6 +14,9 @@
> void (*msg_callback) (void *varg,
> sepol_handle_t * handle, const char *fmt, ...);
> void *msg_callback_arg;
> +
> + int disable_dontaudit;
> +
> };
>
> #endif
> Index: libsepol/src/libsepol.map
> ===================================================================
> --- libsepol/src/libsepol.map (revision 2511)
> +++ libsepol/src/libsepol.map (working copy)
> @@ -12,5 +12,6 @@
> sepol_policydb_*; sepol_set_policydb_from_file;
> sepol_policy_kern_*;
> sepol_policy_file_*;
> + sepol_set_disable_dontaudit;
> local: *;
> };
> Index: libsepol/src/expand.c
> ===================================================================
> --- libsepol/src/expand.c (revision 2511)
> +++ libsepol/src/expand.c (working copy)
> @@ -1367,6 +1367,8 @@
> } else if (specified & AVRULE_AUDITDENY) {
> spec = AVTAB_AUDITDENY;
> } else if (specified & AVRULE_DONTAUDIT) {
> + if (handle->disable_dontaudit)
> + return EXPAND_RULE_SUCCESS;
> spec = AVTAB_AUDITDENY;
> } else if (specified & AVRULE_NEVERALLOW) {
> spec = AVTAB_NEVERALLOW;
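Review bot: `handle->disable_dontaudit` is dereferenced without a NULL check; if, as I believe is the case elsewhere in libsepol, a NULL `sepol_handle_t *` is an accepted argument to the expand path, such a caller would now crash on the first dontaudit rule rather than keep the old behaviour, and `if (handle && handle->disable_dontaudit)` avoids that while preserving the default. A short why-comment would also help the next reader, since dropping the rule entirely (instead of converting it) is what makes every such denial auditable: `/* dontaudit rules are omitted from the expanded policy when requested, so the denials they would hide are audited */`. The enclosing function starts and ends outside the hunk. The same hunk is quoted again at `@@ -1367,6 +1367,8 @@` in the later replies.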
> Index: libsepol/src/handle.c
> ===================================================================
> --- libsepol/src/handle.c (revision 2511)
> +++ libsepol/src/handle.c (working copy)
> @@ -1,4 +1,5 @@
> #include <stdlib.h>
> +#include <assert.h>
> #include "handle.h"
> #include "debug.h"
>
> @@ -13,9 +14,18 @@
> sh->msg_callback = sepol_msg_default_handler;
> sh->msg_callback_arg = NULL;
>
> + /* by default do not disable dontaudits */
> + sh->disable_dontaudit = 0;
> +
> return sh;
> }
>
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> +{
> + assert(sh !=NULL);
> + sh->disable_dontaudit = disable_dontaudit;
> +}
> +
> void sepol_handle_destroy(sepol_handle_t * sh)
> {
> free(sh);
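Review bot: `assert(sh !=NULL);` has uneven spacing compared with the `assert(sh != NULL)` form used in the libsemanage wrapper and in the existing `semanage_is_connected`, and as an assert it compiles out under NDEBUG, so in a release build a NULL handle still dereferences on the next line. For a setter this small I would either keep the assert purely as a statement of the contract, written `assert(sh != NULL);`, or return early on NULL. The public header describes the argument as 0 or 1, but the value is stored as given, so either note that any non-zero value enables the behaviour or normalise it with `sh->disable_dontaudit = disable_dontaudit ? 1 : 0;`. The same hunk is quoted again at `@@ -13,9 +14,18 @@` in the later replies.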
> Index: policycoreutils/semodule/semodule.c
> ===================================================================
> --- policycoreutils/semodule/semodule.c (revision 2511)
> +++ policycoreutils/semodule/semodule.c (working copy)
> @@ -44,6 +44,7 @@
> static int no_reload;
> static int create_store;
> static int build;
> +static int disable_dontaudit;
>
> static semanage_handle_t *sh = NULL;
> static char *store;
> @@ -131,6 +132,7 @@
> printf(" -n,--noreload do not reload policy after commit\n");
> printf(" -h,--help print this message and quit\n");
> printf(" -v,--verbose be verbose\n");
> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
> }
>
> /* Sets the global mode variable to new_mode, but only if no other
> @@ -173,6 +175,7 @@
> {"reload", 0, NULL, 'R'},
> {"noreload", 0, NULL, 'n'},
> {"build", 0, NULL, 'B'},
> + {"disable_dontaudit", 0, NULL, 'D'},
> {NULL, 0, NULL, 0}
> };
> int i;
> @@ -181,7 +184,7 @@
> no_reload = 0;
> create_store = 0;
> while ((i =
> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> NULL)) != -1) {
> switch (i) {
> case 'b':
> @@ -218,6 +221,9 @@
> case 'B':
> build = 1;
> break;
> + case 'D':
> + disable_dontaudit = 1;
> + break;
> case '?':
> default:{
> usage(argv[0]);
> @@ -441,6 +447,8 @@
> semanage_set_reload(sh, 0);
> if (build)
> semanage_set_rebuild(sh, 1);
> + if (disable_dontaudit)
> + semanage_set_disable_dontaudit(sh, 1);
> result = semanage_commit(sh);
> }
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Merge at will.
--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 17:28 ` Stephen Smalley
@ 2007-08-16 17:45 ` Joshua Brindle
2007-08-16 17:47 ` Stephen Smalley
0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 17:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh
Stephen Smalley wrote:
> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>
>> Joshua Brindle wrote:
>>
>>> James Morris wrote:
>>>
>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>
>>>>
>>>>
>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>>>>> rules from modules.
>>>>>
>>>>>
>>>> Are we sure this can't be done in userspace? Like, mangle all the
>>>> existing policy and reload it?
>>>>
>>>>
>>>>
>>> I agree, the infrastructure is certainly in place to do it, just add
>>> something in the sepol_handle that says dontaudits should be
>>> discarded, then make an interface in libsemanage that uses that and
>>> rebuild the policy.
>>>
>>> If noone beats me to it I will see if my conclusions about it being
>>> fairly simple are accurate this weekend :)
>>>
>>>
>> I changed my mind, patch below
>>
>> it compiles and seems to work after semodule -DB:
>>
>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>> dontaudit
>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>> Type 0, Modified 0)
>> Added TE Rules: 0
>> Added TE Rules because of new type: 0
>> Removed TE Rules: 326583
>> Removed TE Rules because of missing type: 0
>> Modified TE Rules: 0
>>
>> Index: libsemanage/include/semanage/handle.h
>> ===================================================================
>> --- libsemanage/include/semanage/handle.h (revision 2511)
>> +++ libsemanage/include/semanage/handle.h (working copy)
>> @@ -69,6 +69,9 @@
>> * 1 for yes, 0 for no (default) */
>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>
>> +/* Set whether or not to disable dontaudits upon commit */
>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>> +
>> /* Check whether policy is managed via libsemanage on this system.
>> * Must be called prior to trying to connect.
>> * Return 1 if policy is managed via libsemanage on this system,
>> Index: libsemanage/src/libsemanage.map
>> ===================================================================
>> --- libsemanage/src/libsemanage.map (revision 2511)
>> +++ libsemanage/src/libsemanage.map (working copy)
>> @@ -13,6 +13,6 @@
>> semanage_iface_*; semanage_port_*; semanage_context_*;
>> semanage_node_*;
>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>> - semanage_is_connected;
>> + semanage_is_connected; semanage_set_disable_dontaudit;
>> local: *;
>> };
>> Index: libsemanage/src/handle.c
>> ===================================================================
>> --- libsemanage/src/handle.c (revision 2511)
>> +++ libsemanage/src/handle.c (working copy)
>> @@ -109,6 +109,14 @@
>> return;
>> }
>>
>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>> +{
>> + assert(sh != NULL);
>> +
>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> + return;
>> +}
>> +
>> int semanage_is_connected(semanage_handle_t * sh)
>> {
>> assert(sh != NULL);
>> Index: libsepol/include/sepol/handle.h
>> ===================================================================
>> --- libsepol/include/sepol/handle.h (revision 2511)
>> +++ libsepol/include/sepol/handle.h (working copy)
>> @@ -7,6 +7,10 @@
>> /* Create and return a sepol handle. */
>> sepol_handle_t *sepol_handle_create(void);
>>
>> +/* Set whether or not to disable dontaudits, 0 is default and does
>> + * not disable dontaudits, 1 disables them */
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>> +
>> /* Destroy a sepol handle. */
>> void sepol_handle_destroy(sepol_handle_t *);
>>
>> Index: libsepol/src/handle.h
>> ===================================================================
>> --- libsepol/src/handle.h (revision 2511)
>> +++ libsepol/src/handle.h (working copy)
>> @@ -14,6 +14,9 @@
>> void (*msg_callback) (void *varg,
>> sepol_handle_t * handle, const char *fmt, ...);
>> void *msg_callback_arg;
>> +
>> + int disable_dontaudit;
>> +
>> };
>>
>> #endif
>> Index: libsepol/src/libsepol.map
>> ===================================================================
>> --- libsepol/src/libsepol.map (revision 2511)
>> +++ libsepol/src/libsepol.map (working copy)
>> @@ -12,5 +12,6 @@
>> sepol_policydb_*; sepol_set_policydb_from_file;
>> sepol_policy_kern_*;
>> sepol_policy_file_*;
>> + sepol_set_disable_dontaudit;
>> local: *;
>> };
>> Index: libsepol/src/expand.c
>> ===================================================================
>> --- libsepol/src/expand.c (revision 2511)
>> +++ libsepol/src/expand.c (working copy)
>> @@ -1367,6 +1367,8 @@
>> } else if (specified & AVRULE_AUDITDENY) {
>> spec = AVTAB_AUDITDENY;
>> } else if (specified & AVRULE_DONTAUDIT) {
>> + if (handle->disable_dontaudit)
>> + return EXPAND_RULE_SUCCESS;
>> spec = AVTAB_AUDITDENY;
>> } else if (specified & AVRULE_NEVERALLOW) {
>> spec = AVTAB_NEVERALLOW;
>> Index: libsepol/src/handle.c
>> ===================================================================
>> --- libsepol/src/handle.c (revision 2511)
>> +++ libsepol/src/handle.c (working copy)
>> @@ -1,4 +1,5 @@
>> #include <stdlib.h>
>> +#include <assert.h>
>> #include "handle.h"
>> #include "debug.h"
>>
>> @@ -13,9 +14,18 @@
>> sh->msg_callback = sepol_msg_default_handler;
>> sh->msg_callback_arg = NULL;
>>
>> + /* by default do not disable dontaudits */
>> + sh->disable_dontaudit = 0;
>> +
>> return sh;
>> }
>>
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>> +{
>> + assert(sh !=NULL);
>> + sh->disable_dontaudit = disable_dontaudit;
>> +}
>> +
>> void sepol_handle_destroy(sepol_handle_t * sh)
>> {
>> free(sh);
>> Index: policycoreutils/semodule/semodule.c
>> ===================================================================
>> --- policycoreutils/semodule/semodule.c (revision 2511)
>> +++ policycoreutils/semodule/semodule.c (working copy)
>> @@ -44,6 +44,7 @@
>> static int no_reload;
>> static int create_store;
>> static int build;
>> +static int disable_dontaudit;
>>
>> static semanage_handle_t *sh = NULL;
>> static char *store;
>> @@ -131,6 +132,7 @@
>> printf(" -n,--noreload do not reload policy after commit\n");
>> printf(" -h,--help print this message and quit\n");
>> printf(" -v,--verbose be verbose\n");
>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
>> }
>>
>> /* Sets the global mode variable to new_mode, but only if no other
>> @@ -173,6 +175,7 @@
>> {"reload", 0, NULL, 'R'},
>> {"noreload", 0, NULL, 'n'},
>> {"build", 0, NULL, 'B'},
>> + {"disable_dontaudit", 0, NULL, 'D'},
>> {NULL, 0, NULL, 0}
>> };
>> int i;
>> @@ -181,7 +184,7 @@
>> no_reload = 0;
>> create_store = 0;
>> while ((i =
>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>> NULL)) != -1) {
>> switch (i) {
>> case 'b':
>> @@ -218,6 +221,9 @@
>> case 'B':
>> build = 1;
>> break;
>> + case 'D':
>> + disable_dontaudit = 1;
>> + break;
>> case '?':
>> default:{
>> usage(argv[0]);
>> @@ -441,6 +447,8 @@
>> semanage_set_reload(sh, 0);
>> if (build)
>> semanage_set_rebuild(sh, 1);
>> + if (disable_dontaudit)
>> + semanage_set_disable_dontaudit(sh, 1);
>> result = semanage_commit(sh);
>> }
>>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> Merge at will.
>
So did we decide that the disadvantages of this approach are fine? The
one that bothers me is that rebooting doesn't reset the dontaudit state
(like it would with Eric's patch)...
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 17:45 ` Joshua Brindle
@ 2007-08-16 17:47 ` Stephen Smalley
2007-08-16 17:53 ` Joshua Brindle
0 siblings, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 17:47 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> >
> >> Joshua Brindle wrote:
> >>
> >>> James Morris wrote:
> >>>
> >>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>>>
> >>>>
> >>>>
> >>>>> Currently to disable dontaudit rules best you can do it to load the
> >>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> >>>>> rules from modules.
> >>>>>
> >>>>>
> >>>> Are we sure this can't be done in userspace? Like, mangle all the
> >>>> existing policy and reload it?
> >>>>
> >>>>
> >>>>
> >>> I agree, the infrastructure is certainly in place to do it, just add
> >>> something in the sepol_handle that says dontaudits should be
> >>> discarded, then make an interface in libsemanage that uses that and
> >>> rebuild the policy.
> >>>
> >>> If noone beats me to it I will see if my conclusions about it being
> >>> fairly simple are accurate this weekend :)
> >>>
> >>>
> >> I changed my mind, patch below
> >>
> >> it compiles and seems to work after semodule -DB:
> >>
> >> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> >> dontaudit
> >> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> >> Type 0, Modified 0)
> >> Added TE Rules: 0
> >> Added TE Rules because of new type: 0
> >> Removed TE Rules: 326583
> >> Removed TE Rules because of missing type: 0
> >> Modified TE Rules: 0
> >>
> >> Index: libsemanage/include/semanage/handle.h
> >> ===================================================================
> >> --- libsemanage/include/semanage/handle.h (revision 2511)
> >> +++ libsemanage/include/semanage/handle.h (working copy)
> >> @@ -69,6 +69,9 @@
> >> * 1 for yes, 0 for no (default) */
> >> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> >>
> >> +/* Set whether or not to disable dontaudits upon commit */
> >> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> >> +
> >> /* Check whether policy is managed via libsemanage on this system.
> >> * Must be called prior to trying to connect.
> >> * Return 1 if policy is managed via libsemanage on this system,
> >> Index: libsemanage/src/libsemanage.map
> >> ===================================================================
> >> --- libsemanage/src/libsemanage.map (revision 2511)
> >> +++ libsemanage/src/libsemanage.map (working copy)
> >> @@ -13,6 +13,6 @@
> >> semanage_iface_*; semanage_port_*; semanage_context_*;
> >> semanage_node_*;
> >> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> >> - semanage_is_connected;
> >> + semanage_is_connected; semanage_set_disable_dontaudit;
> >> local: *;
> >> };
> >> Index: libsemanage/src/handle.c
> >> ===================================================================
> >> --- libsemanage/src/handle.c (revision 2511)
> >> +++ libsemanage/src/handle.c (working copy)
> >> @@ -109,6 +109,14 @@
> >> return;
> >> }
> >>
> >> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> >> +{
> >> + assert(sh != NULL);
> >> +
> >> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> >> + return;
> >> +}
> >> +
> >> int semanage_is_connected(semanage_handle_t * sh)
> >> {
> >> assert(sh != NULL);
> >> Index: libsepol/include/sepol/handle.h
> >> ===================================================================
> >> --- libsepol/include/sepol/handle.h (revision 2511)
> >> +++ libsepol/include/sepol/handle.h (working copy)
> >> @@ -7,6 +7,10 @@
> >> /* Create and return a sepol handle. */
> >> sepol_handle_t *sepol_handle_create(void);
> >>
> >> +/* Set whether or not to disable dontaudits, 0 is default and does
> >> + * not disable dontaudits, 1 disables them */
> >> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> >> +
> >> /* Destroy a sepol handle. */
> >> void sepol_handle_destroy(sepol_handle_t *);
> >>
> >> Index: libsepol/src/handle.h
> >> ===================================================================
> >> --- libsepol/src/handle.h (revision 2511)
> >> +++ libsepol/src/handle.h (working copy)
> >> @@ -14,6 +14,9 @@
> >> void (*msg_callback) (void *varg,
> >> sepol_handle_t * handle, const char *fmt, ...);
> >> void *msg_callback_arg;
> >> +
> >> + int disable_dontaudit;
> >> +
> >> };
> >>
> >> #endif
> >> Index: libsepol/src/libsepol.map
> >> ===================================================================
> >> --- libsepol/src/libsepol.map (revision 2511)
> >> +++ libsepol/src/libsepol.map (working copy)
> >> @@ -12,5 +12,6 @@
> >> sepol_policydb_*; sepol_set_policydb_from_file;
> >> sepol_policy_kern_*;
> >> sepol_policy_file_*;
> >> + sepol_set_disable_dontaudit;
> >> local: *;
> >> };
> >> Index: libsepol/src/expand.c
> >> ===================================================================
> >> --- libsepol/src/expand.c (revision 2511)
> >> +++ libsepol/src/expand.c (working copy)
> >> @@ -1367,6 +1367,8 @@
> >> } else if (specified & AVRULE_AUDITDENY) {
> >> spec = AVTAB_AUDITDENY;
> >> } else if (specified & AVRULE_DONTAUDIT) {
> >> + if (handle->disable_dontaudit)
> >> + return EXPAND_RULE_SUCCESS;
> >> spec = AVTAB_AUDITDENY;
> >> } else if (specified & AVRULE_NEVERALLOW) {
> >> spec = AVTAB_NEVERALLOW;
> >> Index: libsepol/src/handle.c
> >> ===================================================================
> >> --- libsepol/src/handle.c (revision 2511)
> >> +++ libsepol/src/handle.c (working copy)
> >> @@ -1,4 +1,5 @@
> >> #include <stdlib.h>
> >> +#include <assert.h>
> >> #include "handle.h"
> >> #include "debug.h"
> >>
> >> @@ -13,9 +14,18 @@
> >> sh->msg_callback = sepol_msg_default_handler;
> >> sh->msg_callback_arg = NULL;
> >>
> >> + /* by default do not disable dontaudits */
> >> + sh->disable_dontaudit = 0;
> >> +
> >> return sh;
> >> }
> >>
> >> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> >> +{
> >> + assert(sh !=NULL);
> >> + sh->disable_dontaudit = disable_dontaudit;
> >> +}
> >> +
> >> void sepol_handle_destroy(sepol_handle_t * sh)
> >> {
> >> free(sh);
> >> Index: policycoreutils/semodule/semodule.c
> >> ===================================================================
> >> --- policycoreutils/semodule/semodule.c (revision 2511)
> >> +++ policycoreutils/semodule/semodule.c (working copy)
> >> @@ -44,6 +44,7 @@
> >> static int no_reload;
> >> static int create_store;
> >> static int build;
> >> +static int disable_dontaudit;
> >>
> >> static semanage_handle_t *sh = NULL;
> >> static char *store;
> >> @@ -131,6 +132,7 @@
> >> printf(" -n,--noreload do not reload policy after commit\n");
> >> printf(" -h,--help print this message and quit\n");
> >> printf(" -v,--verbose be verbose\n");
> >> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
> >> }
> >>
> >> /* Sets the global mode variable to new_mode, but only if no other
> >> @@ -173,6 +175,7 @@
> >> {"reload", 0, NULL, 'R'},
> >> {"noreload", 0, NULL, 'n'},
> >> {"build", 0, NULL, 'B'},
> >> + {"disable_dontaudit", 0, NULL, 'D'},
> >> {NULL, 0, NULL, 0}
> >> };
> >> int i;
> >> @@ -181,7 +184,7 @@
> >> no_reload = 0;
> >> create_store = 0;
> >> while ((i =
> >> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> >> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> >> NULL)) != -1) {
> >> switch (i) {
> >> case 'b':
> >> @@ -218,6 +221,9 @@
> >> case 'B':
> >> build = 1;
> >> break;
> >> + case 'D':
> >> + disable_dontaudit = 1;
> >> + break;
> >> case '?':
> >> default:{
> >> usage(argv[0]);
> >> @@ -441,6 +447,8 @@
> >> semanage_set_reload(sh, 0);
> >> if (build)
> >> semanage_set_rebuild(sh, 1);
> >> + if (disable_dontaudit)
> >> + semanage_set_disable_dontaudit(sh, 1);
> >> result = semanage_commit(sh);
> >> }
> >>
> >
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
> > Merge at will.
> >
>
> So did we decide that the disadvantages of this approach are fine? The
> one that bothers me is that rebooting doesn't reset the dontaudit state
> (like it would with Eric's patch)...
That could be an advantage - suppose that you want to collect full audit
information on the initialization itself. And it isn't different than
the old 'make enableaudit load' approach.
--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 17:47 ` Stephen Smalley
@ 2007-08-16 17:53 ` Joshua Brindle
2007-08-16 18:04 ` Stephen Smalley
From: Joshua Brindle @ 2007-08-16 17:53 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh
Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>
>>>
>>>> Joshua Brindle wrote:
>>>>
>>>>
>>>>> James Morris wrote:
>>>>>
>>>>>
>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>>>>>>> rules from modules.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Are we sure this can't be done in userspace? Like, mangle all the
>>>>>> existing policy and reload it?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> I agree, the infrastructure is certainly in place to do it, just add
>>>>> something in the sepol_handle that says dontaudits should be
>>>>> discarded, then make an interface in libsemanage that uses that and
>>>>> rebuild the policy.
>>>>>
>>>>> If noone beats me to it I will see if my conclusions about it being
>>>>> fairly simple are accurate this weekend :)
>>>>>
>>>>>
>>>>>
>>>> I changed my mind, patch below
>>>>
>>>> it compiles and seems to work after semodule -DB:
>>>>
>>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>>>> dontaudit
>>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>>>> Type 0, Modified 0)
>>>> Added TE Rules: 0
>>>> Added TE Rules because of new type: 0
>>>> Removed TE Rules: 326583
>>>> Removed TE Rules because of missing type: 0
>>>> Modified TE Rules: 0
>>>>
>>>> Index: libsemanage/include/semanage/handle.h
>>>> ===================================================================
>>>> --- libsemanage/include/semanage/handle.h (revision 2511)
>>>> +++ libsemanage/include/semanage/handle.h (working copy)
>>>> @@ -69,6 +69,9 @@
>>>> * 1 for yes, 0 for no (default) */
>>>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>>>
>>>> +/* Set whether or not to disable dontaudits upon commit */
>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>>> +
>>>> /* Check whether policy is managed via libsemanage on this system.
>>>> * Must be called prior to trying to connect.
>>>> * Return 1 if policy is managed via libsemanage on this system,
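Review bot: The one-line comment on `semanage_set_disable_dontaudit` says the rules are affected "upon commit" but not the scope of the setting, which is the part a caller can get wrong: nothing in the patch stores it beyond this handle, so a later commit from a fresh handle (or a rebuild triggered without the flag) presumably restores the dontaudit rules and the wider audit coverage quietly disappears. Suggested replacement: `/* Set whether dontaudit rules are dropped when policy is next rebuilt on commit (1 = drop, 0 = keep, default 0). Applies to this handle only and is not saved in the store; a rebuild from another handle reinstates the rules. */`. A matching getter would let tools report the current state, but that is optional.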
>>>> Index: libsemanage/src/libsemanage.map
>>>> ===================================================================
>>>> --- libsemanage/src/libsemanage.map (revision 2511)
>>>> +++ libsemanage/src/libsemanage.map (working copy)
>>>> @@ -13,6 +13,6 @@
>>>> semanage_iface_*; semanage_port_*; semanage_context_*;
>>>> semanage_node_*;
>>>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>>>> - semanage_is_connected;
>>>> + semanage_is_connected; semanage_set_disable_dontaudit;
>>>> local: *;
>>>> };
>>>> Index: libsemanage/src/handle.c
>>>> ===================================================================
>>>> --- libsemanage/src/handle.c (revision 2511)
>>>> +++ libsemanage/src/handle.c (working copy)
>>>> @@ -109,6 +109,14 @@
>>>> return;
>>>> }
>>>>
>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>>> +{
>>>> + assert(sh != NULL);
>>>> +
>>>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>>> + return;
>>>> +}
>>>> +
>>>> int semanage_is_connected(semanage_handle_t * sh)
>>>> {
>>>> assert(sh != NULL);
>>>> Index: libsepol/include/sepol/handle.h
>>>> ===================================================================
>>>> --- libsepol/include/sepol/handle.h (revision 2511)
>>>> +++ libsepol/include/sepol/handle.h (working copy)
>>>> @@ -7,6 +7,10 @@
>>>> /* Create and return a sepol handle. */
>>>> sepol_handle_t *sepol_handle_create(void);
>>>>
>>>> +/* Set whether or not to disable dontaudits, 0 is default and does
>>>> + * not disable dontaudits, 1 disables them */
>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>>>> +
>>>> /* Destroy a sepol handle. */
>>>> void sepol_handle_destroy(sepol_handle_t *);
>>>>
>>>> Index: libsepol/src/handle.h
>>>> ===================================================================
>>>> --- libsepol/src/handle.h (revision 2511)
>>>> +++ libsepol/src/handle.h (working copy)
>>>> @@ -14,6 +14,9 @@
>>>> void (*msg_callback) (void *varg,
>>>> sepol_handle_t * handle, const char *fmt, ...);
>>>> void *msg_callback_arg;
>>>> +
>>>> + int disable_dontaudit;
>>>> +
>>>> };
>>>>
>>>> #endif
>>>> Index: libsepol/src/libsepol.map
>>>> ===================================================================
>>>> --- libsepol/src/libsepol.map (revision 2511)
>>>> +++ libsepol/src/libsepol.map (working copy)
>>>> @@ -12,5 +12,6 @@
>>>> sepol_policydb_*; sepol_set_policydb_from_file;
>>>> sepol_policy_kern_*;
>>>> sepol_policy_file_*;
>>>> + sepol_set_disable_dontaudit;
>>>> local: *;
>>>> };
>>>> Index: libsepol/src/expand.c
>>>> ===================================================================
>>>> --- libsepol/src/expand.c (revision 2511)
>>>> +++ libsepol/src/expand.c (working copy)
>>>> @@ -1367,6 +1367,8 @@
>>>> } else if (specified & AVRULE_AUDITDENY) {
>>>> spec = AVTAB_AUDITDENY;
>>>> } else if (specified & AVRULE_DONTAUDIT) {
>>>> + if (handle->disable_dontaudit)
>>>> + return EXPAND_RULE_SUCCESS;
>>>> spec = AVTAB_AUDITDENY;
>>>> } else if (specified & AVRULE_NEVERALLOW) {
>>>> spec = AVTAB_NEVERALLOW;
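Review bot: `if (handle->disable_dontaudit)` dereferences `handle` without a NULL check; if this helper can be reached with a NULL `sepol_handle_t` — which libsepol's public entry points generally accept and its message macros tolerate — the new line turns a previously harmless call into a crash, so the guard should read `if (handle && handle->disable_dontaudit)`. A short comment would also help the next reader see that the rule is not converted but dropped, leaving the denial to be audited by default: `/* caller asked for dontaudit rules to be discarded: skip the rule so the denial is audited */`. The enclosing function starts and ends outside the hunk.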
>>>> Index: libsepol/src/handle.c
>>>> ===================================================================
>>>> --- libsepol/src/handle.c (revision 2511)
>>>> +++ libsepol/src/handle.c (working copy)
>>>> @@ -1,4 +1,5 @@
>>>> #include <stdlib.h>
>>>> +#include <assert.h>
>>>> #include "handle.h"
>>>> #include "debug.h"
>>>>
>>>> @@ -13,9 +14,18 @@
>>>> sh->msg_callback = sepol_msg_default_handler;
>>>> sh->msg_callback_arg = NULL;
>>>>
>>>> + /* by default do not disable dontaudits */
>>>> + sh->disable_dontaudit = 0;
>>>> +
>>>> return sh;
>>>> }
>>>>
>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>>>> +{
>>>> + assert(sh !=NULL);
>>>> + sh->disable_dontaudit = disable_dontaudit;
>>>> +}
>>>> +
>>>> void sepol_handle_destroy(sepol_handle_t * sh)
>>>> {
>>>> free(sh);
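Review bot: `sepol_set_disable_dontaudit` stores the raw `int` while the public header documents only 0 and 1, so the value a later reader compares against may be any non-zero integer; normalising on the way in, `sh->disable_dontaudit = disable_dontaudit ? 1 : 0;`, keeps the field to the documented contract. `assert(sh !=NULL)` also differs in spacing from the `assert(sh != NULL)` form used in the libsemanage half of the patch and, like every assert in a shared library built with NDEBUG, compiles away, so it is a debugging aid rather than a NULL-safety check. The `sepol_handle_create` body that the first part of this hunk continues starts outside the hunk.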
>>>> Index: policycoreutils/semodule/semodule.c
>>>> ===================================================================
>>>> --- policycoreutils/semodule/semodule.c (revision 2511)
>>>> +++ policycoreutils/semodule/semodule.c (working copy)
>>>> @@ -44,6 +44,7 @@
>>>> static int no_reload;
>>>> static int create_store;
>>>> static int build;
>>>> +static int disable_dontaudit;
>>>>
>>>> static semanage_handle_t *sh = NULL;
>>>> static char *store;
>>>> @@ -131,6 +132,7 @@
>>>> printf(" -n,--noreload do not reload policy after commit\n");
>>>> printf(" -h,--help print this message and quit\n");
>>>> printf(" -v,--verbose be verbose\n");
>>>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
>>>> }
>>>>
>>>> /* Sets the global mode variable to new_mode, but only if no other
>>>> @@ -173,6 +175,7 @@
>>>> {"reload", 0, NULL, 'R'},
>>>> {"noreload", 0, NULL, 'n'},
>>>> {"build", 0, NULL, 'B'},
>>>> + {"disable_dontaudit", 0, NULL, 'D'},
>>>> {NULL, 0, NULL, 0}
>>>> };
>>>> int i;
>>>> @@ -181,7 +184,7 @@
>>>> no_reload = 0;
>>>> create_store = 0;
>>>> while ((i =
>>>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>>>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>>> NULL)) != -1) {
>>>> switch (i) {
>>>> case 'b':
>>>> @@ -218,6 +221,9 @@
>>>> case 'B':
>>>> build = 1;
>>>> break;
>>>> + case 'D':
>>>> + disable_dontaudit = 1;
>>>> + break;
>>>> case '?':
>>>> default:{
>>>> usage(argv[0]);
>>>> @@ -441,6 +447,8 @@
>>>> semanage_set_reload(sh, 0);
>>>> if (build)
>>>> semanage_set_rebuild(sh, 1);
>>>> + if (disable_dontaudit)
>>>> + semanage_set_disable_dontaudit(sh, 1);
>>>> result = semanage_commit(sh);
>>>> }
>>>>
>>>>
>>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>
>>> Merge at will.
>>>
>>>
>> So did we decide that the disadvantages of this approach are fine? The
>> one that bothers me is that rebooting doesn't reset the dontaudit state
>> (like it would with Eric's patch)...
>>
>
> That could be an advantage - suppose that you want to collect full audit
> information on the initialization itself. And it isn't different than
> the old 'make enableaudit load' approach.
>
Good point, ok, I'll merge this in a bit, are there any other pending
merges?
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 17:53 ` Joshua Brindle
@ 2007-08-16 18:04 ` Stephen Smalley
2007-08-16 19:18 ` Stephen Smalley
2007-08-16 19:26 ` Joshua Brindle
From: Stephen Smalley @ 2007-08-16 18:04 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> >
> >> Stephen Smalley wrote:
> >>
> >>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> >>>
> >>>
> >>>> Joshua Brindle wrote:
> >>>>
> >>>>
> >>>>> James Morris wrote:
> >>>>>
> >>>>>
> >>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> Currently to disable dontaudit rules best you can do it to load the
> >>>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> >>>>>>> rules from modules.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> Are we sure this can't be done in userspace? Like, mangle all the
> >>>>>> existing policy and reload it?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> I agree, the infrastructure is certainly in place to do it, just add
> >>>>> something in the sepol_handle that says dontaudits should be
> >>>>> discarded, then make an interface in libsemanage that uses that and
> >>>>> rebuild the policy.
> >>>>>
> >>>>> If noone beats me to it I will see if my conclusions about it being
> >>>>> fairly simple are accurate this weekend :)
> >>>>>
> >>>>>
> >>>>>
> >>>> I changed my mind, patch below
> >>>>
> >>>> it compiles and seems to work after semodule -DB:
> >>>>
> >>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> >>>> dontaudit
> >>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> >>>> Type 0, Modified 0)
> >>>> Added TE Rules: 0
> >>>> Added TE Rules because of new type: 0
> >>>> Removed TE Rules: 326583
> >>>> Removed TE Rules because of missing type: 0
> >>>> Modified TE Rules: 0
> >>>>
> >>>> Index: libsemanage/include/semanage/handle.h
> >>>> ===================================================================
> >>>> --- libsemanage/include/semanage/handle.h (revision 2511)
> >>>> +++ libsemanage/include/semanage/handle.h (working copy)
> >>>> @@ -69,6 +69,9 @@
> >>>> * 1 for yes, 0 for no (default) */
> >>>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> >>>>
> >>>> +/* Set whether or not to disable dontaudits upon commit */
> >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> >>>> +
> >>>> /* Check whether policy is managed via libsemanage on this system.
> >>>> * Must be called prior to trying to connect.
> >>>> * Return 1 if policy is managed via libsemanage on this system,
> >>>> Index: libsemanage/src/libsemanage.map
> >>>> ===================================================================
> >>>> --- libsemanage/src/libsemanage.map (revision 2511)
> >>>> +++ libsemanage/src/libsemanage.map (working copy)
> >>>> @@ -13,6 +13,6 @@
> >>>> semanage_iface_*; semanage_port_*; semanage_context_*;
> >>>> semanage_node_*;
> >>>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> >>>> - semanage_is_connected;
> >>>> + semanage_is_connected; semanage_set_disable_dontaudit;
> >>>> local: *;
> >>>> };
> >>>> Index: libsemanage/src/handle.c
> >>>> ===================================================================
> >>>> --- libsemanage/src/handle.c (revision 2511)
> >>>> +++ libsemanage/src/handle.c (working copy)
> >>>> @@ -109,6 +109,14 @@
> >>>> return;
> >>>> }
> >>>>
> >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> >>>> +{
> >>>> + assert(sh != NULL);
> >>>> +
> >>>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> >>>> + return;
> >>>> +}
> >>>> +
> >>>> int semanage_is_connected(semanage_handle_t * sh)
> >>>> {
> >>>> assert(sh != NULL);
> >>>> Index: libsepol/include/sepol/handle.h
> >>>> ===================================================================
> >>>> --- libsepol/include/sepol/handle.h (revision 2511)
> >>>> +++ libsepol/include/sepol/handle.h (working copy)
> >>>> @@ -7,6 +7,10 @@
> >>>> /* Create and return a sepol handle. */
> >>>> sepol_handle_t *sepol_handle_create(void);
> >>>>
> >>>> +/* Set whether or not to disable dontaudits, 0 is default and does
> >>>> + * not disable dontaudits, 1 disables them */
> >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> >>>> +
> >>>> /* Destroy a sepol handle. */
> >>>> void sepol_handle_destroy(sepol_handle_t *);
> >>>>
> >>>> Index: libsepol/src/handle.h
> >>>> ===================================================================
> >>>> --- libsepol/src/handle.h (revision 2511)
> >>>> +++ libsepol/src/handle.h (working copy)
> >>>> @@ -14,6 +14,9 @@
> >>>> void (*msg_callback) (void *varg,
> >>>> sepol_handle_t * handle, const char *fmt, ...);
> >>>> void *msg_callback_arg;
> >>>> +
> >>>> + int disable_dontaudit;
> >>>> +
> >>>> };
> >>>>
> >>>> #endif
> >>>> Index: libsepol/src/libsepol.map
> >>>> ===================================================================
> >>>> --- libsepol/src/libsepol.map (revision 2511)
> >>>> +++ libsepol/src/libsepol.map (working copy)
> >>>> @@ -12,5 +12,6 @@
> >>>> sepol_policydb_*; sepol_set_policydb_from_file;
> >>>> sepol_policy_kern_*;
> >>>> sepol_policy_file_*;
> >>>> + sepol_set_disable_dontaudit;
> >>>> local: *;
> >>>> };
> >>>> Index: libsepol/src/expand.c
> >>>> ===================================================================
> >>>> --- libsepol/src/expand.c (revision 2511)
> >>>> +++ libsepol/src/expand.c (working copy)
> >>>> @@ -1367,6 +1367,8 @@
> >>>> } else if (specified & AVRULE_AUDITDENY) {
> >>>> spec = AVTAB_AUDITDENY;
> >>>> } else if (specified & AVRULE_DONTAUDIT) {
> >>>> + if (handle->disable_dontaudit)
> >>>> + return EXPAND_RULE_SUCCESS;
> >>>> spec = AVTAB_AUDITDENY;
> >>>> } else if (specified & AVRULE_NEVERALLOW) {
> >>>> spec = AVTAB_NEVERALLOW;
> >>>> Index: libsepol/src/handle.c
> >>>> ===================================================================
> >>>> --- libsepol/src/handle.c (revision 2511)
> >>>> +++ libsepol/src/handle.c (working copy)
> >>>> @@ -1,4 +1,5 @@
> >>>> #include <stdlib.h>
> >>>> +#include <assert.h>
> >>>> #include "handle.h"
> >>>> #include "debug.h"
> >>>>
> >>>> @@ -13,9 +14,18 @@
> >>>> sh->msg_callback = sepol_msg_default_handler;
> >>>> sh->msg_callback_arg = NULL;
> >>>>
> >>>> + /* by default do not disable dontaudits */
> >>>> + sh->disable_dontaudit = 0;
> >>>> +
> >>>> return sh;
> >>>> }
> >>>>
> >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> >>>> +{
> >>>> + assert(sh !=NULL);
> >>>> + sh->disable_dontaudit = disable_dontaudit;
> >>>> +}
> >>>> +
> >>>> void sepol_handle_destroy(sepol_handle_t * sh)
> >>>> {
> >>>> free(sh);
> >>>> Index: policycoreutils/semodule/semodule.c
> >>>> ===================================================================
> >>>> --- policycoreutils/semodule/semodule.c (revision 2511)
> >>>> +++ policycoreutils/semodule/semodule.c (working copy)
> >>>> @@ -44,6 +44,7 @@
> >>>> static int no_reload;
> >>>> static int create_store;
> >>>> static int build;
> >>>> +static int disable_dontaudit;
> >>>>
> >>>> static semanage_handle_t *sh = NULL;
> >>>> static char *store;
> >>>> @@ -131,6 +132,7 @@
> >>>> printf(" -n,--noreload do not reload policy after commit\n");
> >>>> printf(" -h,--help print this message and quit\n");
> >>>> printf(" -v,--verbose be verbose\n");
> >>>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
> >>>> }
> >>>>
> >>>> /* Sets the global mode variable to new_mode, but only if no other
> >>>> @@ -173,6 +175,7 @@
> >>>> {"reload", 0, NULL, 'R'},
> >>>> {"noreload", 0, NULL, 'n'},
> >>>> {"build", 0, NULL, 'B'},
> >>>> + {"disable_dontaudit", 0, NULL, 'D'},
> >>>> {NULL, 0, NULL, 0}
> >>>> };
> >>>> int i;
> >>>> @@ -181,7 +184,7 @@
> >>>> no_reload = 0;
> >>>> create_store = 0;
> >>>> while ((i =
> >>>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> >>>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> >>>> NULL)) != -1) {
> >>>> switch (i) {
> >>>> case 'b':
> >>>> @@ -218,6 +221,9 @@
> >>>> case 'B':
> >>>> build = 1;
> >>>> break;
> >>>> + case 'D':
> >>>> + disable_dontaudit = 1;
> >>>> + break;
> >>>> case '?':
> >>>> default:{
> >>>> usage(argv[0]);
> >>>> @@ -441,6 +447,8 @@
> >>>> semanage_set_reload(sh, 0);
> >>>> if (build)
> >>>> semanage_set_rebuild(sh, 1);
> >>>> + if (disable_dontaudit)
> >>>> + semanage_set_disable_dontaudit(sh, 1);
> >>>> result = semanage_commit(sh);
> >>>> }
> >>>>
> >>>>
> >>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >>>
> >>> Merge at will.
> >>>
> >>>
> >> So did we decide that the disadvantages of this approach are fine? The
> >> one that bothers me is that rebooting doesn't reset the dontaudit state
> >> (like it would with Eric's patch)...
> >>
> >
> > That could be an advantage - suppose that you want to collect full audit
> > information on the initialization itself. And it isn't different than
> > the old 'make enableaudit load' approach.
> >
>
> Good point, ok, I'll merge this in a bit, are there any other pending
> merges?
Some of Dan's policycoreutils patches are trivial or simple bug fixes.
Others are less clear to me.
I was going to test the libsemanage genhomedircon patches, but haven't
done so yet. I don't have a problem with them conceptually. Have you
verified that they yield no change in output under -targeted and -strict
policy? And run them under valgrind?
Eric's handle unknown patches are still outstanding. Dan, if we merged
that support, would you use it in building future policies?
Karl's sepolgen bug fix looks fine to merge.
I (or someone) have to rework libsepol in stable and trunk to avoid
unaligned accesses (as per the wrong magic number thread). Already did
it once for the kernel. Sigh.
--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 18:04 ` Stephen Smalley
@ 2007-08-16 19:18 ` Stephen Smalley
2007-08-16 19:30 ` Joshua Brindle
2007-08-16 19:26 ` Joshua Brindle
From: Stephen Smalley @ 2007-08-16 19:18 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-16 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> > >
> > >> Stephen Smalley wrote:
> > >>
> > >>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> > >>>
> > >>>
> > >>>> Joshua Brindle wrote:
> > >>>>
> > >>>>
> > >>>>> James Morris wrote:
> > >>>>>
> > >>>>>
> > >>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>> Currently to disable dontaudit rules best you can do it to load the
> > >>>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
> > >>>>>>> rules from modules.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>> Are we sure this can't be done in userspace? Like, mangle all the
> > >>>>>> existing policy and reload it?
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>> I agree, the infrastructure is certainly in place to do it, just add
> > >>>>> something in the sepol_handle that says dontaudits should be
> > >>>>> discarded, then make an interface in libsemanage that uses that and
> > >>>>> rebuild the policy.
> > >>>>>
> > >>>>> If noone beats me to it I will see if my conclusions about it being
> > >>>>> fairly simple are accurate this weekend :)
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>> I changed my mind, patch below
> > >>>>
> > >>>> it compiles and seems to work after semodule -DB:
> > >>>>
> > >>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> > >>>> dontaudit
> > >>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> > >>>> Type 0, Modified 0)
> > >>>> Added TE Rules: 0
> > >>>> Added TE Rules because of new type: 0
> > >>>> Removed TE Rules: 326583
> > >>>> Removed TE Rules because of missing type: 0
> > >>>> Modified TE Rules: 0
> > >>>>
> > >>>> Index: libsemanage/include/semanage/handle.h
> > >>>> ===================================================================
> > >>>> --- libsemanage/include/semanage/handle.h (revision 2511)
> > >>>> +++ libsemanage/include/semanage/handle.h (working copy)
> > >>>> @@ -69,6 +69,9 @@
> > >>>> * 1 for yes, 0 for no (default) */
> > >>>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> > >>>>
> > >>>> +/* Set whether or not to disable dontaudits upon commit */
> > >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> > >>>> +
> > >>>> /* Check whether policy is managed via libsemanage on this system.
> > >>>> * Must be called prior to trying to connect.
> > >>>> * Return 1 if policy is managed via libsemanage on this system,
> > >>>> Index: libsemanage/src/libsemanage.map
> > >>>> ===================================================================
> > >>>> --- libsemanage/src/libsemanage.map (revision 2511)
> > >>>> +++ libsemanage/src/libsemanage.map (working copy)
> > >>>> @@ -13,6 +13,6 @@
> > >>>> semanage_iface_*; semanage_port_*; semanage_context_*;
> > >>>> semanage_node_*;
> > >>>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> > >>>> - semanage_is_connected;
> > >>>> + semanage_is_connected; semanage_set_disable_dontaudit;
> > >>>> local: *;
> > >>>> };
> > >>>> Index: libsemanage/src/handle.c
> > >>>> ===================================================================
> > >>>> --- libsemanage/src/handle.c (revision 2511)
> > >>>> +++ libsemanage/src/handle.c (working copy)
> > >>>> @@ -109,6 +109,14 @@
> > >>>> return;
> > >>>> }
> > >>>>
> > >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> > >>>> +{
> > >>>> + assert(sh != NULL);
> > >>>> +
> > >>>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> > >>>> + return;
> > >>>> +}
> > >>>> +
> > >>>> int semanage_is_connected(semanage_handle_t * sh)
> > >>>> {
> > >>>> assert(sh != NULL);
> > >>>> Index: libsepol/include/sepol/handle.h
> > >>>> ===================================================================
> > >>>> --- libsepol/include/sepol/handle.h (revision 2511)
> > >>>> +++ libsepol/include/sepol/handle.h (working copy)
> > >>>> @@ -7,6 +7,10 @@
> > >>>> /* Create and return a sepol handle. */
> > >>>> sepol_handle_t *sepol_handle_create(void);
> > >>>>
> > >>>> +/* Set whether or not to disable dontaudits, 0 is default and does
> > >>>> + * not disable dontaudits, 1 disables them */
> > >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> > >>>> +
> > >>>> /* Destroy a sepol handle. */
> > >>>> void sepol_handle_destroy(sepol_handle_t *);
> > >>>>
> > >>>> Index: libsepol/src/handle.h
> > >>>> ===================================================================
> > >>>> --- libsepol/src/handle.h (revision 2511)
> > >>>> +++ libsepol/src/handle.h (working copy)
> > >>>> @@ -14,6 +14,9 @@
> > >>>> void (*msg_callback) (void *varg,
> > >>>> sepol_handle_t * handle, const char *fmt, ...);
> > >>>> void *msg_callback_arg;
> > >>>> +
> > >>>> + int disable_dontaudit;
> > >>>> +
> > >>>> };
> > >>>>
> > >>>> #endif
> > >>>> Index: libsepol/src/libsepol.map
> > >>>> ===================================================================
> > >>>> --- libsepol/src/libsepol.map (revision 2511)
> > >>>> +++ libsepol/src/libsepol.map (working copy)
> > >>>> @@ -12,5 +12,6 @@
> > >>>> sepol_policydb_*; sepol_set_policydb_from_file;
> > >>>> sepol_policy_kern_*;
> > >>>> sepol_policy_file_*;
> > >>>> + sepol_set_disable_dontaudit;
> > >>>> local: *;
> > >>>> };
> > >>>> Index: libsepol/src/expand.c
> > >>>> ===================================================================
> > >>>> --- libsepol/src/expand.c (revision 2511)
> > >>>> +++ libsepol/src/expand.c (working copy)
> > >>>> @@ -1367,6 +1367,8 @@
> > >>>> } else if (specified & AVRULE_AUDITDENY) {
> > >>>> spec = AVTAB_AUDITDENY;
> > >>>> } else if (specified & AVRULE_DONTAUDIT) {
> > >>>> + if (handle->disable_dontaudit)
> > >>>> + return EXPAND_RULE_SUCCESS;
> > >>>> spec = AVTAB_AUDITDENY;
> > >>>> } else if (specified & AVRULE_NEVERALLOW) {
> > >>>> spec = AVTAB_NEVERALLOW;
> > >>>> Index: libsepol/src/handle.c
> > >>>> ===================================================================
> > >>>> --- libsepol/src/handle.c (revision 2511)
> > >>>> +++ libsepol/src/handle.c (working copy)
> > >>>> @@ -1,4 +1,5 @@
> > >>>> #include <stdlib.h>
> > >>>> +#include <assert.h>
> > >>>> #include "handle.h"
> > >>>> #include "debug.h"
> > >>>>
> > >>>> @@ -13,9 +14,18 @@
> > >>>> sh->msg_callback = sepol_msg_default_handler;
> > >>>> sh->msg_callback_arg = NULL;
> > >>>>
> > >>>> + /* by default do not disable dontaudits */
> > >>>> + sh->disable_dontaudit = 0;
> > >>>> +
> > >>>> return sh;
> > >>>> }
> > >>>>
> > >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> > >>>> +{
> > >>>> + assert(sh !=NULL);
> > >>>> + sh->disable_dontaudit = disable_dontaudit;
> > >>>> +}
> > >>>> +
> > >>>> void sepol_handle_destroy(sepol_handle_t * sh)
> > >>>> {
> > >>>> free(sh);
> > >>>> Index: policycoreutils/semodule/semodule.c
> > >>>> ===================================================================
> > >>>> --- policycoreutils/semodule/semodule.c (revision 2511)
> > >>>> +++ policycoreutils/semodule/semodule.c (working copy)
> > >>>> @@ -44,6 +44,7 @@
> > >>>> static int no_reload;
> > >>>> static int create_store;
> > >>>> static int build;
> > >>>> +static int disable_dontaudit;
> > >>>>
> > >>>> static semanage_handle_t *sh = NULL;
> > >>>> static char *store;
> > >>>> @@ -131,6 +132,7 @@
> > >>>> printf(" -n,--noreload do not reload policy after commit\n");
> > >>>> printf(" -h,--help print this message and quit\n");
> > >>>> printf(" -v,--verbose be verbose\n");
> > >>>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
> > >>>> }
> > >>>>
> > >>>> /* Sets the global mode variable to new_mode, but only if no other
> > >>>> @@ -173,6 +175,7 @@
> > >>>> {"reload", 0, NULL, 'R'},
> > >>>> {"noreload", 0, NULL, 'n'},
> > >>>> {"build", 0, NULL, 'B'},
> > >>>> + {"disable_dontaudit", 0, NULL, 'D'},
> > >>>> {NULL, 0, NULL, 0}
> > >>>> };
> > >>>> int i;
> > >>>> @@ -181,7 +184,7 @@
> > >>>> no_reload = 0;
> > >>>> create_store = 0;
> > >>>> while ((i =
> > >>>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> > >>>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> > >>>> NULL)) != -1) {
> > >>>> switch (i) {
> > >>>> case 'b':
> > >>>> @@ -218,6 +221,9 @@
> > >>>> case 'B':
> > >>>> build = 1;
> > >>>> break;
> > >>>> + case 'D':
> > >>>> + disable_dontaudit = 1;
> > >>>> + break;
> > >>>> case '?':
> > >>>> default:{
> > >>>> usage(argv[0]);
> > >>>> @@ -441,6 +447,8 @@
> > >>>> semanage_set_reload(sh, 0);
> > >>>> if (build)
> > >>>> semanage_set_rebuild(sh, 1);
> > >>>> + if (disable_dontaudit)
> > >>>> + semanage_set_disable_dontaudit(sh, 1);
> > >>>> result = semanage_commit(sh);
> > >>>> }
> > >>>>
> > >>>>
> > >>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> > >>>
> > >>> Merge at will.
> > >>>
> > >>>
> > >> So did we decide that the disadvantages of this approach are fine? The
> > >> one that bothers me is that rebooting doesn't reset the dontaudit state
> > >> (like it would with Eric's patch)...
> > >>
> > >
> > > That could be an advantage - suppose that you want to collect full audit
> > > information on the initialization itself. And it isn't different than
> > > the old 'make enableaudit load' approach.
> > >
> >
> > Good point, ok, I'll merge this in a bit, are there any other pending
> > merges?
>
> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> Others are less clear to me.
>
> I was going to test the libsemanage genhomedircon patches, but haven't
> done so yet. I don't have a problem with them conceptually. Have you
> verified that they yield no change in output under -targeted and -strict
> policy? And run them under valgrind?
Oh, and what to do about the fact that it won't build anywhere but
rawhide (ustr dependency)?
> Eric's handle unknown patches are still outstanding. Dan, if we merged
> that support, would you use it in building future policies?
>
> Karl's sepolgen bug fix looks fine to merge.
>
> I (or someone) have to rework libsepol in stable and trunk to avoid
> unaligned accesses (as per the wrong magic number thread). Already did
> it once for the kernel. Sigh.
>
--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 19:18 ` Stephen Smalley
@ 2007-08-16 19:30 ` Joshua Brindle
2007-08-16 19:33 ` Stephen Smalley
From: Joshua Brindle @ 2007-08-16 19:30 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh
Stephen Smalley wrote:
>> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
>> Others are less clear to me.
>>
>> I was going to test the libsemanage genhomedircon patches, but haven't
>> done so yet. I don't have a problem with them conceptually. Have you
>> verified that they yield no change in output under -targeted and -strict
>> policy? And run them under valgrind?
>>
>
> Oh, and what to do about the fact that it won't build anywhere but
> rawhide (ustr dependency)?
>
>
We can pull the parts of ustr we need into the library, it is designed
to be used that way. This is also trunk though, and we don't guarantee
ABI stability in trunk right? The sepolgen dependency of python 2.5
causes similar problems AFAIK.
>> Eric's handle unknown patches are still outstanding. Dan, if we merged
>> that support, would you use it in building future policies?
>>
>> Karl's sepolgen bug fix looks fine to merge.
>>
>> I (or someone) have to rework libsepol in stable and trunk to avoid
>> unaligned accesses (as per the wrong magic number thread). Already did
>> it once for the kernel. Sigh.
>>
>>
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 19:30 ` Joshua Brindle
@ 2007-08-16 19:33 ` Stephen Smalley
0 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 19:33 UTC (permalink / raw)
To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh
On Thu, 2007-08-16 at 15:30 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> >> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> >> Others are less clear to me.
> >>
> >> I was going to test the libsemanage genhomedircon patches, but haven't
> >> done so yet. I don't have a problem with them conceptually. Have you
> >> verified that they yield no change in output under -targeted and -strict
> >> policy? And run them under valgrind?
> >>
> >
> > Oh, and what to do about the fact that it won't build anywhere but
> > rawhide (ustr dependency)?
> >
> >
> We can pull the parts of ustr we need into the library, it is designed
> to do used that way. This is also trunk though, and we don't guarantee
> ABI stability in trunk right? The sepolgen dependency of python 2.5
> causes similar problems AFAIK.
Ok. I just wanted to test on F7, so I just did a yum
--enablerepo=development install ustr ustr-devel and then everything was
happy.
But the more important issue is that it doesn't work (see other mail).
Pity. ENOTEST w/o users added to seusers.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 18:04 ` Stephen Smalley
2007-08-16 19:18 ` Stephen Smalley
@ 2007-08-16 19:26 ` Joshua Brindle
2007-08-21 20:41 ` Daniel J Walsh
1 sibling, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 19:26 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh
Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
>>>
>>>
>>>> Stephen Smalley wrote:
>>>>
>>>>
>>>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Joshua Brindle wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> James Morris wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>>>> enableaudit.pp base policy. Which still doesn't remove the dontaudit
>>>>>>>>> rules from modules.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Are we sure this can't be done in userspace? Like, mangle all the
>>>>>>>> existing policy and reload it?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I agree, the infrastructure is certainly in place to do it, just add
>>>>>>> something in the sepol_handle that says dontaudits should be
>>>>>>> discarded, then make an interface in libsemanage that uses that and
>>>>>>> rebuild the policy.
>>>>>>>
>>>>>>> If noone beats me to it I will see if my conclusions about it being
>>>>>>> fairly simple are accurate this weekend :)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I changed my mind, patch below
>>>>>>
>>>>>> it compiles and seems to work after semodule -DB:
>>>>>>
>>>>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>>>>>> dontaudit
>>>>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>>>>>> Type 0, Modified 0)
>>>>>> Added TE Rules: 0
>>>>>> Added TE Rules because of new type: 0
>>>>>> Removed TE Rules: 326583
>>>>>> Removed TE Rules because of missing type: 0
>>>>>> Modified TE Rules: 0
>>>>>>
>>>>>> Index: libsemanage/include/semanage/handle.h
>>>>>> ===================================================================
>>>>>> --- libsemanage/include/semanage/handle.h (revision 2511)
>>>>>> +++ libsemanage/include/semanage/handle.h (working copy)
>>>>>> @@ -69,6 +69,9 @@
>>>>>> * 1 for yes, 0 for no (default) */
>>>>>> void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>>>>>
>>>>>> +/* Set whether or not to disable dontaudits upon commit */
>>>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>>>>> +
>>>>>> /* Check whether policy is managed via libsemanage on this system.
>>>>>> * Must be called prior to trying to connect.
>>>>>> * Return 1 if policy is managed via libsemanage on this system,
>>>>>> Index: libsemanage/src/libsemanage.map
>>>>>> ===================================================================
>>>>>> --- libsemanage/src/libsemanage.map (revision 2511)
>>>>>> +++ libsemanage/src/libsemanage.map (working copy)
>>>>>> @@ -13,6 +13,6 @@
>>>>>> semanage_iface_*; semanage_port_*; semanage_context_*;
>>>>>> semanage_node_*;
>>>>>> semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>>>>>> - semanage_is_connected;
>>>>>> + semanage_is_connected; semanage_set_disable_dontaudit;
>>>>>> local: *;
>>>>>> };
>>>>>> Index: libsemanage/src/handle.c
>>>>>> ===================================================================
>>>>>> --- libsemanage/src/handle.c (revision 2511)
>>>>>> +++ libsemanage/src/handle.c (working copy)
>>>>>> @@ -109,6 +109,14 @@
>>>>>> return;
>>>>>> }
>>>>>>
>>>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>>>>> +{
>>>>>> + assert(sh != NULL);
>>>>>> +
>>>>>> + sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>>>>> + return;
>>>>>> +}
>>>>>> +
>>>>>> int semanage_is_connected(semanage_handle_t * sh)
>>>>>> {
>>>>>> assert(sh != NULL);
>>>>>> Index: libsepol/include/sepol/handle.h
>>>>>> ===================================================================
>>>>>> --- libsepol/include/sepol/handle.h (revision 2511)
>>>>>> +++ libsepol/include/sepol/handle.h (working copy)
>>>>>> @@ -7,6 +7,10 @@
>>>>>> /* Create and return a sepol handle. */
>>>>>> sepol_handle_t *sepol_handle_create(void);
>>>>>>
>>>>>> +/* Set whether or not to disable dontaudits, 0 is default and does
>>>>>> + * not disable dontaudits, 1 disables them */
>>>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>>>>>> +
>>>>>> /* Destroy a sepol handle. */
>>>>>> void sepol_handle_destroy(sepol_handle_t *);
>>>>>>
>>>>>> Index: libsepol/src/handle.h
>>>>>> ===================================================================
>>>>>> --- libsepol/src/handle.h (revision 2511)
>>>>>> +++ libsepol/src/handle.h (working copy)
>>>>>> @@ -14,6 +14,9 @@
>>>>>> void (*msg_callback) (void *varg,
>>>>>> sepol_handle_t * handle, const char *fmt, ...);
>>>>>> void *msg_callback_arg;
>>>>>> +
>>>>>> + int disable_dontaudit;
>>>>>> +
>>>>>> };
>>>>>>
>>>>>> #endif
>>>>>> Index: libsepol/src/libsepol.map
>>>>>> ===================================================================
>>>>>> --- libsepol/src/libsepol.map (revision 2511)
>>>>>> +++ libsepol/src/libsepol.map (working copy)
>>>>>> @@ -12,5 +12,6 @@
>>>>>> sepol_policydb_*; sepol_set_policydb_from_file;
>>>>>> sepol_policy_kern_*;
>>>>>> sepol_policy_file_*;
>>>>>> + sepol_set_disable_dontaudit;
>>>>>> local: *;
>>>>>> };
>>>>>> Index: libsepol/src/expand.c
>>>>>> ===================================================================
>>>>>> --- libsepol/src/expand.c (revision 2511)
>>>>>> +++ libsepol/src/expand.c (working copy)
>>>>>> @@ -1367,6 +1367,8 @@
>>>>>> } else if (specified & AVRULE_AUDITDENY) {
>>>>>> spec = AVTAB_AUDITDENY;
>>>>>> } else if (specified & AVRULE_DONTAUDIT) {
>>>>>> + if (handle->disable_dontaudit)
>>>>>> + return EXPAND_RULE_SUCCESS;
>>>>>> spec = AVTAB_AUDITDENY;
>>>>>> } else if (specified & AVRULE_NEVERALLOW) {
>>>>>> spec = AVTAB_NEVERALLOW;
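Review bot: The new `if (handle->disable_dontaudit)` test on the DONTAUDIT branch dereferences `handle` without a NULL check; if any caller of the expand path passes a NULL sepol_handle_t (libsepol's message helpers are written to tolerate one, so such callers may exist), this turns into a crash where the old code simply kept the rule. `if (handle && handle->disable_dontaudit)` keeps the skip safe for those callers. Since a dontaudit rule only ever lands in the auditdeny mask (`spec = AVTAB_AUDITDENY` right below), skipping it changes what gets logged, not what is permitted; a one-line comment saying so at the early `return` would save the next reader from checking. The enclosing function starts and ends outside the hunk.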
>>>>>> Index: libsepol/src/handle.c
>>>>>> ===================================================================
>>>>>> --- libsepol/src/handle.c (revision 2511)
>>>>>> +++ libsepol/src/handle.c (working copy)
>>>>>> @@ -1,4 +1,5 @@
>>>>>> #include <stdlib.h>
>>>>>> +#include <assert.h>
>>>>>> #include "handle.h"
>>>>>> #include "debug.h"
>>>>>>
>>>>>> @@ -13,9 +14,18 @@
>>>>>> sh->msg_callback = sepol_msg_default_handler;
>>>>>> sh->msg_callback_arg = NULL;
>>>>>>
>>>>>> + /* by default do not disable dontaudits */
>>>>>> + sh->disable_dontaudit = 0;
>>>>>> +
>>>>>> return sh;
>>>>>> }
>>>>>>
>>>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>>>>>> +{
>>>>>> + assert(sh !=NULL);
>>>>>> + sh->disable_dontaudit = disable_dontaudit;
>>>>>> +}
>>>>>> +
>>>>>> void sepol_handle_destroy(sepol_handle_t * sh)
>>>>>> {
>>>>>> free(sh);
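Review bot: `assert(sh !=NULL);` in the new `sepol_set_disable_dontaudit` is spaced differently from the `assert(sh != NULL);` that the sibling libsemanage hunk and the existing `semanage_is_connected` use; `assert(sh != NULL);` keeps the two setters looking alike. Note also that an assert is the only NULL guard in both setters (the libsemanage one in the earlier handle.c hunk as well), so a build with NDEBUG defined dereferences a NULL handle silently; that matches the surrounding files' convention, so it is worth a comment rather than a change.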
>>>>>> Index: policycoreutils/semodule/semodule.c
>>>>>> ===================================================================
>>>>>> --- policycoreutils/semodule/semodule.c (revision 2511)
>>>>>> +++ policycoreutils/semodule/semodule.c (working copy)
>>>>>> @@ -44,6 +44,7 @@
>>>>>> static int no_reload;
>>>>>> static int create_store;
>>>>>> static int build;
>>>>>> +static int disable_dontaudit;
>>>>>>
>>>>>> static semanage_handle_t *sh = NULL;
>>>>>> static char *store;
>>>>>> @@ -131,6 +132,7 @@
>>>>>> printf(" -n,--noreload do not reload policy after commit\n");
>>>>>> printf(" -h,--help print this message and quit\n");
>>>>>> printf(" -v,--verbose be verbose\n");
>>>>>> + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
>>>>>> }
>>>>>>
>>>>>> /* Sets the global mode variable to new_mode, but only if no other
>>>>>> @@ -173,6 +175,7 @@
>>>>>> {"reload", 0, NULL, 'R'},
>>>>>> {"noreload", 0, NULL, 'n'},
>>>>>> {"build", 0, NULL, 'B'},
>>>>>> + {"disable_dontaudit", 0, NULL, 'D'},
>>>>>> {NULL, 0, NULL, 0}
>>>>>> };
>>>>>> int i;
>>>>>> @@ -181,7 +184,7 @@
>>>>>> no_reload = 0;
>>>>>> create_store = 0;
>>>>>> while ((i =
>>>>>> - getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>>>>>> + getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>>>>> NULL)) != -1) {
>>>>>> switch (i) {
>>>>>> case 'b':
>>>>>> @@ -218,6 +221,9 @@
>>>>>> case 'B':
>>>>>> build = 1;
>>>>>> break;
>>>>>> + case 'D':
>>>>>> + disable_dontaudit = 1;
>>>>>> + break;
>>>>>> case '?':
>>>>>> default:{
>>>>>> usage(argv[0]);
>>>>>> @@ -441,6 +447,8 @@
>>>>>> semanage_set_reload(sh, 0);
>>>>>> if (build)
>>>>>> semanage_set_rebuild(sh, 1);
>>>>>> + if (disable_dontaudit)
>>>>>> + semanage_set_disable_dontaudit(sh, 1);
>>>>>> result = semanage_commit(sh);
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>
>>>>> Merge at will.
>>>>>
>>>>>
>>>>>
>>>> So did we decide that the disadvantages of this approach are fine? The
>>>> one that bothers me is that rebooting doesn't reset the dontaudit state
>>>> (like it would with Eric's patch)...
>>>>
>>>>
>>> That could be an advantage - suppose that you want to collect full audit
>>> information on the initialization itself. And it isn't different than
>>> the old 'make enableaudit load' approach.
>>>
>>>
>> Good point, ok, I'll merge this in a bit, are there any other pending
>> merges?
>>
>
>
Merged into libsepol 2.0.6, libsemanage 2.0.4 and policycoreutils 2.0.23
> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> Others are less clear to me.
>
>
I'll wait until there is a complete patch
> I was going to test the libsemanage genhomedircon patches, but haven't
> done so yet. I don't have a problem with them conceptually. Have you
> verified that they yield no change in output under -targeted and -strict
> policy? And run them under valgrind?
>
>
targeted yields a change (pointed out in the initial email) which was
the result of a bug in genhomedircon, it's been valgrinded, I'm having
strict tested now.
> Eric's handle unknown patches are still outstanding. Dan, if we merged
> that support, would you use it in building future policies?
>
>
So we are going forward with this patch?
> Karl's sepolgen bug fix looks fine to merge.
>
>
merged.
> I (or someone) have to rework libsepol in stable and trunk to avoid
> unaligned accesses (as per the wrong magic number thread). Already did
> it once for the kernel. Sigh.
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-16 19:26 ` Joshua Brindle
@ 2007-08-21 20:41 ` Daniel J Walsh
2007-08-21 23:41 ` Joshua Brindle
2007-08-23 15:07 ` Stephen Smalley
0 siblings, 2 replies; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-21 20:41 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
[-- Attachment #1: Type: text/plain, Size: 536 bytes --]
I would like to get these patches into policycoreutils.
Submitted before, but here we go.
Change run_tty and open_init_pty to 755 instead of 555. Some audit
tools are reporting this as a problem, and I see no real value in 555
for these two.
Simple bugfix for chcat
Fixes to make sure fixfiles reports errors and handles strange regexes.
Speed enhancement for genhomedircon to only compile regex's once.
I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone will
run it as non root, but I guess you never know.
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 4930 bytes --]
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/run_init/Makefile policycoreutils-2.0.22/run_init/Makefile
--- nsapolicycoreutils/run_init/Makefile 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/run_init/Makefile 2007-07-31 15:45:57.000000000 -0400
@@ -34,8 +34,8 @@
install: all
test -d $(SBINDIR) || install -m 755 -d $(SBINDIR)
test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
- install -m 555 run_init $(SBINDIR)
- install -m 555 open_init_pty $(SBINDIR)
+ install -m 755 run_init $(SBINDIR)
+ install -m 755 open_init_pty $(SBINDIR)
install -m 644 run_init.8 $(MANDIR)/man8/
install -m 644 open_init_pty.8 $(MANDIR)/man8/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.22/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/chcat 2007-07-31 15:45:57.000000000 -0400
@@ -77,7 +77,7 @@
if len(cats) > 0:
new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
- else
+ else:
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
@@ -155,7 +155,7 @@
if len(cats) > 0:
new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
- else
+ else:
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.22/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/fixfiles 2007-07-31 15:45:57.000000000 -0400
@@ -88,7 +88,7 @@
esac; \
fi; \
done | \
- while read pattern ; do find $pattern \
+ while read pattern ; do sh -c "find $pattern" \
! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
done 2> /dev/null | \
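Review bot: `sh -c "find $pattern"` loses the filters that follow it: everything after the command string (`! \( -fstype ext2 ... \) -prune -o ... -print`) is passed to the inner shell as `$0`, `$1`, ... and never reaches `find`, so the filesystem-type and directory prunes are silently dropped. It also means the text read into `pattern` (its origin is the pipeline above, outside the hunk) is re-parsed as shell code instead of being passed as words, so any shell metacharacter in a file-context pattern is interpreted rather than searched for, with the errors hidden by the `2> /dev/null` below. The original `find $pattern \` already gave word splitting and glob expansion; if a subshell is really wanted, `sh -c 'find "$@"' find $pattern \` keeps the trailing arguments attached to find. The same patch is quoted again in a later reply in this thread; these remarks apply there too.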
@@ -108,6 +108,7 @@
rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
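Review bot: The added `[ ${PIPESTATUS[0]} != 0 ] && echo ...` is now the last command in `rpmlist`, so when rpm succeeds the `&&` list ends false and the function returns 1 on its success path; any caller that checks its status would see a failure. `if [ ${PIPESTATUS[0]} != 0 ]; then echo "$1 not found" >&2; fi` avoids that and uses `>&2`, which works even where `/dev/stderr` is not an openable path. `PIPESTATUS` is bash-specific; the script's interpreter line is not in the hunk, so this is fine only if fixfiles already requires bash.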
#
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.22/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/genhomedircon 2007-08-01 16:03:41.000000000 -0400
@@ -139,7 +139,22 @@
self.default_user = "user_u"
self.default_prefix = "user"
self.users = self.getUsers()
+ fd = open(self.getFileContextFile())
+ self.fclines=[]
+ for i in fd.readlines():
+ try:
+ regex = i.split()[0]
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ regex = re.sub("\.\*$", "", regex)
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ self.fclines.append(re.compile(regex))
+ except:
+ continue
+ fd.close()
+
def getFileContextDir(self):
return self.selinuxdir+self.type+self.filecontextdir
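Review bot: The bare `except: continue` in the new precompile loop hides `re.error` from a malformed pattern along with everything else (including KeyboardInterrupt), so a broken file-contexts entry is silently dropped instead of reported; `except (IndexError, re.error): continue` still skips blank lines while letting real failures surface. Comment lines in the file-contexts file also get compiled as patterns, which was true of the removed code in `checkExists` too, so a `if i.startswith('#'): continue` before the `try` would be a cheap improvement. The enclosing `__init__` starts outside the hunk.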
@@ -289,20 +304,9 @@
return ret+"\n"
def checkExists(self, home):
- fd = open(self.getFileContextFile())
- for i in fd.readlines():
- if len(i) == 0:
- continue
+ for i in self.fclines:
try:
- regex = i.split()[0]
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex,home, 0):
+ if i.match(home):
return 1
except:
continue
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.22/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/semanage/semanage 2007-07-31 15:45:57.000000000 -0400
@@ -34,7 +34,10 @@
sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
try:
- gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
+ gettext.install(PROGNAME,
+ localedir="/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
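Review bot: With `unicode=False` the installed `_()` returns byte strings in the `utf-8` codeset, but the `except IOError` fallback right below still binds `_` to `unicode`, so the two paths hand different string types to the `codecs.getwriter` wrapper on stdout above; non-ASCII messages may then be handled differently depending on which path was taken, which is hard to spot in testing. If the fallback is kept, consider having it return the string unchanged, e.g. `__builtin__.__dict__['_'] = str`, so both paths agree (hedged: I cannot see what the callers do with the result). Minor style point: `codeset = 'utf-8'` should be `codeset='utf-8'` to match the other keyword arguments.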
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-21 20:41 ` Daniel J Walsh
@ 2007-08-21 23:41 ` Joshua Brindle
2007-08-22 15:32 ` Daniel J Walsh
2007-08-23 15:07 ` Stephen Smalley
1 sibling, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-21 23:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
Daniel J Walsh wrote:
> I would like to get these patches into policycoreutils.
>
>
> Submitted before, but here we go.
>
> Change run_tty and open_init_pty to 755 instead of 555. Some audit
> tools are reporting this as a problem. And I see no real value of
> 555. for these to.
>
> Simple bugfix for chcat
>
> Fixes to make sure fixfiles reports errors and handles strange regexes.
>
> Speed enhancement for genhomedircon to only compile regex's once.
>
The current plan is to change to a genhomedircon based on C in
libsemanage. Have you looked at those patches to see if they suffer the
same problem you are fixing here?
>
> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone
> will run it as non root, but I guess you never no.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-21 23:41 ` Joshua Brindle
@ 2007-08-22 15:32 ` Daniel J Walsh
0 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-22 15:32 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux
Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> I would like to get these patches into policycoreutils.
>>
>>
>> Submitted before, but here we go.
>>
>> Change run_tty and open_init_pty to 755 instead of 555. Some audit
>> tools are reporting this as a problem. And I see no real value of
>> 555. for these to.
>>
>> Simple bugfix for chcat
>>
>> Fixes to make sure fixfiles reports errors and handles strange regexes.
>>
>> Speed enhancement for genhomedircon to only compile regex's once.
>>
> The current plan is to change to a genhomedircon based on C in
> libsemanage. Have you looked at those patches to see if they suffer
> the same problem you are fixing here?
No.
>
>>
>> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone
>> will run it as non root, but I guess you never no.
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] selinuxfs to globally disable dontaudit rules
2007-08-21 20:41 ` Daniel J Walsh
2007-08-21 23:41 ` Joshua Brindle
@ 2007-08-23 15:07 ` Stephen Smalley
1 sibling, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2007-08-23 15:07 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Joshua Brindle, James Morris, Eric Paris, selinux
On Tue, 2007-08-21 at 16:41 -0400, Daniel J Walsh wrote:
> I would like to get these patches into policycoreutils.
>
>
> Submitted before, but here we go.
In the future, please post one patch per message.
> Change run_tty and open_init_pty to 755 instead of 555. Some audit
> tools are reporting this as a problem. And I see no real value of 555.
> for these to.
>
> Simple bugfix for chcat
>
> Fixes to make sure fixfiles reports errors and handles strange regexes.
>
> Speed enhancement for genhomedircon to only compile regex's once.
I merged these to trunk, and the chcat bug fix to stable, but then the
libsemanage genhomedircon patch series removes genhomedircon altogether.
So you can extract the genhomedircon script with this enhancement from
the history, but you won't see any genhomedircon script at all on the
head.
> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone will
> run it as non root, but I guess you never no.
I actually dislike having things in sbin because normal user paths don't
include it (even after su, unless you do a 'su -'). Regardless, the
real issue is providing stability - changing paths after it has already
been out there for a little while is harmful.
> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/run_init/Makefile policycoreutils-2.0.22/run_init/Makefile
> --- nsapolicycoreutils/run_init/Makefile 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/run_init/Makefile 2007-07-31 15:45:57.000000000 -0400
> @@ -34,8 +34,8 @@
> install: all
> test -d $(SBINDIR) || install -m 755 -d $(SBINDIR)
> test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> - install -m 555 run_init $(SBINDIR)
> - install -m 555 open_init_pty $(SBINDIR)
> + install -m 755 run_init $(SBINDIR)
> + install -m 755 open_init_pty $(SBINDIR)
> install -m 644 run_init.8 $(MANDIR)/man8/
> install -m 644 open_init_pty.8 $(MANDIR)/man8/
> ifeq (${PAMH}, /usr/include/security/pam_appl.h)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.22/scripts/chcat
> --- nsapolicycoreutils/scripts/chcat 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/chcat 2007-07-31 15:45:57.000000000 -0400
> @@ -77,7 +77,7 @@
>
> if len(cats) > 0:
> new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> - else
> + else:
> new_serange = "%s-%s" % (serange[0], top[0])
>
> if add_ind:
> @@ -155,7 +155,7 @@
>
> if len(cats) > 0:
> new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> - else
> + else:
> new_serange = "%s-%s" % (serange[0], top[0])
>
> if add_ind:
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.22/scripts/fixfiles
> --- nsapolicycoreutils/scripts/fixfiles 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/fixfiles 2007-07-31 15:45:57.000000000 -0400
> @@ -88,7 +88,7 @@
> esac; \
> fi; \
> done | \
> - while read pattern ; do find $pattern \
> + while read pattern ; do sh -c "find $pattern" \
> ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \
> \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
> done 2> /dev/null | \
> @@ -108,6 +108,7 @@
>
> rpmlist() {
> rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
> +[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
> }
>
> #
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.22/scripts/genhomedircon
> --- nsapolicycoreutils/scripts/genhomedircon 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/genhomedircon 2007-08-01 16:03:41.000000000 -0400
> @@ -139,7 +139,22 @@
> self.default_user = "user_u"
> self.default_prefix = "user"
> self.users = self.getUsers()
> + fd = open(self.getFileContextFile())
> + self.fclines=[]
> + for i in fd.readlines():
> + try:
> + regex = i.split()[0]
> + #match a trailing .+
> + regex = re.sub("\.+$", "", regex)
> + regex = re.sub("\.\*$", "", regex)
> + regex = re.sub("\(\/\.\*\)\?", "", regex)
> + regex = regex + "/*$"
> + self.fclines.append(re.compile(regex))
> + except:
> + continue
>
> + fd.close()
> +
> def getFileContextDir(self):
> return self.selinuxdir+self.type+self.filecontextdir
>
> @@ -289,20 +304,9 @@
> return ret+"\n"
>
> def checkExists(self, home):
> - fd = open(self.getFileContextFile())
> - for i in fd.readlines():
> - if len(i) == 0:
> - continue
> + for i in self.fclines:
> try:
> - regex = i.split()[0]
> - #match a trailing .+
> - regex = re.sub("\.+$", "", regex)
> - regex = re.sub("\.\*$", "", regex)
> - #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
> -
> - regex = re.sub("\(\/\.\*\)\?", "", regex)
> - regex = regex + "/*$"
> - if re.search(regex,home, 0):
> + if i.match(home):
> return 1
> except:
> continue
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.22/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/semanage/semanage 2007-07-31 15:45:57.000000000 -0400
> @@ -34,7 +34,10 @@
> sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
>
> try:
> - gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
> + gettext.install(PROGNAME,
> + localedir="/usr/share/locale",
> + unicode=False,
> + codeset = 'utf-8')
> except IOError:
> import __builtin__
> __builtin__.__dict__['_'] = unicode
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.