* [PATCH] selinuxfs to globally disable dontaudit rules
@ 2007-08-09 21:58 Eric Paris
  2007-08-09 22:28 ` James Morris
  0 siblings, 1 reply; 22+ messages in thread
From: Eric Paris @ 2007-08-09 21:58 UTC (permalink / raw)
  To: selinux; +Cc: sds, jmorris, dwalsh

Currently, the best you can do to disable dontaudit rules is to load the
enableaudit.pp base policy, which still doesn't remove the dontaudit
rules from modules.  This patch introduces a /selinux interface
"allaudit" which ignores dontaudit rules.  (I'm open to suggestions for
a good name 'enabledisabledontaudit' seemed like a good name to me, but
I don't know if everyone would agree)

I decided to use the same security permission as setenforce and as a
result did a little bit of code merging in selinuxfs between enforcing
and allaudit.

Signed-off-by: Eric Paris <eparis@redhat.com>

---

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 0e69adf..bfd979a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -117,6 +117,7 @@ struct avc_callback_node {
 
 /* Exported via selinufs */
 unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
+unsigned int selinux_allaudit = 0;
 
 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
 DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
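Review bot: The new `selinux_allaudit` global is exported with no comment saying what it controls, and the name does not reveal that it overrides dontaudit rules rather than enabling auditing of allowed accesses. Suggest a comment above the definition: `/* When non-zero, dontaudit rules are ignored and every denial is audited; set via the selinuxfs "allaudit" file or the selinux_allaudit= boot parameter. */`. Since the flag is read in avc_audit() and written from selinuxfs without any lock visible in this patch, the comment is also the place to state that only 0 or 1 is ever stored.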
@@ -537,7 +538,7 @@ void avc_audit(u32 ssid, u32 tsid,
 	denied = requested & ~avd->allowed;
 	if (denied) {
 		audited = denied;
-		if (!(audited & avd->auditdeny))
+		if (!(audited & avd->auditdeny) && !selinux_allaudit)
 			return;
 	} else if (result) {
 		audited = denied = requested;
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index e145f6e..99b31ec 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,6 +130,7 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
 /* Exported to selinuxfs */
 int avc_get_hash_stats(char *page);
 extern unsigned int avc_cache_threshold;
+extern unsigned int selinux_allaudit;
 
 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index c9e92da..89f11b9 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -60,6 +60,14 @@ static int __init selinux_compat_net_setup(char *str)
 __setup("selinux_compat_net=", selinux_compat_net_setup);
 
 
+static int __init selinux_allaudit_setup(char *str)
+{
+	selinux_allaudit = simple_strtoul(str,NULL,0) ? 1 : 0;
+	return 1;
+}
+__setup("selinux_allaudit=", selinux_allaudit_setup);
+
+
 static DEFINE_MUTEX(sel_mutex);
 
 /* global data for booleans */
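Review bot: `simple_strtoul(str,NULL,0)` in selinux_allaudit_setup drops the spaces after the commas that the rest of this file uses; write it `selinux_allaudit = simple_strtoul(str, NULL, 0) ? 1 : 0;`. The new `selinux_allaudit=` boot parameter also gets no entry in the kernel's boot-parameter documentation in this patch, whereas `selinux_compat_net=` just above it presumably has one; add an entry saying that a non-zero value audits every denial from boot regardless of dontaudit rules.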
@@ -103,6 +111,7 @@ enum sel_inos {
 	SEL_MEMBER,	/* compute polyinstantiation membership decision */
 	SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
 	SEL_COMPAT_NET,	/* whether to use old compat network packet controls */
+	SEL_ALLAUDIT,	/* globally disable donaudit */
 	SEL_INO_NEXT,	/* The next inode number to use */
 };
 
@@ -114,19 +123,31 @@ static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
 #define SEL_INO_MASK		0x00ffffff
 
 #define TMPBUFLEN	12
-static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
-				size_t count, loff_t *ppos)
+static ssize_t sel_read_generic(struct file *filp, char __user *buf,
+				size_t count, loff_t *ppos, int *to_change)
 {
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", *to_change);
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
+static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
+				size_t count, loff_t *ppos)
+{
+	return sel_read_generic(filp, buf, count, ppos, &selinux_enforcing);
+}
+
+static ssize_t sel_read_allaudit(struct file *filp, char __user *buf,
+				size_t count, loff_t *ppos)
+{
+	return sel_read_generic(filp, buf, count, ppos, &selinux_allaudit);
+}
+
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
-				 size_t count, loff_t *ppos)
+static ssize_t sel_write_enforce_generic(struct file * file, const char __user * buf,
+				 size_t count, loff_t *ppos, int *to_change)
 
 {
 	char *page;
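Review bot: `&selinux_allaudit` is passed as the `int *to_change` argument of sel_read_generic (and of sel_write_enforce_generic in the next hunk), but the avc.c hunk declares the variable `unsigned int`; that is an incompatible-pointer-type warning, and the value is then formatted with `%d`. Declare it `int selinux_allaudit = 0;` in avc.c and `extern int selinux_allaudit;` in avc.h so it matches `selinux_enforcing`, or change both helpers to take the unsigned type. The body of sel_write_enforce_generic continues in the next hunk. Separately, the enum comment added in the preceding hunk reads `globally disable donaudit`; it should read `globally disable dontaudit rules`.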
@@ -150,26 +171,58 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
 	if (sscanf(page, "%d", &new_value) != 1)
 		goto out;
 
-	if (new_value != selinux_enforcing) {
+	if (new_value != *to_change) {
 		length = task_has_security(current, SECURITY__SETENFORCE);
 		if (length)
 			goto out;
+		*to_change = new_value;
+	}
+	length = count;
+out:
+	free_page((unsigned long) page);
+	return length;
+}
+
+static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
+				 size_t count, loff_t *ppos)
+
+{
+	int old_value = selinux_enforcing;
+
+	int rc = sel_write_enforce_generic(file, buf, count, ppos,
+					   &selinux_enforcing);
+
+	if ((rc > 0) && (old_value != selinux_enforcing)) {
 		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-			"enforcing=%d old_enforcing=%d auid=%u", new_value, 
-			selinux_enforcing,
+			"enforcing=%d old_enforcing=%d auid=%u",
+			selinux_enforcing, old_value,
 			audit_get_loginuid(current->audit_context));
-		selinux_enforcing = new_value;
 		if (selinux_enforcing)
 			avc_ss_reset(0);
 		selnl_notify_setenforce(selinux_enforcing);
 	}
-	length = count;
-out:
-	free_page((unsigned long) page);
-	return length;
+	return rc;
+}
+
+static ssize_t sel_write_allaudit(struct file * file, const char __user * buf,
+				 size_t count, loff_t *ppos)
+
+{
+	int old_value = selinux_allaudit;
+
+	int rc = sel_write_enforce_generic(file, buf, count, ppos,
+					   &selinux_allaudit);
+
+	if ((rc > 0) && (old_value != selinux_allaudit))
+		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+			"allaudit=%d old_allaudit=%d auid=%u",
+			selinux_allaudit, old_value,
+			audit_get_loginuid(current->audit_context));
+	return rc;
 }
 #else
 #define sel_write_enforce NULL
+#define sel_write_allaudit NULL
 #endif
 
 static const struct file_operations sel_enforce_ops = {
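Review bot: Both wrappers store the `ssize_t` result of sel_write_enforce_generic in an `int rc` (`int rc = sel_write_enforce_generic(file, buf, count, ppos,` in sel_write_enforce and again in sel_write_allaudit); declare it `ssize_t rc` so the returned count or error code is not narrowed on the way back to the VFS. Now that the helper serves both files, `sel_write_generic` would parallel `sel_read_generic` better than `sel_write_enforce_generic`. Note also that the `old_value` snapshot is taken and the audit record written outside any lock visible here, so two concurrent writers could both log the same old value; that appears to match the original enforce path and merits a one-line comment rather than a change in this patch.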
@@ -177,6 +230,11 @@ static const struct file_operations sel_enforce_ops = {
 	.write		= sel_write_enforce,
 };
 
+static const struct file_operations sel_allaudit_ops = {
+	.read		= sel_read_allaudit,
+	.write		= sel_write_allaudit,
+};
+
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 static ssize_t sel_write_disable(struct file * file, const char __user * buf,
 				 size_t count, loff_t *ppos)
@@ -1575,6 +1633,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
 		[SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
 		[SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
 		[SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
+		[SEL_ALLAUDIT] = {"allaudit", &sel_allaudit_ops, S_IRUGO|S_IWUSR},
 		/* last one */ {""}
 	};
 	ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);





* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-09 21:58 [PATCH] selinuxfs to globally disable dontaudit rules Eric Paris
@ 2007-08-09 22:28 ` James Morris
  2007-08-10  0:14   ` Joshua Brindle
  0 siblings, 1 reply; 22+ messages in thread
From: James Morris @ 2007-08-09 22:28 UTC (permalink / raw)
  To: Eric Paris; +Cc: selinux, sds, dwalsh

On Thu, 9 Aug 2007, Eric Paris wrote:

> Currently to disable dontaudit rules best you can do it to load the
> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> rules from modules.

Are we sure this can't be done in userspace?  Like, mangle all the 
existing policy and reload it?

>  This patch introduces a /selinux interface
> "allaudit" which ignores dontaudit rules.  (I'm open to suggestions for
> a good name 'enabledisabledontaudit' seemed like a good name to me, but
> I don't know if everyone would agree)

'disable_dontaudit'

> 
> I decided to use the same security permission as setenforce and as a
> result did a little bit of code merging in selinuxfs between enforcing
> and allaudit.

Please do this in a separate patch.

-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-09 22:28 ` James Morris
@ 2007-08-10  0:14   ` Joshua Brindle
  2007-08-10  1:22     ` Joshua Brindle
  0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-10  0:14 UTC (permalink / raw)
  To: James Morris; +Cc: Eric Paris, selinux, sds, dwalsh

James Morris wrote:
> On Thu, 9 Aug 2007, Eric Paris wrote:
>
>   
>> Currently to disable dontaudit rules best you can do it to load the
>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>> rules from modules.
>>     
>
> Are we sure this can't be done in userspace?  Like, mangle all the 
> existing policy and reload it?
>
>   
I agree, the infrastructure is certainly in place to do it, just add 
something in the sepol_handle that says dontaudits should be discarded, 
then make an interface in libsemanage that uses that and rebuild the policy.

If no one beats me to it, I will see whether my conclusions about it being 
fairly simple are accurate this weekend :)






* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10  0:14   ` Joshua Brindle
@ 2007-08-10  1:22     ` Joshua Brindle
  2007-08-10 12:01       ` Stephen Smalley
  2007-08-16 17:28       ` Stephen Smalley
  0 siblings, 2 replies; 22+ messages in thread
From: Joshua Brindle @ 2007-08-10  1:22 UTC (permalink / raw)
  To: James Morris; +Cc: Eric Paris, selinux, sds, dwalsh

Joshua Brindle wrote:
> James Morris wrote:
>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>
>>  
>>> Currently to disable dontaudit rules best you can do it to load the
>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>>> rules from modules.
>>>     
>>
>> Are we sure this can't be done in userspace?  Like, mangle all the 
>> existing policy and reload it?
>>
>>   
> I agree, the infrastructure is certainly in place to do it, just add 
> something in the sepol_handle that says dontaudits should be 
> discarded, then make an interface in libsemanage that uses that and 
> rebuild the policy.
>
> If noone beats me to it I will see if my conclusions about it being 
> fairly simple are accurate this weekend :)
>

I changed my mind; patch below.

It compiles and seems to work after `semodule -DB`:

[root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
dontaudit
TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
Type 0, Modified 0)
 Added TE Rules: 0
 Added TE Rules because of new type: 0
 Removed TE Rules: 326583
 Removed TE Rules because of missing type: 0
 Modified TE Rules: 0

Index: libsemanage/include/semanage/handle.h
===================================================================
--- libsemanage/include/semanage/handle.h	(revision 2511)
+++ libsemanage/include/semanage/handle.h	(working copy)
@@ -69,6 +69,9 @@
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/* Set whether or not to disable dontaudits upon commit */
+void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
+
 /* Check whether policy is managed via libsemanage on this system.
  * Must be called prior to trying to connect.
  * Return 1 if policy is managed via libsemanage on this system,
Index: libsemanage/src/libsemanage.map
===================================================================
--- libsemanage/src/libsemanage.map	(revision 2511)
+++ libsemanage/src/libsemanage.map	(working copy)
@@ -13,6 +13,6 @@
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected;
+	  semanage_is_connected; semanage_set_disable_dontaudit;
   local: *;
 };
Index: libsemanage/src/handle.c
===================================================================
--- libsemanage/src/handle.c	(revision 2511)
+++ libsemanage/src/handle.c	(working copy)
@@ -109,6 +109,14 @@
 	return;
 }
 
+void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
+{
+	assert(sh != NULL);
+	
+	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	return;
+}
+
 int semanage_is_connected(semanage_handle_t * sh)
 {
 	assert(sh != NULL);
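Review bot: The body of semanage_set_disable_dontaudit carries a whitespace-only line (`+\t`) and a trailing `return;` that a void function does not need; drop both so it reads like the setters around it. The header hunk says the flag applies "upon commit", which is exactly what a caller needs to know, so repeat it as a one-line comment on the definition: `/* Forwarded to the sepol handle; as the header says, it is applied at commit. */`.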
Index: libsepol/include/sepol/handle.h
===================================================================
--- libsepol/include/sepol/handle.h	(revision 2511)
+++ libsepol/include/sepol/handle.h	(working copy)
@@ -7,6 +7,10 @@
 /* Create and return a sepol handle. */
 sepol_handle_t *sepol_handle_create(void);
 
+/* Set whether or not to disable dontaudits, 0 is default and does 
+ * not disable dontaudits, 1 disables them */
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+
 /* Destroy a sepol handle. */
 void sepol_handle_destroy(sepol_handle_t *);
 
Index: libsepol/src/handle.h
===================================================================
--- libsepol/src/handle.h	(revision 2511)
+++ libsepol/src/handle.h	(working copy)
@@ -14,6 +14,9 @@
 	void (*msg_callback) (void *varg,
 			      sepol_handle_t * handle, const char *fmt, ...);
 	void *msg_callback_arg;
+
+	int disable_dontaudit;
+
 };
 
 #endif
Index: libsepol/src/libsepol.map
===================================================================
--- libsepol/src/libsepol.map	(revision 2511)
+++ libsepol/src/libsepol.map	(working copy)
@@ -12,5 +12,6 @@
 	sepol_policydb_*; sepol_set_policydb_from_file; 
 	sepol_policy_kern_*;
 	sepol_policy_file_*;
+	sepol_set_disable_dontaudit;
   local: *;
 };
Index: libsepol/src/expand.c
===================================================================
--- libsepol/src/expand.c	(revision 2511)
+++ libsepol/src/expand.c	(working copy)
@@ -1367,6 +1367,8 @@
 	} else if (specified & AVRULE_AUDITDENY) {
 		spec = AVTAB_AUDITDENY;
 	} else if (specified & AVRULE_DONTAUDIT) {
+		if (handle->disable_dontaudit)
+			return EXPAND_RULE_SUCCESS;
 		spec = AVTAB_AUDITDENY;
 	} else if (specified & AVRULE_NEVERALLOW) {
 		spec = AVTAB_NEVERALLOW;
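Review bot: `handle->disable_dontaudit` dereferences `handle` unconditionally; if this expansion path can be entered with a NULL handle (libsepol's other entry points appear to tolerate one, though this function's signature is outside the hunk), the new test faults where the old code did not. Guard it: `if (handle && handle->disable_dontaudit)`. A short comment would also help, because returning EXPAND_RULE_SUCCESS before `spec` is assigned silently drops the rule: `/* dontaudit rules are discarded entirely when the handle asks for it */`. The enclosing function starts and ends outside this hunk.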
Index: libsepol/src/handle.c
===================================================================
--- libsepol/src/handle.c	(revision 2511)
+++ libsepol/src/handle.c	(working copy)
@@ -1,4 +1,5 @@
 #include <stdlib.h>
+#include <assert.h>
 #include "handle.h"
 #include "debug.h"
 
@@ -13,9 +14,18 @@
 	sh->msg_callback = sepol_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	/* by default do not disable dontaudits */
+	sh->disable_dontaudit = 0;
+
 	return sh;
 }
 
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
+{
+	assert(sh !=NULL);
+	sh->disable_dontaudit = disable_dontaudit;
+}
+
 void sepol_handle_destroy(sepol_handle_t * sh)
 {
 	free(sh);
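Review bot: `assert(sh !=NULL);` in sepol_set_disable_dontaudit is compiled out under NDEBUG, after which a NULL handle faults on the assignment instead of being reported; for a public library setter prefer an explicit `if (sh == NULL) return;`, or at least write the assert with conventional spacing, `assert(sh != NULL);`, as the libsemanage hunk does. Storing `sh->disable_dontaudit = !!disable_dontaudit;` would also normalise the value to the 0/1 contract the public header documents.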
Index: policycoreutils/semodule/semodule.c
===================================================================
--- policycoreutils/semodule/semodule.c	(revision 2511)
+++ policycoreutils/semodule/semodule.c	(working copy)
@@ -44,6 +44,7 @@
 static int no_reload;
 static int create_store;
 static int build;
+static int disable_dontaudit;
 
 static semanage_handle_t *sh = NULL;
 static char *store;
@@ -131,6 +132,7 @@
 	printf("  -n,--noreload	   do not reload policy after commit\n");
 	printf("  -h,--help        print this message and quit\n");
 	printf("  -v,--verbose     be verbose\n");
+	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
 }
 
 /* Sets the global mode variable to new_mode, but only if no other
@@ -173,6 +175,7 @@
 		{"reload", 0, NULL, 'R'},
 		{"noreload", 0, NULL, 'n'},
 		{"build", 0, NULL, 'B'},
+		{"disable_dontaudit", 0, NULL, 'D'},
 		{NULL, 0, NULL, 0}
 	};
 	int i;
@@ -181,7 +184,7 @@
 	no_reload = 0;
 	create_store = 0;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
+		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
 			    NULL)) != -1) {
 		switch (i) {
 		case 'b':
@@ -218,6 +221,9 @@
 		case 'B':
 			build = 1;
 			break;
+		case 'D':
+			disable_dontaudit = 1;
+			break;
 		case '?':
 		default:{
 				usage(argv[0]);
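Review bot: Setting `disable_dontaudit = 1` on its own may not change anything: the commit hunk only calls semanage_set_disable_dontaudit() before semanage_commit(), and the test in the description needed `semodule -DB`, which suggests the rebuild flag is what forces the policy to be regenerated. Either set `build = 1;` alongside it in this case, or state in the usage text that `-D` must be combined with `-B` or a module change. The usage line added in the earlier hunk also separates the option from its description with a tab where the neighbouring lines use spaces.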
@@ -441,6 +447,8 @@
 			semanage_set_reload(sh, 0);
 		if (build)
 			semanage_set_rebuild(sh, 1);
+		if (disable_dontaudit)
+			semanage_set_disable_dontaudit(sh, 1);
 		result = semanage_commit(sh);
 	}
 






* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10  1:22     ` Joshua Brindle
@ 2007-08-10 12:01       ` Stephen Smalley
  2007-08-10 15:29         ` Daniel J Walsh
  2007-08-16 17:28       ` Stephen Smalley
  1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-10 12:01 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > James Morris wrote:
> >> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>
> >>  
> >>> Currently to disable dontaudit rules best you can do it to load the
> >>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> >>> rules from modules.
> >>>     
> >>
> >> Are we sure this can't be done in userspace?  Like, mangle all the 
> >> existing policy and reload it?
> >>
> >>   
> > I agree, the infrastructure is certainly in place to do it, just add 
> > something in the sepol_handle that says dontaudits should be 
> > discarded, then make an interface in libsemanage that uses that and 
> > rebuild the policy.
> >
> > If noone beats me to it I will see if my conclusions about it being 
> > fairly simple are accurate this weekend :)
> >
> 
> I changed my mind, patch below
> 
> it compiles and seems to work after semodule -DB:

Hmm...doing it this way means that the "disable_dontaudit" behavior
won't persist across subsequent policy changes, so if I e.g. then change
a boolean persistently, I'll get back all of the dontaudit rules too.

Is that what you want, or do you want this flag saved in the policy
module store and settable/clearable via semanage to be applied to all
subsequent policy builds?

> 
> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> dontaudit
> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> Type 0, Modified 0)
>  Added TE Rules: 0
>  Added TE Rules because of new type: 0
>  Removed TE Rules: 326583
>  Removed TE Rules because of missing type: 0
>  Modified TE Rules: 0
> 
> Index: libsemanage/include/semanage/handle.h
> ===================================================================
> --- libsemanage/include/semanage/handle.h	(revision 2511)
> +++ libsemanage/include/semanage/handle.h	(working copy)
> @@ -69,6 +69,9 @@
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> +/* Set whether or not to disable dontaudits upon commit */
> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> +
>  /* Check whether policy is managed via libsemanage on this system.
>   * Must be called prior to trying to connect.
>   * Return 1 if policy is managed via libsemanage on this system,
> Index: libsemanage/src/libsemanage.map
> ===================================================================
> --- libsemanage/src/libsemanage.map	(revision 2511)
> +++ libsemanage/src/libsemanage.map	(working copy)
> @@ -13,6 +13,6 @@
>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>  	  semanage_node_*;
>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> -	  semanage_is_connected;
> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>    local: *;
>  };
> Index: libsemanage/src/handle.c
> ===================================================================
> --- libsemanage/src/handle.c	(revision 2511)
> +++ libsemanage/src/handle.c	(working copy)
> @@ -109,6 +109,14 @@
>  	return;
>  }
>  
> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> +{
> +	assert(sh != NULL);
> +	
> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +	return;
> +}
> +
>  int semanage_is_connected(semanage_handle_t * sh)
>  {
>  	assert(sh != NULL);
> Index: libsepol/include/sepol/handle.h
> ===================================================================
> --- libsepol/include/sepol/handle.h	(revision 2511)
> +++ libsepol/include/sepol/handle.h	(working copy)
> @@ -7,6 +7,10 @@
>  /* Create and return a sepol handle. */
>  sepol_handle_t *sepol_handle_create(void);
>  
> +/* Set whether or not to disable dontaudits, 0 is default and does 
> + * not disable dontaudits, 1 disables them */
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> +
>  /* Destroy a sepol handle. */
>  void sepol_handle_destroy(sepol_handle_t *);
>  
> Index: libsepol/src/handle.h
> ===================================================================
> --- libsepol/src/handle.h	(revision 2511)
> +++ libsepol/src/handle.h	(working copy)
> @@ -14,6 +14,9 @@
>  	void (*msg_callback) (void *varg,
>  			      sepol_handle_t * handle, const char *fmt, ...);
>  	void *msg_callback_arg;
> +
> +	int disable_dontaudit;
> +
>  };
>  
>  #endif
> Index: libsepol/src/libsepol.map
> ===================================================================
> --- libsepol/src/libsepol.map	(revision 2511)
> +++ libsepol/src/libsepol.map	(working copy)
> @@ -12,5 +12,6 @@
>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>  	sepol_policy_kern_*;
>  	sepol_policy_file_*;
> +	sepol_set_disable_dontaudit;
>    local: *;
>  };
> Index: libsepol/src/expand.c
> ===================================================================
> --- libsepol/src/expand.c	(revision 2511)
> +++ libsepol/src/expand.c	(working copy)
> @@ -1367,6 +1367,8 @@
>  	} else if (specified & AVRULE_AUDITDENY) {
>  		spec = AVTAB_AUDITDENY;
>  	} else if (specified & AVRULE_DONTAUDIT) {
> +		if (handle->disable_dontaudit)
> +			return EXPAND_RULE_SUCCESS;
>  		spec = AVTAB_AUDITDENY;
>  	} else if (specified & AVRULE_NEVERALLOW) {
>  		spec = AVTAB_NEVERALLOW;
> Index: libsepol/src/handle.c
> ===================================================================
> --- libsepol/src/handle.c	(revision 2511)
> +++ libsepol/src/handle.c	(working copy)
> @@ -1,4 +1,5 @@
>  #include <stdlib.h>
> +#include <assert.h>
>  #include "handle.h"
>  #include "debug.h"
>  
> @@ -13,9 +14,18 @@
>  	sh->msg_callback = sepol_msg_default_handler;
>  	sh->msg_callback_arg = NULL;
>  
> +	/* by default do not disable dontaudits */
> +	sh->disable_dontaudit = 0;
> +
>  	return sh;
>  }
>  
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> +{
> +	assert(sh !=NULL);
> +	sh->disable_dontaudit = disable_dontaudit;
> +}
> +
>  void sepol_handle_destroy(sepol_handle_t * sh)
>  {
>  	free(sh);
> Index: policycoreutils/semodule/semodule.c
> ===================================================================
> --- policycoreutils/semodule/semodule.c	(revision 2511)
> +++ policycoreutils/semodule/semodule.c	(working copy)
> @@ -44,6 +44,7 @@
>  static int no_reload;
>  static int create_store;
>  static int build;
> +static int disable_dontaudit;
>  
>  static semanage_handle_t *sh = NULL;
>  static char *store;
> @@ -131,6 +132,7 @@
>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>  	printf("  -h,--help        print this message and quit\n");
>  	printf("  -v,--verbose     be verbose\n");
> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>  }
>  
>  /* Sets the global mode variable to new_mode, but only if no other
> @@ -173,6 +175,7 @@
>  		{"reload", 0, NULL, 'R'},
>  		{"noreload", 0, NULL, 'n'},
>  		{"build", 0, NULL, 'B'},
> +		{"disable_dontaudit", 0, NULL, 'D'},
>  		{NULL, 0, NULL, 0}
>  	};
>  	int i;
> @@ -181,7 +184,7 @@
>  	no_reload = 0;
>  	create_store = 0;
>  	while ((i =
> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>  			    NULL)) != -1) {
>  		switch (i) {
>  		case 'b':
> @@ -218,6 +221,9 @@
>  		case 'B':
>  			build = 1;
>  			break;
> +		case 'D':
> +			disable_dontaudit = 1;
> +			break;
>  		case '?':
>  		default:{
>  				usage(argv[0]);
> @@ -441,6 +447,8 @@
>  			semanage_set_reload(sh, 0);
>  		if (build)
>  			semanage_set_rebuild(sh, 1);
> +		if (disable_dontaudit)
> +			semanage_set_disable_dontaudit(sh, 1);
>  		result = semanage_commit(sh);
>  	}
>  
> 
> 
-- 
Stephen Smalley
National Security Agency




* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10 12:01       ` Stephen Smalley
@ 2007-08-10 15:29         ` Daniel J Walsh
  2007-08-10 15:58           ` Joshua Brindle
  0 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-10 15:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Joshua Brindle, James Morris, Eric Paris, selinux

Stephen Smalley wrote:
> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>   
>> Joshua Brindle wrote:
>>     
>>> James Morris wrote:
>>>       
>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>
>>>>  
>>>>         
>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>>>>> rules from modules.
>>>>>     
>>>>>           
>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
>>>> existing policy and reload it?
>>>>
>>>>   
>>>>         
>>> I agree, the infrastructure is certainly in place to do it, just add 
>>> something in the sepol_handle that says dontaudits should be 
>>> discarded, then make an interface in libsemanage that uses that and 
>>> rebuild the policy.
>>>
>>> If noone beats me to it I will see if my conclusions about it being 
>>> fairly simple are accurate this weekend :)
>>>
>>>       
>> I changed my mind, patch below
>>
>> it compiles and seems to work after semodule -DB:
>>     
>
> Hmm...doing it this way means that the "disable_dontaudit" behavior
> won't persist across subsequent policy changes, so if I e.g. then change
> a boolean persistently, I'll get back all of the dontaudit rules too.
>
> Is that what you want, or do you want this flag saved in the policy
> module store and settable/clearable via semanage to be applied to all
> subsequent policy builds?
>
>   
This looks great but it needs to survive a policy rebuild as Stephen says.


>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>> dontaudit
>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>> Type 0, Modified 0)
>>  Added TE Rules: 0
>>  Added TE Rules because of new type: 0
>>  Removed TE Rules: 326583
>>  Removed TE Rules because of missing type: 0
>>  Modified TE Rules: 0
>>
>> Index: libsemanage/include/semanage/handle.h
>> ===================================================================
>> --- libsemanage/include/semanage/handle.h	(revision 2511)
>> +++ libsemanage/include/semanage/handle.h	(working copy)
>> @@ -69,6 +69,9 @@
>>   * 1 for yes, 0 for no (default) */
>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>  
>> +/* Set whether or not to disable dontaudits upon commit */
>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>> +
>>  /* Check whether policy is managed via libsemanage on this system.
>>   * Must be called prior to trying to connect.
>>   * Return 1 if policy is managed via libsemanage on this system,
>> Index: libsemanage/src/libsemanage.map
>> ===================================================================
>> --- libsemanage/src/libsemanage.map	(revision 2511)
>> +++ libsemanage/src/libsemanage.map	(working copy)
>> @@ -13,6 +13,6 @@
>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>>  	  semanage_node_*;
>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>> -	  semanage_is_connected;
>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>>    local: *;
>>  };
>> Index: libsemanage/src/handle.c
>> ===================================================================
>> --- libsemanage/src/handle.c	(revision 2511)
>> +++ libsemanage/src/handle.c	(working copy)
>> @@ -109,6 +109,14 @@
>>  	return;
>>  }
>>  
>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>> +{
>> +	assert(sh != NULL);
>> +	
>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> +	return;
>> +}
>> +
>>  int semanage_is_connected(semanage_handle_t * sh)
>>  {
>>  	assert(sh != NULL);
>> Index: libsepol/include/sepol/handle.h
>> ===================================================================
>> --- libsepol/include/sepol/handle.h	(revision 2511)
>> +++ libsepol/include/sepol/handle.h	(working copy)
>> @@ -7,6 +7,10 @@
>>  /* Create and return a sepol handle. */
>>  sepol_handle_t *sepol_handle_create(void);
>>  
>> +/* Set whether or not to disable dontaudits, 0 is default and does 
>> + * not disable dontaudits, 1 disables them */
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>> +
>>  /* Destroy a sepol handle. */
>>  void sepol_handle_destroy(sepol_handle_t *);
>>  
>> Index: libsepol/src/handle.h
>> ===================================================================
>> --- libsepol/src/handle.h	(revision 2511)
>> +++ libsepol/src/handle.h	(working copy)
>> @@ -14,6 +14,9 @@
>>  	void (*msg_callback) (void *varg,
>>  			      sepol_handle_t * handle, const char *fmt, ...);
>>  	void *msg_callback_arg;
>> +
>> +	int disable_dontaudit;
>> +
>>  };
>>  
>>  #endif
>> Index: libsepol/src/libsepol.map
>> ===================================================================
>> --- libsepol/src/libsepol.map	(revision 2511)
>> +++ libsepol/src/libsepol.map	(working copy)
>> @@ -12,5 +12,6 @@
>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>>  	sepol_policy_kern_*;
>>  	sepol_policy_file_*;
>> +	sepol_set_disable_dontaudit;
>>    local: *;
>>  };
>> Index: libsepol/src/expand.c
>> ===================================================================
>> --- libsepol/src/expand.c	(revision 2511)
>> +++ libsepol/src/expand.c	(working copy)
>> @@ -1367,6 +1367,8 @@
>>  	} else if (specified & AVRULE_AUDITDENY) {
>>  		spec = AVTAB_AUDITDENY;
>>  	} else if (specified & AVRULE_DONTAUDIT) {
>> +		if (handle->disable_dontaudit)
>> +			return EXPAND_RULE_SUCCESS;
>>  		spec = AVTAB_AUDITDENY;
>>  	} else if (specified & AVRULE_NEVERALLOW) {
>>  		spec = AVTAB_NEVERALLOW;
>> Index: libsepol/src/handle.c
>> ===================================================================
>> --- libsepol/src/handle.c	(revision 2511)
>> +++ libsepol/src/handle.c	(working copy)
>> @@ -1,4 +1,5 @@
>>  #include <stdlib.h>
>> +#include <assert.h>
>>  #include "handle.h"
>>  #include "debug.h"
>>  
>> @@ -13,9 +14,18 @@
>>  	sh->msg_callback = sepol_msg_default_handler;
>>  	sh->msg_callback_arg = NULL;
>>  
>> +	/* by default do not disable dontaudits */
>> +	sh->disable_dontaudit = 0;
>> +
>>  	return sh;
>>  }
>>  
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>> +{
>> +	assert(sh !=NULL);
>> +	sh->disable_dontaudit = disable_dontaudit;
>> +}
>> +
>>  void sepol_handle_destroy(sepol_handle_t * sh)
>>  {
>>  	free(sh);
>> Index: policycoreutils/semodule/semodule.c
>> ===================================================================
>> --- policycoreutils/semodule/semodule.c	(revision 2511)
>> +++ policycoreutils/semodule/semodule.c	(working copy)
>> @@ -44,6 +44,7 @@
>>  static int no_reload;
>>  static int create_store;
>>  static int build;
>> +static int disable_dontaudit;
>>  
>>  static semanage_handle_t *sh = NULL;
>>  static char *store;
>> @@ -131,6 +132,7 @@
>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>>  	printf("  -h,--help        print this message and quit\n");
>>  	printf("  -v,--verbose     be verbose\n");
>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>>  }
>>  
>>  /* Sets the global mode variable to new_mode, but only if no other
>> @@ -173,6 +175,7 @@
>>  		{"reload", 0, NULL, 'R'},
>>  		{"noreload", 0, NULL, 'n'},
>>  		{"build", 0, NULL, 'B'},
>> +		{"disable_dontaudit", 0, NULL, 'D'},
>>  		{NULL, 0, NULL, 0}
>>  	};
>>  	int i;
>> @@ -181,7 +184,7 @@
>>  	no_reload = 0;
>>  	create_store = 0;
>>  	while ((i =
>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>  			    NULL)) != -1) {
>>  		switch (i) {
>>  		case 'b':
>> @@ -218,6 +221,9 @@
>>  		case 'B':
>>  			build = 1;
>>  			break;
>> +		case 'D':
>> +			disable_dontaudit = 1;
>> +			break;
>>  		case '?':
>>  		default:{
>>  				usage(argv[0]);
>> @@ -441,6 +447,8 @@
>>  			semanage_set_reload(sh, 0);
>>  		if (build)
>>  			semanage_set_rebuild(sh, 1);
>> +		if (disable_dontaudit)
>> +			semanage_set_disable_dontaudit(sh, 1);
>>  		result = semanage_commit(sh);
>>  	}
>>  
>>
>>
>>     




* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10 15:29         ` Daniel J Walsh
@ 2007-08-10 15:58           ` Joshua Brindle
  2007-08-10 18:16             ` Daniel J Walsh
  0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-10 15:58 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>  
>>> Joshua Brindle wrote:
>>>    
>>>> James Morris wrote:
>>>>      
>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>
>>>>>  
>>>>>        
>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>> enableaudit.pp base policy.  Which still doesn't remove the 
>>>>>> dontaudit
>>>>>> rules from modules.
>>>>>>               
>>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
>>>>> existing policy and reload it?
>>>>>
>>>>>           
>>>> I agree, the infrastructure is certainly in place to do it, just 
>>>> add something in the sepol_handle that says dontaudits should be 
>>>> discarded, then make an interface in libsemanage that uses that and 
>>>> rebuild the policy.
>>>>
>>>> If noone beats me to it I will see if my conclusions about it being 
>>>> fairly simple are accurate this weekend :)
>>>>
>>>>       
>>> I changed my mind, patch below
>>>
>>> it compiles and seems to work after semodule -DB:
>>>     
>>
>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>> won't persist across subsequent policy changes, so if I e.g. then change
>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>
>> Is that what you want, or do you want this flag saved in the policy
>> module store and settable/clearable via semanage to be applied to all
>> subsequent policy builds?
>>
>>   
> This looks great but it needs to survive a policy rebuild as Stephen 
> says.
>

Hrm... I'm trying to figure out if that is really the behavior we want. 
The purpose of this was to let someone get some denials from (possibly) 
dontaudits hiding behavior. After switching dontaudits off the user will 
generate a module with the rules and insert it. Assuming they exercised 
enough of the app they won't want the dontaudits off anymore and will 
happily go about running the app. Are there other use cases where 
dontaudits should be persistently disabled?

If dontaudits are to be persistently disabled I'd rather do it in the 
kernel with eric's patch, mainly because eric's will at least only 
persist until reboot whereas if I added something to libsemanage to make 
it persist it would last across reboots.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10 15:58           ` Joshua Brindle
@ 2007-08-10 18:16             ` Daniel J Walsh
  2007-08-13 23:27               ` Joshua Brindle
  0 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-10 18:16 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>  
>>>> Joshua Brindle wrote:
>>>>   
>>>>> James Morris wrote:
>>>>>     
>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>
>>>>>>  
>>>>>>       
>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>> enableaudit.pp base policy.  Which still doesn't remove the 
>>>>>>> dontaudit
>>>>>>> rules from modules.
>>>>>>>               
>>>>>> Are we sure this can't be done in userspace?  Like, mangle all 
>>>>>> the existing policy and reload it?
>>>>>>
>>>>>>           
>>>>> I agree, the infrastructure is certainly in place to do it, just 
>>>>> add something in the sepol_handle that says dontaudits should be 
>>>>> discarded, then make an interface in libsemanage that uses that 
>>>>> and rebuild the policy.
>>>>>
>>>>> If noone beats me to it I will see if my conclusions about it 
>>>>> being fairly simple are accurate this weekend :)
>>>>>
>>>>>       
>>>> I changed my mind, patch below
>>>>
>>>> it compiles and seems to work after semodule -DB:
>>>>     
>>>
>>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>>> won't persist across subsequent policy changes, so if I e.g. then 
>>> change
>>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>>
>>> Is that what you want, or do you want this flag saved in the policy
>>> module store and settable/clearable via semanage to be applied to all
>>> subsequent policy builds?
>>>
>>>   
>> This looks great but it needs to survive a policy rebuild as Stephen 
>> says.
>>
>
> Hrm... I'm trying to figure out if that is really the behavior we 
> want. The purpose of this was to let someone get some denials from 
> (possibly) dontaudits hiding behavior. After switching dontaudits off 
> the user will generate a module with the rules and insert it. Assuming 
> they exercised enough of the app he won't want the dontaudits off 
> anymore and will happily go about running the app. Are there other use 
> cases where dontaudits should be persistently disabled?
>
> If dontaudits are to be persistently disabled I'd rather do it in the 
> kernel with eric's patch, mainly because eric's will at least only 
> persist until reboot whereas if I added something to libsemanage to 
> make it persist it would last across reboots.
>
Actually I was thinking of the case where you would put a setsebool in 
an init script and you might want to boot with enableaudit, and this 
would replace it; but you wouldn't put a setsebool -P in an init script, 
so this is not a problem.  I would guess we would just have to document 
that this is to temporarily disable dontaudit rules, until the next time 
the policy is rebuilt.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10 18:16             ` Daniel J Walsh
@ 2007-08-13 23:27               ` Joshua Brindle
  0 siblings, 0 replies; 22+ messages in thread
From: Joshua Brindle @ 2007-08-13 23:27 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> Stephen Smalley wrote:
>>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>>  
>>>>> Joshua Brindle wrote:
>>>>>  
>>>>>> James Morris wrote:
>>>>>>    
>>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>>
>>>>>>>  
>>>>>>>      
>>>>>>>> Currently to disable dontaudit rules best you can do it to load 
>>>>>>>> the
>>>>>>>> enableaudit.pp base policy.  Which still doesn't remove the 
>>>>>>>> dontaudit
>>>>>>>> rules from modules.
>>>>>>>>               
>>>>>>> Are we sure this can't be done in userspace?  Like, mangle all 
>>>>>>> the existing policy and reload it?
>>>>>>>
>>>>>>>           
>>>>>> I agree, the infrastructure is certainly in place to do it, just 
>>>>>> add something in the sepol_handle that says dontaudits should be 
>>>>>> discarded, then make an interface in libsemanage that uses that 
>>>>>> and rebuild the policy.
>>>>>>
>>>>>> If noone beats me to it I will see if my conclusions about it 
>>>>>> being fairly simple are accurate this weekend :)
>>>>>>
>>>>>>       
>>>>> I changed my mind, patch below
>>>>>
>>>>> it compiles and seems to work after semodule -DB:
>>>>>     
>>>>
>>>> Hmm...doing it this way means that the "disable_dontaudit" behavior
>>>> won't persist across subsequent policy changes, so if I e.g. then 
>>>> change
>>>> a boolean persistently, I'll get back all of the dontaudit rules too.
>>>>
>>>> Is that what you want, or do you want this flag saved in the policy
>>>> module store and settable/clearable via semanage to be applied to all
>>>> subsequent policy builds?
>>>>
>>>>   
>>> This looks great but it needs to survive a policy rebuild as Stephen 
>>> says.
>>>
>>
>> Hrm... I'm trying to figure out if that is really the behavior we 
>> want. The purpose of this was to let someone get some denials from 
>> (possibly) dontaudits hiding behavior. After switching dontaudits off 
>> the user will generate a module with the rules and insert it. 
>> Assuming they exercised enough of the app he won't want the 
>> dontaudits off anymore and will happily go about running the app. Are 
>> there other use cases where dontaudits should be persistently disabled?
>>
>> If dontaudits are to be persistently disabled I'd rather do it in the 
>> kernel with eric's patch, mainly because eric's will at least only 
>> persist until reboot whereas if I added something to libsemanage to 
>> make it persist it would last across reboots.
>>
> Actually I was thinking of the case where you would put an setsebool 
> in an init script and you might want to boot with enableaudit and this 
> would replace it, but you wouldn't put a setsebool -P in an init 
> script, so this is not a problem.  I would guess we would just have to 
> document that this is to temporarily disable dontaudit rules, until 
> the next time the policy is rebuilt.


So is there any consensus on which approach we want to go with? We have:

1) use conditionals: doesn't work with third party modules, and could have 
mistakes where dontaudits aren't in conditionals, etc.
2) use the kernel patch from Eric: makes it easier to turn it on and off 
without rebuilding/reloading policy, faster, and some people worried 
about policy modification would be happier.
3) use my patch and do it from userland: puts the complexity in 
userspace, modifies the on-disk policy (persistent across reboots if 
policy isn't rebuilt without the option, slower to use, not persistent 
across any operations that rebuild policy such as persistent boolean 
changes, etc).



I'm split between 2 and 3, both have advantages and disadvantages, 
anyone else want to ring their opinion in?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-10  1:22     ` Joshua Brindle
  2007-08-10 12:01       ` Stephen Smalley
@ 2007-08-16 17:28       ` Stephen Smalley
  2007-08-16 17:45         ` Joshua Brindle
  1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 17:28 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > James Morris wrote:
> >> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>
> >>  
> >>> Currently to disable dontaudit rules best you can do it to load the
> >>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> >>> rules from modules.
> >>>     
> >>
> >> Are we sure this can't be done in userspace?  Like, mangle all the 
> >> existing policy and reload it?
> >>
> >>   
> > I agree, the infrastructure is certainly in place to do it, just add 
> > something in the sepol_handle that says dontaudits should be 
> > discarded, then make an interface in libsemanage that uses that and 
> > rebuild the policy.
> >
> > If noone beats me to it I will see if my conclusions about it being 
> > fairly simple are accurate this weekend :)
> >
> 
> I changed my mind, patch below
> 
> it compiles and seems to work after semodule -DB:
> 
> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> dontaudit
> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> Type 0, Modified 0)
>  Added TE Rules: 0
>  Added TE Rules because of new type: 0
>  Removed TE Rules: 326583
>  Removed TE Rules because of missing type: 0
>  Modified TE Rules: 0
> 
> Index: libsemanage/include/semanage/handle.h
> ===================================================================
> --- libsemanage/include/semanage/handle.h	(revision 2511)
> +++ libsemanage/include/semanage/handle.h	(working copy)
> @@ -69,6 +69,9 @@
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> +/* Set whether or not to disable dontaudits upon commit */
> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> +
>  /* Check whether policy is managed via libsemanage on this system.
>   * Must be called prior to trying to connect.
>   * Return 1 if policy is managed via libsemanage on this system,
> Index: libsemanage/src/libsemanage.map
> ===================================================================
> --- libsemanage/src/libsemanage.map	(revision 2511)
> +++ libsemanage/src/libsemanage.map	(working copy)
> @@ -13,6 +13,6 @@
>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>  	  semanage_node_*;
>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> -	  semanage_is_connected;
> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>    local: *;
>  };
> Index: libsemanage/src/handle.c
> ===================================================================
> --- libsemanage/src/handle.c	(revision 2511)
> +++ libsemanage/src/handle.c	(working copy)
> @@ -109,6 +109,14 @@
>  	return;
>  }
>  
> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> +{
> +	assert(sh != NULL);
> +	
> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +	return;
> +}
> +
>  int semanage_is_connected(semanage_handle_t * sh)
>  {
>  	assert(sh != NULL);
> Index: libsepol/include/sepol/handle.h
> ===================================================================
> --- libsepol/include/sepol/handle.h	(revision 2511)
> +++ libsepol/include/sepol/handle.h	(working copy)
> @@ -7,6 +7,10 @@
>  /* Create and return a sepol handle. */
>  sepol_handle_t *sepol_handle_create(void);
>  
> +/* Set whether or not to disable dontaudits, 0 is default and does 
> + * not disable dontaudits, 1 disables them */
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> +
>  /* Destroy a sepol handle. */
>  void sepol_handle_destroy(sepol_handle_t *);
>  
> Index: libsepol/src/handle.h
> ===================================================================
> --- libsepol/src/handle.h	(revision 2511)
> +++ libsepol/src/handle.h	(working copy)
> @@ -14,6 +14,9 @@
>  	void (*msg_callback) (void *varg,
>  			      sepol_handle_t * handle, const char *fmt, ...);
>  	void *msg_callback_arg;
> +
> +	int disable_dontaudit;
> +
>  };
>  
>  #endif
> Index: libsepol/src/libsepol.map
> ===================================================================
> --- libsepol/src/libsepol.map	(revision 2511)
> +++ libsepol/src/libsepol.map	(working copy)
> @@ -12,5 +12,6 @@
>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>  	sepol_policy_kern_*;
>  	sepol_policy_file_*;
> +	sepol_set_disable_dontaudit;
>    local: *;
>  };
> Index: libsepol/src/expand.c
> ===================================================================
> --- libsepol/src/expand.c	(revision 2511)
> +++ libsepol/src/expand.c	(working copy)
> @@ -1367,6 +1367,8 @@
>  	} else if (specified & AVRULE_AUDITDENY) {
>  		spec = AVTAB_AUDITDENY;
>  	} else if (specified & AVRULE_DONTAUDIT) {
> +		if (handle->disable_dontaudit)
> +			return EXPAND_RULE_SUCCESS;
>  		spec = AVTAB_AUDITDENY;
>  	} else if (specified & AVRULE_NEVERALLOW) {
>  		spec = AVTAB_NEVERALLOW;
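Review bot: `handle->disable_dontaudit` is dereferenced with no NULL check, and libsepol's expand entry points appear to be callable with a NULL handle (the library's error-reporting macros tolerate one), so a caller that passes `NULL` would crash here instead of simply keeping its dontaudit rules; the guard should be `if (handle && handle->disable_dontaudit)`. Returning EXPAND_RULE_SUCCESS before the rule reaches the avtab is the intended way to drop it, but a one-line comment such as `/* disable_dontaudit: drop the rule so the denial is audited */` would make the early return read as deliberate rather than as a missed case. The enclosing function starts and ends outside this hunk.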
> Index: libsepol/src/handle.c
> ===================================================================
> --- libsepol/src/handle.c	(revision 2511)
> +++ libsepol/src/handle.c	(working copy)
> @@ -1,4 +1,5 @@
>  #include <stdlib.h>
> +#include <assert.h>
>  #include "handle.h"
>  #include "debug.h"
>  
> @@ -13,9 +14,18 @@
>  	sh->msg_callback = sepol_msg_default_handler;
>  	sh->msg_callback_arg = NULL;
>  
> +	/* by default do not disable dontaudits */
> +	sh->disable_dontaudit = 0;
> +
>  	return sh;
>  }
>  
> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> +{
> +	assert(sh !=NULL);
> +	sh->disable_dontaudit = disable_dontaudit;
> +}
> +
>  void sepol_handle_destroy(sepol_handle_t * sh)
>  {
>  	free(sh);
> Index: policycoreutils/semodule/semodule.c
> ===================================================================
> --- policycoreutils/semodule/semodule.c	(revision 2511)
> +++ policycoreutils/semodule/semodule.c	(working copy)
> @@ -44,6 +44,7 @@
>  static int no_reload;
>  static int create_store;
>  static int build;
> +static int disable_dontaudit;
>  
>  static semanage_handle_t *sh = NULL;
>  static char *store;
> @@ -131,6 +132,7 @@
>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>  	printf("  -h,--help        print this message and quit\n");
>  	printf("  -v,--verbose     be verbose\n");
> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>  }
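Review bot: The help text `Remove dontaudits from policy` does not tell the operator that the removal is written into the built policy in the store and stays in effect until the policy is next rebuilt without `-D`, which is the property that matters most when this is used to chase hidden denials. Suggest `-D,--disable_dontaudit  Remove dontaudit rules from the built policy (applies on the next rebuild, e.g. with -B, and persists until rebuilt without -D)`. The usage() function continues outside this hunk.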
>  
>  /* Sets the global mode variable to new_mode, but only if no other
> @@ -173,6 +175,7 @@
>  		{"reload", 0, NULL, 'R'},
>  		{"noreload", 0, NULL, 'n'},
>  		{"build", 0, NULL, 'B'},
> +		{"disable_dontaudit", 0, NULL, 'D'},
>  		{NULL, 0, NULL, 0}
>  	};
>  	int i;
> @@ -181,7 +184,7 @@
>  	no_reload = 0;
>  	create_store = 0;
>  	while ((i =
> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>  			    NULL)) != -1) {
>  		switch (i) {
>  		case 'b':
> @@ -218,6 +221,9 @@
>  		case 'B':
>  			build = 1;
>  			break;
> +		case 'D':
> +			disable_dontaudit = 1;
> +			break;
>  		case '?':
>  		default:{
>  				usage(argv[0]);
> @@ -441,6 +447,8 @@
>  			semanage_set_reload(sh, 0);
>  		if (build)
>  			semanage_set_rebuild(sh, 1);
> +		if (disable_dontaudit)
> +			semanage_set_disable_dontaudit(sh, 1);
>  		result = semanage_commit(sh);
>  	}
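Review bot: The flag is only recorded on the handle, so `semodule -D` with no `-B` and no module change appears to commit without rebuilding and leave the installed policy unchanged, while any later rebuild without `-D` silently restores every dontaudit rule; the option should force the rebuild itself, `if (disable_dontaudit) { semanage_set_disable_dontaudit(sh, 1); semanage_set_rebuild(sh, 1); }`, or refuse to proceed without `-B`. Since this strips audit suppression from the whole installed policy, emitting a single stderr line when the flag is applied would let an operator explain a sudden jump in AVC volume. The commit path this sits in continues outside the hunk.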

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

Merge at will.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 17:28       ` Stephen Smalley
@ 2007-08-16 17:45         ` Joshua Brindle
  2007-08-16 17:47           ` Stephen Smalley
  0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 17:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh

Stephen Smalley wrote:
> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>   
>> Joshua Brindle wrote:
>>     
>>> James Morris wrote:
>>>       
>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>
>>>>  
>>>>         
>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>>>>> rules from modules.
>>>>>     
>>>>>           
>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
>>>> existing policy and reload it?
>>>>
>>>>   
>>>>         
>>> I agree, the infrastructure is certainly in place to do it, just add 
>>> something in the sepol_handle that says dontaudits should be 
>>> discarded, then make an interface in libsemanage that uses that and 
>>> rebuild the policy.
>>>
>>> If noone beats me to it I will see if my conclusions about it being 
>>> fairly simple are accurate this weekend :)
>>>
>>>       
>> I changed my mind, patch below
>>
>> it compiles and seems to work after semodule -DB:
>>
>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>> dontaudit
>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>> Type 0, Modified 0)
>>  Added TE Rules: 0
>>  Added TE Rules because of new type: 0
>>  Removed TE Rules: 326583
>>  Removed TE Rules because of missing type: 0
>>  Modified TE Rules: 0
>>
>> Index: libsemanage/include/semanage/handle.h
>> ===================================================================
>> --- libsemanage/include/semanage/handle.h	(revision 2511)
>> +++ libsemanage/include/semanage/handle.h	(working copy)
>> @@ -69,6 +69,9 @@
>>   * 1 for yes, 0 for no (default) */
>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>  
>> +/* Set whether or not to disable dontaudits upon commit */
>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>> +
>>  /* Check whether policy is managed via libsemanage on this system.
>>   * Must be called prior to trying to connect.
>>   * Return 1 if policy is managed via libsemanage on this system,
>> Index: libsemanage/src/libsemanage.map
>> ===================================================================
>> --- libsemanage/src/libsemanage.map	(revision 2511)
>> +++ libsemanage/src/libsemanage.map	(working copy)
>> @@ -13,6 +13,6 @@
>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>>  	  semanage_node_*;
>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>> -	  semanage_is_connected;
>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>>    local: *;
>>  };
>> Index: libsemanage/src/handle.c
>> ===================================================================
>> --- libsemanage/src/handle.c	(revision 2511)
>> +++ libsemanage/src/handle.c	(working copy)
>> @@ -109,6 +109,14 @@
>>  	return;
>>  }
>>  
>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>> +{
>> +	assert(sh != NULL);
>> +	
>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> +	return;
>> +}
>> +
>>  int semanage_is_connected(semanage_handle_t * sh)
>>  {
>>  	assert(sh != NULL);
>> Index: libsepol/include/sepol/handle.h
>> ===================================================================
>> --- libsepol/include/sepol/handle.h	(revision 2511)
>> +++ libsepol/include/sepol/handle.h	(working copy)
>> @@ -7,6 +7,10 @@
>>  /* Create and return a sepol handle. */
>>  sepol_handle_t *sepol_handle_create(void);
>>  
>> +/* Set whether or not to disable dontaudits, 0 is default and does 
>> + * not disable dontaudits, 1 disables them */
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>> +
>>  /* Destroy a sepol handle. */
>>  void sepol_handle_destroy(sepol_handle_t *);
>>  
>> Index: libsepol/src/handle.h
>> ===================================================================
>> --- libsepol/src/handle.h	(revision 2511)
>> +++ libsepol/src/handle.h	(working copy)
>> @@ -14,6 +14,9 @@
>>  	void (*msg_callback) (void *varg,
>>  			      sepol_handle_t * handle, const char *fmt, ...);
>>  	void *msg_callback_arg;
>> +
>> +	int disable_dontaudit;
>> +
>>  };
>>  
>>  #endif
>> Index: libsepol/src/libsepol.map
>> ===================================================================
>> --- libsepol/src/libsepol.map	(revision 2511)
>> +++ libsepol/src/libsepol.map	(working copy)
>> @@ -12,5 +12,6 @@
>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>>  	sepol_policy_kern_*;
>>  	sepol_policy_file_*;
>> +	sepol_set_disable_dontaudit;
>>    local: *;
>>  };
>> Index: libsepol/src/expand.c
>> ===================================================================
>> --- libsepol/src/expand.c	(revision 2511)
>> +++ libsepol/src/expand.c	(working copy)
>> @@ -1367,6 +1367,8 @@
>>  	} else if (specified & AVRULE_AUDITDENY) {
>>  		spec = AVTAB_AUDITDENY;
>>  	} else if (specified & AVRULE_DONTAUDIT) {
>> +		if (handle->disable_dontaudit)
>> +			return EXPAND_RULE_SUCCESS;
>>  		spec = AVTAB_AUDITDENY;
>>  	} else if (specified & AVRULE_NEVERALLOW) {
>>  		spec = AVTAB_NEVERALLOW;
>> Index: libsepol/src/handle.c
>> ===================================================================
>> --- libsepol/src/handle.c	(revision 2511)
>> +++ libsepol/src/handle.c	(working copy)
>> @@ -1,4 +1,5 @@
>>  #include <stdlib.h>
>> +#include <assert.h>
>>  #include "handle.h"
>>  #include "debug.h"
>>  
>> @@ -13,9 +14,18 @@
>>  	sh->msg_callback = sepol_msg_default_handler;
>>  	sh->msg_callback_arg = NULL;
>>  
>> +	/* by default do not disable dontaudits */
>> +	sh->disable_dontaudit = 0;
>> +
>>  	return sh;
>>  }
>>  
>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>> +{
>> +	assert(sh !=NULL);
>> +	sh->disable_dontaudit = disable_dontaudit;
>> +}
>> +
>>  void sepol_handle_destroy(sepol_handle_t * sh)
>>  {
>>  	free(sh);
>> Index: policycoreutils/semodule/semodule.c
>> ===================================================================
>> --- policycoreutils/semodule/semodule.c	(revision 2511)
>> +++ policycoreutils/semodule/semodule.c	(working copy)
>> @@ -44,6 +44,7 @@
>>  static int no_reload;
>>  static int create_store;
>>  static int build;
>> +static int disable_dontaudit;
>>  
>>  static semanage_handle_t *sh = NULL;
>>  static char *store;
>> @@ -131,6 +132,7 @@
>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>>  	printf("  -h,--help        print this message and quit\n");
>>  	printf("  -v,--verbose     be verbose\n");
>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>>  }
>>  
>>  /* Sets the global mode variable to new_mode, but only if no other
>> @@ -173,6 +175,7 @@
>>  		{"reload", 0, NULL, 'R'},
>>  		{"noreload", 0, NULL, 'n'},
>>  		{"build", 0, NULL, 'B'},
>> +		{"disable_dontaudit", 0, NULL, 'D'},
>>  		{NULL, 0, NULL, 0}
>>  	};
>>  	int i;
>> @@ -181,7 +184,7 @@
>>  	no_reload = 0;
>>  	create_store = 0;
>>  	while ((i =
>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>  			    NULL)) != -1) {
>>  		switch (i) {
>>  		case 'b':
>> @@ -218,6 +221,9 @@
>>  		case 'B':
>>  			build = 1;
>>  			break;
>> +		case 'D':
>> +			disable_dontaudit = 1;
>> +			break;
>>  		case '?':
>>  		default:{
>>  				usage(argv[0]);
>> @@ -441,6 +447,8 @@
>>  			semanage_set_reload(sh, 0);
>>  		if (build)
>>  			semanage_set_rebuild(sh, 1);
>> +		if (disable_dontaudit)
>> +			semanage_set_disable_dontaudit(sh, 1);
>>  		result = semanage_commit(sh);
>>  	}
>>     
>
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
>
> Merge at will.
>   

So did we decide that the disadvantages of this approach are fine? The 
one that bothers me is that rebooting doesn't reset the dontaudit state 
(like it would with Eric's patch)...


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 17:45         ` Joshua Brindle
@ 2007-08-16 17:47           ` Stephen Smalley
  2007-08-16 17:53             ` Joshua Brindle
  0 siblings, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 17:47 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> >   
> >> Joshua Brindle wrote:
> >>     
> >>> James Morris wrote:
> >>>       
> >>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>>>
> >>>>  
> >>>>         
> >>>>> Currently to disable dontaudit rules best you can do it to load the
> >>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> >>>>> rules from modules.
> >>>>>     
> >>>>>           
> >>>> Are we sure this can't be done in userspace?  Like, mangle all the 
> >>>> existing policy and reload it?
> >>>>
> >>>>   
> >>>>         
> >>> I agree, the infrastructure is certainly in place to do it, just add 
> >>> something in the sepol_handle that says dontaudits should be 
> >>> discarded, then make an interface in libsemanage that uses that and 
> >>> rebuild the policy.
> >>>
> >>> If no one beats me to it I will see if my conclusions about it being 
> >>> fairly simple are accurate this weekend :)
> >>>
> >>>       
> >> I changed my mind, patch below
> >>
> >> it compiles and seems to work after semodule -DB:
> >>
> >> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> >> dontaudit
> >> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> >> Type 0, Modified 0)
> >>  Added TE Rules: 0
> >>  Added TE Rules because of new type: 0
> >>  Removed TE Rules: 326583
> >>  Removed TE Rules because of missing type: 0
> >>  Modified TE Rules: 0
> >>
> >> Index: libsemanage/include/semanage/handle.h
> >> ===================================================================
> >> --- libsemanage/include/semanage/handle.h	(revision 2511)
> >> +++ libsemanage/include/semanage/handle.h	(working copy)
> >> @@ -69,6 +69,9 @@
> >>   * 1 for yes, 0 for no (default) */
> >>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> >>  
> >> +/* Set whether or not to disable dontaudits upon commit */
> >> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> >> +
> >>  /* Check whether policy is managed via libsemanage on this system.
> >>   * Must be called prior to trying to connect.
> >>   * Return 1 if policy is managed via libsemanage on this system,
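Review bot: The header comment on `semanage_set_disable_dontaudit` says only that dontaudits are disabled "upon commit" and leaves undocumented the property the thread itself raises: the stripped policy is what gets written to disk, so the state survives reboots until a later commit rebuilds with the flag cleared, and the prototype does not say what the argument values mean. Suggested comment: `/* Set whether dontaudit rules are dropped from the policy built by the next commit: 1 drops them, 0 (default) keeps them. The stripped policy persists on disk until rebuilt with this cleared. */`. The same hunk is quoted again at L2152 and L2427.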
> >> Index: libsemanage/src/libsemanage.map
> >> ===================================================================
> >> --- libsemanage/src/libsemanage.map	(revision 2511)
> >> +++ libsemanage/src/libsemanage.map	(working copy)
> >> @@ -13,6 +13,6 @@
> >>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
> >>  	  semanage_node_*;
> >>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> >> -	  semanage_is_connected;
> >> +	  semanage_is_connected; semanage_set_disable_dontaudit;
> >>    local: *;
> >>  };
> >> Index: libsemanage/src/handle.c
> >> ===================================================================
> >> --- libsemanage/src/handle.c	(revision 2511)
> >> +++ libsemanage/src/handle.c	(working copy)
> >> @@ -109,6 +109,14 @@
> >>  	return;
> >>  }
> >>  
> >> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> >> +{
> >> +	assert(sh != NULL);
> >> +	
> >> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> >> +	return;
> >> +}
> >> +
> >>  int semanage_is_connected(semanage_handle_t * sh)
> >>  {
> >>  	assert(sh != NULL);
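Review bot: `semanage_set_disable_dontaudit` ends with a bare `return;` in a void function and has a whitespace-only line (a lone tab) between the assert and the call; both are noise next to the neighbouring `semanage_is_connected`. Drop them so the body is just `assert(sh != NULL);` followed by `sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);`. Note that with NDEBUG the assert disappears and a NULL handle dereferences `sh->sepolh` directly; that matches the pattern already used by `semanage_is_connected` rather than being new to this patch. Repeated at L2178-2184 and L2453-2459.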
> >> Index: libsepol/include/sepol/handle.h
> >> ===================================================================
> >> --- libsepol/include/sepol/handle.h	(revision 2511)
> >> +++ libsepol/include/sepol/handle.h	(working copy)
> >> @@ -7,6 +7,10 @@
> >>  /* Create and return a sepol handle. */
> >>  sepol_handle_t *sepol_handle_create(void);
> >>  
> >> +/* Set whether or not to disable dontaudits, 0 is default and does 
> >> + * not disable dontaudits, 1 disables them */
> >> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> >> +
> >>  /* Destroy a sepol handle. */
> >>  void sepol_handle_destroy(sepol_handle_t *);
> >>  
> >> Index: libsepol/src/handle.h
> >> ===================================================================
> >> --- libsepol/src/handle.h	(revision 2511)
> >> +++ libsepol/src/handle.h	(working copy)
> >> @@ -14,6 +14,9 @@
> >>  	void (*msg_callback) (void *varg,
> >>  			      sepol_handle_t * handle, const char *fmt, ...);
> >>  	void *msg_callback_arg;
> >> +
> >> +	int disable_dontaudit;
> >> +
> >>  };
> >>  
> >>  #endif
> >> Index: libsepol/src/libsepol.map
> >> ===================================================================
> >> --- libsepol/src/libsepol.map	(revision 2511)
> >> +++ libsepol/src/libsepol.map	(working copy)
> >> @@ -12,5 +12,6 @@
> >>  	sepol_policydb_*; sepol_set_policydb_from_file; 
> >>  	sepol_policy_kern_*;
> >>  	sepol_policy_file_*;
> >> +	sepol_set_disable_dontaudit;
> >>    local: *;
> >>  };
> >> Index: libsepol/src/expand.c
> >> ===================================================================
> >> --- libsepol/src/expand.c	(revision 2511)
> >> +++ libsepol/src/expand.c	(working copy)
> >> @@ -1367,6 +1367,8 @@
> >>  	} else if (specified & AVRULE_AUDITDENY) {
> >>  		spec = AVTAB_AUDITDENY;
> >>  	} else if (specified & AVRULE_DONTAUDIT) {
> >> +		if (handle->disable_dontaudit)
> >> +			return EXPAND_RULE_SUCCESS;
> >>  		spec = AVTAB_AUDITDENY;
> >>  	} else if (specified & AVRULE_NEVERALLOW) {
> >>  		spec = AVTAB_NEVERALLOW;
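Review bot: The early `return EXPAND_RULE_SUCCESS;` taken when `handle->disable_dontaudit` is set drops the rule with no comment and no message through the handle, so a reader of expand.c has no hint that an entire rule class can vanish from the output depending on handle state; suggest `/* -D: drop dontaudit rules entirely; explicit auditdeny rules (the branch above) are kept */` on the line before the check. Whether anything acquired earlier in the enclosing function needs releasing before this return cannot be judged here, since the function starts and ends outside the hunk; if it has other early returns, this one should mirror them. Repeated at L2237-2238 and L2512-2513.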
> >> Index: libsepol/src/handle.c
> >> ===================================================================
> >> --- libsepol/src/handle.c	(revision 2511)
> >> +++ libsepol/src/handle.c	(working copy)
> >> @@ -1,4 +1,5 @@
> >>  #include <stdlib.h>
> >> +#include <assert.h>
> >>  #include "handle.h"
> >>  #include "debug.h"
> >>  
> >> @@ -13,9 +14,18 @@
> >>  	sh->msg_callback = sepol_msg_default_handler;
> >>  	sh->msg_callback_arg = NULL;
> >>  
> >> +	/* by default do not disable dontaudits */
> >> +	sh->disable_dontaudit = 0;
> >> +
> >>  	return sh;
> >>  }
> >>  
> >> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> >> +{
> >> +	assert(sh !=NULL);
> >> +	sh->disable_dontaudit = disable_dontaudit;
> >> +}
> >> +
> >>  void sepol_handle_destroy(sepol_handle_t * sh)
> >>  {
> >>  	free(sh);
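Review bot: `assert(sh !=NULL);` in `sepol_set_disable_dontaudit` is spaced differently from the `assert(sh != NULL);` the same patch adds in libsemanage; write it as `assert(sh != NULL);`. The setter stores the argument unchanged, so any non-zero value behaves as 1 at the `if (handle->disable_dontaudit)` check in expand.c, which is fine but worth stating in the public header comment. Repeated at L2264 and L2539.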
> >> Index: policycoreutils/semodule/semodule.c
> >> ===================================================================
> >> --- policycoreutils/semodule/semodule.c	(revision 2511)
> >> +++ policycoreutils/semodule/semodule.c	(working copy)
> >> @@ -44,6 +44,7 @@
> >>  static int no_reload;
> >>  static int create_store;
> >>  static int build;
> >> +static int disable_dontaudit;
> >>  
> >>  static semanage_handle_t *sh = NULL;
> >>  static char *store;
> >> @@ -131,6 +132,7 @@
> >>  	printf("  -n,--noreload	   do not reload policy after commit\n");
> >>  	printf("  -h,--help        print this message and quit\n");
> >>  	printf("  -v,--verbose     be verbose\n");
> >> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
> >>  }
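Review bot: The new usage line separates `-D,--disable_dontaudit` from its description with a tab while the `-h` and `-v` lines beside it use spaces, so the columns will not line up when printed (the `-n` line above has the same tab inconsistency); use spaces like its neighbours. The description `Remove dontaudits from policy` also gives no hint that the policy has to be rebuilt for the option to have an effect, which appears to be the case given that the only run reported in this thread used `semodule -DB`; e.g. `printf("  -D,--disable_dontaudit  remove dontaudit rules from policy (takes effect on rebuild, see -B)\n");`. Repeated at L2287 and L2562.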
> >>  
> >>  /* Sets the global mode variable to new_mode, but only if no other
> >> @@ -173,6 +175,7 @@
> >>  		{"reload", 0, NULL, 'R'},
> >>  		{"noreload", 0, NULL, 'n'},
> >>  		{"build", 0, NULL, 'B'},
> >> +		{"disable_dontaudit", 0, NULL, 'D'},
> >>  		{NULL, 0, NULL, 0}
> >>  	};
> >>  	int i;
> >> @@ -181,7 +184,7 @@
> >>  	no_reload = 0;
> >>  	create_store = 0;
> >>  	while ((i =
> >> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> >> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> >>  			    NULL)) != -1) {
> >>  		switch (i) {
> >>  		case 'b':
> >> @@ -218,6 +221,9 @@
> >>  		case 'B':
> >>  			build = 1;
> >>  			break;
> >> +		case 'D':
> >> +			disable_dontaudit = 1;
> >> +			break;
> >>  		case '?':
> >>  		default:{
> >>  				usage(argv[0]);
> >> @@ -441,6 +447,8 @@
> >>  			semanage_set_reload(sh, 0);
> >>  		if (build)
> >>  			semanage_set_rebuild(sh, 1);
> >> +		if (disable_dontaudit)
> >> +			semanage_set_disable_dontaudit(sh, 1);
> >>  		result = semanage_commit(sh);
> >>  	}
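Review bot: `-D` only calls `semanage_set_disable_dontaudit(sh, 1)` and nothing forces a rebuild, so `semodule -D` on its own may commit without re-expanding the policy and leave the dontaudit rules in place while the operator believes they are gone; the only run reported in this thread used `-DB`. If commit re-expands only when rebuild is set, couple the two: `if (disable_dontaudit) { semanage_set_disable_dontaudit(sh, 1); semanage_set_rebuild(sh, 1); }`, or else reject `-D` without `-B` in option parsing. The enclosing function continues outside the hunk. Repeated at L2322-2323 and L2597-2598.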
> >>     
> >
> > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> >
> > Merge at will.
> >   
> 
> So did we decide that the disadvantages of this approach are fine? The 
> one that bothers me is that rebooting doesn't reset the dontaudit state 
> (like it would with Eric's patch)...

That could be an advantage - suppose that you want to collect full audit
information on the initialization itself.  And it isn't different than
the old 'make enableaudit load' approach.

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 17:47           ` Stephen Smalley
@ 2007-08-16 17:53             ` Joshua Brindle
  2007-08-16 18:04               ` Stephen Smalley
  0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 17:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh

Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>   
>>>       
>>>> Joshua Brindle wrote:
>>>>     
>>>>         
>>>>> James Morris wrote:
>>>>>       
>>>>>           
>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>
>>>>>>  
>>>>>>         
>>>>>>             
>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>>>>>>> rules from modules.
>>>>>>>     
>>>>>>>           
>>>>>>>               
>>>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
>>>>>> existing policy and reload it?
>>>>>>
>>>>>>   
>>>>>>         
>>>>>>             
>>>>> I agree, the infrastructure is certainly in place to do it, just add 
>>>>> something in the sepol_handle that says dontaudits should be 
>>>>> discarded, then make an interface in libsemanage that uses that and 
>>>>> rebuild the policy.
>>>>>
>>>>> If no one beats me to it I will see if my conclusions about it being 
>>>>> fairly simple are accurate this weekend :)
>>>>>
>>>>>       
>>>>>           
>>>> I changed my mind, patch below
>>>>
>>>> it compiles and seems to work after semodule -DB:
>>>>
>>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>>>> dontaudit
>>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>>>> Type 0, Modified 0)
>>>>  Added TE Rules: 0
>>>>  Added TE Rules because of new type: 0
>>>>  Removed TE Rules: 326583
>>>>  Removed TE Rules because of missing type: 0
>>>>  Modified TE Rules: 0
>>>>
>>>> Index: libsemanage/include/semanage/handle.h
>>>> ===================================================================
>>>> --- libsemanage/include/semanage/handle.h	(revision 2511)
>>>> +++ libsemanage/include/semanage/handle.h	(working copy)
>>>> @@ -69,6 +69,9 @@
>>>>   * 1 for yes, 0 for no (default) */
>>>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>>>  
>>>> +/* Set whether or not to disable dontaudits upon commit */
>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>>> +
>>>>  /* Check whether policy is managed via libsemanage on this system.
>>>>   * Must be called prior to trying to connect.
>>>>   * Return 1 if policy is managed via libsemanage on this system,
>>>> Index: libsemanage/src/libsemanage.map
>>>> ===================================================================
>>>> --- libsemanage/src/libsemanage.map	(revision 2511)
>>>> +++ libsemanage/src/libsemanage.map	(working copy)
>>>> @@ -13,6 +13,6 @@
>>>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>>>>  	  semanage_node_*;
>>>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>>>> -	  semanage_is_connected;
>>>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>>>>    local: *;
>>>>  };
>>>> Index: libsemanage/src/handle.c
>>>> ===================================================================
>>>> --- libsemanage/src/handle.c	(revision 2511)
>>>> +++ libsemanage/src/handle.c	(working copy)
>>>> @@ -109,6 +109,14 @@
>>>>  	return;
>>>>  }
>>>>  
>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>>> +{
>>>> +	assert(sh != NULL);
>>>> +	
>>>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>>> +	return;
>>>> +}
>>>> +
>>>>  int semanage_is_connected(semanage_handle_t * sh)
>>>>  {
>>>>  	assert(sh != NULL);
>>>> Index: libsepol/include/sepol/handle.h
>>>> ===================================================================
>>>> --- libsepol/include/sepol/handle.h	(revision 2511)
>>>> +++ libsepol/include/sepol/handle.h	(working copy)
>>>> @@ -7,6 +7,10 @@
>>>>  /* Create and return a sepol handle. */
>>>>  sepol_handle_t *sepol_handle_create(void);
>>>>  
>>>> +/* Set whether or not to disable dontaudits, 0 is default and does 
>>>> + * not disable dontaudits, 1 disables them */
>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>>>> +
>>>>  /* Destroy a sepol handle. */
>>>>  void sepol_handle_destroy(sepol_handle_t *);
>>>>  
>>>> Index: libsepol/src/handle.h
>>>> ===================================================================
>>>> --- libsepol/src/handle.h	(revision 2511)
>>>> +++ libsepol/src/handle.h	(working copy)
>>>> @@ -14,6 +14,9 @@
>>>>  	void (*msg_callback) (void *varg,
>>>>  			      sepol_handle_t * handle, const char *fmt, ...);
>>>>  	void *msg_callback_arg;
>>>> +
>>>> +	int disable_dontaudit;
>>>> +
>>>>  };
>>>>  
>>>>  #endif
>>>> Index: libsepol/src/libsepol.map
>>>> ===================================================================
>>>> --- libsepol/src/libsepol.map	(revision 2511)
>>>> +++ libsepol/src/libsepol.map	(working copy)
>>>> @@ -12,5 +12,6 @@
>>>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>>>>  	sepol_policy_kern_*;
>>>>  	sepol_policy_file_*;
>>>> +	sepol_set_disable_dontaudit;
>>>>    local: *;
>>>>  };
>>>> Index: libsepol/src/expand.c
>>>> ===================================================================
>>>> --- libsepol/src/expand.c	(revision 2511)
>>>> +++ libsepol/src/expand.c	(working copy)
>>>> @@ -1367,6 +1367,8 @@
>>>>  	} else if (specified & AVRULE_AUDITDENY) {
>>>>  		spec = AVTAB_AUDITDENY;
>>>>  	} else if (specified & AVRULE_DONTAUDIT) {
>>>> +		if (handle->disable_dontaudit)
>>>> +			return EXPAND_RULE_SUCCESS;
>>>>  		spec = AVTAB_AUDITDENY;
>>>>  	} else if (specified & AVRULE_NEVERALLOW) {
>>>>  		spec = AVTAB_NEVERALLOW;
>>>> Index: libsepol/src/handle.c
>>>> ===================================================================
>>>> --- libsepol/src/handle.c	(revision 2511)
>>>> +++ libsepol/src/handle.c	(working copy)
>>>> @@ -1,4 +1,5 @@
>>>>  #include <stdlib.h>
>>>> +#include <assert.h>
>>>>  #include "handle.h"
>>>>  #include "debug.h"
>>>>  
>>>> @@ -13,9 +14,18 @@
>>>>  	sh->msg_callback = sepol_msg_default_handler;
>>>>  	sh->msg_callback_arg = NULL;
>>>>  
>>>> +	/* by default do not disable dontaudits */
>>>> +	sh->disable_dontaudit = 0;
>>>> +
>>>>  	return sh;
>>>>  }
>>>>  
>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>>>> +{
>>>> +	assert(sh !=NULL);
>>>> +	sh->disable_dontaudit = disable_dontaudit;
>>>> +}
>>>> +
>>>>  void sepol_handle_destroy(sepol_handle_t * sh)
>>>>  {
>>>>  	free(sh);
>>>> Index: policycoreutils/semodule/semodule.c
>>>> ===================================================================
>>>> --- policycoreutils/semodule/semodule.c	(revision 2511)
>>>> +++ policycoreutils/semodule/semodule.c	(working copy)
>>>> @@ -44,6 +44,7 @@
>>>>  static int no_reload;
>>>>  static int create_store;
>>>>  static int build;
>>>> +static int disable_dontaudit;
>>>>  
>>>>  static semanage_handle_t *sh = NULL;
>>>>  static char *store;
>>>> @@ -131,6 +132,7 @@
>>>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>>>>  	printf("  -h,--help        print this message and quit\n");
>>>>  	printf("  -v,--verbose     be verbose\n");
>>>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>>>>  }
>>>>  
>>>>  /* Sets the global mode variable to new_mode, but only if no other
>>>> @@ -173,6 +175,7 @@
>>>>  		{"reload", 0, NULL, 'R'},
>>>>  		{"noreload", 0, NULL, 'n'},
>>>>  		{"build", 0, NULL, 'B'},
>>>> +		{"disable_dontaudit", 0, NULL, 'D'},
>>>>  		{NULL, 0, NULL, 0}
>>>>  	};
>>>>  	int i;
>>>> @@ -181,7 +184,7 @@
>>>>  	no_reload = 0;
>>>>  	create_store = 0;
>>>>  	while ((i =
>>>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>>>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>>>  			    NULL)) != -1) {
>>>>  		switch (i) {
>>>>  		case 'b':
>>>> @@ -218,6 +221,9 @@
>>>>  		case 'B':
>>>>  			build = 1;
>>>>  			break;
>>>> +		case 'D':
>>>> +			disable_dontaudit = 1;
>>>> +			break;
>>>>  		case '?':
>>>>  		default:{
>>>>  				usage(argv[0]);
>>>> @@ -441,6 +447,8 @@
>>>>  			semanage_set_reload(sh, 0);
>>>>  		if (build)
>>>>  			semanage_set_rebuild(sh, 1);
>>>> +		if (disable_dontaudit)
>>>> +			semanage_set_disable_dontaudit(sh, 1);
>>>>  		result = semanage_commit(sh);
>>>>  	}
>>>>     
>>>>         
>>> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
>>>
>>> Merge at will.
>>>   
>>>       
>> So did we decide that the disadvantages of this approach are fine? The 
>> one that bothers me is that rebooting doesn't reset the dontaudit state 
>> (like it would with Eric's patch)...
>>     
>
> That could be an advantage - suppose that you want to collect full audit
> information on the initialization itself.  And it isn't different than
> the old 'make enableaudit load' approach.
>   

Good point, ok, I'll merge this in a bit, are there any other pending 
merges?




* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 17:53             ` Joshua Brindle
@ 2007-08-16 18:04               ` Stephen Smalley
  2007-08-16 19:18                 ` Stephen Smalley
  2007-08-16 19:26                 ` Joshua Brindle
  0 siblings, 2 replies; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 18:04 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> >   
> >> Stephen Smalley wrote:
> >>     
> >>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> >>>   
> >>>       
> >>>> Joshua Brindle wrote:
> >>>>     
> >>>>         
> >>>>> James Morris wrote:
> >>>>>       
> >>>>>           
> >>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> >>>>>>
> >>>>>>  
> >>>>>>         
> >>>>>>             
> >>>>>>> Currently to disable dontaudit rules best you can do it to load the
> >>>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> >>>>>>> rules from modules.
> >>>>>>>     
> >>>>>>>           
> >>>>>>>               
> >>>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
> >>>>>> existing policy and reload it?
> >>>>>>
> >>>>>>   
> >>>>>>         
> >>>>>>             
> >>>>> I agree, the infrastructure is certainly in place to do it, just add 
> >>>>> something in the sepol_handle that says dontaudits should be 
> >>>>> discarded, then make an interface in libsemanage that uses that and 
> >>>>> rebuild the policy.
> >>>>>
> >>>>> If no one beats me to it I will see if my conclusions about it being 
> >>>>> fairly simple are accurate this weekend :)
> >>>>>
> >>>>>       
> >>>>>           
> >>>> I changed my mind, patch below
> >>>>
> >>>> it compiles and seems to work after semodule -DB:
> >>>>
> >>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> >>>> dontaudit
> >>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> >>>> Type 0, Modified 0)
> >>>>  Added TE Rules: 0
> >>>>  Added TE Rules because of new type: 0
> >>>>  Removed TE Rules: 326583
> >>>>  Removed TE Rules because of missing type: 0
> >>>>  Modified TE Rules: 0
> >>>>
> >>>> Index: libsemanage/include/semanage/handle.h
> >>>> ===================================================================
> >>>> --- libsemanage/include/semanage/handle.h	(revision 2511)
> >>>> +++ libsemanage/include/semanage/handle.h	(working copy)
> >>>> @@ -69,6 +69,9 @@
> >>>>   * 1 for yes, 0 for no (default) */
> >>>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> >>>>  
> >>>> +/* Set whether or not to disable dontaudits upon commit */
> >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> >>>> +
> >>>>  /* Check whether policy is managed via libsemanage on this system.
> >>>>   * Must be called prior to trying to connect.
> >>>>   * Return 1 if policy is managed via libsemanage on this system,
> >>>> Index: libsemanage/src/libsemanage.map
> >>>> ===================================================================
> >>>> --- libsemanage/src/libsemanage.map	(revision 2511)
> >>>> +++ libsemanage/src/libsemanage.map	(working copy)
> >>>> @@ -13,6 +13,6 @@
> >>>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
> >>>>  	  semanage_node_*;
> >>>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> >>>> -	  semanage_is_connected;
> >>>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
> >>>>    local: *;
> >>>>  };
> >>>> Index: libsemanage/src/handle.c
> >>>> ===================================================================
> >>>> --- libsemanage/src/handle.c	(revision 2511)
> >>>> +++ libsemanage/src/handle.c	(working copy)
> >>>> @@ -109,6 +109,14 @@
> >>>>  	return;
> >>>>  }
> >>>>  
> >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> >>>> +{
> >>>> +	assert(sh != NULL);
> >>>> +	
> >>>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> >>>> +	return;
> >>>> +}
> >>>> +
> >>>>  int semanage_is_connected(semanage_handle_t * sh)
> >>>>  {
> >>>>  	assert(sh != NULL);
> >>>> Index: libsepol/include/sepol/handle.h
> >>>> ===================================================================
> >>>> --- libsepol/include/sepol/handle.h	(revision 2511)
> >>>> +++ libsepol/include/sepol/handle.h	(working copy)
> >>>> @@ -7,6 +7,10 @@
> >>>>  /* Create and return a sepol handle. */
> >>>>  sepol_handle_t *sepol_handle_create(void);
> >>>>  
> >>>> +/* Set whether or not to disable dontaudits, 0 is default and does 
> >>>> + * not disable dontaudits, 1 disables them */
> >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> >>>> +
> >>>>  /* Destroy a sepol handle. */
> >>>>  void sepol_handle_destroy(sepol_handle_t *);
> >>>>  
> >>>> Index: libsepol/src/handle.h
> >>>> ===================================================================
> >>>> --- libsepol/src/handle.h	(revision 2511)
> >>>> +++ libsepol/src/handle.h	(working copy)
> >>>> @@ -14,6 +14,9 @@
> >>>>  	void (*msg_callback) (void *varg,
> >>>>  			      sepol_handle_t * handle, const char *fmt, ...);
> >>>>  	void *msg_callback_arg;
> >>>> +
> >>>> +	int disable_dontaudit;
> >>>> +
> >>>>  };
> >>>>  
> >>>>  #endif
> >>>> Index: libsepol/src/libsepol.map
> >>>> ===================================================================
> >>>> --- libsepol/src/libsepol.map	(revision 2511)
> >>>> +++ libsepol/src/libsepol.map	(working copy)
> >>>> @@ -12,5 +12,6 @@
> >>>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
> >>>>  	sepol_policy_kern_*;
> >>>>  	sepol_policy_file_*;
> >>>> +	sepol_set_disable_dontaudit;
> >>>>    local: *;
> >>>>  };
> >>>> Index: libsepol/src/expand.c
> >>>> ===================================================================
> >>>> --- libsepol/src/expand.c	(revision 2511)
> >>>> +++ libsepol/src/expand.c	(working copy)
> >>>> @@ -1367,6 +1367,8 @@
> >>>>  	} else if (specified & AVRULE_AUDITDENY) {
> >>>>  		spec = AVTAB_AUDITDENY;
> >>>>  	} else if (specified & AVRULE_DONTAUDIT) {
> >>>> +		if (handle->disable_dontaudit)
> >>>> +			return EXPAND_RULE_SUCCESS;
> >>>>  		spec = AVTAB_AUDITDENY;
> >>>>  	} else if (specified & AVRULE_NEVERALLOW) {
> >>>>  		spec = AVTAB_NEVERALLOW;
> >>>> Index: libsepol/src/handle.c
> >>>> ===================================================================
> >>>> --- libsepol/src/handle.c	(revision 2511)
> >>>> +++ libsepol/src/handle.c	(working copy)
> >>>> @@ -1,4 +1,5 @@
> >>>>  #include <stdlib.h>
> >>>> +#include <assert.h>
> >>>>  #include "handle.h"
> >>>>  #include "debug.h"
> >>>>  
> >>>> @@ -13,9 +14,18 @@
> >>>>  	sh->msg_callback = sepol_msg_default_handler;
> >>>>  	sh->msg_callback_arg = NULL;
> >>>>  
> >>>> +	/* by default do not disable dontaudits */
> >>>> +	sh->disable_dontaudit = 0;
> >>>> +
> >>>>  	return sh;
> >>>>  }
> >>>>  
> >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> >>>> +{
> >>>> +	assert(sh !=NULL);
> >>>> +	sh->disable_dontaudit = disable_dontaudit;
> >>>> +}
> >>>> +
> >>>>  void sepol_handle_destroy(sepol_handle_t * sh)
> >>>>  {
> >>>>  	free(sh);
> >>>> Index: policycoreutils/semodule/semodule.c
> >>>> ===================================================================
> >>>> --- policycoreutils/semodule/semodule.c	(revision 2511)
> >>>> +++ policycoreutils/semodule/semodule.c	(working copy)
> >>>> @@ -44,6 +44,7 @@
> >>>>  static int no_reload;
> >>>>  static int create_store;
> >>>>  static int build;
> >>>> +static int disable_dontaudit;
> >>>>  
> >>>>  static semanage_handle_t *sh = NULL;
> >>>>  static char *store;
> >>>> @@ -131,6 +132,7 @@
> >>>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
> >>>>  	printf("  -h,--help        print this message and quit\n");
> >>>>  	printf("  -v,--verbose     be verbose\n");
> >>>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
> >>>>  }
> >>>>  
> >>>>  /* Sets the global mode variable to new_mode, but only if no other
> >>>> @@ -173,6 +175,7 @@
> >>>>  		{"reload", 0, NULL, 'R'},
> >>>>  		{"noreload", 0, NULL, 'n'},
> >>>>  		{"build", 0, NULL, 'B'},
> >>>> +		{"disable_dontaudit", 0, NULL, 'D'},
> >>>>  		{NULL, 0, NULL, 0}
> >>>>  	};
> >>>>  	int i;
> >>>> @@ -181,7 +184,7 @@
> >>>>  	no_reload = 0;
> >>>>  	create_store = 0;
> >>>>  	while ((i =
> >>>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> >>>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> >>>>  			    NULL)) != -1) {
> >>>>  		switch (i) {
> >>>>  		case 'b':
> >>>> @@ -218,6 +221,9 @@
> >>>>  		case 'B':
> >>>>  			build = 1;
> >>>>  			break;
> >>>> +		case 'D':
> >>>> +			disable_dontaudit = 1;
> >>>> +			break;
> >>>>  		case '?':
> >>>>  		default:{
> >>>>  				usage(argv[0]);
> >>>> @@ -441,6 +447,8 @@
> >>>>  			semanage_set_reload(sh, 0);
> >>>>  		if (build)
> >>>>  			semanage_set_rebuild(sh, 1);
> >>>> +		if (disable_dontaudit)
> >>>> +			semanage_set_disable_dontaudit(sh, 1);
> >>>>  		result = semanage_commit(sh);
> >>>>  	}
> >>>>     
> >>>>         
> >>> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> >>>
> >>> Merge at will.
> >>>   
> >>>       
> >> So did we decide that the disadvantages of this approach are fine? The 
> >> one that bothers me is that rebooting doesn't reset the dontaudit state 
> >> (like it would with Eric's patch)...
> >>     
> >
> > That could be an advantage - suppose that you want to collect full audit
> > information on the initialization itself.  And it isn't different than
> > the old 'make enableaudit load' approach.
> >   
> 
> Good point, ok, I'll merge this in a bit, are there any other pending 
> merges?

Some of Dan's policycoreutils patches are trivial or simple bug fixes.
Others are less clear to me.

I was going to test the libsemanage genhomedircon patches, but haven't
done so yet.  I don't have a problem with them conceptually.  Have you
verified that they yield no change in output under -targeted and -strict
policy?  And run them under valgrind?

Eric's handle unknown patches are still outstanding.  Dan, if we merged
that support, would you use it in building future policies?

Karl's sepolgen bug fix looks fine to merge.

I (or someone) have to rework libsepol in stable and trunk to avoid
unaligned accesses (as per the wrong magic number thread).  Already did
it once for the kernel.  Sigh.

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 18:04               ` Stephen Smalley
@ 2007-08-16 19:18                 ` Stephen Smalley
  2007-08-16 19:30                   ` Joshua Brindle
  2007-08-16 19:26                 ` Joshua Brindle
  1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 19:18 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-16 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
> > >   
> > >> Stephen Smalley wrote:
> > >>     
> > >>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
> > >>>   
> > >>>       
> > >>>> Joshua Brindle wrote:
> > >>>>     
> > >>>>         
> > >>>>> James Morris wrote:
> > >>>>>       
> > >>>>>           
> > >>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
> > >>>>>>
> > >>>>>>  
> > >>>>>>         
> > >>>>>>             
> > >>>>>>> Currently to disable dontaudit rules best you can do it to load the
> > >>>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
> > >>>>>>> rules from modules.
> > >>>>>>>     
> > >>>>>>>           
> > >>>>>>>               
> > >>>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
> > >>>>>> existing policy and reload it?
> > >>>>>>
> > >>>>>>   
> > >>>>>>         
> > >>>>>>             
> > >>>>> I agree, the infrastructure is certainly in place to do it, just add 
> > >>>>> something in the sepol_handle that says dontaudits should be 
> > >>>>> discarded, then make an interface in libsemanage that uses that and 
> > >>>>> rebuild the policy.
> > >>>>>
> > >>>>> If noone beats me to it I will see if my conclusions about it being 
> > >>>>> fairly simple are accurate this weekend :)
> > >>>>>
> > >>>>>       
> > >>>>>           
> > >>>> I changed my mind, patch below
> > >>>>
> > >>>> it compiles and seems to work after semodule -DB:
> > >>>>
> > >>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
> > >>>> dontaudit
> > >>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
> > >>>> Type 0, Modified 0)
> > >>>>  Added TE Rules: 0
> > >>>>  Added TE Rules because of new type: 0
> > >>>>  Removed TE Rules: 326583
> > >>>>  Removed TE Rules because of missing type: 0
> > >>>>  Modified TE Rules: 0
> > >>>>
> > >>>> Index: libsemanage/include/semanage/handle.h
> > >>>> ===================================================================
> > >>>> --- libsemanage/include/semanage/handle.h	(revision 2511)
> > >>>> +++ libsemanage/include/semanage/handle.h	(working copy)
> > >>>> @@ -69,6 +69,9 @@
> > >>>>   * 1 for yes, 0 for no (default) */
> > >>>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
> > >>>>  
> > >>>> +/* Set whether or not to disable dontaudits upon commit */
> > >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
> > >>>> +
> > >>>>  /* Check whether policy is managed via libsemanage on this system.
> > >>>>   * Must be called prior to trying to connect.
> > >>>>   * Return 1 if policy is managed via libsemanage on this system,
> > >>>> Index: libsemanage/src/libsemanage.map
> > >>>> ===================================================================
> > >>>> --- libsemanage/src/libsemanage.map	(revision 2511)
> > >>>> +++ libsemanage/src/libsemanage.map	(working copy)
> > >>>> @@ -13,6 +13,6 @@
> > >>>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
> > >>>>  	  semanage_node_*;
> > >>>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> > >>>> -	  semanage_is_connected;
> > >>>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
> > >>>>    local: *;
> > >>>>  };
> > >>>> Index: libsemanage/src/handle.c
> > >>>> ===================================================================
> > >>>> --- libsemanage/src/handle.c	(revision 2511)
> > >>>> +++ libsemanage/src/handle.c	(working copy)
> > >>>> @@ -109,6 +109,14 @@
> > >>>>  	return;
> > >>>>  }
> > >>>>  
> > >>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> > >>>> +{
> > >>>> +	assert(sh != NULL);
> > >>>> +	
> > >>>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> > >>>> +	return;
> > >>>> +}
> > >>>> +
> > >>>>  int semanage_is_connected(semanage_handle_t * sh)
> > >>>>  {
> > >>>>  	assert(sh != NULL);
> > >>>> Index: libsepol/include/sepol/handle.h
> > >>>> ===================================================================
> > >>>> --- libsepol/include/sepol/handle.h	(revision 2511)
> > >>>> +++ libsepol/include/sepol/handle.h	(working copy)
> > >>>> @@ -7,6 +7,10 @@
> > >>>>  /* Create and return a sepol handle. */
> > >>>>  sepol_handle_t *sepol_handle_create(void);
> > >>>>  
> > >>>> +/* Set whether or not to disable dontaudits, 0 is default and does 
> > >>>> + * not disable dontaudits, 1 disables them */
> > >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
> > >>>> +
> > >>>>  /* Destroy a sepol handle. */
> > >>>>  void sepol_handle_destroy(sepol_handle_t *);
> > >>>>  
> > >>>> Index: libsepol/src/handle.h
> > >>>> ===================================================================
> > >>>> --- libsepol/src/handle.h	(revision 2511)
> > >>>> +++ libsepol/src/handle.h	(working copy)
> > >>>> @@ -14,6 +14,9 @@
> > >>>>  	void (*msg_callback) (void *varg,
> > >>>>  			      sepol_handle_t * handle, const char *fmt, ...);
> > >>>>  	void *msg_callback_arg;
> > >>>> +
> > >>>> +	int disable_dontaudit;
> > >>>> +
> > >>>>  };
> > >>>>  
> > >>>>  #endif
> > >>>> Index: libsepol/src/libsepol.map
> > >>>> ===================================================================
> > >>>> --- libsepol/src/libsepol.map	(revision 2511)
> > >>>> +++ libsepol/src/libsepol.map	(working copy)
> > >>>> @@ -12,5 +12,6 @@
> > >>>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
> > >>>>  	sepol_policy_kern_*;
> > >>>>  	sepol_policy_file_*;
> > >>>> +	sepol_set_disable_dontaudit;
> > >>>>    local: *;
> > >>>>  };
> > >>>> Index: libsepol/src/expand.c
> > >>>> ===================================================================
> > >>>> --- libsepol/src/expand.c	(revision 2511)
> > >>>> +++ libsepol/src/expand.c	(working copy)
> > >>>> @@ -1367,6 +1367,8 @@
> > >>>>  	} else if (specified & AVRULE_AUDITDENY) {
> > >>>>  		spec = AVTAB_AUDITDENY;
> > >>>>  	} else if (specified & AVRULE_DONTAUDIT) {
> > >>>> +		if (handle->disable_dontaudit)
> > >>>> +			return EXPAND_RULE_SUCCESS;
> > >>>>  		spec = AVTAB_AUDITDENY;
> > >>>>  	} else if (specified & AVRULE_NEVERALLOW) {
> > >>>>  		spec = AVTAB_NEVERALLOW;
> > >>>> Index: libsepol/src/handle.c
> > >>>> ===================================================================
> > >>>> --- libsepol/src/handle.c	(revision 2511)
> > >>>> +++ libsepol/src/handle.c	(working copy)
> > >>>> @@ -1,4 +1,5 @@
> > >>>>  #include <stdlib.h>
> > >>>> +#include <assert.h>
> > >>>>  #include "handle.h"
> > >>>>  #include "debug.h"
> > >>>>  
> > >>>> @@ -13,9 +14,18 @@
> > >>>>  	sh->msg_callback = sepol_msg_default_handler;
> > >>>>  	sh->msg_callback_arg = NULL;
> > >>>>  
> > >>>> +	/* by default do not disable dontaudits */
> > >>>> +	sh->disable_dontaudit = 0;
> > >>>> +
> > >>>>  	return sh;
> > >>>>  }
> > >>>>  
> > >>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
> > >>>> +{
> > >>>> +	assert(sh !=NULL);
> > >>>> +	sh->disable_dontaudit = disable_dontaudit;
> > >>>> +}
> > >>>> +
> > >>>>  void sepol_handle_destroy(sepol_handle_t * sh)
> > >>>>  {
> > >>>>  	free(sh);
> > >>>> Index: policycoreutils/semodule/semodule.c
> > >>>> ===================================================================
> > >>>> --- policycoreutils/semodule/semodule.c	(revision 2511)
> > >>>> +++ policycoreutils/semodule/semodule.c	(working copy)
> > >>>> @@ -44,6 +44,7 @@
> > >>>>  static int no_reload;
> > >>>>  static int create_store;
> > >>>>  static int build;
> > >>>> +static int disable_dontaudit;
> > >>>>  
> > >>>>  static semanage_handle_t *sh = NULL;
> > >>>>  static char *store;
> > >>>> @@ -131,6 +132,7 @@
> > >>>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
> > >>>>  	printf("  -h,--help        print this message and quit\n");
> > >>>>  	printf("  -v,--verbose     be verbose\n");
> > >>>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
> > >>>>  }
> > >>>>  
> > >>>>  /* Sets the global mode variable to new_mode, but only if no other
> > >>>> @@ -173,6 +175,7 @@
> > >>>>  		{"reload", 0, NULL, 'R'},
> > >>>>  		{"noreload", 0, NULL, 'n'},
> > >>>>  		{"build", 0, NULL, 'B'},
> > >>>> +		{"disable_dontaudit", 0, NULL, 'D'},
> > >>>>  		{NULL, 0, NULL, 0}
> > >>>>  	};
> > >>>>  	int i;
> > >>>> @@ -181,7 +184,7 @@
> > >>>>  	no_reload = 0;
> > >>>>  	create_store = 0;
> > >>>>  	while ((i =
> > >>>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
> > >>>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
> > >>>>  			    NULL)) != -1) {
> > >>>>  		switch (i) {
> > >>>>  		case 'b':
> > >>>> @@ -218,6 +221,9 @@
> > >>>>  		case 'B':
> > >>>>  			build = 1;
> > >>>>  			break;
> > >>>> +		case 'D':
> > >>>> +			disable_dontaudit = 1;
> > >>>> +			break;
> > >>>>  		case '?':
> > >>>>  		default:{
> > >>>>  				usage(argv[0]);
> > >>>> @@ -441,6 +447,8 @@
> > >>>>  			semanage_set_reload(sh, 0);
> > >>>>  		if (build)
> > >>>>  			semanage_set_rebuild(sh, 1);
> > >>>> +		if (disable_dontaudit)
> > >>>> +			semanage_set_disable_dontaudit(sh, 1);
> > >>>>  		result = semanage_commit(sh);
> > >>>>  	}
> > >>>>     
> > >>>>         
> > >>> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > >>>
> > >>> Merge at will.
> > >>>   
> > >>>       
> > >> So did we decide that the disadvantages of this approach are fine? The 
> > >> one that bothers me is that rebooting doesn't reset the dontaudit state 
> > >> (like it would with Eric's patch)...
> > >>     
> > >
> > > That could be an advantage - suppose that you want to collect full audit
> > > information on the initialization itself.  And it isn't different than
> > > the old 'make enableaudit load' approach.
> > >   
> > 
> > Good point, ok, I'll merge this in a bit, are there any other pending 
> > merges?
> 
> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> Others are less clear to me.
> 
> I was going to test the libsemanage genhomedircon patches, but haven't
> done so yet.  I don't have a problem with them conceptually.  Have you
> verified that they yield no change in output under -targeted and -strict
> policy?  And run them under valgrind?

Oh, and what to do about the fact that it won't build anywhere but
rawhide (ustr dependency)?

> Eric's handle unknown patches are still outstanding.  Dan, if we merged
> that support, would you use it in building future policies?
> 
> Karl's sepolgen bug fix looks fine to merge.
> 
> I (or someone) have to rework libsepol in stable and trunk to avoid
> unaligned accesses (as per the wrong magic number thread).  Already did
> it once for the kernel.  Sigh.
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 18:04               ` Stephen Smalley
  2007-08-16 19:18                 ` Stephen Smalley
@ 2007-08-16 19:26                 ` Joshua Brindle
  2007-08-21 20:41                   ` Daniel J Walsh
  1 sibling, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 19:26 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh

Stephen Smalley wrote:
> On Thu, 2007-08-16 at 13:53 -0400, Joshua Brindle wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Thu, 2007-08-16 at 13:45 -0400, Joshua Brindle wrote:
>>>   
>>>       
>>>> Stephen Smalley wrote:
>>>>     
>>>>         
>>>>> On Thu, 2007-08-09 at 21:22 -0400, Joshua Brindle wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>> Joshua Brindle wrote:
>>>>>>     
>>>>>>         
>>>>>>             
>>>>>>> James Morris wrote:
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>>>> On Thu, 9 Aug 2007, Eric Paris wrote:
>>>>>>>>
>>>>>>>>  
>>>>>>>>         
>>>>>>>>             
>>>>>>>>                 
>>>>>>>>> Currently to disable dontaudit rules best you can do it to load the
>>>>>>>>> enableaudit.pp base policy.  Which still doesn't remove the dontaudit
>>>>>>>>> rules from modules.
>>>>>>>>>     
>>>>>>>>>           
>>>>>>>>>               
>>>>>>>>>                   
>>>>>>>> Are we sure this can't be done in userspace?  Like, mangle all the 
>>>>>>>> existing policy and reload it?
>>>>>>>>
>>>>>>>>   
>>>>>>>>         
>>>>>>>>             
>>>>>>>>                 
>>>>>>> I agree, the infrastructure is certainly in place to do it, just add 
>>>>>>> something in the sepol_handle that says dontaudits should be 
>>>>>>> discarded, then make an interface in libsemanage that uses that and 
>>>>>>> rebuild the policy.
>>>>>>>
>>>>>>> If noone beats me to it I will see if my conclusions about it being 
>>>>>>> fairly simple are accurate this weekend :)
>>>>>>>
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>> I changed my mind, patch below
>>>>>>
>>>>>> it compiles and seems to work after semodule -DB:
>>>>>>
>>>>>> [root@scarecrow policy]# sediff -T policy.21.old \; policy.21 | grep -v
>>>>>> dontaudit
>>>>>> TE Rules (Added 0, Added New Type 0, Removed 326583, Removed Missing
>>>>>> Type 0, Modified 0)
>>>>>>  Added TE Rules: 0
>>>>>>  Added TE Rules because of new type: 0
>>>>>>  Removed TE Rules: 326583
>>>>>>  Removed TE Rules because of missing type: 0
>>>>>>  Modified TE Rules: 0
>>>>>>
>>>>>> Index: libsemanage/include/semanage/handle.h
>>>>>> ===================================================================
>>>>>> --- libsemanage/include/semanage/handle.h	(revision 2511)
>>>>>> +++ libsemanage/include/semanage/handle.h	(working copy)
>>>>>> @@ -69,6 +69,9 @@
>>>>>>   * 1 for yes, 0 for no (default) */
>>>>>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>>>>>  
>>>>>> +/* Set whether or not to disable dontaudits upon commit */
>>>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>>>>> +
>>>>>>  /* Check whether policy is managed via libsemanage on this system.
>>>>>>   * Must be called prior to trying to connect.
>>>>>>   * Return 1 if policy is managed via libsemanage on this system,
>>>>>> Index: libsemanage/src/libsemanage.map
>>>>>> ===================================================================
>>>>>> --- libsemanage/src/libsemanage.map	(revision 2511)
>>>>>> +++ libsemanage/src/libsemanage.map	(working copy)
>>>>>> @@ -13,6 +13,6 @@
>>>>>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>>>>>>  	  semanage_node_*;
>>>>>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>>>>>> -	  semanage_is_connected;
>>>>>> +	  semanage_is_connected; semanage_set_disable_dontaudit;
>>>>>>    local: *;
>>>>>>  };
>>>>>> Index: libsemanage/src/handle.c
>>>>>> ===================================================================
>>>>>> --- libsemanage/src/handle.c	(revision 2511)
>>>>>> +++ libsemanage/src/handle.c	(working copy)
>>>>>> @@ -109,6 +109,14 @@
>>>>>>  	return;
>>>>>>  }
>>>>>>  
>>>>>> +void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>>>>> +{
>>>>>> +	assert(sh != NULL);
>>>>>> +	
>>>>>> +	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>>>>> +	return;
>>>>>> +}
>>>>>> +
>>>>>>  int semanage_is_connected(semanage_handle_t * sh)
>>>>>>  {
>>>>>>  	assert(sh != NULL);
>>>>>> Index: libsepol/include/sepol/handle.h
>>>>>> ===================================================================
>>>>>> --- libsepol/include/sepol/handle.h	(revision 2511)
>>>>>> +++ libsepol/include/sepol/handle.h	(working copy)
>>>>>> @@ -7,6 +7,10 @@
>>>>>>  /* Create and return a sepol handle. */
>>>>>>  sepol_handle_t *sepol_handle_create(void);
>>>>>>  
>>>>>> +/* Set whether or not to disable dontaudits, 0 is default and does 
>>>>>> + * not disable dontaudits, 1 disables them */
>>>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>>>>>> +
>>>>>>  /* Destroy a sepol handle. */
>>>>>>  void sepol_handle_destroy(sepol_handle_t *);
>>>>>>  
>>>>>> Index: libsepol/src/handle.h
>>>>>> ===================================================================
>>>>>> --- libsepol/src/handle.h	(revision 2511)
>>>>>> +++ libsepol/src/handle.h	(working copy)
>>>>>> @@ -14,6 +14,9 @@
>>>>>>  	void (*msg_callback) (void *varg,
>>>>>>  			      sepol_handle_t * handle, const char *fmt, ...);
>>>>>>  	void *msg_callback_arg;
>>>>>> +
>>>>>> +	int disable_dontaudit;
>>>>>> +
>>>>>>  };
>>>>>>  
>>>>>>  #endif
>>>>>> Index: libsepol/src/libsepol.map
>>>>>> ===================================================================
>>>>>> --- libsepol/src/libsepol.map	(revision 2511)
>>>>>> +++ libsepol/src/libsepol.map	(working copy)
>>>>>> @@ -12,5 +12,6 @@
>>>>>>  	sepol_policydb_*; sepol_set_policydb_from_file; 
>>>>>>  	sepol_policy_kern_*;
>>>>>>  	sepol_policy_file_*;
>>>>>> +	sepol_set_disable_dontaudit;
>>>>>>    local: *;
>>>>>>  };
>>>>>> Index: libsepol/src/expand.c
>>>>>> ===================================================================
>>>>>> --- libsepol/src/expand.c	(revision 2511)
>>>>>> +++ libsepol/src/expand.c	(working copy)
>>>>>> @@ -1367,6 +1367,8 @@
>>>>>>  	} else if (specified & AVRULE_AUDITDENY) {
>>>>>>  		spec = AVTAB_AUDITDENY;
>>>>>>  	} else if (specified & AVRULE_DONTAUDIT) {
>>>>>> +		if (handle->disable_dontaudit)
>>>>>> +			return EXPAND_RULE_SUCCESS;
>>>>>>  		spec = AVTAB_AUDITDENY;
>>>>>>  	} else if (specified & AVRULE_NEVERALLOW) {
>>>>>>  		spec = AVTAB_NEVERALLOW;
>>>>>> Index: libsepol/src/handle.c
>>>>>> ===================================================================
>>>>>> --- libsepol/src/handle.c	(revision 2511)
>>>>>> +++ libsepol/src/handle.c	(working copy)
>>>>>> @@ -1,4 +1,5 @@
>>>>>>  #include <stdlib.h>
>>>>>> +#include <assert.h>
>>>>>>  #include "handle.h"
>>>>>>  #include "debug.h"
>>>>>>  
>>>>>> @@ -13,9 +14,18 @@
>>>>>>  	sh->msg_callback = sepol_msg_default_handler;
>>>>>>  	sh->msg_callback_arg = NULL;
>>>>>>  
>>>>>> +	/* by default do not disable dontaudits */
>>>>>> +	sh->disable_dontaudit = 0;
>>>>>> +
>>>>>>  	return sh;
>>>>>>  }
>>>>>>  
>>>>>> +void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
>>>>>> +{
>>>>>> +	assert(sh !=NULL);
>>>>>> +	sh->disable_dontaudit = disable_dontaudit;
>>>>>> +}
>>>>>> +
>>>>>>  void sepol_handle_destroy(sepol_handle_t * sh)
>>>>>>  {
>>>>>>  	free(sh);
>>>>>> Index: policycoreutils/semodule/semodule.c
>>>>>> ===================================================================
>>>>>> --- policycoreutils/semodule/semodule.c	(revision 2511)
>>>>>> +++ policycoreutils/semodule/semodule.c	(working copy)
>>>>>> @@ -44,6 +44,7 @@
>>>>>>  static int no_reload;
>>>>>>  static int create_store;
>>>>>>  static int build;
>>>>>> +static int disable_dontaudit;
>>>>>>  
>>>>>>  static semanage_handle_t *sh = NULL;
>>>>>>  static char *store;
>>>>>> @@ -131,6 +132,7 @@
>>>>>>  	printf("  -n,--noreload	   do not reload policy after commit\n");
>>>>>>  	printf("  -h,--help        print this message and quit\n");
>>>>>>  	printf("  -v,--verbose     be verbose\n");
>>>>>> +	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
>>>>>>  }
>>>>>>  
>>>>>>  /* Sets the global mode variable to new_mode, but only if no other
>>>>>> @@ -173,6 +175,7 @@
>>>>>>  		{"reload", 0, NULL, 'R'},
>>>>>>  		{"noreload", 0, NULL, 'n'},
>>>>>>  		{"build", 0, NULL, 'B'},
>>>>>> +		{"disable_dontaudit", 0, NULL, 'D'},
>>>>>>  		{NULL, 0, NULL, 0}
>>>>>>  	};
>>>>>>  	int i;
>>>>>> @@ -181,7 +184,7 @@
>>>>>>  	no_reload = 0;
>>>>>>  	create_store = 0;
>>>>>>  	while ((i =
>>>>>> -		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
>>>>>> +		getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
>>>>>>  			    NULL)) != -1) {
>>>>>>  		switch (i) {
>>>>>>  		case 'b':
>>>>>> @@ -218,6 +221,9 @@
>>>>>>  		case 'B':
>>>>>>  			build = 1;
>>>>>>  			break;
>>>>>> +		case 'D':
>>>>>> +			disable_dontaudit = 1;
>>>>>> +			break;
>>>>>>  		case '?':
>>>>>>  		default:{
>>>>>>  				usage(argv[0]);
>>>>>> @@ -441,6 +447,8 @@
>>>>>>  			semanage_set_reload(sh, 0);
>>>>>>  		if (build)
>>>>>>  			semanage_set_rebuild(sh, 1);
>>>>>> +		if (disable_dontaudit)
>>>>>> +			semanage_set_disable_dontaudit(sh, 1);
>>>>>>  		result = semanage_commit(sh);
>>>>>>  	}
>>>>>>     
>>>>>>         
>>>>>>             
>>>>> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
>>>>>
>>>>> Merge at will.
>>>>>   
>>>>>       
>>>>>           
>>>> So did we decide that the disadvantages of this approach are fine? The 
>>>> one that bothers me is that rebooting doesn't reset the dontaudit state 
>>>> (like it would with Eric's patch)...
>>>>     
>>>>         
>>> That could be an advantage - suppose that you want to collect full audit
>>> information on the initialization itself.  And it isn't different than
>>> the old 'make enableaudit load' approach.
>>>   
>>>       
>> Good point, ok, I'll merge this in a bit, are there any other pending 
>> merges?
>>     
>
>   
Merged into libsepol 2.0.6, libsemanage 2.0.4 and policycoreutils 2.0.23

> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> Others are less clear to me.
>
>   
I'll wait until there is a complete patch

> I was going to test the libsemanage genhomedircon patches, but haven't
> done so yet.  I don't have a problem with them conceptually.  Have you
> verified that they yield no change in output under -targeted and -strict
> policy?  And run them under valgrind?
>
>   

targeted yields a change (pointed out in the initial email) which was 
the result of a bug in genhomedircon, it's been valgrinded, I'm having
strict tested now.

> Eric's handle unknown patches are still outstanding.  Dan, if we merged
> that support, would you use it in building future policies?
>
>   
So we are going forward with this patch?

> Karl's sepolgen bug fix looks fine to merge.
>
>   
merged.

> I (or someone) have to rework libsepol in stable and trunk to avoid
> unaligned accesses (as per the wrong magic number thread).  Already did
> it once for the kernel.  Sigh.
>
>   



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 19:18                 ` Stephen Smalley
@ 2007-08-16 19:30                   ` Joshua Brindle
  2007-08-16 19:33                     ` Stephen Smalley
  0 siblings, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-16 19:30 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, Eric Paris, selinux, dwalsh

Stephen Smalley wrote:
>> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
>> Others are less clear to me.
>>
>> I was going to test the libsemanage genhomedircon patches, but haven't
>> done so yet.  I don't have a problem with them conceptually.  Have you
>> verified that they yield no change in output under -targeted and -strict
>> policy?  And run them under valgrind?
>>     
>
> Oh, and what to do about the fact that it won't build anywhere but
> rawhide (ustr dependency)?
>
>   
We can pull the parts of ustr we need into the library, it is designed 
to be used that way. This is also trunk though, and we don't guarantee
ABI stability in trunk right? The sepolgen dependency of python 2.5 
causes similar problems AFAIK.

>> Eric's handle unknown patches are still outstanding.  Dan, if we merged
>> that support, would you use it in building future policies?
>>
>> Karl's sepolgen bug fix looks fine to merge.
>>
>> I (or someone) have to rework libsepol in stable and trunk to avoid
>> unaligned accesses (as per the wrong magic number thread).  Already did
>> it once for the kernel.  Sigh.
>>
>>     



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 19:30                   ` Joshua Brindle
@ 2007-08-16 19:33                     ` Stephen Smalley
  0 siblings, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2007-08-16 19:33 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: James Morris, Eric Paris, selinux, dwalsh

On Thu, 2007-08-16 at 15:30 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> >> Some of Dan's policycoreutils patches are trivial or simple bug fixes.
> >> Others are less clear to me.
> >>
> >> I was going to test the libsemanage genhomedircon patches, but haven't
> >> done so yet.  I don't have a problem with them conceptually.  Have you
> >> verified that they yield no change in output under -targeted and -strict
> >> policy?  And run them under valgrind?
> >>     
> >
> > Oh, and what to do about the fact that it won't build anywhere but
> > rawhide (ustr dependency)?
> >
> >   
> We can pull the parts of ustr we need into the library, it is designed 
> to do used that way. This is also trunk though, and we don't guarantee 
> ABI stability in trunk right? The sepolgen dependency of python 2.5 
> causes similar problems AFAIK.

Ok.  I just wanted to test on F7, so I just did a yum
--enablerepo=development install ustr ustr-devel and then everything was
happy.

But the more important issue is that it doesn't work (see other mail).
Pity.  ENOTEST w/o users added to seusers.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-16 19:26                 ` Joshua Brindle
@ 2007-08-21 20:41                   ` Daniel J Walsh
  2007-08-21 23:41                     ` Joshua Brindle
  2007-08-23 15:07                     ` Stephen Smalley
  0 siblings, 2 replies; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-21 20:41 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

[-- Attachment #1: Type: text/plain, Size: 536 bytes --]

I would like to get these patches into policycoreutils.


Submitted before, but here we go.

Change run_tty and open_init_pty to 755 instead of 555.  Some audit 
tools are reporting this as a problem.  And I see no real value of 555. 
for these to.

Simple bugfix for chcat

Fixes to make sure fixfiles reports errors and handles strange regexes.

Speed enhancement for genhomedircon to only compile regex's once.


I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone will 
run it as non-root, but I guess you never know.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 4930 bytes --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/run_init/Makefile policycoreutils-2.0.22/run_init/Makefile
--- nsapolicycoreutils/run_init/Makefile	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/run_init/Makefile	2007-07-31 15:45:57.000000000 -0400
@@ -34,8 +34,8 @@
 install: all
 	test -d $(SBINDIR)      || install -m 755 -d $(SBINDIR)
 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
-	install -m 555 run_init $(SBINDIR)
-	install -m 555 open_init_pty $(SBINDIR)
+	install -m 755 run_init $(SBINDIR)
+	install -m 755 open_init_pty $(SBINDIR)
 	install -m 644 run_init.8 $(MANDIR)/man8/
 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
 ifeq (${PAMH}, /usr/include/security/pam_appl.h)
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.22/scripts/chcat
--- nsapolicycoreutils/scripts/chcat	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/chcat	2007-07-31 15:45:57.000000000 -0400
@@ -77,7 +77,7 @@
             
         if len(cats) > 0:
             new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
-        else
+        else:
             new_serange = "%s-%s" % (serange[0], top[0])
             
         if add_ind:
@@ -155,7 +155,7 @@
 
         if len(cats) > 0:
             new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
-        else
+        else:
             new_serange = "%s-%s" % (serange[0], top[0])
             
         if add_ind:
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.22/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/fixfiles	2007-07-31 15:45:57.000000000 -0400
@@ -88,7 +88,7 @@
                   esac; \
                fi; \
             done | \
-	while read pattern ; do find $pattern \
+	while read pattern ; do sh -c "find $pattern" \
 		      ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune  -o \
 		      \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
 		      done 2> /dev/null | \
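Review bot: The `find` expression on the two continuation lines no longer reaches `find`: with `sh -c "find $pattern"` the closing quote ends the command string, so `! \( -fstype ... \) -prune -o \( -wholename /home ... \) -prune -o -print` becomes positional parameters of the inner `sh` and is silently ignored. Every match is therefore traversed regardless of filesystem type and /home, /root, /tmp are no longer pruned, which also inflates the candidate list handed to the next pipeline stage. Move the closing double quote from after `$pattern` to after `-print` on the third line so the whole expression stays inside the command string. Note also that the pattern is now evaluated by a second shell, so shell metacharacters in an incoming pattern are interpreted rather than passed literally to `find`; that is only as safe as the source of the pattern list, which is outside the hunk, and deserves a one-line comment. The pre-existing `-wholename /tmp -wholename /dev` on the context line appears to be missing an `-o`.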
@@ -108,6 +108,7 @@
 
 rpmlist() {
 rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
 }
 
 # 
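Review bot: The added `[ ... ] && echo` line is now the last command in `rpmlist`, so the function's exit status is inverted: it returns 1 when rpm succeeded (the test is false) and 0 when rpm failed (echo succeeded); any caller checking that status would see the opposite of what it expects, though the callers are outside the hunk. `PIPESTATUS` is bash-only and `${PIPESTATUS[0]}` is unquoted, so if the script's interpreter line is not bash the array expansion is a bad-substitution error rather than a check. `if [ "${PIPESTATUS[0]}" != 0 ]; then echo "$1 not found" >&2; return 1; fi` keeps the report, makes the failure explicit to the caller, and uses the portable `>&2` in place of `/dev/stderr`. A non-zero rpm status is also not necessarily "not found", so a generic "query failed" wording would be more accurate.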
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.22/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/genhomedircon	2007-08-01 16:03:41.000000000 -0400
@@ -139,7 +139,22 @@
 		self.default_user = "user_u"
 		self.default_prefix = "user"
 		self.users = self.getUsers()
+		fd = open(self.getFileContextFile())
+		self.fclines=[]
+		for i in fd.readlines():
+		    try:
+			    regex = i.split()[0]
+			    #match a trailing .+
+			    regex = re.sub("\.+$", "", regex)
+			    regex = re.sub("\.\*$", "", regex)
+			    regex = re.sub("\(\/\.\*\)\?", "", regex)
+			    regex = regex + "/*$"
+			    self.fclines.append(re.compile(regex))
+		    except:
+			    continue
 
+		fd.close()
+		
 	def getFileContextDir(self):
 		return self.selinuxdir+self.type+self.filecontextdir
 
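Review bot: The file opened at `fd = open(self.getFileContextFile())` is closed only on the normal path: `fd.readlines()` sits outside the `try`, so an exception there leaves the descriptor open, and an open failure propagates out of `__init__` with no context. Wrap the loop in `try: ... finally: fd.close()`, or use `with open(...) as fd:` if the target Python is 2.6 or newer. The bare `except: continue` also swallows `re.error` from a malformed pattern and `KeyboardInterrupt` alike; `except (IndexError, re.error): continue` keeps the intended skip-bad-lines behaviour without hiding everything else. The enclosing `__init__` starts outside the hunk.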
@@ -289,20 +304,9 @@
 		return ret+"\n"
 
 	def checkExists(self, home):
-		fd = open(self.getFileContextFile())
-		for i in  fd.readlines():
-                    if len(i) == 0:
-			    continue
+		for i in self.fclines:
 		    try:
-			    regex = i.split()[0]
-			    #match a trailing .+
-			    regex = re.sub("\.+$", "", regex)
-			    regex = re.sub("\.\*$", "", regex)
-			    #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-			    
-			    regex = re.sub("\(\/\.\*\)\?", "", regex)
-			    regex = regex + "/*$"
-			    if re.search(regex,home, 0):
+			    if i.match(home):
 				    return 1
 		    except:
 			    continue
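Review bot: `i.match(home)` is not equivalent to the removed `re.search(regex, home, 0)`: `match` anchors at the start of `home`, whereas `search` accepted a match anywhere in the string, so any file-context pattern that previously matched a home path mid-string now fails and `checkExists` returns a different answer for it. If the intent is purely the compile-once speed-up, `if i.search(home):` preserves the old behaviour exactly; if anchoring is actually wanted (as I understand it, SELinux file-context matching is anchored, so it may be), say so in a comment at this line since the compiled list is built in the previous hunk. The enclosing `checkExists` ends outside the hunk.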
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.22/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/semanage/semanage	2007-07-31 15:45:57.000000000 -0400
@@ -34,7 +34,10 @@
 sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
 
 try:
-       gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
+       gettext.install(PROGNAME,
+                       localedir="/usr/share/locale",
+                       unicode=False,
+                       codeset = 'utf-8')
 except IOError:
        import __builtin__
        __builtin__.__dict__['_'] = unicode
 			
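Review bot: With `unicode=False`, the `_()` installed by gettext now returns byte strings in the given codeset, while the fallback in the `except IOError` branch still binds `_` to `unicode`, so the two paths hand different string types to the codecs writer installed on `sys.stdout` two lines above; that writer encodes with the locale encoding, and a non-ASCII byte string presumably goes through an implicit ASCII decode there, which is worth confirming. If byte strings are what is wanted, the fallback should match, e.g. `__builtin__.__dict__['_'] = str`. Style: `codeset = 'utf-8'` has spaces around `=`, unlike the other keyword arguments in the same call. The same change appears in the quoted copy of this hunk below.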


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-21 20:41                   ` Daniel J Walsh
@ 2007-08-21 23:41                     ` Joshua Brindle
  2007-08-22 15:32                       ` Daniel J Walsh
  2007-08-23 15:07                     ` Stephen Smalley
  1 sibling, 1 reply; 22+ messages in thread
From: Joshua Brindle @ 2007-08-21 23:41 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

Daniel J Walsh wrote:
> I would like to get these patches into policycoreutils.
>
>
> Submitted before, but here we go.
>
> Change run_tty and open_init_pty to 755 instead of 555.  Some audit 
> tools are reporting this as a problem.  And I see no real value of 
> 555. for these to.
>
> Simple bugfix for chcat
>
> Fixes to make sure fixfiles reports errors and handles strange regexes.
>
> Speed enhancement for genhomedircon to only compile regex's once.
>
The current plan is to change to a genhomedircon based on C in 
libsemanage. Have you looked at those patches to see if they suffer the 
same problem you are fixing here?

>
> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone 
> will run it as non root, but I guess you never no.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-21 23:41                     ` Joshua Brindle
@ 2007-08-22 15:32                       ` Daniel J Walsh
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2007-08-22 15:32 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, James Morris, Eric Paris, selinux

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> I would like to get these patches into policycoreutils.
>>
>>
>> Submitted before, but here we go.
>>
>> Change run_tty and open_init_pty to 755 instead of 555.  Some audit 
>> tools are reporting this as a problem.  And I see no real value of 
>> 555. for these to.
>>
>> Simple bugfix for chcat
>>
>> Fixes to make sure fixfiles reports errors and handles strange regexes.
>>
>> Speed enhancement for genhomedircon to only compile regex's once.
>>
> The current plan is to change to a genhomedircon based on C in 
> libsemanage. Have you looked at those patches to see if they suffer 
> the same problem you are fixing here?
No.
>
>>
>> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone 
>> will run it as non root, but I guess you never no.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] selinuxfs to globally disable dontaudit rules
  2007-08-21 20:41                   ` Daniel J Walsh
  2007-08-21 23:41                     ` Joshua Brindle
@ 2007-08-23 15:07                     ` Stephen Smalley
  1 sibling, 0 replies; 22+ messages in thread
From: Stephen Smalley @ 2007-08-23 15:07 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Joshua Brindle, James Morris, Eric Paris, selinux

On Tue, 2007-08-21 at 16:41 -0400, Daniel J Walsh wrote:
> I would like to get these patches into policycoreutils.
> 
> 
> Submitted before, but here we go.

In the future, please post one patch per message.

> Change run_tty and open_init_pty to 755 instead of 555.  Some audit 
> tools are reporting this as a problem.  And I see no real value of 555. 
> for these to.
> 
> Simple bugfix for chcat
> 
> Fixes to make sure fixfiles reports errors and handles strange regexes.
> 
> Speed enhancement for genhomedircon to only compile regex's once.

I merged these to trunk, and the chcat bug fix to stable, but then the
libsemanage genhomedircon patch series removes genhomedircon altogether.
So you can extract the genhomedircon script with this enhancement from
the history, but you won't see any genhomedircon script at all on the
head.

> I reverted sepolgen-ifgen from sbin to bin, but I doubt many/anyone will 
> run it as non root, but I guess you never no.

I actually dislike having things in sbin because normal user paths don't
include it (even after su, unless you do a 'su -').  Regardless, the
real issue is providing stability - changing paths after it has already
been out there for a little while is harmful.

> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/run_init/Makefile policycoreutils-2.0.22/run_init/Makefile
> --- nsapolicycoreutils/run_init/Makefile	2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/run_init/Makefile	2007-07-31 15:45:57.000000000 -0400
> @@ -34,8 +34,8 @@
>  install: all
>  	test -d $(SBINDIR)      || install -m 755 -d $(SBINDIR)
>  	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> -	install -m 555 run_init $(SBINDIR)
> -	install -m 555 open_init_pty $(SBINDIR)
> +	install -m 755 run_init $(SBINDIR)
> +	install -m 755 open_init_pty $(SBINDIR)
>  	install -m 644 run_init.8 $(MANDIR)/man8/
>  	install -m 644 open_init_pty.8 $(MANDIR)/man8/
>  ifeq (${PAMH}, /usr/include/security/pam_appl.h)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.22/scripts/chcat
> --- nsapolicycoreutils/scripts/chcat	2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/chcat	2007-07-31 15:45:57.000000000 -0400
> @@ -77,7 +77,7 @@
>              
>          if len(cats) > 0:
>              new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> -        else
> +        else:
>              new_serange = "%s-%s" % (serange[0], top[0])
>              
>          if add_ind:
> @@ -155,7 +155,7 @@
>  
>          if len(cats) > 0:
>              new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> -        else
> +        else:
>              new_serange = "%s-%s" % (serange[0], top[0])
>              
>          if add_ind:
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.22/scripts/fixfiles
> --- nsapolicycoreutils/scripts/fixfiles	2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/fixfiles	2007-07-31 15:45:57.000000000 -0400
> @@ -88,7 +88,7 @@
>                    esac; \
>                 fi; \
>              done | \
> -	while read pattern ; do find $pattern \
> +	while read pattern ; do sh -c "find $pattern" \
>  		      ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune  -o \
>  		      \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
>  		      done 2> /dev/null | \
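Review bot: The find expression on the two context lines after the changed `sh -c "find $pattern"` — the `-fstype` prune, the `-wholename` prune and `-print` — is no longer passed to find: `sh -c` treats every argument after the command string as `$0`, `$1`, … of the child shell, so what actually runs is a bare `find $pattern`, which walks every filesystem type and the directories that were meant to be excluded. The whole expression needs to be inside the command string, i.e. `sh -c "find $pattern ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print"`, or the terms have to be forwarded explicitly. Note also that `$pattern` is now parsed a second time by the child shell, so any shell metacharacters in a file_contexts entry are interpreted, not just passed to find; since file_contexts is policy-controlled this is a robustness rather than an input-trust issue, but it is the reason the error output is sent to /dev/null and deserves a comment. The pipeline this loop belongs to begins outside the hunk.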
> @@ -108,6 +108,7 @@
>  
>  rpmlist() {
>  rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
> +[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
>  }
>  
>  # 
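Review bot: After the added line, rpmlist's exit status is that of `[ ... ] && echo`, which is 1 when the package was found (the test fails) and 0 when it was not found (echo succeeds) — inverted relative to what a caller checking the function's status would expect; whether any caller does so is not visible here. Writing it as `if [ "${PIPESTATUS[0]}" != 0 ]; then echo "$1 not found" >&2; fi` avoids the inverted status, and `>&2` duplicates the existing descriptor instead of reopening `/dev/stderr`, which can fail where that device node is absent or not writable. The same line appears in the unquoted copy of this hunk earlier on the page.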
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.22/scripts/genhomedircon
> --- nsapolicycoreutils/scripts/genhomedircon	2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/genhomedircon	2007-08-01 16:03:41.000000000 -0400
> @@ -139,7 +139,22 @@
>  		self.default_user = "user_u"
>  		self.default_prefix = "user"
>  		self.users = self.getUsers()
> +		fd = open(self.getFileContextFile())
> +		self.fclines=[]
> +		for i in fd.readlines():
> +		    try:
> +			    regex = i.split()[0]
> +			    #match a trailing .+
> +			    regex = re.sub("\.+$", "", regex)
> +			    regex = re.sub("\.\*$", "", regex)
> +			    regex = re.sub("\(\/\.\*\)\?", "", regex)
> +			    regex = regex + "/*$"
> +			    self.fclines.append(re.compile(regex))
> +		    except:
> +			    continue
>  
> +		fd.close()
> +		
>  	def getFileContextDir(self):
>  		return self.selinuxdir+self.type+self.filecontextdir
>  
> @@ -289,20 +304,9 @@
>  		return ret+"\n"
>  
>  	def checkExists(self, home):
> -		fd = open(self.getFileContextFile())
> -		for i in  fd.readlines():
> -                    if len(i) == 0:
> -			    continue
> +		for i in self.fclines:
>  		    try:
> -			    regex = i.split()[0]
> -			    #match a trailing .+
> -			    regex = re.sub("\.+$", "", regex)
> -			    regex = re.sub("\.\*$", "", regex)
> -			    #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
> -			    
> -			    regex = re.sub("\(\/\.\*\)\?", "", regex)
> -			    regex = regex + "/*$"
> -			    if re.search(regex,home, 0):
> +			    if i.match(home):
>  				    return 1
>  		    except:
>  			    continue
> diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.22/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage	2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/semanage/semanage	2007-07-31 15:45:57.000000000 -0400
> @@ -34,7 +34,10 @@
>  sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
>  
>  try:
> -       gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
> +       gettext.install(PROGNAME,
> +                       localedir="/usr/share/locale",
> +                       unicode=False,
> +                       codeset = 'utf-8')
>  except IOError:
>         import __builtin__
>         __builtin__.__dict__['_'] = unicode
>  			
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

