From: Daniel J Walsh <dwalsh@redhat.com>
To: Eric Paris <eparis@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov,
	Karl MacMillan <kmacmillan@mentalrootkit.com>,
	Joshua Brindle <method@manicmethod.com>
Subject: Re: [PATCH] libsepol: support the handle_unknown config flag
Date: Tue, 18 Sep 2007 16:16:33 -0400	[thread overview]
Message-ID: <46F03221.30504@redhat.com> (raw)
In-Reply-To: <1190146280.3451.45.camel@localhost.localdomain>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric Paris wrote:
> On Tue, 2007-09-18 at 16:00 -0400, Stephen Smalley wrote:
>> On Thu, 2007-08-23 at 16:27 -0400, Stephen Smalley wrote:
>>> On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
>>>> Update the policydb definition to contain a handle_unknown flag.  Change
>>>> libsepol to copy the handle_unknown config flag from the base policy to
>>>> the final binary policy.  Also makes libsepol properly read and write
>>>> the flag when dealing with policy modules.
>>>>
>>>> Signed-off-by: Eric Paris <eparis@redhat.com>
>>> Here is a patch on top of yours that allows you to override the base
>>> module setting via semanage.conf, handle-unknown = [deny,reject,allow].
>> Need to make a final decision on this patch - benefit is that the end
>> user can alter the allow/reject/deny behavior for unknown classes/perms
>> without rebuilding their base module, which is also precisely what
>> worries people about it ;)  Could be used by a user to select deny or
>> reject if the distro defaults to allow (e.g. Fedora) for the purpose of
>> "tightening" the system or to select allow if the distro defaults to
>> deny or reject for the purpose of relaxing the system.
> 
> I vote 'yeah' and lets make sure the kernel audits the message
> correctly.  If the certification types really feel we need an old and
> new value (still this is at policy load time) I'm sure I can find some
> way to do it.
> 
> -Eric
>>> ---
>>>
>>>  libsemanage/src/conf-parse.y               |   35 ++++++++++++++++++++---------
>>>  libsemanage/src/conf-scan.l                |    1 
>>>  libsemanage/src/semanage_conf.h            |    1 
>>>  libsemanage/src/semanage_store.c           |    2 +
>>>  libsepol/include/sepol/policydb.h          |    7 +++++
>>>  libsepol/include/sepol/policydb/policydb.h |    6 ++--
>>>  libsepol/src/policydb_public.c             |   18 ++++++++++++++
>>>  7 files changed, 57 insertions(+), 13 deletions(-)
>>>
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-parse.y trunk/libsemanage/src/conf-parse.y
>>> --- eric/libsemanage/src/conf-parse.y	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/conf-parse.y	2007-08-23 16:03:20.000000000 -0400
>>> @@ -57,7 +57,7 @@
>>>  }
>>>  
>>>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
>>> -%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
>>> +%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
>>>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>>>  %token PROG_PATH PROG_ARGS
>>>  %token <s> ARG
>>> @@ -81,6 +81,7 @@
>>>          |       save_previous
>>>          |       save_linked
>>>          |       disable_genhomedircon
>>> +        |       handle_unknown
>>>          ;
>>>  
>>>  module_store:   MODULE_STORE '=' ARG {
>>> @@ -139,15 +140,28 @@
>>>          ;
>>>  
>>>  disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
>>> -								if (strcasecmp($3, "false") == 0) {
>>> -										current_conf->disable_genhomedircon = 0;
>>> -									} else if (strcasecmp($3, "true") == 0) {
>>> -										current_conf->disable_genhomedircon = 1;
>>> -									} else {
>>> -										yyerror("disable-genhomedircon can only be 'true' or 'false'");
>>> -									}
>>> -									free($3);
>>> -					  }
>>> +	if (strcasecmp($3, "false") == 0) {
>>> +		current_conf->disable_genhomedircon = 0;
>>> +	} else if (strcasecmp($3, "true") == 0) {
>>> +		current_conf->disable_genhomedircon = 1;
>>> +	} else {
>>> +		yyerror("disable-genhomedircon can only be 'true' or 'false'");
>>> +	}
>>> +	free($3);
>>> + }
>>> +
>>> +handle_unknown: HANDLE_UNKNOWN '=' ARG {
>>> +	if (strcasecmp($3, "deny") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
>>> +	} else if (strcasecmp($3, "reject") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
>>> +	} else if (strcasecmp($3, "allow") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
>>> +	} else {
>>> +		yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
>>> +	}
>>> +	free($3);
>>> + }
>>>  
>>>  command_block: 
>>>                  command_start external_opts BLOCK_END  {
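Review bot: The `handle_unknown` action is the only functional change in this hunk, but it is interleaved with a whitespace-only reindent of the `disable_genhomedircon` action, which makes the new rule harder to review and to blame later; the reindent belongs in a separate cleanup patch. The new rule itself follows the existing `disable_genhomedircon` shape (strcasecmp on `$3`, `yyerror` on an unrecognized value, `free($3)`), which is consistent with the file. On an unrecognized value `current_conf->handle_unknown` is left untouched, presumably at the -1 default set elsewhere in this patch, so the override is simply not applied; that is acceptable only if `yyerror` aborts the parse, which this hunk does not show.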
>>> @@ -214,6 +228,7 @@
>>>  	conf->store_path = strdup(basename(selinux_policy_root()));
>>>  	conf->policyvers = sepol_policy_kern_vers_max();
>>>  	conf->expand_check = 1;
>>> +	conf->handle_unknown = -1;
>>>  	conf->file_mode = 0644;
>>>  
>>>  	conf->save_previous = 0;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-scan.l trunk/libsemanage/src/conf-scan.l
>>> --- eric/libsemanage/src/conf-scan.l	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/conf-scan.l	2007-08-23 15:53:28.000000000 -0400
>>> @@ -45,6 +45,7 @@
>>>  save-previous     return SAVE_PREVIOUS;
>>>  save-linked       return SAVE_LINKED;
>>>  disable-genhomedircon return DISABLE_GENHOMEDIRCON;
>>> +handle-unknown    return HANDLE_UNKNOWN;
>>>  "[load_policy]"   return LOAD_POLICY_START;
>>>  "[setfiles]"      return SETFILES_START;
>>>  "[verify module]" return VERIFY_MOD_START;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_conf.h trunk/libsemanage/src/semanage_conf.h
>>> --- eric/libsemanage/src/semanage_conf.h	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/semanage_conf.h	2007-08-23 15:53:53.000000000 -0400
>>> @@ -38,6 +38,7 @@
>>>  	int save_previous;
>>>  	int save_linked;
>>>  	int disable_genhomedircon;
>>> +	int handle_unknown;
>>>  	mode_t file_mode;
>>>  	struct external_prog *load_policy;
>>>  	struct external_prog *setfiles;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.c
>>> --- eric/libsemanage/src/semanage_store.c	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/semanage_store.c	2007-08-23 16:21:53.000000000 -0400
>>> @@ -1619,6 +1619,8 @@
>>>  		ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
>>>  		goto err;
>>>  	}
>>> +	if (sh->conf->handle_unknown >= 0)
>>> +		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
>>>  
>>>  	*policydb = out;
>>>  	return STATUS_SUCCESS;
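Review bot: The return value of `sepol_policydb_set_handle_unknown()` is discarded on the added call, so a value it rejects (it returns -1 for anything other than the three `SEPOL_*_UNKNOWN` constants) leaves `out` carrying the base module's setting with no diagnostic. Every other failure in this function reports through `ERR()` and jumps to `err`, and the override should do the same: `if (sh->conf->handle_unknown >= 0 && sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown) < 0) { ERR(sh, "Invalid handle-unknown setting in configuration."); goto err; }`. Separately, the cover letter says libsepol copies `handle_unknown` from the base policy into the final binary policy; if that copy happens during a later link or expand step on `out`, the setting applied here would be overwritten, so the ordering is worth confirming. The enclosing function starts and ends outside the hunk.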
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/include/sepol/policydb/policydb.h
>>> --- eric/libsepol/include/sepol/policydb/policydb.h	2007-08-23 16:11:32.000000000 -0400
>>> +++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-08-23 15:36:06.000000000 -0400
>>> @@ -602,9 +602,9 @@
>>>  #define POLICYDB_CONFIG_MLS    1
>>>  
>>>  /* the config flags related to unknown classes/perms are bits 2 and 3 */
>>> -#define DENY_UNKNOWN	0x00000000
>>> -#define REJECT_UNKNOWN	0x00000002
>>> -#define ALLOW_UNKNOWN 	0x00000004
>>> +#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
>>> +#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
>>> +#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
>>>  
>>>  #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
>>>  
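Review bot: The redefined `DENY_UNKNOWN`, `REJECT_UNKNOWN` and `ALLOW_UNKNOWN` macros now expand to `SEPOL_*_UNKNOWN`, which this patch defines in the public `sepol/policydb.h`, but the hunk does not show that header being included here; a translation unit that includes `sepol/policydb/policydb.h` on its own would then fail at the first use of `POLICYDB_CONFIG_UNKNOWN_MASK`. If the include is not already present in the full file, add `#include <sepol/policydb.h>` to this header, or keep the numeric literals here and define the public `SEPOL_*` constants in terms of them so the internal header has no dependency on the public one. Worth checking against the full header before merging.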
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb.h trunk/libsepol/include/sepol/policydb.h
>>> --- eric/libsepol/include/sepol/policydb.h	2007-08-23 16:11:04.000000000 -0400
>>> +++ trunk/libsepol/include/sepol/policydb.h	2007-08-23 16:27:02.000000000 -0400
>>> @@ -83,6 +83,13 @@
>>>   */
>>>  extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
>>>  
>>> +/* Set how to handle unknown class/perms. */
>>> +#define SEPOL_DENY_UNKNOWN	    0
>>> +#define SEPOL_REJECT_UNKNOWN	    2
>>> +#define SEPOL_ALLOW_UNKNOWN	    4
>>> +extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
>>> +					     unsigned int handle_unknown);
>>> +
>>>  /* 
>>>   * Read a policydb from a policy file.
>>>   * This automatically sets the type and version based on the 
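Review bot: The one-line comment `/* Set how to handle unknown class/perms. */` on the new prototype does not state the accepted values or the return convention, while the neighbouring declarations in this header carry fuller block comments. Suggest expanding it to say that `handle_unknown` must be one of `SEPOL_DENY_UNKNOWN`, `SEPOL_REJECT_UNKNOWN` or `SEPOL_ALLOW_UNKNOWN`, and that the function returns 0 on success and -1 when the value is not one of those; both facts are visible in the implementation added to `policydb_public.c` in this patch. It would also help callers to note that the three values are not bit flags to be combined, since the implementation rejects any other value.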
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/src/policydb_public.c trunk/libsepol/src/policydb_public.c
>>> --- eric/libsepol/src/policydb_public.c	2007-08-23 16:11:04.000000000 -0400
>>> +++ trunk/libsepol/src/policydb_public.c	2007-08-23 16:27:40.000000000 -0400
>>> @@ -134,6 +134,24 @@
>>>  	return 0;
>>>  }
>>>  
>>> +int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
>>> +				      unsigned int handle_unknown)
>>> +{
>>> +	struct policydb *p = &sp->p;
>>> +
>>> +	switch (handle_unknown) {
>>> +	case SEPOL_DENY_UNKNOWN:
>>> +	case SEPOL_REJECT_UNKNOWN:
>>> +	case SEPOL_ALLOW_UNKNOWN:
>>> +		break;
>>> +	default:
>>> +		return -1;
>>> +	}
>>> +
>>> +	p->handle_unknown = handle_unknown;		
>>> +	return 0;
>>> +}
>>> +
>>>  int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
>>>  {
>>>  	return policydb_read(&p->p, &pf->pf, 0);
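Review bot: The assignment `p->handle_unknown = handle_unknown;` carries trailing tabs, which whitespace checkers flag and which will reappear as noise in the next cleanup; strip them before committing. The switch that rejects anything but the three `SEPOL_*_UNKNOWN` values is the right place for validation, since it keeps bits other than 2 and 3 (per the comment in `policydb/policydb.h`) out of the stored setting. The type of `p->handle_unknown` is not visible here; if it is signed, storing the `unsigned int` parameter into it is a silent conversion that `-Wconversion` will report, so matching the field type to the parameter would be cleaner.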
>>>
> 

I doubt anyone would ever change it, like just about everything else in
this file.  So put me in the abstain category.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG8DIhrlYvE4MpobMRAsTQAJoDQU2woPDp1/QImyzoqAKdGutp3ACgn84D
1yHcqUySRzqb9JRTqsbvow0=
=6ZZI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
