In the midst of doing a conversion of audit2why to python

In the midst of doing a conversion of audit2why to python

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 682 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I want to make this code available to audit2why/audit2allow,
setroubleshoot and potentially system-config-selinux.

I have two questions,


Is there a way for audit2why to figure out whether an AVC would be
dontaudited by the current policy?

If we add audit2why python bindings should I put it in libselinux?
sepolgen?


Attached .h file describes functions and constants.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeDzlcACgkQrlYvE4MpobPCjwCgueX3P6iolC2wjwhRGoYRR5pT
S98An21rXxPf//hNoP1iDivDJw9AlhsL
=cTHu
-----END PGP SIGNATURE-----

[-- Attachment #2: audit2why.h --]
[-- Type: text/x-chdr, Size: 510 bytes --]

#include <selinux/selinux.h>
#define BADSCON -1
#define BADTCON -2
#define BADTCLASS -3
#define BADPERM -4
#define BADCOMPUTE -5
#define NOPOLICY -6
#define ALLOWED 0
#define TERULE 1
#define BOOLEAN 2
#define CONSTRAINT 3
#define RBAC 4

struct boolean_t {
	char *name;
	int active;
};

extern void policy_finish(void);
extern int policy_init(const char *init_path);
extern int audit2why(const security_context_t scon, const security_context_t tcon, char *tclassstr, char *permstr, struct boolean_t **bools);

[-- Attachment #3: audit2why.h.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]

Re: In the midst of doing a conversion of audit2why to python

[Stephen Smalley]

On Tue, 2008-01-08 at 14:26 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I want to make this code available to audit2why/audit2allow,
> setroubleshoot and potentially system-config-selinux.
> 
> I have two questions,
> 
> 
> Is there a way for audit2why to figure out whether an AVC would be
> dontaudited by the current policy?

The avd returned by sepol_compute_av_reason() includes all of the access
vectors.  avd.auditdeny is the set of permissions that would be audited
if denied, i.e. the complement of the dontaudit rules. Something like if
(~avd.auditdeny & av) then printf("would be dontaudit'd");

> If we add audit2why python bindings should I put it in libselinux?
> sepolgen?
> 
> 
> Attached .h file describes functions and constants.

I'm not sure what you are doing - auditwhy presently is a program that
links in the static libsepol, since the libsepol interfaces being used
by it are not provided by the shared libsepol (as they aren't properly
encapsulated).

> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkeDzlcACgkQrlYvE4MpobPCjwCgueX3P6iolC2wjwhRGoYRR5pT
> S98An21rXxPf//hNoP1iDivDJw9AlhsL
> =cTHu
> -----END PGP SIGNATURE-----
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: In the midst of doing a conversion of audit2why to python

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Tue, 2008-01-08 at 14:26 -0500, Daniel J Walsh wrote:
> I want to make this code available to audit2why/audit2allow,
> setroubleshoot and potentially system-config-selinux.
> 
> I have two questions,
> 
> 
> Is there a way for audit2why to figure out whether an AVC would be
> dontaudited by the current policy?
> 
>> The avd returned by sepol_compute_av_reason() includes all of the access
>> vectors.  avd.auditdeny is the set of permissions that would be audited
>> if denied, i.e. the complement of the dontaudit rules. Something like if
>> (~avd.auditdeny & av) then printf("would be dontaudit'd");
> 
> If we add audit2why python bindings should I put it in libselinux?
> sepolgen?
> 
> 
> Attached .h file describes functions and constants.
> 
>> I'm not sure what you are doing - auditwhy presently is a program that
>> links in the static libsepol, since the libsepol interfaces being used
>> by it are not provided by the shared libsepol (as they aren't properly
>> encapsulated).
> 
I want to be able to take an AVC message and tell why it happened.  I
want to do this by analyzing the online policy.  If a boolean exists
that would have allowed the behaviour I want to tell the user this.  I
also want to use the commands myself, to analyze multiple policies.
Tell me if this AVC effects RHEL5, FC7, FC8, Rawhide

I guess we can link against the libsepol.a file when building it.  I
don;t really care to use C against these functions, so making a C
Library interface is not that important to me.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeD46cACgkQrlYvE4MpobPmNACfaVVi6FqCApczQ+UvYDfvSAAD
O7cAniCzP9cmESmBGm9FXblXZXOOqYCW
=rlEW
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: In the midst of doing a conversion of audit2why to python

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Tue, 2008-01-08 at 14:26 -0500, Daniel J Walsh wrote:
> I want to make this code available to audit2why/audit2allow,
> setroubleshoot and potentially system-config-selinux.
> 
> I have two questions,
> 
> 
> Is there a way for audit2why to figure out whether an AVC would be
> dontaudited by the current policy?
> 
>> The avd returned by sepol_compute_av_reason() includes all of the access
>> vectors.  avd.auditdeny is the set of permissions that would be audited
>> if denied, i.e. the complement of the dontaudit rules. Something like if
>> (~avd.auditdeny & av) then printf("would be dontaudit'd");
> 
> If we add audit2why python bindings should I put it in libselinux?
> sepolgen?
> 
> 
> Attached .h file describes functions and constants.
> 
>> I'm not sure what you are doing - auditwhy presently is a program that
>> links in the static libsepol, since the libsepol interfaces being used
>> by it are not provided by the shared libsepol (as they aren't properly
>> encapsulated).
> 
What is the field 	sepol_access_vector_t decided;
used for?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeE+mUACgkQrlYvE4MpobPkWQCgp3+WVMNygNHiU64LRDFCT5NX
fzcAoJMxAFFyVivV9d8v7YjMrAPRDkdM
=/yN7
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: In the midst of doing a conversion of audit2why to python

[Stephen Smalley]

On Wed, 2008-01-09 at 11:46 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stephen Smalley wrote:
> > On Tue, 2008-01-08 at 14:26 -0500, Daniel J Walsh wrote:
> > I want to make this code available to audit2why/audit2allow,
> > setroubleshoot and potentially system-config-selinux.
> > 
> > I have two questions,
> > 
> > 
> > Is there a way for audit2why to figure out whether an AVC would be
> > dontaudited by the current policy?
> > 
> >> The avd returned by sepol_compute_av_reason() includes all of the access
> >> vectors.  avd.auditdeny is the set of permissions that would be audited
> >> if denied, i.e. the complement of the dontaudit rules. Something like if
> >> (~avd.auditdeny & av) then printf("would be dontaudit'd");
> > 
> > If we add audit2why python bindings should I put it in libselinux?
> > sepolgen?
> > 
> > 
> > Attached .h file describes functions and constants.
> > 
> >> I'm not sure what you are doing - auditwhy presently is a program that
> >> links in the static libsepol, since the libsepol interfaces being used
> >> by it are not provided by the shared libsepol (as they aren't properly
> >> encapsulated).
> > 
> What is the field 	sepol_access_vector_t decided;
> used for?

It indicates what permissions were computed/decided by the security
server.  It is always guaranteed to at least contain all of the
'requested' permissions passed into the compute_av call, but not
necessarily any others.  For your purposes, it shouldn't matter.  It is
there to support certain kinds of dynamic policies, not presently in use
by our existing security server.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.