* setools is still broken in rawhide.
From: Daniel J Walsh @ 2008-02-02 4:35 UTC
To: Christopher J. PeBenito, SE Linux
This patch fixes two functions in libqpol/util.c
is_binpol_valid should return true if the policy version is greater than
or equal to the policy installed in the kernel.
search_binary_policy_file should return 0 on success, meaning it found a policy,
and return 1 if the return code is < 0;
Making these changes allows seinfo and sesearch to find policy.22 on a
machine running policy.21
Attachment: setools-3.3.2-validpol.patch
diff -up setools-3.3.2/libqpol/src/util.c.validpol setools-3.3.2/libqpol/src/util.c
--- setools-3.3.2/libqpol/src/util.c.validpol 2008-02-01 23:28:54.000000000 -0500
+++ setools-3.3.2/libqpol/src/util.c 2008-02-01 23:28:58.000000000 -0500
@@ -74,7 +74,7 @@ static int is_binpol_valid(const char *p
}
ret_version = qpol_binpol_version(policy_fp);
fclose(policy_fp);
- return (ret_version == version);
+ return (ret_version >= version);
}
static int search_for_policyfile_with_ver(const char *binary_path, const int version, char **path)
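Review bot: changing `return (ret_version == version);` to `>=` silently widens what is_binpol_valid accepts: the function is used by search_for_policyfile_with_ver as an exact-match assertion, so with `>=` a search for version 21 now accepts policy.22, a file the running kernel would only load by downgrading it. If a close-enough match is wanted, make it an explicit mode chosen by the caller (the thread later proposes an --exact switch) and keep the exact predicate as the default; also add a comment above the function stating the new semantics, since the name no longer describes what it checks.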
@@ -198,7 +198,7 @@ static int search_binary_policy_file(cha
}
free(*path);
if ((rt = search_for_policyfile_with_ver(bin_path, current_version, path)) != 0) {
- return rt;
+ return rt < 0;
}
#endif
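Review bot: `return rt < 0;` collapses the three-way result of search_for_policyfile_with_ver: a negative error becomes 1 and a positive not-found becomes 0, so a caller sees success although no policy was located, while the path freed at the top of the hunk (`free(*path);`) has not visibly been reassigned. Callers use the sign to tell "no default policy" from "search could not be completed", so keep `return rt;` and address the version match in the helper instead, or return a distinct non-zero code for each case rather than inverting the convention.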
* Re: setools is still broken in rawhide.
From: Jeremy A. Mowery @ 2008-02-04 15:34 UTC
To: Daniel J Walsh, SE Linux; +Cc: Christopher J. PeBenito, setools
On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
> This patch fixes two functions in libqpol/util.c
>
> is_binpol_valid should return true if the policy version is greater than
> or equal to the policy installed in the kernel.
>
This function is used to assert that the version of the policy matches
the version for which we were looking. The name may be a bit misleading;
previous versions had more complex validation logic we no longer need
as this logic already exists in libsepol.
> search_binary_policy_file
>
> Should return 0 on success, meaning it found a policy.
>
> And return 1 if the return code is < 0;
This change would prevent tools from handling errors in policy searching
correctly; the difference in a negative and positive return code is
used to distinguish the case where a default policy could not be found
and the case where searching for the policy could not be completed.
>
>
>
> Making these changes allows seinfo and sesearch to find policy.22 on a
> machine running policy.21
>
This is intentionally not done. If the system cannot load a version 22 policy,
SETools will only search for a policy of version 21 or less. SETools
intentionally does not use the policy downgrade code when loading policies;
this would break the assertion that the policy is analyzed "as is" and not
altered by the libraries.
Jeremy A. Mowery
Tresys Technology
410-290-1411 x148
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley @ 2008-02-04 16:00 UTC
To: Jeremy A. Mowery
Cc: Daniel J Walsh, SE Linux, Christopher J. PeBenito, setools
On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
> > This patch fixes two functions in libqpol/util.c
> >
> > is_binpol_valid should return true if the policy version is greater than
> > or equal to the policy installed in the kernel.
> >
>
> This function is used to assert that the version of the policy matches
> the version for which we were looking. The name may be a bit misleading;
> previous versions had more complex validation logic we no longer need
> as this logic already exists in libsepol.
>
> > search_binary_policy_file
> >
> > Should return 0 on success, meaning it found a policy.
> >
> > And return 1 if the return code is < 0;
>
> This change would prevent tools from handling errors in policy searching
> correctly; the difference in a negative and positive return code is
> used to distinguish the case where a default policy could not be found
> and the case where searching for the policy could not be completed.
> >
> >
> >
> > Making these changes allows seinfo and sesearch to find policy.22 on a
> > machine running policy.21
> >
>
> This is intentionally not done. If the system cannot load a version 22 policy,
> SETools will only search for a policy of version 21 or less. SETools
> intentionally does not use the policy downgrade code when loading policies;
> this would break the assertion that the policy is analyzed "as is" and not
> altered by the libraries.
Doesn't that mean that users won't be able to use setools on systems
where the kernel supports an older policy version than the userland,
since libsemanage only generates the latest policy version supported by
the toolchain? There will be no policy.21 file around to analyze.
--
Stephen Smalley
National Security Agency
From: Daniel J Walsh @ 2008-02-04 16:01 UTC
To: Jeremy A. Mowery; +Cc: SE Linux, Christopher J. PeBenito, setools
Jeremy A. Mowery wrote:
> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
>> This patch fixes two functions in libqpol/util.c
>>
>> is_binpol_valid should return true if the policy version is greater than
>> or equal to the policy installed in the kernel.
>>
>
> This function is used to assert that the version of the policy matches
> the version for which we were looking. The name may be a bit misleading;
> previous versions had more complex validation logic we no longer need
> as this logic already exists in libsepol.
>
>> search_binary_policy_file
>>
>> Should return 0 on success, meaning it found a policy.
>>
>> And return 1 if the return code is < 0;
>
> This change would prevent tools from handling errors in policy searching
> correctly; the difference in a negative and positive return code is
> used to distinguish the case where a default policy could not be found
> and the case where searching for the policy could not be completed.
>>
>>
>> Making these changes allows seinfo and sesearch to find policy.22 on a
>> machine running policy.21
>>
>
> This is intentionally not done. If the system cannot load a version 22 policy,
> SETools will only search for a policy of version 21 or less. SETools
> intentionally does not use the policy downgrade code when loading policies;
> this would break the assertion that the policy is analyzed "as is" and not
> altered by the libraries.
>
>
> Jeremy A. Mowery
> Tresys Technology
> 410-290-1411 x148
So when we have a legitimate case like we have now, the user is out of
luck. There should be an option that says I want an exact match, or the
default to search for a close enough match. Tools are starting to use
seinfo/sesearch and we give this to users as a way to examine policy.
Why sacrifice usability for the goal of having an exact match? My fix
might not be correct but sesearch/seinfo have got to work in the
situation where the kernel has downgraded the policy.
From: Jeremy A. Mowery @ 2008-02-04 18:19 UTC
To: Stephen Smalley
Cc: Daniel J Walsh, SE Linux, Christopher J. PeBenito, setools
On Monday 04 February 2008 11:00:04 Stephen Smalley wrote:
>
> On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
> > On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
> > > This patch fixes two functions in libqpol/util.c
> > >
> > > is_binpol_valid should return true if the policy version is greater than
> > > or equal to the policy installed in the kernel.
> > >
> >
> > This function is used to assert that the version of the policy matches
> > the version for which we were looking. The name may be a bit misleading;
> > previous versions had more complex validation logic we no longer need
> > as this logic already exists in libsepol.
> >
> > > search_binary_policy_file
> > >
> > > Should return 0 on success, meaning it found a policy.
> > >
> > > And return 1 if the return code is < 0;
> >
> > This change would prevent tools from handling errors in policy searching
> > correctly; the difference in a negative and positive return code is
> > used to distinguish the case where a default policy could not be found
> > and the case where searching for the policy could not be completed.
> > >
> > >
> > >
> > > Making these changes allows seinfo and sesearch to find policy.22 on a
> > > machine running policy.21
> > >
> >
> > This is intentionally not done. If the system cannot load a version 22 policy,
> > SETools will only search for a policy of version 21 or less. SETools
> > intentionally does not use the policy downgrade code when loading policies;
> > this would break the assertion that the policy is analyzed "as is" and not
> > altered by the libraries.
>
> Doesn't that mean that users won't be able to use setools on systems
> where the kernel supports an older policy version than the userland,
> since libsemanage only generates the latest policy version supported by
> the toolchain? There will be no policy.21 file around to analyze.
>
This means the user will have to specify the policy to load rather than
rely on the auto-detect feature in this case. If libsepol can load the policy,
the tools can read it; the tools will not, however, downgrade it.
Jeremy A. Mowery
Tresys Technology
410-290-1411 x148
From: Daniel J Walsh @ 2008-02-04 18:55 UTC
To: Jeremy A. Mowery
Cc: Stephen Smalley, SE Linux, Christopher J. PeBenito, setools
Jeremy A. Mowery wrote:
> On Monday 04 February 2008 11:00:04 Stephen Smalley wrote:
>> On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
>>> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
>>>> This patch fixes two functions in libqpol/util.c
>>>>
>>>> is_binpol_valid should return true if the policy version is greater than
>>>> or equal to the policy installed in the kernel.
>>>>
>>> This function is used to assert that the version of the policy matches
>>> the version for which we were looking. The name may be a bit misleading;
>>> previous versions had more complex validation logic we no longer need
>>> as this logic already exists in libsepol.
>>>
>>>> search_binary_policy_file
>>>>
>>>> Should return 0 on success, meaning it found a policy.
>>>>
>>>> And return 1 if the return code is < 0;
>>> This change would prevent tools from handling errors in policy searching
>>> correctly; the difference in a negative and positive return code is
>>> used to distinguish the case where a default policy could not be found
>>> and the case where searching for the policy could not be completed.
>>>>
>>>>
>>>> Making these changes allows seinfo and sesearch to find policy.22 on a
>>>> machine running policy.21
>>>>
>>> This is intentionally not done. If the system cannot load a version 22 policy,
>>> SETools will only search for a policy of version 21 or less. SETools
>>> intentionally does not use the policy downgrade code when loading policies;
>>> this would break the assertion that the policy is analyzed "as is" and not
>>> altered by the libraries.
>> Doesn't that mean that users won't be able to use setools on systems
>> where the kernel supports an older policy version than the userland,
>> since libsemanage only generates the latest policy version supported by
>> the toolchain? There will be no policy.21 file around to analyze.
>>
>
> This means the user will have to specify the policy to load rather than
> rely on the auto-detect feature in this case. If libsepol can load the policy,
> the tools can read it; the tools will not, however, downgrade it.
>
> Jeremy A. Mowery
> Tresys Technology
> 410-290-1411 x148
Then this is unacceptable from a usability point of view. If you expect
your tools to be used then you cannot rely on the user having to figure
out why they are broken. And they are broken. seinfo and sesearch are
tools used to analyze the "default policy":
man seinfo
...
If no policy file is provided, seinfo will search for the system
default policy: checking first for a source policy, next for a binary
policy matching the running kernel's preferred version, and finally for
the highest version that can be found. If no policy can be found,
seinfo will print an error message and exit.
So the tool better find the same policy that the kernel/init found. If
you force me to carry a patch, we will, but I think this is
unreasonable. These tools are being used by people who barely
understand SELinux and forcing them to search for a path like
/etc/selinux/targeted/policy/policy.22 is wrong. Also you will force
other tools like system-config-selinux to build in the smarts to figure
out what policy is used.
From: Stephen Smalley @ 2008-02-04 20:32 UTC
To: Jeremy A. Mowery
Cc: Daniel J Walsh, SE Linux, Christopher J. PeBenito, setools
On Mon, 2008-02-04 at 13:19 -0500, Jeremy A. Mowery wrote:
> On Monday 04 February 2008 11:00:04 Stephen Smalley wrote:
> >
> > On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
> > > On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
> > > > This patch fixes two functions in libqpol/util.c
> > > >
> > > > is_binpol_valid should return true if the policy version is greater than
> > > > or equal to the policy installed in the kernel.
> > > >
> > >
> > > This function is used to assert that the version of the policy matches
> > > the version for which we were looking. The name may be a bit misleading;
> > > previous versions had more complex validation logic we no longer need
> > > as this logic already exists in libsepol.
> > >
> > > > search_binary_policy_file
> > > >
> > > > Should return 0 on success, meaning it found a policy.
> > > >
> > > > And return 1 if the return code is < 0;
> > >
> > > This change would prevent tools from handling errors in policy searching
> > > correctly; the difference in a negative and positive return code is
> > > used to distinguish the case where a default policy could not be found
> > > and the case where searching for the policy could not be completed.
> > > >
> > > >
> > > >
> > > > Making these changes allows seinfo and sesearch to find policy.22 on a
> > > > machine running policy.21
> > > >
> > >
> > > This is intentionally not done. If the system cannot load a version 22 policy,
> > > SETools will only search for a policy of version 21 or less. SETools
> > > intentionally does not use the policy downgrade code when loading policies;
> > > this would break the assertion that the policy is analyzed "as is" and not
> > > altered by the libraries.
> >
> > Doesn't that mean that users won't be able to use setools on systems
> > where the kernel supports an older policy version than the userland,
> > since libsemanage only generates the latest policy version supported by
> > the toolchain? There will be no policy.21 file around to analyze.
> >
>
> This means the user will have to specify the policy to load rather than
> rely on the auto-detect feature in this case. If libsepol can load the policy,
> the tools can read it; the tools will not, however, downgrade it.
Seems like a usability problem. You can always warn the user that you
had to downgrade the policy if you like.
If you are more generally against the notion of libselinux downgrading
policies at load time (as that will soon be the only remaining mutation
of policy at load time - with managed policy handling booleans and
users, and preservebools support now in the kernel), then we should have
a separate discussion of how libsemanage and libselinux should work in a
way that preserves compatibility as people update kernels and userland.
--
Stephen Smalley
National Security Agency
From: Christopher J. PeBenito @ 2008-02-05 13:05 UTC
To: Daniel J Walsh; +Cc: Jeremy A. Mowery, Stephen Smalley, SE Linux, setools
On Mon, 2008-02-04 at 13:55 -0500, Daniel J Walsh wrote:
> Jeremy A. Mowery wrote:
> > On Monday 04 February 2008 11:00:04 Stephen Smalley wrote:
> >> On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
> >>> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
> >>>> This patch fixes two functions in libqpol/util.c
> >>>>
> >>>> is_binpol_valid should return true if the policy version is greater than
> >>>> or equal to the policy installed in the kernel.
> >>>>
> >>> This function is used to assert that the version of the policy matches
> >>> the version for which we were looking. The name may be a bit misleading;
> >>> previous versions had more complex validation logic we no longer need
> >>> as this logic already exists in libsepol.
> >>>
> >>>> search_binary_policy_file
> >>>>
> >>>> Should return 0 on success, meaning it found a policy.
> >>>>
> >>>> And return 1 if the return code is < 0;
> >>> This change would prevent tools from handling errors in policy searching
> >>> correctly; the difference in a negative and positive return code is
> >>> used to distinguish the case where a default policy could not be found
> >>> and the case where searching for the policy could not be completed.
> >>>>
> >>>>
> >>>> Making these changes allows seinfo and sesearch to find policy.22 on a
> >>>> machine running policy.21
> >>>>
> >>> This is intentionally not done. If the system cannot load a version 22 policy,
> >>> SETools will only search for a policy of version 21 or less. SETools
> >>> intentionally does not use the policy downgrade code when loading policies;
> >>> this would break the assertion that the policy is analyzed "as is" and not
> >>> altered by the libraries.
> >> Doesn't that mean that users won't be able to use setools on systems
> >> where the kernel supports an older policy version than the userland,
> >> since libsemanage only generates the latest policy version supported by
> >> the toolchain? There will be no policy.21 file around to analyze.
> >
> > This means the user will have to specify the policy to load rather than
> > rely on the auto-detect feature in this case. If libsepol can load the policy,
> > the tools can read it; the tools will not, however, downgrade it.
> >
> Then this is unacceptable from a usability point of view. If you expect
> your tools to be used then you can not rely on the user having to figure
> out why they are broken. And they are broken. seinfo and sesearch are
> tools used to analyze the "default policy"
A valid criticism. It would be better to have the current behavior for
tools oriented towards analysts and the above behavior for the command
line tools, but the fact is that SETools design doesn't currently allow
it both ways since the policy loading is the same function across all
the tools.
> man seinfo
[...]
Looks like this needs to be updated.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
From: Daniel J Walsh @ 2008-02-05 13:26 UTC
To: Christopher J. PeBenito
Cc: Jeremy A. Mowery, Stephen Smalley, SE Linux, setools
Christopher J. PeBenito wrote:
> On Mon, 2008-02-04 at 13:55 -0500, Daniel J Walsh wrote:
>> Jeremy A. Mowery wrote:
>>> On Monday 04 February 2008 11:00:04 Stephen Smalley wrote:
>>>> On Mon, 2008-02-04 at 10:34 -0500, Jeremy A. Mowery wrote:
>>>>> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
>>>>>> This patch fixes two functions in libqpol/util.c
>>>>>>
>>>>>> is_binpol_valid should return true if the policy version is greater than
>>>>>> or equal to the policy installed in the kernel.
>>>>>>
>>>>> This function is used to assert that the version of the policy matches
>>>>> the version for which we were looking. The name may be a bit misleading;
>>>>> previous versions had more complex validation logic we no longer need
>>>>> as this logic already exists in libsepol.
>>>>>
>>>>>> search_binary_policy_file
>>>>>>
>>>>>> Should return 0 on success, meaning it found a policy.
>>>>>>
>>>>>> And return 1 if the return code is < 0;
>>>>> This change would prevent tools from handling errors in policy searching
>>>>> correctly; the difference in a negative and positive return code is
>>>>> used to distinguish the case where a default policy could not be found
>>>>> and the case where searching for the policy could not be completed.
>>>>>>
>>>>>> Making these changes allows seinfo and sesearch to find policy.22 on a
>>>>>> machine running policy.21
>>>>>>
>>>>> This is intentionally not done. If the system cannot load a version 22 policy,
>>>>> SETools will only search for a policy of version 21 or less. SETools
>>>>> intentionally does not use the policy downgrade code when loading policies;
>>>>> this would break the assertion that the policy is analyzed "as is" and not
>>>>> altered by the libraries.
>>>> Doesn't that mean that users won't be able to use setools on systems
>>>> where the kernel supports an older policy version than the userland,
>>>> since libsemanage only generates the latest policy version supported by
>>>> the toolchain? There will be no policy.21 file around to analyze.
>>> This means the user will have to specify the policy to load rather than
>>> rely on the auto-detect feature in this case. If libsepol can load the policy,
>>> the tools can read it; the tools will not, however, downgrade it.
>>>
>> Then this is unacceptable from a usability point of view. If you expect
>> your tools to be used then you can not rely on the user having to figure
>> out why they are broken. And they are broken. seinfo and sesearch are
>> tools used to analyze the "default policy"
>
> A valid criticism. It would be better to have the current behavior for
> tools oriented towards analysts and the above behavior for the command
> line tools, but the fact is that SETools design doesn't currently allow
> it both ways since the policy loading is the same function across all
> the tools.
>
>> man seinfo
> [...]
>
> Looks like this needs to be updated.
>
Then let's change the parameter, change the output to say something
warning the user that he is looking at a slightly different policy than
what is loaded in the kernel (which he really has no guarantee for).
And then the user can ignore it and get a pretty good approximation of
the info he needs. Right now we are failing for the minority of people,
who are paid to know the difference and read the warning message. I am
asking to change the defaults, and allow the user to specify --exact if
he cares.
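The exact-versus-closest policy search and the three-way return code argued over in this thread, as an added C example that is not SETools code: search_policy, the match modes, the in-memory candidate list and the max_loadable cut-off (the highest version libsepol is assumed to parse) are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct policy_candidate {
    const char *path;
    int version;   /* version from the binary policy header; < 0 means it could not be read */
};

/* MATCH_EXACT: only the kernel's preferred version is acceptable.
 * MATCH_CLOSEST: fall back to the highest version the toolchain can load
 * and flag the mismatch so the caller can warn the user (Stephen's suggestion). */
enum match_mode { MATCH_EXACT, MATCH_CLOSEST };

/* Three-way result, the convention Jeremy says callers rely on:
 * 0 = a policy was found, > 0 = no suitable policy,
 * < 0 = the search itself could not be completed. */
enum { POLICY_FOUND = 0, POLICY_NOT_FOUND = 1, POLICY_ERROR = -1 };

/* Pick a policy from the constructed candidate list. Output pointers may be NULL. */
int search_policy(const struct policy_candidate *cands, size_t n,
                  int kernel_version, int max_loadable, enum match_mode mode,
                  const struct policy_candidate **chosen, int *mismatch)
{
    const struct policy_candidate *exact = NULL, *best = NULL;
    size_t i;

    if (cands == NULL || kernel_version <= 0 || max_loadable <= 0)
        return POLICY_ERROR;
    if (chosen) *chosen = NULL;
    if (mismatch) *mismatch = 0;

    for (i = 0; i < n; i++) {
        if (cands[i].version < 0)
            return POLICY_ERROR;            /* unreadable header: abort, do not guess */
        if (cands[i].version == kernel_version)
            exact = &cands[i];
        if (cands[i].version <= max_loadable &&
            (best == NULL || cands[i].version > best->version))
            best = &cands[i];               /* highest version the toolchain can parse */
    }

    if (exact == NULL && (mode == MATCH_EXACT || best == NULL))
        return POLICY_NOT_FOUND;

    if (chosen) *chosen = exact ? exact : best;
    if (mismatch) *mismatch = (exact == NULL);   /* analyzed policy differs from the kernel's */
    return POLICY_FOUND;
}

/* Constructed sample mirroring the Rawhide report: the kernel prefers
 * version 21, the toolchain writes and reads up to 22, and only
 * policy.22 exists on disk. */
static const struct policy_candidate rawhide_cands[] = {
    { "/etc/selinux/targeted/policy/policy.22", 22 },
};
/* Constructed sample for the error path: the file exists but its header could not be read. */
static const struct policy_candidate unreadable_cands[] = {
    { "/etc/selinux/targeted/policy/policy.22", -1 },
};

/* Run the Rawhide scenario in the given mode; path/mismatch receive the details. */
int rawhide_search(enum match_mode mode, int *mismatch, const char **path)
{
    const struct policy_candidate *chosen = NULL;
    int rc = search_policy(rawhide_cands, 1, 21, 22, mode, &chosen, mismatch);
    if (path) *path = chosen ? chosen->path : NULL;
    return rc;
}

/* Self-check: closest-match mode picks policy.22 and flags the version mismatch. */
int rawhide_closest_picks_policy22(void)
{
    int mismatch = 0;
    const char *path = NULL;
    if (rawhide_search(MATCH_CLOSEST, &mismatch, &path) != POLICY_FOUND)
        return 0;
    return mismatch == 1 && path != NULL &&
           strcmp(path, "/etc/selinux/targeted/policy/policy.22") == 0;
}

int main(void)
{
    int mismatch = 0;
    const char *path = NULL;
    int rc = rawhide_search(MATCH_EXACT, &mismatch, &path);
    printf("exact:   rc=%d path=%s\n", rc, path ? path : "(none)");
    rc = rawhide_search(MATCH_CLOSEST, &mismatch, &path);
    printf("closest: rc=%d path=%s%s\n", rc, path ? path : "(none)",
           mismatch ? " (warning: version differs from the kernel's preferred policy)" : "");
    return 0;
}
```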