* roles in base module
@ 2008-05-06 22:21 Martin Orr
From: Martin Orr @ 2008-05-06 22:21 UTC (permalink / raw)
  To: SELinux List


Should I be able to build trunk refpolicy with the user roles included in
the base module?  I can build it with the roles as modules, but if I try
building them into base I get
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
libsepol.expand_module: Error while indexing out symbols
/usr/bin/checkmodule:  expand module failed

I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
attached the modules.conf I am using, which seems to be the minimum number
of things I need to build in to be able to build in roles.

-- 
Martin Orr

[-- Attachment #2: modules.conf --]
[-- Type: text/plain, Size: 24813 bytes --]

#
# This file contains a listing of available modules.
# To prevent a module from  being used in policy
# creation, set the module name to "off".
#
# For monolithic policies, modules set to "base" and "module"
# will be built into the policy.
#
# For modular policies, modules set to "base" will be
# included in the base module.  "module" will be compiled
# as individual loadable modules.
#

# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
# 
corecommands = base

# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
# 
corenetwork = base

# Layer: kernel
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
# 
devices = base

# Layer: kernel
# Module: domain
# Required in base
#
# Core policy for domains.
# 
domain = base

# Layer: kernel
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
# 
files = base

# Layer: kernel
# Module: filesystem
# Required in base
#
# Policy for filesystems.
# 
filesystem = base

# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,
# and unlabeled processes and objects.
# 
kernel = base

# Layer: kernel
# Module: mcs
# Required in base
#
# Multicategory security policy
# 
mcs = base

# Layer: kernel
# Module: mls
# Required in base
#
# Multilevel security policy
# 
mls = base

# Layer: kernel
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
# 
selinux = base

# Layer: kernel
# Module: terminal
# Required in base
#
# Policy for terminals.
# 
terminal = base

# Layer: admin
# Module: acct
#
# Berkeley process accounting
# 
acct = module

# Layer: admin
# Module: alsa
#
# Ainit ALSA configuration tool
# 
alsa = module

# Layer: admin
# Module: amanda
#
# Automated backup program.
# 
amanda = module

# Layer: admin
# Module: amtu
#
# Abstract Machine Test Utility
# 
amtu = module

# Layer: admin
# Module: anaconda
#
# Policy for the Anaconda installer.
# 
anaconda = module

# Layer: admin
# Module: apt
#
# APT advanced package tool.
# 
apt = module

# Layer: admin
# Module: backup
#
# System backup scripts
# 
backup = module

# Layer: admin
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
# 
bootloader = module

# Layer: admin
# Module: brctl
#
# Utilities for configuring the linux ethernet bridge
# 
brctl = module

# Layer: admin
# Module: certwatch
#
# Digital Certificate Tracking
# 
certwatch = module

# Layer: admin
# Module: consoletype
#
# Determine the type of console connected to the controlling terminal.
# 
consoletype = module

# Layer: admin
# Module: ddcprobe
#
# ddcprobe retrieves monitor and graphics card information
# 
ddcprobe = module

# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
# 
dmesg = module

# Layer: admin
# Module: dmidecode
#
# Decode DMI data for x86/ia64 bioses.
# 
dmidecode = module

# Layer: admin
# Module: dpkg
#
# Policy for the Debian package manager.
# 
dpkg = module

# Layer: admin
# Module: firstboot
#
# Final system configuration run during the first boot
# after installation of Red Hat/Fedora systems.
# 
firstboot = module

# Layer: admin
# Module: kudzu
#
# Hardware detection and configuration tools
# 
kudzu = module

# Layer: admin
# Module: logrotate
#
# Rotate and archive system logs
# 
logrotate = module

# Layer: admin
# Module: logwatch
#
# System log analyzer and reporter
# 
logwatch = module

# Layer: admin
# Module: mrtg
#
# Network traffic graphing
# 
mrtg = module

# Layer: admin
# Module: netutils
#
# Network analysis utilities
# 
netutils = module

# Layer: admin
# Module: portage
#
# Portage Package Management System. The primary package management and
# distribution system for Gentoo.
# 
portage = module

# Layer: admin
# Module: prelink
#
# Prelink ELF shared library mappings.
# 
prelink = module

# Layer: admin
# Module: quota
#
# File system quota management
# 
quota = module

# Layer: admin
# Module: readahead
#
# Readahead, read files into page cache for improved performance
# 
readahead = module

# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
# 
rpm = module

# Layer: admin
# Module: su
#
# Run shells with substitute user and group
# 
su = module

# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
# 
sudo = module

# Layer: admin
# Module: sxid
#
# SUID/SGID program monitoring
# 
sxid = module

# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
# 
tmpreaper = module

# Layer: admin
# Module: tripwire
#
# Tripwire file integrity checker.
# 
tripwire = module

# Layer: admin
# Module: tzdata
#
# Time zone updater
# 
tzdata = module

# Layer: admin
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
# 
updfstab = module

# Layer: admin
# Module: usbmodules
#
# List kernel modules of USB devices
# 
usbmodules = module

# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
# 
usermanage = module

# Layer: admin
# Module: vbetool
#
# run real-mode video BIOS code to alter hardware state
# 
vbetool = module

# Layer: admin
# Module: vpn
#
# Virtual Private Networking client
# 
vpn = module

# Layer: apps
# Module: ada
#
# GNAT Ada95 compiler
# 
ada = module

# Layer: apps
# Module: authbind
#
# Tool for non-root processes to bind to reserved ports
# 
authbind = module

# Layer: apps
# Module: awstats
#
# AWStats is a free powerful and featureful tool that generates advanced
# web, streaming, ftp or mail server statistics, graphically.
# 
awstats = module

# Layer: apps
# Module: calamaris
#
# Squid log analysis
# 
calamaris = module

# Layer: apps
# Module: cdrecord
#
# Policy for cdrecord
# 
cdrecord = module

# Layer: apps
# Module: ethereal
#
# Ethereal packet capture tool.
# 
ethereal = module

# Layer: apps
# Module: evolution
#
# Evolution email client
# 
evolution = module

# Layer: apps
# Module: games
#
# Games
# 
games = module

# Layer: apps
# Module: gift
#
# giFT peer to peer file sharing tool
# 
gift = module

# Layer: apps
# Module: gnome
#
# GNU network object model environment (GNOME)
# 
gnome = module

# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
# 
gpg = module

# Layer: apps
# Module: irc
#
# IRC client policy
# 
irc = module

# Layer: apps
# Module: java
#
# Java virtual machine
# 
java = module

# Layer: apps
# Module: loadkeys
#
# Load keyboard mappings.
# 
loadkeys = module

# Layer: apps
# Module: lockdev
#
# device locking policy for lockdev
# 
lockdev = module

# Layer: apps
# Module: mono
#
# Run .NET server and client applications on Linux.
# 
mono = module

# Layer: apps
# Module: mozilla
#
# Policy for Mozilla and related web browsers
# 
mozilla = module

# Layer: apps
# Module: mplayer
#
# Mplayer media player and encoder
# 
mplayer = module

# Layer: apps
# Module: rssh
#
# Restricted (scp/sftp) only shell
# 
rssh = module

# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
# 
screen = module

# Layer: apps
# Module: slocate
#
# Update database for mlocate
# 
slocate = module

# Layer: apps
# Module: thunderbird
#
# Thunderbird email client
# 
thunderbird = module

# Layer: apps
# Module: tvtime
#
# tvtime - a high quality television application
# 
tvtime = module

# Layer: apps
# Module: uml
#
# Policy for UML
# 
uml = module

# Layer: apps
# Module: userhelper
#
# SELinux utility to run a shell with a new role
# 
userhelper = module

# Layer: apps
# Module: usernetctl
#
# User network interface configuration helper
# 
usernetctl = module

# Layer: apps
# Module: vmware
#
# VMWare Workstation virtual machines
# 
vmware = module

# Layer: apps
# Module: webalizer
#
# Web server log analysis
# 
webalizer = module

# Layer: apps
# Module: wine
#
# Wine Is Not an Emulator.  Run Windows programs in Linux.
# 
wine = module

# Layer: apps
# Module: wireshark
#
# Wireshark packet capture tool.
# 
wireshark = module

# Layer: apps
# Module: yam
#
# Yum/Apt Mirroring
# 
yam = module

# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
# 
storage = base

# Layer: roles
# Module: auditadm
#
# Audit administrator role
# 
auditadm = module

# Layer: roles
# Module: secadm
#
# Security administrator role
# 
secadm = module

# Layer: roles
# Module: staff
#
# Administrator's unprivileged user role
# 
staff = base

# Layer: roles
# Module: sysadm
#
# General system administration role
# 
sysadm = base

# Layer: roles
# Module: unprivuser
#
# Generic unprivileged user role
# 
unprivuser = base

# Layer: services
# Module: afs
#
# Andrew Filesystem server
# 
afs = module

# Layer: services
# Module: aide
#
# Aide filesystem integrity checker
# 
aide = module

# Layer: services
# Module: amavis
#
# Daemon that interfaces mail transfer agents and content
# checkers, such as virus scanners.
# 
amavis = module

# Layer: services
# Module: apache
#
# Apache web server
# 
apache = module

# Layer: services
# Module: apcupsd
#
# APC UPS monitoring daemon
# 
apcupsd = module

# Layer: services
# Module: apm
#
# Advanced power management daemon
# 
apm = module

# Layer: services
# Module: arpwatch
#
# Ethernet activity monitor.
# 
arpwatch = module

# Layer: services
# Module: asterisk
#
# Asterisk IP telephony server
# 
asterisk = module

# Layer: services
# Module: audioentropy
#
# Generate entropy from audio input
# 
audioentropy = module

# Layer: services
# Module: automount
#
# Filesystem automounter service.
# 
automount = module

# Layer: services
# Module: avahi
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
# 
avahi = module

# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
# 
bind = module

# Layer: services
# Module: bitlbee
#
# Bitlbee service
# 
bitlbee = module

# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
# 
bluetooth = module

# Layer: services
# Module: canna
#
# Canna - kana-kanji conversion server
# 
canna = module

# Layer: services
# Module: ccs
#
# Cluster Configuration System
# 
ccs = module

# Layer: services
# Module: cipe
#
# Encrypted tunnel daemon
# 
cipe = module

# Layer: services
# Module: clamav
#
# ClamAV Virus Scanner
# 
clamav = module

# Layer: services
# Module: clockspeed
#
# Clockspeed simple network time protocol client
# 
clockspeed = module

# Layer: services
# Module: comsat
#
# Comsat, a biff server.
# 
comsat = module

# Layer: services
# Module: consolekit
#
# Framework for facilitating multiple user sessions on desktops.
# 
consolekit = module

# Layer: services
# Module: courier
#
# Courier IMAP and POP3 email servers
# 
courier = module

# Layer: services
# Module: cpucontrol
#
# Services for loading CPU microcode and CPU frequency scaling.
# 
cpucontrol = module

# Layer: services
# Module: cron
#
# Periodic execution of scheduled commands.
# 
cron = module

# Layer: services
# Module: cups
#
# Common UNIX printing system
# 
cups = module

# Layer: services
# Module: cvs
#
# Concurrent versions system
# 
cvs = module

# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
# 
cyrus = module

# Layer: services
# Module: dante
#
# Dante msproxy and socks4/5 proxy server
# 
dante = module

# Layer: services
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
# 
dbskk = module

# Layer: services
# Module: dbus
#
# Desktop messaging bus
# 
dbus = module

# Layer: services
# Module: dcc
#
# Distributed checksum clearinghouse spam filtering
# 
dcc = module

# Layer: services
# Module: ddclient
#
# Update dynamic IP address at DynDNS.org
# 
ddclient = module

# Layer: services
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
# 
dhcp = module

# Layer: services
# Module: dictd
#
# Dictionary daemon
# 
dictd = module

# Layer: services
# Module: distcc
#
# Distributed compiler daemon
# 
distcc = module

# Layer: services
# Module: djbdns
#
# small and secure DNS daemon
# 
djbdns = module

# Layer: services
# Module: dnsmasq
#
# dnsmasq DNS forwarder and DHCP server
# 
dnsmasq = module

# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
# 
dovecot = module

# Layer: services
# Module: exim
#
# Exim mail transfer agent
# 
exim = module

# Layer: services
# Module: fail2ban
#
# Update firewall filtering to ban IP addresses with too many password failures.
# 
fail2ban = module

# Layer: services
# Module: fetchmail
#
# Remote-mail retrieval and forwarding utility
# 
fetchmail = module

# Layer: services
# Module: finger
#
# Finger user information service.
# 
finger = module

# Layer: services
# Module: ftp
#
# File transfer protocol service
# 
ftp = module

# Layer: services
# Module: gatekeeper
#
# OpenH.323 Voice-Over-IP Gatekeeper
# 
gatekeeper = module

# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
# 
gpm = module

# Layer: services
# Module: hal
#
# Hardware abstraction layer
# 
hal = module

# Layer: services
# Module: howl
#
# Port of Apple Rendezvous multicast DNS
# 
howl = module

# Layer: services
# Module: i18n_input
#
# IIIMF htt server
# 
i18n_input = module

# Layer: services
# Module: imaze
#
# iMaze game server
# 
imaze = module

# Layer: services
# Module: inetd
#
# Internet services daemon.
# 
inetd = module

# Layer: services
# Module: inn
#
# Internet News NNTP server
# 
inn = module

# Layer: services
# Module: ircd
#
# IRC server
# 
ircd = module

# Layer: services
# Module: irqbalance
#
# IRQ balancing daemon
# 
irqbalance = module

# Layer: services
# Module: jabber
#
# Jabber instant messaging server
# 
jabber = module

# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
# 
kerberos = module

# Layer: services
# Module: ktalk
#
# KDE Talk daemon
# 
ktalk = module

# Layer: services
# Module: ldap
#
# OpenLDAP directory server
# 
ldap = module

# Layer: services
# Module: lpd
#
# Line printer daemon
# 
lpd = module

# Layer: services
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
# 
mailman = module

# Layer: services
# Module: monop
#
# Monopoly daemon
# 
monop = module

# Layer: services
# Module: mta
#
# Policy common to all email transfer agents.
# 
mta = module

# Layer: services
# Module: munin
#
# Munin network-wide load graphing (formerly LRRD)
# 
munin = module

# Layer: services
# Module: mysql
#
# Policy for MySQL
# 
mysql = module

# Layer: services
# Module: nagios
#
# Net Saint / NAGIOS - network monitoring server
# 
nagios = module

# Layer: services
# Module: nessus
#
# Nessus network scanning daemon
# 
nessus = module

# Layer: services
# Module: networkmanager
#
# Manager for dynamically switching between networks.
# 
networkmanager = module

# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
# 
nis = module

# Layer: services
# Module: nscd
#
# Name service cache daemon
# 
nscd = module

# Layer: services
# Module: nsd
#
# Authoritative only name server
# 
nsd = module

# Layer: services
# Module: ntop
#
# Network Top
# 
ntop = module

# Layer: services
# Module: ntp
#
# Network time protocol daemon
# 
ntp = module

# Layer: services
# Module: nx
#
# NX remote desktop
# 
nx = module

# Layer: services
# Module: oav
#
# Open AntiVirus scanner daemon and signature update
# 
oav = module

# Layer: services
# Module: oddjob
#
# Oddjob provides a mechanism by which unprivileged applications can
# request that specified privileged operations be performed on their
# behalf.
# 
oddjob = module

# Layer: services
# Module: openca
#
# OpenCA - Open Certificate Authority
# 
openca = module

# Layer: services
# Module: openct
#
# Service for handling smart card readers.
# 
openct = module

# Layer: services
# Module: openvpn
#
# full-featured SSL VPN solution
# 
openvpn = module

# Layer: services
# Module: pcscd
#
# PCSC smart card service
# 
pcscd = module

# Layer: services
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
# 
pegasus = module

# Layer: services
# Module: perdition
#
# Perdition POP and IMAP proxy
# 
perdition = module

# Layer: services
# Module: portmap
#
# RPC port mapping service.
# 
portmap = module

# Layer: services
# Module: portslave
#
# Portslave terminal server software
# 
portslave = module

# Layer: services
# Module: postfix
#
# Postfix email server
# 
postfix = module

# Layer: services
# Module: postfixpolicyd
#
# Postfix policy server
# 
postfixpolicyd = module

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
# 
postgresql = module

# Layer: services
# Module: postgrey
#
# Postfix grey-listing server
# 
postgrey = module

# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
# 
ppp = module

# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
# 
privoxy = module

# Layer: services
# Module: procmail
#
# Procmail mail delivery agent
# 
procmail = module

# Layer: services
# Module: publicfile
#
# publicfile supplies files to the public through HTTP and FTP
# 
publicfile = module

# Layer: services
# Module: pxe
#
# Server for the PXE network boot protocol
# 
pxe = module

# Layer: services
# Module: pyzor
#
# Pyzor is a distributed, collaborative spam detection and filtering network.
# 
pyzor = module

# Layer: services
# Module: qmail
#
# Qmail Mail Server
# 
qmail = module

# Layer: services
# Module: radius
#
# RADIUS authentication and accounting server.
# 
radius = module

# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
# 
radvd = module

# Layer: services
# Module: razor
#
# A distributed, collaborative, spam detection and filtering network.
# 
razor = module

# Layer: services
# Module: rdisc
#
# Network router discovery daemon
# 
rdisc = module

# Layer: services
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
# 
remotelogin = module

# Layer: services
# Module: resmgr
#
# Resource management daemon
# 
resmgr = module

# Layer: services
# Module: rhgb
#
# Red Hat Graphical Boot
# 
rhgb = module

# Layer: services
# Module: ricci
#
# Ricci cluster management agent
# 
ricci = module

# Layer: services
# Module: rlogin
#
# Remote login daemon
# 
rlogin = module

# Layer: services
# Module: roundup
#
# Roundup Issue Tracking System policy
# 
roundup = module

# Layer: services
# Module: rpc
#
# Remote Procedure Call daemon for management of network based process communication
# 
rpc = module

# Layer: services
# Module: rpcbind
#
# Universal Addresses to RPC Program Number Mapper
# 
rpcbind = module

# Layer: services
# Module: rshd
#
# Remote shell service.
# 
rshd = module

# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
# 
rsync = module

# Layer: services
# Module: rwho
#
# Who is logged in on other machines?
# 
rwho = module

# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
# name service switch daemon for resolving names
# from Windows NT servers.
# 
samba = module

# Layer: services
# Module: sasl
#
# SASL authentication server
# 
sasl = module

# Layer: services
# Module: sendmail
#
# Policy for sendmail.
# 
sendmail = module

# Layer: services
# Module: setroubleshoot
#
# SELinux troubleshooting service
# 
setroubleshoot = module

# Layer: services
# Module: slrnpull
#
# Service for downloading news feeds the slrn newsreader.
# 
slrnpull = module

# Layer: services
# Module: smartmon
#
# Smart disk monitoring daemon policy
# 
smartmon = module

# Layer: services
# Module: snmp
#
# Simple network management protocol services
# 
snmp = module

# Layer: services
# Module: snort
#
# Snort network intrusion detection system
# 
snort = module

# Layer: services
# Module: soundserver
#
# sound server for network audio server programs, nasd, yiff, etc
# 
soundserver = module

# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
# 
spamassassin = module

# Layer: services
# Module: speedtouch
#
# Alcatel speedtouch USB ADSL modem
# 
speedtouch = module

# Layer: services
# Module: squid
#
# Squid caching http proxy server
# 
squid = module

# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
# 
ssh = module

# Layer: services
# Module: stunnel
#
# SSL Tunneling Proxy
# 
stunnel = module

# Layer: services
# Module: sysstat
#
# Policy for sysstat. Reports on various system states
# 
sysstat = module

# Layer: services
# Module: tcpd
#
# Policy for TCP daemon.
# 
tcpd = module

# Layer: services
# Module: telnet
#
# Telnet daemon
# 
telnet = module

# Layer: services
# Module: tftp
#
# Trivial file transfer protocol daemon
# 
tftp = module

# Layer: services
# Module: timidity
#
# MIDI to WAV converter and player configured as a service
# 
timidity = module

# Layer: services
# Module: tor
#
# TOR, the onion router
# 
tor = module

# Layer: services
# Module: transproxy
#
# HTTP transparent proxy
# 
transproxy = module

# Layer: services
# Module: ucspitcp
#
# ucspitcp policy
# 
ucspitcp = module

# Layer: services
# Module: uptime
#
# Uptime daemon
# 
uptime = module

# Layer: services
# Module: uucp
#
# Unix to Unix Copy
# 
uucp = module

# Layer: services
# Module: uwimap
#
# University of Washington IMAP toolkit POP3 and IMAP mail server
# 
uwimap = module

# Layer: services
# Module: watchdog
#
# Software watchdog
# 
watchdog = module

# Layer: services
# Module: xfs
#
# X Windows Font Server
# 
xfs = module

# Layer: services
# Module: xprint
#
# X print server
# 
xprint = module

# Layer: services
# Module: xserver
#
# X Windows Server
# 
xserver = module

# Layer: services
# Module: zabbix
#
# Distributed infrastructure monitoring
# 
zabbix = module

# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
# 
zebra = module

# Layer: system
# Module: application
#
# Policy for user executable applications.
# 
application = base

# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
# 
authlogin = base

# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
# 
clock = module

# Layer: system
# Module: daemontools
#
# Collection of tools for managing UNIX services
# 
daemontools = module

# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
# 
fstools = module

# Layer: system
# Module: getty
#
# Policy for getty.
# 
getty = module

# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
# 
hostname = module

# Layer: system
# Module: hotplug
#
# Policy for hotplug system, for supporting the
# connection and disconnection of devices at runtime.
# 
hotplug = module

# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
# 
init = base

# Layer: system
# Module: ipsec
#
# TCP/IP encryption
# 
ipsec = module

# Layer: system
# Module: iptables
#
# Policy for iptables.
# 
iptables = module

# Layer: system
# Module: iscsi
#
# Establish connections to iSCSI devices
# 
iscsi = module

# Layer: system
# Module: libraries
#
# Policy for system libraries.
# 
libraries = base

# Layer: system
# Module: locallogin
#
# Policy for local logins.
# 
locallogin = base

# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
# 
logging = base

# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
# 
lvm = module

# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
# 
miscfiles = base

# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
# 
modutils = base

# Layer: system
# Module: mount
#
# Policy for mount.
# 
mount = module

# Layer: system
# Module: netlabel
#
# NetLabel/CIPSO labeled networking management
# 
netlabel = module

# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
# 
pcmcia = module

# Layer: system
# Module: raid
#
# RAID array management tools
# 
raid = module

# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
# 
selinuxutil = base

# Layer: system
# Module: setrans
#
# SELinux MLS/MCS label translation service.
# 
setrans = module

# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
# 
sysnetwork = base

# Layer: system
# Module: udev
#
# Policy for udev.
# 
udev = module

# Layer: system
# Module: unconfined
#
# The unconfined domain.
# 
unconfined = module

# Layer: system
# Module: userdomain
#
# Policy for user domains
# 
userdomain = base

# Layer: system
# Module: xen
#
# Xen hypervisor
# 
xen = module



* Re: roles in base module
From: Stephen Smalley @ 2008-05-08 12:08 UTC (permalink / raw)
  To: Martin Orr
  Cc: SELinux List, Christopher J. PeBenito, Joshua Brindle,
	Karl MacMillan


On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
> Should I be able to build trunk refpolicy with the user roles included in
> the base module?  I can build it with the roles as modules, but if I try
> building them into base I get
> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> libsepol.expand_module: Error while indexing out symbols
> /usr/bin/checkmodule:  expand module failed
> 
> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
> attached the modules.conf I am using, which seems to be the minimum number
> of things I need to build in to be able to build in roles.

Reproduced here as well, and naturally one should be able to build roles
into base.

We've seen this error condition in the past - it indicates that there is
a hole in the symbol table, and requires mapping support in the expand
code for roles to correctly handle it.  So that represents a
bug/limitation of the current policy compiler.

Walking through it I see that it is omitting the auditadm_r and secadm_r
roles during the expand, and this is leaving the holes in the symbol
table.

Fixing the compiler requires adding mapping support for the roles
similar to what Karl did for booleans in r2308.

Hopefully though Chris can work around it in the policy in the interim.

> plain text document attachment (modules.conf)
> # web, streaming, ftp or mail server statistics, graphically.
> # 
> awstats = module
> 
> # Layer: apps
> # Module: calamaris
> #
> # Squid log analysis
> # 
> calamaris = module
> 
> # Layer: apps
> # Module: cdrecord
> #
> # Policy for cdrecord
> # 
> cdrecord = module
> 
> # Layer: apps
> # Module: ethereal
> #
> # Ethereal packet capture tool.
> # 
> ethereal = module
> 
> # Layer: apps
> # Module: evolution
> #
> # Evolution email client
> # 
> evolution = module
> 
> # Layer: apps
> # Module: games
> #
> # Games
> # 
> games = module
> 
> # Layer: apps
> # Module: gift
> #
> # giFT peer to peer file sharing tool
> # 
> gift = module
> 
> # Layer: apps
> # Module: gnome
> #
> # GNU network object model environment (GNOME)
> # 
> gnome = module
> 
> # Layer: apps
> # Module: gpg
> #
> # Policy for GNU Privacy Guard and related programs.
> # 
> gpg = module
> 
> # Layer: apps
> # Module: irc
> #
> # IRC client policy
> # 
> irc = module
> 
> # Layer: apps
> # Module: java
> #
> # Java virtual machine
> # 
> java = module
> 
> # Layer: apps
> # Module: loadkeys
> #
> # Load keyboard mappings.
> # 
> loadkeys = module
> 
> # Layer: apps
> # Module: lockdev
> #
> # device locking policy for lockdev
> # 
> lockdev = module
> 
> # Layer: apps
> # Module: mono
> #
> # Run .NET server and client applications on Linux.
> # 
> mono = module
> 
> # Layer: apps
> # Module: mozilla
> #
> # Policy for Mozilla and related web browsers
> # 
> mozilla = module
> 
> # Layer: apps
> # Module: mplayer
> #
> # Mplayer media player and encoder
> # 
> mplayer = module
> 
> # Layer: apps
> # Module: rssh
> #
> # Restricted (scp/sftp) only shell
> # 
> rssh = module
> 
> # Layer: apps
> # Module: screen
> #
> # GNU terminal multiplexer
> # 
> screen = module
> 
> # Layer: apps
> # Module: slocate
> #
> # Update database for mlocate
> # 
> slocate = module
> 
> # Layer: apps
> # Module: thunderbird
> #
> # Thunderbird email client
> # 
> thunderbird = module
> 
> # Layer: apps
> # Module: tvtime
> #
> # tvtime - a high quality television application
> # 
> tvtime = module
> 
> # Layer: apps
> # Module: uml
> #
> # Policy for UML
> # 
> uml = module
> 
> # Layer: apps
> # Module: userhelper
> #
> # SELinux utility to run a shell with a new role
> # 
> userhelper = module
> 
> # Layer: apps
> # Module: usernetctl
> #
> # User network interface configuration helper
> # 
> usernetctl = module
> 
> # Layer: apps
> # Module: vmware
> #
> # VMWare Workstation virtual machines
> # 
> vmware = module
> 
> # Layer: apps
> # Module: webalizer
> #
> # Web server log analysis
> # 
> webalizer = module
> 
> # Layer: apps
> # Module: wine
> #
> # Wine Is Not an Emulator.  Run Windows programs in Linux.
> # 
> wine = module
> 
> # Layer: apps
> # Module: wireshark
> #
> # Wireshark packet capture tool.
> # 
> wireshark = module
> 
> # Layer: apps
> # Module: yam
> #
> # Yum/Apt Mirroring
> # 
> yam = module
> 
> # Layer: kernel
> # Module: storage
> #
> # Policy controlling access to storage devices
> # 
> storage = base
> 
> # Layer: roles
> # Module: auditadm
> #
> # Audit administrator role
> # 
> auditadm = module
> 
> # Layer: roles
> # Module: secadm
> #
> # Security administrator role
> # 
> secadm = module
> 
> # Layer: roles
> # Module: staff
> #
> # Administrator's unprivileged user role
> # 
> staff = base
> 
> # Layer: roles
> # Module: sysadm
> #
> # General system administration role
> # 
> sysadm = base
> 
> # Layer: roles
> # Module: unprivuser
> #
> # Generic unprivileged user role
> # 
> unprivuser = base
> 
> # Layer: services
> # Module: afs
> #
> # Andrew Filesystem server
> # 
> afs = module
> 
> # Layer: services
> # Module: aide
> #
> # Aide filesystem integrity checker
> # 
> aide = module
> 
> # Layer: services
> # Module: amavis
> #
> # Daemon that interfaces mail transfer agents and content
> # checkers, such as virus scanners.
> # 
> amavis = module
> 
> # Layer: services
> # Module: apache
> #
> # Apache web server
> # 
> apache = module
> 
> # Layer: services
> # Module: apcupsd
> #
> # APC UPS monitoring daemon
> # 
> apcupsd = module
> 
> # Layer: services
> # Module: apm
> #
> # Advanced power management daemon
> # 
> apm = module
> 
> # Layer: services
> # Module: arpwatch
> #
> # Ethernet activity monitor.
> # 
> arpwatch = module
> 
> # Layer: services
> # Module: asterisk
> #
> # Asterisk IP telephony server
> # 
> asterisk = module
> 
> # Layer: services
> # Module: audioentropy
> #
> # Generate entropy from audio input
> # 
> audioentropy = module
> 
> # Layer: services
> # Module: automount
> #
> # Filesystem automounter service.
> # 
> automount = module
> 
> # Layer: services
> # Module: avahi
> #
> # mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
> # 
> avahi = module
> 
> # Layer: services
> # Module: bind
> #
> # Berkeley internet name domain DNS server.
> # 
> bind = module
> 
> # Layer: services
> # Module: bitlbee
> #
> # Bitlbee service
> # 
> bitlbee = module
> 
> # Layer: services
> # Module: bluetooth
> #
> # Bluetooth tools and system services.
> # 
> bluetooth = module
> 
> # Layer: services
> # Module: canna
> #
> # Canna - kana-kanji conversion server
> # 
> canna = module
> 
> # Layer: services
> # Module: ccs
> #
> # Cluster Configuration System
> # 
> ccs = module
> 
> # Layer: services
> # Module: cipe
> #
> # Encrypted tunnel daemon
> # 
> cipe = module
> 
> # Layer: services
> # Module: clamav
> #
> # ClamAV Virus Scanner
> # 
> clamav = module
> 
> # Layer: services
> # Module: clockspeed
> #
> # Clockspeed simple network time protocol client
> # 
> clockspeed = module
> 
> # Layer: services
> # Module: comsat
> #
> # Comsat, a biff server.
> # 
> comsat = module
> 
> # Layer: services
> # Module: consolekit
> #
> # Framework for facilitating multiple user sessions on desktops.
> # 
> consolekit = module
> 
> # Layer: services
> # Module: courier
> #
> # Courier IMAP and POP3 email servers
> # 
> courier = module
> 
> # Layer: services
> # Module: cpucontrol
> #
> # Services for loading CPU microcode and CPU frequency scaling.
> # 
> cpucontrol = module
> 
> # Layer: services
> # Module: cron
> #
> # Periodic execution of scheduled commands.
> # 
> cron = module
> 
> # Layer: services
> # Module: cups
> #
> # Common UNIX printing system
> # 
> cups = module
> 
> # Layer: services
> # Module: cvs
> #
> # Concurrent versions system
> # 
> cvs = module
> 
> # Layer: services
> # Module: cyrus
> #
> # Cyrus is an IMAP service intended to be run on sealed servers
> # 
> cyrus = module
> 
> # Layer: services
> # Module: dante
> #
> # Dante msproxy and socks4/5 proxy server
> # 
> dante = module
> 
> # Layer: services
> # Module: dbskk
> #
> # Dictionary server for the SKK Japanese input method system.
> # 
> dbskk = module
> 
> # Layer: services
> # Module: dbus
> #
> # Desktop messaging bus
> # 
> dbus = module
> 
> # Layer: services
> # Module: dcc
> #
> # Distributed checksum clearinghouse spam filtering
> # 
> dcc = module
> 
> # Layer: services
> # Module: ddclient
> #
> # Update dynamic IP address at DynDNS.org
> # 
> ddclient = module
> 
> # Layer: services
> # Module: dhcp
> #
> # Dynamic host configuration protocol (DHCP) server
> # 
> dhcp = module
> 
> # Layer: services
> # Module: dictd
> #
> # Dictionary daemon
> # 
> dictd = module
> 
> # Layer: services
> # Module: distcc
> #
> # Distributed compiler daemon
> # 
> distcc = module
> 
> # Layer: services
> # Module: djbdns
> #
> # small and secure DNS daemon
> # 
> djbdns = module
> 
> # Layer: services
> # Module: dnsmasq
> #
> # dnsmasq DNS forwarder and DHCP server
> # 
> dnsmasq = module
> 
> # Layer: services
> # Module: dovecot
> #
> # Dovecot POP and IMAP mail server
> # 
> dovecot = module
> 
> # Layer: services
> # Module: exim
> #
> # Exim mail transfer agent
> # 
> exim = module
> 
> # Layer: services
> # Module: fail2ban
> #
> # Update firewall filtering to ban IP addresses with too many password failures.
> # 
> fail2ban = module
> 
> # Layer: services
> # Module: fetchmail
> #
> # Remote-mail retrieval and forwarding utility
> # 
> fetchmail = module
> 
> # Layer: services
> # Module: finger
> #
> # Finger user information service.
> # 
> finger = module
> 
> # Layer: services
> # Module: ftp
> #
> # File transfer protocol service
> # 
> ftp = module
> 
> # Layer: services
> # Module: gatekeeper
> #
> # OpenH.323 Voice-Over-IP Gatekeeper
> # 
> gatekeeper = module
> 
> # Layer: services
> # Module: gpm
> #
> # General Purpose Mouse driver
> # 
> gpm = module
> 
> # Layer: services
> # Module: hal
> #
> # Hardware abstraction layer
> # 
> hal = module
> 
> # Layer: services
> # Module: howl
> #
> # Port of Apple Rendezvous multicast DNS
> # 
> howl = module
> 
> # Layer: services
> # Module: i18n_input
> #
> # IIIMF htt server
> # 
> i18n_input = module
> 
> # Layer: services
> # Module: imaze
> #
> # iMaze game server
> # 
> imaze = module
> 
> # Layer: services
> # Module: inetd
> #
> # Internet services daemon.
> # 
> inetd = module
> 
> # Layer: services
> # Module: inn
> #
> # Internet News NNTP server
> # 
> inn = module
> 
> # Layer: services
> # Module: ircd
> #
> # IRC server
> # 
> ircd = module
> 
> # Layer: services
> # Module: irqbalance
> #
> # IRQ balancing daemon
> # 
> irqbalance = module
> 
> # Layer: services
> # Module: jabber
> #
> # Jabber instant messaging server
> # 
> jabber = module
> 
> # Layer: services
> # Module: kerberos
> #
> # MIT Kerberos admin and KDC
> # 
> kerberos = module
> 
> # Layer: services
> # Module: ktalk
> #
> # KDE Talk daemon
> # 
> ktalk = module
> 
> # Layer: services
> # Module: ldap
> #
> # OpenLDAP directory server
> # 
> ldap = module
> 
> # Layer: services
> # Module: lpd
> #
> # Line printer daemon
> # 
> lpd = module
> 
> # Layer: services
> # Module: mailman
> #
> # Mailman is for managing electronic mail discussion and e-newsletter lists
> # 
> mailman = module
> 
> # Layer: services
> # Module: monop
> #
> # Monopoly daemon
> # 
> monop = module
> 
> # Layer: services
> # Module: mta
> #
> # Policy common to all email transfer agents.
> # 
> mta = module
> 
> # Layer: services
> # Module: munin
> #
> # Munin network-wide load graphing (formerly LRRD)
> # 
> munin = module
> 
> # Layer: services
> # Module: mysql
> #
> # Policy for MySQL
> # 
> mysql = module
> 
> # Layer: services
> # Module: nagios
> #
> # Net Saint / NAGIOS - network monitoring server
> # 
> nagios = module
> 
> # Layer: services
> # Module: nessus
> #
> # Nessus network scanning daemon
> # 
> nessus = module
> 
> # Layer: services
> # Module: networkmanager
> #
> # Manager for dynamically switching between networks.
> # 
> networkmanager = module
> 
> # Layer: services
> # Module: nis
> #
> # Policy for NIS (YP) servers and clients
> # 
> nis = module
> 
> # Layer: services
> # Module: nscd
> #
> # Name service cache daemon
> # 
> nscd = module
> 
> # Layer: services
> # Module: nsd
> #
> # Authoritative only name server
> # 
> nsd = module
> 
> # Layer: services
> # Module: ntop
> #
> # Network Top
> # 
> ntop = module
> 
> # Layer: services
> # Module: ntp
> #
> # Network time protocol daemon
> # 
> ntp = module
> 
> # Layer: services
> # Module: nx
> #
> # NX remote desktop
> # 
> nx = module
> 
> # Layer: services
> # Module: oav
> #
> # Open AntiVirus scanner daemon and signature update
> # 
> oav = module
> 
> # Layer: services
> # Module: oddjob
> #
> # Oddjob provides a mechanism by which unprivileged applications can
> # request that specified privileged operations be performed on their
> # behalf.
> # 
> oddjob = module
> 
> # Layer: services
> # Module: openca
> #
> # OpenCA - Open Certificate Authority
> # 
> openca = module
> 
> # Layer: services
> # Module: openct
> #
> # Service for handling smart card readers.
> # 
> openct = module
> 
> # Layer: services
> # Module: openvpn
> #
> # full-featured SSL VPN solution
> # 
> openvpn = module
> 
> # Layer: services
> # Module: pcscd
> #
> # PCSC smart card service
> # 
> pcscd = module
> 
> # Layer: services
> # Module: pegasus
> #
> # The Open Group Pegasus CIM/WBEM Server.
> # 
> pegasus = module
> 
> # Layer: services
> # Module: perdition
> #
> # Perdition POP and IMAP proxy
> # 
> perdition = module
> 
> # Layer: services
> # Module: portmap
> #
> # RPC port mapping service.
> # 
> portmap = module
> 
> # Layer: services
> # Module: portslave
> #
> # Portslave terminal server software
> # 
> portslave = module
> 
> # Layer: services
> # Module: postfix
> #
> # Postfix email server
> # 
> postfix = module
> 
> # Layer: services
> # Module: postfixpolicyd
> #
> # Postfix policy server
> # 
> postfixpolicyd = module
> 
> # Layer: services
> # Module: postgresql
> #
> # PostgreSQL relational database
> # 
> postgresql = module
> 
> # Layer: services
> # Module: postgrey
> #
> # Postfix grey-listing server
> # 
> postgrey = module
> 
> # Layer: services
> # Module: ppp
> #
> # Point to Point Protocol daemon creates links in ppp networks
> # 
> ppp = module
> 
> # Layer: services
> # Module: privoxy
> #
> # Privacy enhancing web proxy.
> # 
> privoxy = module
> 
> # Layer: services
> # Module: procmail
> #
> # Procmail mail delivery agent
> # 
> procmail = module
> 
> # Layer: services
> # Module: publicfile
> #
> # publicfile supplies files to the public through HTTP and FTP
> # 
> publicfile = module
> 
> # Layer: services
> # Module: pxe
> #
> # Server for the PXE network boot protocol
> # 
> pxe = module
> 
> # Layer: services
> # Module: pyzor
> #
> # Pyzor is a distributed, collaborative spam detection and filtering network.
> # 
> pyzor = module
> 
> # Layer: services
> # Module: qmail
> #
> # Qmail Mail Server
> # 
> qmail = module
> 
> # Layer: services
> # Module: radius
> #
> # RADIUS authentication and accounting server.
> # 
> radius = module
> 
> # Layer: services
> # Module: radvd
> #
> # IPv6 router advertisement daemon
> # 
> radvd = module
> 
> # Layer: services
> # Module: razor
> #
> # A distributed, collaborative, spam detection and filtering network.
> # 
> razor = module
> 
> # Layer: services
> # Module: rdisc
> #
> # Network router discovery daemon
> # 
> rdisc = module
> 
> # Layer: services
> # Module: remotelogin
> #
> # Policy for rshd, rlogind, and telnetd.
> # 
> remotelogin = module
> 
> # Layer: services
> # Module: resmgr
> #
> # Resource management daemon
> # 
> resmgr = module
> 
> # Layer: services
> # Module: rhgb
> #
> # Red Hat Graphical Boot
> # 
> rhgb = module
> 
> # Layer: services
> # Module: ricci
> #
> # Ricci cluster management agent
> # 
> ricci = module
> 
> # Layer: services
> # Module: rlogin
> #
> # Remote login daemon
> # 
> rlogin = module
> 
> # Layer: services
> # Module: roundup
> #
> # Roundup Issue Tracking System policy
> # 
> roundup = module
> 
> # Layer: services
> # Module: rpc
> #
> # Remote Procedure Call Daemon for management of network based process communication
> # 
> rpc = module
> 
> # Layer: services
> # Module: rpcbind
> #
> # Universal Addresses to RPC Program Number Mapper
> # 
> rpcbind = module
> 
> # Layer: services
> # Module: rshd
> #
> # Remote shell service.
> # 
> rshd = module
> 
> # Layer: services
> # Module: rsync
> #
> # Fast incremental file transfer for synchronization
> # 
> rsync = module
> 
> # Layer: services
> # Module: rwho
> #
> # Who is logged in on other machines?
> # 
> rwho = module
> 
> # Layer: services
> # Module: samba
> #
> # SMB and CIFS client/server programs for UNIX and
> # name service switch daemon for resolving names
> # from Windows NT servers.
> # 
> samba = module
> 
> # Layer: services
> # Module: sasl
> #
> # SASL authentication server
> # 
> sasl = module
> 
> # Layer: services
> # Module: sendmail
> #
> # Policy for sendmail.
> # 
> sendmail = module
> 
> # Layer: services
> # Module: setroubleshoot
> #
> # SELinux troubleshooting service
> # 
> setroubleshoot = module
> 
> # Layer: services
> # Module: slrnpull
> #
> # Service for downloading news feeds for the slrn newsreader.
> # 
> slrnpull = module
> 
> # Layer: services
> # Module: smartmon
> #
> # Smart disk monitoring daemon policy
> # 
> smartmon = module
> 
> # Layer: services
> # Module: snmp
> #
> # Simple network management protocol services
> # 
> snmp = module
> 
> # Layer: services
> # Module: snort
> #
> # Snort network intrusion detection system
> # 
> snort = module
> 
> # Layer: services
> # Module: soundserver
> #
> # sound server for network audio server programs, nasd, yiff, etc
> # 
> soundserver = module
> 
> # Layer: services
> # Module: spamassassin
> #
> # Filter used for removing unsolicited email.
> # 
> spamassassin = module
> 
> # Layer: services
> # Module: speedtouch
> #
> # Alcatel speedtouch USB ADSL modem
> # 
> speedtouch = module
> 
> # Layer: services
> # Module: squid
> #
> # Squid caching http proxy server
> # 
> squid = module
> 
> # Layer: services
> # Module: ssh
> #
> # Secure shell client and server policy.
> # 
> ssh = module
> 
> # Layer: services
> # Module: stunnel
> #
> # SSL Tunneling Proxy
> # 
> stunnel = module
> 
> # Layer: services
> # Module: sysstat
> #
> # Policy for sysstat. Reports on various system states
> # 
> sysstat = module
> 
> # Layer: services
> # Module: tcpd
> #
> # Policy for TCP daemon.
> # 
> tcpd = module
> 
> # Layer: services
> # Module: telnet
> #
> # Telnet daemon
> # 
> telnet = module
> 
> # Layer: services
> # Module: tftp
> #
> # Trivial file transfer protocol daemon
> # 
> tftp = module
> 
> # Layer: services
> # Module: timidity
> #
> # MIDI to WAV converter and player configured as a service
> # 
> timidity = module
> 
> # Layer: services
> # Module: tor
> #
> # TOR, the onion router
> # 
> tor = module
> 
> # Layer: services
> # Module: transproxy
> #
> # HTTP transparent proxy
> # 
> transproxy = module
> 
> # Layer: services
> # Module: ucspitcp
> #
> # ucspitcp policy
> # 
> ucspitcp = module
> 
> # Layer: services
> # Module: uptime
> #
> # Uptime daemon
> # 
> uptime = module
> 
> # Layer: services
> # Module: uucp
> #
> # Unix to Unix Copy
> # 
> uucp = module
> 
> # Layer: services
> # Module: uwimap
> #
> # University of Washington IMAP toolkit POP3 and IMAP mail server
> # 
> uwimap = module
> 
> # Layer: services
> # Module: watchdog
> #
> # Software watchdog
> # 
> watchdog = module
> 
> # Layer: services
> # Module: xfs
> #
> # X Windows Font Server
> # 
> xfs = module
> 
> # Layer: services
> # Module: xprint
> #
> # X print server
> # 
> xprint = module
> 
> # Layer: services
> # Module: xserver
> #
> # X Windows Server
> # 
> xserver = module
> 
> # Layer: services
> # Module: zabbix
> #
> # Distributed infrastructure monitoring
> # 
> zabbix = module
> 
> # Layer: services
> # Module: zebra
> #
> # Zebra border gateway protocol network routing service
> # 
> zebra = module
> 
> # Layer: system
> # Module: application
> #
> # Policy for user executable applications.
> # 
> application = base
> 
> # Layer: system
> # Module: authlogin
> #
> # Common policy for authentication and user login.
> # 
> authlogin = base
> 
> # Layer: system
> # Module: clock
> #
> # Policy for reading and setting the hardware clock.
> # 
> clock = module
> 
> # Layer: system
> # Module: daemontools
> #
> # Collection of tools for managing UNIX services
> # 
> daemontools = module
> 
> # Layer: system
> # Module: fstools
> #
> # Tools for filesystem management, such as mkfs and fsck.
> # 
> fstools = module
> 
> # Layer: system
> # Module: getty
> #
> # Policy for getty.
> # 
> getty = module
> 
> # Layer: system
> # Module: hostname
> #
> # Policy for changing the system host name.
> # 
> hostname = module
> 
> # Layer: system
> # Module: hotplug
> #
> # Policy for hotplug system, for supporting the
> # connection and disconnection of devices at runtime.
> # 
> hotplug = module
> 
> # Layer: system
> # Module: init
> #
> # System initialization programs (init and init scripts).
> # 
> init = base
> 
> # Layer: system
> # Module: ipsec
> #
> # TCP/IP encryption
> # 
> ipsec = module
> 
> # Layer: system
> # Module: iptables
> #
> # Policy for iptables.
> # 
> iptables = module
> 
> # Layer: system
> # Module: iscsi
> #
> # Establish connections to iSCSI devices
> # 
> iscsi = module
> 
> # Layer: system
> # Module: libraries
> #
> # Policy for system libraries.
> # 
> libraries = base
> 
> # Layer: system
> # Module: locallogin
> #
> # Policy for local logins.
> # 
> locallogin = base
> 
> # Layer: system
> # Module: logging
> #
> # Policy for the kernel message logger and system logging daemon.
> # 
> logging = base
> 
> # Layer: system
> # Module: lvm
> #
> # Policy for logical volume management programs.
> # 
> lvm = module
> 
> # Layer: system
> # Module: miscfiles
> #
> # Miscellaneous files.
> # 
> miscfiles = base
> 
> # Layer: system
> # Module: modutils
> #
> # Policy for kernel module utilities
> # 
> modutils = base
> 
> # Layer: system
> # Module: mount
> #
> # Policy for mount.
> # 
> mount = module
> 
> # Layer: system
> # Module: netlabel
> #
> # NetLabel/CIPSO labeled networking management
> # 
> netlabel = module
> 
> # Layer: system
> # Module: pcmcia
> #
> # PCMCIA card management services
> # 
> pcmcia = module
> 
> # Layer: system
> # Module: raid
> #
> # RAID array management tools
> # 
> raid = module
> 
> # Layer: system
> # Module: selinuxutil
> #
> # Policy for SELinux policy and userland applications.
> # 
> selinuxutil = base
> 
> # Layer: system
> # Module: setrans
> #
> # SELinux MLS/MCS label translation service.
> # 
> setrans = module
> 
> # Layer: system
> # Module: sysnetwork
> #
> # Policy for network configuration: ifconfig and dhcp client.
> # 
> sysnetwork = base
> 
> # Layer: system
> # Module: udev
> #
> # Policy for udev.
> # 
> udev = module
> 
> # Layer: system
> # Module: unconfined
> #
> # The unconfined domain.
> # 
> unconfined = module
> 
> # Layer: system
> # Module: userdomain
> #
> # Policy for user domains
> # 
> userdomain = base
> 
> # Layer: system
> # Module: xen
> #
> # Xen hypervisor
> # 
> xen = module
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: roles in base module
  2008-05-08 12:08 ` Stephen Smalley
@ 2008-05-16 23:50   ` Joshua Brindle
  2008-05-19 12:10     ` Stephen Smalley
  2008-05-19 18:07     ` File_contexts file and semanage Hasan Rezaul-CHR010
  0 siblings, 2 replies; 14+ messages in thread
From: Joshua Brindle @ 2008-05-16 23:50 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan

Stephen Smalley wrote:
> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>> Should I be able to build trunk refpolicy with the user roles included in
>> the base module?  I can build it with the roles as modules, but if I try
>> building them into base I get
>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>> /usr/bin/checkmodule:  loading policy configuration from base.conf
>> libsepol.expand_module: Error while indexing out symbols
>> /usr/bin/checkmodule:  expand module failed
>>
>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
>> attached the modules.conf I am using, which seems to be the minimum number
>> of things I need to build in to be able to build in roles.
> 
> Reproduced here as well, and naturally one should be able to build roles
> into base.
> 
> We've seen this error condition in the past - it indicates that there is
> a hole in the symbol table, and requires mapping support in the expand
> code for roles to correctly handle it.  So that represents a
> bug/limitation of the current policy compiler.
> 
> Walking through it I see that it is omitting the auditadm_r and secadm_r
> roles during the expand, and this is leaving the holes in the symbol
> table.
> 
> Fixing the compiler requires adding mapping support for the roles
> similar to what Karl did for booleans in r2308.
> 
> Hopefully though Chris can work around it in the policy in the interim.
> 

Patch below should fix both user and role mapping issues.

Signed-off-by: Joshua Brindle <method@manicmethod.com>

diff -pruN -x .svn trunk.old/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.c
--- trunk.old/checkpolicy/policy_define.c	2008-05-14 06:03:32.588668393 -0400
+++ trunk/checkpolicy/policy_define.c	2008-05-14 02:08:43.876143370 -0400
@@ -2006,7 +2006,7 @@ int define_role_trans(void)
 	}
 
 	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
-	if (role_set_expand(&roles, &e_roles, policydbp))
+	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
 		goto bad;
 
 	if (type_set_expand(&types, &e_types, policydbp, 1))
diff -pruN -x .svn trunk.old/libsepol/include/sepol/policydb/expand.h trunk/libsepol/include/sepol/policydb/expand.h
--- trunk.old/libsepol/include/sepol/policydb/expand.h	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/include/sepol/policydb/expand.h	2008-05-14 01:50:32.859685635 -0400
@@ -59,7 +59,7 @@ extern int expand_convert_type_set(polic
 				   unsigned char alwaysexpand);
 extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
 			   unsigned char alwaysexpand);
-extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
+extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap);
 extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
                                      policydb_t *p, sepol_handle_t *h);
 extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
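Review bot: `role_set_expand` is an exported libsepol function, so growing its prototype here changes the library's public interface for every out-of-tree caller of the three-argument form; the new `rolemap` parameter also needs a comment in this header saying what it is indexed by (source role value minus one) and that NULL means identity, which is what the checkpolicy, policydb.c and users.c callers in this patch rely on.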
diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
--- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/expand.c	2008-05-14 06:05:22.090320200 -0400
@@ -41,6 +41,7 @@ typedef struct expand_state {
 	int verbose;
 	uint32_t *typemap;
 	uint32_t *boolmap;
+	uint32_t *rolemap;
 	policydb_t *base;
 	policydb_t *out;
 	sepol_handle_t *handle;
@@ -150,7 +151,7 @@ static int attr_convert_callback(hashtab
 		ERR(state->handle, "attribute %s vanished!", id);
 		return -1;
 	}
-	if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
+	if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
 		ERR(state->handle, "out of memory");
 		return -1;
 	}
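Review bot: `map_ebitmap` is called here, near the top of expand.c, but the patch defines it as `static` around line 1846 and adds no forward declaration, so this call is an implicit declaration (an error under strict C99 builds and a warning elsewhere). Add `static int map_ebitmap(ebitmap_t *src, ebitmap_t *dst, uint32_t *map);` above `attr_convert_callback`, or move the definition up.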
@@ -552,8 +553,9 @@ static int role_copy_callback(hashtab_ke
 			return -1;
 		}
 
-		new_role->s.value = role->s.value;
 		state->out->p_roles.nprim++;
+		new_role->s.value = state->out->p_roles.nprim;
+		state->rolemap[role->s.value - 1] = new_role->s.value;
 		ret = hashtab_insert(state->out->p_roles.table,
 				     (hashtab_key_t) new_id,
 				     (hashtab_datum_t) new_role);
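Review bot: `state->rolemap[role->s.value - 1]` is only recorded on this new-role path; if `role_copy_callback` has an earlier branch for a role that already exists in `state->out`, the mapping must be recorded there too, because `map_ebitmap` treats a zero map entry as "skip" and the role would silently disappear from every user, role allow and role transition that names it. A zero entry also hides genuine dangling references: unlike an attribute, a declared role should never vanish during expand, so consider reporting an unmapped role instead of dropping it.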
@@ -692,8 +694,8 @@ static int user_copy_callback(hashtab_ke
 		}
 		memset(new_user, 0, sizeof(user_datum_t));
 
-		new_user->s.value = user->s.value;
 		state->out->p_users.nprim++;
+		new_user->s.value = state->out->p_users.nprim;
 
 		new_id = strdup(id);
 		if (!new_id) {
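Review bot: users are renumbered here but no `usermap` is kept, so anything that stores a user by value must be translated or it will point at the wrong user (or past `nprim`); the contexts copied for initial SIDs, ocontexts, genfscon and fs_use entries hold user, role and type as plain values, and only the type goes through `typemap` today. Add a `usermap` mirroring `rolemap`, and have `context_copy` map all three fields, since roles are renumbered by this patch as well.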
@@ -756,7 +758,7 @@ static int user_copy_callback(hashtab_ke
 	ebitmap_init(&tmp_union);
 
 	/* get global roles for this user */
-	if (role_set_expand(&user->roles, &tmp_union, state->base)) {
+	if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) {
 		ERR(state->handle, "Out of memory!");
 		ebitmap_destroy(&tmp_union);
 		return -1;
@@ -938,14 +940,16 @@ static int copy_role_allows(expand_state
 		ebitmap_init(&roles);
 		ebitmap_init(&new_roles);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
-		if (role_set_expand(&cur->new_roles, &new_roles, state->out)) {
+
+		if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
+
 		ebitmap_for_each_bit(&roles, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
@@ -1005,7 +1009,7 @@ static int copy_role_trans(expand_state_
 		ebitmap_init(&roles);
 		ebitmap_init(&types);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
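Review bot: only the source role set of the transition is mapped here; a role_transition rule also carries a single target role value (`new_role`, not in this hunk) that is copied into the output rule, and it must go through `state->rolemap` as well, or the rule will transition to whichever role now holds the old number.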
@@ -1842,7 +1846,7 @@ static int type_attr_remove(hashtab_key_
 	return 0;
 }
 
-int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap)
+static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
 {
 	unsigned int i;
 	ebitmap_node_t *tnode;
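Review bot: turning the exported `convert_type_ebitmap` into a file-local `map_ebitmap` needs the matching cleanup: remove its prototype from expand.h if it is declared there, and check that no other translation unit (checkpolicy, link.c) still calls the old name, since that would now fail to link. The `map` argument is only read and could be `const uint32_t *`.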
@@ -1851,9 +1855,9 @@ int convert_type_ebitmap(ebitmap_t * src
 	ebitmap_for_each_bit(src, tnode, i) {
 		if (!ebitmap_node_get_bit(tnode, i))
 			continue;
-		if (!typemap[i])
+		if (!map[i])
 			continue;
-		if (ebitmap_set_bit(dst, typemap[i] - 1, 1))
+		if (ebitmap_set_bit(dst, map[i] - 1, 1))
 			return -1;
 	}
 	return 0;
@@ -1870,10 +1874,10 @@ int expand_convert_type_set(policydb_t *
 
 	type_set_init(&tmpset);
 
-	if (convert_type_ebitmap(&set->types, &tmpset.types, typemap))
+	if (map_ebitmap(&set->types, &tmpset.types, typemap))
 		return -1;
 
-	if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap))
+	if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
 		return -1;
 
 	tmpset.flags = set->flags;
@@ -1915,12 +1919,14 @@ int expand_rule(sepol_handle_t * handle,
 	return retval;
 }
 
-int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p)
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap)
 {
 	unsigned int i;
 	ebitmap_node_t *rnode;
+	ebitmap_t mapped_roles;
 
 	ebitmap_init(r);
+	ebitmap_init(&mapped_roles);
 
 	if (x->flags & ROLE_STAR) {
 		for (i = 0; i < p->p_roles.nprim++; i++)
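Review bot: not introduced by this patch, but the `ROLE_STAR` loop condition in the context lines, `i < p->p_roles.nprim++`, post-increments the role count on every comparison, so it corrupts `p->p_roles.nprim` and never terminates; it should read `i < p->p_roles.nprim`. Since that branch returns before `mapped_roles` is used, the new `ebitmap_init(&mapped_roles)` is better placed after the early return.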
@@ -1929,13 +1935,23 @@ int role_set_expand(role_set_t * x, ebit
 		return 0;
 	}
 
-	ebitmap_for_each_bit(&x->roles, rnode, i) {
+	if (rolemap) {
+		if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
+			return -1;
+	} else {
+		if (ebitmap_cpy(&mapped_roles, &x->roles))
+			return -1;
+	}
+
+	ebitmap_for_each_bit(&mapped_roles, rnode, i) {
 		if (ebitmap_node_get_bit(rnode, i)) {
 			if (ebitmap_set_bit(r, i, 1))
 				return -1;
 		}
 	}
 
+	ebitmap_destroy(&mapped_roles);
+
 	/* if role is to be complimented, invert the entire bitmap here */
 	if (x->flags & ROLE_COMP) {
 		for (i = 0; i < ebitmap_length(r); i++) {
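Review bot: the `return -1` paths in this hunk leak mapped_roles: map_ebitmap may already have allocated nodes before ebitmap_set_bit fails, and the ebitmap_for_each_bit loop returns without reaching the ebitmap_destroy(&mapped_roles) that only runs on the success path (r is left half-filled on those paths too). Route the failures through one cleanup label that destroys mapped_roles. The NULL-rolemap branch could also iterate x->roles directly instead of paying for an ebitmap_cpy just to share the loop.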
@@ -2309,6 +2325,12 @@ int expand_module(sepol_handle_t * handl
 		goto cleanup;
 	}
 
+	state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
+	if (!state.rolemap) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	/* order is important - types must be first */
 
 	/* copy types */
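Review bot: the cleanup: label now does free(state.rolemap), but this calloc sits after earlier `goto cleanup` exits in expand_module, which is only safe if state is zero-initialized before those exits; confirm that, or set state.rolemap = NULL up front. Sizing by state.base->p_roles.nprim matches the `state->rolemap[role->s.value - 1]` store in role_copy_callback, and the calloc zero doubles as "not copied" for map_ebitmap's `!map[i]` test; that dependency deserves a comment at the allocation.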
@@ -2464,6 +2486,7 @@ int expand_module(sepol_handle_t * handl
       cleanup:
 	free(state.typemap);
 	free(state.boolmap);
+	free(state.rolemap);
 	return retval;
 }
 
diff -pruN -x .svn trunk.old/libsepol/src/policydb.c trunk/libsepol/src/policydb.c
--- trunk.old/libsepol/src/policydb.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/policydb.c	2008-05-14 01:52:40.361608972 -0400
@@ -559,7 +559,7 @@ int policydb_user_cache(hashtab_key_t ke
 	p = (policydb_t *) arg;
 
 	ebitmap_destroy(&user->cache);
-	if (role_set_expand(&user->roles, &user->cache, p)) {
+	if (role_set_expand(&user->roles, &user->cache, p, NULL)) {
 		return -1;
 	}
 
diff -pruN -x .svn trunk.old/libsepol/src/users.c trunk/libsepol/src/users.c
--- trunk.old/libsepol/src/users.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/users.c	2008-05-14 01:48:17.857649160 -0400
@@ -260,7 +260,7 @@ int sepol_user_modify(sepol_handle_t * h
 
 		/* Expand roles */
 		if (role_set_expand
-		    (&usrdatum->roles, &usrdatum->cache, policydb)) {
+		    (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) {
 			ERR(handle, "unable to expand role set");
 			goto err;
 		}


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: roles in base module
  2008-05-16 23:50   ` Joshua Brindle
@ 2008-05-19 12:10     ` Stephen Smalley
  2008-05-19 21:59       ` Joshua Brindle
  2008-05-19 18:07     ` File_contexts file and semanage Hasan Rezaul-CHR010
  1 sibling, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-05-19 12:10 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan


On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
> >> Should I be able to build trunk refpolicy with the user roles included in
> >> the base module?  I can build it with the roles as modules, but if I try
> >> building them into base I get
> >> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> >> /usr/bin/checkmodule:  loading policy configuration from base.conf
> >> libsepol.expand_module: Error while indexing out symbols
> >> /usr/bin/checkmodule:  expand module failed
> >>
> >> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
> >> attached the modules.conf I am using, which seems to be the minimum number
> >> of things I need to build in to be able to build in roles.
> > 
> > Reproduced here as well, and naturally one should be able to build roles
> > into base.
> > 
> > We've seen this error condition in the past - it indicates that there is
> > a hole in the symbol table, and requires mapping support in the expand
> > code for roles to correctly handle it.  So that represents a
> > bug/limitation of the current policy compiler.
> > 
> > Walking through it I see that it is omitting the auditadm_r and secadm_r
> > roles during the expand, and this is leaving the holes in the symbol
> > table.
> > 
> > Fixing the compiler requires adding mapping support for the roles
> > similar to what Karl did for booleans in r2308.
> > 
> > Hopefully though Chris can work around it in the policy in the interim.
> > 
> 
> Patch below should fix both user and role mapping issues.

Why is it that we don't need a usermap too?

-- 
Stephen Smalley
National Security Agency



* RE: roles in base module
@ 2008-05-19 17:46 Joshua Brindle
  2008-05-19 18:57 ` Martin Orr
  0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2008-05-19 17:46 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Martin Orr, SELinux List, Christopher J.PeBenito, Karl MacMillan

Sorry if this is badly formatted, writing it from my phone :)

Anyway, the usermap wasn't used so I removed it, but now that I think about it constraint_clone_node needs to map both roles and users. I'll get an update out when I can.

* File_contexts file and semanage...
  2008-05-16 23:50   ` Joshua Brindle
  2008-05-19 12:10     ` Stephen Smalley
@ 2008-05-19 18:07     ` Hasan Rezaul-CHR010
  2008-05-19 18:33       ` Stephen Smalley
  1 sibling, 1 reply; 14+ messages in thread
From: Hasan Rezaul-CHR010 @ 2008-05-19 18:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi All,

I have some unique directories in my filesystem, that I wanted to label
a certain way. As such, I added a few modifications to the file_contexts
files at the following locations:

/etc/selinux/strict/modules/active/file_contexts
/etc/selinux/strict/modules/active/file_contexts.template
/etc/selinux/strict/contexts/files/file_contexts

When my Linux machine boots up, and I label the entire filesystem,
everything gets labelled correctly.

Later, I have a script that runs the  "semanage login -a -s xxx yyy"
command.
I noticed, right after the 'semanage' command is run, the above three
files get reset back to the original defaults ???

Why does this happen, and any way for these file_contexts files to
remain the way I set them initially ???

Ques 2.  Initially after the system is labelled the way I want,  the
/etc/shadow file is labelled as  shadow_t !
Later, some application task on my system is probably running "useradd"
or "userdel", and as a result, I have two files labelled as follows:

/etc/shadow    etc_runtime_t
/etc/shadow-   shadow_t


It looks like useradd or userdel is creating a backup copy (shadow-),
but I am not interested in that. The shadow file is what I am interested
in, and its label is getting changed to etc_runtime_t. Why could this
be happening, and how do I stop it?

Thanks in advance for your help,

- Rezaul.



* Re: File_contexts file and semanage...
  2008-05-19 18:07     ` File_contexts file and semanage Hasan Rezaul-CHR010
@ 2008-05-19 18:33       ` Stephen Smalley
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2008-05-19 18:33 UTC (permalink / raw)
  To: Hasan Rezaul-CHR010; +Cc: SELinux List


On Mon, 2008-05-19 at 14:07 -0400, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> I have some unique directories in my filesystem, that I wanted to label
> a certain way. As such, I added a few modifications to the file_contexts
> files at the following locations:
> 
> /etc/selinux/strict/modules/active/file_contexts
> /etc/selinux/strict/modules/active/file_contexts.template
> /etc/selinux/strict/contexts/files/file_contexts
> 
> When my Linux machine boots up, and I label the entire filesystem,
> everything gets labelled correctly.
> 
> Later, I have a script that runs the  "semanage login -a -s xxx yyy"
> command.
> I noticed, right after the 'semanage' command is run, the above three
> files get reset back to the original defaults ???
> 
> Why does this happen, and any way for these file_contexts files to
> remain the way I set them initially ???

You shouldn't ever directly edit files under the modules/ subdirectory,
as they are managed by libsemanage, and the files you are touching are
generated based on other files.

Instead, use semanage fcontext -a to add local file contexts entries, or
put a file_contexts file in a policy module package (.pp) file of your
own and insert it via semodule.

> Ques 2.  Initially after the system is labelled the way I want,  the
> /etc/shadow file is labelled as  shadow_t !
> Later, some application task on my system is probably running "useradd"
> or "userdel", and as a result, I have two files labelled as follows:
> 
> /etc/shadow    etc_runtime_t
> /etc/shadow-   shadow_t
> 
> 
> It looks like useradd or userdel is creating a backup copy (shadow-),
> but I am not interested in that. The shadow file is what I am interested
> in, and its label is getting changed to  etc_runtime_t.  Why could this
> be happenning, and how do I stop it ?

The shadow file is updated by creating a new copy, creating a hard link
to the old copy, and then renaming the new copy into place such that the
shadow file is always in a valid state and the transaction is atomic.

Normally we preserve the type on the shadow file in two ways:
- policy defines a type transition for programs like useradd such that
any new files created by them will default to shadow_t if not otherwise
specified, and
- programs like useradd and/or the libraries they use to
modify /etc/shadow have been modified to preserve the security context
of the original file when making updates

Are your useradd and/or userdel programs from the shadow-utils package?
What version?  Does it include the SELinux modifications?

> Thanks in advance for your help,
> 
> - Rezaul.
-- 
Stephen Smalley
National Security Agency
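The update sequence Stephen describes (new copy, hard link to the old copy, rename into place) with the label carried over, as an added example in C that is not code from the thread or from shadow-utils; it assumes Linux with glibc, reads the label through the raw security.selinux xattr rather than libselinux, and the directory name and shadow lines it uses are constructed.

```c
/* Atomic, label-preserving file replacement modelled on how shadow-utils
 * updates /etc/shadow.  The SELinux label travels as the raw security.selinux
 * xattr (an assumption standing in for libselinux's fgetfilecon()/fsetfilecon()). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* 0 = label copied, 1 = no label to copy (kernel without SELinux, unlabeled
 * filesystem), -1 = a label exists but could not be applied; the caller must
 * then abort or the new file keeps the directory's default type. */
static int copy_selinux_label(int oldfd, int newfd)
{
	char label[256];
	ssize_t n = fgetxattr(oldfd, "security.selinux", label, sizeof(label));

	if (n < 0)
		return (errno == ENODATA || errno == ENOTSUP) ? 1 : -1;
	if (fsetxattr(newfd, "security.selinux", label, (size_t)n, 0) < 0)
		return (errno == ENOTSUP) ? 1 : -1;
	return 0;
}

/* Returns copy_selinux_label()'s status (0/1) once path has been replaced,
 * -1 on any failure, in which case the original file is left untouched. */
int replace_preserving_label(const char *path, const char *content)
{
	char tmp[PATH_MAX], bak[PATH_MAX];
	struct stat st;
	size_t len = strlen(content);
	int oldfd, newfd, status = -1;

	if (snprintf(tmp, sizeof(tmp), "%s+", path) >= (int)sizeof(tmp) ||
	    snprintf(bak, sizeof(bak), "%s-", path) >= (int)sizeof(bak))
		return -1;	/* a truncated bak name could make unlink() hit path */
	oldfd = open(path, O_RDONLY | O_CLOEXEC);
	if (oldfd < 0)
		return -1;
	/* O_EXCL: never reuse a temp file that someone else left (or planted). */
	newfd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
	if (newfd < 0) {
		close(oldfd);
		return -1;
	}
	/* Mode, label and data land on the temp file while it is still invisible
	 * under the real name; the current file is then hard-linked to "<path>-"
	 * (the shadow- backup in the thread) and one rename() commits. */
	if (fstat(oldfd, &st) < 0 || fchmod(newfd, st.st_mode & 07777) < 0 ||
	    (status = copy_selinux_label(oldfd, newfd)) < 0 ||
	    write(newfd, content, len) != (ssize_t)len || fsync(newfd) < 0 ||
	    (unlink(bak) < 0 && errno != ENOENT) || link(path, bak) < 0 ||
	    rename(tmp, path) < 0)
		status = -1;	/* a short write on this small file counts as failure */
	close(oldfd);
	close(newfd);
	if (status < 0)
		unlink(tmp);
	return status;
}

/* Constructed scenario: seed a throwaway "shadow" file with made-up lines,
 * replace it, verify the new content and that "shadow-" is the old inode.
 * Returns the label status (0/1) on success, -1 otherwise. */
int demo_shadow_update(void)
{
	const char *before = "alice:*:19000:0:99999:7:::\n";
	const char *after = "alice:!:19001:0:99999:7:::\n";
	char dir[] = "/tmp/shadowdemo.XXXXXX", path[PATH_MAX], bak[PATH_MAX], buf[128];
	struct stat old_st = { 0 }, bak_st = { 0 };
	ssize_t n = -1;
	int fd, status = -1;

	if (!mkdtemp(dir))
		return -1;
	snprintf(path, sizeof(path), "%s/shadow", dir);
	snprintf(bak, sizeof(bak), "%s/shadow-", dir);
	fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd >= 0 && write(fd, before, strlen(before)) == (ssize_t)strlen(before)
	    && fstat(fd, &old_st) == 0)
		status = replace_preserving_label(path, after);
	if (fd >= 0)
		close(fd);
	if (status >= 0 && (fd = open(path, O_RDONLY)) >= 0) {
		n = read(fd, buf, sizeof(buf));
		close(fd);
	}
	if (n != (ssize_t)strlen(after) || memcmp(buf, after, (size_t)n) != 0 ||
	    stat(bak, &bak_st) < 0 || bak_st.st_ino != old_st.st_ino)
		status = -1;	/* the old inode must live on as "shadow-" */
	unlink(path);
	unlink(bak);
	rmdir(dir);
	return status;
}
```

On a kernel without SELinux the label step reports "nothing to copy" and the backup-and-rename sequence still runs; on an SELinux system a refused relabel aborts the update rather than leaving the new file with the directory's default type, which is the etc_runtime_t outcome Rezaul observed.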



* Re: roles in base module
  2008-05-19 17:46 roles in base module Joshua Brindle
@ 2008-05-19 18:57 ` Martin Orr
  0 siblings, 0 replies; 14+ messages in thread
From: Martin Orr @ 2008-05-19 18:57 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Stephen Smalley, SELinux List, Christopher J.PeBenito,
	Karl MacMillan

On 19/05/08 18:46, Joshua Brindle wrote:
> Sorry if this is badly formatted, writing it from my phone :)
> 
> Anyway, the usermap wasn't used so i removed it but now that i think about it constraint_clone_node needs to map both roles and users, ill get an update out when i can-----Original Message-----
> From: Stephen Smalley <sds@tycho.nsa.gov>
> Sent: Monday, May 19, 2008 5:10 AM
> To: Joshua Brindle <method@manicmethod.com>
> Cc: Martin Orr <martin@martinorr.name>; SELinux List <selinux@tycho.nsa.gov>; Christopher J. PeBenito <cpebenito@tresys.com>; Karl MacMillan <kmacmillan@tresys.com>
> Subject: Re: roles in base module
> 
> 
> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>>>> Should I be able to build trunk refpolicy with the user roles included in
>>>> the base module?  I can build it with the roles as modules, but if I try
>>>> building them into base I get
>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>> libsepol.expand_module: Error while indexing out symbols
>>>> /usr/bin/checkmodule:  expand module failed
>>>>
>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
>>>> attached the modules.conf I am using, which seems to be the minimum number
>>>> of things I need to build in to be able to build in roles.
>>> Reproduced here as well, and naturally one should be able to build roles
>>> into base.
>>>
>>> We've seen this error condition in the past - it indicates that there is
>>> a hole in the symbol table, and requires mapping support in the expand
>>> code for roles to correctly handle it.  So that represents a
>>> bug/limitation of the current policy compiler.
>>>
>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
>>> roles during the expand, and this is leaving the holes in the symbol
>>> table.
>>>
>>> Fixing the compiler requires adding mapping support for the roles
>>> similar to what Karl did for booleans in r2308.
>>>
>>> Hopefully though Chris can work around it in the policy in the interim.
>>>
>> Patch below should fix both user and role mapping issues.
> 
> Why is it that we don't need a usermap too?

This patch gives me:
make[1]: Entering directory `/home/martin/selinux/toolchain/trunk/libsepol/src'
cc -Werror -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
-I. -I../include -D_GNU_SOURCE -fPIC -c -o expand.o expand.c
cc1: warnings being treated as errors
expand.c: In function 'attr_convert_callback':
expand.c:154: error: implicit declaration of function 'map_ebitmap'
expand.c: At top level:
expand.c:1849: error: static declaration of 'map_ebitmap' follows non-static
declaration
expand.c:154: error: previous implicit declaration of 'map_ebitmap' was here
make[1]: *** [expand.o] Error 1

I moved map_ebitmap to the top of the file to get something which would
compile.  Then I can build the policy, but not install the result:

martin@caligula:~/selinux/refpolicy/quilt$ sudo semodule -n -b base.pp
libsepol.context_read_and_validate: invalid security context
libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
Error reading policy /etc/selinux/refpolicy-debian-martin/policy/policy.22:
Success
libsemanage.semanage_install_active: setfiles returned error code 1
semodule:  Failed!

The failure seems to be at the check:
		role = p->role_val_to_struct[c->role - 1];
		if (!ebitmap_get_bit(&role->cache, c->type - 1))
			/* role may not be associated with type */
			return 0;
at line 57 of libsepol/src/context.c.

>> Signed-off-by: Joshua Brindle <method@manicmethod.com>
>>
>> diff -pruN -x .svn trunk.old/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.c
>> --- trunk.old/checkpolicy/policy_define.c	2008-05-14 06:03:32.588668393 -0400
>> +++ trunk/checkpolicy/policy_define.c	2008-05-14 02:08:43.876143370 -0400
>> @@ -2006,7 +2006,7 @@ int define_role_trans(void)
>>  	}
>>  
>>  	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
>> -	if (role_set_expand(&roles, &e_roles, policydbp))
>> +	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
>>  		goto bad;
>>  
>>  	if (type_set_expand(&types, &e_types, policydbp, 1))
>> diff -pruN -x .svn trunk.old/libsepol/include/sepol/policydb/expand.h trunk/libsepol/include/sepol/policydb/expand.h
>> --- trunk.old/libsepol/include/sepol/policydb/expand.h	2008-05-14 06:03:34.088691020 -0400
>> +++ trunk/libsepol/include/sepol/policydb/expand.h	2008-05-14 01:50:32.859685635 -0400
>> @@ -59,7 +59,7 @@ extern int expand_convert_type_set(polic
>>  				   unsigned char alwaysexpand);
>>  extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
>>  			   unsigned char alwaysexpand);
>> -extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
>> +extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap);
>>  extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
>>                                       policydb_t *p, sepol_handle_t *h);
>>  extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
>> diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
>> --- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
>> +++ trunk/libsepol/src/expand.c	2008-05-14 06:05:22.090320200 -0400
>> @@ -41,6 +41,7 @@ typedef struct expand_state {
>>  	int verbose;
>>  	uint32_t *typemap;
>>  	uint32_t *boolmap;
>> +	uint32_t *rolemap;
>>  	policydb_t *base;
>>  	policydb_t *out;
>>  	sepol_handle_t *handle;
>> @@ -150,7 +151,7 @@ static int attr_convert_callback(hashtab
>>  		ERR(state->handle, "attribute %s vanished!", id);
>>  		return -1;
>>  	}
>> -	if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
>> +	if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
>>  		ERR(state->handle, "out of memory");
>>  		return -1;
>>  	}
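Review bot: map_ebitmap() is called here at line 154 but is only defined, as static, much further down in the -1842 hunk, so without a forward declaration near the top of expand.c the build fails with exactly the implicit-declaration error quoted above. Either add `static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map);` after the expand_state_t definition or move the function body up above attr_convert_callback().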
>> @@ -552,8 +553,9 @@ static int role_copy_callback(hashtab_ke
>>  			return -1;
>>  		}
>>  
>> -		new_role->s.value = role->s.value;
>>  		state->out->p_roles.nprim++;
>> +		new_role->s.value = state->out->p_roles.nprim;
>> +		state->rolemap[role->s.value - 1] = new_role->s.value;
>>  		ret = hashtab_insert(state->out->p_roles.table,
>>  				     (hashtab_key_t) new_id,
>>  				     (hashtab_datum_t) new_role);
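Review bot: assigning the copied role a fresh value from p_roles.nprim changes the number that every other structure in base uses to refer to that role, but the rest of this patch only threads rolemap through the role_set_expand() callers. Role values embedded in security contexts (the `c->role` that context.c indexes into role_val_to_struct, as quoted above) are copied across unmapped, which is consistent with the context_read_and_validate failure Martin reports. Every place that copies a stored role value needs the same `rolemap[value - 1]` translation, not just the role sets.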
>> @@ -692,8 +694,8 @@ static int user_copy_callback(hashtab_ke
>>  		}
>>  		memset(new_user, 0, sizeof(user_datum_t));
>>  
>> -		new_user->s.value = user->s.value;
>>  		state->out->p_users.nprim++;
>> +		new_user->s.value = state->out->p_users.nprim;
>>  
>>  		new_id = strdup(id);
>>  		if (!new_id) {
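Review bot: users are renumbered here exactly like roles, but no old-to-new mapping is recorded, so user values stored in constraint expressions and in contexts keep the base numbering while the user table is now dense. Mirror the role hunk with a usermap (`state->usermap[user->s.value - 1] = new_user->s.value;`) and map CEXPR_USER name sets the same way role sets are mapped.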
>> @@ -756,7 +758,7 @@ static int user_copy_callback(hashtab_ke
>>  	ebitmap_init(&tmp_union);
>>  
>>  	/* get global roles for this user */
>> -	if (role_set_expand(&user->roles, &tmp_union, state->base)) {
>> +	if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) {
>>  		ERR(state->handle, "Out of memory!");
>>  		ebitmap_destroy(&tmp_union);
>>  		return -1;
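Review bot: this call passes state->base, whereas copy_role_allows() and copy_role_trans() below pass state->out. Once a rolemap is supplied the result bitmap is in out's numbering, and role_set_expand() sizes the ROLE_STAR case by `p->p_roles.nprim`, so taking that count from base can set bits for roles that do not exist in out. Pass state->out here as well.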
>> @@ -938,14 +940,16 @@ static int copy_role_allows(expand_state
>>  		ebitmap_init(&roles);
>>  		ebitmap_init(&new_roles);
>>  
>> -		if (role_set_expand(&cur->roles, &roles, state->out)) {
>> +		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
>>  			ERR(state->handle, "Out of memory!");
>>  			return -1;
>>  		}
>> -		if (role_set_expand(&cur->new_roles, &new_roles, state->out)) {
>> +
>> +		if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) {
>>  			ERR(state->handle, "Out of memory!");
>>  			return -1;
>>  		}
>> +
>>  		ebitmap_for_each_bit(&roles, snode, i) {
>>  			if (!ebitmap_node_get_bit(snode, i))
>>  				continue;
>> @@ -1005,7 +1009,7 @@ static int copy_role_trans(expand_state_
>>  		ebitmap_init(&roles);
>>  		ebitmap_init(&types);
>>  
>> -		if (role_set_expand(&cur->roles, &roles, state->out)) {
>> +		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
>>  			ERR(state->handle, "Out of memory!");
>>  			return -1;
>>  		}
>> @@ -1842,7 +1846,7 @@ static int type_attr_remove(hashtab_key_
>>  	return 0;
>>  }
>>  
>> -int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap)
>> +static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
>>  {
>>  	unsigned int i;
>>  	ebitmap_node_t *tnode;
>> @@ -1851,9 +1855,9 @@ int convert_type_ebitmap(ebitmap_t * src
>>  	ebitmap_for_each_bit(src, tnode, i) {
>>  		if (!ebitmap_node_get_bit(tnode, i))
>>  			continue;
>> -		if (!typemap[i])
>> +		if (!map[i])
>>  			continue;
>> -		if (ebitmap_set_bit(dst, typemap[i] - 1, 1))
>> +		if (ebitmap_set_bit(dst, map[i] - 1, 1))
>>  			return -1;
>>  	}
>>  	return 0;
>> @@ -1870,10 +1874,10 @@ int expand_convert_type_set(policydb_t *
>>  
>>  	type_set_init(&tmpset);
>>  
>> -	if (convert_type_ebitmap(&set->types, &tmpset.types, typemap))
>> +	if (map_ebitmap(&set->types, &tmpset.types, typemap))
>>  		return -1;
>>  
>> -	if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap))
>> +	if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
>>  		return -1;
>>  
>>  	tmpset.flags = set->flags;
>> @@ -1915,12 +1919,14 @@ int expand_rule(sepol_handle_t * handle,
>>  	return retval;
>>  }
>>  
>> -int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p)
>> +int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap)
>>  {
>>  	unsigned int i;
>>  	ebitmap_node_t *rnode;
>> +	ebitmap_t mapped_roles;
>>  
>>  	ebitmap_init(r);
>> +	ebitmap_init(&mapped_roles);
>>  
>>  	if (x->flags & ROLE_STAR) {
>>  		for (i = 0; i < p->p_roles.nprim++; i++)
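Review bot: the unchanged ROLE_STAR loop in this hunk's context, `for (i = 0; i < p->p_roles.nprim++; i++)`, post-increments nprim on every comparison, so the bound keeps moving ahead of i and the role count is corrupted as a side effect. It should read `i < p->p_roles.nprim`. Pre-existing, but the patch is rewriting this function and should fix it while here.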
>> @@ -1929,13 +1935,23 @@ int role_set_expand(role_set_t * x, ebit
>>  		return 0;
>>  	}
>>  
>> -	ebitmap_for_each_bit(&x->roles, rnode, i) {
>> +	if (rolemap) {
>> +		if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
>> +			return -1;
>> +	} else {
>> +		if (ebitmap_cpy(&mapped_roles, &x->roles))
>> +			return -1;
>> +	}
>> +
>> +	ebitmap_for_each_bit(&mapped_roles, rnode, i) {
>>  		if (ebitmap_node_get_bit(rnode, i)) {
>>  			if (ebitmap_set_bit(r, i, 1))
>>  				return -1;
>>  		}
>>  	}
>>  
>> +	ebitmap_destroy(&mapped_roles);
>> +
>>  	/* if role is to be complimented, invert the entire bitmap here */
>>  	if (x->flags & ROLE_COMP) {
>>  		for (i = 0; i < ebitmap_length(r); i++) {
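Review bot: mapped_roles is only destroyed on the success path; the `return -1` exits after map_ebitmap(), ebitmap_cpy() and ebitmap_set_bit() all leave it allocated. Route the failures through a single cleanup label that calls `ebitmap_destroy(&mapped_roles)` before returning.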
>> @@ -2309,6 +2325,12 @@ int expand_module(sepol_handle_t * handl
>>  		goto cleanup;
>>  	}
>>  
>> +	state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
>> +	if (!state.rolemap) {
>> +		ERR(handle, "Out of memory!");
>> +		goto cleanup;
>> +	}
>> +
>>  	/* order is important - types must be first */
>>  
>>  	/* copy types */
>> @@ -2464,6 +2486,7 @@ int expand_module(sepol_handle_t * handl
>>        cleanup:
>>  	free(state.typemap);
>>  	free(state.boolmap);
>> +	free(state.rolemap);
>>  	return retval;
>>  }
>>  
>> diff -pruN -x .svn trunk.old/libsepol/src/policydb.c trunk/libsepol/src/policydb.c
>> --- trunk.old/libsepol/src/policydb.c	2008-05-14 06:03:34.088691020 -0400
>> +++ trunk/libsepol/src/policydb.c	2008-05-14 01:52:40.361608972 -0400
>> @@ -559,7 +559,7 @@ int policydb_user_cache(hashtab_key_t ke
>>  	p = (policydb_t *) arg;
>>  
>>  	ebitmap_destroy(&user->cache);
>> -	if (role_set_expand(&user->roles, &user->cache, p)) {
>> +	if (role_set_expand(&user->roles, &user->cache, p, NULL)) {
>>  		return -1;
>>  	}
>>  
>> diff -pruN -x .svn trunk.old/libsepol/src/users.c trunk/libsepol/src/users.c
>> --- trunk.old/libsepol/src/users.c	2008-05-14 06:03:34.088691020 -0400
>> +++ trunk/libsepol/src/users.c	2008-05-14 01:48:17.857649160 -0400
>> @@ -260,7 +260,7 @@ int sepol_user_modify(sepol_handle_t * h
>>  
>>  		/* Expand roles */
>>  		if (role_set_expand
>> -		    (&usrdatum->roles, &usrdatum->cache, policydb)) {
>> +		    (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) {
>>  			ERR(handle, "unable to expand role set");
>>  			goto err;
>>  		}


-- 
Martin Orr

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: roles in base module
  2008-05-19 12:10     ` Stephen Smalley
@ 2008-05-19 21:59       ` Joshua Brindle
  2008-05-20 17:55         ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2008-05-19 21:59 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan

Stephen Smalley wrote:
> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>>>> Should I be able to build trunk refpolicy with the user roles included in
>>>> the base module?  I can build it with the roles as modules, but if I try
>>>> building them into base I get
>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>> libsepol.expand_module: Error while indexing out symbols
>>>> /usr/bin/checkmodule:  expand module failed
>>>>
>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
>>>> attached the modules.conf I am using, which seems to be the minimum number
>>>> of things I need to build in to be able to build in roles.
>>> Reproduced here as well, and naturally one should be able to build roles
>>> into base.
>>>
>>> We've seen this error condition in the past - it indicates that there is
>>> a hole in the symbol table, and requires mapping support in the expand
>>> code for roles to correctly handle it.  So that represents a
>>> bug/limitation of the current policy compiler.
>>>
>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
>>> roles during the expand, and this is leaving the holes in the symbol
>>> table.
>>>
>>> Fixing the compiler requires adding mapping support for the roles
>>> similar to what Karl did for booleans in r2308.
>>>
>>> Hopefully though Chris can work around it in the policy in the interim.
>>>
>> Patch below should fix both user and role mapping issues.
> 
> Why is it that we don't need a usermap too?
> 

Updated patch includes usermap and mapping in constraint_node_clone, completely untested.


diff -pru -x.svn trunk.old/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.c
--- trunk.old/checkpolicy/policy_define.c	2008-05-14 06:03:32.588668393 -0400
+++ trunk/checkpolicy/policy_define.c	2008-05-16 14:24:32.648766237 -0400
@@ -2006,7 +2006,7 @@ int define_role_trans(void)
 	}
 
 	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
-	if (role_set_expand(&roles, &e_roles, policydbp))
+	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
 		goto bad;
 
 	if (type_set_expand(&types, &e_types, policydbp, 1))
diff -pru -x.svn trunk.old/libsepol/include/sepol/policydb/expand.h trunk/libsepol/include/sepol/policydb/expand.h
--- trunk.old/libsepol/include/sepol/policydb/expand.h	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/include/sepol/policydb/expand.h	2008-05-16 14:24:32.648766237 -0400
@@ -59,7 +59,7 @@ extern int expand_convert_type_set(polic
 				   unsigned char alwaysexpand);
 extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
 			   unsigned char alwaysexpand);
-extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
+extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap);
 extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
                                      policydb_t *p, sepol_handle_t *h);
 extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
diff -pru -x.svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
--- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/expand.c	2008-05-16 14:32:34.156029665 -0400
@@ -41,6 +41,8 @@ typedef struct expand_state {
 	int verbose;
 	uint32_t *typemap;
 	uint32_t *boolmap;
+	uint32_t *rolemap;
+	uint32_t *usermap;
 	policydb_t *base;
 	policydb_t *out;
 	sepol_handle_t *handle;
@@ -52,6 +54,23 @@ static void expand_state_init(expand_sta
 	memset(state, 0, sizeof(expand_state_t));
 }
 
+static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
+{
+	unsigned int i;
+	ebitmap_node_t *tnode;
+	ebitmap_init(dst);
+
+	ebitmap_for_each_bit(src, tnode, i) {
+		if (!ebitmap_node_get_bit(tnode, i))
+			continue;
+		if (!map[i])
+			continue;
+		if (ebitmap_set_bit(dst, map[i] - 1, 1))
+			return -1;
+	}
+	return 0;
+}
+
 static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			      void *data)
 {
@@ -150,7 +169,7 @@ static int attr_convert_callback(hashtab
 		ERR(state->handle, "attribute %s vanished!", id);
 		return -1;
 	}
-	if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
+	if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
 		ERR(state->handle, "out of memory");
 		return -1;
 	}
@@ -297,6 +316,14 @@ static int constraint_node_clone(constra
 								    names, 1)) {
 						goto out_of_mem;
 					}
+				} else if (new_expr->attr & CEXPR_ROLE) {
+					if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
+						goto out_of_mem;
+					}
+				} else if (new_expr->attr & CEXPR_USER) {
+					if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
+						goto out_of_mem;
+					}
 				} else {
 					/* Other kinds of sets do not. */
 					if (ebitmap_cpy(&new_expr->names,
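Review bot: map_ebitmap() skips any name whose map entry is 0, so a constraint that mentions a role or user that was not copied into out silently loses that name and the constraint's meaning changes (a `u1 == { a b }` test with b dropped becomes a stricter `u1 == { a }`) with no diagnostic. At minimum emit a warning through state->handle when a bit is dropped from a CEXPR_ROLE or CEXPR_USER set, or reject the constraint outright.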
@@ -552,8 +579,9 @@ static int role_copy_callback(hashtab_ke
 			return -1;
 		}
 
-		new_role->s.value = role->s.value;
 		state->out->p_roles.nprim++;
+		new_role->s.value = state->out->p_roles.nprim;
+		state->rolemap[role->s.value - 1] = new_role->s.value;
 		ret = hashtab_insert(state->out->p_roles.table,
 				     (hashtab_key_t) new_id,
 				     (hashtab_datum_t) new_role);
@@ -692,8 +720,9 @@ static int user_copy_callback(hashtab_ke
 		}
 		memset(new_user, 0, sizeof(user_datum_t));
 
-		new_user->s.value = user->s.value;
 		state->out->p_users.nprim++;
+		new_user->s.value = state->out->p_users.nprim;
+		state->usermap[user->s.value - 1] = new_user->s.value;
 
 		new_id = strdup(id);
 		if (!new_id) {
@@ -756,7 +785,7 @@ static int user_copy_callback(hashtab_ke
 	ebitmap_init(&tmp_union);
 
 	/* get global roles for this user */
-	if (role_set_expand(&user->roles, &tmp_union, state->base)) {
+	if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) {
 		ERR(state->handle, "Out of memory!");
 		ebitmap_destroy(&tmp_union);
 		return -1;
@@ -938,14 +967,16 @@ static int copy_role_allows(expand_state
 		ebitmap_init(&roles);
 		ebitmap_init(&new_roles);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
-		if (role_set_expand(&cur->new_roles, &new_roles, state->out)) {
+
+		if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
+
 		ebitmap_for_each_bit(&roles, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
@@ -1005,7 +1036,7 @@ static int copy_role_trans(expand_state_
 		ebitmap_init(&roles);
 		ebitmap_init(&types);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
@@ -1842,23 +1873,6 @@ static int type_attr_remove(hashtab_key_
 	return 0;
 }
 
-int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap)
-{
-	unsigned int i;
-	ebitmap_node_t *tnode;
-	ebitmap_init(dst);
-
-	ebitmap_for_each_bit(src, tnode, i) {
-		if (!ebitmap_node_get_bit(tnode, i))
-			continue;
-		if (!typemap[i])
-			continue;
-		if (ebitmap_set_bit(dst, typemap[i] - 1, 1))
-			return -1;
-	}
-	return 0;
-}
-
 /* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy.
  * this should not be called until after all the blocks have been processed and the attributes in target policy
  * are complete. */
@@ -1870,10 +1884,10 @@ int expand_convert_type_set(policydb_t *
 
 	type_set_init(&tmpset);
 
-	if (convert_type_ebitmap(&set->types, &tmpset.types, typemap))
+	if (map_ebitmap(&set->types, &tmpset.types, typemap))
 		return -1;
 
-	if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap))
+	if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
 		return -1;
 
 	tmpset.flags = set->flags;
@@ -1915,12 +1929,14 @@ int expand_rule(sepol_handle_t * handle,
 	return retval;
 }
 
-int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p)
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap)
 {
 	unsigned int i;
 	ebitmap_node_t *rnode;
+	ebitmap_t mapped_roles;
 
 	ebitmap_init(r);
+	ebitmap_init(&mapped_roles);
 
 	if (x->flags & ROLE_STAR) {
 		for (i = 0; i < p->p_roles.nprim++; i++)
@@ -1929,13 +1945,23 @@ int role_set_expand(role_set_t * x, ebit
 		return 0;
 	}
 
-	ebitmap_for_each_bit(&x->roles, rnode, i) {
+	if (rolemap) {
+		if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
+			return -1;
+	} else {
+		if (ebitmap_cpy(&mapped_roles, &x->roles))
+			return -1;
+	}
+
+	ebitmap_for_each_bit(&mapped_roles, rnode, i) {
 		if (ebitmap_node_get_bit(rnode, i)) {
 			if (ebitmap_set_bit(r, i, 1))
 				return -1;
 		}
 	}
 
+	ebitmap_destroy(&mapped_roles);
+
 	/* if role is to be complimented, invert the entire bitmap here */
 	if (x->flags & ROLE_COMP) {
 		for (i = 0; i < ebitmap_length(r); i++) {
@@ -2309,6 +2335,18 @@ int expand_module(sepol_handle_t * handl
 		goto cleanup;
 	}
 
+	state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
+	if (!state.rolemap) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
+	state.usermap = (uint32_t *)calloc(state.base->p_users.nprim, sizeof(uint32_t));
+	if (!state.usermap) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	/* order is important - types must be first */
 
 	/* copy types */
@@ -2464,6 +2502,8 @@ int expand_module(sepol_handle_t * handl
       cleanup:
 	free(state.typemap);
 	free(state.boolmap);
+	free(state.rolemap);
+	free(state.usermap);
 	return retval;
 }
 
diff -pru -x.svn trunk.old/libsepol/src/policydb.c trunk/libsepol/src/policydb.c
--- trunk.old/libsepol/src/policydb.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/policydb.c	2008-05-16 14:24:33.148773780 -0400
@@ -559,7 +559,7 @@ int policydb_user_cache(hashtab_key_t ke
 	p = (policydb_t *) arg;
 
 	ebitmap_destroy(&user->cache);
-	if (role_set_expand(&user->roles, &user->cache, p)) {
+	if (role_set_expand(&user->roles, &user->cache, p, NULL)) {
 		return -1;
 	}
 
diff -pru -x.svn trunk.old/libsepol/src/users.c trunk/libsepol/src/users.c
--- trunk.old/libsepol/src/users.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/users.c	2008-05-16 14:24:33.148773780 -0400
@@ -260,7 +260,7 @@ int sepol_user_modify(sepol_handle_t * h
 
 		/* Expand roles */
 		if (role_set_expand
-		    (&usrdatum->roles, &usrdatum->cache, policydb)) {
+		    (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) {
 			ERR(handle, "unable to expand role set");
 			goto err;
 		}



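The remapping these patches add, shown as a stand-alone added example that is not libsepol code and not part of any message in the thread: a constructed five-role symbol table with two roles not enabled (the hole Stephen describes), copied into a dense output table the way role_copy_callback() does with p_roles.nprim++, and a role-set bitmap translated through the resulting map the way map_ebitmap() does. The role names, the 64-bit bitmap standing in for ebitmap_t, and the helper functions are all assumptions made for this example. It shows why an unmapped bitmap ends up naming a value beyond the output table (the invalid-context failure Martin and Stephen hit), and that a role dropped from out disappears from the mapped set without any error.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64

/* Constructed stand-in for one policydb symbol (a role_datum_t): values are
 * 1-based like s.value; 'enabled' models what is_id_enabled() reports. */
typedef struct {
    const char *name;
    uint32_t value;
    int enabled;
} sym_t;

typedef struct {
    sym_t syms[MAX_SYMS];
    uint32_t nprim;          /* number of primary symbols, as in p_roles.nprim */
} symtab_t;

/* Constructed base table: five roles, two of them not enabled in this build,
 * leaving holes at values 3 and 4. */
static void make_base(symtab_t *base)
{
    static const sym_t roles[] = {
        { "object_r",   1, 1 },
        { "system_r",   2, 1 },
        { "auditadm_r", 3, 0 },   /* hole */
        { "secadm_r",   4, 0 },   /* hole */
        { "staff_r",    5, 1 },
    };
    memset(base, 0, sizeof(*base));
    memcpy(base->syms, roles, sizeof(roles));
    base->nprim = 5;
}

/* Copy enabled symbols into 'out' with dense values, as the patch does with
 * state->out->p_roles.nprim++, recording old->new in 'map' (0 = dropped). */
uint32_t copy_symbols(const symtab_t *base, symtab_t *out, uint32_t *map)
{
    memset(out, 0, sizeof(*out));
    memset(map, 0, base->nprim * sizeof(uint32_t));
    for (uint32_t i = 0; i < base->nprim; i++) {
        const sym_t *s = &base->syms[i];
        if (!s->enabled)
            continue;
        out->nprim++;
        out->syms[out->nprim - 1] = (sym_t){ s->name, out->nprim, 1 };
        map[s->value - 1] = out->nprim;
    }
    return out->nprim;
}

/* Equivalent of map_ebitmap() on a 64-bit bitmap: bit (old-1) in src becomes
 * bit (map[old-1]-1) in dst; bits for dropped symbols vanish silently. */
uint64_t map_bitmap(uint64_t src, const uint32_t *map, uint32_t nsrc)
{
    uint64_t dst = 0;
    for (uint32_t i = 0; i < nsrc; i++) {
        if (!(src & (1ULL << i)) || !map[i])
            continue;
        dst |= 1ULL << (map[i] - 1);
    }
    return dst;
}

/* 1 if every set bit names a value that exists in 'tab'. Indexing
 * role_val_to_struct with a value outside this range is what the
 * "invalid security context" failure in the thread amounts to. */
int bitmap_valid(uint64_t bits, const symtab_t *tab)
{
    for (uint32_t i = 0; i < 64; i++)
        if ((bits & (1ULL << i)) && i >= tab->nprim)
            return 0;
    return 1;
}

/* Remap a role-set bitmap written against base numbering into out numbering. */
uint64_t remap_rule(uint64_t rule)
{
    symtab_t base, out;
    uint32_t map[MAX_SYMS];
    make_base(&base);
    copy_symbols(&base, &out, map);
    return map_bitmap(rule, map, base.nprim);
}

/* Whether a bitmap (in whatever numbering it carries) is valid against out. */
int rule_valid_in_out(uint64_t rule)
{
    symtab_t base, out;
    uint32_t map[MAX_SYMS];
    make_base(&base);
    copy_symbols(&base, &out, map);
    return bitmap_valid(rule, &out);
}

int main(void)
{
    /* role set { system_r staff_r }: values 2 and 5, i.e. bits 1 and 4 */
    uint64_t rule = (1ULL << 1) | (1ULL << 4);
    printf("unmapped rule valid in out: %d\n", rule_valid_in_out(rule));          /* 0 */
    printf("mapped rule: 0x%llx\n", (unsigned long long)remap_rule(rule));        /* 0x6 */
    printf("mapped rule valid in out: %d\n", rule_valid_in_out(remap_rule(rule))); /* 1 */
    /* { secadm_r staff_r }: secadm_r was never copied, so only staff_r survives */
    printf("rule with dropped role: 0x%llx\n",
           (unsigned long long)remap_rule((1ULL << 3) | (1ULL << 4)));           /* 0x4 */
    return 0;
}
```

The unmapped set fails validation because bit 4 means value 5 and out only has three roles; after mapping, the same set is bits 1 and 2 (system_r and staff_r in out's numbering). The last call is the silent-drop behaviour that the constraint remapping inherits: nothing tells the caller that secadm_r fell out of the set.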
* Re: roles in base module
  2008-05-19 21:59       ` Joshua Brindle
@ 2008-05-20 17:55         ` Stephen Smalley
  2008-05-25  2:24           ` [PATCH Take 3] user and role remapping in expander (was Re: roles in base module) Joshua Brindle
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-05-20 17:55 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan


On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
> >>>> Should I be able to build trunk refpolicy with the user roles included in
> >>>> the base module?  I can build it with the roles as modules, but if I try
> >>>> building them into base I get
> >>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> >>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>> libsepol.expand_module: Error while indexing out symbols
> >>>> /usr/bin/checkmodule:  expand module failed
> >>>>
> >>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
> >>>> attached the modules.conf I am using, which seems to be the minimum number
> >>>> of things I need to build in to be able to build in roles.
> >>> Reproduced here as well, and naturally one should be able to build roles
> >>> into base.
> >>>
> >>> We've seen this error condition in the past - it indicates that there is
> >>> a hole in the symbol table, and requires mapping support in the expand
> >>> code for roles to correctly handle it.  So that represents a
> >>> bug/limitation of the current policy compiler.
> >>>
> >>> Walking through it I see that it is omitting the auditadm_r and secadm_r
> >>> roles during the expand, and this is leaving the holes in the symbol
> >>> table.
> >>>
> >>> Fixing the compiler requires adding mapping support for the roles
> >>> similar to what Karl did for booleans in r2308.
> >>>
> >>> Hopefully though Chris can work around it in the policy in the interim.
> >>>
> >> Patch below should fix both user and role mapping issues.
> > 
> > Why is it that we don't need a usermap too?
> > 
> 
> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.

Still fails in the same way as reported by Martin upon semodule -b of the base module.
libsepol.context_read_and_validate: invalid security context
libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
Error reading policy /etc/selinux/test/policy/policy.23: Success
libsemanage.semanage_install_active: setfiles returned error code 1.

Also fails upon just trying to semodule -B an existing valid policy
store using the patched libsepol.

-- 
Stephen Smalley
National Security Agency



* [PATCH Take 3] user and role remapping in expander (was Re: roles in base module)
  2008-05-20 17:55         ` Stephen Smalley
@ 2008-05-25  2:24           ` Joshua Brindle
  2008-05-27 16:53             ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2008-05-25  2:24 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan,
	setools

Stephen Smalley wrote:
> On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>>>>>> Should I be able to build trunk refpolicy with the user roles included in
>>>>>> the base module?  I can build it with the roles as modules, but if I try
>>>>>> building them into base I get
>>>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>>>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>>>> libsepol.expand_module: Error while indexing out symbols
>>>>>> /usr/bin/checkmodule:  expand module failed
>>>>>>
>>>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
>>>>>> attached the modules.conf I am using, which seems to be the minimum number
>>>>>> of things I need to build in to be able to build in roles.
>>>>> Reproduced here as well, and naturally one should be able to build roles
>>>>> into base.
>>>>>
>>>>> We've seen this error condition in the past - it indicates that there is
>>>>> a hole in the symbol table, and requires mapping support in the expand
>>>>> code for roles to correctly handle it.  So that represents a
>>>>> bug/limitation of the current policy compiler.
>>>>>
>>>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
>>>>> roles during the expand, and this is leaving the holes in the symbol
>>>>> table.
>>>>>
>>>>> Fixing the compiler requires adding mapping support for the roles
>>>>> similar to what Karl did for booleans in r2308.
>>>>>
>>>>> Hopefully though Chris can work around it in the policy in the interim.
>>>>>
>>>> Patch below should fix both user and role mapping issues.
>>> Why is it that we don't need a usermap too?
>>>
>> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.
> 
> Still fails in the same way as reported by Martin upon semodule -b of the base module.
> libsepol.context_read_and_validate: invalid security context
> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> Error reading policy /etc/selinux/test/policy/policy.23: Success
> libsemanage.semanage_install_active: setfiles returned error code 1.
> 
> Also fails upon just trying to semodule -B an existing valid policy
> store using the patched libsepol.
> 

Ok, the following patch should address everything; it was more intrusive than I originally thought.

role->dominates will be incorrect when roles are copied and mapped from base into out policy, this is fixed after they've all been copied. 

There is a tiny hack concerning object_r, at some point I'd like to address all the object_r hardcoding (both in the kernel and toolchain) but that is pretty low on the list.

expand_module_avrules(), which is used by external apps (e.g., setools), has changed, so those users will need to be fixed.

valgrind and sediff are clean

------

diff -pruN -x .svn trunk.old/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.c
--- trunk.old/checkpolicy/policy_define.c	2008-05-14 06:03:32.588668393 -0400
+++ trunk/checkpolicy/policy_define.c	2008-05-20 04:26:11.820507770 -0400
@@ -2006,7 +2006,7 @@ int define_role_trans(void)
 	}
 
 	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
-	if (role_set_expand(&roles, &e_roles, policydbp))
+	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
 		goto bad;
 
 	if (type_set_expand(&types, &e_types, policydbp, 1))
diff -pruN -x .svn trunk.old/libsepol/include/sepol/policydb/expand.h trunk/libsepol/include/sepol/policydb/expand.h
--- trunk.old/libsepol/include/sepol/policydb/expand.h	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/include/sepol/policydb/expand.h	2008-05-20 04:26:11.820507770 -0400
@@ -43,6 +43,7 @@
  */
 extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 				 policydb_t * out, uint32_t * typemap, uint32_t * boolmap,
+				 uint32_t * rolemap, uint32_t * usermap,
 				 int verbose, int expand_neverallow);
 /*
  * Expand all parts of a module. Neverallow rules are not expanded (only
@@ -59,7 +60,7 @@ extern int expand_convert_type_set(polic
 				   unsigned char alwaysexpand);
 extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
 			   unsigned char alwaysexpand);
-extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
+extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap);
 extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
                                      policydb_t *p, sepol_handle_t *h);
 extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
--- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/expand.c	2008-05-20 04:37:12.830478955 -0400
@@ -41,6 +41,8 @@ typedef struct expand_state {
 	int verbose;
 	uint32_t *typemap;
 	uint32_t *boolmap;
+	uint32_t *rolemap;
+	uint32_t *usermap;
 	policydb_t *base;
 	policydb_t *out;
 	sepol_handle_t *handle;
@@ -52,6 +54,23 @@ static void expand_state_init(expand_sta
 	memset(state, 0, sizeof(expand_state_t));
 }
 
+static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
+{
+	unsigned int i;
+	ebitmap_node_t *tnode;
+	ebitmap_init(dst);
+
+	ebitmap_for_each_bit(src, tnode, i) {
+		if (!ebitmap_node_get_bit(tnode, i))
+			continue;
+		if (!map[i])
+			continue;
+		if (ebitmap_set_bit(dst, map[i] - 1, 1))
+			return -1;
+	}
+	return 0;
+}
+
 static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			      void *data)
 {
@@ -150,7 +169,7 @@ static int attr_convert_callback(hashtab
 		ERR(state->handle, "attribute %s vanished!", id);
 		return -1;
 	}
-	if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
+	if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
 		ERR(state->handle, "out of memory");
 		return -1;
 	}
@@ -297,6 +316,14 @@ static int constraint_node_clone(constra
 								    names, 1)) {
 						goto out_of_mem;
 					}
+				} else if (new_expr->attr & CEXPR_ROLE) {
+					if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
+						goto out_of_mem;
+					}
+				} else if (new_expr->attr & CEXPR_USER) {
+					if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
+						goto out_of_mem;
+					}
 				} else {
 					/* Other kinds of sets do not. */
 					if (ebitmap_cpy(&new_expr->names,
@@ -511,6 +538,28 @@ static int alias_copy_callback(hashtab_k
 	return 0;
 }
 
+static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
+{
+	ebitmap_t mapped_roles;
+	role_datum_t *role = (role_datum_t *) datum;
+	expand_state_t *state = (expand_state_t *) data;
+
+	if (!(&role->dominates.node)) 
+		return 0;
+
+	if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
+		return -1;
+
+	ebitmap_destroy(&role->dominates);	
+	
+	if (ebitmap_cpy(&role->dominates, &mapped_roles))
+		return -1;
+
+	ebitmap_destroy(&mapped_roles);
+
+	return 0;
+}
+
 static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			      void *data)
 {
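Review bot: `if (!(&role->dominates.node))` tests the address of a struct member, which is never NULL, so the early `return 0` is dead code; either drop the check or use `!ebitmap_length(&role->dominates)` for an empty bitmap, as already raised in the thread. Also mapped_roles leaks on both error paths: map_ebitmap can leave it partly populated before returning -1, and the `ebitmap_cpy` failure returns before the `ebitmap_destroy(&mapped_roles)`; add a destroy before each `return -1`.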
@@ -525,8 +574,11 @@ static int role_copy_callback(hashtab_ke
 	role = (role_datum_t *) datum;
 	state = (expand_state_t *) data;
 
-	if (strcmp(id, OBJECT_R) == 0)
+	if (strcmp(id, OBJECT_R) == 0) {
+		/* object_r is always value 1 */
+		state->rolemap[role->s.value - 1] = 1;
 		return 0;
+	}
 
 	if (!is_id_enabled(id, state->base, SYM_ROLES)) {
 		/* identifier's scope is not enabled */
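Review bot: `state->rolemap[role->s.value - 1] = 1;` hardcodes the assumption that object_r has value 1 in the output policy; the comment states it but nothing verifies it, and the cover note already calls this a hack. Looking the OBJECT_R datum up in state->out->p_roles.table and using its value, or at minimum asserting `role->s.value == 1`, would make the assumption fail loudly if object_r is ever renumbered.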
@@ -552,8 +604,9 @@ static int role_copy_callback(hashtab_ke
 			return -1;
 		}
 
-		new_role->s.value = role->s.value;
 		state->out->p_roles.nprim++;
+		new_role->s.value = state->out->p_roles.nprim;
+		state->rolemap[role->s.value - 1] = new_role->s.value;
 		ret = hashtab_insert(state->out->p_roles.table,
 				     (hashtab_key_t) new_id,
 				     (hashtab_datum_t) new_role);
@@ -570,6 +623,10 @@ static int role_copy_callback(hashtab_ke
 		ebitmap_init(&new_role->dominates);
 	}
 
+
+	/* The dominates bitmap is going to be wrong for the moment, 
+ 	 * we'll come back later and remap them, after we are sure all 
+ 	 * the roles have been added */
 	if (ebitmap_union(&new_role->dominates, &role->dominates)) {
 		ERR(state->handle, "Out of memory!");
 		return -1;
@@ -692,8 +749,9 @@ static int user_copy_callback(hashtab_ke
 		}
 		memset(new_user, 0, sizeof(user_datum_t));
 
-		new_user->s.value = user->s.value;
 		state->out->p_users.nprim++;
+		new_user->s.value = state->out->p_users.nprim;
+		state->usermap[user->s.value - 1] = new_user->s.value;
 
 		new_id = strdup(id);
 		if (!new_id) {
@@ -756,7 +814,7 @@ static int user_copy_callback(hashtab_ke
 	ebitmap_init(&tmp_union);
 
 	/* get global roles for this user */
-	if (role_set_expand(&user->roles, &tmp_union, state->base)) {
+	if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) {
 		ERR(state->handle, "Out of memory!");
 		ebitmap_destroy(&tmp_union);
 		return -1;
@@ -938,14 +996,16 @@ static int copy_role_allows(expand_state
 		ebitmap_init(&roles);
 		ebitmap_init(&new_roles);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
-		if (role_set_expand(&cur->new_roles, &new_roles, state->out)) {
+
+		if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
+
 		ebitmap_for_each_bit(&roles, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
@@ -1005,7 +1065,7 @@ static int copy_role_trans(expand_state_
 		ebitmap_init(&roles);
 		ebitmap_init(&types);
 
-		if (role_set_expand(&cur->roles, &roles, state->out)) {
+		if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
@@ -1058,7 +1118,7 @@ static int copy_role_trans(expand_state_
 				memset(n, 0, sizeof(role_trans_t));
 				n->role = i + 1;
 				n->type = j + 1;
-				n->new_role = cur->new_role;
+				n->new_role = state->rolemap[cur->new_role - 1];
 				if (l) {
 					l->next = n;
 				} else {
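Review bot: `n->new_role = state->rolemap[cur->new_role - 1];` is used unchecked; if the target role of the role_transition is not enabled its rolemap entry is 0 (that is what map_ebitmap treats as "unmapped"), so the copied rule would carry role value 0. Check for 0 here and either skip the rule or report an error, matching the behaviour for a disabled role in the source set.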
@@ -1658,8 +1718,8 @@ static int cond_node_copy(expand_state_t
 static int context_copy(context_struct_t * dst, context_struct_t * src,
 			expand_state_t * state)
 {
-	dst->user = src->user;
-	dst->role = src->role;
+	dst->user = state->usermap[src->user - 1];
+	dst->role = state->rolemap[src->role - 1];
 	dst->type = state->typemap[src->type - 1];
 	return mls_context_cpy(dst, src);
 }
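Review bot: context_copy now indexes usermap and rolemap unchecked; a 0 entry yields a context with user or role 0, which is exactly the "invalid security context" failure reported earlier in the thread for the previous revision. The typemap line has the same property, but an explicit check with an ERR() naming the missing user or role would turn a confusing failure at policy load time into a clear one at expand time.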
@@ -1842,23 +1902,6 @@ static int type_attr_remove(hashtab_key_
 	return 0;
 }
 
-int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap)
-{
-	unsigned int i;
-	ebitmap_node_t *tnode;
-	ebitmap_init(dst);
-
-	ebitmap_for_each_bit(src, tnode, i) {
-		if (!ebitmap_node_get_bit(tnode, i))
-			continue;
-		if (!typemap[i])
-			continue;
-		if (ebitmap_set_bit(dst, typemap[i] - 1, 1))
-			return -1;
-	}
-	return 0;
-}
-
 /* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy.
  * this should not be called until after all the blocks have been processed and the attributes in target policy
  * are complete. */
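Review bot: convert_type_ebitmap was a non-static function, so removing it in favour of the static map_ebitmap drops a symbol from the library; check whether it is declared in a header or used by external consumers (the cover note already flags setools for the expand_module_avrules change) and remove the declaration along with the definition.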
@@ -1870,10 +1913,10 @@ int expand_convert_type_set(policydb_t *
 
 	type_set_init(&tmpset);
 
-	if (convert_type_ebitmap(&set->types, &tmpset.types, typemap))
+	if (map_ebitmap(&set->types, &tmpset.types, typemap))
 		return -1;
 
-	if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap))
+	if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
 		return -1;
 
 	tmpset.flags = set->flags;
@@ -1915,12 +1958,14 @@ int expand_rule(sepol_handle_t * handle,
 	return retval;
 }
 
-int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p)
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap)
 {
 	unsigned int i;
 	ebitmap_node_t *rnode;
+	ebitmap_t mapped_roles;
 
 	ebitmap_init(r);
+	ebitmap_init(&mapped_roles);
 
 	if (x->flags & ROLE_STAR) {
 		for (i = 0; i < p->p_roles.nprim++; i++)
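Review bot: the ROLE_STAR branch returns before rolemap is consulted and sets bits 0..p->p_roles.nprim-1 in p's numbering; when the caller passes state->base together with rolemap (user_copy_callback does) the result is base-numbered while the non-star path below produces out-numbered bits. Either map the star case too or document that callers passing a rolemap must pass the output policydb. Separately, the visible context line `for (i = 0; i < p->p_roles.nprim++; i++)` post-increments nprim in the loop condition, modifying the policy's role count on every iteration; not introduced by this patch, but worth fixing while touching the function.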
@@ -1929,13 +1974,23 @@ int role_set_expand(role_set_t * x, ebit
 		return 0;
 	}
 
-	ebitmap_for_each_bit(&x->roles, rnode, i) {
+	if (rolemap) {
+		if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
+			return -1;
+	} else {
+		if (ebitmap_cpy(&mapped_roles, &x->roles))
+			return -1;
+	}
+
+	ebitmap_for_each_bit(&mapped_roles, rnode, i) {
 		if (ebitmap_node_get_bit(rnode, i)) {
 			if (ebitmap_set_bit(r, i, 1))
 				return -1;
 		}
 	}
 
+	ebitmap_destroy(&mapped_roles);
+
 	/* if role is to be complimented, invert the entire bitmap here */
 	if (x->flags & ROLE_COMP) {
 		for (i = 0; i < ebitmap_length(r); i++) {
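Review bot: mapped_roles is not destroyed on the two new `return -1` paths nor on the existing one inside the loop, so an error leaks it; add `ebitmap_destroy(&mapped_roles)` before each. The `rolemap == NULL` case also copies twice (ebitmap_cpy into mapped_roles, then bit by bit into r); copying straight into r in that branch, or mapping straight into r in the other, would remove the temporary altogether.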
@@ -2239,7 +2294,8 @@ static int copy_and_expand_avrule_block(
  */
 int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 			  policydb_t * out, uint32_t * typemap,
-			  uint32_t * boolmap, int verbose,
+			  uint32_t * boolmap, uint32_t * rolemap,
+			  uint32_t * usermap, int verbose,
 			  int expand_neverallow)
 {
 	expand_state_t state;
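Review bot: this changes the public prototype of expand_module_avrules, so the header declaration and any documentation need the two new parameters, and external callers (setools, per the cover note) will fail to compile until updated. Since context_copy dereferences state->rolemap and state->usermap unconditionally, a caller passing NULL will crash rather than get identity mapping; either handle NULL as role_set_expand does or state in the header that both maps are required.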
@@ -2250,6 +2306,8 @@ int expand_module_avrules(sepol_handle_t
 	state.out = out;
 	state.typemap = typemap;
 	state.boolmap = boolmap;
+	state.rolemap = rolemap;
+	state.usermap = usermap;
 	state.handle = handle;
 	state.verbose = verbose;
 	state.expand_neverallow = expand_neverallow;
@@ -2309,6 +2367,18 @@ int expand_module(sepol_handle_t * handl
 		goto cleanup;
 	}
 
+	state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
+	if (!state.rolemap) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
+	state.usermap = (uint32_t *)calloc(state.base->p_users.nprim, sizeof(uint32_t));
+	if (!state.usermap) {
+		ERR(handle, "Out of memory!");
+		goto cleanup;
+	}
+
 	/* order is important - types must be first */
 
 	/* copy types */
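Review bot: `calloc(state.base->p_roles.nprim, ...)` with nprim == 0 may legitimately return NULL on some C libraries, which the code would report as "Out of memory!"; guard the zero case (or allocate at least one element) so a base policy with no users or roles does not fail spuriously. The `(uint32_t *)` casts on calloc are unnecessary in C.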
@@ -2405,6 +2475,11 @@ int expand_module(sepol_handle_t * handl
 
 	}
 
+	/* remap role dominates bitmaps */
+	 if (hashtab_map(state.out->p_roles.table, role_remap_dominates, &state)) {
+		goto cleanup;
+	}
+
 	if (copy_and_expand_avrule_block(&state) < 0) {
 		ERR(handle, "Error during expand");
 		goto cleanup;
@@ -2464,6 +2539,8 @@ int expand_module(sepol_handle_t * handl
       cleanup:
 	free(state.typemap);
 	free(state.boolmap);
+	free(state.rolemap);
+	free(state.usermap);
 	return retval;
 }
 
diff -pruN -x .svn trunk.old/libsepol/src/policydb.c trunk/libsepol/src/policydb.c
--- trunk.old/libsepol/src/policydb.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/policydb.c	2008-05-20 04:26:11.820507770 -0400
@@ -559,7 +559,7 @@ int policydb_user_cache(hashtab_key_t ke
 	p = (policydb_t *) arg;
 
 	ebitmap_destroy(&user->cache);
-	if (role_set_expand(&user->roles, &user->cache, p)) {
+	if (role_set_expand(&user->roles, &user->cache, p, NULL)) {
 		return -1;
 	}
 
diff -pruN -x .svn trunk.old/libsepol/src/users.c trunk/libsepol/src/users.c
--- trunk.old/libsepol/src/users.c	2008-05-14 06:03:34.088691020 -0400
+++ trunk/libsepol/src/users.c	2008-05-20 04:26:11.820507770 -0400
@@ -260,7 +260,7 @@ int sepol_user_modify(sepol_handle_t * h
 
 		/* Expand roles */
 		if (role_set_expand
-		    (&usrdatum->roles, &usrdatum->cache, policydb)) {
+		    (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) {
 			ERR(handle, "unable to expand role set");
 			goto err;
 		}




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH Take 3] user and role remapping in expander (was Re: roles in base module)
  2008-05-25  2:24           ` [PATCH Take 3] user and role remapping in expander (was Re: roles in base module) Joshua Brindle
@ 2008-05-27 16:53             ` Stephen Smalley
  2008-05-27 17:50               ` Joshua Brindle
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-05-27 16:53 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan,
	setools


On Sat, 2008-05-24 at 22:24 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
> >>>>>> Should I be able to build trunk refpolicy with the user roles included in
> >>>>>> the base module?  I can build it with the roles as modules, but if I try
> >>>>>> building them into base I get
> >>>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> >>>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>>>> libsepol.expand_module: Error while indexing out symbols
> >>>>>> /usr/bin/checkmodule:  expand module failed
> >>>>>>
> >>>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
> >>>>>> attached the modules.conf I am using, which seems to be the minimum number
> >>>>>> of things I need to build in to be able to build in roles.
> >>>>> Reproduced here as well, and naturally one should be able to build roles
> >>>>> into base.
> >>>>>
> >>>>> We've seen this error condition in the past - it indicates that there is
> >>>>> a hole in the symbol table, and requires mapping support in the expand
> >>>>> code for roles to correctly handle it.  So that represents a
> >>>>> bug/limitation of the current policy compiler.
> >>>>>
> >>>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
> >>>>> roles during the expand, and this is leaving the holes in the symbol
> >>>>> table.
> >>>>>
> >>>>> Fixing the compiler requires adding mapping support for the roles
> >>>>> similar to what Karl did for booleans in r2308.
> >>>>>
> >>>>> Hopefully though Chris can work around it in the policy in the interim.
> >>>>>
> >>>> Patch below should fix both user and role mapping issues.
> >>> Why is it that we don't need a usermap too?
> >>>
> >> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.
> > 
> > Still fails in the same way as reported by Martin upon semodule -b of the base module.
> > libsepol.context_read_and_validate: invalid security context
> > libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> > Error reading policy /etc/selinux/test/policy/policy.23: Success
> > libsemanage.semanage_install_active: setfiles returned error code 1.
> > 
> > Also fails upon just trying to semodule -B an existing valid policy
> > store using the patched libsepol.
> > 
> 
> Ok, the following patch should address everything, it was more intrusive than I originally thought. 
> 
> role->dominates will be incorrect when roles are copied and mapped from base into out policy, this is fixed after they've all been copied. 
> 
> There is a tiny hack concerning object_r, at some point I'd like to address all the object_r hardcoding (both in the kernel and toolchain) but that is pretty low on the list.
> 
> expand_module_avrules() which is used by external apps (eg., setools) has changed so those users will need to be fixed.
> 
> valgrind and sediff are clean
> 
> ------
> 

> diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
> --- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
> +++ trunk/libsepol/src/expand.c	2008-05-20 04:37:12.830478955 -0400
> @@ -511,6 +538,28 @@ static int alias_copy_callback(hashtab_k
>  	return 0;
>  }
>  
> +static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
> +{
> +	ebitmap_t mapped_roles;
> +	role_datum_t *role = (role_datum_t *) datum;
> +	expand_state_t *state = (expand_state_t *) data;
> +
> +	if (!(&role->dominates.node)) 
> +		return 0;

That looks very odd.  What are you trying to test?
!ebitmap_length(&role->dominates) is a test for empty ebitmap if you
want that.

> +
> +	if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
> +		return -1;
> +
> +	ebitmap_destroy(&role->dominates);	
> +	
> +	if (ebitmap_cpy(&role->dominates, &mapped_roles))
> +		return -1;
> +
> +	ebitmap_destroy(&mapped_roles);
> +
> +	return 0;
> +}
> +
>  static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>  			      void *data)
>  {

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH Take 3] user and role remapping in expander (was Re: roles in base module)
  2008-05-27 16:53             ` Stephen Smalley
@ 2008-05-27 17:50               ` Joshua Brindle
  2008-05-27 20:10                 ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Joshua Brindle @ 2008-05-27 17:50 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan,
	setools

Stephen Smalley wrote:
> On Sat, 2008-05-24 at 22:24 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
>>>>>> Stephen Smalley wrote:
>>>>>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>>>>>>>> Should I be able to build trunk refpolicy with the user roles included in
>>>>>>>> the base module?  I can build it with the roles as modules, but if I try
>>>>>>>> building them into base I get
>>>>>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>>>>>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>>>>>> libsepol.expand_module: Error while indexing out symbols
>>>>>>>> /usr/bin/checkmodule:  expand module failed
>>>>>>>>
>>>>>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
>>>>>>>> attached the modules.conf I am using, which seems to be the minimum number
>>>>>>>> of things I need to build in to be able to build in roles.
>>>>>>> Reproduced here as well, and naturally one should be able to build roles
>>>>>>> into base.
>>>>>>>
>>>>>>> We've seen this error condition in the past - it indicates that there is
>>>>>>> a hole in the symbol table, and requires mapping support in the expand
>>>>>>> code for roles to correctly handle it.  So that represents a
>>>>>>> bug/limitation of the current policy compiler.
>>>>>>>
>>>>>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
>>>>>>> roles during the expand, and this is leaving the holes in the symbol
>>>>>>> table.
>>>>>>>
>>>>>>> Fixing the compiler requires adding mapping support for the roles
>>>>>>> similar to what Karl did for booleans in r2308.
>>>>>>>
>>>>>>> Hopefully though Chris can work around it in the policy in the interim.
>>>>>>>
>>>>>> Patch below should fix both user and role mapping issues.
>>>>> Why is it that we don't need a usermap too?
>>>>>
>>>> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.
>>> Still fails in the same way as reported by Martin upon semodule -b of the base module.
>>> libsepol.context_read_and_validate: invalid security context
>>> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
>>> Error reading policy /etc/selinux/test/policy/policy.23: Success
>>> libsemanage.semanage_install_active: setfiles returned error code 1.
>>>
>>> Also fails upon just trying to semodule -B an existing valid policy
>>> store using the patched libsepol.
>>>
>> Ok, the following patch should address everything, it was more intrusive than I originally thought. 
>>
>> role->dominates will be incorrect when roles are copied and mapped from base into out policy, this is fixed after they've all been copied. 
>>
>> There is a tiny hack concerning object_r, at some point I'd like to address all the object_r hardcoding (both in the kernel and toolchain) but that is pretty low on the list.
>>
>> expand_module_avrules() which is used by external apps (eg., setools) has changed so those users will need to be fixed.
>>
>> valgrind and sediff are clean
>>
>> ------
>>
> 
>> diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
>> --- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
>> +++ trunk/libsepol/src/expand.c	2008-05-20 04:37:12.830478955 -0400
>> @@ -511,6 +538,28 @@ static int alias_copy_callback(hashtab_k
>>  	return 0;
>>  }
>>  
>> +static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
>> +{
>> +	ebitmap_t mapped_roles;
>> +	role_datum_t *role = (role_datum_t *) datum;
>> +	expand_state_t *state = (expand_state_t *) data;
>> +
>> +	if (!(&role->dominates.node)) 
>> +		return 0;
> 
> That looks very odd.  What are you trying to test?
> !ebitmap_length(&role->dominates) is a test for empty ebitmap if you
> want that.
> 

Right, that was copied from role_copy_callback. Looks like there are a few occurrences of this in expand.c; I'll make a patch on top of this to fix them all when I get a chance.

>> +
>> +	if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
>> +		return -1;
>> +
>> +	ebitmap_destroy(&role->dominates);	
>> +	
>> +	if (ebitmap_cpy(&role->dominates, &mapped_roles))
>> +		return -1;
>> +
>> +	ebitmap_destroy(&mapped_roles);
>> +
>> +	return 0;
>> +}
>> +
>>  static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>>  			      void *data)
>>  {
> 





* Re: [PATCH Take 3] user and role remapping in expander (was Re: roles in base module)
  2008-05-27 17:50               ` Joshua Brindle
@ 2008-05-27 20:10                 ` Stephen Smalley
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2008-05-27 20:10 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Martin Orr, SELinux List, Christopher J. PeBenito, Karl MacMillan,
	setools


On Tue, 2008-05-27 at 13:50 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Sat, 2008-05-24 at 22:24 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
> >>>>>> Stephen Smalley wrote:
> >>>>>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
> >>>>>>>> Should I be able to build trunk refpolicy with the user roles included in
> >>>>>>>> the base module?  I can build it with the roles as modules, but if I try
> >>>>>>>> building them into base I get
> >>>>>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> >>>>>>>> /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>>>>>> libsepol.expand_module: Error while indexing out symbols
> >>>>>>>> /usr/bin/checkmodule:  expand module failed
> >>>>>>>>
> >>>>>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12.  I have
> >>>>>>>> attached the modules.conf I am using, which seems to be the minimum number
> >>>>>>>> of things I need to build in to be able to build in roles.
> >>>>>>> Reproduced here as well, and naturally one should be able to build roles
> >>>>>>> into base.
> >>>>>>>
> >>>>>>> We've seen this error condition in the past - it indicates that there is
> >>>>>>> a hole in the symbol table, and requires mapping support in the expand
> >>>>>>> code for roles to correctly handle it.  So that represents a
> >>>>>>> bug/limitation of the current policy compiler.
> >>>>>>>
> >>>>>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
> >>>>>>> roles during the expand, and this is leaving the holes in the symbol
> >>>>>>> table.
> >>>>>>>
> >>>>>>> Fixing the compiler requires adding mapping support for the roles
> >>>>>>> similar to what Karl did for booleans in r2308.
> >>>>>>>
> >>>>>>> Hopefully though Chris can work around it in the policy in the interim.
> >>>>>>>
> >>>>>> Patch below should fix both user and role mapping issues.
> >>>>> Why is it that we don't need a usermap too?
> >>>>>
> >>>> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.
> >>> Still fails in the same way as reported by Martin upon semodule -b of the base module.
> >>> libsepol.context_read_and_validate: invalid security context
> >>> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> >>> Error reading policy /etc/selinux/test/policy/policy.23: Success
> >>> libsemanage.semanage_install_active: setfiles returned error code 1.
> >>>
> >>> Also fails upon just trying to semodule -B an existing valid policy
> >>> store using the patched libsepol.
> >>>
> >> Ok, the following patch should address everything, it was more intrusive than I originally thought. 
> >>
> >> role->dominates will be incorrect when roles are copied and mapped from base into out policy, this is fixed after they've all been copied. 
> >>
> >> There is a tiny hack concerning object_r, at some point I'd like to address all the object_r hardcoding (both in the kernel and toolchain) but that is pretty low on the list.
> >>
> >> expand_module_avrules() which is used by external apps (eg., setools) has changed so those users will need to be fixed.
> >>
> >> valgrind and sediff are clean
> >>
> >> ------
> >>
> > 
> >> diff -pruN -x .svn trunk.old/libsepol/src/expand.c trunk/libsepol/src/expand.c
> >> --- trunk.old/libsepol/src/expand.c	2008-05-14 06:03:34.088691020 -0400
> >> +++ trunk/libsepol/src/expand.c	2008-05-20 04:37:12.830478955 -0400
> >> @@ -511,6 +538,28 @@ static int alias_copy_callback(hashtab_k
> >>  	return 0;
> >>  }
> >>  
> >> +static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
> >> +{
> >> +	ebitmap_t mapped_roles;
> >> +	role_datum_t *role = (role_datum_t *) datum;
> >> +	expand_state_t *state = (expand_state_t *) data;
> >> +
> >> +	if (!(&role->dominates.node)) 
> >> +		return 0;
> > 
> > That looks very odd.  What are you trying to test?
> > !ebitmap_length(&role->dominates) is a test for empty ebitmap if you
> > want that.
> > 
> 
> Right, that was copied from role_copy_callback. looks like there are a few occurrences of this in expand.c, I'll make a patch on top of this to fix them all when I get a chance.

Merged with all instances of those always-false branches removed.
AFAICS, they were either entirely useless or premature optimization (and
never executed regardless).

-- 
Stephen Smalley
National Security Agency



