* Adding local nodecon's through semanage
@ 2008-07-03 13:47 Christian Kuester
2008-07-03 14:32 ` Paul Moore
2008-07-07 17:11 ` Stephen Smalley
0 siblings, 2 replies; 14+ messages in thread
From: Christian Kuester @ 2008-07-03 13:47 UTC (permalink / raw)
To: selinux
Hi List,
I had a small conversation with Stephen Smalley on the fedora-selinux-list
about an easy way to add (local) nodecons on a SELinux-enabled system. As
this is not implemented in semanage yet, he gave me the advice to revive a
discussion[1] on this list from 2006. It began because a patch against
semanage was posted which enabled nodecon support. It seems that the patch
never got committed because it didn't work as expected.
I am writing because I would like to know if there's any chance to get that
fully working. I played around with the patch and I could set labels on
nodes, and my SELinux seems to respect these settings.
f.i.
# semanage node -t blacknetwork_node_t -a -p 0 -M 255.255.255.255 192.168.100.54
$ ./socat -u TCP4-LISTEN:5555,bind=192.168.100.54,reuseaddr,fork -
...
type=AVC msg=audit(1215085777.002:689775728): avc: denied { node_bind
} for pid=26627 comm="socat" saddr=192.168.100.54 src=5555
scontext=user_u:user_r:exe_t:s0
tcontext=system_u:object_r:blacknetwork_node_t:s0 tclass=tcp_socket
So, this seems to work. But I run into problems when I told semanage about
the *actual* netmask of this node, which is 255.255.255.0. The tcontext
string switched from "blacknetwork_node_t" to the generic "node_t".
Kind regards,
Chris
[1] http://www.nsa.gov/selinux/list-archive/0609/16754.cfm
--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Heilsbachstr. 24, 53123 Bonn | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0 | fon: +49(30) / 27594853
fax: +49(228) / 52675-25 | fax: +49(30) / 78709617
Managing directors (Geschäftsführer)
Boris Esser, Elmar Geese
HRB AG Bonn 5168
VAT ID (Ust-ID): DE122264941
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Adding local nodecon's through semanage
2008-07-03 13:47 Adding local nodecon's through semanage Christian Kuester
@ 2008-07-03 14:32 ` Paul Moore
2008-07-03 16:16 ` Stephen Smalley
2008-07-07 17:11 ` Stephen Smalley
1 sibling, 1 reply; 14+ messages in thread
From: Paul Moore @ 2008-07-03 14:32 UTC (permalink / raw)
To: Christian Kuester; +Cc: selinux
On Thursday 03 July 2008 9:47:58 am Christian Kuester wrote:
> Hi List,
>
> I had a small conversation with Stephen Smalley on the
> fedora-selinux-list about an easy way to add
> (local) nodecon's on a SELinux enabled system. As this is not
> implemented in semanage yet
> he gave me the advice to revive a discussion[1] on this list from
> 2006. It began because a patch against
> semanage was posted which enabled nodecon support. It seems that the
> patch never got committed
> because it didn't work as expected.
Hello,
I think the idea of adding network node support to semanage is a good
one. Unfortunately I have no experience with python or semanage so I'm
probably not the best person to provide coding advice or help.
Who does look after semanage these days?
--
paul moore
linux @ hp
* Re: Adding local nodecon's through semanage
2008-07-03 14:32 ` Paul Moore
@ 2008-07-03 16:16 ` Stephen Smalley
2008-07-03 16:45 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-07-03 16:16 UTC (permalink / raw)
To: Paul Moore; +Cc: Christian Kuester, selinux, Joshua Brindle, Daniel J Walsh
On Thu, 2008-07-03 at 10:32 -0400, Paul Moore wrote:
> On Thursday 03 July 2008 9:47:58 am Christian Kuester wrote:
> > Hi List,
> >
> > I had a small conversation with Stephen Smalley on the
> > fedora-selinux-list about an easy way to add
> > (local) nodecon's on a SELinux enabled system. As this is not
> > implemented in semanage yet
> > he gave me the advice to revive a discussion[1] on this list from
> > 2006. It began because a patch against
> > semanage was posted which enabled nodecon support. It seems that the
> > patch never got committed
> > because it didn't work as expected.
>
> Hello,
>
> I think the idea of adding network node support to semanage is a good
> one. Unfortunately I have no experience with python or semanage so I'm
> probably not the best person to provide coding advice or help.
>
> Who does look after semanage these days?
Yes, I agree that we ought to support this functionality, especially as
libsemanage already provides the interfaces even if there are lingering
issues in the implementation.
Joshua can likely help with the libsemanage/libsepol side and Dan with
the semanage front end side.
Christian - do you have a re-based copy of the patch against the svn
trunk that you were testing with?
--
Stephen Smalley
National Security Agency
* Re: Adding local nodecon's through semanage
2008-07-03 16:16 ` Stephen Smalley
@ 2008-07-03 16:45 ` Paul Moore
2008-07-03 17:01 ` Stephen Smalley
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2008-07-03 16:45 UTC (permalink / raw)
To: Stephen Smalley, Christian Kuester
Cc: selinux, Joshua Brindle, Daniel J Walsh
On Thursday 03 July 2008 12:16:27 pm Stephen Smalley wrote:
> On Thu, 2008-07-03 at 10:32 -0400, Paul Moore wrote:
> > On Thursday 03 July 2008 9:47:58 am Christian Kuester wrote:
> > > Hi List,
> > >
> > > I had a small conversation with Stephen Smalley on the
> > > fedora-selinux-list about an easy way to add
> > > (local) nodecon's on a SELinux enabled system. As this is not
> > > implemented in semanage yet
> > > he gave me the advice to revive a discussion[1] on this list from
> > > 2006. It began because a patch against
> > > semanage was posted which enabled nodecon support. It seems that
> > > the patch never got committed
> > > because it didn't work as expected.
> >
> > Hello,
> >
> > I think the idea of adding network node support to semanage is a
> > good one. Unfortunately I have no experience with python or
> > semanage so I'm probably not the best person to provide coding
> > advice or help.
> >
> > Who does look after semanage these days?
>
> Yes, I agree that we ought to support this functionality, especially
> as libsemanage already provides the interfaces even if there are
> lingering issues in the implementation.
>
> Joshua can likely help with the libsemanage/libsepol side and Dan
> with the semanage front end side.
Great, I'll try to help out as much as I can - this could be motivation
to try and learn some python.
> Christian - do you have a re-based copy of the patch against the svn
> trunk that you were testing with?
Christian, if you do have an updated/re-based patch, would you mind
posting it?
--
paul moore
linux @ hp
* Re: Adding local nodecon's through semanage
2008-07-03 16:45 ` Paul Moore
@ 2008-07-03 17:01 ` Stephen Smalley
2008-07-04 8:10 ` Christian Kuester
0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-07-03 17:01 UTC (permalink / raw)
To: Paul Moore; +Cc: Christian Kuester, selinux, Joshua Brindle, Daniel J Walsh
On Thu, 2008-07-03 at 12:45 -0400, Paul Moore wrote:
> On Thursday 03 July 2008 12:16:27 pm Stephen Smalley wrote:
> > On Thu, 2008-07-03 at 10:32 -0400, Paul Moore wrote:
> > > On Thursday 03 July 2008 9:47:58 am Christian Kuester wrote:
> > > > Hi List,
> > > >
> > > > I had a small conversation with Stephen Smalley on the
> > > > fedora-selinux-list about an easy way to add
> > > > (local) nodecon's on a SELinux enabled system. As this is not
> > > > implemented in semanage yet
> > > > he gave me the advice to revive a discussion[1] on this list from
> > > > 2006. It began because a patch against
> > > > semanage was posted which enabled nodecon support. It seems that
> > > > the patch never got committed
> > > > because it didn't work as expected.
> > >
> > > Hello,
> > >
> > > I think the idea of adding network node support to semanage is a
> > > good one. Unfortunately I have no experience with python or
> > > semanage so I'm probably not the best person to provide coding
> > > advice or help.
> > >
> > > Who does look after semanage these days?
> >
> > Yes, I agree that we ought to support this functionality, especially
> > as libsemanage already provides the interfaces even if there are
> > lingering issues in the implementation.
> >
> > Joshua can likely help with the libsemanage/libsepol side and Dan
> > with the semanage front end side.
>
> Great, I'll try to help out as much as I can - this could be motivation
> to try and learn some python.
A few tips:
- checkpolicy presently orders node context entries from most specific
to least specific based on netmask, see define_ipv4_node_context and
define_ipv6_node_context in checkpolicy/policy_define.c.
- The kernel preserves the order provided in the policy and uses the
first match it encounters.
- libsemanage sorts the node contexts in the node dbase (MODE_SORT in
libsemanage/src/policy_components.c) using semanage_node_compare2_qsort
in libsemanage/src/node_record.c as the ordering function. In turn,
this calls sepol_node_compare2 in libsepol/src/node_record.c
- sepol_node_compare2 looks suspect to me - I'm not sure why he is
sorting on both mask and addr there.
- Any bugs are Ivan's fault ;)
> > Christian - do you have a re-based copy of the patch against the svn
> > trunk that you were testing with?
>
> Christian, if you do have an updated/re-based patch, would you mind
> posting it?
--
Stephen Smalley
National Security Agency
* Re: Adding local nodecon's through semanage
2008-07-03 17:01 ` Stephen Smalley
@ 2008-07-04 8:10 ` Christian Kuester
0 siblings, 0 replies; 14+ messages in thread
From: Christian Kuester @ 2008-07-04 8:10 UTC (permalink / raw)
To: selinux; +Cc: c.kuester, Daniel J Walsh
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
Stephen Smalley wrote:
Hi List,
> On Thu, 2008-07-03 at 12:45 -0400, Paul Moore wrote:
>>> Christian - do you have a re-based copy of the patch against the svn
>>> trunk that you were testing with?
>> Christian, if you do have an updated/re-based patch, would you mind
>> posting it?
I only tried the old patch against policycoreutils 1.32, but I put some
effort into making it apply against the SVN trunk. I did not have the
time to do the man page fix which was included in the original version
of the patch.
The re-based patch is attached.
Christian
[-- Attachment #2: semanage-svn.patch --]
[-- Type: text/x-diff, Size: 12961 bytes --]
diff -r -u semanage.orig/semanage semanage/semanage
--- semanage.orig/semanage 2008-07-04 08:34:12.000000000 +0200
+++ semanage/semanage 2008-07-04 08:36:58.000000000 +0200
@@ -49,6 +49,7 @@
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
+semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr\n\
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
semanage boolean -{d|m} boolean
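Review bot: the usage line says `-p protocol` without telling the user what values are accepted; the nodeRecords code further down treats an empty value as 0 and otherwise calls int() on it, so the only documented hint the user gets is the `proto` wording borrowed from the port line, which means something different there (tcp/udp). Either spell out the accepted values here or, as suggested in the thread, take ipv4/ipv6 as strings and document those.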
@@ -80,6 +81,7 @@
-p (named pipe)
-p, --proto Port protocol (tcp or udp)
+ -M, --mask Netmask\n\
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
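Review bot: the help text `-M, --mask Netmask` is exactly the reading that led the original report astray, since the value is not the host's interface netmask but the match mask the kernel applies to the address before comparing. Something like "Mask of the address bits to match (255.255.255.255 for a single host)" would prevent that. In the same block the existing `-p, --proto Port protocol (tcp or udp)` line is now also reached from `semanage node`, where -p selects the address family, so the description needs a second clause or a node-specific line.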
@@ -109,6 +111,8 @@
valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
valid_option["interface"] = []
valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["node"] = []
+ valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol' ]
valid_option["fcontext"] = []
valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
valid_option["translation"] = []
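Review bot: `valid_option["node"]` lists `--protocol`, but the long-option list passed to getopt further down only gains `mask=`, and the option loop tests for `--proto`; as posted, `semanage node --protocol ...` is rejected by getopt and `semanage node --proto ...` is rejected by the `if o not in option_dict[object]` check, leaving only `-p` usable. Use `--proto` here to match the port command, or register `protocol=` and handle it in the option loop.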
@@ -128,6 +132,7 @@
serange = ""
port = ""
proto = ""
+ maske = ""
selevel = ""
setype = ""
ftype = ""
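Review bot: the variable initialised here is `maske`, but every later use (`mask = a` in the option loop, `OBJECT.add(target, mask, ...)`, `OBJECT.modify(...)`, `OBJECT.delete(target, mask, proto)`) reads `mask`. With the typo, running `semanage node -a` without -M dies with a NameError instead of reaching the "Node Netmask is required" ValueError in nodeRecords; rename to `mask = ""`.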
@@ -155,7 +160,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+ '01adf:lhmnp:s:CDR:L:r:t:T:P:S:M:',
['add',
'delete',
'deleteall',
@@ -175,7 +180,8 @@
'roles=',
'type=',
'trans=',
- 'prefix='
+ 'prefix=',
+ 'mask='
])
for o, a in gopts:
if o not in option_dict[object]:
@@ -230,6 +236,9 @@
if o == "-p" or o == '--proto':
proto = a
+ if o == "-M" or o == '--mask':
+ mask = a
+
if o == "-P" or o == '--prefix':
prefix = a
@@ -261,6 +270,9 @@
if object == "interface":
OBJECT = seobject.interfaceRecords(store)
+
+ if object == "node":
+ OBJECT = seobject.nodeRecords(store)
if object == "fcontext":
OBJECT = seobject.fcontextRecords(store)
@@ -308,6 +320,9 @@
if object == "interface":
OBJECT.add(target, serange, setype)
+ if object == "node":
+ OBJECT.add(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
if object == "permissive":
@@ -335,6 +350,9 @@
if object == "interface":
OBJECT.modify(target, serange, setype)
+ if object == "node":
+ OBJECT.modify(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.modify(target, setype, ftype, serange, seuser)
@@ -347,6 +365,9 @@
elif object == "fcontext":
OBJECT.delete(target, ftype)
+ elif object == "node":
+ OBJECT.delete(target, mask, proto)
+
else:
OBJECT.delete(target)
diff -r -u semanage.orig/seobject.py semanage/seobject.py
--- semanage.orig/seobject.py 2008-07-04 08:34:12.000000000 +0200
+++ semanage/seobject.py 2008-07-04 08:36:58.000000000 +0200
@@ -339,8 +339,8 @@
rc = semanage_module_remove(self.sh, "permissive_%s" % n)
if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
+ rc = semanage_commit(self.sh)
+ if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
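Review bot: this hunk touches the permissive-domain delete path (`rc = semanage_commit(self.sh)` and its `if rc < 0`), which has nothing to do with node contexts; the text is identical on the - and + lines, so it is at most an indentation change. Please drop it from this patch, or send it separately with a note on what it fixes, so the nodecon change stays reviewable on its own.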
@@ -1202,7 +1202,216 @@
else:
for k in keys:
print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
-
+
+
+class nodeRecords(semanageRecords):
+ def __init__(self, store = ""):
+ semanageRecords.__init__(self,store)
+
+ def add(self, addr, mask, proto, serange, ctype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if ctype == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if exists:
+ raise ValueError(_("Addr %s already defined") % addr)
+
+ (rc,node) = semanage_node_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create addr for %s") % addr)
+
+ rc = semanage_node_set_addr(self.sh, node, proto, addr)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % addr)
+
+ rc = semanage_node_set_mask(self.sh, node, proto, mask)
+ if rc < 0:
+ raise ValueError(_("Could not set mask for %s") % addr)
+
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in addr context for %s") % addr)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in addr context for %s") % addr)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in addr context for %s") % addr)
+
+ if serange != "":
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
+
+ rc = semanage_node_set_con(self.sh, node, con)
+ if rc < 0:
+ raise ValueError(_("Could not set addr context for %s") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ semanage_context_free(con)
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def modify(self, addr, mask, proto, serange, setype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,node) = semanage_node_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query addr %s") % addr)
+
+ con = semanage_node_get_con(node)
+
+ if serange != "":
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def delete(self, addr, mask, proto):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "":
+ proto = 0
+ else:
+ proto = int(proto)
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,exists) = semanage_node_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ semanage_node_key_free(k)
+
+ def get_all(self):
+ ddict = {}
+ (rc, self.ilist) = semanage_node_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list addrs"))
+
+ for node in self.ilist:
+ con = semanage_node_get_con(node)
+ addr = semanage_node_get_addr(self.sh, node)
+ mask = semanage_node_get_mask(self.sh, node)
+ proto = semanage_node_get_proto(node)
+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def list(self, heading = 1):
+ if heading:
+ print "%-50s %s\n" % ("SELinux Addr", "Context")
+ ddict = self.get_all()
+ keys = ddict.keys()
+ keys.sort()
+ if is_mls_enabled:
+ for k in keys:
+ print "%-50s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
+ else:
+ for k in keys:
+ print "%-50s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+
+
class fcontextRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
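Review bot: in nodeRecords.add the second `if rc < 0` after semanage_node_key_create (the one raising "Could not check if addr %s is defined") is a copy-paste leftover: it re-tests the key_create result, and the return code of the following semanage_node_exists call is never checked, unlike in modify and delete; move that check below the exists call. The same method ignores the return value of semanage_node_set_addr (rc is overwritten by the semanage_context_create call on the next line), and modify ignores the return values of semanage_context_set_mls and semanage_context_set_type. Nothing masks the address before the key is built, so an entry like 192.168.100.54 with mask 255.255.255.0 is stored as typed and can never match in the kernel; applying the mask to addr here, or rejecting an address with bits outside its mask, would head off the confusion discussed in this thread. list() takes only `heading`, while the front end now passes the extra list/locallist argument the other record classes accept (the -l breakage mentioned in the thread), and its `print "%-50s ..." % (k, ...)` prints the raw (addr, mask, proto) tuple rather than a formatted address. Finally, proto is converted with int() in add, modify and delete; taking ipv4/ipv6 and mapping to the libsemanage constants would be consistent with how the rest of semanage names protocols.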
* Re: Adding local nodecon's through semanage
2008-07-03 13:47 Adding local nodecon's through semanage Christian Kuester
2008-07-03 14:32 ` Paul Moore
@ 2008-07-07 17:11 ` Stephen Smalley
2008-07-08 10:13 ` Christian Kuester
1 sibling, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-07-07 17:11 UTC (permalink / raw)
To: Christian Kuester; +Cc: selinux, Paul Moore, Joshua Brindle, Daniel J Walsh
On Thu, 2008-07-03 at 15:47 +0200, Christian Kuester wrote:
> Hi List,
>
> I had a small conversation with Stephen Smalley on the
> fedora-selinux-list about an easy way to add
> (local) nodecon's on a SELinux enabled system. As this is not
> implemented in semanage yet
> he gave me the advice to revive a discussion[1] on this list from 2006.
> It began because a patch against
> semanage was posted which enabled nodecon support. It seems that the
> patch never got committed
> because it didn't work as expected.
>
> I am writing because I would like to know if there's any chance to get that
> fully working. I played around
> with the patch and I could set labels to nodes and my SELinux seems to
> respect these settings.
> f.i
> # semanage node -t blacknetwork_node_t -a -p 0 -M 255.255.255.255
> 192.168.100.54
> $ ./socat -u TCP4-LISTEN:5555,bind=192.168.100.54,reuseaddr,fork -
> ...
> type=AVC msg=audit(1215085777.002:689775728): avc: denied { node_bind
> } for pid=26627 comm="socat" saddr=192.168.100.54 src=5555
> scontext=user_u:user_r:exe_t:s0
> tcontext=system_u:object_r:blacknetwork_node_t:s0 tclass=tcp_socket
>
> So, this seems to work. But I run into problems when I told semanage
> about the
> *actual* netmask of this node, which is 255.255.255.0. The tcontext
> string switched from
> "blacknetwork_node_t" to the generic "node_t".
Ok, this isn't actually a bug in the code at all.
The mask is not supposed to be the "netmask" of the host. It is merely
the portion of the address that you wish to match against. So you do
want it to be 255.255.255.255 if you want to match that exact address in
its entirety.
Specifying 255.255.255.0 means that you want to map the entire subnet to
that type. But then you should only specify the prefix for the address,
i.e. 192.168.100.0, because the matching code does this:
if (c->u.node.addr == (addr & c->u.node.mask))
break;
It presumes that the specified address only has bits set within the
specified mask already.
Arguably semanage and checkpolicy should apply the mask to the address
as a precaution against misconfiguration by the user. That's easy
enough to do.
Other tidbits on the semanage patch that I noticed:
- semanage node -l was broken, requires additional argument that has
been added to the list methods subsequently. Also would be nice to
support locallist/-C option.
- semanage node -p option should take a string rather than an integer
and map it to the proper symbolic constant for ipv4/ipv6.
The ordering issue is a red herring at least for this example as the
sort is only applied to the local entries, and then they are merged to
the front of the policy-provided definitions. Which may become an issue
down the road particularly if we move object contexts to modules.
--
Stephen Smalley
National Security Agency
* Re: Adding local nodecon's through semanage
2008-07-07 17:11 ` Stephen Smalley
@ 2008-07-08 10:13 ` Christian Kuester
2008-07-08 12:30 ` Stephen Smalley
2008-07-08 15:14 ` Adding local nodecon's through semanage Joshua Brindle
0 siblings, 2 replies; 14+ messages in thread
From: Christian Kuester @ 2008-07-08 10:13 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
>> [ netmask semantic in nodecon ]
> Ok, this isn't actually a bug in the code at all.
I see. Thanks for clearing that up for me!
> Arguably semanage and checkpolicy should apply the mask to the address
> as a precaution against misconfiguration by the user. That's easy
> enough to do.
>
> Other tidbits on the semanage patch that I noticed:
> - semanage node -l was broken, requires additional argument that has
> been added to the list methods subsequently. Also would be nice to
> support locallist/-C option.
> - semanage node -p option should take a string rather than an integer
> and map it to the proper symbolic constant for ipv4/ipv6.
> The ordering issue is a red herring at least for this example as the
> sort is only applied to the local entries, and then they are merged to
> the front of the policy-provided definitions. Which may become an issue
> down the road particularly if we move object contexts to modules.
I think I could do the changes to at least the semanage code, if there
is still interest in it.
But I must admit that my understanding of the "ordering issue" is quite
limited and my search of the list for an explanation was unsuccessful so far.
Is this a blocker for general semanage support of nodecons?
Christian
* Re: Adding local nodecon's through semanage
2008-07-08 10:13 ` Christian Kuester
@ 2008-07-08 12:30 ` Stephen Smalley
2008-07-29 12:13 ` Stephen Smalley
2008-07-08 15:14 ` Adding local nodecon's through semanage Joshua Brindle
1 sibling, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-07-08 12:30 UTC (permalink / raw)
To: Christian Kuester; +Cc: selinux, Joshua Brindle, Daniel J Walsh, Paul Moore
On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
> Stephen Smalley wrote:
> >> [ netmask semantic in nodecon ]
> > Ok, this isn't actually a bug in the code at all.
>
> I see. Thanks for clearing that up for me!
>
> > Arguably semanage and checkpolicy should apply the mask to the address
> > as a precaution against misconfiguration by the user. That's easy
> > enough to do.
> >
> > Other tidbits on the semanage patch that I noticed:
> > - semanage node -l was broken, requires additional argument that has
> > been added to the list methods subsequently. Also would be nice to
> > support locallist/-C option.
> > - semanage node -p option should take a string rather than an integer
> > and map it to the proper symbolic constant for ipv4/ipv6.
> > The ordering issue is a red herring at least for this example as the
> > sort is only applied to the local entries, and then they are merged to
> > the front of the policy-provided definitions. Which may become an issue
> > down the road particularly if we move object contexts to modules.
>
> I think I could do the changes to at least the semanage code, if there
> is still interest in it.
>
> But I must admit that my understanding of the "ordering issue" is quite
> limited and my search of the list for an explanation was unsuccessful so far.
> Is this a blocker for general semanage support of nodecons?
I think it is fine to proceed with merging the semanage support, and
then we can further investigate and seek to resolve the ordering issues.
Please be sure to test each of the nodeRecords methods.
Dan and/or Joshua - it would help if you could look it over as well.
--
Stephen Smalley
National Security Agency
* Re: Adding local nodecon's through semanage
2008-07-08 10:13 ` Christian Kuester
2008-07-08 12:30 ` Stephen Smalley
@ 2008-07-08 15:14 ` Joshua Brindle
1 sibling, 0 replies; 14+ messages in thread
From: Joshua Brindle @ 2008-07-08 15:14 UTC (permalink / raw)
To: Christian Kuester; +Cc: Stephen Smalley, selinux
Christian Kuester wrote:
> Stephen Smalley wrote:
>>> [ netmask semantic in nodecon ]
>> Ok, this isn't actually a bug in the code at all.
>
> I see. Thanks for clearing that up for me!
>
>> Arguably semanage and checkpolicy should apply the mask to the address
>> as a precaution against misconfiguration by the user. That's easy
>> enough to do.
>>
>> Other tidbits on the semanage patch that I noticed:
>> - semanage node -l was broken, requires additional argument that has
>> been added to the list methods subsequently. Also would be nice to
>> support locallist/-C option.
>> - semanage node -p option should take a string rather than an integer
>> and map it to the proper symbolic constant for ipv4/ipv6.
>> The ordering issue is a red herring at least for this example as the
>> sort is only applied to the local entries, and then they are merged to
>> the front of the policy-provided definitions. Which may become an issue
>> down the road particularly if we move object contexts to modules.
>
> I think I could do the changes to at least the semanage code, if there
> is still interest in it.
>
> But I must admit that my understanding of the "ordering issue" is quite
> limited and my search of the list for an explanation was unsuccessful so far.
> Is this a blocker for general semanage support of nodecons?
>
The ordering issue only comes up when you have overlapping masks. This may not be an issue in practice though, I suppose we'll see.
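Pulling together Stephen's three points earlier in the thread (the kernel's first-match test `c->u.node.addr == (addr & c->u.node.mask)`, checkpolicy's most-specific-first ordering, and masking the address as a precaution) with Joshua's remark that order only matters for overlapping masks, here is an added example that models the lookup in Python. It is not code from the thread, from policycoreutils or from libsemanage. Assumptions: the `node_t` fallback label is the one from the AVC in the first message and is taken to be the policy default; `whitelisted_node_t` is a hypothetical type used only for the overlap case; `raw_nodecon` mirrors what the posted patch does (address and mask stored as typed), `make_nodecon` is the masked variant. The IPv6 entry goes beyond the thread's IPv4 example, since the same comparison applies to both families.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed fallback: the generic node_t label the thread saw when no entry matched.
DEFAULT_NODE_CONTEXT = "system_u:object_r:node_t:s0"


@dataclass(frozen=True)
class NodeCon:
    """One nodecon entry, held as integers like the kernel's node ocontexts."""
    addr: int
    mask: int
    family: int      # 4 or 6
    context: str


def _to_int(text: str) -> Tuple[int, int]:
    """Parse an IPv4/IPv6 address or mask into (integer value, family)."""
    ip = ipaddress.ip_address(text)
    return int(ip), ip.version


def stray_bits(addr: str, mask: str) -> int:
    """Address bits set outside the mask; non-zero means the entry can never match."""
    a, _ = _to_int(addr)
    m, _ = _to_int(mask)
    return a & ~m


def raw_nodecon(addr: str, mask: str, context: str) -> NodeCon:
    """Store addr and mask exactly as given, which is what the posted patch does."""
    a, fam_a = _to_int(addr)
    m, fam_m = _to_int(mask)
    if fam_a != fam_m:
        raise ValueError("address and mask must belong to the same IP family")
    return NodeCon(a, m, fam_a, context)


def make_nodecon(addr: str, mask: str, context: str, strict: bool = False) -> NodeCon:
    """Store the entry with the mask applied to the address (the precaution
    suggested in the thread).  With strict=True an address that has bits set
    outside its mask is rejected instead of being silently truncated."""
    if strict and stray_bits(addr, mask):
        raise ValueError(f"{addr} has address bits outside mask {mask}")
    c = raw_nodecon(addr, mask, context)
    return NodeCon(c.addr & c.mask, c.mask, c.family, c.context)


def lookup(addr: str, nodecons: Iterable[NodeCon]) -> str:
    """Kernel-style lookup: walk the entries in order and return the first one
    for which c->u.node.addr == (addr & c->u.node.mask)."""
    a, fam = _to_int(addr)
    for c in nodecons:
        if c.family == fam and c.addr == (a & c.mask):
            return c.context
    return DEFAULT_NODE_CONTEXT


def sort_most_specific_first(nodecons: Iterable[NodeCon]) -> List[NodeCon]:
    """Order entries as checkpolicy does, longest mask first, so that with
    overlapping masks the most specific entry is the one first-match finds.
    sorted() is stable, so entries with equal mask length keep their order."""
    return sorted(nodecons, key=lambda c: bin(c.mask).count("1"), reverse=True)


def demo() -> dict:
    """Replay the thread's cases; returns the label each lookup produced."""
    black = "system_u:object_r:blacknetwork_node_t:s0"
    white = "system_u:object_r:whitelisted_node_t:s0"   # hypothetical type for the demo
    host = "192.168.100.54"
    out = {}

    # 1. Host address combined with the interface netmask, stored unmasked:
    #    .54 != (.54 & 255.255.255.0) == .0, so the entry never matches.
    out["host_with_subnet_mask"] = lookup(host, [raw_nodecon(host, "255.255.255.0", black)])

    # 2. An all-ones mask matches the exact address.
    out["exact"] = lookup(host, [raw_nodecon(host, "255.255.255.255", black)])

    # 3. The subnet form: address reduced to its prefix, so every host in it matches.
    subnet = make_nodecon(host, "255.255.255.0", black)     # stored as 192.168.100.0
    out["subnet_this_host"] = lookup(host, [subnet])
    out["subnet_other_host"] = lookup("192.168.100.7", [subnet])
    out["outside_subnet"] = lookup("192.168.101.7", [subnet])

    # 4. Overlapping masks: only here does order matter.  With the /24 listed
    #    first the /32 entry is dead; sorting most specific first revives it.
    exact = make_nodecon(host, "255.255.255.255", white)
    out["overlap_subnet_first"] = lookup(host, [subnet, exact])
    out["overlap_sorted"] = lookup(host, sort_most_specific_first([subnet, exact]))

    # 5. The same comparison works for IPv6 entries.
    v6 = make_nodecon("2001:db8::1", "ffff:ffff:ffff:ffff::", white)   # stored as 2001:db8::
    out["ipv6"] = lookup("2001:db8::dead:beef", [v6])
    return out


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:24s} {label}")
```

Case 1 reproduces the fallback to `node_t` from the first message, case 3 is the form Stephen describes (prefix plus mask), and case 4 shows why the ordering question is moot until two entries overlap: with a /24 ahead of a /32 for the same host the more specific entry is unreachable, and a most-specific-first sort is what makes first-match behave as people expect.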
* Re: Adding local nodecon's through semanage
From: Stephen Smalley @ 2008-07-29 12:13 UTC
To: Christian Kuester; +Cc: selinux, Joshua Brindle, Daniel J Walsh, Paul Moore
On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
> > Stephen Smalley wrote:
> > >> [ netmask semantic in nodecon ]
> > > Ok, this isn't actually a bug in the code at all.
> >
> > I see. Thanks for clearing that up for me!
> >
> > > Arguably semanage and checkpolicy should apply the mask to the address
> > > as a precaution against misconfiguration by the user. That's easy
> > > enough to do.
> > >
> > > Other tidbits on the semanage patch that I noticed:
> > > - semanage node -l was broken, requires additional argument that has
> > > been added to the list methods subsequently. Also would be nice to
> > > support locallist/-C option.
> > > - semanage node -p option should take a string rather than an integer
> > > and map it to the proper symbolic constant for ipv4/ipv6.
> > > The ordering issue is a red herring at least for this example as the
> > > sort is only applied to the local entries, and then they are merged to
> > > the front of the policy-provided definitions. Which may become an issue
> > > down the road particularly if we move object contexts to modules.
> >
> > I think I could do the changes to at least the semanage code, if there
> > is still interest in it.
> >
> > But I must admit, that my understanding of the "ordering issue" is quite
> > limited and my list research on an explanation was unsuccessful so far.
> > Is this a blocker for general semanage support of nodecons?
>
> I think it is fine to proceed with merging the semanage support, and
> then we can further investigate and seek to resolve the ordering issues.
>
> Please be sure to test each of the nodeRecords methods.
Are you still pursuing getting this cleaned up and merged?
> Dan and/or Joshua - it would help if you could look it over as well.
>
--
Stephen Smalley
National Security Agency
* [PATCH] Revised Patch for local nodecon support in semanage (was: Adding local nodecon's through semanage)
From: Christian Kuester @ 2008-08-14 7:32 UTC
To: Stephen Smalley; +Cc: selinux, Joshua Brindle, Daniel J Walsh, Paul Moore
Stephen Smalley wrote:
Hi List,
> On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
>> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
>>>> Other tidbits on the semanage patch that I noticed:
>>>> - semanage node -l was broken, requires additional argument that has
>>>> been added to the list methods subsequently. Also would be nice to
>>>> support locallist/-C option.
>>>> - semanage node -p option should take a string rather than an integer
>>>> and map it to the proper symbolic constant for ipv4/ipv6.
>> Please be sure to test each of the nodeRecords methods.
> Are you still pursuing getting this cleaned up and merged?
Sorry, it took some time. The revised patch for nodecon support in
the semanage tool is attached.
It now takes strings as arguments for the ip protocol. list/locallist
work as expected and output is more readable. I also made changes for
the semanage.8 man page.
Kind Regards,
Christian
Attachment: semanage-patch-revised.patch
diff -u -r semanage/semanage semanage-new/semanage
--- semanage/semanage 2008-08-13 17:50:41.000000000 +0200
+++ semanage-new/semanage 2008-08-14 09:14:57.000000000 +0200
@@ -44,11 +44,12 @@
def usage(message = ""):
print _("""
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
+semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n]
semanage login -{a|d|m} [-sr] login_name | %groupname
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
+semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
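Review bot: the new synopsis line `semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr` shows -p and -M as optional, but nodeRecords.add(), modify() and delete() in the seobject.py part of this patch raise ValueError when the mask is empty or the protocol is not ipv4/ipv6, so both are required for every -a/-d/-m invocation. Suggest `semanage node -{a|d|m} [-tr] -p protocol -M netmask addr`, and the same change in the semanage.8 synopsis, so the usage text matches what the code enforces.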
@@ -80,7 +81,8 @@
-p (named pipe)
-F, --file Treat target as an input file for command, change multiple settings
- -p, --proto Port protocol (tcp or udp)
+ -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
+ -M, --mask Netmask
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
@@ -109,7 +111,9 @@
valid_option["port"] = []
valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
valid_option["interface"] = []
- valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
+ valid_option["node"] = []
+ valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
valid_option["fcontext"] = []
valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
valid_option["translation"] = []
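Review bot: valid_option["node"] lists '--protocol', while the port entry just above it uses '--proto', the help text in this patch documents "-p, --proto", and the getopt long-option list in this patch only gains 'mask=', not 'protocol='. A user typing `semanage node ... --proto ipv4` will get '--proto' back from getopt, which then fails the `if o not in option_dict[object]` check; unless 'protocol=' is already registered with getopt, `--protocol` is not accepted at all. Use '--proto' here, consistent with port. The interface line in this hunk also changes only trailing whitespace and should be dropped from the diff.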
@@ -129,6 +133,7 @@
serange = ""
port = ""
proto = ""
+ mask = ""
selevel = ""
setype = ""
ftype = ""
@@ -157,7 +162,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:',
+ '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:M:',
['add',
'delete',
'deleteall',
@@ -178,7 +183,8 @@
'roles=',
'type=',
'trans=',
- 'prefix='
+ 'prefix=',
+ 'mask='
])
for o, a in gopts:
if o not in option_dict[object]:
@@ -245,6 +251,9 @@
if o == "-s" or o == "--seuser":
seuser = a
+
+ if o == "-M" or o == '--mask':
+ mask = a
if o == "-t" or o == "--type":
setype = a
@@ -268,6 +277,9 @@
if object == "interface":
OBJECT = seobject.interfaceRecords(store)
+
+ if object == "node":
+ OBJECT = seobject.nodeRecords(store)
if object == "fcontext":
OBJECT = seobject.fcontextRecords(store)
@@ -316,6 +328,9 @@
if object == "interface":
OBJECT.add(target, serange, setype)
+ if object == "node":
+ OBJECT.add(target, mask, proto, serange, setype)
+
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
if object == "permissive":
@@ -342,6 +357,9 @@
if object == "interface":
OBJECT.modify(target, serange, setype)
+
+ if object == "node":
+ OBJECT.modify(target, mask, proto, serange, setype)
if object == "fcontext":
OBJECT.modify(target, setype, ftype, serange, seuser)
@@ -354,6 +372,9 @@
elif object == "fcontext":
OBJECT.delete(target, ftype)
+
+ elif object == "node":
+ OBJECT.delete(target, mask, proto)
else:
OBJECT.delete(target)
diff -u -r semanage/semanage.8 semanage-new/semanage.8
--- semanage/semanage.8 2008-08-13 17:50:41.000000000 +0200
+++ semanage-new/semanage.8 2008-08-14 09:00:19.000000000 +0200
@@ -3,7 +3,7 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
+.B semanage {boolean|login|user|port|interface|node|fcontext|translation} \-{l|D} [\-n] [\-S store]
.br
.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
.br
@@ -15,6 +15,8 @@
.br
.B semanage interface \-{a|d|m} [\-tr] interface_spec
.br
+.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
+.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
.B semanage permissive \-{a|d} type
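Review bot: the new .B line uses plain hyphens (`-{a|d|m}`, `-p`, `-M`) while every neighbouring synopsis line escapes them as `\-`, e.g. `.B semanage interface \-{a|d|m} [\-tr] interface_spec`. In troff an unescaped `-` can be rendered as a typographic hyphen rather than a minus sign, so escape them the same way as the surrounding lines, and show -p and -M without brackets since the code requires them.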
@@ -78,7 +80,7 @@
Do not print heading when listing OBJECTS.
.TP
.I \-p, \-\-proto
-Protocol for the specified port (tcp|udp).
+Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
.TP
.I \-r, \-\-range
MLS/MCS Security Range (MLS/MCS Systems only)
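Review bot: semanage.8 gets an updated description for -p but no .TP entry for the new -M, --mask option anywhere in this diff; add one beside -p stating that it takes the node's netmask and in which form (dotted-quad for ipv4, full mask for ipv6) so the man page covers every option the usage text advertises.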
diff -u -r semanage/seobject.py semanage-new/seobject.py
--- semanage/seobject.py 2008-08-13 17:50:41.000000000 +0200
+++ semanage-new/seobject.py 2008-08-13 18:20:25.000000000 +0200
@@ -1030,6 +1030,231 @@
for p in ddict[i][1:]:
rec += ", %s" % p
print rec
+
+class nodeRecords(semanageRecords):
+ def __init__(self, store = ""):
+ semanageRecords.__init__(self,store)
+
+ def add(self, addr, mask, proto, serange, ctype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Unknown or missing protocol"))
+
+
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if ctype == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if exists:
+ raise ValueError(_("Addr %s already defined") % addr)
+
+ (rc,node) = semanage_node_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create addr for %s") % addr)
+
+ rc = semanage_node_set_addr(self.sh, node, proto, addr)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % addr)
+
+ rc = semanage_node_set_mask(self.sh, node, proto, mask)
+ if rc < 0:
+ raise ValueError(_("Could not set mask for %s") % addr)
+
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in addr context for %s") % addr)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in addr context for %s") % addr)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in addr context for %s") % addr)
+
+ if serange != "":
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
+
+ rc = semanage_node_set_con(self.sh, node, con)
+ if rc < 0:
+ raise ValueError(_("Could not set addr context for %s") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ semanage_context_free(con)
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def modify(self, addr, mask, proto, serange, setype):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+ if proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Unknown or missing protocol"))
+
+
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,node) = semanage_node_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query addr %s") % addr)
+
+ con = semanage_node_get_con(node)
+
+ if serange != "":
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ def delete(self, addr, mask, proto):
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ if mask == "":
+ raise ValueError(_("Node Netmask is required"))
+
+ if proto == "ipv4":
+ proto = 0
+ elif proto == "ipv6":
+ proto = 1
+ else:
+ raise ValueError(_("Unknown or missing protocol"))
+
+ (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc,exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc,exists) = semanage_node_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
+
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ rc = semanage_node_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ semanage_node_key_free(k)
+
+ def get_all(self, locallist = 0):
+ ddict = {}
+ if locallist :
+ (rc, self.ilist) = semanage_node_list_local(self.sh)
+ else:
+ (rc, self.ilist) = semanage_node_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list addrs"))
+
+ for node in self.ilist:
+ con = semanage_node_get_con(node)
+ addr = semanage_node_get_addr(self.sh, node)
+ mask = semanage_node_get_mask(self.sh, node)
+ proto = semanage_node_get_proto(node)
+ if proto == 0:
+ proto = "ipv4"
+ elif proto == 1:
+ proto = "ipv6"
+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def list(self, heading = 1, locallist = 0):
+ if heading:
+ print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")
+ ddict = self.get_all()
+ keys = ddict.keys()
+ keys.sort()
+ if is_mls_enabled:
+ for k in keys:
+ val = ''
+ for fields in k:
+ val = val + '\t' + str(fields)
+ print "%-18s %-18s %-5s %s:%s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
+ else:
+ for k in keys:
+ print "%-18s %-18s %-5s %s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2])
+
class interfaceRecords(semanageRecords):
def __init__(self, store = ""):
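Review bot: in nodeRecords.add() the two consecutive `if rc < 0:` checks after semanage_node_key_create() test the same rc; the second one ("Could not check if addr %s is defined") belongs after the semanage_node_exists() call, whose return code is currently never checked. Further down, the rc from semanage_node_set_addr() is overwritten by semanage_context_create() before it is tested, so an address libsemanage rejects is silently accepted; check it right after the call, the way semanage_node_set_mask() is checked. modify() likewise ignores the return values of semanage_context_set_mls() and semanage_context_set_type(). In list(), `self.get_all()` is called without passing locallist, so -C has no effect and the local-only view is never produced, and the `val` string built in the MLS branch is never used. Finally, the ipv4/ipv6 to 0/1 mapping is repeated in add(), modify() and delete(); a single helper mapping the strings to libsemanage's SEMANAGE_PROTO_IP4/SEMANAGE_PROTO_IP6 constants (the symbolic constants Stephen asked for, rather than literal 0 and 1) would keep the three methods and get_all() in sync.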
* Re: [PATCH] Revised Patch for local nodecon support in semanage (was: Adding local nodecon's through semanage)
From: Stephen Smalley @ 2008-08-21 20:59 UTC
To: Christian Kuester; +Cc: selinux, Joshua Brindle, Daniel J Walsh, Paul Moore
On Thu, 2008-08-14 at 09:32 +0200, Christian Kuester wrote:
> Stephen Smalley wrote:
>
> Hi List,
>
> > On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
> >> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
> >>>> Other tidbits on the semanage patch that I noticed:
> >>>> - semanage node -l was broken, requires additional argument that has
> >>>> been added to the list methods subsequently. Also would be nice to
> >>>> support locallist/-C option.
> >>>> - semanage node -p option should take a string rather than an integer
> >>>> and map it to the proper symbolic constant for ipv4/ipv6.
> >> Please be sure to test each of the nodeRecords methods.
> > Are you still pursuing getting this cleaned up and merged?
>
> Sorry, it took some time. The revised patch for nodecon support in
> the semanage tool is attached.
>
> It now takes strings as arguments for the ip protocol. list/locallist
> work as expected and output is more readable. I also made changes for
> the semanage.8 man page.
semanage node -lC appears to list all of the entries rather than only
the local modifications (i.e. the ones in the nodes.local file).
Compare with semanage fcontext -lC or port -lC.
Also the patch should be from the top of the tree, preferably appliable
by git-apply.
Thanks.
* Re: [PATCH] Revised Patch for local nodecon support in semanage (was: Adding local nodecon's through semanage)
From: Stephen Smalley @ 2008-08-26 13:37 UTC
To: Christian Kuester; +Cc: selinux, Joshua Brindle, Daniel J Walsh, Paul Moore
On Thu, 2008-08-21 at 16:59 -0400, Stephen Smalley wrote:
> On Thu, 2008-08-14 at 09:32 +0200, Christian Kuester wrote:
> > Stephen Smalley wrote:
> >
> > Hi List,
> >
> > > On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
> > >> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
> > >>>> Other tidbits on the semanage patch that I noticed:
> > >>>> - semanage node -l was broken, requires additional argument that has
> > >>>> been added to the list methods subsequently. Also would be nice to
> > >>>> support locallist/-C option.
> > >>>> - semanage node -p option should take a string rather than an integer
> > >>>> and map it to the proper symbolic constant for ipv4/ipv6.
> > >> Please be sure to test each of the nodeRecords methods.
> > > Are you still pursuing getting this cleaned up and merged?
> >
> > Sorry, it took some time. The revised patch for nodecon support in
> > the semanage tool is attached.
> >
> > It now takes strings as arguments for the ip protocol. list/locallist
> > work as expected and output is more readable. I also made changes for
> > the semanage.8 man page.
>
> semanage node -lC appears to list all of the entries rather than only
> the local modifications (i.e. the ones in the nodes.local file).
> Compare with semanage fcontext -lC or port -lC.
>
Ok, this turned out to be trivial - just needed to pass the locallist
value to the get_all() call. Fixed and committed, thanks.
Thread overview: 14+ messages
2008-07-03 13:47 Adding local nodecon's through semanage Christian Kuester
2008-07-03 14:32 ` Paul Moore
2008-07-03 16:16 ` Stephen Smalley
2008-07-03 16:45 ` Paul Moore
2008-07-03 17:01 ` Stephen Smalley
2008-07-04 8:10 ` Christian Kuester
2008-07-07 17:11 ` Stephen Smalley
2008-07-08 10:13 ` Christian Kuester
2008-07-08 12:30 ` Stephen Smalley
2008-07-29 12:13 ` Stephen Smalley
2008-08-14 7:32 ` [PATCH] Revised Patch for local nodecon support in semanage (was: Adding local nodecon's through semanage) Christian Kuester
2008-08-21 20:59 ` Stephen Smalley
2008-08-26 13:37 ` Stephen Smalley
2008-07-08 15:14 ` Adding local nodecon's through semanage Joshua Brindle