Critical bug in semanage

Critical bug in semanage

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 508 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

homedirs in /var and /usr/local were not being matched, causing bad
context to be added.

genhomedircon port problem.

An extra / at the end of the regex was causing the problem

Geesh I love 'C'.  :^P
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkh/k8IACgkQrlYvE4MpobPojgCggaXEFTVV+JdunE/jLOjhiTff
+E4AoOSIYWVPVlRJ2w7LAo7ewCmt/+KY
=xb2w
-----END PGP SIGNATURE-----

[-- Attachment #2: libsemanage-rhat.patch --]
[-- Type: text/plain, Size: 500 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.25/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.25/src/genhomedircon.c	2008-07-17 14:32:45.000000000 -0400
@@ -192,6 +193,11 @@
 			goto done;
 	}
 
+	if (ustr_cmp_suffix_cstr_eq(expr, "/")) {
+		if (!ustr_del(&expr, 1))
+			goto done;
+	}
+
 	/* Append pattern to eat up trailing slashes */
 	if (!ustr_add_cstr(&expr, "/*$"))
 		goto done;

[-- Attachment #3: libsemanage-rhat.patch.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]

Re: Critical bug in semanage

[Joshua Brindle]

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> homedirs in /var and /usr/local were not being matched, causing bad
> context to be added.
> 
> genhomedircon port problem.
> 
> An extra / at the end of the regex was causing the problem
> 
> Geesh I love 'C'.  :^P

It has less to do with C and more to do with crazy string libraries :)

I'm not sure what the intention is here though, the comment directly below your patch says
" 	/* Append pattern to eat up trailing slashes */"

How is that not what you are trying to do?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Critical bug in semanage

[Stephen Smalley]

On Fri, 2008-07-18 at 11:36 -0400, Joshua Brindle wrote:
> Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > homedirs in /var and /usr/local were not being matched, causing bad
> > context to be added.
> > 
> > genhomedircon port problem.
> > 
> > An extra / at the end of the regex was causing the problem
> > 
> > Geesh I love 'C'.  :^P
> 
> It has less to do with C and more to do with crazy string libraries :)
> 
> I'm not sure what the intention is here though, the comment directly below your patch says
> " 	/* Append pattern to eat up trailing slashes */"
> 
> How is that not what you are trying to do?

Trailing / in the pathname regex versus trailing / in the pathname being
matched, IIUC.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Critical bug in semanage

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Fri, 2008-07-18 at 11:36 -0400, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> homedirs in /var and /usr/local were not being matched, causing bad
>>> context to be added.
>>>
>>> genhomedircon port problem.
>>>
>>> An extra / at the end of the regex was causing the problem
>>>
>>> Geesh I love 'C'.  :^P
>> It has less to do with C and more to do with crazy string libraries :)
>>
>> I'm not sure what the intention is here though, the comment directly below your patch says
>> " 	/* Append pattern to eat up trailing slashes */"
>>
>> How is that not what you are trying to do?
> 
> Trailing / in the pathname regex versus trailing / in the pathname being
> matched, IIUC.
> 
Yes the problem wat the tool was not matching

/var/.* system_u:object_r:var_t:s0

Ended up trying to compare
/var/ to /var

And failing to see the similarities.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiA0/AACgkQrlYvE4MpobMG0ACfSKO9rfQC9iB44zxC5mrIMqKF
anIAn1pKhwbklwdVUPtAElYjEoN6s4t1
=hEeI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Setting login context for multiple Linux users using single semanage command...

[Hasan Rezaul-CHR010]

Hi All,

If I wanted to map multiple Linux users (Test1, Test2, and Test3), to a
single SELinux user (staff_u),

Can I use a single semanage command to do this, instead of executing
multiple semanage commands?

In other words,instead of executing:  
semanage login -a -s staff_u Test1
semanage login -a -s staff_u Test2
semanage login -a -s staff_u Test3

Can I do something like:   semanage login -a -s staff_u 'Test1 Test2
Test3'

Thanks as always for your help,

- Rezaul.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Setting login context for multiple Linux users using single semanage command...

[Stephen Smalley]

On Mon, 2008-07-21 at 13:41 -0400, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> If I wanted to map multiple Linux users (Test1, Test2, and Test3), to a
> single SELinux user (staff_u),
> 
> Can I use a single semanage command to do this, instead of executing
> multiple semanage commands?
> 
> In other words,instead of executing:  
> semanage login -a -s staff_u Test1
> semanage login -a -s staff_u Test2
> semanage login -a -s staff_u Test3
> 
> Can I do something like:   semanage login -a -s staff_u 'Test1 Test2
> Test3'
> 
> Thanks as always for your help,

Abstractly, that would be possible to do, but I doubt the semanage
command today supports that syntax.  The underpinnings of it
(libsemanage) certainly would support applying several changes in the
same transaction, just as you can install multiple policy modules on the
same transaction using semodule.  So I'd call this a deficiency of the
semanage UI and patches of course are always welcome.  I think we'd want
something clearer though than just the quoted list.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Setting login context for multiple Linux users using single semanage command...

[Daniel J Walsh]

Stephen Smalley wrote:
> On Mon, 2008-07-21 at 13:41 -0400, Hasan Rezaul-CHR010 wrote:
>> Hi All,
>>
>> If I wanted to map multiple Linux users (Test1, Test2, and Test3), to a
>> single SELinux user (staff_u),
>>
>> Can I use a single semanage command to do this, instead of executing
>> multiple semanage commands?
>>
>> In other words,instead of executing:  
>> semanage login -a -s staff_u Test1
>> semanage login -a -s staff_u Test2
>> semanage login -a -s staff_u Test3
>>
>> Can I do something like:   semanage login -a -s staff_u 'Test1 Test2
>> Test3'
>>
>> Thanks as always for your help,
> 
> Abstractly, that would be possible to do, but I doubt the semanage
> command today supports that syntax.  The underpinnings of it
> (libsemanage) certainly would support applying several changes in the
> same transaction, just as you can install multiple policy modules on the
> same transaction using semodule.  So I'd call this a deficiency of the
> semanage UI and patches of course are always welcome.  I think we'd want
> something clearer though than just the quoted list.
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
A mere matter of coding.  I have begun doing some of this with booleans.

I think the tool needs a way to set multiple and extract the custom
settings so that they can be sent to other machines.

IE Extract all customizations from this machine and make all other
machines match.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.