From: Andy Warner <warner@rubix.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: adding objects classes and permissions to policy
Date: Fri, 17 Oct 2008 17:14:05 +0200
Message-ID: <48F8ABBC.9060808@rubix.com>
In-Reply-To: <1224253435.19562.23.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Fri, 2008-10-17 at 16:18 +0200, Andy Warner wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
>>>
>>>
>>>> Stephen Smalley wrote:
>>>>
>>>>
>>>>> On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> When adding new object classes and permissions to SELinux policy is it
>>>>>>> necessary to re-create flask.h and av_permissions.h header files so
>>>>>>> that a user-space object manager can access the associated defines? If
>>>>>>> so, would someone give me some pointers as to how these are
>>>>>>> generated?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> You should use the dynamic class/permission lookup facilities for any
>>>>>> new code. man selinux_set_mapping
>>>>>>
>>>>>> XSELinux and SE-PostgreSQL are already using it I believe.
>>>>>>
>>>>>>
>>>>>>
>>>> I can't find any evidence that my version of libselinux contains the
>>>> selinux_set_mapping function. I am using CentOS 5.1 with libselinux
>>>> version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
>>>> the times with regards to SELinux functionality. Does libselinux
>>>> 1.33.4 not have the dynamic class/permission lookup facilities? If it
>>>> does not, any advice on how to add object classes / permissions to
>>>> policy? Moving to Fedora is a possibility, maybe it's worth
>>>> considering as this would not be the first issue we have had with an
>>>> outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
>>>> TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
>>>> not have the database related object classes /permissions in the base
>>>> policy where the most recent Fedora does, hence my need to add the
>>>> object classes /permissions in RHEL 5.
>>>>
>>>>
>>> To use the object class/perm discovery support, you'd need to use a
>>> modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).
>>>
>>> Note that regardless of whether you use object class/permission
>>> discovery support, you have to add the classes and permissions to the
>>> policy flask definitions and rebuild your policy. The object class/perm
>>> discovery support just changes how the object manager obtains the values
>>> - whether they are hardcoded into it or dynamically looked up at object
>>> manager startup. But the policy itself still needs to be taught about
>>> them.
>>>
>>> As Ted said, the old way to teach libselinux about new classes/perms is
>>> described in:
>>> http://selinuxproject.org/page/Adding_New_Permissions
>>>
>>> After updating the policy/flask files, you run make in the flask
>>> subdirectory (different Makefile than the policy build one) and it will
>>> regenerate the header files that are used by libselinux and by the
>>> kernel. Then you can install the libselinux ones into a libselinux
>>> source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
>>> rebuild your libselinux.
>>>
>>>
>>>
>> When I install our product on a fresh machine in addition to the
>> actual product and the new policy files, will I also need to install a
>> new version of the libselinux libraries?
>>
>
> Yes (when using the old way).
>
>
>> I assume that the linux kernel needs to somehow access the new object
>> class / permissions defines (I'm guessing there is a potential for
>> pre-existing defines to change through my policy rebuild), would that
>> be through the shared libselinux libraries? Kernel rebuild? (Mucking
>> with Linux itself is way out of my area of knowledge.)
>>
>
> No, the kernel doesn't need userspace object class/perm definitions,
> because it never references them itself.
>
My concern was not that the kernel would need to access my userspace
object class/perm definitions but that through creating a new flask.h I
would change the definitions of pre-existing object classes. For
instance, my current flask.h has:
#define SECCLASS_FILE 6
If after I generated a new flask.h this somehow changed to:
#define SECCLASS_FILE 7
I would think this could cause an issue with the kernel if it uses the
SECCLASS_FILE define in code built with the original flask.h. Is this
possible or are the pre-existing kernel object class defines guaranteed
to be consistent across policy builds which have new object class
definitions?
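The question above is really a compatibility check: after regenerating flask.h, did any SECCLASS_* value that already existed change, or did the new classes simply get appended? The following script is an added example written for this thread, not code from the original message or from the SELinux project. It parses the `#define SECCLASS_...` lines out of two flask.h bodies and reports renumbered, removed and added classes, so the header produced by a rebuild can be compared against the one the installed libselinux and kernel were built with before anything is installed. The two sample headers are constructed for the demonstration and are only shaped like the real file; the class name SECCLASS_DB_DATABASE is used as a hypothetical new database class.

```python
import re
from typing import Dict, List, Tuple

# Matches lines such as "#define SECCLASS_FILE 6" as they appear in flask.h.
DEFINE_RE = re.compile(r"^\s*#define\s+(SECCLASS_[A-Z0-9_]+)\s+(\d+)\s*$", re.MULTILINE)


def parse_secclass_defines(header_text: str) -> Dict[str, int]:
    """Return {define name: numeric value} for every SECCLASS_* define in a flask.h body."""
    return {name: int(value) for name, value in DEFINE_RE.findall(header_text)}


def compare_flask_headers(old_text: str, new_text: str) -> Dict[str, list]:
    """Compare the SECCLASS_* values of an old and a regenerated flask.h.

    'renumbered' lists (name, old_value, new_value) for classes whose value changed,
    'removed' lists classes that disappeared, 'added' lists classes that are new.
    Only 'added' is harmless for code built against the old header.
    """
    old = parse_secclass_defines(old_text)
    new = parse_secclass_defines(new_text)
    renumbered: List[Tuple[str, int, int]] = sorted(
        (name, old[name], new[name]) for name in old.keys() & new.keys() if old[name] != new[name]
    )
    return {
        "renumbered": renumbered,
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
    }


def headers_compatible(old_text: str, new_text: str) -> bool:
    """True when every pre-existing class keeps its value (new classes may be appended)."""
    result = compare_flask_headers(old_text, new_text)
    return not result["renumbered"] and not result["removed"]


# Constructed sample: a fragment in the shape of the flask.h the object manager was built with.
OLD_FLASK_H = """\
#define SECCLASS_SECURITY                                1
#define SECCLASS_PROCESS                                 2
#define SECCLASS_SYSTEM                                  3
#define SECCLASS_CAPABILITY                              4
#define SECCLASS_FILESYSTEM                              5
#define SECCLASS_FILE                                    6
#define SECCLASS_DIR                                     7
"""

# Constructed sample: the new class was appended, so existing values are untouched.
NEW_FLASK_H_APPENDED = OLD_FLASK_H + "#define SECCLASS_DB_DATABASE                             8\n"

# Constructed sample: the new class was inserted before "file", shifting FILE and DIR.
NEW_FLASK_H_SHIFTED = """\
#define SECCLASS_SECURITY                                1
#define SECCLASS_PROCESS                                 2
#define SECCLASS_SYSTEM                                  3
#define SECCLASS_CAPABILITY                              4
#define SECCLASS_FILESYSTEM                              5
#define SECCLASS_DB_DATABASE                             6
#define SECCLASS_FILE                                    7
#define SECCLASS_DIR                                     8
"""


def report(old_text: str, new_text: str) -> str:
    """Human-readable summary of a comparison, for use from a build script."""
    result = compare_flask_headers(old_text, new_text)
    lines = []
    for name, old_value, new_value in result["renumbered"]:
        lines.append(f"RENUMBERED {name}: {old_value} -> {new_value}")
    for name in result["removed"]:
        lines.append(f"REMOVED    {name}")
    for name in result["added"]:
        lines.append(f"ADDED      {name}")
    verdict = "compatible" if headers_compatible(old_text, new_text) else "INCOMPATIBLE"
    lines.append(f"verdict: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: pass the two header bodies read from disk, e.g.
    # open("/usr/include/selinux/flask.h").read() and open("policy/flask/flask.h").read().
    print(report(OLD_FLASK_H, NEW_FLASK_H_APPENDED))
    print()
    print(report(OLD_FLASK_H, NEW_FLASK_H_SHIFTED))
```

In the shifted case the report flags SECCLASS_FILE moving from 6 to 7, which is exactly the mismatch that would bite any code still carrying the old hardcoded value; the appended case passes. The same parse-and-diff approach works for av_permissions.h by changing the regular expression to match the permission define names.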