From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux <selinux@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
James Morris <jmorris@namei.org>
Subject: Re: Correct manner to handler undefined classes/permissions? (Re: Some ideas in SE-PostgreSQL enhancement)
Date: Thu, 02 Apr 2009 09:28:10 +0900 [thread overview]
Message-ID: <49D4069A.9000600@ak.jp.nec.com> (raw)
In-Reply-To: <1238589935.24074.3.camel@localhost.localdomain>
[-- Attachment #1: Type: text/plain, Size: 920 bytes --]
Stephen Smalley wrote:
>> My preference is filling up the undefined access vectores with
>> policydb.allow_unknown. It seems to me quite natural.
>
> I believe that is what the kernel does during policy load, by defining
> the policydb->undefined_perms[] array.
Oops, I misread the kernel code.
>> Userspace object managers also have same issue.
>> Now it's unclear for me what is the preferable behavior.
>> For example, how should it handle the db_database:{superuser}
>> on the older security policy?
It is useful for userspace object manager, if libselinux has an
interface something like: int security_deny_unknown(void);
This interface can suggest applications preferable behavior when
string_to_security_class() or string_to_av_perm() returns invalid
value which means the security policy does not define required
ones.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: libselinux-security_deny_unknown.patch --]
[-- Type: text/x-patch, Size: 3415 bytes --]
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
libselinux/include/selinux/selinux.h | 3 ++
libselinux/man/man3/security_deny_unknown.3 | 21 ++++++++++++++
libselinux/src/deny_unknown.c | 40 +++++++++++++++++++++++++++
libselinux/src/selinux_internal.h | 1 +
4 files changed, 65 insertions(+), 0 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index fab083e..01a8912 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -301,6 +301,9 @@ extern int security_disable(void);
/* Get the policy version number. */
extern int security_policyvers(void);
+/* Get the behavior for undefined classes/permissions */
+extern int security_deny_unknown(void);
+
/* Get the boolean names */
extern int security_get_boolean_names(char ***names, int *len);
diff --git a/libselinux/man/man3/security_deny_unknown.3 b/libselinux/man/man3/security_deny_unknown.3
index e69de29..1fce3eb 100644
--- a/libselinux/man/man3/security_deny_unknown.3
+++ b/libselinux/man/man3/security_deny_unknown.3
@@ -0,0 +1,21 @@
+.TH "security_deny_unknown" "3" "2 April 2009" "kaigai@ak.jp.nec.com" "SELinux API documentation"
+.SH "NAME"
+security_deny_unknown \- get the preferable behavior on undefined object classes and access vectores
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int security_deny_unknown(void);
+
+.SH "DESCRIPTION"
+.B security_deny_unknown
+returns 0 if SELinux allows undefined actions or actions on undefined object classes, 1 if not allowed, and -1 on error.
+Application should perform according to the result when
+.B string_to_security_class
+or
+.B string_to_av_perm
+return invalid value which means the current policy does not support required ones.
+
+.SH "SEE ALSO"
+.BR string_to_security_class (3),
+.BR string_to_av_perm (3),
+.BR selinux (8)
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index e69de29..c93998a 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -0,0 +1,40 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include <stdio.h>
+#include <limits.h>
+
+int security_deny_unknown(void)
+{
+ int fd, ret, deny_unknown = 0;
+ char path[PATH_MAX];
+ char buf[20];
+
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+ }
+
+ snprintf(path, sizeof(path), "%s/deny_unknown", selinux_mnt);
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ memset(buf, 0, sizeof(buf));
+ ret = read(fd, buf, sizeof(buf) - 1);
+ close(fd);
+ if (ret < 0)
+ return -1;
+
+ if (sscanf(buf, "%d", &deny_unknown) != 1)
+ return -1;
+
+ return deny_unknown;
+}
+
+hidden_def(security_deny_unknown);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 8b4c6d4..5c551d4 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -51,6 +51,7 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(setsockcreatecon_raw)
hidden_proto(security_getenforce)
hidden_proto(security_setenforce)
+ hidden_proto(security_deny_unknown)
hidden_proto(selinux_binary_policy_path)
hidden_proto(selinux_default_context_path)
hidden_proto(selinux_securetty_types_path)
next prev parent reply other threads:[~2009-04-02 0:28 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-23 10:37 The status of SE-PostgreSQL KaiGai Kohei
2009-03-23 10:37 ` [refpolicy] " KaiGai Kohei
2009-03-23 14:56 ` Shaz
2009-03-23 14:57 ` Shaz
2009-03-23 15:19 ` Andy Warner
2009-03-24 2:14 ` KaiGai Kohei
2009-03-24 2:14 ` [refpolicy] " KaiGai Kohei
2009-03-25 6:54 ` Some ideas in SE-PostgreSQL enhancement (Re: The status of SE-PostgreSQL) KaiGai Kohei
2009-03-25 6:54 ` [refpolicy] " KaiGai Kohei
2009-03-25 7:45 ` Andy Warner
2009-03-25 8:20 ` KaiGai Kohei
2009-03-25 8:59 ` Andy Warner
2009-03-25 12:00 ` KaiGai Kohei
2009-03-25 17:02 ` Andy Warner
2009-03-26 0:13 ` KaiGai Kohei
2009-03-25 17:43 ` Joshua Brindle
2009-03-25 19:42 ` Andy Warner
2009-03-27 15:43 ` Joshua Brindle
2009-03-27 16:25 ` Andy Warner
2009-03-27 17:15 ` Joshua Brindle
2009-03-27 17:54 ` Andy Warner
2009-03-27 18:12 ` Joshua Brindle
2009-03-27 18:48 ` Andy Warner
2009-03-27 19:53 ` Joshua Brindle
2009-03-27 20:04 ` Andy Warner
2009-03-27 23:59 ` KaiGai Kohei
2009-03-28 7:17 ` Andy Warner
2009-03-30 0:56 ` KaiGai Kohei
2009-03-30 8:21 ` KaiGai Kohei
2009-03-30 9:58 ` Andy Warner
2009-03-30 13:22 ` KaiGai Kohei
2009-04-22 0:08 ` Eamon Walsh
2009-04-22 3:59 ` KaiGai Kohei
2009-05-01 4:54 ` Eamon Walsh
2009-05-07 1:34 ` KaiGai Kohei
2009-05-07 7:24 ` KaiGai Kohei
2009-03-30 9:49 ` Andy Warner
2009-03-26 5:50 ` [PATCH] Expose avc_netlink_loop() for applications (Re: Some ideas in SE-PostgreSQL enhancement) KaiGai Kohei
2009-03-26 23:28 ` Eamon Walsh
2009-03-26 23:41 ` Eamon Walsh
2009-03-27 0:35 ` KaiGai Kohei
2009-03-28 0:54 ` Eamon Walsh
2009-03-28 2:00 ` KaiGai Kohei
2009-03-30 4:56 ` KaiGai Kohei
2009-03-26 6:11 ` [PATCH] database audit integration " KaiGai Kohei
2009-03-26 6:11 ` KaiGai Kohei
2009-03-26 21:45 ` John Dennis
[not found] ` <49CB313B.7020507@redhat.com>
2009-03-27 2:34 ` KaiGai Kohei
2009-03-27 2:34 ` KaiGai Kohei
2009-03-26 8:29 ` [PATCH] Permissive domain in userspace " KaiGai Kohei
2009-03-28 2:41 ` Eamon Walsh
2009-03-30 2:55 ` KaiGai Kohei
2009-03-31 1:45 ` KaiGai Kohei
2009-03-31 16:46 ` Stephen Smalley
2009-04-01 1:07 ` [PATCH] Permissive domain in userspace object manager KaiGai Kohei
2009-04-01 1:41 ` KaiGai Kohei
2009-04-01 12:34 ` Stephen Smalley
2009-04-01 20:07 ` Eric Paris
2009-04-01 22:53 ` James Morris
2009-03-27 8:18 ` [PATCH] Policy rework for SE-PostgreSQL (Re: Some ideas in SE-PostgreSQL enhancement) KaiGai Kohei
2009-03-27 8:18 ` [refpolicy] " KaiGai Kohei
2009-03-27 9:44 ` Andy Warner
2009-03-27 11:20 ` KaiGai Kohei
2009-03-27 11:20 ` [refpolicy] " KaiGai Kohei
2009-03-27 11:45 ` Andy Warner
2009-03-27 11:45 ` [refpolicy] " Andy Warner
2009-03-27 12:17 ` KaiGai Kohei
2009-03-27 12:17 ` [refpolicy] " KaiGai Kohei
2009-04-01 7:26 ` Correct manner to handler undefined classes/permissions? " KaiGai Kohei
2009-04-01 12:45 ` Stephen Smalley
2009-04-02 0:28 ` KaiGai Kohei [this message]
2009-03-23 15:25 ` The status of SE-PostgreSQL Stephen Smalley
2009-03-23 15:25 ` [refpolicy] " Stephen Smalley
2009-03-24 1:13 ` KaiGai Kohei
2009-03-24 1:13 ` [refpolicy] " KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49D4069A.9000600@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.