SELinux context patch

SELinux context patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 331 bytes --]

This patch adds context files for virtual_domain and virtual_image, 
these are both being used to locat the default context to be executed by 
svirt.

I also included the subs patch which I submitted before.  This patch 
allows us to substitute prefixes to matchpathcon.

So we can say /export/home == /home

and

/web == /var/www

[-- Attachment #2: libselinux_context.patch --]
[-- Type: text/plain, Size: 5998 bytes --]

--- nsalibselinux/src/selinux_config.c	2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.81/src/selinux_config.c	2009-05-18 14:04:07.000000000 -0400
@@ -40,7 +40,10 @@
 #define SECURETTY_TYPES   18
 #define X_CONTEXTS        19
 #define COLORS            20
-#define NEL               21
+#define VIRTUAL_DOMAIN    21
+#define VIRTUAL_IMAGE     22
+#define FILE_CONTEXT_SUBS 23
+#define NEL               24
 
 /* New layout is relative to SELINUXDIR/policytype. */
 static char *file_paths[NEL];
@@ -391,3 +394,24 @@
 }
 
 hidden_def(selinux_x_context_path)
+
+const char *selinux_virtual_domain_context_path()
+{
+	return get_path(VIRTUAL_DOMAIN);
+}
+
+hidden_def(selinux_virtual_domain_context_path)
+
+const char *selinux_virtual_image_context_path()
+{
+	return get_path(VIRTUAL_IMAGE);
+}
+
+hidden_def(selinux_virtual_image_context_path)
+
+const char * selinux_file_context_subs_path(void) {
+	return get_path(FILE_CONTEXT_SUBS);
+}
+
+hidden_def(selinux_file_context_subs_path)
+
--- nsalibselinux/include/selinux/selinux.h	2009-04-08 09:06:23.000000000 -0400
+++ libselinux-2.0.81/include/selinux/selinux.h	2009-05-18 14:04:07.000000000 -0400
@@ -481,8 +481,11 @@
 extern const char *selinux_file_context_path(void);
 extern const char *selinux_file_context_homedir_path(void);
 extern const char *selinux_file_context_local_path(void);
+extern const char *selinux_file_context_subs_path(void);
 extern const char *selinux_homedir_context_path(void);
 extern const char *selinux_media_context_path(void);
+extern const char *selinux_virtual_domain_context_path(void);
+extern const char *selinux_virtual_image_context_path(void);
 extern const char *selinux_x_context_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
--- nsalibselinux/src/file_path_suffixes.h	2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.81/src/file_path_suffixes.h	2009-05-18 14:04:07.000000000 -0400
@@ -20,3 +20,6 @@
     S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local")
     S_(X_CONTEXTS, "/contexts/x_contexts")
     S_(COLORS, "/secolor.conf")
+    S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
+    S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
+    S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
--- nsalibselinux/src/selinux_internal.h	2009-04-08 09:06:23.000000000 -0400
+++ libselinux-2.0.81/src/selinux_internal.h	2009-05-18 14:04:07.000000000 -0400
@@ -59,9 +59,12 @@
     hidden_proto(selinux_securetty_types_path)
     hidden_proto(selinux_failsafe_context_path)
     hidden_proto(selinux_removable_context_path)
+    hidden_proto(selinux_virtual_domain_context_path)
+    hidden_proto(selinux_virtual_image_context_path)
     hidden_proto(selinux_file_context_path)
     hidden_proto(selinux_file_context_homedir_path)
     hidden_proto(selinux_file_context_local_path)
+    hidden_proto(selinux_file_context_subs_path)
     hidden_proto(selinux_netfilter_context_path)
     hidden_proto(selinux_homedir_context_path)
     hidden_proto(selinux_user_contexts_path)
--- nsalibselinux/src/label.c	2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.81/src/label.c	2009-05-18 14:04:07.000000000 -0400
@@ -5,10 +5,12 @@
  */
 
 #include <sys/types.h>
+#include <ctype.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <selinux/selinux.h>
 #include "callbacks.h"
 #include "label_internal.h"
 
@@ -23,6 +25,96 @@
 	&selabel_x_init
 };
 
+typedef struct selabel_sub {
+	char *src;
+	int slen;
+	char *dst;
+	struct selabel_sub *next;
+} SELABELSUB;
+
+SELABELSUB *selabelsublist = NULL;
+
+static void selabel_subs_fini(void)
+{
+	SELABELSUB *ptr = selabelsublist;
+	SELABELSUB *next = NULL;
+	while (ptr) {
+		next = ptr->next;
+		free(ptr->src);
+		free(ptr->dst);
+		free(ptr);
+		ptr = next;
+	}
+	selabelsublist = NULL;
+}
+
+static char *selabel_sub(const char *src) 
+{
+	char *dst = NULL;
+	SELABELSUB *ptr = selabelsublist;
+	while (ptr) {
+		if (strncmp(src, ptr->src, ptr->slen) == 0 ) {
+			if (src[ptr->slen] == '/' || 
+			    src[ptr->slen] == 0) {
+				asprintf(&dst, "%s%s", ptr->dst, &src[ptr->slen]);
+				return dst;
+			}
+		}
+		ptr = ptr->next;
+	}
+	return NULL;
+}
+
+static int selabel_subs_init(void)
+{
+	char buf[1024];
+	FILE *cfg = fopen(selinux_file_context_subs_path(), "r");
+	if (cfg) {
+		while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
+			char *ptr = NULL;
+			char *src = buf;
+			char *dst = NULL;
+
+			while (*src && isspace(*src))
+				src++;
+			if (src[0] == '#') continue;
+			ptr = src;
+			while (*ptr && ! isspace(*ptr))
+				ptr++;
+			*ptr++ = 0;
+			if (! *src) continue;
+
+			dst = ptr;
+			while (*dst && isspace(*dst))
+				dst++;
+			ptr=dst;
+			while (*ptr && ! isspace(*ptr))
+				ptr++;
+			*ptr=0;
+			if (! *dst) continue;
+
+			SELABELSUB *sub = (SELABELSUB*) malloc(sizeof(SELABELSUB));
+			if (! sub) return -1;
+			sub->src=strdup(src);
+			if (! sub->src) {
+				free(sub);
+				return -1;
+			}
+			sub->dst=strdup(dst);
+			if (! sub->dst) {
+				free(sub);
+				free(sub->src);
+				return -1;
+			}
+			sub->slen = strlen(src);
+			sub->next = selabelsublist;
+			selabelsublist = sub;
+		}
+		fclose(cfg);
+	}
+	return 0;
+}
+
 /*
  * Validation functions
  */
@@ -67,6 +159,8 @@
 		goto out;
 	}
 
+	selabel_subs_init();
+
 	rec = (struct selabel_handle *)malloc(sizeof(*rec));
 	if (!rec)
 		goto out;
@@ -88,7 +182,14 @@
 selabel_lookup_common(struct selabel_handle *rec, int translating,
 		      const char *key, int type)
 {
-	struct selabel_lookup_rec *lr = rec->func_lookup(rec, key, type);
+	struct selabel_lookup_rec *lr;
+	char *ptr = selabel_sub(key);
+	if (ptr) {
+		lr = rec->func_lookup(rec, ptr, type); 
+		free(ptr);
+	} else {
+		lr = rec->func_lookup(rec, key, type); 
+	}
 	if (!lr)
 		return NULL;
 
@@ -132,6 +233,8 @@
 {
 	rec->func_close(rec);
 	free(rec);
+
+	selabel_subs_fini();
 }
 
 void selabel_stats(struct selabel_handle *rec)

Re: SELinux context patch

[Chad Sellers]

On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> This patch adds context files for virtual_domain and virtual_image,
> these are both being used to locat the default context to be executed by
> svirt.
> 
> I also included the subs patch which I submitted before.  This patch
> allows us to substitute prefixes to matchpathcon.
> 
> So we can say /export/home == /home
> 
> and
> 
> /web == /var/www

I'm surprised that the subs patch didn't get much discussion before. Any
thoughts on this? Any worries that it might not meld well with the work
currently being done to integrate FCGlob?

Thanks,
Chad


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Caleb Case]

On Wed, May 20, 2009 at 12:08 PM, Chad Sellers <csellers@tresys.com> wrote:
> On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
>
>> This patch adds context files for virtual_domain and virtual_image,
>> these are both being used to locat the default context to be executed by
>> svirt.
>>
>> I also included the subs patch which I submitted before.  This patch
>> allows us to substitute prefixes to matchpathcon.
>>
>> So we can say /export/home == /home
>>
>> and
>>
>> /web == /var/www
>
> I'm surprised that the subs patch didn't get much discussion before. Any
> thoughts on this? Any worries that it might not meld well with the work
> currently being done to integrate FCGlob?
>
> Thanks,
> Chad
>

I don't think it will adversely affect FCGlob integration.

It is going to make it harder to understand what a file will get labeled though.

Might be useful for genhomedircon to generate a .subs file and for
refpolicy to provide labeling on a selinux user basis for home
directories:

/root
/home/unconfined_u
/home/sysadm_u
...

with a .subs:

/home/bob /home/unconfined_u
/home/sally /home/sysadm_u
...

It doesn't support directories with spaces in them.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Chad Sellers]

On 6/4/09 3:13 PM, "Caleb Case" <ccase@tresys.com> wrote:
> 
> I don't think it will adversely affect FCGlob integration.
> 
Very good.

<snip>
> 
> It doesn't support directories with spaces in them.

An excellent point, though it looks like file_contexts doesn't support
spaces right now either.

Thanks,
Chad


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Daniel J Walsh]

On 06/04/2009 04:47 PM, Chad Sellers wrote:
> On 6/4/09 3:13 PM, "Caleb Case"<ccase@tresys.com>  wrote:
>>
>> I don't think it will adversely affect FCGlob integration.
>>
> Very good.
>
> <snip>
>>
>> It doesn't support directories with spaces in them.
>
> An excellent point, though it looks like file_contexts doesn't support
> spaces right now either.
>
> Thanks,
> Chad
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
Directories with spaces, are satanic.

Just say no to spaces in Directory names.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Daniel J Walsh]

On 06/04/2009 03:13 PM, Caleb Case wrote:
> On Wed, May 20, 2009 at 12:08 PM, Chad Sellers<csellers@tresys.com>  wrote:
>> On 5/18/09 2:16 PM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>>
>>> This patch adds context files for virtual_domain and virtual_image,
>>> these are both being used to locat the default context to be executed by
>>> svirt.
>>>
>>> I also included the subs patch which I submitted before.  This patch
>>> allows us to substitute prefixes to matchpathcon.
>>>
>>> So we can say /export/home == /home
>>>
>>> and
>>>
>>> /web == /var/www
>>
>> I'm surprised that the subs patch didn't get much discussion before. Any
>> thoughts on this? Any worries that it might not meld well with the work
>> currently being done to integrate FCGlob?
>>
>> Thanks,
>> Chad
>>
>
> I don't think it will adversely affect FCGlob integration.
>
> It is going to make it harder to understand what a file will get labeled though.
>
> Might be useful for genhomedircon to generate a .subs file and for
> refpolicy to provide labeling on a selinux user basis for home
> directories:
>
> /root
> /home/unconfined_u
> /home/sysadm_u
> ...
>
> with a .subs:
>
> /home/bob /home/unconfined_u
> /home/sally /home/sysadm_u
> ...
>
> It doesn't support directories with spaces in them.
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
I would like genhomedircon to just go away totally.   Or make it 
voluntary, not run in every policy update.   getpw() is not guaranteed 
to return all users in a Directory and setting up labeling for 100,000 
users is just kooky.

The beauty of this patch is it allows admin to take back control of 
labeling of homedir.  If they want to put home dirs in a random location 
and have symlinks from the HOMEDIR labeled in /etc/passwd
This will work.  I have had bug reports where people setup different 
HOMEDIR links depending on where the machine is at home or in the office 
or if they have a remove NFS and a local files.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Christopher J. PeBenito]

On Thu, 2009-06-04 at 15:13 -0400, Caleb Case wrote:
> On Wed, May 20, 2009 at 12:08 PM, Chad Sellers <csellers@tresys.com> wrote:
> > On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> >
> >> This patch adds context files for virtual_domain and virtual_image,
> >> these are both being used to locat the default context to be executed by
> >> svirt.
> >>
> >> I also included the subs patch which I submitted before.  This patch
> >> allows us to substitute prefixes to matchpathcon.
> >>
> >> So we can say /export/home == /home
> >>
> >> and
> >>
> >> /web == /var/www
> >
> > I'm surprised that the subs patch didn't get much discussion before. Any
> > thoughts on this? Any worries that it might not meld well with the work
> > currently being done to integrate FCGlob?
> >
> > Thanks,
> > Chad
> >
> 
> I don't think it will adversely affect FCGlob integration.
> 
> It is going to make it harder to understand what a file will get labeled though.
> 
> Might be useful for genhomedircon to generate a .subs file and for
> refpolicy to provide labeling on a selinux user basis for home
> directories:
> 
> /root
> /home/unconfined_u
> /home/sysadm_u
> ...
> 
> with a .subs:
> 
> /home/bob /home/unconfined_u
> /home/sally /home/sysadm_u
> ...

Substituting the entire home dir root, like Dan's example /export/home
== /home above, makes sense to me.  However, I do not like the idea of
adding dummy file context entries to the policy like the above example
(/home/unconfined_u and /home/sysadm_u) to make substitution usable for
creating file contexts for individual home dirs.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Christopher J. PeBenito]

On Fri, 2009-06-05 at 13:12 -0400, Christopher J. PeBenito wrote:
> On Thu, 2009-06-04 at 15:13 -0400, Caleb Case wrote:
> > On Wed, May 20, 2009 at 12:08 PM, Chad Sellers <csellers@tresys.com> wrote:
> > > On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> > >
> > >> This patch adds context files for virtual_domain and virtual_image,
> > >> these are both being used to locat the default context to be executed by
> > >> svirt.
> > >>
> > >> I also included the subs patch which I submitted before.  This patch
> > >> allows us to substitute prefixes to matchpathcon.
> > >>
> > >> So we can say /export/home == /home
> > >>
> > >> and
> > >>
> > >> /web == /var/www
> > >
> > > I'm surprised that the subs patch didn't get much discussion before. Any
> > > thoughts on this? Any worries that it might not meld well with the work
> > > currently being done to integrate FCGlob?
> > >
> > > Thanks,
> > > Chad
> > >
> > 
> > I don't think it will adversely affect FCGlob integration.
> > 
> > It is going to make it harder to understand what a file will get labeled though.
> > 
> > Might be useful for genhomedircon to generate a .subs file and for
> > refpolicy to provide labeling on a selinux user basis for home
> > directories:
> > 
> > /root
> > /home/unconfined_u
> > /home/sysadm_u
> > ...
> > 
> > with a .subs:
> > 
> > /home/bob /home/unconfined_u
> > /home/sally /home/sysadm_u
> > ...
> 
> Substituting the entire home dir root, like Dan's example /export/home
> == /home above, makes sense to me.  However, I do not like the idea of
> adding dummy file context entries to the policy like the above example
> (/home/unconfined_u and /home/sysadm_u) to make substitution usable for
> creating file contexts for individual home dirs.

The purpose of genhomedircon is to create these types of entries.  I
don't think we want file contexts in the policy that aren't actually
intended to be used.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Chad Sellers]

On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> This patch adds context files for virtual_domain and virtual_image,
> these are both being used to locat the default context to be executed by
> svirt.
> 
> I also included the subs patch which I submitted before.  This patch
> allows us to substitute prefixes to matchpathcon.
> 
> So we can say /export/home == /home
> 
> and
> 
> /web == /var/www

The only problem I see with the patch is:

+                       sub->dst=strdup(dst);
+                       if (! sub->dst) {
+                               free(sub);
+                               free(sub->src);
+                               return -1;
+                       }

the free()'s should be reversed in order. Other than that the patch looks
fine. I'll fix this in the merge.

Acked-by: Chad Sellers <csellers@tresys.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux context patch

[Joshua Brindle]

Chad Sellers wrote:
> On 5/18/09 2:16 PM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>
>> This patch adds context files for virtual_domain and virtual_image,
>> these are both being used to locat the default context to be executed by
>> svirt.
>>
>> I also included the subs patch which I submitted before.  This patch
>> allows us to substitute prefixes to matchpathcon.
>>
>> So we can say /export/home == /home
>>
>> and
>>
>> /web == /var/www
>
> The only problem I see with the patch is:
>
> +                       sub->dst=strdup(dst);
> +                       if (! sub->dst) {
> +                               free(sub);
> +                               free(sub->src);
> +                               return -1;
> +                       }
>
> the free()'s should be reversed in order. Other than that the patch looks
> fine. I'll fix this in the merge.
>
> Acked-by: Chad Sellers<csellers@tresys.com>
>

Merged in libselinux 2.0.82

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.