From: Christopher Pardy <cpardy@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings
Date: Wed, 01 Jul 2009 22:13:37 -0400 [thread overview]
Message-ID: <4A4C17D1.3060208@redhat.com> (raw)
In-Reply-To: <4A4C168C.2040900@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 6159 bytes --]
On 07/01/2009 10:08 PM, Christopher Pardy wrote:
> This is a heavily modified version of the patch I recently submitted.
> It provides 3 new functions: in libsepol sepol_get_disable_dontaudit;
> in libsemanage semanage_get_disable_dontaudit; in libselinux
> is_dontaudit_disabled. It also fixes issues with the previous patch.
>
> The justification for this patch is the same as the one I posted
> earlier. Simply, there is currently no way to know if dontaudit rules
> are enabled. Additionally once don't audit rules are turned they turn
> themselves off after policy rebuild (is that the desired
> functionality?) This patch provides a way to check on both the
> current and pending state of the dontaudit rules and it maintains this
> state between policy rebuilds.
>
> Signed-off-by Christopher Pardy <cpardy@redhat.com>
This patch implements the functions in libsemanage and libselinux.
diff -urN selinux.orig2/libselinux/include/selinux/selinux.h
selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h 2009-07-01
21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h 2009-07-01
21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
extern "C" {
#endif
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1
if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c
selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c 1969-12-31
19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c 2009-07-01 21:48:48.635521208
-0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+ if (access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
+hidden_def(is_dontaudit_disabled)
diff -urN selinux.orig2/libselinux/src/selinux_internal.h
selinux/libselinux/src/selinux_internal.h
--- selinux.orig2/libselinux/src/selinux_internal.h 2009-07-01
21:15:17.074235819 -0400
+++ selinux/libselinux/src/selinux_internal.h 2009-07-01
21:44:57.272486689 -0400
@@ -24,6 +24,7 @@
hidden_proto(security_compute_create_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(is_dontaudit_disabled)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h
selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01
21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-01
21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int
create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int
disable_dontaudit);
diff -urN selinux.orig2/libsemanage/src/handle.c
selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01
21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
+#include <limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -58,6 +59,9 @@
if (!sh->sepolh)
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+
+ /* Set the disable_dont audit to the system default */
+ semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int
disable_dontaudit)
{
assert(sh != NULL);
@@ -264,11 +276,22 @@
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction
lock yet.");
+ "Will not commit because caller does not have a transaction
lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
+ if (retval == 0){
+ char path[PATH_MAX];
+
snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+ if(semanage_get_disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else{
+ remove(path);
+ }
+ }
return retval;
}
diff -urN selinux.orig2/libsemanage/src/libsemanage.map
selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01
21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-01
21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check;
semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit;
semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4958 bytes --]
diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h 2009-07-01 21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h 2009-07-01 21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
extern "C" {
#endif
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c 1969-12-31 19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c 2009-07-01 21:48:48.635521208 -0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+ if (access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
+hidden_def(is_dontaudit_disabled)
diff -urN selinux.orig2/libselinux/src/selinux_internal.h selinux/libselinux/src/selinux_internal.h
--- selinux.orig2/libselinux/src/selinux_internal.h 2009-07-01 21:15:17.074235819 -0400
+++ selinux/libselinux/src/selinux_internal.h 2009-07-01 21:44:57.272486689 -0400
@@ -24,6 +24,7 @@
hidden_proto(security_compute_create_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(is_dontaudit_disabled)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-01 21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
+#include <limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -58,6 +59,9 @@
if (!sh->sepolh)
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+
+ /* Set the disable_dont audit to the system default */
+ semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
@@ -264,11 +276,22 @@
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
+ if (retval == 0){
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+ if(semanage_get_disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else{
+ remove(path);
+ }
+ }
return retval;
}
diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-01 21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
next prev parent reply other threads:[~2009-07-02 2:13 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-01 13:32 [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings] Christopher Pardy
2009-07-01 14:06 ` Stephen Smalley
2009-07-01 14:16 ` Stephen Smalley
2009-07-01 15:52 ` Christopher Pardy
2009-07-01 17:01 ` Stephen Smalley
2009-07-01 16:47 ` Daniel J Walsh
2009-07-01 15:57 ` Daniel J Walsh
2009-07-01 17:04 ` Stephen Smalley
2009-07-01 17:16 ` Daniel J Walsh
2009-07-01 17:40 ` Daniel J Walsh
2009-07-02 2:08 ` Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings Christopher Pardy
2009-07-02 2:11 ` [Patch 1/2] " Christopher Pardy
2009-07-02 12:39 ` Stephen Smalley
2009-07-02 13:40 ` Christopher Pardy
2009-07-02 2:13 ` Christopher Pardy [this message]
2009-07-02 12:46 ` [Patch 2/2] " Stephen Smalley
2009-07-02 13:55 ` Christopher Pardy
2009-07-02 14:13 ` Stephen Smalley
2009-07-02 14:30 ` Christopher Pardy
2009-07-02 14:35 ` Stephen Smalley
2009-07-02 15:32 ` [Patch 2/2] libsemanage: create a don't audit flag Christopher Pardy
2009-07-02 17:09 ` Stephen Smalley
2009-07-06 12:26 ` Christopher Pardy
2009-07-06 12:31 ` Christopher Pardy
2009-07-06 13:46 ` Stephen Smalley
2009-07-06 13:52 ` Stephen Smalley
2009-07-06 14:42 ` [Patch 1/2] libsepol: method to check disable dontaudit flag Christopher Pardy
2009-07-06 14:54 ` [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits Christopher Pardy
2009-07-06 15:03 ` Stephen Smalley
2009-07-06 15:17 ` Daniel J Walsh
2009-07-06 15:54 ` Christopher Pardy
2009-07-06 16:55 ` Stephen Smalley
2009-07-06 17:37 ` [Patch 2/2 v2] " Christopher Pardy
2009-07-06 18:07 ` Stephen Smalley
2009-07-06 18:12 ` Stephen Smalley
2009-07-06 19:10 ` [Patch 2/2 v3] " Christopher Pardy
2009-07-06 19:30 ` Stephen Smalley
2009-07-07 11:45 ` Stephen Smalley
2009-07-07 12:47 ` Christopher Pardy
2009-07-07 12:54 ` Stephen Smalley
2009-07-07 13:48 ` [Patch 2/2 v4] " Christopher Pardy
2009-07-07 14:20 ` Stephen Smalley
2009-07-07 14:41 ` Christopher Pardy
2009-07-07 14:53 ` Stephen Smalley
2009-07-07 14:59 ` Joshua Brindle
2009-07-07 16:07 ` Christopher Pardy
2009-07-07 16:55 ` Stephen Smalley
2009-07-07 17:30 ` [Patch 2/2 v6] " Christopher Pardy
2009-07-06 17:41 ` [Patch 3/2] semodule: maintain old functionality Christopher Pardy
2009-07-06 17:49 ` Joshua Brindle
2009-07-06 18:01 ` [Patch 3/2 v2] " Christopher Pardy
2009-07-02 14:16 ` [Patch 2/2] libsemanage, libselinux: Get don't audit settings from handle and remember settings after commit Christopher Pardy
2009-07-02 12:33 ` Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings Stephen Smalley
2009-07-02 14:01 ` [Patch " Christopher Pardy
2009-07-02 12:40 ` Stephen Smalley
2009-07-01 19:19 ` [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings] Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A4C17D1.3060208@redhat.com \
--to=cpardy@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.