From: Christopher Pardy <cpardy@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: [Patch 2/2] libsemanage, libselinux: Get don't audit settings from handle and remember settings after commit.
Date: Thu, 02 Jul 2009 10:16:00 -0400 [thread overview]
Message-ID: <4A4CC120.9010603@redhat.com> (raw)
In-Reply-To: <4A4CBC6C.5090709@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 5886 bytes --]
Fixed location of file, removed hiddendef and hiddenproto.
This patch provide an libselinux call to check if dontaudit rules are
disabled after rebuilding policy. It also includes a libsemange call to
check if dontaudit rules will be disabled after policy rebuild. This
functionality is required firstly by administrators who wish to know if
dontaudit rules are disabled, secondly by programs which will
manipulate this data and may want to check it's settings.
Signed-off-by Christopher Pardy <cpardy@redhat.com>
diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h 2009-07-01 21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h 2009-07-01 21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
extern "C" {
#endif
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c 1969-12-31 19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c 2009-07-01 21:48:48.635521208 -0400
@@ -0,0 +1,21 @@
+#include<unistd.h>
+#include<selinux/selinux.h>
+#include "selinux_internal.h"
+#include<stdlib.h>
+#include<limits.h>
+#include<stdarg.h>
+#include<stdio.h>
+#include<string.h>
+
+int is_dontaudit_disabled(void)
+{
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+ if (access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
+hidden_def(is_dontaudit_disabled)
diff -urN selinux.orig2/libselinux/src/selinux_internal.h selinux/libselinux/src/selinux_internal.h
--- selinux.orig2/libselinux/src/selinux_internal.h 2009-07-01 21:15:17.074235819 -0400
+++ selinux/libselinux/src/selinux_internal.h 2009-07-01 21:44:57.272486689 -0400
@@ -24,6 +24,7 @@
hidden_proto(security_compute_create_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
+ hidden_proto(is_dontaudit_disabled)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-01 21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
#include<stdio.h>
#include<string.h>
#include<sys/time.h>
+#include<limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -58,6 +59,9 @@
if (!sh->sepolh)
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+
+ /* Set the disable_dont audit to the system default */
+ semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
@@ -264,11 +276,22 @@
assert(sh != NULL&& sh->funcs != NULL&& sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
+ if (retval == 0){
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+ if(semanage_get_disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else{
+ remove(path);
+ }
+ }
return retval;
}
diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-01 21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4361 bytes --]
diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h 2009-07-01 21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h 2009-07-01 21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
extern "C" {
#endif
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c 1969-12-31 19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c 2009-07-01 21:48:48.635521208 -0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/modules/disable_dontaudit",selinux_policy_root());
+
+ if (access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-01 21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
+#include <limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -58,6 +59,9 @@
if (!sh->sepolh)
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+
+ /* Set the disable_dont audit to the system default */
+ semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
@@ -264,11 +276,22 @@
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
+ if (retval == 0){
+ char path[PATH_MAX];
+ snprintf(path,PATH_MAX,"%s/modules/disable_dontaudit",selinux_policy_root());
+ if(semanage_get_disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else{
+ remove(path);
+ }
+ }
return retval;
}
diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-01 21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
next prev parent reply other threads:[~2009-07-02 14:16 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-01 13:32 [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings] Christopher Pardy
2009-07-01 14:06 ` Stephen Smalley
2009-07-01 14:16 ` Stephen Smalley
2009-07-01 15:52 ` Christopher Pardy
2009-07-01 17:01 ` Stephen Smalley
2009-07-01 16:47 ` Daniel J Walsh
2009-07-01 15:57 ` Daniel J Walsh
2009-07-01 17:04 ` Stephen Smalley
2009-07-01 17:16 ` Daniel J Walsh
2009-07-01 17:40 ` Daniel J Walsh
2009-07-02 2:08 ` Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings Christopher Pardy
2009-07-02 2:11 ` [Patch 1/2] " Christopher Pardy
2009-07-02 12:39 ` Stephen Smalley
2009-07-02 13:40 ` Christopher Pardy
2009-07-02 2:13 ` [Patch 2/2] " Christopher Pardy
2009-07-02 12:46 ` Stephen Smalley
2009-07-02 13:55 ` Christopher Pardy
2009-07-02 14:13 ` Stephen Smalley
2009-07-02 14:30 ` Christopher Pardy
2009-07-02 14:35 ` Stephen Smalley
2009-07-02 15:32 ` [Patch 2/2] libsemanage: create a don't audit flag Christopher Pardy
2009-07-02 17:09 ` Stephen Smalley
2009-07-06 12:26 ` Christopher Pardy
2009-07-06 12:31 ` Christopher Pardy
2009-07-06 13:46 ` Stephen Smalley
2009-07-06 13:52 ` Stephen Smalley
2009-07-06 14:42 ` [Patch 1/2] libsepol: method to check disable dontaudit flag Christopher Pardy
2009-07-06 14:54 ` [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits Christopher Pardy
2009-07-06 15:03 ` Stephen Smalley
2009-07-06 15:17 ` Daniel J Walsh
2009-07-06 15:54 ` Christopher Pardy
2009-07-06 16:55 ` Stephen Smalley
2009-07-06 17:37 ` [Patch 2/2 v2] " Christopher Pardy
2009-07-06 18:07 ` Stephen Smalley
2009-07-06 18:12 ` Stephen Smalley
2009-07-06 19:10 ` [Patch 2/2 v3] " Christopher Pardy
2009-07-06 19:30 ` Stephen Smalley
2009-07-07 11:45 ` Stephen Smalley
2009-07-07 12:47 ` Christopher Pardy
2009-07-07 12:54 ` Stephen Smalley
2009-07-07 13:48 ` [Patch 2/2 v4] " Christopher Pardy
2009-07-07 14:20 ` Stephen Smalley
2009-07-07 14:41 ` Christopher Pardy
2009-07-07 14:53 ` Stephen Smalley
2009-07-07 14:59 ` Joshua Brindle
2009-07-07 16:07 ` Christopher Pardy
2009-07-07 16:55 ` Stephen Smalley
2009-07-07 17:30 ` [Patch 2/2 v6] " Christopher Pardy
2009-07-06 17:41 ` [Patch 3/2] semodule: maintain old functionality Christopher Pardy
2009-07-06 17:49 ` Joshua Brindle
2009-07-06 18:01 ` [Patch 3/2 v2] " Christopher Pardy
2009-07-02 14:16 ` Christopher Pardy [this message]
2009-07-02 12:33 ` Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings Stephen Smalley
2009-07-02 14:01 ` [Patch " Christopher Pardy
2009-07-02 12:40 ` Stephen Smalley
2009-07-01 19:19 ` [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings] Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A4CC120.9010603@redhat.com \
--to=cpardy@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.