[Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 371 bytes --]

Creates a empty file disable_dontaudit in the polciy directory
(/etc/selinux/<policytype>). Checks for the existance of this file to
set the sepol disable don't audit upon handle creation. Also provides
the function "int semanage_get_disable_dontaudit()" which returns the
don't audit property of the current policy.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

[-- Attachment #2: libsemanage.patch --]
[-- Type: text/plain, Size: 2375 bytes --]

diff -r selinux/libsemanage/include/semanage/handle.h selinux.old/libsemanage/include/semanage/handle.h
72,74d71
< /* Get the whether or not dontaudits are disabled upon commit */
< int semanage_get_disable_dontudit();
< 
Only in selinux/libsemanage/src: boolean_record.o
Only in selinux/libsemanage/src: booleans_activedb.o
Only in selinux/libsemanage/src: booleans_active.o
Only in selinux/libsemanage/src: booleans_file.o
Only in selinux/libsemanage/src: booleans_local.o
Only in selinux/libsemanage/src: booleans_policydb.o
Only in selinux/libsemanage/src: booleans_policy.o
Only in selinux/libsemanage/src: context_record.o
Only in selinux/libsemanage/src: database_activedb.o
Only in selinux/libsemanage/src: database_file.o
Only in selinux/libsemanage/src: database_join.o
Only in selinux/libsemanage/src: database_llist.o
Only in selinux/libsemanage/src: database.o
Only in selinux/libsemanage/src: database_policydb.o
Only in selinux/libsemanage/src: debug.o
Only in selinux/libsemanage/src: direct_api.o
Only in selinux/libsemanage/src: fcontext_record.o
Only in selinux/libsemanage/src: fcontexts_file.o
Only in selinux/libsemanage/src: fcontexts_local.o
Only in selinux/libsemanage/src: fcontexts_policy.o
diff -r selinux/libsemanage/src/handle.c selinux.old/libsemanage/src/handle.c
30d29
< #include <unistd.h>
80,82d78
< 	/* Set disable dontaudit */
< 	sepol_set_disable_dontaudit(sh->sepolh,semanage_get_disable_dontaudit())
< 
117,135d112
< int semanage_get_disable_dontaudit()
< {
< 	/*get the policy type*/
< 	char *poltype;
< 	selinux_getpolicytype(&poltype);
< 	/*create a pathname*/
< 	char path[255];
< 	strcpy(path,"/etc/selinux/");
< 	strcat(path,poltype);
< 	strcat(path,"/disable_dontaudit");
< 	/*free the string poltype string*/
< 	free(poltype);
< 	/*check for the files existance*/
< 	if (access(path,F_OK) == 0)
< 		return 1;
< 	else
< 		return 0;
< }
< 
141,158d117
< 	/*get the policy type*/
< 	char *poltype;
< 	selinux_getpolicytype(&poltype);
< 	/*create a pathname*/
< 	char path[255];
< 	strcpy(path,"/etc/selinux/");
< 	strcat(path,poltype);
< 	strcat(path,"/disable_dontaudit");
< 	/*free the string poltype string*/
< 	free(poltype);
< 	/*touch or delete the file*/
< 	if (disable_dontaudit != 0){
< 		FILE *touch;
< 		touch = fopen(path,"w");
< 		fclose(touch);
< 	}else
< 		remove(path);
< 
Only in selinux/libsepol/tests: debug.o

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Stephen Smalley]

On Wed, 2009-07-01 at 09:32 -0400, Christopher Pardy wrote:
> Creates a empty file disable_dontaudit in the polciy directory
> (/etc/selinux/<policytype>). Checks for the existance of this file to
> set the sepol disable don't audit upon handle creation. Also provides
> the function "int semanage_get_disable_dontaudit()" which returns the
> don't audit property of the current policy.
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>

Your patch is not correctly generated.  Please read
http://userweb.kernel.org/~akpm/stuff/tpp.txt

In your description, please explain the rationale for the patch, not
just what it does - we can discover the latter from reading the code,
but not the former.

Why do we want this functionality?  Why is it better than the existing
semodule -DB to disable dontaudit rules and semodule -B to re-enable
them?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Stephen Smalley]

On Wed, 2009-07-01 at 10:06 -0400, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 09:32 -0400, Christopher Pardy wrote:
> > Creates a empty file disable_dontaudit in the polciy directory
> > (/etc/selinux/<policytype>). Checks for the existance of this file to
> > set the sepol disable don't audit upon handle creation. Also provides
> > the function "int semanage_get_disable_dontaudit()" which returns the
> > don't audit property of the current policy.
> > 
> > Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> Your patch is not correctly generated.  Please read
> http://userweb.kernel.org/~akpm/stuff/tpp.txt

Oh, and also:
http://lxr.linux.no/linux/Documentation/SubmittingPatches

> In your description, please explain the rationale for the patch, not
> just what it does - we can discover the latter from reading the code,
> but not the former.
> 
> Why do we want this functionality?  Why is it better than the existing
> semodule -DB to disable dontaudit rules and semodule -B to re-enable
> them?
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 370 bytes --]

This patch allows for the disable_dontaudit setting to be maintained 
between calls to compile policy. Currently if policy is recompiled 
dontaudit rules are automatically turned on unless they are specifically 
disabled. Additionally this patch provides the ability to check weather 
dontaudit rules are turned on.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

[-- Attachment #2: libsemanage[2].patch --]
[-- Type: text/plain, Size: 2501 bytes --]

diff -uprN --exclude='*.o' selinux/libsemanage/include/semanage/handle.h selinux.old/libsemanage/include/semanage/handle.h
--- selinux/libsemanage/include/semanage/handle.h	2009-07-01 09:15:05.470541448 -0400
+++ selinux.old/libsemanage/include/semanage/handle.h	2009-07-01 07:35:33.397536085 -0400
@@ -69,9 +69,6 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
-/* Get the whether or not dontaudits are disabled upon commit */
-int semanage_get_disable_dontudit();
-
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -uprN --exclude='*.o' selinux/libsemanage/src/handle.c selinux.old/libsemanage/src/handle.c
--- selinux/libsemanage/src/handle.c	2009-07-01 09:10:05.741293868 -0400
+++ selinux.old/libsemanage/src/handle.c	2009-07-01 07:35:33.462536710 -0400
@@ -27,7 +27,6 @@
 #include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
-#include <unistd.h>
 #include <string.h>
 #include <sys/time.h>
 
@@ -77,9 +76,6 @@ semanage_handle_t *semanage_handle_creat
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
-	/* Set disable dontaudit */
-	sepol_set_disable_dontaudit(sh->sepolh,semanage_get_disable_dontaudit())
-
 	return sh;
 
       err:
@@ -114,48 +110,11 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
-int semanage_get_disable_dontaudit()
-{
-	/*get the policy type*/
-	char *poltype;
-	selinux_getpolicytype(&poltype);
-	/*create a pathname*/
-	char path[255];
-	strcpy(path,"/etc/selinux/");
-	strcat(path,poltype);
-	strcat(path,"/disable_dontaudit");
-	/*free the string poltype string*/
-	free(poltype);
-	/*check for the files existance*/
-	if (access(path,F_OK) == 0)
-		return 1;
-	else
-		return 0;
-}
-
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
 	
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
-	/*get the policy type*/
-	char *poltype;
-	selinux_getpolicytype(&poltype);
-	/*create a pathname*/
-	char path[255];
-	strcpy(path,"/etc/selinux/");
-	strcat(path,poltype);
-	strcat(path,"/disable_dontaudit");
-	/*free the string poltype string*/
-	free(poltype);
-	/*touch or delete the file*/
-	if (disable_dontaudit != 0){
-		FILE *touch;
-		touch = fopen(path,"w");
-		fclose(touch);
-	}else
-		remove(path);
-
 	return;
 }
 

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Stephen Smalley]

On Wed, 2009-07-01 at 11:52 -0400, Christopher Pardy wrote:
> This patch allows for the disable_dontaudit setting to be maintained 
> between calls to compile policy. Currently if policy is recompiled 
> dontaudit rules are automatically turned on unless they are specifically 
> disabled. Additionally this patch provides the ability to check weather 
> dontaudit rules are turned on.
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>

Better description, thanks.  s/weather/whether/

Patches should be inlined though so that we can reply and comment on
them inline.

Your patch was reversed.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Daniel J Walsh]

On 07/01/2009 10:06 AM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 09:32 -0400, Christopher Pardy wrote:
>> Creates a empty file disable_dontaudit in the polciy directory
>> (/etc/selinux/<policytype>). Checks for the existance of this file to
>> set the sepol disable don't audit upon handle creation. Also provides
>> the function "int semanage_get_disable_dontaudit()" which returns the
>> don't audit property of the current policy.
>>
>> Signed-off-by: Christopher Pardy<cpardy@redhat.com>
>
> Your patch is not correctly generated.  Please read
> http://userweb.kernel.org/~akpm/stuff/tpp.txt
>
> In your description, please explain the rationale for the patch, not
> just what it does - we can discover the latter from reading the code,
> but not the former.
>
> Why do we want this functionality?  Why is it better than the existing
> semodule -DB to disable dontaudit rules and semodule -B to re-enable
> them?
>
He is not changing the behaviour of semodule -DB or semodule -B

His goal is to maintain the state and be able to show the state to a user.

semodule -DB
semodule -i module

Are the dontaudits enabled or disabled?

THey are enabled, which I believe is wrong.

The goal of Chris's patch is to maintain the disable until you execute 
semodule -B

And to be able to show in a gui whether or not you have disabled the 
dontaudit rules.

We talked about his patch and he will be sending another pass at this 
shortly.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 459 bytes --]

On 07/01/2009 09:32 AM, Christopher Pardy wrote:
> Creates a empty file disable_dontaudit in the polciy directory
> (/etc/selinux/<policytype>). Checks for the existance of this file to
> set the sepol disable don't audit upon handle creation. Also provides
> the function "int semanage_get_disable_dontaudit()" which returns the
> don't audit property of the current policy.
>
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>

Better version of patch.

[-- Attachment #2: libsemanage.patch --]
[-- Type: text/plain, Size: 2472 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/handle.h libsemanage-2.0.32/include/semanage/handle.h
--- nsalibsemanage/include/semanage/handle.h	2008-11-14 17:10:15.000000000 -0500
+++ libsemanage-2.0.32/include/semanage/handle.h	2009-07-01 11:29:25.000000000 -0400
@@ -72,6 +72,9 @@
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
+/* Get the whether or not dontaudits are disabled upon commit */
+int semanage_get_disable_dontudit();
+ 
 /* Check whether policy is managed via libsemanage on this system.
  * Must be called prior to trying to connect.
  * Return 1 if policy is managed via libsemanage on this system,
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.c libsemanage-2.0.32/src/handle.c
--- nsalibsemanage/src/handle.c	2008-11-14 17:10:15.000000000 -0500
+++ libsemanage-2.0.32/src/handle.c	2009-07-01 11:49:20.000000000 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -76,7 +77,10 @@
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
-	return sh;
+ 	/* Set disable dontaudit */
+ 	sepol_set_disable_dontaudit(sh->sepolh,semanage_get_disable_dontaudit());
+
+ 	return sh;
 
       err:
 	semanage_handle_destroy(sh);
@@ -110,11 +114,32 @@
 	return;
 }
 
+int semanage_get_disable_dontaudit()
+{
+ 	char path[PATH_MAX];
+	snprintf(path, PATH_MAX, "%s/disable_dontaudit", selinux_policy_root());
+	
+	/*check for the files existance*/
+	return (access(path,F_OK) == 0);
+}
+ 
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
+
+ 	char path[PATH_MAX];
+	snprintf(path, PATH_MAX, "%s/disable_dontaudit", selinux_policy_root());
 	
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+
+ 	/*touch or delete the file*/
+ 	if (disable_dontaudit != 0){
+ 		FILE *touch;
+ 		touch = fopen(path,"w");
+ 		fclose(touch);
+ 	}else
+ 		remove(path);
+
 	return;
 }
 
@@ -264,7 +289,7 @@
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Stephen Smalley]

On Wed, 2009-07-01 at 11:57 -0400, Daniel J Walsh wrote:
> On 07/01/2009 09:32 AM, Christopher Pardy wrote:
> > Creates a empty file disable_dontaudit in the polciy directory
> > (/etc/selinux/<policytype>). Checks for the existance of this file to
> > set the sepol disable don't audit upon handle creation. Also provides
> > the function "int semanage_get_disable_dontaudit()" which returns the
> > don't audit property of the current policy.
> >
> > Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> Better version of patch.

How does one then re-enable dontaudit rules using semodule or semanage?

We've trained our users to do the following sequence:
	semodule -DB
	<trigger AVC denials>
	semodule -B

With the patch, the latter step will not re-enable dontaudit rules
unless you also change semodule, right?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Daniel J Walsh]

On 07/01/2009 01:04 PM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 11:57 -0400, Daniel J Walsh wrote:
>> On 07/01/2009 09:32 AM, Christopher Pardy wrote:
>>> Creates a empty file disable_dontaudit in the polciy directory
>>> (/etc/selinux/<policytype>). Checks for the existance of this file to
>>> set the sepol disable don't audit upon handle creation. Also provides
>>> the function "int semanage_get_disable_dontaudit()" which returns the
>>> don't audit property of the current policy.
>>>
>>> Signed-off-by: Christopher Pardy<cpardy@redhat.com>
>> Better version of patch.
>
> How does one then re-enable dontaudit rules using semodule or semanage?
>
> We've trained our users to do the following sequence:
> 	semodule -DB
> 	<trigger AVC denials>
> 	semodule -B
>
> With the patch, the latter step will not re-enable dontaudit rules
> unless you also change semodule, right?
>
Ok you are right, We need to change semodule -B to enable set turn the 
flag off.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1077 bytes --]

On 07/01/2009 01:04 PM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 11:57 -0400, Daniel J Walsh wrote:
>> On 07/01/2009 09:32 AM, Christopher Pardy wrote:
>>> Creates a empty file disable_dontaudit in the polciy directory
>>> (/etc/selinux/<policytype>). Checks for the existance of this file to
>>> set the sepol disable don't audit upon handle creation. Also provides
>>> the function "int semanage_get_disable_dontaudit()" which returns the
>>> don't audit property of the current policy.
>>>
>>> Signed-off-by: Christopher Pardy<cpardy@redhat.com>
>> Better version of patch.
>
> How does one then re-enable dontaudit rules using semodule or semanage?
>
> We've trained our users to do the following sequence:
> 	semodule -DB
> 	<trigger AVC denials>
> 	semodule -B
>
> With the patch, the latter step will not re-enable dontaudit rules
> unless you also change semodule, right?
>
Patch for semodule command

semodule -B

Will now turn on dontaudit rules

semodule -DB

Will turn off dontaudit rules.

With other patch all other semanage commands will maintain state.



[-- Attachment #2: policycoreutils-dontaudit.patch --]
[-- Type: text/plain, Size: 617 bytes --]

diff -up policycoreutils-2.0.64/semodule/semodule.c~ policycoreutils-2.0.64/semodule/semodule.c
--- policycoreutils-2.0.64/semodule/semodule.c~	2009-06-23 15:36:25.000000000 -0400
+++ policycoreutils-2.0.64/semodule/semodule.c	2009-07-01 13:34:42.027229000 -0400
@@ -417,8 +418,10 @@ int main(int argc, char *argv[])
 			printf("Committing changes:\n");
 		if (no_reload)
 			semanage_set_reload(sh, 0);
-		if (build)
+		if (build) {
+			semanage_set_disable_dontaudit(sh, 0);
 			semanage_set_rebuild(sh, 1);
+		}
 		if (disable_dontaudit)
 			semanage_set_disable_dontaudit(sh, 1);
 		result = semanage_commit(sh);

Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

This is a heavily modified version of the patch I recently submitted. It 
provides 3 new functions: in libsepol sepol_get_disable_dontaudit; in 
libsemanage semanage_get_disable_dontaudit; in libselinux 
is_dontaudit_disabled. It also fixes issues with the previous patch.

The justification for this patch is the same as the one I posted 
earlier. Simply, there is currently no way to know if dontaudit rules 
are  enabled. Additionally once don't audit rules are turned they turn 
themselves off after policy rebuild (is that the desired functionality?) 
This patch provides  a way to check on both the current and pending 
state of the dontaudit rules and it maintains this state between policy 
rebuilds.

Signed-off-by Christopher Pardy <cpardy@redhat.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 1/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 2780 bytes --]

On 07/01/2009 10:08 PM, Christopher Pardy wrote:
> This is a heavily modified version of the patch I recently submitted. 
> It provides 3 new functions: in libsepol sepol_get_disable_dontaudit; 
> in libsemanage semanage_get_disable_dontaudit; in libselinux 
> is_dontaudit_disabled. It also fixes issues with the previous patch.
>
> The justification for this patch is the same as the one I posted 
> earlier. Simply, there is currently no way to know if dontaudit rules 
> are  enabled. Additionally once don't audit rules are turned they turn 
> themselves off after policy rebuild (is that the desired 
> functionality?) This patch provides  a way to check on both the 
> current and pending state of the dontaudit rules and it maintains this 
> state between policy rebuilds.
>
> Signed-off-by Christopher Pardy <cpardy@redhat.com>
Patch 1 implements libsepol function. Including inline and attaching in 
case thunderbird messes up tabs.

diff -urN selinux.orig/libsepol/include/sepol/handle.h 
selinux/libsepol/include/sepol/handle.h
--- selinux.orig/libsepol/include/sepol/handle.h    2009-07-01 
21:05:26.823235749 -0400
+++ selinux/libsepol/include/sepol/handle.h    2009-07-01 
21:08:33.277237031 -0400
@@ -7,6 +7,12 @@
  /* Create and return a sepol handle. */
  sepol_handle_t *sepol_handle_create(void);

+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by disable dont audit. This value reflects the state
+ * your system will be set to upon commit, not nessesarily it's
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
  /* Set whether or not to disable dontaudits, 0 is default and does
   * not disable dontaudits, 1 disables them */
  void sepol_set_disable_dontaudit(sepol_handle_t * sh, int 
disable_dontaudit);
diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
--- selinux.orig/libsepol/src/handle.c    2009-07-01 21:05:26.854236864 
-0400
+++ selinux/libsepol/src/handle.c    2009-07-01 21:07:15.532236991 -0400
@@ -21,6 +21,12 @@
      return sh;
  }

+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+    assert(sh !=NULL);
+    return sh->disable_dontaudit;
+}
+
  void sepol_set_disable_dontaudit(sepol_handle_t * sh, int 
disable_dontaudit)
  {
      assert(sh !=NULL);
diff -urN selinux.orig/libsepol/src/libsepol.map 
selinux/libsepol/src/libsepol.map
--- selinux.orig/libsepol/src/libsepol.map    2009-07-01 
21:05:26.848236011 -0400
+++ selinux/libsepol/src/libsepol.map    2009-07-01 21:07:45.948485729 -0400
@@ -12,6 +12,7 @@
      sepol_policydb_*; sepol_set_policydb_from_file;
      sepol_policy_kern_*;
      sepol_policy_file_*;
+    sepol_get_disable_dontaudit;
      sepol_set_disable_dontaudit;
      sepol_set_expand_consume_base;
    local: *;

[-- Attachment #2: selinux.patch1 --]
[-- Type: text/plain, Size: 1768 bytes --]

diff -urN selinux.orig/libsepol/include/sepol/handle.h selinux/libsepol/include/sepol/handle.h
--- selinux.orig/libsepol/include/sepol/handle.h	2009-07-01 21:05:26.823235749 -0400
+++ selinux/libsepol/include/sepol/handle.h	2009-07-01 21:08:33.277237031 -0400
@@ -7,6 +7,12 @@
 /* Create and return a sepol handle. */
 sepol_handle_t *sepol_handle_create(void);
 
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by disable dont audit. This value reflects the state
+ * your system will be set to upon commit, not nessesarily it's
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
 /* Set whether or not to disable dontaudits, 0 is default and does 
  * not disable dontaudits, 1 disables them */
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
--- selinux.orig/libsepol/src/handle.c	2009-07-01 21:05:26.854236864 -0400
+++ selinux/libsepol/src/handle.c	2009-07-01 21:07:15.532236991 -0400
@@ -21,6 +21,12 @@
 	return sh;
 }
 
+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+	assert(sh !=NULL);
+	return sh->disable_dontaudit;
+}
+
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh !=NULL);
diff -urN selinux.orig/libsepol/src/libsepol.map selinux/libsepol/src/libsepol.map
--- selinux.orig/libsepol/src/libsepol.map	2009-07-01 21:05:26.848236011 -0400
+++ selinux/libsepol/src/libsepol.map	2009-07-01 21:07:45.948485729 -0400
@@ -12,6 +12,7 @@
 	sepol_policydb_*; sepol_set_policydb_from_file; 
 	sepol_policy_kern_*;
 	sepol_policy_file_*;
+	sepol_get_disable_dontaudit;
 	sepol_set_disable_dontaudit;
 	sepol_set_expand_consume_base;
   local: *;

Re: [Patch 1/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Wed, 2009-07-01 at 22:11 -0400, Christopher Pardy wrote:
> On 07/01/2009 10:08 PM, Christopher Pardy wrote:
> > This is a heavily modified version of the patch I recently submitted. 
> > It provides 3 new functions: in libsepol sepol_get_disable_dontaudit; 
> > in libsemanage semanage_get_disable_dontaudit; in libselinux 
> > is_dontaudit_disabled. It also fixes issues with the previous patch.
> >
> > The justification for this patch is the same as the one I posted 
> > earlier. Simply, there is currently no way to know if dontaudit rules 
> > are  enabled. Additionally once don't audit rules are turned they turn 
> > themselves off after policy rebuild (is that the desired 
> > functionality?) This patch provides  a way to check on both the 
> > current and pending state of the dontaudit rules and it maintains this 
> > state between policy rebuilds.
> >
> > Signed-off-by Christopher Pardy <cpardy@redhat.com>
> Patch 1 implements libsepol function. Including inline and attaching in 
> case thunderbird messes up tabs.

It did.  But allegedly one can configure it to work, e.g. read:
http://lxr.linux.no/linux+v2.6.30/Documentation/email-clients.txt

> 
> diff -urN selinux.orig/libsepol/include/sepol/handle.h 
> selinux/libsepol/include/sepol/handle.h
> --- selinux.orig/libsepol/include/sepol/handle.h    2009-07-01 
> 21:05:26.823235749 -0400
> +++ selinux/libsepol/include/sepol/handle.h    2009-07-01 
> 21:08:33.277237031 -0400
> @@ -7,6 +7,12 @@
>   /* Create and return a sepol handle. */
>   sepol_handle_t *sepol_handle_create(void);
> 
> +/* Get whether or not dontaudits will be disabled, same values as
> + * specified by disable dont audit. This value reflects the state
> + * your system will be set to upon commit, not nessesarily it's
> + * current state.*/
> +int sepol_get_disable_dontaudit(sepol_handle_t * sh);

I don't understand why we would export this, as it is a transient
setting only meaningful within a transaction and the caller should know
whether or not he has set or cleared it already.

> +
>   /* Set whether or not to disable dontaudits, 0 is default and does
>    * not disable dontaudits, 1 disables them */
>   void sepol_set_disable_dontaudit(sepol_handle_t * sh, int 
> disable_dontaudit);
> diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
> --- selinux.orig/libsepol/src/handle.c    2009-07-01 21:05:26.854236864 
> -0400
> +++ selinux/libsepol/src/handle.c    2009-07-01 21:07:15.532236991 -0400
> @@ -21,6 +21,12 @@
>       return sh;
>   }
> 
> +int sepol_get_disable_dontaudit(sepol_handle_t *sh)
> +{
> +    assert(sh !=NULL);
> +    return sh->disable_dontaudit;
> +}
> +
>   void sepol_set_disable_dontaudit(sepol_handle_t * sh, int 
> disable_dontaudit)
>   {
>       assert(sh !=NULL);
> diff -urN selinux.orig/libsepol/src/libsepol.map 
> selinux/libsepol/src/libsepol.map
> --- selinux.orig/libsepol/src/libsepol.map    2009-07-01 
> 21:05:26.848236011 -0400
> +++ selinux/libsepol/src/libsepol.map    2009-07-01 21:07:45.948485729 -0400
> @@ -12,6 +12,7 @@
>       sepol_policydb_*; sepol_set_policydb_from_file;
>       sepol_policy_kern_*;
>       sepol_policy_file_*;
> +    sepol_get_disable_dontaudit;
>       sepol_set_disable_dontaudit;
>       sepol_set_expand_consume_base;
>     local: *;
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 1/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 3951 bytes --]

On 07/02/2009 08:39 AM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 22:11 -0400, Christopher Pardy wrote:
>    
>> On 07/01/2009 10:08 PM, Christopher Pardy wrote:
>>      
>>> This is a heavily modified version of the patch I recently submitted.
>>> It provides 3 new functions: in libsepol sepol_get_disable_dontaudit;
>>> in libsemanage semanage_get_disable_dontaudit; in libselinux
>>> is_dontaudit_disabled. It also fixes issues with the previous patch.
>>>
>>> The justification for this patch is the same as the one I posted
>>> earlier. Simply, there is currently no way to know if dontaudit rules
>>> are  enabled. Additionally once don't audit rules are turned they turn
>>> themselves off after policy rebuild (is that the desired
>>> functionality?) This patch provides  a way to check on both the
>>> current and pending state of the dontaudit rules and it maintains this
>>> state between policy rebuilds.
>>>
>>> Signed-off-by Christopher Pardy<cpardy@redhat.com>
>>>        
>> Patch 1 implements libsepol function. Including inline and attaching in
>> case thunderbird messes up tabs.
>>      
>
> It did.  But allegedly one can configure it to work, e.g. read:
> http://lxr.linux.no/linux+v2.6.30/Documentation/email-clients.txt
>
>    
>> diff -urN selinux.orig/libsepol/include/sepol/handle.h
>> selinux/libsepol/include/sepol/handle.h
>> --- selinux.orig/libsepol/include/sepol/handle.h    2009-07-01
>> 21:05:26.823235749 -0400
>> +++ selinux/libsepol/include/sepol/handle.h    2009-07-01
>> 21:08:33.277237031 -0400
>> @@ -7,6 +7,12 @@
>>    /* Create and return a sepol handle. */
>>    sepol_handle_t *sepol_handle_create(void);
>>
>> +/* Get whether or not dontaudits will be disabled, same values as
>> + * specified by disable dont audit. This value reflects the state
>> + * your system will be set to upon commit, not nessesarily it's
>> + * current state.*/
>> +int sepol_get_disable_dontaudit(sepol_handle_t * sh);
>>      
>
> I don't understand why we would export this, as it is a transient
> setting only meaningful within a transaction and the caller should know
> whether or not he has set or cleared it already.
>
>    
Yes the caller should know, this patch simply provides function symmetry 
between get and set functions. It also allows the other part of this 
patch to actually work as the caller might not know what the value has 
been set to by default. Also although we assume the caller has 
remembered when using the terminal commands when programs are modifying 
this value it seems redundant to force them to store a flag when the 
ability to read the flag in the handle is so trivial.
>> +
>>    /* Set whether or not to disable dontaudits, 0 is default and does
>>     * not disable dontaudits, 1 disables them */
>>    void sepol_set_disable_dontaudit(sepol_handle_t * sh, int
>> disable_dontaudit);
>> diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
>> --- selinux.orig/libsepol/src/handle.c    2009-07-01 21:05:26.854236864
>> -0400
>> +++ selinux/libsepol/src/handle.c    2009-07-01 21:07:15.532236991 -0400
>> @@ -21,6 +21,12 @@
>>        return sh;
>>    }
>>
>> +int sepol_get_disable_dontaudit(sepol_handle_t *sh)
>> +{
>> +    assert(sh !=NULL);
>> +    return sh->disable_dontaudit;
>> +}
>> +
>>    void sepol_set_disable_dontaudit(sepol_handle_t * sh, int
>> disable_dontaudit)
>>    {
>>        assert(sh !=NULL);
>> diff -urN selinux.orig/libsepol/src/libsepol.map
>> selinux/libsepol/src/libsepol.map
>> --- selinux.orig/libsepol/src/libsepol.map    2009-07-01
>> 21:05:26.848236011 -0400
>> +++ selinux/libsepol/src/libsepol.map    2009-07-01 21:07:45.948485729 -0400
>> @@ -12,6 +12,7 @@
>>        sepol_policydb_*; sepol_set_policydb_from_file;
>>        sepol_policy_kern_*;
>>        sepol_policy_file_*;
>> +    sepol_get_disable_dontaudit;
>>        sepol_set_disable_dontaudit;
>>        sepol_set_expand_consume_base;
>>      local: *;
>>      

[-- Attachment #2: Type: text/html, Size: 4700 bytes --]

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 6159 bytes --]

On 07/01/2009 10:08 PM, Christopher Pardy wrote:
> This is a heavily modified version of the patch I recently submitted. 
> It provides 3 new functions: in libsepol sepol_get_disable_dontaudit; 
> in libsemanage semanage_get_disable_dontaudit; in libselinux 
> is_dontaudit_disabled. It also fixes issues with the previous patch.
>
> The justification for this patch is the same as the one I posted 
> earlier. Simply, there is currently no way to know if dontaudit rules 
> are  enabled. Additionally once don't audit rules are turned they turn 
> themselves off after policy rebuild (is that the desired 
> functionality?) This patch provides  a way to check on both the 
> current and pending state of the dontaudit rules and it maintains this 
> state between policy rebuilds.
>
> Signed-off-by Christopher Pardy <cpardy@redhat.com>
This patch implements the functions in libsemanage and libselinux.

diff -urN selinux.orig2/libselinux/include/selinux/selinux.h 
selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h    2009-07-01 
21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h    2009-07-01 
21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
  extern "C" {
  #endif

+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
  /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 
if we get an error. */
  extern int is_selinux_enabled(void);
  /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c 
selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c    1969-12-31 
19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c    2009-07-01 21:48:48.635521208 
-0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+    char path[PATH_MAX];
+    snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+    if (access(path,F_OK) == 0)
+        return 1;
+    else
+        return 0;
+}
+
+hidden_def(is_dontaudit_disabled)
diff -urN selinux.orig2/libselinux/src/selinux_internal.h 
selinux/libselinux/src/selinux_internal.h
--- selinux.orig2/libselinux/src/selinux_internal.h    2009-07-01 
21:15:17.074235819 -0400
+++ selinux/libselinux/src/selinux_internal.h    2009-07-01 
21:44:57.272486689 -0400
@@ -24,6 +24,7 @@
      hidden_proto(security_compute_create_raw)
      hidden_proto(security_compute_member_raw)
      hidden_proto(security_compute_relabel_raw)
+    hidden_proto(is_dontaudit_disabled)
      hidden_proto(is_selinux_enabled)
      hidden_proto(is_selinux_mls_enabled)
      hidden_proto(freecon)
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h 
selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h    2009-07-01 
21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h    2009-07-01 
21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
   * 1 for yes, 0 for no (default) */
  void semanage_set_create_store(semanage_handle_t * handle, int 
create_store);

+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
  /* Set whether or not to disable dontaudits upon commit */
  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int 
disable_dontaudit);

diff -urN selinux.orig2/libsemanage/src/handle.c 
selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c    2009-07-01 
21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c    2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
  #include <stdio.h>
  #include <string.h>
  #include <sys/time.h>
+#include <limits.h>

  #include "direct_api.h"
  #include "handle.h"
@@ -58,6 +59,9 @@
      if (!sh->sepolh)
          goto err;
      sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+
+    /* Set the disable_dont audit to the system default */
+    semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());

      /* By default do not rebuild the policy on commit
       * If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
      return;
  }

+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+    assert(sh != NULL);
+
+    return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int 
disable_dontaudit)
  {
      assert(sh != NULL);
@@ -264,11 +276,22 @@
      assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
      if (!sh->is_in_transaction) {
          ERR(sh,
-            "Will not commit because caller does not have a tranaction 
lock yet.");
+            "Will not commit because caller does not have a transaction 
lock yet.");
          return -1;
      }
      retval = sh->funcs->commit(sh);
      sh->is_in_transaction = 0;
      sh->modules_modified = 0;
+    if (retval == 0){
+        char path[PATH_MAX];
+        
snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+        if(semanage_get_disable_dontaudit(sh) == 1){
+            FILE *touch;
+            touch = fopen(path,"w");
+            fclose(touch);
+        }else{
+            remove(path);
+        }
+    }
      return retval;
  }
diff -urN selinux.orig2/libsemanage/src/libsemanage.map 
selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map    2009-07-01 
21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map    2009-07-01 
21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
        semanage_iface_*; semanage_port_*; semanage_context_*;
        semanage_node_*;
        semanage_fcontext_*; semanage_access_check; 
semanage_set_create_store;
-      semanage_is_connected; semanage_set_disable_dontaudit;
+      semanage_is_connected; semanage_get_disable_dontaudit; 
semanage_set_disable_dontaudit;
        semanage_mls_enabled;
    local: *;
  };

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4958 bytes --]

diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h	2009-07-01 21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h	2009-07-01 21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
 extern "C" {
 #endif
 
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
 /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
 extern int is_selinux_enabled(void);
 /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c	1969-12-31 19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c	2009-07-01 21:48:48.635521208 -0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+	char path[PATH_MAX];
+	snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+	if (access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
+hidden_def(is_dontaudit_disabled)
diff -urN selinux.orig2/libselinux/src/selinux_internal.h selinux/libselinux/src/selinux_internal.h
--- selinux.orig2/libselinux/src/selinux_internal.h	2009-07-01 21:15:17.074235819 -0400
+++ selinux/libselinux/src/selinux_internal.h	2009-07-01 21:44:57.272486689 -0400
@@ -24,6 +24,7 @@
     hidden_proto(security_compute_create_raw)
     hidden_proto(security_compute_member_raw)
     hidden_proto(security_compute_relabel_raw)
+    hidden_proto(is_dontaudit_disabled)
     hidden_proto(is_selinux_enabled)
     hidden_proto(is_selinux_mls_enabled)
     hidden_proto(freecon)
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-01 21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -58,6 +59,9 @@
 	if (!sh->sepolh)
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+	
+	/* Set the disable_dont audit to the system default */
+	semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
 
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
@@ -264,11 +276,22 @@
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
+	if (retval == 0){
+		char path[PATH_MAX];
+		snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+		if(semanage_get_disable_dontaudit(sh) == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else{
+			remove(path);
+		}
+	}
 	return retval;
 }
diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-01 21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Wed, 2009-07-01 at 22:13 -0400, Christopher Pardy wrote:
> On 07/01/2009 10:08 PM, Christopher Pardy wrote:
> > This is a heavily modified version of the patch I recently submitted. 
> > It provides 3 new functions: in libsepol sepol_get_disable_dontaudit; 
> > in libsemanage semanage_get_disable_dontaudit; in libselinux 
> > is_dontaudit_disabled. It also fixes issues with the previous patch.
> >
> > The justification for this patch is the same as the one I posted 
> > earlier. Simply, there is currently no way to know if dontaudit rules 
> > are  enabled. Additionally once don't audit rules are turned they turn 
> > themselves off after policy rebuild (is that the desired 
> > functionality?) This patch provides  a way to check on both the 
> > current and pending state of the dontaudit rules and it maintains this 
> > state between policy rebuilds.
> >
> > Signed-off-by Christopher Pardy <cpardy@redhat.com>
> This patch implements the functions in libsemanage and libselinux.
> 
> diff -urN selinux.orig2/libselinux/include/selinux/selinux.h 
> selinux/libselinux/include/selinux/selinux.h

diff with -p (or just git diff) is nicer in that it shows function names
too.

> --- selinux.orig2/libselinux/include/selinux/selinux.h    2009-07-01 
> 21:15:17.009238289 -0400
> +++ selinux/libselinux/include/selinux/selinux.h    2009-07-01 
> 21:44:57.264509874 -0400
> @@ -8,6 +8,9 @@
>   extern "C" {
>   #endif
> 
> +/* Return 1 if the dont audit rules have been turned off or 0 if not. */
> +extern int is_dontaudit_disabled(void);

I'm not sure why we'd push this out to libselinux and expose the file
location to both libselinux and libsemanage.  What programs would use
this that couldn't just link against libsemanage?

> diff -urN selinux.orig2/libselinux/src/dontaudit.c 
> selinux/libselinux/src/dontaudit.c
> --- selinux.orig2/libselinux/src/dontaudit.c    1969-12-31 
> 19:00:00.000000000 -0500
> +++ selinux/libselinux/src/dontaudit.c    2009-07-01 21:48:48.635521208 
> -0400
> @@ -0,0 +1,21 @@
> +#include <unistd.h>
> +#include <selinux/selinux.h>
> +#include "selinux_internal.h"
> +#include <stdlib.h>
> +#include <limits.h>
> +#include <stdarg.h>
> +#include <stdio.h>
> +#include <string.h>
> +
> +int is_dontaudit_disabled(void)
> +{
> +    char path[PATH_MAX];
> +    snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
> +
> +    if (access(path,F_OK) == 0)
> +        return 1;
> +    else
> +        return 0;
> +}
> +
> +hidden_def(is_dontaudit_disabled)

We don't need a hidden def unless libselinux internally calls the
function as well.

> diff -urN selinux.orig2/libselinux/src/selinux_internal.h 
> selinux/libselinux/src/selinux_internal.h
> --- selinux.orig2/libselinux/src/selinux_internal.h    2009-07-01 
> 21:15:17.074235819 -0400
> +++ selinux/libselinux/src/selinux_internal.h    2009-07-01 
> 21:44:57.272486689 -0400
> @@ -24,6 +24,7 @@
>       hidden_proto(security_compute_create_raw)
>       hidden_proto(security_compute_member_raw)
>       hidden_proto(security_compute_relabel_raw)
> +    hidden_proto(is_dontaudit_disabled)

Ditto.

> diff -urN selinux.orig2/libsemanage/include/semanage/handle.h 
> selinux/libsemanage/include/semanage/handle.h
> --- selinux.orig2/libsemanage/include/semanage/handle.h    2009-07-01 
> 21:15:17.224235939 -0400
> +++ selinux/libsemanage/include/semanage/handle.h    2009-07-01 
> 21:44:57.274484577 -0400
> @@ -69,6 +69,9 @@
>    * 1 for yes, 0 for no (default) */
>   void semanage_set_create_store(semanage_handle_t * handle, int 
> create_store);
> 
> +/*Get whether or not to dontaudits will be disabled upon commit */
> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);

As before, I don't know why we'd export this transient information
outside of the library, vs. only exporting the persistent dontaudit
setting.

> diff -urN selinux.orig2/libsemanage/src/handle.c 
> selinux/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c    2009-07-01 
> 21:15:17.288238017 -0400
> +++ selinux/libsemanage/src/handle.c    2009-07-01 21:55:04.525487189 -0400
<snip>
> @@ -264,11 +276,22 @@
>       assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
>       if (!sh->is_in_transaction) {
>           ERR(sh,
> -            "Will not commit because caller does not have a tranaction 
> lock yet.");
> +            "Will not commit because caller does not have a transaction 
> lock yet.");
>           return -1;
>       }
>       retval = sh->funcs->commit(sh);
>       sh->is_in_transaction = 0;
>       sh->modules_modified = 0;
> +    if (retval == 0){
> +        char path[PATH_MAX];
> +        
> snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
> +        if(semanage_get_disable_dontaudit(sh) == 1){
> +            FILE *touch;
> +            touch = fopen(path,"w");
> +            fclose(touch);
> +        }else{
> +            remove(path);
> +        }
> +    }

This doesn't make sense to me - we check whether we've already set
disable dontaudit and use that to decide whether to create the file?
But the existence of the file is what would have triggered setting
disable dontaudit in the first place.  Round and round we go...

Also, I think it makes more sense to keep all of this private to
libsemanage and to keep this file in the module store, as Joshua already
said.

>       return retval;
>   }

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 6653 bytes --]

On 07/02/2009 08:46 AM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 22:13 -0400, Christopher Pardy wrote:
>    
>> On 07/01/2009 10:08 PM, Christopher Pardy wrote:
>>      
>>> This is a heavily modified version of the patch I recently submitted.
>>> It provides 3 new functions: in libsepol sepol_get_disable_dontaudit;
>>> in libsemanage semanage_get_disable_dontaudit; in libselinux
>>> is_dontaudit_disabled. It also fixes issues with the previous patch.
>>>
>>> The justification for this patch is the same as the one I posted
>>> earlier. Simply, there is currently no way to know if dontaudit rules
>>> are  enabled. Additionally once don't audit rules are turned they turn
>>> themselves off after policy rebuild (is that the desired
>>> functionality?) This patch provides  a way to check on both the
>>> current and pending state of the dontaudit rules and it maintains this
>>> state between policy rebuilds.
>>>
>>> Signed-off-by Christopher Pardy<cpardy@redhat.com>
>>>        
>> This patch implements the functions in libsemanage and libselinux.
>>
>> diff -urN selinux.orig2/libselinux/include/selinux/selinux.h
>> selinux/libselinux/include/selinux/selinux.h
>>      
>
> diff with -p (or just git diff) is nicer in that it shows function names
> too.
>
>    
Thank you.
>> --- selinux.orig2/libselinux/include/selinux/selinux.h    2009-07-01
>> 21:15:17.009238289 -0400
>> +++ selinux/libselinux/include/selinux/selinux.h    2009-07-01
>> 21:44:57.264509874 -0400
>> @@ -8,6 +8,9 @@
>>    extern "C" {
>>    #endif
>>
>> +/* Return 1 if the dont audit rules have been turned off or 0 if not. */
>> +extern int is_dontaudit_disabled(void);
>>      
>
> I'm not sure why we'd push this out to libselinux and expose the file
> location to both libselinux and libsemanage.  What programs would use
> this that couldn't just link against libsemanage?
>
>    
It's not that a program would use this that couldn't link against 
libsemanage the functionality just seemed closer to that of the 
functions in libselinux, I've been doing alot of work on fedora stuff It 
seems to me  that 90% of the code in libsemanage is handle dependent 
functions. libselinux seems to be more of a global setting kind of deal. 
so it made sense to put it here. Let me know if this isn't the case
>> diff -urN selinux.orig2/libselinux/src/dontaudit.c
>> selinux/libselinux/src/dontaudit.c
>> --- selinux.orig2/libselinux/src/dontaudit.c    1969-12-31
>> 19:00:00.000000000 -0500
>> +++ selinux/libselinux/src/dontaudit.c    2009-07-01 21:48:48.635521208
>> -0400
>> @@ -0,0 +1,21 @@
>> +#include<unistd.h>
>> +#include<selinux/selinux.h>
>> +#include "selinux_internal.h"
>> +#include<stdlib.h>
>> +#include<limits.h>
>> +#include<stdarg.h>
>> +#include<stdio.h>
>> +#include<string.h>
>> +
>> +int is_dontaudit_disabled(void)
>> +{
>> +    char path[PATH_MAX];
>> +    snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
>> +
>> +    if (access(path,F_OK) == 0)
>> +        return 1;
>> +    else
>> +        return 0;
>> +}
>> +
>> +hidden_def(is_dontaudit_disabled)
>>      
>
> We don't need a hidden def unless libselinux internally calls the
> function as well.
>    
Thank you I'll be resubmitting this patch shortly
>    
>> diff -urN selinux.orig2/libselinux/src/selinux_internal.h
>> selinux/libselinux/src/selinux_internal.h
>> --- selinux.orig2/libselinux/src/selinux_internal.h    2009-07-01
>> 21:15:17.074235819 -0400
>> +++ selinux/libselinux/src/selinux_internal.h    2009-07-01
>> 21:44:57.272486689 -0400
>> @@ -24,6 +24,7 @@
>>        hidden_proto(security_compute_create_raw)
>>        hidden_proto(security_compute_member_raw)
>>        hidden_proto(security_compute_relabel_raw)
>> +    hidden_proto(is_dontaudit_disabled)
>>      
>
> Ditto.
>
>    
>> diff -urN selinux.orig2/libsemanage/include/semanage/handle.h
>> selinux/libsemanage/include/semanage/handle.h
>> --- selinux.orig2/libsemanage/include/semanage/handle.h    2009-07-01
>> 21:15:17.224235939 -0400
>> +++ selinux/libsemanage/include/semanage/handle.h    2009-07-01
>> 21:44:57.274484577 -0400
>> @@ -69,6 +69,9 @@
>>     * 1 for yes, 0 for no (default) */
>>    void semanage_set_create_store(semanage_handle_t * handle, int
>> create_store);
>>
>> +/*Get whether or not to dontaudits will be disabled upon commit */
>> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
>>      
>
> As before, I don't know why we'd export this transient information
> outside of the library, vs. only exporting the persistent dontaudit
> setting.
>    
See explaination from previous patch.
>    
>> diff -urN selinux.orig2/libsemanage/src/handle.c
>> selinux/libsemanage/src/handle.c
>> --- selinux.orig2/libsemanage/src/handle.c    2009-07-01
>> 21:15:17.288238017 -0400
>> +++ selinux/libsemanage/src/handle.c    2009-07-01 21:55:04.525487189 -0400
>>      
> <snip>
>    
>> @@ -264,11 +276,22 @@
>>        assert(sh != NULL&&  sh->funcs != NULL&&  sh->funcs->commit != NULL);
>>        if (!sh->is_in_transaction) {
>>            ERR(sh,
>> -            "Will not commit because caller does not have a tranaction
>> lock yet.");
>> +            "Will not commit because caller does not have a transaction
>> lock yet.");
>>            return -1;
>>        }
>>        retval = sh->funcs->commit(sh);
>>        sh->is_in_transaction = 0;
>>        sh->modules_modified = 0;
>> +    if (retval == 0){
>> +        char path[PATH_MAX];
>> +
>> snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
>> +        if(semanage_get_disable_dontaudit(sh) == 1){
>> +            FILE *touch;
>> +            touch = fopen(path,"w");
>> +            fclose(touch);
>> +        }else{
>> +            remove(path);
>> +        }
>> +    }
>>      
>
> This doesn't make sense to me - we check whether we've already set
> disable dontaudit and use that to decide whether to create the file?
> But the existence of the file is what would have triggered setting
> disable dontaudit in the first place.  Round and round we go...
>    
When we create the handle we set it's default property to the system 
default. When we commit a handle we set the system default property to 
the handles property. In between it is fully possible to that we have 
called a set_disable_dontaudit to change the value in the handle. If you 
would rather I checked if the two were different first I can.
> Also, I think it makes more sense to keep all of this private to
> libsemanage and to keep this file in the module store, as Joshua already
> said.
>    
Noted I'll move the file into the module folder.
>    
>>        return retval;
>>    }
>>      
>
>    


[-- Attachment #2: Type: text/html, Size: 8340 bytes --]

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Thu, 2009-07-02 at 09:55 -0400, Christopher Pardy wrote:
> It's not that a program would use this that couldn't link against
> libsemanage the functionality just seemed closer to that of the
> functions in libselinux, I've been doing alot of work on fedora stuff
> It seems to me  that 90% of the code in libsemanage is handle
> dependent functions. libselinux seems to be more of a global setting
> kind of deal. so it made sense to put it here. Let me know if this
> isn't the case

Unless you envision this interface being called by non-management
programs, I think it is reasonable to require them to link against
libsemanage and use an interface provided by it.

> > This doesn't make sense to me - we check whether we've already set
> > disable dontaudit and use that to decide whether to create the file?
> > But the existence of the file is what would have triggered setting
> > disable dontaudit in the first place.  Round and round we go...
> >   
> When we create the handle we set it's default property to the system
> default. When we commit a handle we set the system default property to
> the handles property. In between it is fully possible to that we have
> called a set_disable_dontaudit to change the value in the handle. If
> you would rather I checked if the two were different first I can.

Hmmm...but if the flag file is private to the store, then you can just
create or remove it directly from semanage_set_disable_dontaudit(), and
you won't need to do this at commit.  At which point you seemingly don't
need the libsepol or libsemanage get functions.

BTW, to create a new file in the store, you'll want to extend
semanage_sandbox_defs in semanage_store.h with a
SEMANAGE_DISABLE_DONTAUDIT value and use
semanage_fname(SEMANAGE_DISABLE_DONTAUDIT) to obtain the pathname to the
flag file.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 2691 bytes --]

On 07/02/2009 10:13 AM, Stephen Smalley wrote:
> On Thu, 2009-07-02 at 09:55 -0400, Christopher Pardy wrote:
>    
>> It's not that a program would use this that couldn't link against
>> libsemanage the functionality just seemed closer to that of the
>> functions in libselinux, I've been doing alot of work on fedora stuff
>> It seems to me  that 90% of the code in libsemanage is handle
>> dependent functions. libselinux seems to be more of a global setting
>> kind of deal. so it made sense to put it here. Let me know if this
>> isn't the case
>>      
>
> Unless you envision this interface being called by non-management
> programs, I think it is reasonable to require them to link against
> libsemanage and use an interface provided by it.
>
>    
If I'm not mistaken disabling dontaudit rules will cause more AVCs, if 
this is the case then programs like SETroubleshoot would want to know if 
dontaudit rules are turned on. Additionally see my previous explaination 
as to why the two are separated.
>>> This doesn't make sense to me - we check whether we've already set
>>> disable dontaudit and use that to decide whether to create the file?
>>> But the existence of the file is what would have triggered setting
>>> disable dontaudit in the first place.  Round and round we go...
>>>
>>>        
>> When we create the handle we set it's default property to the system
>> default. When we commit a handle we set the system default property to
>> the handles property. In between it is fully possible to that we have
>> called a set_disable_dontaudit to change the value in the handle. If
>> you would rather I checked if the two were different first I can.
>>      
>
> Hmmm...but if the flag file is private to the store, then you can just
> create or remove it directly from semanage_set_disable_dontaudit(), and
> you won't need to do this at commit.  At which point you seemingly don't
> need the libsepol or libsemanage get functions.
>
>    
If the flag file was created at time of semanage_set_disable_dontaudit() 
it would reflect a pending state and not an actual state, if for some 
reason commit was never called or simply failed it would incorrectly 
reflect the state of the system. By creating the file only after a 
successful commit the file correctly identifies our actual state. While 
the get functions correctly identify our pending state.
> BTW, to create a new file in the store, you'll want to extend
> semanage_sandbox_defs in semanage_store.h with a
> SEMANAGE_DISABLE_DONTAUDIT value and use
> semanage_fname(SEMANAGE_DISABLE_DONTAUDIT) to obtain the pathname to the
> flag file.
>
>    
Thanks for that, I'll get a new version of the patch out shortly.

[-- Attachment #2: Type: text/html, Size: 3443 bytes --]

Re: [Patch 2/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Thu, 2009-07-02 at 10:30 -0400, Christopher Pardy wrote:
> On 07/02/2009 10:13 AM, Stephen Smalley wrote: 
> > On Thu, 2009-07-02 at 09:55 -0400, Christopher Pardy wrote:
> >   
> > > It's not that a program would use this that couldn't link against
> > > libsemanage the functionality just seemed closer to that of the
> > > functions in libselinux, I've been doing alot of work on fedora stuff
> > > It seems to me  that 90% of the code in libsemanage is handle
> > > dependent functions. libselinux seems to be more of a global setting
> > > kind of deal. so it made sense to put it here. Let me know if this
> > > isn't the case
> > >     
> > 
> > Unless you envision this interface being called by non-management
> > programs, I think it is reasonable to require them to link against
> > libsemanage and use an interface provided by it.
> > 
> >   
> If I'm not mistaken disabling dontaudit rules will cause more AVCs, if
> this is the case then programs like SETroubleshoot would want to know
> if dontaudit rules are turned on. Additionally see my previous
> explaination as to why the two are separated.

Not sure about setroubleshoot - I'll let Dan speak to that.  But putting
it outside of libsemanage means that it isn't atomic with policy
transactions, which seems undesirable, and one can manipulate it without
going through libsemanage (in which case libsemanage may get out of sync
with it and not catch up until the next transaction).

> > > > This doesn't make sense to me - we check whether we've already set
> > > > disable dontaudit and use that to decide whether to create the file?
> > > > But the existence of the file is what would have triggered setting
> > > > disable dontaudit in the first place.  Round and round we go...
> > > >   
> > > >       
> > > When we create the handle we set it's default property to the system
> > > default. When we commit a handle we set the system default property to
> > > the handles property. In between it is fully possible to that we have
> > > called a set_disable_dontaudit to change the value in the handle. If
> > > you would rather I checked if the two were different first I can.
> > >     
> > 
> > Hmmm...but if the flag file is private to the store, then you can just
> > create or remove it directly from semanage_set_disable_dontaudit(), and
> > you won't need to do this at commit.  At which point you seemingly don't
> > need the libsepol or libsemanage get functions.
> > 
> >   
> If the flag file was created at time of
> semanage_set_disable_dontaudit() it would reflect a pending state and
> not an actual state, if for some reason commit was never called or
> simply failed it would incorrectly reflect the state of the system. By
> creating the file only after a successful commit the file correctly
> identifies our actual state. While the get functions correctly
> identify our pending state.

No - if the flag file lives in the store, it will be in the sandbox that
gets created when you start a transaction, and won't be made active
until you commit.  That's the whole point of the store - atomic
transactions on policy.

> > BTW, to create a new file in the store, you'll want to extend
> > semanage_sandbox_defs in semanage_store.h with a
> > SEMANAGE_DISABLE_DONTAUDIT value and use
> > semanage_fname(SEMANAGE_DISABLE_DONTAUDIT) to obtain the pathname to the
> > flag file.
> > 
> >   
> Thanks for that, I'll get a new version of the patch out shortly.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 4530 bytes --]

Stephen, Josh: I think this might address all your concerns.
Changes: No more code in libselinux, new handles have their 
disable_dontaudit flag set to 0 upon creation (old way), 
set_disable_dontaudit creates a file in the sandbox to make the setting 
visible after commits.
Justification: After turning off dontaudit rules there is currently no 
way for the system to see that this change has been made, this creates a 
flag file which can be used as an indicator.
Note: still depends on patch 1/2

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h

--- selinux.orig2/libsemanage/include/semanage/handle.h    2009-07-01 21:15:17.224235939 -0400

+++ selinux/libsemanage/include/semanage/handle.h    2009-07-02 11:09:06.982262194 -0400

@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl

   * 1 for yes, 0 for no (default) */

  void semanage_set_create_store(semanage_handle_t * handle, int create_store);

  

+/*Get whether or not to dontaudits will be disabled upon commit */

+int semanage_get_disable_dontaudit(semanage_handle_t * handle);

+

  /* Set whether or not to disable dontaudits upon commit */

  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);

  

diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c

--- selinux.orig2/libsemanage/src/handle.c    2009-07-01 21:15:17.288238017 -0400

+++ selinux/libsemanage/src/handle.c    2009-07-02 11:29:20.740267205 -0400

@@ -29,6 +29,7 @@

  #include<stdio.h>

  #include<string.h>

  #include<sys/time.h>

+#include<limits.h>

  

  #include "direct_api.h"

  #include "handle.h"

@@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat

      /* Set callback */

      sh->msg_callback = semanage_msg_default_handler;

      sh->msg_callback_arg = NULL;

-

+

+    /*set the flag to be deleted*/

+    char path[PATH_MAX];

+    path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

+    remove(path);

+

      return sh;

  

        err:

@@ -110,11 +116,27 @@ void semanage_set_create_store(semanage_

      return;

  }

  

+int semanage_get_disable_dontaudit(semanage_handle_t * sh)

+{

+    assert(sh != NULL);

+

+    return sepol_get_disable_dontaudit(sh->sepolh);

+}

+

  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)

  {

      assert(sh != NULL);

-

+

      sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);

+

+    char path[PATH_MAX];

+    path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

+        if(disable_dontaudit(sh) == 1){

+            FILE *touch;

+            touch = fopen(path,"w");

+            fclose(touch);

+        }else

+            remove(path);

      return;

  }

  

@@ -264,7 +286,7 @@ int semanage_commit(semanage_handle_t *

      assert(sh != NULL&&  sh->funcs != NULL&&  sh->funcs->commit != NULL);

      if (!sh->is_in_transaction) {

          ERR(sh,

-            "Will not commit because caller does not have a tranaction lock yet.");

+            "Will not commit because caller does not have a transaction lock yet.");

          return -1;

      }

      retval = sh->funcs->commit(sh);

diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map

--- selinux.orig2/libsemanage/src/libsemanage.map    2009-07-01 21:15:17.290237650 -0400

+++ selinux/libsemanage/src/libsemanage.map    2009-07-02 11:12:49.864242881 -0400

@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {

        semanage_iface_*; semanage_port_*; semanage_context_*;

        semanage_node_*;

        semanage_fcontext_*; semanage_access_check; semanage_set_create_store;

-      semanage_is_connected; semanage_set_disable_dontaudit;

+      semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;

        semanage_mls_enabled;

    local: *;

  };

diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h

--- selinux.orig2/libsemanage/src/semanage_store.h    2009-07-01 21:15:17.262235597 -0400

+++ selinux/libsemanage/src/semanage_store.h    2009-07-02 10:35:04.362488949 -0400

@@ -58,7 +58,8 @@ enum semanage_sandbox_defs {

      SEMANAGE_USERS_EXTRA,

      SEMANAGE_NC,

      SEMANAGE_FC_HOMEDIRS,

-    SEMANAGE_STORE_NUM_PATHS

+    SEMANAGE_STORE_NUM_PATHS,

+    SEMANAGE_DISABLE_DONTAUDIT

  };

  

  /* FIXME: this needs to be made a module store specific init and the


[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 3645 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-02 11:29:20.740267205 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat
 	/* Set callback */
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
-
+	
+	/*set the flag to be deleted*/
+	char path[PATH_MAX];
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+	remove(path);
+	
 	return sh;
 
       err:
@@ -110,11 +116,27 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	char path[PATH_MAX];
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+		if(disable_dontaudit(sh) == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +286,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-02 10:35:04.362488949 -0400
@@ -58,7 +58,8 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
-	SEMANAGE_STORE_NUM_PATHS
+	SEMANAGE_STORE_NUM_PATHS,
+	SEMANAGE_DISABLE_DONTAUDIT
 };
 
 /* FIXME: this needs to be made a module store specific init and the

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Stephen Smalley]

On Thu, 2009-07-02 at 11:32 -0400, Christopher Pardy wrote:
> Stephen, Josh: I think this might address all your concerns.
> Changes: No more code in libselinux, new handles have their 
> disable_dontaudit flag set to 0 upon creation (old way), 
> set_disable_dontaudit creates a file in the sandbox to make the setting 
> visible after commits.
> Justification: After turning off dontaudit rules there is currently no 
> way for the system to see that this change has been made, this creates a 
> flag file which can be used as an indicator.

Include the original patch description and then summarize changes or
incorporate into the description.

> Note: still depends on patch 1/2
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>

Add "---" followed by diffstat -p1 output here.

Still getting whitespace mangled by thunderbird - need to configure it.

> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
> 
> --- selinux.orig2/libsemanage/src/handle.c    2009-07-01 21:15:17.288238017 -0400
> 
> +++ selinux/libsemanage/src/handle.c    2009-07-02 11:29:20.740267205 -0400
> @@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat
> 
>       /* Set callback */
> 
>       sh->msg_callback = semanage_msg_default_handler;
> 
>       sh->msg_callback_arg = NULL;
> 
> -
> 
> +
> 
> +    /*set the flag to be deleted*/
> 
> +    char path[PATH_MAX];
> 
> +    path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

Missing semicolon?  And you don't need to allocate a buffer, just a
const char * - semanage_fname() returns a pointer to the pathname.

> 
> +    remove(path);

Unconditional removal of the flag file whenever a handle is created?

>   void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
> 
>   {
> 
> +    char path[PATH_MAX];
> 
> +    path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

Same issue here.

> 
> +        if(disable_dontaudit(sh) == 1){

What is this?

> 
> +            FILE *touch;
> 
> +            touch = fopen(path,"w");
> 
> +            fclose(touch);
> 
> +        }else
> 
> +            remove(path);
> 
>       return;
> 
>   }

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 5075 bytes --]

This patch provides the new function semanage_get_disable_dontaudit in libsemanage.

The justification for this patch is that there is currently no way to know if dontaudit rules are  enabled. This patch provides a way to check on both the pending state of the dontaudit rules and it creates a flag file which can be looked for to determine the state of dontaudit rule on the last rebuild.

Signed-off-by Christopher Pardy <cpardy@redhat.com> 
---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/handle.c              |   26 +++++++++++++++++++++++---
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 5 files changed, 29 insertions(+), 4 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 08:09:22.536166709 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*make sure our flags are set right*/
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh))
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -75,7 +79,7 @@ semanage_handle_t *semanage_handle_creat
 	/* Set callback */
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
-
+	
 	return sh;
 
       err:
@@ -110,11 +114,27 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	const char *path;
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+		if(disable_dontaudit == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +284,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 08:21:49.374412534 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/modules/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 08:01:57.577197155 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4306 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 08:09:22.536166709 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*make sure our flags are set right*/
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh))
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -75,7 +79,7 @@ semanage_handle_t *semanage_handle_creat
 	/* Set callback */
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
-
+	
 	return sh;
 
       err:
@@ -110,11 +114,27 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	const char *path;
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+		if(disable_dontaudit == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +284,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 08:21:49.374412534 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/modules/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 08:01:57.577197155 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 5130 bytes --]

Ignore previous version it was missing semicolons.

This patch provides the new function semanage_get_disable_dontaudit in libsemanage. 

The justification for this patch is that there is currently no way to know if dontaudit rules are  enabled. This patch provides a way to check on both the pending state of the dontaudit rules and it creates a flag file which can be looked for to determine the state of dontaudit rule on the last rebuild.

Signed-off-by Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/handle.c              |   26 +++++++++++++++++++++++---
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 5 files changed, 29 insertions(+), 4 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 08:27:57.859443250 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*make sure our flags are set right*/
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -75,7 +79,7 @@ semanage_handle_t *semanage_handle_creat
 	/* Set callback */
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
-
+	
 	return sh;
 
       err:
@@ -110,11 +114,27 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	const char *path;
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+		if(disable_dontaudit == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +284,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 08:21:49.374412534 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/modules/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 08:01:57.577197155 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4308 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 08:27:57.859443250 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*make sure our flags are set right*/
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -75,7 +79,7 @@ semanage_handle_t *semanage_handle_creat
 	/* Set callback */
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
-
+	
 	return sh;
 
       err:
@@ -110,11 +114,27 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	const char *path;
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+		if(disable_dontaudit == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +284,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 08:21:49.374412534 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/modules/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 08:01:57.577197155 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Stephen Smalley]

On Mon, 2009-07-06 at 08:31 -0400, Christopher Pardy wrote:
> Ignore previous version it was missing semicolons.
> 
> This patch provides the new function semanage_get_disable_dontaudit in libsemanage. 
> 
> The justification for this patch is that there is currently no way to know if dontaudit rules are  enabled. This patch provides a way to check on both the pending state of the dontaudit rules and it creates a flag file which can be looked for to determine the state of dontaudit rule on the last rebuild.
> 
> Signed-off-by Christopher Pardy <cpardy@redhat.com>
> 
> ---
>  libsemanage/include/semanage/handle.h |    3 +++
>  libsemanage/src/handle.c              |   26 +++++++++++++++++++++++---
>  libsemanage/src/libsemanage.map       |    2 +-
>  libsemanage/src/semanage_store.c      |    1 +
>  libsemanage/src/semanage_store.h      |    1 +
>  5 files changed, 29 insertions(+), 4 deletions(-)
> 
> 
> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
> +++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
> @@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> +/*Get whether or not to dontaudits will be disabled upon commit */
> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
> +
>  /* Set whether or not to disable dontaudits upon commit */
>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>  
> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> +++ selinux/libsemanage/src/handle.c	2009-07-06 08:27:57.859443250 -0400
> @@ -29,6 +29,7 @@
>  #include <stdio.h>
>  #include <string.h>
>  #include <sys/time.h>
> +#include <limits.h>
>  
>  #include "direct_api.h"
>  #include "handle.h"
> @@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
>  		goto err;
>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>  
> +	/*make sure our flags are set right*/
> +	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));
> +

I don't believe that this is right.  semanage_get_disable_dontaudit()
calls sepol_get_disable_dontaudit() which will always return 0 when the
handle is first created and it cannot have been set yet since we are
only just now creating the handle.  Then you'll pass that zero to
semanage_set_disable_dontaudit() and always remove the flag file on
handle creation.  Not what you want.

>  	/* By default do not rebuild the policy on commit
>  	 * If any changes are made, this flag is ignored */
>  	sh->do_rebuild = 0;
> @@ -75,7 +79,7 @@ semanage_handle_t *semanage_handle_creat
>  	/* Set callback */
>  	sh->msg_callback = semanage_msg_default_handler;
>  	sh->msg_callback_arg = NULL;
> -
> +	
>  	return sh;
>  
>        err:

Spurious whitespace change?

> @@ -110,11 +114,27 @@ void semanage_set_create_store(semanage_
>  	return;
>  }
>  
> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
> +{
> +	assert(sh != NULL);
> +
> +	return sepol_get_disable_dontaudit(sh->sepolh);
> +}
> +
>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>  {
>  	assert(sh != NULL);
> -	
> +
>  	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +	
> +	const char *path;

local var decls go at the beginning of the function.

> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +		if(disable_dontaudit == 1){
> +			FILE *touch;
> +			touch = fopen(path,"w");
> +			fclose(touch);

What if the fopen() fails and returns NULL?

> +		}else
> +			remove(path);

Indentation needs to be fixed.
Do we care if the remove() fails?  Need to report an ERR() message?

> diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
> --- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
> +++ selinux/libsemanage/src/semanage_store.c	2009-07-06 08:21:49.374412534 -0400
> @@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
>  	"/users_extra",
>  	"/netfilter_contexts",
>  	"/file_contexts.homedirs",
> +	"/modules/disable_dontaudit",

No, just use "/disable_dontaudit".  It will automatically put into the
sandbox subdirectory, just like the rest.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: create a don't audit flag

[Stephen Smalley]

On Mon, 2009-07-06 at 09:46 -0400, Stephen Smalley wrote:
> I don't believe that this is right.  semanage_get_disable_dontaudit()
> calls sepol_get_disable_dontaudit() which will always return 0 when the
> handle is first created and it cannot have been set yet since we are
> only just now creating the handle.  Then you'll pass that zero to
> semanage_set_disable_dontaudit() and always remove the flag file on
> handle creation.  Not what you want.

So I think that we don't need the libsepol patch at all anymore, nor do
we need semanage_get_disable_dontaudit().  So all we need is the change
to semanage_set_disable_dontaudit() along with the path definition in
libsemanage, and the patch to semodule in policycoreutils.  Re-post both
patches as a series with updated description and diffstat after
addressing the comments please.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[Patch 1/2] libsepol: method to check disable dontaudit flag.

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 2298 bytes --]

This patch adds the ability to check on the value of the disable_dontaudit flag in the sepol handle. In the past the only way to know the value of this was to directly read the values from the handle. The get function provides a setter-getter symmetry similar to other functions found in libsepol.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsepol/include/sepol/handle.h |    6 ++++++
 libsepol/src/handle.c           |    6 ++++++
 libsepol/src/libsepol.map       |    1 +
 3 files changed, 13 insertions(+)


diff -urN selinux.orig/libsepol/include/sepol/handle.h selinux/libsepol/include/sepol/handle.h
--- selinux.orig/libsepol/include/sepol/handle.h	2009-07-01 21:05:26.823235749 -0400
+++ selinux/libsepol/include/sepol/handle.h	2009-07-01 21:08:33.277237031 -0400
@@ -7,6 +7,12 @@
 /* Create and return a sepol handle. */
 sepol_handle_t *sepol_handle_create(void);
 
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by disable dont audit. This value reflects the state
+ * your system will be set to upon commit, not nessesarily it's
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
 /* Set whether or not to disable dontaudits, 0 is default and does 
  * not disable dontaudits, 1 disables them */
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
--- selinux.orig/libsepol/src/handle.c	2009-07-01 21:05:26.854236864 -0400
+++ selinux/libsepol/src/handle.c	2009-07-01 21:07:15.532236991 -0400
@@ -21,6 +21,12 @@
 	return sh;
 }
 
+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+	assert(sh !=NULL);
+	return sh->disable_dontaudit;
+}
+
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh !=NULL);
diff -urN selinux.orig/libsepol/src/libsepol.map selinux/libsepol/src/libsepol.map
--- selinux.orig/libsepol/src/libsepol.map	2009-07-01 21:05:26.848236011 -0400
+++ selinux/libsepol/src/libsepol.map	2009-07-01 21:07:45.948485729 -0400
@@ -12,6 +12,7 @@
 	sepol_policydb_*; sepol_set_policydb_from_file; 
 	sepol_policy_kern_*;
 	sepol_policy_file_*;
+	sepol_get_disable_dontaudit;
 	sepol_set_disable_dontaudit;
 	sepol_set_expand_consume_base;
   local: *;

[-- Attachment #2: selinux.patch1 --]
[-- Type: text/plain, Size: 1768 bytes --]

diff -urN selinux.orig/libsepol/include/sepol/handle.h selinux/libsepol/include/sepol/handle.h
--- selinux.orig/libsepol/include/sepol/handle.h	2009-07-01 21:05:26.823235749 -0400
+++ selinux/libsepol/include/sepol/handle.h	2009-07-01 21:08:33.277237031 -0400
@@ -7,6 +7,12 @@
 /* Create and return a sepol handle. */
 sepol_handle_t *sepol_handle_create(void);
 
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by disable dont audit. This value reflects the state
+ * your system will be set to upon commit, not nessesarily it's
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
 /* Set whether or not to disable dontaudits, 0 is default and does 
  * not disable dontaudits, 1 disables them */
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
diff -urN selinux.orig/libsepol/src/handle.c selinux/libsepol/src/handle.c
--- selinux.orig/libsepol/src/handle.c	2009-07-01 21:05:26.854236864 -0400
+++ selinux/libsepol/src/handle.c	2009-07-01 21:07:15.532236991 -0400
@@ -21,6 +21,12 @@
 	return sh;
 }
 
+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+	assert(sh !=NULL);
+	return sh->disable_dontaudit;
+}
+
 void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh !=NULL);
diff -urN selinux.orig/libsepol/src/libsepol.map selinux/libsepol/src/libsepol.map
--- selinux.orig/libsepol/src/libsepol.map	2009-07-01 21:05:26.848236011 -0400
+++ selinux/libsepol/src/libsepol.map	2009-07-01 21:07:45.948485729 -0400
@@ -12,6 +12,7 @@
 	sepol_policydb_*; sepol_set_policydb_from_file; 
 	sepol_policy_kern_*;
 	sepol_policy_file_*;
+	sepol_get_disable_dontaudit;
 	sepol_set_disable_dontaudit;
 	sepol_set_expand_consume_base;
   local: *;

[Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/handle.c              |   33 +++++++++++++++++++++++++++++++--
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 5 files changed, 37 insertions(+), 3 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 10:28:52.492201095 -0400
@@ -23,12 +23,14 @@
 
 #include <selinux/selinux.h>
 
+#include <unistd.h>
 #include <stdarg.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
 {
 	semanage_handle_t *sh = NULL;
 	const char *conf_name = NULL;
+	char path[PATH_MAX]
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
@@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
+
+	if (access(path,F_OK) == 0)
+		semanage_set_disable_dontaudit(sh,1);
+	else
+		semanage_set_disable_dontaudit(sh,0);
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
+	const char *path;
+
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+		if(disable_dontaudit == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			if (touch != NULL)
+				fclose(touch);
+		}else
+			remove(path);
 	return;
 }
 
@@ -264,7 +293,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 10:06:53.140167854 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 08:01:57.577197155 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 10:54 -0400, Christopher Pardy wrote:
> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> ---
>  libsemanage/include/semanage/handle.h |    3 +++
>  libsemanage/src/handle.c              |   33 +++++++++++++++++++++++++++++++--
>  libsemanage/src/libsemanage.map       |    2 +-
>  libsemanage/src/semanage_store.c      |    1 +
>  libsemanage/src/semanage_store.h      |    1 +
>  5 files changed, 37 insertions(+), 3 deletions(-)
> 
> 
> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
> +++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
> @@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> +/*Get whether or not to dontaudits will be disabled upon commit */
> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);

Still don't see the need for this function.  The two patches I was
expecting were one to modify semanage_set_disable_dontaudit() to create
or remove the flag file, and one to update semodule to call
semanage_set_disable_dontaudit() in the build case.  No libsepol
patches.

> +
>  /* Set whether or not to disable dontaudits upon commit */
>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>  
> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> +++ selinux/libsemanage/src/handle.c	2009-07-06 10:28:52.492201095 -0400
> @@ -23,12 +23,14 @@
>  
>  #include <selinux/selinux.h>
>  
> +#include <unistd.h>
>  #include <stdarg.h>
>  #include <assert.h>
>  #include <stdlib.h>
>  #include <stdio.h>
>  #include <string.h>
>  #include <sys/time.h>
> +#include <limits.h>
>  
>  #include "direct_api.h"
>  #include "handle.h"
> @@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
>  {
>  	semanage_handle_t *sh = NULL;
>  	const char *conf_name = NULL;
> +	char path[PATH_MAX]

No semicolon.

>  	/* Allocate handle */
>  	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
> @@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
>  		goto err;
>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>  
> +	/*set the disable dontaudit flag to system defaults*/
> +	snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
> +
> +	if (access(path,F_OK) == 0)
> +		semanage_set_disable_dontaudit(sh,1);
> +	else
> +		semanage_set_disable_dontaudit(sh,0);

No.  Now we're back to a flag file outside the policy store that isn't
managed by libsemanage.

Why do you need to do anything here at all?  What happens if you just
drop your changes to semanage_handle_create() and only modify
semanage_set_disable_dontaudit() to create or remove the in-store flag
file?

> +
>  	/* By default do not rebuild the policy on commit
>  	 * If any changes are made, this flag is ignored */
>  	sh->do_rebuild = 0;
> @@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
>  	return;
>  }
>  
> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
> +{
> +	assert(sh != NULL);
> +
> +	return sepol_get_disable_dontaudit(sh->sepolh);
> +}
> +
>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>  {
> +	const char *path;
> +
>  	assert(sh != NULL);
> -	
> +
>  	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +	
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +		if(disable_dontaudit == 1){

The entire if statement needs to be re-indented.

> +			FILE *touch;
> +			touch = fopen(path,"w");
> +			if (touch != NULL)
> +				fclose(touch);
> +		}else
> +			remove(path);
>  	return;
>  }

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits

[Daniel J Walsh]

On 07/06/2009 11:03 AM, Stephen Smalley wrote:
> On Mon, 2009-07-06 at 10:54 -0400, Christopher Pardy wrote:
>> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
>>
>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
>>
>> ---
>>  libsemanage/include/semanage/handle.h |    3 +++
>>  libsemanage/src/handle.c              |   33 +++++++++++++++++++++++++++++++--
>>  libsemanage/src/libsemanage.map       |    2 +-
>>  libsemanage/src/semanage_store.c      |    1 +
>>  libsemanage/src/semanage_store.h      |    1 +
>>  5 files changed, 37 insertions(+), 3 deletions(-)
>>
>>
>> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
>> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
>> +++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
>> @@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
>>   * 1 for yes, 0 for no (default) */
>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>  
>> +/*Get whether or not to dontaudits will be disabled upon commit */
>> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
> 
> Still don't see the need for this function.  The two patches I was
> expecting were one to modify semanage_set_disable_dontaudit() to create
> or remove the flag file, and one to update semodule to call
> semanage_set_disable_dontaudit() in the build case.  No libsepol
> patches.
> 
We would like to put an indicator in setroubleshoot to say DONTAUDIT Rules are currently disabled.  This will cause a lot of AVC messages that ordinarily can be ignored.  We have similar wording for checking whether or not the machine is in permissive mode.

The original goal of this check was for system-config-selinux to check whether or not the machine was in in disable dontaudit mode, so we could set a button to enabled/disable dontaudit rules.  We have decided to remove this button from the GUI, since setting this should be seldom be run.


>> +
>>  /* Set whether or not to disable dontaudits upon commit */
>>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>  
>> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
>> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
>> +++ selinux/libsemanage/src/handle.c	2009-07-06 10:28:52.492201095 -0400
>> @@ -23,12 +23,14 @@
>>  
>>  #include <selinux/selinux.h>
>>  
>> +#include <unistd.h>
>>  #include <stdarg.h>
>>  #include <assert.h>
>>  #include <stdlib.h>
>>  #include <stdio.h>
>>  #include <string.h>
>>  #include <sys/time.h>
>> +#include <limits.h>
>>  
>>  #include "direct_api.h"
>>  #include "handle.h"
>> @@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
>>  {
>>  	semanage_handle_t *sh = NULL;
>>  	const char *conf_name = NULL;
>> +	char path[PATH_MAX]
> 
> No semicolon.
> 
>>  	/* Allocate handle */
>>  	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>> @@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
>>  		goto err;
>>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>>  
>> +	/*set the disable dontaudit flag to system defaults*/
>> +	snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
>> +
>> +	if (access(path,F_OK) == 0)
>> +		semanage_set_disable_dontaudit(sh,1);
>> +	else
>> +		semanage_set_disable_dontaudit(sh,0);
> 
> No.  Now we're back to a flag file outside the policy store that isn't
> managed by libsemanage.
> 
> Why do you need to do anything here at all?  What happens if you just
> drop your changes to semanage_handle_create() and only modify
> semanage_set_disable_dontaudit() to create or remove the in-store flag
> file?
> 
>> +
>>  	/* By default do not rebuild the policy on commit
>>  	 * If any changes are made, this flag is ignored */
>>  	sh->do_rebuild = 0;
>> @@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
>>  	return;
>>  }
>>  
>> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
>> +{
>> +	assert(sh != NULL);
>> +
>> +	return sepol_get_disable_dontaudit(sh->sepolh);
>> +}
>> +
>>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>  {
>> +	const char *path;
>> +
>>  	assert(sh != NULL);
>> -	
>> +
>>  	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> +	
>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
>> +		if(disable_dontaudit == 1){
> 
> The entire if statement needs to be re-indented.
> 
>> +			FILE *touch;
>> +			touch = fopen(path,"w");
>> +			if (touch != NULL)
>> +				fclose(touch);
>> +		}else
>> +			remove(path);
>>  	return;
>>  }
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

On 07/06/2009 11:17 AM, Daniel J Walsh wrote:
> On 07/06/2009 11:03 AM, Stephen Smalley wrote:
>> On Mon, 2009-07-06 at 10:54 -0400, Christopher Pardy wrote:
>>> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
>>>
>>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
>>>
>>> ---
>>>  libsemanage/include/semanage/handle.h |    3 +++
>>>  libsemanage/src/handle.c              |   33 +++++++++++++++++++++++++++++++--
>>>  libsemanage/src/libsemanage.map       |    2 +-
>>>  libsemanage/src/semanage_store.c      |    1 +
>>>  libsemanage/src/semanage_store.h      |    1 +
>>>  5 files changed, 37 insertions(+), 3 deletions(-)
>>>
>>>
>>> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
>>> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
>>> +++ selinux/libsemanage/include/semanage/handle.h	2009-07-02 11:09:06.982262194 -0400
>>> @@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
>>>   * 1 for yes, 0 for no (default) */
>>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>>  
>>> +/*Get whether or not to dontaudits will be disabled upon commit */
>>> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
>> Still don't see the need for this function.  The two patches I was
>> expecting were one to modify semanage_set_disable_dontaudit() to create
>> or remove the flag file, and one to update semodule to call
>> semanage_set_disable_dontaudit() in the build case.  No libsepol
>> patches.
>>
> We would like to put an indicator in setroubleshoot to say DONTAUDIT Rules are currently disabled.  This will cause a lot of AVC messages that ordinarily can be ignored.  We have similar wording for checking whether or not the machine is in permissive mode.
> 
> The original goal of this check was for system-config-selinux to check whether or not the machine was in in disable dontaudit mode, so we could set a button to enabled/disable dontaudit rules.  We have decided to remove this button from the GUI, since setting this should be seldom be run.
> 
> 

Usage example for this function:
1.Program A creates handle x
2.Program A gets initial values form handle x and stores them
3.Program A passes handle x to Library B
4.Library B sets the values of handle x based on some logic
5.Library B returns a modified handle x to Program A
6.Program A repeats steps 3 - 5 with Libraries C - N
7.Program A gets new values in handle x and compares them to oldvalues to see if commit is needed.

Or:
User A tells SELINUX to turn off dontaudit rules, rather than rebuild policy right away selinux can check if dontaudit rules are already turned off by creating a handle and calling get_disable_dontaudit

Also libsepol patch will remain as it mimicks current behavior, is faster than accessing the file system, and more correct if the sepol handle was modified from another source.

>>> +
>>>  /* Set whether or not to disable dontaudits upon commit */
>>>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>>  
>>> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
>>> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
>>> +++ selinux/libsemanage/src/handle.c	2009-07-06 10:28:52.492201095 -0400
>>> @@ -23,12 +23,14 @@
>>>  
>>>  #include <selinux/selinux.h>
>>>  
>>> +#include <unistd.h>
>>>  #include <stdarg.h>
>>>  #include <assert.h>
>>>  #include <stdlib.h>
>>>  #include <stdio.h>
>>>  #include <string.h>
>>>  #include <sys/time.h>
>>> +#include <limits.h>
>>>  
>>>  #include "direct_api.h"
>>>  #include "handle.h"
>>> @@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
>>>  {
>>>  	semanage_handle_t *sh = NULL;
>>>  	const char *conf_name = NULL;
>>> +	char path[PATH_MAX]
>> No semicolon.
>>
>>>  	/* Allocate handle */
>>>  	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>>> @@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
>>>  		goto err;
>>>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>>>  
>>> +	/*set the disable dontaudit flag to system defaults*/
>>> +	snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());
>>> +
>>> +	if (access(path,F_OK) == 0)
>>> +		semanage_set_disable_dontaudit(sh,1);
>>> +	else
>>> +		semanage_set_disable_dontaudit(sh,0);
>> No.  Now we're back to a flag file outside the policy store that isn't
>> managed by libsemanage.
>>
>> Why do you need to do anything here at all?  What happens if you just
>> drop your changes to semanage_handle_create() and only modify
>> semanage_set_disable_dontaudit() to create or remove the in-store flag
>> file?

The issue is that I need to know what the flag was set to on the last commit. for this I don't want to look at the sandbox where the inprogress files are stored I want to look at the file that gets written post commit. Also this functionality cannot be put into set_disable_dontaudit.

>>> +
>>>  	/* By default do not rebuild the policy on commit
>>>  	 * If any changes are made, this flag is ignored */
>>>  	sh->do_rebuild = 0;
>>> @@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
>>>  	return;
>>>  }
>>>  
>>> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
>>> +{
>>> +	assert(sh != NULL);
>>> +
>>> +	return sepol_get_disable_dontaudit(sh->sepolh);
>>> +}
>>> +
>>>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>>  {
>>> +	const char *path;
>>> +
>>>  	assert(sh != NULL);
>>> -	
>>> +
>>>  	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>> +	
>>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
>>> +		if(disable_dontaudit == 1){
>> The entire if statement needs to be re-indented.
>>
>>> +			FILE *touch;
>>> +			touch = fopen(path,"w");
>>> +			if (touch != NULL)
>>> +				fclose(touch);
>>> +		}else
>>> +			remove(path);
>>>  	return;
>>>  }
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 11:54 -0400, Christopher Pardy wrote:
> The issue is that I need to know what the flag was set to on the last
> commit. for this I don't want to look at the sandbox where the
> inprogress files are stored I want to look at the file that gets
> written post commit. Also this functionality cannot be put into
> set_disable_dontaudit.

Ok, let me clarify how libsemanage works:
1.  Let DIR=/etc/selinux/$SELINUXTYPE/modules represent the policy
store.
2.  The files for the current, active policy live under $DIR/active/.
3.  When you start a transaction, libsemanage creates a complete copy of
$DIR/active to $DIR/tmp.
4.  For each operation you perform within the transaction, libsemanage
acts on that copy only.  If you call semanage_set_disable_dontaudit()
with a 0, then you'll remove the flag file within the copy; or if you
call it with a 1, you'll create the flag file within the copy.  If you
implement semanage_get_disable_dontaudit() by testing for the existence
of the flag file within the sandbox and it gets called by another
process in a different transaction, it will still see the current,
active setting.
5.  When you commit, libsemanage moves $DIR/active to $DIR/previous, and
moves $DIR/tmp to $DIR/active.  Now the flag file is active.

You don't need some external file for this, and you don't really want a
sepol_get_disable_dontaudit() - it only tells you the transient
in-memory setting from the last call to sepol_set_disable_dontaudit() on
the same handle.  You want to just test for the existence of the flag
file in the store.

Try it, and let me know if it doesn't actually work.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[Patch 2/2 v2] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 5851 bytes --]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.

Stephen Smalley: This get function has the correct functionality as it gets the actual value that will be committed to memory.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/handle.c              |   34 ++++++++++++++++++++++++++++++++--
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 5 files changed, 38 insertions(+), 3 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-06 13:26:53.584171399 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 13:34:00.186414341 -0400
@@ -23,12 +23,14 @@
 
 #include <selinux/selinux.h>
 
+#include <unistd.h>
 #include <stdarg.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
 {
 	semanage_handle_t *sh = NULL;
 	const char *conf_name = NULL;
+	const char *path;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
@@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+
+	if (access(path,F_OK) == 0)
+		semanage_set_disable_dontaudit(sh,1);
+	else
+		semanage_set_disable_dontaudit(sh,0);
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
+	const char *path;
+
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(disable_dontaudit == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			fclose(touch);
+	}else
+		remove(path);
 	return;
 }
 
@@ -264,9 +293,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4725 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-06 13:26:53.584171399 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-06 13:34:00.186414341 -0400
@@ -23,12 +23,14 @@
 
 #include <selinux/selinux.h>
 
+#include <unistd.h>
 #include <stdarg.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -42,6 +44,7 @@ semanage_handle_t *semanage_handle_creat
 {
 	semanage_handle_t *sh = NULL;
 	const char *conf_name = NULL;
+	const char *path;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
@@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+
+	if (access(path,F_OK) == 0)
+		semanage_set_disable_dontaudit(sh,1);
+	else
+		semanage_set_disable_dontaudit(sh,0);
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
+	const char *path;
+
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(disable_dontaudit == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			fclose(touch);
+	}else
+		remove(path);
 	return;
 }
 
@@ -264,9 +293,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

Re: [Patch 2/2 v2] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 13:37 -0400, Christopher Pardy wrote:
> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
> 
> Stephen Smalley: This get function has the correct functionality as it
> gets the actual value that will be committed to memory.
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> ---
>  libsemanage/include/semanage/handle.h |    3 +++
>  libsemanage/src/handle.c              |   34 ++++++++++++++++++++++++++++++++--
>  libsemanage/src/libsemanage.map       |    2 +-
>  libsemanage/src/semanage_store.c      |    1 +
>  libsemanage/src/semanage_store.h      |    1 +
>  5 files changed, 38 insertions(+), 3 deletions(-)
> 

> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> @@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
>  		goto err;
>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>  
> +	/*set the disable dontaudit flag to system defaults*/
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +
> +	if (access(path,F_OK) == 0)
> +		semanage_set_disable_dontaudit(sh,1);
> +	else
> +		semanage_set_disable_dontaudit(sh,0);
> +

No.  This will try to create or remove the file within the active policy
store without even having started a transaction.  And it is completely a
waste as you are merely re-creating or removing the file based on
whether it already exists.  And you aren't allowed to touch the store
from handle_create; the caller hasn't yet connected to the store via
semanage_connect().  And technically all interaction with the file store
ought to happen from the direct_api functions.

>  	/* By default do not rebuild the policy on commit
>  	 * If any changes are made, this flag is ignored */
>  	sh->do_rebuild = 0;
> @@ -110,11 +121,29 @@ void semanage_set_create_store(semanage_
>  	return;
>  }
>  
> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
> +{
> +	assert(sh != NULL);
> +
> +	return sepol_get_disable_dontaudit(sh->sepolh);
> +}
> +
>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>  {
> +	const char *path;
> +
>  	assert(sh != NULL);
> -	
> +
>  	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +	
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if(disable_dontaudit == 1){
> +		FILE *touch;
> +		touch = fopen(path,"w");
> +		if (touch != NULL)
> +			fclose(touch);
> +	}else
> +		remove(path);
>  	return;
>  }
>  
> @@ -264,9 +293,10 @@ int semanage_commit(semanage_handle_t * 
>  	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
>  	if (!sh->is_in_transaction) {
>  		ERR(sh,
> -		    "Will not commit because caller does not have a tranaction lock yet.");
> +		    "Will not commit because caller does not have a transaction lock yet.");
>  		return -1;
>  	}
> +	semanage_set_disable_dontaudit(sh,semanage_get_disable_dontaudit(sh));

This likewise doesn't make sense; if the application called
semanage_set_disable_dontaudit(), then the in-memory variable and the
flag file have already been set properly and you don't need this.

As is, this will try to re-create or remove the file 3 times on a single
sequence, once at handle_create (not legal), once when the application
itself calls semanage_set_disable_dontaudit(), and once upon commit.

>  	retval = sh->funcs->commit(sh);
>  	sh->is_in_transaction = 0;
>  	sh->modules_modified = 0;

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v2] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 14:07 -0400, Stephen Smalley wrote:
> On Mon, 2009-07-06 at 13:37 -0400, Christopher Pardy wrote:
> > Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
> > 
> > Stephen Smalley: This get function has the correct functionality as it
> > gets the actual value that will be committed to memory.
> > 
> > Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> > 
> > ---
> >  libsemanage/include/semanage/handle.h |    3 +++
> >  libsemanage/src/handle.c              |   34 ++++++++++++++++++++++++++++++++--
> >  libsemanage/src/libsemanage.map       |    2 +-
> >  libsemanage/src/semanage_store.c      |    1 +
> >  libsemanage/src/semanage_store.h      |    1 +
> >  5 files changed, 38 insertions(+), 3 deletions(-)
> > 
> 
> > diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
> > --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> > @@ -59,6 +62,14 @@ semanage_handle_t *semanage_handle_creat
> >  		goto err;
> >  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
> >  
> > +	/*set the disable dontaudit flag to system defaults*/
> > +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> > +
> > +	if (access(path,F_OK) == 0)
> > +		semanage_set_disable_dontaudit(sh,1);
> > +	else
> > +		semanage_set_disable_dontaudit(sh,0);
> > +
> 
> No.  This will try to create or remove the file within the active policy
> store without even having started a transaction.  And it is completely a
> waste as you are merely re-creating or removing the file based on
> whether it already exists.  And you aren't allowed to touch the store
> from handle_create; the caller hasn't yet connected to the store via
> semanage_connect().  And technically all interaction with the file store
> ought to happen from the direct_api functions.

Suggestion:  In semanage_direct_connect(), test for the existence of the
flag file via access(), and then call sepol_set_disable_dontaudit() to
set the in-memory variable without touching any files.  Do not call
semanage_set_disable_dontaudit() at all from libsemanage, only from your
application.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v3] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 7353 bytes --]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
 
Stephen Smalley: No longer attempt to create or destroy the file in the handle create, all store functionality has been moved to direct_api.c all functions now use sepol versions. The reason for needing to create the file in the commit statement is because changes to the flag in sepol directly may be reflected in the commited policy but not the flags.

Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/direct_api.c          |   33 +++++++++++++++++++++++++++++++++
 libsemanage/src/direct_api.h          |    4 ++++
 libsemanage/src/handle.c              |   19 +++++++++++++++++--
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 7 files changed, 60 insertions(+), 3 deletions(-)

diff -uprN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-06 13:26:53.584171399 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -uprN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-06 15:01:10.811163179 -0400
@@ -293,6 +293,39 @@ static int semanage_direct_begintrans(se
 	return 0;
 }
 
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+	const char *path;
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
+void set_disable_dontaudit_flag(int setting)
+{
+	const char *path;
+
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(setting == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			fclose(touch);
+	}else
+		remove(path);
+	
+	return;
+}
+
+
 /********************* utility functions *********************/
 
 /* Takes a module stored in 'module_data' and parses its headers.
diff -uprN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-06 15:00:55.602167275 -0400
@@ -39,6 +39,10 @@ int semanage_direct_access_check(struct 
 
 int semanage_direct_mls_enabled(struct semanage_handle *sh);
 
+int get_disable_dontaudit_flag(void);
+
+void set_disable_dontaudit_flag(int setting);
+
 #include <stdio.h>
 #include <unistd.h>
 ssize_t bunzip(FILE *f, char **data);
diff -uprN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-06 15:04:18.442166837 -0400
@@ -59,6 +59,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -66,6 +69,7 @@ semanage_handle_t *semanage_handle_creat
 	/* By default always reload policy after commit if SELinux is enabled. */
 	sh->do_reload = (is_selinux_enabled() > 0);
 
+
 	/* By default do not create store */
 	sh->create_store = 0;
 
@@ -110,11 +114,21 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	set_disable_dontaudit_flag(disable_dontaudit);
+
 	return;
 }
 
@@ -264,9 +278,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -uprN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -uprN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -uprN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 5884 bytes --]

diff -uprN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-06 13:26:53.584171399 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -uprN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-06 15:01:10.811163179 -0400
@@ -293,6 +293,39 @@ static int semanage_direct_begintrans(se
 	return 0;
 }
 
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+	const char *path;
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
+void set_disable_dontaudit_flag(int setting)
+{
+	const char *path;
+
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(setting == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			fclose(touch);
+	}else
+		remove(path);
+	
+	return;
+}
+
+
 /********************* utility functions *********************/
 
 /* Takes a module stored in 'module_data' and parses its headers.
diff -uprN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-06 15:00:55.602167275 -0400
@@ -39,6 +39,10 @@ int semanage_direct_access_check(struct 
 
 int semanage_direct_mls_enabled(struct semanage_handle *sh);
 
+int get_disable_dontaudit_flag(void);
+
+void set_disable_dontaudit_flag(int setting);
+
 #include <stdio.h>
 #include <unistd.h>
 ssize_t bunzip(FILE *f, char **data);
diff -uprN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-06 15:04:18.442166837 -0400
@@ -59,6 +59,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -66,6 +69,7 @@ semanage_handle_t *semanage_handle_creat
 	/* By default always reload policy after commit if SELinux is enabled. */
 	sh->do_reload = (is_selinux_enabled() > 0);
 
+
 	/* By default do not create store */
 	sh->create_store = 0;
 
@@ -110,11 +114,21 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
-	
+
 	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+	
+	set_disable_dontaudit_flag(disable_dontaudit);
+
 	return;
 }
 
@@ -264,9 +278,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -uprN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -uprN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -uprN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

Re: [Patch 2/2 v3] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 15:10 -0400, Christopher Pardy wrote:
> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
>  
> Stephen Smalley: No longer attempt to create or destroy the file in the handle create, all store functionality has been moved to direct_api.c all functions now use sepol versions. The reason for needing to create the file in the commit statement is because changes to the flag in sepol directly may be reflected in the commited policy but not the flags.
> 
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> ---
>  libsemanage/include/semanage/handle.h |    3 +++
>  libsemanage/src/direct_api.c          |   33 +++++++++++++++++++++++++++++++++
>  libsemanage/src/direct_api.h          |    4 ++++
>  libsemanage/src/handle.c              |   19 +++++++++++++++++--
>  libsemanage/src/libsemanage.map       |    2 +-
>  libsemanage/src/semanage_store.c      |    1 +
>  libsemanage/src/semanage_store.h      |    1 +
>  7 files changed, 60 insertions(+), 3 deletions(-)

> diff -uprN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
> --- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
> +++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-06 15:01:10.811163179 -0400
> @@ -293,6 +293,39 @@ static int semanage_direct_begintrans(se
>  	return 0;
>  }
>  
> +/*********Dont audit functions*************/
> +
> +/* Creates, removes, and tests for the existance of a dont audit flag.
> + */
> +
> +int get_disable_dontaudit_flag(void)

Should follow the naming convention of this file, i.e.
semanage_direct_get_disable_dontaudit_flag().

> +{
> +	const char *path;
> +	
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if(access(path,F_OK) == 0)
> +		return 1;
> +	else
> +		return 0;
> +}
> +
> +void set_disable_dontaudit_flag(int setting)

Ditto.

> +{
> +	const char *path;
> +
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if(setting == 1){
> +		FILE *touch;
> +		touch = fopen(path,"w");

I suspect we want to log an ERR() if this fails.

> +		if (touch != NULL)
> +			fclose(touch);
> +	}else
> +		remove(path);

Ditto.

> +	
> +	return;
> +}
> +
> +
>  /********************* utility functions *********************/
>  
>  /* Takes a module stored in 'module_data' and parses its headers.
<snip>
> diff -uprN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> +++ selinux.orig3/libsemanage/src/handle.c	2009-07-06 15:04:18.442166837 -0400
> @@ -59,6 +59,9 @@ semanage_handle_t *semanage_handle_creat
>  		goto err;
>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>  
> +	/*set the disable dontaudit flag to system defaults*/
> +	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());

Shouldn't be done here, as I said - has to be done from
semanage_direct_connect() after we've already set up the connection
since it accesses a file in the store.


> @@ -66,6 +69,7 @@ semanage_handle_t *semanage_handle_creat
>  	/* By default always reload policy after commit if SELinux is enabled. */
>  	sh->do_reload = (is_selinux_enabled() > 0);
>  
> +
>  	/* By default do not create store */
>  	sh->create_store = 0;

Avoid spurious whitespace changes.

 
> @@ -264,9 +278,10 @@ int semanage_commit(semanage_handle_t * 
>  	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
>  	if (!sh->is_in_transaction) {
>  		ERR(sh,
> -		    "Will not commit because caller does not have a tranaction lock yet.");
> +		    "Will not commit because caller does not have a transaction lock yet.");
>  		return -1;
>  	}
> +	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));

Not justified AFAICS - the only way that the sepol disable dontaudit
flag can change is if the application called
semanage_set_disable_dontaudit() on the semanage handle (sepol handle is
private to libsemanage), so you can track changes there and do not need
to re-fetch here.

>  	retval = sh->funcs->commit(sh);
>  	sh->is_in_transaction = 0;
>  	sh->modules_modified = 0;

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v3] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Mon, 2009-07-06 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2009-07-06 at 15:10 -0400, Christopher Pardy wrote:
> > Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
> >  
> > Stephen Smalley: No longer attempt to create or destroy the file in the handle create, all store functionality has been moved to direct_api.c all functions now use sepol versions. The reason for needing to create the file in the commit statement is because changes to the flag in sepol directly may be reflected in the commited policy but not the flags.
> > 
> > Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> > 
> > ---
> >  libsemanage/include/semanage/handle.h |    3 +++
> >  libsemanage/src/direct_api.c          |   33 +++++++++++++++++++++++++++++++++
> >  libsemanage/src/direct_api.h          |    4 ++++
> >  libsemanage/src/handle.c              |   19 +++++++++++++++++--
> >  libsemanage/src/libsemanage.map       |    2 +-
> >  libsemanage/src/semanage_store.c      |    1 +
> >  libsemanage/src/semanage_store.h      |    1 +
> >  7 files changed, 60 insertions(+), 3 deletions(-)

> > +{
> > +	const char *path;
> > +
> > +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> > +	if(setting == 1){
> > +		FILE *touch;
> > +		touch = fopen(path,"w");
> 
> I suspect we want to log an ERR() if this fails.

Actually, I think we want to not only log an error (via ERR) but also
return an error to the caller (i.e. the function needs to return an
error status) so that we can ultimately indicate to semodule that
semodule -DB or semodule -B failed.

> 
> > +		if (touch != NULL)
> > +			fclose(touch);
> > +	}else
> > +		remove(path);
> 
> Ditto.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v3] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

On 07/07/2009 07:45 AM, Stephen Smalley wrote:
> On Mon, 2009-07-06 at 15:30 -0400, Stephen Smalley wrote:
>> On Mon, 2009-07-06 at 15:10 -0400, Christopher Pardy wrote:
>>> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
>>>  
>>> Stephen Smalley: No longer attempt to create or destroy the file in the handle create, all store functionality has been moved to direct_api.c all functions now use sepol versions. The reason for needing to create the file in the commit statement is because changes to the flag in sepol directly may be reflected in the commited policy but not the flags.
>>>
>>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
>>>
>>> ---
>>>  libsemanage/include/semanage/handle.h |    3 +++
>>>  libsemanage/src/direct_api.c          |   33 +++++++++++++++++++++++++++++++++
>>>  libsemanage/src/direct_api.h          |    4 ++++
>>>  libsemanage/src/handle.c              |   19 +++++++++++++++++--
>>>  libsemanage/src/libsemanage.map       |    2 +-
>>>  libsemanage/src/semanage_store.c      |    1 +
>>>  libsemanage/src/semanage_store.h      |    1 +
>>>  7 files changed, 60 insertions(+), 3 deletions(-)
> 
>>> +{
>>> +	const char *path;
>>> +
>>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
>>> +	if(setting == 1){
>>> +		FILE *touch;
>>> +		touch = fopen(path,"w");
>> I suspect we want to log an ERR() if this fails.
> 
> Actually, I think we want to not only log an error (via ERR) but also
> return an error to the caller (i.e. the function needs to return an
> error status) so that we can ultimately indicate to semodule that
> semodule -DB or semodule -B failed.
> 
>>> +		if (touch != NULL)
>>> +			fclose(touch);
>>> +	}else
>>> +		remove(path);
>> Ditto.
> 
If we're returning an error to the user should we also revert the disable dontaudit flag? IE. making the change of the flag and file creation atomic?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v3] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Tue, 2009-07-07 at 08:47 -0400, Christopher Pardy wrote:
> On 07/07/2009 07:45 AM, Stephen Smalley wrote:
> > On Mon, 2009-07-06 at 15:30 -0400, Stephen Smalley wrote:
> >> On Mon, 2009-07-06 at 15:10 -0400, Christopher Pardy wrote:
> >>> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules.
> >>>  
> >>> Stephen Smalley: No longer attempt to create or destroy the file in the handle create, all store functionality has been moved to direct_api.c all functions now use sepol versions. The reason for needing to create the file in the commit statement is because changes to the flag in sepol directly may be reflected in the commited policy but not the flags.
> >>>
> >>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> >>>
> >>> ---
> >>>  libsemanage/include/semanage/handle.h |    3 +++
> >>>  libsemanage/src/direct_api.c          |   33 +++++++++++++++++++++++++++++++++
> >>>  libsemanage/src/direct_api.h          |    4 ++++
> >>>  libsemanage/src/handle.c              |   19 +++++++++++++++++--
> >>>  libsemanage/src/libsemanage.map       |    2 +-
> >>>  libsemanage/src/semanage_store.c      |    1 +
> >>>  libsemanage/src/semanage_store.h      |    1 +
> >>>  7 files changed, 60 insertions(+), 3 deletions(-)
> > 
> >>> +{
> >>> +	const char *path;
> >>> +
> >>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> >>> +	if(setting == 1){
> >>> +		FILE *touch;
> >>> +		touch = fopen(path,"w");
> >> I suspect we want to log an ERR() if this fails.
> > 
> > Actually, I think we want to not only log an error (via ERR) but also
> > return an error to the caller (i.e. the function needs to return an
> > error status) so that we can ultimately indicate to semodule that
> > semodule -DB or semodule -B failed.
> > 
> >>> +		if (touch != NULL)
> >>> +			fclose(touch);
> >>> +	}else
> >>> +		remove(path);
> >> Ditto.
> > 
> If we're returning an error to the user should we also revert the
> disable dontaudit flag? IE. making the change of the flag and file
> creation atomic?

Oh, wait - sorry, we can't return an error to the user because the
existing semanage_set_disable_dontaudit() interface is void and we can't
change that without breaking the ABI.  So I guess we're limited to
logging an error there with ERR().

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 7794 bytes --]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created the dontaudit rules dont change and errors are set.
 
Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    8 +++++-
 libsemanage/src/direct_api.c          |   40 ++++++++++++++++++++++++++++++++++
 libsemanage/src/direct_api.h          |    5 ++++
 libsemanage/src/handle.c              |   21 ++++++++++++++++-
 libsemanage/src/libsemanage.map       |    2 -
 libsemanage/src/semanage_store.c      |    1 
 libsemanage/src/semanage_store.h      |    1 
 7 files changed, 74 insertions(+), 4 deletions(-)

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
@@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
-/* Set whether or not to disable dontaudits upon commit */
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
+/* Set whether or not to disable dontaudits upon commit
+ * Sets errno to 0 if successful. Otherwise sets errno
+ * to any of the errors specified by fopen,fclose, or remove.
+ */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
 /* Check whether policy is managed via libsemanage on this system.
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 09:19:28.174321784 -0400
@@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
 	return 0;
 }
 
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+	const char *path;
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
+int set_disable_dontaudit_flag(int setting)
+{
+	const char *path;
+	int retcode;
+
+	retcode = 0;
+
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(setting == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			if(fclose(touch) != 0)
+				retcode = -1;
+		else
+			retcode = -1;
+	}else
+		if(remove(path) == -1 && errno != ENOENT)
+			retcode = -1
+	
+	return retcode;
+}
+
+
 /********************* utility functions *********************/
 
 /* Takes a module stored in 'module_data' and parses its headers.
diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-07 08:50:24.620326359 -0400
@@ -39,6 +39,11 @@ int semanage_direct_access_check(struct 
 
 int semanage_direct_mls_enabled(struct semanage_handle *sh);
 
+int get_disable_dontaudit_flag(void);
+
+/*returns a 0 on success*/
+int set_disable_dontaudit_flag(int setting);
+
 #include <stdio.h>
 #include <unistd.h>
 ssize_t bunzip(FILE *f, char **data);
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 09:44:23.677572218 -0400
@@ -23,6 +23,7 @@
 
 #include <selinux/selinux.h>
 
+#include <errno.h>
 #include <stdarg.h>
 #include <assert.h>
 #include <stdlib.h>
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
 	/* By default always reload policy after commit if SELinux is enabled. */
 	sh->do_reload = (is_selinux_enabled() > 0);
 
+
 	/* By default do not create store */
 	sh->create_store = 0;
 
@@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
+	if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
+		sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+		errno = 0;
+	}else
+		ERR(sh,"Could not set disable dontaudit flag of handle.");
 	
-	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
 	return;
 }
 
@@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 6582 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
@@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
-/* Set whether or not to disable dontaudits upon commit */
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
+/* Set whether or not to disable dontaudits upon commit
+ * Sets errno to 0 if successful. Otherwise sets errno
+ * to any of the errors specified by fopen,fclose, or remove.
+ */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
 /* Check whether policy is managed via libsemanage on this system.
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 09:19:28.174321784 -0400
@@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
 	return 0;
 }
 
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+	const char *path;
+	
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
+int set_disable_dontaudit_flag(int setting)
+{
+	const char *path;
+	int retcode;
+
+	retcode = 0;
+
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(setting == 1){
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			if(fclose(touch) != 0)
+				retcode = -1;
+		else
+			retcode = -1;
+	}else
+		if(remove(path) == -1 && errno != ENOENT)
+			retcode = -1
+	
+	return retcode;
+}
+
+
 /********************* utility functions *********************/
 
 /* Takes a module stored in 'module_data' and parses its headers.
diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-07 08:50:24.620326359 -0400
@@ -39,6 +39,11 @@ int semanage_direct_access_check(struct 
 
 int semanage_direct_mls_enabled(struct semanage_handle *sh);
 
+int get_disable_dontaudit_flag(void);
+
+/*returns a 0 on success*/
+int set_disable_dontaudit_flag(int setting);
+
 #include <stdio.h>
 #include <unistd.h>
 ssize_t bunzip(FILE *f, char **data);
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 09:44:23.677572218 -0400
@@ -23,6 +23,7 @@
 
 #include <selinux/selinux.h>
 
+#include <errno.h>
 #include <stdarg.h>
 #include <assert.h>
 #include <stdlib.h>
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
 
+	/*set the disable dontaudit flag to system defaults*/
+	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
@@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
 	/* By default always reload policy after commit if SELinux is enabled. */
 	sh->do_reload = (is_selinux_enabled() > 0);
 
+
 	/* By default do not create store */
 	sh->create_store = 0;
 
@@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
+	if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
+		sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+		errno = 0;
+	}else
+		ERR(sh,"Could not set disable dontaudit flag of handle.");
 	
-	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
 	return;
 }
 
@@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
+	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Tue, 2009-07-07 at 09:48 -0400, Christopher Pardy wrote:
> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created the dontaudit rules dont change and errors are set.
>  
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>

As before:
1.  Move the logic to initialize the flag from semanage_handle_create()
to semanage_direct_connect() after the semanage_access_check() call.
2.  Justify why we need to call set_disable_dontaudit_flag() from
semanage_commit() - it should have been initialized upon connect and can
only change upon semanage_set_disable_dontaudit() and thus should
already be correct.  If we truly do need it, move to
semanage_direct_commit(), but explain why first please - I don't see the
rationale (better yet, test without it and demonstrate that it doesn't
work otherwise!).

And your coding style isn't quite right - add a space between if and (,
between ) and {, and between { and else in
semanage_set_disable_dontaudit.  And no extraneous whitespace in the
patch (you add an extra empty line to semanage_handle_create after
sh->do_reload gets set).

Thanks.

> ---
>  libsemanage/include/semanage/handle.h |    8 +++++-
>  libsemanage/src/direct_api.c          |   40 ++++++++++++++++++++++++++++++++++
>  libsemanage/src/direct_api.h          |    5 ++++
>  libsemanage/src/handle.c              |   21 ++++++++++++++++-
>  libsemanage/src/libsemanage.map       |    2 -
>  libsemanage/src/semanage_store.c      |    1 
>  libsemanage/src/semanage_store.h      |    1 
>  7 files changed, 74 insertions(+), 4 deletions(-)
> 
> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
> +++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
> @@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> -/* Set whether or not to disable dontaudits upon commit */
> +/*Get whether or not to dontaudits will be disabled upon commit */
> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
> +
> +/* Set whether or not to disable dontaudits upon commit
> + * Sets errno to 0 if successful. Otherwise sets errno
> + * to any of the errors specified by fopen,fclose, or remove.
> + */
>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>  
>  /* Check whether policy is managed via libsemanage on this system.
> diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
> --- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
> +++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 09:19:28.174321784 -0400
> @@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
>  	return 0;
>  }
>  
> +/*********Dont audit functions*************/
> +
> +/* Creates, removes, and tests for the existance of a dont audit flag.
> + */
> +
> +int get_disable_dontaudit_flag(void)
> +{
> +	const char *path;
> +	
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if(access(path,F_OK) == 0)
> +		return 1;
> +	else
> +		return 0;
> +}
> +
> +int set_disable_dontaudit_flag(int setting)
> +{
> +	const char *path;
> +	int retcode;
> +
> +	retcode = 0;
> +
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if(setting == 1){
> +		FILE *touch;
> +		touch = fopen(path,"w");
> +		if (touch != NULL)
> +			if(fclose(touch) != 0)
> +				retcode = -1;
> +		else
> +			retcode = -1;
> +	}else
> +		if(remove(path) == -1 && errno != ENOENT)
> +			retcode = -1
> +	
> +	return retcode;
> +}
> +
> +
>  /********************* utility functions *********************/
>  
>  /* Takes a module stored in 'module_data' and parses its headers.
> diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
> --- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
> +++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-07 08:50:24.620326359 -0400
> @@ -39,6 +39,11 @@ int semanage_direct_access_check(struct 
>  
>  int semanage_direct_mls_enabled(struct semanage_handle *sh);
>  
> +int get_disable_dontaudit_flag(void);
> +
> +/*returns a 0 on success*/
> +int set_disable_dontaudit_flag(int setting);
> +
>  #include <stdio.h>
>  #include <unistd.h>
>  ssize_t bunzip(FILE *f, char **data);
> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
> +++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 09:44:23.677572218 -0400
> @@ -23,6 +23,7 @@
>  
>  #include <selinux/selinux.h>
>  
> +#include <errno.h>
>  #include <stdarg.h>
>  #include <assert.h>
>  #include <stdlib.h>
> @@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
>  		goto err;
>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>  
> +	/*set the disable dontaudit flag to system defaults*/
> +	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
> +
>  	/* By default do not rebuild the policy on commit
>  	 * If any changes are made, this flag is ignored */
>  	sh->do_rebuild = 0;
> @@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
>  	/* By default always reload policy after commit if SELinux is enabled. */
>  	sh->do_reload = (is_selinux_enabled() > 0);
>  
> +
>  	/* By default do not create store */
>  	sh->create_store = 0;
>  
> @@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
>  	return;
>  }
>  
> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
> +{
> +	assert(sh != NULL);
> +
> +	return sepol_get_disable_dontaudit(sh->sepolh);
> +}
> +
>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>  {
>  	assert(sh != NULL);
> +	if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
> +		sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
> +		errno = 0;
> +	}else
> +		ERR(sh,"Could not set disable dontaudit flag of handle.");
>  	
> -	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>  	return;
>  }
>  
> @@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t * 
>  	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
>  	if (!sh->is_in_transaction) {
>  		ERR(sh,
> -		    "Will not commit because caller does not have a tranaction lock yet.");
> +		    "Will not commit because caller does not have a transaction lock yet.");
>  		return -1;
>  	}
> +	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
>  	retval = sh->funcs->commit(sh);
>  	sh->is_in_transaction = 0;
>  	sh->modules_modified = 0;
> diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
> --- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
> +++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
> @@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>  	  semanage_node_*;
>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
> -	  semanage_is_connected; semanage_set_disable_dontaudit;
> +	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
>  	  semanage_mls_enabled;
>    local: *;
>  };
> diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
> --- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
> +++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
> @@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
>  	"/users_extra",
>  	"/netfilter_contexts",
>  	"/file_contexts.homedirs",
> +	"/disable_dontaudit",
>  };
>  
>  /* A node used in a linked list of file contexts; used for sorting.
> diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
> --- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
> +++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
> @@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
>  	SEMANAGE_USERS_EXTRA,
>  	SEMANAGE_NC,
>  	SEMANAGE_FC_HOMEDIRS,
> +	SEMANAGE_DISABLE_DONTAUDIT,
>  	SEMANAGE_STORE_NUM_PATHS
>  };
>  
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

On 07/07/2009 10:20 AM, Stephen Smalley wrote:
> On Tue, 2009-07-07 at 09:48 -0400, Christopher Pardy wrote:
>> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created the dontaudit rules dont change and errors are set.
>>  
>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> As before:
> 1.  Move the logic to initialize the flag from semanage_handle_create()
> to semanage_direct_connect() after the semanage_access_check() call.
> 2.  Justify why we need to call set_disable_dontaudit_flag() from
> semanage_commit() - it should have been initialized upon connect and can
> only change upon semanage_set_disable_dontaudit() and thus should
> already be correct.  If we truly do need it, move to
> semanage_direct_commit(), but explain why first please - I don't see the
> rationale (better yet, test without it and demonstrate that it doesn't
> work otherwise!).

1. If I do that then the disable_dontaudit handle will not be correctly set when the handle is created and the semanage_get_disable_dontaudit value will be wrong. More importantly it may change when semanage_connect() is called. That behavior would be incorrect.
2. We must call set_disable_dontaudit_flag() following a commit because although the flag will correctly represent the changes made via libsemanage any changes via libsepol will not be reflected. I'll move this call to semanage_direct_commit().

> 
> And your coding style isn't quite right - add a space between if and (,
> between ) and {, and between { and else in
> semanage_set_disable_dontaudit.  And no extraneous whitespace in the
> patch (you add an extra empty line to semanage_handle_create after
> sh->do_reload gets set).
>

I'll fix these up.
 
> Thanks.
> 
>> ---
>>  libsemanage/include/semanage/handle.h |    8 +++++-
>>  libsemanage/src/direct_api.c          |   40 ++++++++++++++++++++++++++++++++++
>>  libsemanage/src/direct_api.h          |    5 ++++
>>  libsemanage/src/handle.c              |   21 ++++++++++++++++-
>>  libsemanage/src/libsemanage.map       |    2 -
>>  libsemanage/src/semanage_store.c      |    1 
>>  libsemanage/src/semanage_store.h      |    1 
>>  7 files changed, 74 insertions(+), 4 deletions(-)
>>
>> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
>> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
>> +++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
>> @@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
>>   * 1 for yes, 0 for no (default) */
>>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>>  
>> -/* Set whether or not to disable dontaudits upon commit */
>> +/*Get whether or not to dontaudits will be disabled upon commit */
>> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
>> +
>> +/* Set whether or not to disable dontaudits upon commit
>> + * Sets errno to 0 if successful. Otherwise sets errno
>> + * to any of the errors specified by fopen,fclose, or remove.
>> + */
>>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>>  
>>  /* Check whether policy is managed via libsemanage on this system.
>> diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
>> --- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
>> +++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 09:19:28.174321784 -0400
>> @@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
>>  	return 0;
>>  }
>>  
>> +/*********Dont audit functions*************/
>> +
>> +/* Creates, removes, and tests for the existance of a dont audit flag.
>> + */
>> +
>> +int get_disable_dontaudit_flag(void)
>> +{
>> +	const char *path;
>> +	
>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
>> +	if(access(path,F_OK) == 0)
>> +		return 1;
>> +	else
>> +		return 0;
>> +}
>> +
>> +int set_disable_dontaudit_flag(int setting)
>> +{
>> +	const char *path;
>> +	int retcode;
>> +
>> +	retcode = 0;
>> +
>> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
>> +	if(setting == 1){
>> +		FILE *touch;
>> +		touch = fopen(path,"w");
>> +		if (touch != NULL)
>> +			if(fclose(touch) != 0)
>> +				retcode = -1;
>> +		else
>> +			retcode = -1;
>> +	}else
>> +		if(remove(path) == -1 && errno != ENOENT)
>> +			retcode = -1
>> +	
>> +	return retcode;
>> +}
>> +
>> +
>>  /********************* utility functions *********************/
>>  
>>  /* Takes a module stored in 'module_data' and parses its headers.
>> diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
>> --- selinux.orig2/libsemanage/src/direct_api.h	2009-07-01 21:15:17.270235734 -0400
>> +++ selinux.orig3/libsemanage/src/direct_api.h	2009-07-07 08:50:24.620326359 -0400
>> @@ -39,6 +39,11 @@ int semanage_direct_access_check(struct 
>>  
>>  int semanage_direct_mls_enabled(struct semanage_handle *sh);
>>  
>> +int get_disable_dontaudit_flag(void);
>> +
>> +/*returns a 0 on success*/
>> +int set_disable_dontaudit_flag(int setting);
>> +
>>  #include <stdio.h>
>>  #include <unistd.h>
>>  ssize_t bunzip(FILE *f, char **data);
>> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
>> --- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
>> +++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 09:44:23.677572218 -0400
>> @@ -23,6 +23,7 @@
>>  
>>  #include <selinux/selinux.h>
>>  
>> +#include <errno.h>
>>  #include <stdarg.h>
>>  #include <assert.h>
>>  #include <stdlib.h>
>> @@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
>>  		goto err;
>>  	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
>>  
>> +	/*set the disable dontaudit flag to system defaults*/
>> +	sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
>> +
>>  	/* By default do not rebuild the policy on commit
>>  	 * If any changes are made, this flag is ignored */
>>  	sh->do_rebuild = 0;
>> @@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
>>  	/* By default always reload policy after commit if SELinux is enabled. */
>>  	sh->do_reload = (is_selinux_enabled() > 0);
>>  
>> +
>>  	/* By default do not create store */
>>  	sh->create_store = 0;
>>  
>> @@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
>>  	return;
>>  }
>>  
>> +int semanage_get_disable_dontaudit(semanage_handle_t * sh)
>> +{
>> +	assert(sh != NULL);
>> +
>> +	return sepol_get_disable_dontaudit(sh->sepolh);
>> +}
>> +
>>  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>>  {
>>  	assert(sh != NULL);
>> +	if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
>> +		sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>> +		errno = 0;
>> +	}else
>> +		ERR(sh,"Could not set disable dontaudit flag of handle.");
>>  	
>> -	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
>>  	return;
>>  }
>>  
>> @@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t * 
>>  	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
>>  	if (!sh->is_in_transaction) {
>>  		ERR(sh,
>> -		    "Will not commit because caller does not have a tranaction lock yet.");
>> +		    "Will not commit because caller does not have a transaction lock yet.");
>>  		return -1;
>>  	}
>> +	set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
>>  	retval = sh->funcs->commit(sh);
>>  	sh->is_in_transaction = 0;
>>  	sh->modules_modified = 0;
>> diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
>> --- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
>> +++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
>> @@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
>>  	  semanage_iface_*; semanage_port_*; semanage_context_*;
>>  	  semanage_node_*;
>>  	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
>> -	  semanage_is_connected; semanage_set_disable_dontaudit;
>> +	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
>>  	  semanage_mls_enabled;
>>    local: *;
>>  };
>> diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
>> --- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
>> +++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
>> @@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
>>  	"/users_extra",
>>  	"/netfilter_contexts",
>>  	"/file_contexts.homedirs",
>> +	"/disable_dontaudit",
>>  };
>>  
>>  /* A node used in a linked list of file contexts; used for sorting.
>> diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
>> --- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
>> +++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
>> @@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
>>  	SEMANAGE_USERS_EXTRA,
>>  	SEMANAGE_NC,
>>  	SEMANAGE_FC_HOMEDIRS,
>> +	SEMANAGE_DISABLE_DONTAUDIT,
>>  	SEMANAGE_STORE_NUM_PATHS
>>  };
>>  


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Tue, 2009-07-07 at 10:41 -0400, Christopher Pardy wrote:
> On 07/07/2009 10:20 AM, Stephen Smalley wrote:
> > On Tue, 2009-07-07 at 09:48 -0400, Christopher Pardy wrote:
> >> Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created the dontaudit rules dont change and errors are set.
> >>  
> >> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> > 
> > As before:
> > 1.  Move the logic to initialize the flag from semanage_handle_create()
> > to semanage_direct_connect() after the semanage_access_check() call.
> > 2.  Justify why we need to call set_disable_dontaudit_flag() from
> > semanage_commit() - it should have been initialized upon connect and can
> > only change upon semanage_set_disable_dontaudit() and thus should
> > already be correct.  If we truly do need it, move to
> > semanage_direct_commit(), but explain why first please - I don't see the
> > rationale (better yet, test without it and demonstrate that it doesn't
> > work otherwise!).
> 
> 1. If I do that then the disable_dontaudit handle will not be
> correctly set when the handle is created and the
> semanage_get_disable_dontaudit value will be wrong. More importantly
> it may change when semanage_connect() is called. That behavior would
> be incorrect.

Why?  semanage_connect() has to be called before you first access the
file store.  No other file in the file store is even read up until that
time.  And, no, it cannot be changed before semanage_connect() is called
- that has to happen before you do anything else.

> 2. We must call set_disable_dontaudit_flag() following a commit
> because although the flag will correctly represent the changes made
> via libsemanage any changes via libsepol will not be reflected. I'll
> move this call to semanage_direct_commit().

The application doesn't get the libsepol handle and can't affect it
directly.  The libsepol handle is private to libsemanage.  It can't
happen.   Really.

You might try listening to the people who have been maintaining the code
for a long time, you know...

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Joshua Brindle]

> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> 
> On Tue, 2009-07-07 at 10:41 -0400, Christopher Pardy wrote:
> > On 07/07/2009 10:20 AM, Stephen Smalley wrote:
> > > On Tue, 2009-07-07 at 09:48 -0400, Christopher Pardy wrote:
> > >> Currently any changes made to the policy which require 
> committing a handle cause dontaudit rules to be disabled. 
> This is confusing, and frustrating for users who want to edit 
> policy with dontaudit rules turned off. This patch allows 
> semanage to remember the last state of the dontaudit rules 
> and apply them as default whenever a handle is created. 
> Additionally other functions may check for the file semanage 
> creates to determine if dontaudit rules are turned on. This 
> knowledge can be useful for tools like SETroubleshoot which 
> may want to change their behavior depending on the state of 
> the dontaudit rules. In the event that a the file cannot be 
> created the dontaudit rules dont change and errors are set.
> > >>  
> > >> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> > > 
> > > As before:
> > > 1.  Move the logic to initialize the flag from 
> > > semanage_handle_create() to semanage_direct_connect() 
> after the semanage_access_check() call.
> > > 2.  Justify why we need to call set_disable_dontaudit_flag() from
> > > semanage_commit() - it should have been initialized upon 
> connect and 
> > > can only change upon semanage_set_disable_dontaudit() and thus 
> > > should already be correct.  If we truly do need it, move to 
> > > semanage_direct_commit(), but explain why first please - 
> I don't see 
> > > the rationale (better yet, test without it and 
> demonstrate that it 
> > > doesn't work otherwise!).
> > 
> > 1. If I do that then the disable_dontaudit handle will not be 
> > correctly set when the handle is created and the 
> > semanage_get_disable_dontaudit value will be wrong. More 
> importantly 
> > it may change when semanage_connect() is called. That 
> behavior would 
> > be incorrect.
> 

Additionally just calling semanage_connect() doesn't give you the
ability to write files, you must start a transaction to get a writable
copy of the store, then the dontaudit_flag can write to the file and
commit will move the temporary store back into place. The resulting
'active' store will have the file set and the policy will have been
rebuilt without dontaudits. The file never needs to leave the store (it
will be private to libsemanage and will require semanage_connect() to be
called before reading the state). 

> Why?  semanage_connect() has to be called before you first 
> access the file store.  No other file in the file store is 
> even read up until that time.  And, no, it cannot be changed 
> before semanage_connect() is called
> - that has to happen before you do anything else.
> 
> > 2. We must call set_disable_dontaudit_flag() following a commit 
> > because although the flag will correctly represent the changes made 
> > via libsemanage any changes via libsepol will not be 
> reflected. I'll 
> > move this call to semanage_direct_commit().
> 

Libsepol isn't used to change the policy by outside applications, it is
used only internally by libsemanage. You shouldn't be calling any
libsepol functions (as Steve says below). Libsepol already has the flag
to remove dontaudits and that flag will be called only by libsemanage,
not by any client application. Libsepol will not be aware of the
disable_dontaudit file nor should it.

> The application doesn't get the libsepol handle and can't 
> affect it directly.  The libsepol handle is private to 
> libsemanage.  It can't
> happen.   Really.
> 
> You might try listening to the people who have been 
> maintaining the code for a long time, you know...
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is connected. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created a call to commit will fail.
  
Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    8 +++++++-
 libsemanage/src/direct_api.c          |   27 +++++++++++++++++++++++++--
 libsemanage/src/handle.c              |    9 ++++++++-
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 6 files changed, 43 insertions(+), 5 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
@@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
-/* Set whether or not to disable dontaudits upon commit */
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
+/* Set whether or not to disable dontaudits upon commit
+ * Sets errno to 0 if successful. Otherwise sets errno
+ * to any of the errors specified by fopen,fclose, or remove.
+ */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
 /* Check whether policy is managed via libsemanage on this system.
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 12:00:22.111349550 -0400
@@ -20,6 +20,7 @@
  */
 
 #include <sepol/module.h>
+#include <sepol/handle.h>
 #include <selinux/selinux.h>
 
 #include <assert.h>
@@ -111,6 +112,7 @@ int semanage_direct_is_managed(semanage_
 int semanage_direct_connect(semanage_handle_t * sh)
 {
 	char polpath[PATH_MAX];
+	const char *path;
 
 	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
 		 sh->conf->store_path);
@@ -223,6 +225,13 @@ int semanage_direct_connect(semanage_han
 	if (bool_activedb_dbase_init(sh, semanage_bool_dbase_active(sh)) < 0)
 		goto err;
 
+	/* set the disable dontaudit value */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		sepol_set_disable_dontaudit(sh->sepolh,1);
+	else
+		sepol_set_disable_dontaudit(sh->sepolh,0);
+
 	return STATUS_SUCCESS;
 
       err:
@@ -641,11 +650,11 @@ static int semanage_direct_update_seuser
  * Returns commit number on success, -1 on error.
  */
 static int semanage_direct_commit(semanage_handle_t * sh)
-{
+{	
 	char **mod_filenames = NULL;
 	char *sorted_fc_buffer = NULL, *sorted_nc_buffer = NULL;
 	size_t sorted_fc_buffer_len = 0, sorted_nc_buffer_len = 0;
-	const char *linked_filename = NULL, *ofilename = NULL;
+	const char *linked_filename = NULL, *ofilename = NULL, *path;
 	sepol_module_package_t *base = NULL;
 	int retval = -1, num_modfiles = 0, i;
 	sepol_policydb_t *out = NULL;
@@ -669,6 +678,20 @@ static int semanage_direct_commit(semana
 	dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
 	dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
 
+	/* Immediently create the disable_dontaudit flag */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL)
+			if(fclose(touch) != 0)
+				goto cleanup;
+		else
+			goto cleanup;
+	} else
+		if (remove(path) == -1 && errno != ENOENT)
+			goto cleanup;
+
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
 	if (users->dtable->is_modified(users->dbase)) {
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 12:05:02.964347072 -0400
@@ -110,6 +110,13 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
@@ -264,7 +271,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v4] libsemanage: maintain disable dontaudit state between handle commits

[Stephen Smalley]

On Tue, 2009-07-07 at 12:07 -0400, Christopher Pardy wrote:
> Currently any changes made to the policy which require committing a
> handle cause dontaudit rules to be disabled.

I think you mean "re-enable dontaudit rules even if they were previously
disabled."

>  This is confusing, and frustrating for users who want to edit policy
> with dontaudit rules turned off. This patch allows semanage to
> remember the last state of the dontaudit rules and apply them as
> default whenever a handle is connected. Additionally other functions
> may check for the file semanage creates to determine if dontaudit
> rules are turned on.

Just to be clear:  anything outside of libsemanage must use
semanage_get_disable_dontaudit() to test for the flag, not directly test
for the existence of the file, as the policy store is private to
libsemanage.

>  This knowledge can be useful for tools like SETroubleshoot which may
> want to change their behavior depending on the state of the dontaudit
> rules. In the event that a the file cannot be created a call to commit
> will fail.
>   
> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
> 
> ---
>  libsemanage/include/semanage/handle.h |    8 +++++++-
>  libsemanage/src/direct_api.c          |   27 +++++++++++++++++++++++++--
>  libsemanage/src/handle.c              |    9 ++++++++-
>  libsemanage/src/libsemanage.map       |    2 +-
>  libsemanage/src/semanage_store.c      |    1 +
>  libsemanage/src/semanage_store.h      |    1 +
>  6 files changed, 43 insertions(+), 5 deletions(-)
> 
> 
> diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
> --- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
> +++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 09:37:35.888570766 -0400
> @@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
>   * 1 for yes, 0 for no (default) */
>  void semanage_set_create_store(semanage_handle_t * handle, int create_store);
>  
> -/* Set whether or not to disable dontaudits upon commit */
> +/*Get whether or not to dontaudits will be disabled upon commit */
> +int semanage_get_disable_dontaudit(semanage_handle_t * handle);
> +
> +/* Set whether or not to disable dontaudits upon commit
> + * Sets errno to 0 if successful. Otherwise sets errno
> + * to any of the errors specified by fopen,fclose, or remove.

The errno discussion is no longer relevant here and can be removed.

> + */
>  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
>  
>  /* Check whether policy is managed via libsemanage on this system.
> diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
> --- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
> +++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 12:00:22.111349550 -0400
> @@ -641,11 +650,11 @@ static int semanage_direct_update_seuser
>   * Returns commit number on success, -1 on error.
>   */
>  static int semanage_direct_commit(semanage_handle_t * sh)
> -{
> +{

Extraneous whitespace.   Try using checkpatch.pl.
	
> @@ -669,6 +678,20 @@ static int semanage_direct_commit(semana
>  	dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
>  	dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
>  
> +	/* Immediently create the disable_dontaudit flag */
> +	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
> +	if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
> +		FILE *touch;
> +		touch = fopen(path,"w");
> +		if (touch != NULL)
> +			if(fclose(touch) != 0)
> +				goto cleanup;
> +		else
> +			goto cleanup;

I think we still want an ERR() call here to let us know why it failed.
> +	} else
> +		if (remove(path) == -1 && errno != ENOENT)
> +			goto cleanup;

And likewise here.

Otherwise, looks good to me.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 2/2 v6] libsemanage: maintain disable dontaudit state between handle commits

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 6936 bytes --]

Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is connected. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created a call to commit will fail.
   
Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 libsemanage/include/semanage/handle.h |    3 +++
 libsemanage/src/direct_api.c          |   32 +++++++++++++++++++++++++++++++-
 libsemanage/src/handle.c              |    9 ++++++++-
 libsemanage/src/libsemanage.map       |    2 +-
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 6 files changed, 45 insertions(+), 3 deletions(-)


diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 13:27:46.543350374 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 13:26:25.135320503 -0400
@@ -20,6 +20,7 @@
  */
 
 #include <sepol/module.h>
+#include <sepol/handle.h>
 #include <selinux/selinux.h>
 
 #include <assert.h>
@@ -111,6 +112,7 @@ int semanage_direct_is_managed(semanage_
 int semanage_direct_connect(semanage_handle_t * sh)
 {
 	char polpath[PATH_MAX];
+	const char *path;
 
 	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
 		 sh->conf->store_path);
@@ -223,6 +225,13 @@ int semanage_direct_connect(semanage_han
 	if (bool_activedb_dbase_init(sh, semanage_bool_dbase_active(sh)) < 0)
 		goto err;
 
+	/* set the disable dontaudit value */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		sepol_set_disable_dontaudit(sh->sepolh,1);
+	else
+		sepol_set_disable_dontaudit(sh->sepolh,0);
+
 	return STATUS_SUCCESS;
 
       err:
@@ -645,7 +654,7 @@ static int semanage_direct_commit(semana
 	char **mod_filenames = NULL;
 	char *sorted_fc_buffer = NULL, *sorted_nc_buffer = NULL;
 	size_t sorted_fc_buffer_len = 0, sorted_nc_buffer_len = 0;
-	const char *linked_filename = NULL, *ofilename = NULL;
+	const char *linked_filename = NULL, *ofilename = NULL, *path;
 	sepol_module_package_t *base = NULL;
 	int retval = -1, num_modfiles = 0, i;
 	sepol_policydb_t *out = NULL;
@@ -669,6 +678,27 @@ static int semanage_direct_commit(semana
 	dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
 	dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
 
+	/* Immediently create the disable_dontaudit flag */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL) {
+			if (fclose(touch) != 0) {
+				ERR(sh,"Error attempting to create disable_dontaudit flag.");
+				goto cleanup;
+			}
+		} else {
+			ERR(sh,"Error attempting to create disable_dontaudit flag.");
+			goto cleanup;
+		}
+	} else {
+		if (remove(path) == -1 && errno != ENOENT) {
+			ERR(sh,"Error removing the disable_dontaudit flag.");
+			goto cleanup;
+		}
+	}
+
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
 	if (users->dtable->is_modified(users->dbase)) {
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 12:05:02.964347072 -0400
@@ -110,6 +110,13 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
@@ -264,7 +271,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };

[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 5806 bytes --]

diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h	2009-07-07 13:27:46.543350374 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c	2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c	2009-07-07 13:26:25.135320503 -0400
@@ -20,6 +20,7 @@
  */
 
 #include <sepol/module.h>
+#include <sepol/handle.h>
 #include <selinux/selinux.h>
 
 #include <assert.h>
@@ -111,6 +112,7 @@ int semanage_direct_is_managed(semanage_
 int semanage_direct_connect(semanage_handle_t * sh)
 {
 	char polpath[PATH_MAX];
+	const char *path;
 
 	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
 		 sh->conf->store_path);
@@ -223,6 +225,13 @@ int semanage_direct_connect(semanage_han
 	if (bool_activedb_dbase_init(sh, semanage_bool_dbase_active(sh)) < 0)
 		goto err;
 
+	/* set the disable dontaudit value */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if(access(path,F_OK) == 0)
+		sepol_set_disable_dontaudit(sh->sepolh,1);
+	else
+		sepol_set_disable_dontaudit(sh->sepolh,0);
+
 	return STATUS_SUCCESS;
 
       err:
@@ -645,7 +654,7 @@ static int semanage_direct_commit(semana
 	char **mod_filenames = NULL;
 	char *sorted_fc_buffer = NULL, *sorted_nc_buffer = NULL;
 	size_t sorted_fc_buffer_len = 0, sorted_nc_buffer_len = 0;
-	const char *linked_filename = NULL, *ofilename = NULL;
+	const char *linked_filename = NULL, *ofilename = NULL, *path;
 	sepol_module_package_t *base = NULL;
 	int retval = -1, num_modfiles = 0, i;
 	sepol_policydb_t *out = NULL;
@@ -669,6 +678,27 @@ static int semanage_direct_commit(semana
 	dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
 	dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
 
+	/* Immediently create the disable_dontaudit flag */
+	path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+	if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
+		FILE *touch;
+		touch = fopen(path,"w");
+		if (touch != NULL) {
+			if (fclose(touch) != 0) {
+				ERR(sh,"Error attempting to create disable_dontaudit flag.");
+				goto cleanup;
+			}
+		} else {
+			ERR(sh,"Error attempting to create disable_dontaudit flag.");
+			goto cleanup;
+		}
+	} else {
+		if (remove(path) == -1 && errno != ENOENT) {
+			ERR(sh,"Error removing the disable_dontaudit flag.");
+			goto cleanup;
+		}
+	}
+
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
 	if (users->dtable->is_modified(users->dbase)) {
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c	2009-07-07 12:05:02.964347072 -0400
@@ -110,6 +110,13 @@ void semanage_set_create_store(semanage_
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
@@ -264,7 +271,7 @@ int semanage_commit(semanage_handle_t * 
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map	2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c	2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c	2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
 	"/users_extra",
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
+	"/disable_dontaudit",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h	2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h	2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_USERS_EXTRA,
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
+	SEMANAGE_DISABLE_DONTAUDIT,
 	SEMANAGE_STORE_NUM_PATHS
 };
 

[Patch 3/2] semodule: maintain old functionality

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 961 bytes --]

Patch for semodule command
semodule -B
Will now turn on dontaudit rules
semodule -DB
Will turn off dontaudit rules.
With other patch all other semanage commands will maintain state.

Created by Dan Walsh

Signed-off-by: Christopher Pardy <cpardy@redhat.com>
---
 semodule/semodule.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff -up policycoreutils-2.0.64/semodule/semodule.c~ policycoreutils-2.0.64/semodule/semodule.c
--- policycoreutils-2.0.64/semodule/semodule.c~	2009-06-23 15:36:25.000000000 -0400
+++ policycoreutils-2.0.64/semodule/semodule.c	2009-07-01 13:34:42.027229000 -0400
@@ -417,8 +418,10 @@ int main(int argc, char *argv[])
 			printf("Committing changes:\n");
 		if (no_reload)
 			semanage_set_reload(sh, 0);
-		if (build)
+		if (build) {
+			semanage_set_disable_dontaudit(sh, 0);
 			semanage_set_rebuild(sh, 1);
+		}
 		if (disable_dontaudit)
 			semanage_set_disable_dontaudit(sh, 1);
 		result = semanage_commit(sh);

[-- Attachment #2: policycoreutils-dontaudit.patch --]
[-- Type: text/plain, Size: 618 bytes --]

diff -up policycoreutils-2.0.64/semodule/semodule.c~ policycoreutils-2.0.64/semodule/semodule.c
--- policycoreutils-2.0.64/semodule/semodule.c~	2009-06-23 15:36:25.000000000 -0400
+++ policycoreutils-2.0.64/semodule/semodule.c	2009-07-01 13:34:42.027229000 -0400
@@ -417,8 +418,10 @@ int main(int argc, char *argv[])
 			printf("Committing changes:\n");
 		if (no_reload)
 			semanage_set_reload(sh, 0);
-		if (build)
+		if (build) {
+			semanage_set_disable_dontaudit(sh, 0);
 			semanage_set_rebuild(sh, 1);
+		}
 		if (disable_dontaudit)
 			semanage_set_disable_dontaudit(sh, 1);
 		result = semanage_commit(sh);

Re: [Patch 3/2] semodule: maintain old functionality

[Joshua Brindle]

Christopher Pardy wrote:
> Patch for semodule command
> semodule -B
> Will now turn on dontaudit rules
> semodule -DB
> Will turn off dontaudit rules.
> With other patch all other semanage commands will maintain state.
>
> Created by Dan Walsh
>
> Signed-off-by: Christopher Pardy<cpardy@redhat.com>
> ---
>   semodule/semodule.c |    4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff -up policycoreutils-2.0.64/semodule/semodule.c~ policycoreutils-2.0.64/semodule/semodule.c
> --- policycoreutils-2.0.64/semodule/semodule.c~	2009-06-23 15:36:25.000000000 -0400
> +++ policycoreutils-2.0.64/semodule/semodule.c	2009-07-01 13:34:42.027229000 -0400
> @@ -417,8 +418,10 @@ int main(int argc, char *argv[])
>   			printf("Committing changes:\n");
>   		if (no_reload)
>   			semanage_set_reload(sh, 0);
> -		if (build)
> +		if (build) {
> +			semanage_set_disable_dontaudit(sh, 0);
>   			semanage_set_rebuild(sh, 1);
> +		}
>   		if (disable_dontaudit)
>   			semanage_set_disable_dontaudit(sh, 1);
>   		result = semanage_commit(sh);

I don't like this, it is non-obvious. Eg., if set dontaudit and rebuild it will 
first set disable_dontaudit to 0 and then immediately after set it to 1. Can you 
rework these if statements to make it more obvious what is going on?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[Patch 3/2 v2] semodule: maintain old functionality

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 882 bytes --]

Patch for semodule command
semodule -B
Will now turn on dontaudit rules
semodule -DB
Will turn off dontaudit rules.
With other patch all other semanage commands will maintain state.
 
Created by Dan Walsh
 
Signed-off-by: Christopher Pardy <cpardy@redhat.com>

---
 policycoreutils/semodule/semodule.c |    3 +++
 1 file changed, 3 insertions(+)

diff -urpN selinux.orig3/policycoreutils/semodule/semodule.c selinux/policycoreutils/semodule/semodule.c
--- selinux.orig3/policycoreutils/semodule/semodule.c	2009-07-06 13:26:25.802165404 -0400
+++ selinux/policycoreutils/semodule/semodule.c	2009-07-06 13:58:22.572415382 -0400
@@ -421,6 +421,9 @@ int main(int argc, char *argv[])
 			semanage_set_rebuild(sh, 1);
 		if (disable_dontaudit)
 			semanage_set_disable_dontaudit(sh, 1);
+		else if(build)
+			semanage_set_disable_dontaudit(sh,0);
+
 		result = semanage_commit(sh);
 	}
 

[-- Attachment #2: selinux.patch3 --]
[-- Type: text/plain, Size: 535 bytes --]

diff -urpN selinux.orig3/policycoreutils/semodule/semodule.c selinux/policycoreutils/semodule/semodule.c
--- selinux.orig3/policycoreutils/semodule/semodule.c	2009-07-06 13:26:25.802165404 -0400
+++ selinux/policycoreutils/semodule/semodule.c	2009-07-06 13:58:22.572415382 -0400
@@ -421,6 +421,9 @@ int main(int argc, char *argv[])
 			semanage_set_rebuild(sh, 1);
 		if (disable_dontaudit)
 			semanage_set_disable_dontaudit(sh, 1);
+		else if(build)
+			semanage_set_disable_dontaudit(sh,0);
+
 		result = semanage_commit(sh);
 	}
 

Re: [Patch 2/2] libsemanage, libselinux: Get don't audit settings from handle and remember settings after commit.

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 5886 bytes --]

Fixed location of file, removed hiddendef and hiddenproto.
This patch provide an libselinux call to check if dontaudit rules are 
disabled after rebuilding policy. It also includes a libsemange call to 
check if dontaudit rules will be disabled after policy rebuild. This 
functionality is required firstly by administrators who wish to know if 
dontaudit rules are disabled, secondly by programs which  will 
manipulate this data and may want to check it's settings.

Signed-off-by Christopher Pardy <cpardy@redhat.com>


diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h

--- selinux.orig2/libselinux/include/selinux/selinux.h    2009-07-01 21:15:17.009238289 -0400

+++ selinux/libselinux/include/selinux/selinux.h    2009-07-01 21:44:57.264509874 -0400

@@ -8,6 +8,9 @@

  extern "C" {

  #endif

  

+/* Return 1 if the dont audit rules have been turned off or 0 if not. */

+extern int is_dontaudit_disabled(void);

+

  /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */

  extern int is_selinux_enabled(void);

  /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */

diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c

--- selinux.orig2/libselinux/src/dontaudit.c    1969-12-31 19:00:00.000000000 -0500

+++ selinux/libselinux/src/dontaudit.c    2009-07-01 21:48:48.635521208 -0400

@@ -0,0 +1,21 @@

+#include<unistd.h>

+#include<selinux/selinux.h>

+#include "selinux_internal.h"

+#include<stdlib.h>

+#include<limits.h>

+#include<stdarg.h>

+#include<stdio.h>

+#include<string.h>

+

+int is_dontaudit_disabled(void)

+{

+    char path[PATH_MAX];

+    snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());

+

+    if (access(path,F_OK) == 0)

+        return 1;

+    else

+        return 0;

+}

+

+hidden_def(is_dontaudit_disabled)

diff -urN selinux.orig2/libselinux/src/selinux_internal.h selinux/libselinux/src/selinux_internal.h

--- selinux.orig2/libselinux/src/selinux_internal.h    2009-07-01 21:15:17.074235819 -0400

+++ selinux/libselinux/src/selinux_internal.h    2009-07-01 21:44:57.272486689 -0400

@@ -24,6 +24,7 @@

      hidden_proto(security_compute_create_raw)

      hidden_proto(security_compute_member_raw)

      hidden_proto(security_compute_relabel_raw)

+    hidden_proto(is_dontaudit_disabled)

      hidden_proto(is_selinux_enabled)

      hidden_proto(is_selinux_mls_enabled)

      hidden_proto(freecon)

diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h

--- selinux.orig2/libsemanage/include/semanage/handle.h    2009-07-01 21:15:17.224235939 -0400

+++ selinux/libsemanage/include/semanage/handle.h    2009-07-01 21:44:57.274484577 -0400

@@ -69,6 +69,9 @@

   * 1 for yes, 0 for no (default) */

  void semanage_set_create_store(semanage_handle_t * handle, int create_store);

  

+/*Get whether or not to dontaudits will be disabled upon commit */

+int semanage_get_disable_dontaudit(semanage_handle_t * handle);

+

  /* Set whether or not to disable dontaudits upon commit */

  void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);

  

diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c

--- selinux.orig2/libsemanage/src/handle.c    2009-07-01 21:15:17.288238017 -0400

+++ selinux/libsemanage/src/handle.c    2009-07-01 21:55:04.525487189 -0400

@@ -29,6 +29,7 @@

  #include<stdio.h>

  #include<string.h>

  #include<sys/time.h>

+#include<limits.h>

  

  #include "direct_api.h"

  #include "handle.h"

@@ -58,6 +59,9 @@

      if (!sh->sepolh)

          goto err;

      sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);

+

+    /* Set the disable_dont audit to the system default */

+    semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());

  

      /* By default do not rebuild the policy on commit

       * If any changes are made, this flag is ignored */

@@ -110,6 +114,14 @@

      return;

  }

  

+int semanage_get_disable_dontaudit(semanage_handle_t * sh)

+{

+    assert(sh != NULL);

+

+    return sepol_get_disable_dontaudit(sh->sepolh);

+}

+

+

  void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)

  {

      assert(sh != NULL);

@@ -264,11 +276,22 @@

      assert(sh != NULL&&  sh->funcs != NULL&&  sh->funcs->commit != NULL);

      if (!sh->is_in_transaction) {

          ERR(sh,

-            "Will not commit because caller does not have a tranaction lock yet.");

+            "Will not commit because caller does not have a transaction lock yet.");

          return -1;

      }

      retval = sh->funcs->commit(sh);

      sh->is_in_transaction = 0;

      sh->modules_modified = 0;

+    if (retval == 0){

+        char path[PATH_MAX];

+        snprintf(path,PATH_MAX,"%s/disable_dontaudit",selinux_policy_root());

+        if(semanage_get_disable_dontaudit(sh) == 1){

+            FILE *touch;

+            touch = fopen(path,"w");

+            fclose(touch);

+        }else{

+            remove(path);

+        }

+    }

      return retval;

  }

diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map

--- selinux.orig2/libsemanage/src/libsemanage.map    2009-07-01 21:15:17.290237650 -0400

+++ selinux/libsemanage/src/libsemanage.map    2009-07-01 21:44:57.278485521 -0400

@@ -15,7 +15,7 @@

        semanage_iface_*; semanage_port_*; semanage_context_*;

        semanage_node_*;

        semanage_fcontext_*; semanage_access_check; semanage_set_create_store;

-      semanage_is_connected; semanage_set_disable_dontaudit;

+      semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;

        semanage_mls_enabled;

    local: *;

  };


[-- Attachment #2: selinux.patch2 --]
[-- Type: text/plain, Size: 4361 bytes --]

diff -urN selinux.orig2/libselinux/include/selinux/selinux.h selinux/libselinux/include/selinux/selinux.h
--- selinux.orig2/libselinux/include/selinux/selinux.h	2009-07-01 21:15:17.009238289 -0400
+++ selinux/libselinux/include/selinux/selinux.h	2009-07-01 21:44:57.264509874 -0400
@@ -8,6 +8,9 @@
 extern "C" {
 #endif
 
+/* Return 1 if the dont audit rules have been turned off or 0 if not. */
+extern int is_dontaudit_disabled(void);
+
 /* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
 extern int is_selinux_enabled(void);
 /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
diff -urN selinux.orig2/libselinux/src/dontaudit.c selinux/libselinux/src/dontaudit.c
--- selinux.orig2/libselinux/src/dontaudit.c	1969-12-31 19:00:00.000000000 -0500
+++ selinux/libselinux/src/dontaudit.c	2009-07-01 21:48:48.635521208 -0400
@@ -0,0 +1,21 @@
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include "selinux_internal.h"
+#include <stdlib.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+int is_dontaudit_disabled(void)
+{
+	char path[PATH_MAX];
+	snprintf(path,PATH_MAX,"%s/modules/disable_dontaudit",selinux_policy_root());
+
+	if (access(path,F_OK) == 0)
+		return 1;
+	else
+		return 0;
+}
+
diff -urN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h	2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h	2009-07-01 21:44:57.274484577 -0400
@@ -69,6 +69,9 @@
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
 /* Set whether or not to disable dontaudits upon commit */
 void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
 
diff -urN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c	2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c	2009-07-01 21:55:04.525487189 -0400
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/time.h>
+#include <limits.h>
 
 #include "direct_api.h"
 #include "handle.h"
@@ -58,6 +59,9 @@
 	if (!sh->sepolh)
 		goto err;
 	sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+	
+	/* Set the disable_dont audit to the system default */
+	semanage_set_disable_dontaudit(sh,is_dontaudit_disabled());
 
 	/* By default do not rebuild the policy on commit
 	 * If any changes are made, this flag is ignored */
@@ -110,6 +114,14 @@
 	return;
 }
 
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+
+	return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
+
 void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
 {
 	assert(sh != NULL);
@@ -264,11 +276,22 @@
 	assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
 	if (!sh->is_in_transaction) {
 		ERR(sh,
-		    "Will not commit because caller does not have a tranaction lock yet.");
+		    "Will not commit because caller does not have a transaction lock yet.");
 		return -1;
 	}
 	retval = sh->funcs->commit(sh);
 	sh->is_in_transaction = 0;
 	sh->modules_modified = 0;
+	if (retval == 0){
+		char path[PATH_MAX];
+		snprintf(path,PATH_MAX,"%s/modules/disable_dontaudit",selinux_policy_root());
+		if(semanage_get_disable_dontaudit(sh) == 1){
+			FILE *touch;
+			touch = fopen(path,"w");
+			fclose(touch);
+		}else{
+			remove(path);
+		}
+	}
 	return retval;
 }
diff -urN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map	2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map	2009-07-01 21:44:57.278485521 -0400
@@ -15,7 +15,7 @@
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
-	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
   local: *;
 };

Re: Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Wed, 2009-07-01 at 22:08 -0400, Christopher Pardy wrote:
> This is a heavily modified version of the patch I recently submitted. It 
> provides 3 new functions: in libsepol sepol_get_disable_dontaudit; in 
> libsemanage semanage_get_disable_dontaudit; in libselinux 
> is_dontaudit_disabled. It also fixes issues with the previous patch.
> 
> The justification for this patch is the same as the one I posted 
> earlier. Simply, there is currently no way to know if dontaudit rules 
> are  enabled. Additionally once don't audit rules are turned they turn 
> themselves off after policy rebuild (is that the desired functionality?) 

semodule -DB should still strip dontaudit rules from the policy, and
semodule -B should still restore them.  The only thing that should
change IIUC is that semodule -DB should persist across any other
semodule or semanage operations other than semodule -B.

> This patch provides  a way to check on both the current and pending 
> state of the dontaudit rules and it maintains this state between policy 
> rebuilds.
> 
> Signed-off-by Christopher Pardy <cpardy@redhat.com>
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Patch 0/2] libsemanage: remember and retrieve dontaudit settings

[Christopher Pardy]

[-- Attachment #1: Type: text/plain, Size: 1682 bytes --]

On 07/02/2009 08:33 AM, Stephen Smalley wrote:
> On Wed, 2009-07-01 at 22:08 -0400, Christopher Pardy wrote:
>    
>> This is a heavily modified version of the patch I recently submitted. It
>> provides 3 new functions: in libsepol sepol_get_disable_dontaudit; in
>> libsemanage semanage_get_disable_dontaudit; in libselinux
>> is_dontaudit_disabled. It also fixes issues with the previous patch.
>>
>> The justification for this patch is the same as the one I posted
>> earlier. Simply, there is currently no way to know if dontaudit rules
>> are  enabled. Additionally once don't audit rules are turned they turn
>> themselves off after policy rebuild (is that the desired functionality?)
>>      
>
> semodule -DB should still strip dontaudit rules from the policy, and
> semodule -B should still restore them.  The only thing that should
> change IIUC is that semodule -DB should persist across any other
> semodule or semanage operations other than semodule -B.
>
>    
See Dan Walsh's patch to policycoreutils for this functionality. I need 
the functionality I'm creating with this persistence in some gui work 
I'm doing and I believe it's much more intuitive if things stay turned 
off till they're turned back on.
>> This patch provides  a way to check on both the current and pending
>> state of the dontaudit rules and it maintains this state between policy
>> rebuilds.
>>
>> Signed-off-by Christopher Pardy<cpardy@redhat.com>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>      


[-- Attachment #2: Type: text/html, Size: 2401 bytes --]

Re: Re:[Patch 0/2] libsemanage: remember and retrieve dontaudit settings

[Stephen Smalley]

On Wed, 2009-07-01 at 22:08 -0400, Christopher Pardy wrote:
> This is a heavily modified version of the patch I recently submitted. It 
> provides 3 new functions: in libsepol sepol_get_disable_dontaudit; in 
> libsemanage semanage_get_disable_dontaudit; in libselinux 
> is_dontaudit_disabled. It also fixes issues with the previous patch.
> 
> The justification for this patch is the same as the one I posted 
> earlier. Simply, there is currently no way to know if dontaudit rules 
> are  enabled. Additionally once don't audit rules are turned they turn 
> themselves off after policy rebuild (is that the desired functionality?) 
> This patch provides  a way to check on both the current and pending 
> state of the dontaudit rules and it maintains this state between policy 
> rebuilds.
> 
> Signed-off-by Christopher Pardy <cpardy@redhat.com>

patch 0/N is generally discouraged these days - just incorporate the
relevant description into the actual patch descriptions instead (which
you also did, but no need to post it separately then).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: [Patch] libsemanage: remember and retrieve dontaudit settings]

[Joshua Brindle]

Daniel J Walsh wrote:
> On 07/01/2009 09:32 AM, Christopher Pardy wrote:
>> Creates a empty file disable_dontaudit in the polciy directory
>> (/etc/selinux/<policytype>). Checks for the existance of this file to
>> set the sepol disable don't audit upon handle creation. Also provides
>> the function "int semanage_get_disable_dontaudit()" which returns the
>> don't audit property of the current policy.
>>
>> Signed-off-by: Christopher Pardy <cpardy@redhat.com>
>
> Better version of patch.

Inline preferred.

Anyway, if this is going to be set by tools and not people it should be in the 
module store, not the root of the selinux config directory.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.