* analysing optional policy
From: Russell Coker @ 2010-11-26 9:55 UTC (permalink / raw)
To: SE-Linux
I'm having a problem with optional policy not being used when I think it
should.
Is it possible to use apol to get information on optional policy for .pp files
so I can try to work out why it doesn't get enabled?
unconfined_run_to(depmod_t, depmod_exec_t)
In the Debian policy I have the above in an optional section of base.pp but
for reasons that I don't understand it's not being loaded (both tests and
running apol on policy.24 show this).
I've inspected the contents of base.conf and they appear to be OK.
Any suggestions of other tools to analyse this will be appreciated.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: analysing optional policy
From: James Carter @ 2010-11-30 15:36 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
> I'm having a problem with optional policy not being used when I think it
> should.
>
> Is it possible to use apol to get information on optional policy for .pp files
> so I can try to work out why it doesn't get enabled?
>
> unconfined_run_to(depmod_t, depmod_exec_t)
>
> In the Debian policy I have the above in an optional section of base.pp but
> for reasons that I don't understand it's not being loaded (both tests and
> running apol on policy.24 show this).
>
> I've inspected the contents of base.conf and they appear to be OK.
>
> Any suggestions of other tools to analyse this will be appreciated.
>
Is this with the policy found in
selinux-policy-src_0.2.20100524-4_all.deb? I don't see
unconfined_run_to being used in that policy.
It looks like modutils is part of base, so depmod_t and depmod_exec_t
should be defined. But there is a requires statement at the top of
modutils for "bool secure_mode_insmod". Is secure_mode_insmod in the
policy?
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: analysing optional policy
From: Dominick Grift @ 2010-11-30 16:45 UTC (permalink / raw)
To: selinux
On 11/30/2010 04:36 PM, James Carter wrote:
> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
>> I'm having a problem with optional policy not being used when I think it
>> should.
>>
>> Is it possible to use apol to get information on optional policy for .pp files
>> so I can try to work out why it doesn't get enabled?
>>
>> unconfined_run_to(depmod_t, depmod_exec_t)
>>
>> In the Debian policy I have the above in an optional section of base.pp but
>> for reasons that I don't understand it's not being loaded (both tests and
>> running apol on policy.24 show this).
>>
>> I've inspected the contents of base.conf and they appear to be OK.
>>
>> Any suggestions of other tools to analyse this will be appreciated.
This may not be applicable here but do double check the module. I have
experienced similar issues where optional policy blocks were not loaded,
without any errors shown. I remember once requiring a type that did not
exist. Compiler did not complain but some particular policy was not loaded.
When this happens to me, i check syntax of all policy, check that all
used types exist and that there are no typos in types and other policy
in the particular module (in this case modutils and or unconfined). In
my experience it is usually due to a syntax error or some other error in
the module.
Other issues i have had with optional policy is for example attributes
not being within scope or incorrectly nesting of optional policy.
But, i believe in both latter cases, the compiler or installer will
complain about duplicate declaration or not within scope.
So in my experience, i suspect there is an error in your policy that the
compiler did not catch.
What may help troubleshoot your issue is to try compiling and loading
the policy without the optional tags. In some cases that may expose
errors.
These issues suck and can take ages to track down. The compiler is often
not very helpful in these instances either.
Basically all you can do is keep checking the involved modules for any
errors i believe.
I have been fighting with optional policy for quite some time, and i
have blamed optional policy for a lot of things. But since i figured out
how it works and how to nest optional policy i found out that it
actually makes sense. It can be complicated but usually not with
confining the system layer. When confining the user space, then nesting
optional policy becomes a big issue.
>
> Is this with the policy found in
> selinux-policy-src_0.2.20100524-4_all.deb? I don't see
> unconfined_run_to being used in that policy.
>
> It looks like modutils is part of base, so depmod_t and depmod_exec_t
> should be defined. But there is a requires statement at the top of
> modutils for "bool secure_mode_insmod". Is secure_mode_insmod in the
> policy?
>
* Re: analysing optional policy
From: James Carter @ 2010-11-30 18:11 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
On Tue, 2010-11-30 at 17:45 +0100, Dominick Grift wrote:
> On 11/30/2010 04:36 PM, James Carter wrote:
> > On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
> >> I'm having a problem with optional policy not being used when I think it
> >> should.
> >>
> >> Is it possible to use apol to get information on optional policy for .pp files
> >> so I can try to work out why it doesn't get enabled?
> >>
> >> unconfined_run_to(depmod_t, depmod_exec_t)
> >>
> >> In the Debian policy I have the above in an optional section of base.pp but
> >> for reasons that I don't understand it's not being loaded (both tests and
> >> running apol on policy.24 show this).
> >>
> >> I've inspected the contents of base.conf and they appear to be OK.
> >>
> >> Any suggestions of other tools to analyse this will be appreciated.
>
> This may not be applicable here but do double check the module. I have
> experienced similar issues where optional policy blocks were not loaded,
> without any errors shown.
Not being defined is not an error in an optional block, it just means
the optional block is not to be used.
It is expected that there will be a lot of unused optional blocks if
only some modules are being used. Reporting everything not defined
would not be helpful in this case.
This behavior of silently removing optional blocks can, however, cause
real errors to be missed.
> I remember once requiring a type that did not
> exist. Compiler did not complain but some particular policy was not loaded.
>
> When this happens to me, i check syntax of all policy, check that all
> used types exist and that there are no typos in types and other policy
> in the particular module (in this case modutils and or unconfined). In
> my experience it is usually due to a syntax error or some other error in
> the module.
>
> Other issues i have had with optional policy is for example attributes
> not being within scope or incorrectly nesting of optional policy.
>
> But, i believe in both latter cases, the compiler or installer will
> complain about duplicate declaration or not within scope.
>
> So in my experience, i suspect there is an error in your policy that the
> compiler did not catch.
>
> What may help troubleshoot your issue is to try compiling and loading
> the policy without the optional tags. In some cases that may expose
> errors.
>
> These issues suck and can take ages to track down. The compiler is often
> not very helpful in these instances either.
>
> Basically all you can do is keep checking the involved modules for any
> errors i believe.
>
> I have been fighting with optional policy for quite some time, and i
> have blamed optional policy for a lot of things. But since i figured out
> how it works and how to nest optional policy i found out that it
> actually makes sense. It can be complicated but usually not with
> confining the system layer. When confining the user space, then nesting
> optional policy becomes a big issue.
>
> >
> > Is this with the policy found in
> > selinux-policy-src_0.2.20100524-4_all.deb? I don't see
> > unconfined_run_to being used in that policy.
> >
> > It looks like modutils is part of base, so depmod_t and depmod_exec_t
> > should be defined. But there is a requires statement at the top of
> > modutils for "bool secure_mode_insmod". Is secure_mode_insmod in the
> > policy?
> >
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: analysing optional policy
From: Dominick Grift @ 2010-11-30 18:26 UTC (permalink / raw)
To: selinux
On 11/30/2010 07:11 PM, James Carter wrote:
> On Tue, 2010-11-30 at 17:45 +0100, Dominick Grift wrote:
> On 11/30/2010 04:36 PM, James Carter wrote:
>>>> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
>>>>> I'm having a problem with optional policy not being used when I think it
>>>>> should.
>>>>>
>>>>> Is it possible to use apol to get information on optional policy for .pp files
>>>>> so I can try to work out why it doesn't get enabled?
>>>>>
>>>>> unconfined_run_to(depmod_t, depmod_exec_t)
>>>>>
>>>>> In the Debian policy I have the above in an optional section of base.pp but
>>>>> for reasons that I don't understand it's not being loaded (both tests and
>>>>> running apol on policy.24 show this).
>>>>>
>>>>> I've inspected the contents of base.conf and they appear to be OK.
>>>>>
>>>>> Any suggestions of other tools to analyse this will be appreciated.
>
> This may not be applicable here but do double check the module. I have
> experienced similar issues where optional policy blocks were not loaded,
> without any errors shown.
>
>> Not being defined is not an error in an optional block, it just means
>> the optional block is not to be used.
>
>> It is expected that there will be a lot of unused optional blocks if
>> only some modules are being used. Reporting everything not defined
>> would not be helpful in this case.
>
>> This behavior of silently removing optional blocks can, however, cause
>> real errors to be missed.
Yes now i remember what happened:
1. i have a per_role_template that had a type in the require section
that i removed. The per role template was called in an optional policy
block.
2. Because the template required a type that did not exist, it was not
used because it was called in an optional policy block.
3. Then later i found out about the required type that didn't exist and i
removed that from the require block of the per role template, and that
is when other errors were exposed in the per role template.
After fixing those, all was well.
An unlikely chain of events but it can happen and can be pretty
confusing. (at least it was to me. Took me a few hours to troubleshoot :)
>
> I remember once requiring a type that did not
> exist. Compiler did not complain but some particular policy was not loaded.
>
> When this happens to me, i check syntax of all policy, check that all
> used types exist and that there are no typos in types and other policy
> in the particular module (in this case modutils and or unconfined). In
> my experience it is usually due to a syntax error or some other error in
> the module.
>
> Other issues i have had with optional policy is for example attributes
> not being within scope or incorrectly nesting of optional policy.
>
> But, i believe in both latter cases, the compiler or installer will
> complain about duplicate declaration or not within scope.
>
> So in my experience, i suspect there is an error in your policy that the
> compiler did not catch.
>
> What may help troubleshoot your issue is to try compiling and loading
> the policy without the optional tags. In some cases that may expose
> errors.
>
> These issues suck and can take ages to track down. The compiler is often
> not very helpful in these instances either.
>
> Basically all you can do is keep checking the involved modules for any
> errors i believe.
>
> I have been fighting with optional policy for quite some time, and i
> have blamed optional policy for a lot of things. But since i figured out
> how it works and how to nest optional policy i found out that it
> actually makes sense. It can be complicated but usually not with
> confining the system layer. When confining the user space, then nesting
> optional policy becomes a big issue.
>
>>>>
>>>> Is this with the policy found in
>>>> selinux-policy-src_0.2.20100524-4_all.deb? I don't see
>>>> unconfined_run_to being used in that policy.
>>>>
>>>> It looks like modutils is part of base, so depmod_t and depmod_exec_t
>>>> should be defined. But there is a requires statement at the top of
>>>> modutils for "bool secure_mode_insmod". Is secure_mode_insmod in the
>>>> policy?
>>>>
>
>>
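As an added example (not code from the thread, and not James's Lua compiler, apol or any other part of the SELinux toolchain), the Python script below does for policy.conf-style text what James explains the real compiler deliberately does not do: it reports every optional block that gets dropped together with the required symbol that is missing. It also reproduces the situation Dominick describes: a block whose require names a symbol that no longer exists is dropped as a whole, nested blocks included, so any further error inside it never surfaces. The sample policy is constructed for this example and mirrors James's earlier question about a block requiring `bool secure_mode_insmod`; the enable-until-nothing-changes loop is an approximation of what the policy linker does, not its actual code.

```python
"""Static check for optional blocks that the SELinux policy compiler silently drops.

Constructed example: every optional block in policy.conf-style text is enabled only
once all symbols in its require statements are declared, globally or inside another
enabled block (a fixpoint that approximates the policy linker, not its real code).
"""
import re

# Constructed sample, not a real base.conf; block 3 mirrors the thread's question
# about a block that requires `bool secure_mode_insmod` when nothing declares it.
SAMPLE_POLICY = """
attribute domain;
type depmod_t, domain;
type depmod_exec_t;
type unconfined_t, domain;
role system_r types depmod_t;
optional {                # block 1: needs depmod_tmp_t, declared only inside block 2
    require { type depmod_tmp_t; }
    allow depmod_t depmod_tmp_t:file { read write };
}
optional {                # block 2: every required symbol exists -> enabled
    require { type unconfined_t, depmod_t, depmod_exec_t; }
    allow unconfined_t depmod_exec_t:file { read execute };
    type depmod_tmp_t;
}
optional {                # block 3: secure_mode_insmod is never declared -> dropped
    require { type depmod_t; bool secure_mode_insmod; }
    allow depmod_t depmod_exec_t:file read;
    optional {            # block 3.1: satisfiable alone, but dropped with its parent
        require { type depmod_t; }
        allow depmod_t depmod_exec_t:file getattr;
    }
}
"""


def strip_comments(text):
    """Drop '#' comments so commented-out rules are not read as declarations."""
    return re.sub(r'#[^\n]*', '', text)


def cut_blocks(text, keyword):
    """Return (text with top-level `keyword { ... }` blocks removed, [their bodies])."""
    rest, bodies, pos = [], [], 0
    for m in re.finditer(r'\b%s\s*\{' % keyword, text):
        if m.start() < pos:                      # match lies inside a block already cut
            continue
        depth, j = 1, m.end()
        while depth:                             # track nesting: { read write }, inner blocks
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        rest.append(text[pos:m.start()])
        bodies.append(text[m.end():j - 1])
        pos = j
    rest.append(text[pos:])
    return ''.join(rest), bodies


def declarations(text):
    """Symbols declared in text: types and their aliases, attributes, bools, roles."""
    syms = set()
    for kind, rest in re.findall(r'\b(type|attribute|bool)\s+([^;]+);', text):
        if kind == 'type':       # "type foo_t alias { bar_t }, attr;" -> foo_t, bar_t
            syms.update(re.sub(r'[{}]|\balias\b', ' ', rest.split(',')[0]).split())
        else:                    # "bool name false;" / "attribute name;"
            syms.add(rest.split()[0])
    syms.update(re.findall(r'\brole\s+(\w+)', text))
    return syms


def requirements(require_bodies):
    """Symbols named in require statements; class entries name no symbol and are skipped."""
    req = set()
    for body in require_bodies:
        for _kind, rest in re.findall(r'\b(type|attribute|bool|role)\s+([^;]+);', body):
            req.update(s.strip() for s in rest.split(','))
    return req


def analyse(policy_text):
    """Map each block path ('1', '3.1', ...) to (enabled, sorted unmet requirements)."""
    global_text, bodies = cut_blocks(strip_comments(policy_text), 'optional')
    nodes = []                                   # (path, parent, declared_here, required)

    def collect(bodies, parent):
        for n, body in enumerate(bodies, 1):
            path = '%s.%d' % (parent, n) if parent else str(n)
            own, nested = cut_blocks(body, 'optional')    # split off nested blocks
            decl_text, reqs = cut_blocks(own, 'require')   # split off require statements
            nodes.append((path, parent, declarations(decl_text), requirements(reqs)))
            collect(nested, path)
    collect(bodies, '')
    declared, enabled, changed = declarations(global_text), set(), True
    while changed:                               # enabling one block may satisfy another
        changed = False
        for path, parent, decl, reqs in nodes:
            if path not in enabled and (not parent or parent in enabled) and reqs <= declared:
                enabled.add(path)
                declared |= decl
                changed = True
    return {path: (path in enabled, sorted(reqs - declared)) for path, _, _, reqs in nodes}


if __name__ == '__main__':
    for path, (on, missing) in sorted(analyse(SAMPLE_POLICY).items()):
        print('optional block %-4s %s %s' % (path, 'enabled' if on else 'DROPPED', missing))
```

Run directly, it prints one line per optional block: blocks 1 and 2 enabled (block 1 only on the second pass, because depmod_tmp_t is declared inside block 2), block 3 dropped with `secure_mode_insmod` as the unmet requirement, and block 3.1 dropped although its own require is satisfiable. On real input, point it at the base.conf or policy.conf the build produces; it does not expand m4, and it does not model `optional { } else { }` branches or `typealias` statements.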
* Re: analysing optional policy
From: James Carter @ 2010-11-30 18:44 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
> I'm having a problem with optional policy not being used when I think it
> should.
>
> Is it possible to use apol to get information on optional policy for .pp files
> so I can try to work out why it doesn't get enabled?
>
> unconfined_run_to(depmod_t, depmod_exec_t)
>
> In the Debian policy I have the above in an optional section of base.pp but
> for reasons that I don't understand it's not being loaded (both tests and
> running apol on policy.24 show this).
>
> I've inspected the contents of base.conf and they appear to be OK.
>
> Any suggestions of other tools to analyse this will be appreciated.
>
I have a policy compiler written in Lua that I used in the past to
experiment with language extensions and that I am currently working
towards being able to convert Refpolicy to CIL. It is not industrial
strength and not friendly to anyone except its creator, but it does
display more error messages.
Running it on the policy in selinux-policy-src_0.2.20100524-4_all.deb I
found the following:
Same paramater used as a role and a type:
- Line 69 in ../debian_policy/policy/modules/apps/seunshare.if
Undefined macro calls:
- samba_run_smb at Line 180 in ../debian_policy/policy/modules/apps/qemu.if
- macro userdom_unpriv_usertype at Line 103 in ../debian_policy/policy/modules/apps/wine.if
- file_type_auto_trans at Line 308 in ../debian_policy/policy/modules/system/ipsec.te
Types used as an alias:
- procmail_t at Line 10 in ../debian_policy/policy/modules/services/lda.te
- procmail_exec_t at Line 12 in ../debian_policy/policy/modules/services/lda.te
- procmail_tmp_t at Line 17 in ../debian_policy/policy/modules/services/lda.te
Types not declared:
- httpd_nagios_script_exec_t
- httpd_cobbler_script_exec_t
- httpd_smokeping_cgi_script_exec_t
- httpd_nutups_cgi_script_exec_t
- lsassd_t
- dkim_var_run_t
- dkim_t
I believe that some of these errors are also in Refpolicy.
I don't see anything related to your problem here.
I've attached the current version of my compiler.
Unfortunately, it treats Refpolicy pre m4 expansion as the policy
language, so I need to patch a few things in the policy to make it work.
So apply the attached patch and then run something like the following:
./fpp.lua -p ../debian_policy/ > policy.conf
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
[-- Attachment #2: debian_policy.diff --]
[-- Type: text/x-patch, Size: 17215 bytes --]
diff -ur debian_policy_orig/policy/constraints debian_policy/policy/constraints
--- debian_policy_orig/policy/constraints 2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/constraints 2010-11-29 10:51:16.000000000 -0500
@@ -25,21 +25,15 @@
# name_list : name | name_list name
#
-define(`basic_ubac_conditions',`
- ifdef(`enable_ubac',`
- u1 == u2
- or u1 == system_u or u1 == unconfined_u
- or u2 == system_u
- or t1 != ubac_constrained_type
- or t2 != ubac_constrained_type
- ')
-')
-
define(`basic_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u or u1 == unconfined_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
);
')
')
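Review bot: deleting the basic_ubac_conditions macro turns one shared condition into three hand-maintained copies (this hunk and the two that follow it), so a later change to the UBAC exemptions, e.g. `or t1 != ubac_constrained_type` / `or t2 != ubac_constrained_type`, now has to be made in all three places, and a missed copy would silently weaken one of the constraints. Since the only reason for inlining is that the front end does not expand a macro defined inside another macro, the patch should say that it is a compiler-only workaround and not something to merge into the shipped policy.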
@@ -48,7 +42,11 @@
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u or u1 == unconfined_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
or t1 == $2
);
')
@@ -82,7 +80,11 @@
ifdef(`enable_ubac',`
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u or u1 == unconfined_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
or t1 == ubacproc
);
')
@@ -241,5 +243,4 @@
undefine(`basic_ubac_constraint')
-undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')
diff -ur debian_policy_orig/policy/mcs debian_policy/policy/mcs
--- debian_policy_orig/policy/mcs 2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/mcs 2010-11-29 10:57:14.000000000 -0500
@@ -71,18 +71,20 @@
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain file { write setattr append link rename }
ifdef(`distro_debian', `
- ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
+ mlsconstrain file { write setattr append link rename }
+ ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
', `
+ mlsconstrain file { write setattr append link rename }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
')
-mlsconstrain file { unlink }
ifdef(`distro_debian', `
- ((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
+ mlsconstrain file { unlink }
+ ((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
', `
- (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
+ mlsconstrain file { unlink }
+ (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
')
mlsconstrain dir { search read ioctl lock }
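Review bot: each ifdef branch now repeats its own `mlsconstrain file { ... }` header, so the permission sets (`{ write setattr append link rename }` and `{ unlink }`) have to be kept identical in the Debian and non-Debian branches by hand; they match in this hunk, but an edit to one branch only would give the two builds different constrained permissions. After m4 expansion the change is a no-op, which the commit message should state.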
@@ -96,12 +98,12 @@
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
ifdef(`distro_debian', `
- (( h1 dom h2 ) and ( l2 eq h2 ) and
- ((l1 domby l2) or (t2 == mcstrustedobject)));
+ mlsconstrain file { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ) and ((l1 domby l2) or (t2 == mcstrustedobject)));
', `
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ mlsconstrain file { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
')
# new file labels must be dominated by the relabeling subject clearance
@@ -112,19 +114,22 @@
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
-mlsconstrain process { transition dyntransition }
ifdef(`distro_debian', `
- (( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
+ mlsconstrain process { transition dyntransition }
+ (( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
', `
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
+ mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
')
-mlsconstrain process { ptrace }
+
ifdef(`distro_debian', `
- ( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
+ mlsconstrain process { ptrace }
+ ((h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
', `
- (( h1 dom h2) or ( t1 == mcsptraceall ));
+ mlsconstrain process { ptrace }
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
')
mlsconstrain process { sigkill sigstop }
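Review bot: the ptrace block mixes a real change with whitespace-only edits: `( (h1 dom h2) and` becomes `((h1 dom h2) and`, and a stray blank line (`+`) is added where the old statement header was removed. Leaving whitespace-only changes out would make the actual move of the `mlsconstrain process { ptrace }` header into each branch easier to verify.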
diff -ur debian_policy_orig/policy/modules/kernel/files.if debian_policy/policy/modules/kernel/files.if
--- debian_policy_orig/policy/modules/kernel/files.if 2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/kernel/files.if 2010-11-29 10:37:03.000000000 -0500
@@ -709,7 +709,7 @@
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
+ allow $1 { file_type - $2 }:dir list_dir_perms;
')
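Review bot: `{ file_type - $2 }` changes the interface contract: callers used to supply the operator themselves (authlogin.if passes `$2 -shadow_t`), so after this change a caller still passing `-foo_t` produces `file_type - -foo_t`, and a caller passing nothing leaves a dangling `-`. The authlogin.if hunks below update five callers, but every other caller of files_read_all_dirs_except, files_read_all_files_except and files_read_all_symlinks_except in policy/modules needs the same treatment; a grep for those names should be part of the change.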
########################################
@@ -734,7 +734,7 @@
attribute file_type;
')
- read_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
@@ -759,7 +759,7 @@
attribute file_type;
')
- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
@@ -1046,6 +1046,35 @@
########################################
## <summary>
+## Relabel all files on the filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type : dir list_dir_perms;
+ relabel_dirs_pattern($1, file_type, file_type)
+ relabel_files_pattern($1, file_type, file_type)
+ relabel_lnk_files_pattern($1, file_type, file_type)
+ relabel_fifo_files_pattern($1, file_type, file_type)
+ relabel_sock_files_pattern($1, file_type, file_type)
+ relabelfrom_blk_files_pattern($1, file_type, file_type)
+ relabelfrom_chr_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </summary>
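Review bot: "perfoming" in the new summary should be "performing". The new interface also drops the comment that the `_except` variant carries ("this is only relabelfrom since there should be no device nodes with file types"); it applies equally to the relabelfrom_blk_files_pattern / relabelfrom_chr_files_pattern lines here and is worth keeping so the asymmetry is not mistaken for an omission.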
@@ -1062,21 +1091,21 @@
## </param>
## <rolecap/>
#
-interface(`files_relabel_all_files',`
+interface(`files_relabel_all_files_except',`
gen_require(`
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
- relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ allow $1 { file_type - $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
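Review bot: keeping the name files_relabel_all_files for the new no-exception interface while renaming the old one to files_relabel_all_files_except means any caller this patch does not touch that still passes an exception list, e.g. `files_relabel_all_files($1, $2 -shadow_t)`, now resolves to the interface that ignores its second argument and gains relabel access to the excluded types, with no diagnostic. Giving the new interface a fresh name (and leaving the old name on the `_except` variant) would make such callers break visibly instead of widening access silently.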
@@ -1110,6 +1139,33 @@
########################################
## <summary>
+## Manage all files on the filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the domain perfoming this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_dirs_pattern($1, file_type, file_type)
+ manage_files_pattern($1, file_type, file_type)
+ manage_lnk_files_pattern($1, file_type, file_type)
+ manage_fifo_files_pattern($1, file_type, file_type)
+ manage_sock_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
+########################################
+## <summary>
## Manage all files on the filesystem, except
## the listed exceptions.
## </summary>
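Review bot: the new files_manage_all_files lists two calls under "satisfy the assertions" (`seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)`), while the visible context of the `_except` variant in the next hunk shows only `seutil_create_bin_policy($1)`. Please confirm both interfaces carry the same assertion-satisfying calls, otherwise they differ by more than the exception set. Same "perfoming" typo in the summary as in the relabel interface.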
@@ -1126,16 +1182,16 @@
## </param>
## <rolecap/>
#
-interface(`files_manage_all_files',`
+interface(`files_manage_all_files_except',`
gen_require(`
attribute file_type;
')
- manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- manage_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_create_bin_policy($1)
Only in debian_policy/policy/modules/kernel: files.if.orig
diff -ur debian_policy_orig/policy/modules/kernel/selinux.if debian_policy/policy/modules/kernel/selinux.if
--- debian_policy_orig/policy/modules/kernel/selinux.if 2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/kernel/selinux.if 2010-11-29 10:37:19.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ #genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
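Review bot: commenting out the `genfscon selinuxfs /booleans/$2` line removes the selinuxfs labelling of every boolean declared through this interface, and the comment just above it explains that this statement is also what forces callers into the base module. As a front-end workaround it is fine, but it must not reach a built policy, where the boolean's selinuxfs entry would otherwise fall back to the nearest matching genfscon prefix.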
########################################
diff -ur debian_policy_orig/policy/modules/services/nx.te debian_policy/policy/modules/services/nx.te
--- debian_policy_orig/policy/modules/services/nx.te 2010-07-25 21:22:34.000000000 -0400
+++ debian_policy/policy/modules/services/nx.te 2010-11-29 10:37:32.000000000 -0500
@@ -13,6 +13,7 @@
domain_user_exemption_target(nx_server_t)
# we need an extra role because nxserver is called from sshd
# cjp: do we really need this?
+role nx_server_r;
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
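Review bot: the added bare `role nx_server_r;` sits directly above `role nx_server_r types nx_server_t;` with no explanation; if the extra declaration exists only to satisfy the Lua front end, a one-line comment saying so would keep it from being mistaken for a fix to the policy itself.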
Only in debian_policy/policy/modules/services: nx.te.orig
diff -ur debian_policy_orig/policy/modules/system/authlogin.if debian_policy/policy/modules/system/authlogin.if
--- debian_policy_orig/policy/modules/system/authlogin.if 2010-07-25 21:22:38.000000000 -0400
+++ debian_policy/policy/modules/system/authlogin.if 2010-11-29 10:37:03.000000000 -0500
@@ -1113,7 +1113,7 @@
type shadow_t;
')
- files_read_all_dirs_except($1,$2 -shadow_t)
+ files_read_all_dirs_except($1, shadow_t)
')
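Review bot: the authlogin interface's own `$2` (the extra types a caller of this interface wanted excluded) is dropped here: `files_read_all_dirs_except($1,$2 -shadow_t)` becomes `files_read_all_dirs_except($1, shadow_t)`, so a caller that passed additional exceptions now silently gets access to them. Either carry `$2` through in the new syntax, or remove the second parameter from this interface's documentation and audit its callers; the same applies to the four hunks that follow.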
########################################
@@ -1139,7 +1139,7 @@
type shadow_t;
')
- files_read_all_files_except($1,$2 -shadow_t)
+ files_read_all_files_except($1, shadow_t)
')
########################################
@@ -1164,7 +1164,7 @@
type shadow_t;
')
- files_read_all_symlinks_except($1,$2 -shadow_t)
+ files_read_all_symlinks_except($1, shadow_t)
')
########################################
@@ -1190,7 +1190,7 @@
type shadow_t;
')
- files_relabel_all_files($1,$2 -shadow_t)
+ files_relabel_all_files_except($1, shadow_t)
')
########################################
@@ -1242,7 +1242,7 @@
type shadow_t;
')
- files_manage_all_files($1,$2 -shadow_t)
+ files_manage_all_files_except($1, shadow_t)
')
########################################
diff -ur debian_policy_orig/policy/support/misc_macros.spt debian_policy/policy/support/misc_macros.spt
--- debian_policy_orig/policy/support/misc_macros.spt 2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/support/misc_macros.spt 2010-11-29 10:36:35.000000000 -0500
@@ -65,12 +65,6 @@
########################################
#
-# can_exec(domain,executable)
-#
-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
-
-########################################
-#
# gen_bool(name,default_value)
#
define(`gen_bool',`
diff -ur debian_policy_orig/policy/support/misc_patterns.spt debian_policy/policy/support/misc_patterns.spt
--- debian_policy_orig/policy/support/misc_patterns.spt 2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/support/misc_patterns.spt 2010-11-29 10:36:35.000000000 -0500
@@ -62,3 +62,9 @@
allow $1 $2:lnk_file read_lnk_file_perms;
allow $1 $2:process getattr;
')
+
+########################################
+#
+# can_exec(domain,executable)
+#
+define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
diff -ur debian_policy_orig/policy/users debian_policy/policy/users
--- debian_policy_orig/policy/users 2010-07-25 21:22:24.000000000 -0400
+++ debian_policy/policy/users 2010-11-29 10:42:46.000000000 -0500
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
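Review bot: read on its own, this hunk makes `system_u` disappear from the users file; the hand-expanded `user system_u roles system_r ...` lines only arrive in the third hunk of this file. Either delete the old `gen_user` line outright or leave a one-line comment pointing at the expanded block, so a reader of this hunk does not conclude the system identity is gone.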
@@ -24,12 +24,12 @@
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(user_u, user, user_r, s0, s0)
+#gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
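Review bot: the comment `# Until order dependence is fixed for users:` now introduces a commented-out line and is orphaned; move it next to the `unconfined_u` lines in the expanded block or drop it. Commenting out rather than deleting the four `gen_user` lines also leaves two copies of every user definition to keep in sync by hand.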
@@ -38,8 +38,47 @@
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#ifdef(`direct_sysadm_daemon',`
+ #gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#',`
+ #gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#')
+
+ifdef(`enable_mls',`
+ user system_u roles system_r level s0 range s0 - mls_systemhigh;
+ user user_u roles user_r level s0 range s0;
+ user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+ user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
+ user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
+ ',`
+ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+ ')
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+ ifdef(`enable_mcs',`
+ user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
+ user user_u roles user_r level s0 range s0;
+ user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
+ user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
+ user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
+ ',`
+ user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
+ ')
+ ',`
+ # No MLS
+ # Not supporting MCS
+ user system_u roles system_r;
+ user user_u roles user_r;
+ user staff_u roles { staff_r sysadm_r };
+ user sysadm_u roles sysadm_r;
+ user unconfined_u roles unconfined_r;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r system_r };
+ ',`
+ user root roles { sysadm_r staff_r };
+ ')
+ ')
+ ')
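Review bot: `unconfined_u` loses `system_r` in the expansion. The original `gen_user(unconfined_u, unconfined, unconfined_r system_r, ...)` in the previous hunk granted both roles, but all three new blocks say `user unconfined_u roles unconfined_r`, so this is a behaviour change, not a faithful expansion; the other entries do match (the MLS block adds `secadm_r auditadm_r` exactly where `ifdef(`enable_mls',...)` did, and only the `direct_sysadm_daemon` branch gives root `system_r`). Two smaller points: the second `gen_user` argument (`user`, `staff`, `sysadm`, `unconfined`) has no counterpart in the `user` statements, and every future user change now has to be made three times. Worth stating in the commit message that this is a workaround for the compiler's view of the pre-m4 sources rather than a policy change intended for Debian.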
[-- Attachment #3: fpp_20101130.tar.bz2 --]
[-- Type: application/x-bzip-compressed-tar, Size: 74125 bytes --]
* Re: analysing optional policy
2010-11-30 18:11 ` James Carter
2010-11-30 18:26 ` Dominick Grift
@ 2010-11-30 18:45 ` Christopher J. PeBenito
2010-11-30 18:58 ` James Carter
1 sibling, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2010-11-30 18:45 UTC (permalink / raw)
To: jwcart2; +Cc: Dominick Grift, selinux
On 11/30/10 13:11, James Carter wrote:
> On Tue, 2010-11-30 at 17:45 +0100, Dominick Grift wrote:
> On 11/30/2010 04:36 PM, James Carter wrote:
>>>> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
>>>>> I'm having a problem with optional policy not being used when I think it
>>>>> should.
>>>>>
>>>>> Is it possible to use apol to get information on optional policy for .pp files
>>>>> so I can try to work out why it doesn't get enabled?
>>>>>
>>>>> unconfined_run_to(depmod_t, depmod_exec_t)
>>>>>
>>>>> In the Debian policy I have the above in an optional section of base.pp but
>>>>> for reasons that I don't understand it's not being loaded (both tests and
>>>>> running apol on policy.24 show this).
>>>>>
>>>>> I've inspected the contents of base.conf and they appear to be OK.
>>>>>
>>>>> Any suggestions of other tools to analyse this will be appreciated.
>
>> This may not be applicable here but do double check the module. I have
>> experienced similar issues where optional policy blocks were not loaded,
>> without any errors shown.
>
> Not being defined is not an error in an optional block, it just means
> the optional block is not to be used.
>
> It is expected that there will be a lot of unused optional blocks if
> only some modules are being used. Reporting everything not defined
> would not be helpful in this case.
>
> This behavior of silently removing optional blocks can, however, cause
> real errors to be missed.
At first I was going to suggest an extra-verbose or a debug mode on the
toolchain to help on this, but I suspect that identifying the block in a
useful fashion wouldn't be possible. When resolving the blocks, is
there even any reference to the module it comes from? Beyond that,
there probably aren't line numbers either, so it couldn't have messages
like "block disabled: optional beginning on line 123 from foo.pp."
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: analysing optional policy
2010-11-30 18:45 ` Christopher J. PeBenito
@ 2010-11-30 18:58 ` James Carter
0 siblings, 0 replies; 9+ messages in thread
From: James Carter @ 2010-11-30 18:58 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Dominick Grift, selinux
On Tue, 2010-11-30 at 13:45 -0500, Christopher J. PeBenito wrote:
> On 11/30/10 13:11, James Carter wrote:
> > On Tue, 2010-11-30 at 17:45 +0100, Dominick Grift wrote:
> > On 11/30/2010 04:36 PM, James Carter wrote:
> >>>> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
> >>>>> I'm having a problem with optional policy not being used when I think it
> >>>>> should.
> >>>>>
> >>>>> Is it possible to use apol to get information on optional policy for .pp files
> >>>>> so I can try to work out why it doesn't get enabled?
> >>>>>
> >>>>> unconfined_run_to(depmod_t, depmod_exec_t)
> >>>>>
> >>>>> In the Debian policy I have the above in an optional section of base.pp but
> >>>>> for reasons that I don't understand it's not being loaded (both tests and
> >>>>> running apol on policy.24 show this).
> >>>>>
> >>>>> I've inspected the contents of base.conf and they appear to be OK.
> >>>>>
> >>>>> Any suggestions of other tools to analyse this will be appreciated.
> >
> >> This may not be applicable here but do double check the module. I have
> >> experienced similar issues where optional policy blocks were not loaded,
> >> without any errors shown.
> >
> > Not being defined is not an error in an optional block, it just means
> > the optional block is not to be used.
> >
> > It is expected that there will be a lot of unused optional blocks if
> > only some modules are being used. Reporting everything not defined
> > would not be helpful in this case.
> >
> > This behavior of silently removing optional blocks can, however, cause
> > real errors to be missed.
>
> At first I was going to suggest an extra-verbose or a debug mode on the
> toolchain to help on this, but I suspect that identifying the block in a
> useful fashion wouldn't be possible. When resolving the blocks, is
> there even any reference to the module it comes from? Beyond that,
> there probably aren't line numbers either, so it couldn't have messages
> like "block disabled: optional beginning on line 123 from foo.pp."
>
It seems like it would be helpful to Russell and others if there was a
debug mode, even if it merely said something like "optional block
disabled: foo_t not defined". They would at least have a starting
point.
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: analysing optional policy
2010-11-30 18:44 ` James Carter
@ 2010-11-30 21:35 ` Daniel J Walsh
0 siblings, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2010-11-30 21:35 UTC (permalink / raw)
To: jwcart2; +Cc: russell, SE-Linux
On 11/30/2010 01:44 PM, James Carter wrote:
> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
>> I'm having a problem with optional policy not being used when I think it
>> should.
>>
>> Is it possible to use apol to get information on optional policy for .pp files
>> so I can try to work out why it doesn't get enabled?
>>
>> unconfined_run_to(depmod_t, depmod_exec_t)
>>
>> In the Debian policy I have the above in an optional section of base.pp but
>> for reasons that I don't understand it's not being loaded (both tests and
>> running apol on policy.24 show this).
>>
>> I've inspected the contents of base.conf and they appear to be OK.
>>
>> Any suggestions of other tools to analyse this will be appreciated.
>>
>
> I have a policy compiler written in Lua that I used in the past to
> experiment with language extensions and that I am currently working
> towards being able to convert Refpolicy to CIL. It is not industrial
> strength and not friendly to anyone except its creator, but it does
> display more error messages.
>
> Running it on the policy in selinux-policy-src_0.2.20100524-4_all.deb I
> found the following:
>
> Same parameter used as a role and a type:
> - Line 69 in ../debian_policy/policy/modules/apps/seunshare.if
>
> Undefined macro calls:
> - samba_run_smb at Line 180 in ../debian_policy/policy/modules/apps/qemu.if
> - macro userdom_unpriv_usertype at Line 103 in ../debian_policy/policy/modules/apps/wine.if
> - file_type_auto_trans at Line 308 in ../debian_policy/policy/modules/system/ipsec.te
>
> Types used as an alias:
> - procmail_t at Line 10 in ../debian_policy/policy/modules/services/lda.te
> - procmail_exec_t at Line 12 in ../debian_policy/policy/modules/services/lda.te
> - procmail_tmp_t at Line 17 in ../debian_policy/policy/modules/services/lda.te
>
> Types not declared:
> - httpd_nagios_script_exec_t
> - httpd_cobbler_script_exec_t
> - httpd_smokeping_cgi_script_exec_t
> - httpd_nutups_cgi_script_exec_t
> - lsassd_t
> - dkim_var_run_t
> - dkim_t
>
> I believe that some of these errors are also in Refpolicy.
>
> I don't see anything related to your problem here.
>
> I've attached the current version of my compiler.
> Unfortunately, it treats Refpolicy pre m4 expansion as the policy
> language, so I need to patch a few things in the policy to make it work.
>
> So apply the attached patch and then run something like the following:
> ./fpp.lua -p ../debian_policy/ > policy.conf
>
One thing I got burned on last night was a gen_require block with a
spelling mistake. So it pulled a whole section of policy out.
It would be cool if we could check that all types that are required
within an interface file are defined within the te file.
foobar.if should not require types that are not defined in foobar.te.
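Both the "optional block disabled: foo_t not defined" message James Carter asks for and Dan Walsh's check that foobar.if only requires types foobar.te declares can be done on the unexpanded sources, where line numbers still exist. The following is an added example written for this page, not fpp.lua or any code from the thread; the regex-based m4 parsing, the function names (`declared_types`, `lint`) and the sample foo.te/foo.if text are all constructed here and assume refpolicy's ` and ' quoting.

```python
import re
# Added example, not code from the thread: a source-level lint in the spirit of
# James Carter's "optional block disabled: foo_t not defined" line and Dan Walsh's
# .if-versus-.te gen_require check. Works on unexpanded refpolicy m4 sources.
DECL = re.compile(r"^\s*type\s+(\w+)(?:\s+alias\s+(?:\{[^}]*\}|\w+))?\s*[,;]", re.M)
REQ = re.compile(r"\btype\s+([\w\s,]+?)\s*;")

def call_args(text, start):
    """Args of the macro call whose '(' is text[start], up to the ')' at m4 quote depth 0."""
    depth = 0
    for i in range(start + 1, len(text)):
        depth += {"`": 1, "'": -1}.get(text[i], 0)
        if text[i] == ")" and depth == 0:
            return text[start + 1:i]
    raise ValueError("unterminated macro call at offset %d" % start)

def calls(text, macro):
    """Yield (line, args) for each call of macro; '#' comments are blanked first."""
    text = re.sub(r"#[^\n]*", "", text)  # newlines survive, so line numbers hold
    for m in re.finditer(r"\b" + re.escape(macro) + r"\(", text):
        yield text.count("\n", 0, m.start()) + 1, call_args(text, m.end() - 1)

def declared_types(te_text):
    """Types a .te file declares; names merely required in gen_require don't count."""
    te_text = re.sub(r"#[^\n]*", "", te_text)
    for _, args in calls(te_text, "gen_require"):
        te_text = te_text.replace(args, "")
    return set(DECL.findall(te_text))

def lint(declared, text, macro):
    """(line, missing types) per macro(...) block whose gen_require names an undeclared type."""
    out = []
    for line, args in calls(text, macro):
        need = set()
        for _, req in calls(args, "gen_require"):
            for decl in REQ.findall(req):
                need.update(n.strip() for n in decl.split(","))
        if need - declared:
            out.append((line, sorted(need - declared)))
    return out

# Constructed sample: foo_exe_t is a typo for foo_exec_t, so both blocks are dropped.
FOO_TE = """type foo_t;
type foo_exec_t, exec_type;
optional_policy(`
	gen_require(` type foo_exe_t; ')
')
"""
FOO_IF = """interface(`foo_domtrans',`
	gen_require(` type foo_t, foo_exe_t; ')
	domtrans_pattern($1, foo_exec_t, foo_t)
')
"""
```

Run `lint(declared_types(FOO_TE), FOO_TE, "optional_policy")` to list the optional blocks the module linker would drop without a message, and `lint(declared_types(FOO_TE), FOO_IF, "interface")` to check the .if file against what its .te declares; each hit is the block's line number plus the undeclared types.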