From: Harry Ciao <qingtao.cao@windriver.com>
To: sds@tycho.nsa.gov, jmorris@namei.org, eparis@parisplace.org
Cc: selinux@tycho.nsa.gov
Subject: Re: v0 Add class support to the role_transition rule
Date: Wed, 23 Mar 2011 16:21:16 +0800
Message-ID: <4D89AD7C.9030709@windriver.com>
In-Reply-To: <1300847325-20308-1-git-send-email-qingtao.cao@windriver.com>

I forgot to paste the test of SELinux kernel policydb_write > 
role_trans_write, please see below.

BTW, since the userspace security server has been out of sync with that 
in kernel (as Stephen has pointed out before), I didn't use checkpolicy 
-Mdb but have relied on compute_create to access the kernel security server 
instead.

Best regards,
Harry

-------------

6. Verify that SELinux kernel policydb_write > role_trans_write works well:

    [root/sysadm_r/s0@~]# cat /selinux/policy > policy_read
    [root/sysadm_r/s0@~]# ls -l policy_read
    -rw-r--r-- 1 root root 5849742 Mar 23 08:07 policy_read
    [root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/policy.25
    -rw-r--r-- 1 root root 5849742 Mar 22 08:03 /etc/selinux/refpolicy-mls/policy/policy.25
    [root/sysadm_r/s0@~]#
    [root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
    [root/sysadm_r/s0@~]# vim policy_read_xxd
    ......
    055c510:                                    0d00  l.....S.........
    055c520: 0000 0300 0000 a006 0000 0200 0000 0b00  ................
    055c530: 0000 0300 0000 a103 0000 0200 0000 0b00  ................
    055c540: 0000 0800 0000 b707 0000 0200 0000 0b00  ................
    055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00  ................
    055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00  ................
    055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00  ................
    055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00  ................
    055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00  ................
    055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00  ................
    055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00  ................
    055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00  ................
    055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00  ................
    055c5e0: 0000
    ......
    [root/sysadm_r/s0@~]#


On 03/23/2011 10:28 AM, Harry Ciao wrote:
>
> Comments:
> ---------
> Add class support to the role_transition rule so that it could be used in
> a much more generalized manner.
>
> So far the semantics of the role_transition rule do not support specifying
> the class, and in the SELinux kernel security server it could be applied to the
> process class only.
>
> With the class support the role_transition rule could be used for non-process
> classes, and the newly created object could have roles other than "object_r",
> which is a prerequisite for real RBAC separation development in the future.
>
>
> Tests I've done:
> ----------------
>
> 0. Add below snippet into sysadm.te for testing:
>
>     role_transition sysadm_r user_home_t:{ file dir lnk_file fifo_file sock_file chr_file blk_file } sysadm_r;
>     role sysadm_r types user_home_t;
>
>     gen_require(`
>             type vlock_exec_t, vlock_t;
>     ')
>     role_transition sysadm_r vlock_exec_t system_r;
>
> 1. Verify that the dismod program could display the class field of the
>     role_transition rule correctly:
>
>     /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp
>     Reading policy...
>     ......
>     ......
>     Command ('m' for menu):  7
>     role transitions:
>     --- begin avrule block ---
>     decl 1:
>     role transition  sysadm_r [vlock_exec_t] : [process] system_r
>     role transition  sysadm_r [user_home_t] :{ [file] [dir] [lnk_file] [chr_file] [blk_file] [sock_file] [fifo_file] } sysadm_r
>     --- begin avrule block ---
>     decl 2:
>     ......
>     --- begin avrule block ---
>     decl 342:
>
>     Command ('m' for menu):  q
>     /work/selinux/selinux/checkpolicy$
>
> 2. Further verify that the binary representation of the role_transition rule
>     is correct:
>
>     /work/selinux/refpolicy$ ls -lt /etc/selinux/refpolicy-mls/policy/policy.25
>     -rw-r--r--. 2 root root 5849742 2011-03-22 15:39 /etc/selinux/refpolicy-mls/policy/policy.25
>     /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.25 > policy_25_xxd
>     /work/selinux/refpolicy$ vim policy_25_xxd
>     ......
>     055c510:                                    0d00  l.....S.........
>     055c520: 0000 0300 0000 a006 0000 0200 0000 0b00  ................
>     055c530: 0000 0300 0000 a103 0000 0200 0000 0b00  ................
>     055c540: 0000 0800 0000 b707 0000 0200 0000 0b00  ................
>     055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00  ................
>     055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00  ................
>     055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00  ................
>     055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00  ................
>     055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00  ................
>     055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00  ................
>     055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00  ................
>     055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00  ................
>     055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00  ................
>     055c5e0: 0000 0c00 0000 9209 0000 0200 0000 0b00  ................
>     055c5f0: 0000
>     ......
>     /work/selinux/refpolicy$
>
> 3. Run-time test one - verify that the role_transition rule works for
>     non-process classes:
>
>     [root/sysadm_r/s0@~]# sestatus
>     SELinux status:                 enabled
>     SELinuxfs mount:                /selinux
>     Current mode:                   enforcing
>     Mode from config file:          enforcing
>     Policy version:                 25
>     Policy from config file:        refpolicy-mls
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# id -Z
>     root:sysadm_r:sysadm_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]# ls -Zd
>     dr-xr-x---  root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 file
>     root:sysadm_r:user_home_t:s0
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 dir
>     root:sysadm_r:user_home_t:s0
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# mkdir dir
>     [root/sysadm_r/s0@~]# touch file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>
> 4. Run-time test two - verify that the role_transition rule works for the
>     process class:
>
>     [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main
>     -rws--x--x  root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:staff_r:staff_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
>     root:staff_r:vlock_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
>     root:system_r:vlock_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]#
>
>     [root/staff_r/s0@~]# vlock&
>     [1] 796
>     [root/staff_r/s0@~]# ps Z -C vlock-main
>     LABEL                             PID TTY      STAT   TIME COMMAND
>     root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
>
>     [1]+  Stopped                 vlock
>     [root/staff_r/s0@~]#
>
>     [root/sysadm_r/s0@~]# seclow "setenforce 0"
>     Password:
>     [root/sysadm_r/s0@~]# vlock&
>     [1] 812
>     [root/sysadm_r/s0@~]# ps Z -C vlock-main
>     LABEL                             PID TTY      STAT   TIME COMMAND
>     root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
>     root:system_r:vlock_t:s0-s15:c0.c1023 812 ttyS0 T     0:00 /usr/sbin/vlock-main
>
>     [1]+  Stopped                 vlock
>     [root/sysadm_r/s0@~]#
>
>     (Note, "setenforce 0" is to shortcut the necessary user-role & role-type settings in sysadm.pp for system_r)
>
> 5. (TODO) restorecon doesn't take into account the role_transition rule
>     for non-process class so far:
>
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# restorecon dir file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:object_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:object_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

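As an added example (not part of Harry's mail or of the SELinux sources), the Python below decodes the role_trans table seen in the xxd output of tests 2 and 6 and folds it back into the per-rule form dismod prints in test 1. The le32 count prefix and the (role, type, class, new_role) field order are inferred from that dump alone, and the class-id names follow refpolicy's security_classes order; both are assumptions, as is the three-field legacy layout used for the `with_class=False` case.

```python
import struct
# Object class ids in refpolicy's security_classes order (assumed; the dump carries only numbers).
CLASS_NAMES = {2: "process", 6: "file", 7: "dir", 9: "lnk_file", 10: "chr_file",
               11: "blk_file", 12: "sock_file", 13: "fifo_file"}
# Constructed from the xxd lines of test 2 with the ascii column dropped:
# a le32 entry count (13) followed by 13 role_trans records of 4 le32 each.
XXD_DUMP = """\
055c510: 0d00
055c520: 0000 0300 0000 a006 0000 0200 0000 0b00
055c530: 0000 0300 0000 a103 0000 0200 0000 0b00
055c540: 0000 0800 0000 b707 0000 0200 0000 0b00
055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00
055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00
055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00
055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00
055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00
055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00
055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00
055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00
055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00
055c5e0: 0000 0c00 0000 9209 0000 0200 0000 0b00
055c5f0: 0000
"""

def xxd_to_bytes(dump):
    """Join the hex groups of xxd-style lines; the offset column is ignored."""
    groups = [g for line in dump.splitlines() for g in line.split(":", 1)[1].split()]
    return bytes.fromhex("".join(groups))

def parse_role_trans(blob, with_class=True):
    """Decode a role_trans table: le32 count, then one (role, type, tclass, new_role)
    record per rule (order inferred from the dump); a pre-class table has no tclass."""
    (nel,) = struct.unpack_from("<I", blob, 0)
    width = 4 if with_class else 3
    recs, off = [], 4
    for _ in range(nel):
        f = struct.unpack_from("<%dI" % width, blob, off)
        off += 4 * width
        # Without a class field every rule applies to the process class (2).
        recs.append(f if with_class else (f[0], f[1], 2, f[2]))
    if off != len(blob):
        raise ValueError("table length does not match count %d" % nel)
    return recs

def group_rules(recs):
    """Fold records sharing (role, type, new_role) back into one
    role_transition statement with a class set, as dismod prints it."""
    rules = {}
    for role, typ, tclass, new_role in recs:
        rules.setdefault((role, typ, new_role), []).append(CLASS_NAMES.get(tclass, str(tclass)))
    return [(r, t, tuple(c), n) for (r, t, n), c in rules.items()]
```

Run against the dump, the seven consecutive records for type 0x58e with classes 6, 7, 9, 10, 11, 12 and 13 collapse into the single `user_home_t:{ file dir lnk_file chr_file blk_file sock_file fifo_file }` rule from step 0, while every other record carries class 2 (process).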
