* v0 Add class support to the role_transition rule
@ 2011-03-23  2:28 Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
                   ` (8 more replies)
  0 siblings, 9 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux


Comments:
---------
Add class support to the role_transition rule so that it could be used in
a much more generalized manner.

So far the semantics of the role_transition rule do not support specifying
the class, and in the SELinux kernel security server it could be applied to the
process class only.

With the class support the role_transition rule could be used for non-process
classes, and the newly created object could have roles other than "object_r",
which is a prerequisite for real RBAC separation development in the future.


Tests I've done:
-------------------

0. Add the snippet below into sysadm.te for testing:

   role_transition sysadm_r user_home_t:{ file dir lnk_file fifo_file sock_file chr_file blk_file } sysadm_r;
   role sysadm_r types user_home_t;
   
   gen_require(`
           type vlock_exec_t, vlock_t;
   ')
   role_transition sysadm_r vlock_exec_t system_r;
   
1. Verify that the dismod program could display the class field of the
   role_transition rule correctly:
   
   /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp 
   Reading policy...
   ......
   ......
   Command ('m' for menu):  7
   role transitions:
   --- begin avrule block ---
   decl 1:
   role transition  sysadm_r [vlock_exec_t] : [process] system_r
   role transition  sysadm_r [user_home_t] :{ [file] [dir] [lnk_file] [chr_file] [blk_file] [sock_file] [fifo_file] } sysadm_r
   --- begin avrule block ---
   decl 2:
   ......
   --- begin avrule block ---
   decl 342:
   
   Command ('m' for menu):  q
   /work/selinux/selinux/checkpolicy$ 
   
2. Further verify that the binary representation of the role_transition rule
   is correct:
   
   /work/selinux/refpolicy$ ls -lt /etc/selinux/refpolicy-mls/policy/policy.25 
   -rw-r--r--. 2 root root 5849742 2011-03-22 15:39 /etc/selinux/refpolicy-mls/policy/policy.25
   /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.25 > policy_25_xxd
   /work/selinux/refpolicy$ vim policy_25_xxd
   ......
   055c510:                                    0d00  l.....S.........
   055c520: 0000 0300 0000 a006 0000 0200 0000 0b00  ................
   055c530: 0000 0300 0000 a103 0000 0200 0000 0b00  ................
   055c540: 0000 0800 0000 b707 0000 0200 0000 0b00  ................
   055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00  ................
   055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00  ................
   055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00  ................
   055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00  ................
   055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00  ................
   055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00  ................
   055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00  ................
   055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00  ................
   055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00  ................
   055c5e0: 0000 0c00 0000 9209 0000 0200 0000 0b00  ................
   055c5f0: 0000 
   ......
   /work/selinux/refpolicy$ 
   
3. Run-time test one - verify that the role_transition rule works for
   non-process classes:
   
   [root/sysadm_r/s0@~]# sestatus 
   SELinux status:                 enabled
   SELinuxfs mount:                /selinux
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy version:                 25
   Policy from config file:        refpolicy-mls
   [root/sysadm_r/s0@~]#      
   [root/sysadm_r/s0@~]# id -Z
   root:sysadm_r:sysadm_t:s0-s15:c0.c1023 
   [root/sysadm_r/s0@~]# ls -Zd
   dr-xr-x---  root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
   [root/sysadm_r/s0@~]#
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 file
   root:sysadm_r:user_home_t:s0
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 dir 
   root:sysadm_r:user_home_t:s0
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# mkdir dir
   [root/sysadm_r/s0@~]# touch file
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# ls -Zd dir file
   drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
   -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
   [root/sysadm_r/s0@~]# 
   
4. Run-time test two - verify that the role_transition rule works for the
   process class:
   
   [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main 
   -rws--x--x  root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# compute_create root:staff_r:staff_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
   root:staff_r:vlock_t:s0-s15:c0.c1023
   [root/sysadm_r/s0@~]#
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
   root:system_r:vlock_t:s0-s15:c0.c1023
   [root/sysadm_r/s0@~]# 
   
   [root/staff_r/s0@~]# vlock &
   [1] 796
   [root/staff_r/s0@~]# ps Z -C vlock-main
   LABEL                             PID TTY      STAT   TIME COMMAND
   root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
   
   [1]+  Stopped                 vlock
   [root/staff_r/s0@~]# 
   
   [root/sysadm_r/s0@~]# seclow "setenforce 0"
   Password: 
   [root/sysadm_r/s0@~]# vlock &
   [1] 812
   [root/sysadm_r/s0@~]# ps Z -C vlock-main
   LABEL                             PID TTY      STAT   TIME COMMAND
   root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
   root:system_r:vlock_t:s0-s15:c0.c1023 812 ttyS0 T     0:00 /usr/sbin/vlock-main
   
   [1]+  Stopped                 vlock
   [root/sysadm_r/s0@~]# 
   
   (Note, "setenforce 0" is to shortcut the necessary user-role & role-type settings in sysadm.pp for system_r)
   
5. (TODO) restorecon doesn't take into account the role_transition rule
   for non-process class so far:
   
   [root/sysadm_r/s0@~]# ls -Zd dir file
   drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
   -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# restorecon dir file
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# ls -Zd dir file
   drwxr-xr-x  root root root:object_r:user_home_t:s0     dir
   -rw-r--r--  root root root:object_r:user_home_t:s0     file
   [root/sysadm_r/s0@~]# 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23 14:40   ` Eric Paris
  2011-03-23  2:28 ` [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus200@hotmail.com>

If kernel policy version is >= 25, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.

If kernel policy version is < 25, then the class field would be default
to the process class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/include/security.h |    3 ++-
 security/selinux/ss/policydb.c      |   24 +++++++++++++++++++++---
 security/selinux/ss/policydb.h      |    7 ++++---
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 671273e..a9d9e2b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -28,13 +28,14 @@
 #define POLICYDB_VERSION_POLCAP		22
 #define POLICYDB_VERSION_PERMISSIVE	23
 #define POLICYDB_VERSION_BOUNDARY	24
+#define POLICYDB_VERSION_ROLETRANS	25
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
 #endif
 
 /* Mask for just the mount related flags */
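Review bot: the bump of POLICYDB_VERSION_MAX to POLICYDB_VERSION_ROLETRANS only applies when CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is unset; in the other branch the maximum comes from CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE, so check that the Kconfig range which bounds that value is raised to 25 as well, otherwise builds using the override cannot load a version-25 policy.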
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 5736356..b660f08 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = {
 		.sym_num	= SYM_NUM,
 		.ocon_num	= OCON_NUM,
 	},
+	{
+		.version	= POLICYDB_VERSION_ROLETRANS,
+		.sym_num	= SYM_NUM,
+		.ocon_num	= OCON_NUM,
+	},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -2209,16 +2214,29 @@ int policydb_read(struct policydb *p, void *fp)
 			ltr->next = tr;
 		else
 			p->role_tr = tr;
-		rc = next_entry(buf, fp, sizeof(u32)*3);
+		rc = next_entry(buf, fp, sizeof(u32)*2);
 		if (rc)
 			goto bad;
 
-		rc = -EINVAL;
 		tr->role = le32_to_cpu(buf[0]);
 		tr->type = le32_to_cpu(buf[1]);
-		tr->new_role = le32_to_cpu(buf[2]);
+		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+			rc = next_entry(buf, fp, sizeof(u32));
+			if (rc)
+				goto bad;
+			tr->cclass = le32_to_cpu(buf[0]);
+		} else
+			tr->cclass = p->process_class;
+
+		rc = next_entry(buf, fp, sizeof(u32));
+		if (rc)
+			goto bad;
+		tr->new_role = le32_to_cpu(buf[0]);
+
+		rc = -EINVAL;
 		if (!policydb_role_isvalid(p, tr->role) ||
 		    !policydb_type_isvalid(p, tr->type) ||
+		    !policydb_class_isvalid(p, tr->cclass) ||
 		    !policydb_role_isvalid(p, tr->new_role))
 			goto bad;
 		ltr = tr;
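Review bot: the legacy branch `tr->cclass = p->process_class;` depends on p->process_class having been resolved before the role_tr loop in policydb_read; if it is still 0 at this point, the new `!policydb_class_isvalid(p, tr->cclass)` test rejects every pre-25 policy that contains a role transition. Confirm the ordering, or resolve the "process" class by name here as the checkpolicy side of this series does. Moving `rc = -EINVAL;` below the added next_entry calls is correct, since each of them overwrites rc.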
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 4e3ab9d..ba08fb4 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -71,9 +71,10 @@ struct role_datum {
 };
 
 struct role_trans {
-	u32 role;		/* current role */
-	u32 type;		/* program executable type */
-	u32 new_role;		/* new role */
+	u32 role;	/* current role */
+	u32 type;	/* program executable type, or new object type */
+	u32 cclass;	/* process class, or new object class */
+	u32 new_role;	/* new role */
 	struct role_trans *next;
 };
 
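Review bot: the unchanged `role` and `new_role` members are re-emitted only to change their tab alignment, which inflates the diff and git blame; keep the existing two-tab alignment for all four members and add only the `cclass` line with its comment.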
-- 
1.7.0.4



* [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23 13:31   ` Stephen Smalley
  2011-03-23 14:46   ` Eric Paris
  2011-03-23  2:28 ` [v0 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
                   ` (6 subsequent siblings)
  8 siblings, 2 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus200@hotmail.com>

For the process class, the role_trans.type is compared with
tcontext->type, that is, the program executable type.

For all the rest classes, the role_trans.type is compared with
newcontext.type, that is, the type for the newly created object
of that class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/ss/services.c |   23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a03cfaf..01fc3d5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1443,17 +1443,18 @@ static int security_compute_sid(u32 ssid,
 	}
 
 	/* Check for class-specific changes. */
-	if  (tclass == policydb.process_class) {
-		if (specified & AVTAB_TRANSITION) {
-			/* Look for a role transition rule. */
-			for (roletr = policydb.role_tr; roletr;
-			     roletr = roletr->next) {
-				if (roletr->role == scontext->role &&
-				    roletr->type == tcontext->type) {
-					/* Use the role transition rule. */
-					newcontext.role = roletr->new_role;
-					break;
-				}
+	if (specified & AVTAB_TRANSITION) {
+		/* Look for a role transition rule. */
+		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
+			if ((roletr->role == scontext->role) &&
+			    (roletr->cclass == tclass) &&
+			    ((roletr->cclass == policydb.process_class &&
+			      roletr->type == tcontext->type) ||
+			     (roletr->cclass != policydb.process_class &&
+			      roletr->type == newcontext.type))){
+				/* Use the role transition rule. */
+				newcontext.role = roletr->new_role;
+				break;
 			}
 		}
 	}
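Review bot: the new condition is correct but hard to read, and `roletr->type == newcontext.type))){` lacks the usual space before the brace. Computing the type to compare once, before the loop, makes the per-class rule explicit: `u32 cmp_type = (tclass == policydb.process_class) ? tcontext->type : newcontext.type;` followed by `if (roletr->role == scontext->role && roletr->cclass == tclass && roletr->type == cmp_type)`. Because the non-process branch reads `newcontext.type`, this block must remain after the type_transition lookup that fills newcontext.type; a one-line comment stating that dependency would keep a later reorder from silently breaking role transitions on objects.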
-- 
1.7.0.4


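To make the two halves of the series concrete, here is an added example (not code from the patch series or the kernel tree) that decodes the role_trans section in both on-disk layouts and applies the lookup rule that PATCH 2/3 introduces. The 13 sample records are transcribed from the xxd dump of policy.25 in the cover letter (count 0x0d, then role, type, class, new_role per record); that class value 2 is "process", and that the seven records sharing role 0xa and type 0x58e are the per-class expansion of the user_home_t rule, are assumptions drawn from the dismod output rather than facts the dump itself states.

```c
/*
 * Added example, not part of the patch series: parse the role_trans section
 * of a binary SELinux policy (pre-25 and 25+ layouts) and apply the
 * security_compute_sid matching rule from PATCH 2/3.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POLICYDB_VERSION_ROLETRANS 25	/* first version carrying cclass */

struct role_trans {
	uint32_t role;		/* current role */
	uint32_t type;		/* program executable type, or new object type */
	uint32_t cclass;	/* process class, or new object class */
	uint32_t new_role;	/* new role */
};

/* Policy files store every field as a little-endian u32. */
static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/*
 * Parse "u32 count" followed by count records.  Pre-25 records are
 * role/type/new_role (12 bytes); 25+ records insert cclass before new_role
 * (16 bytes).  Older records default to process_class, as policydb_read does.
 * Returns the record count, or -1 on a truncated section or too-small table.
 */
int role_trans_parse(const uint8_t *buf, size_t len, uint32_t policyvers,
		     uint32_t process_class, struct role_trans *out, size_t max)
{
	int has_class = policyvers >= POLICYDB_VERSION_ROLETRANS;
	size_t rec = has_class ? 16 : 12;

	if (len < 4)
		return -1;
	uint32_t nel = rd_le32(buf);
	if (nel > max || (len - 4) / rec < nel)
		return -1;	/* never read past the buffer */

	const uint8_t *p = buf + 4;
	for (uint32_t i = 0; i < nel; i++, p += rec) {
		out[i].role = rd_le32(p);
		out[i].type = rd_le32(p + 4);
		out[i].cclass = has_class ? rd_le32(p + 8) : process_class;
		out[i].new_role = rd_le32(p + (has_class ? 12 : 8));
	}
	return (int)nel;
}

/*
 * Matching rule from PATCH 2/3: role and class must match, and the rule's
 * type is compared with the executable type for the process class but with
 * the new object's type for every other class.  Returns the new role, or
 * cur_role when no rule applies.
 */
uint32_t role_trans_lookup(const struct role_trans *tr, int n,
			   uint32_t process_class, uint32_t cur_role,
			   uint32_t tclass, uint32_t exec_type, uint32_t new_type)
{
	uint32_t cmp_type = (tclass == process_class) ? exec_type : new_type;

	for (int i = 0; i < n; i++)
		if (tr[i].role == cur_role && tr[i].cclass == tclass &&
		    tr[i].type == cmp_type)
			return tr[i].new_role;
	return cur_role;
}

/* Records transcribed from the policy.25 xxd dump (constructed sample data). */
#define NSAMPLE 13
static const uint32_t sample[NSAMPLE][4] = {
	{0x03, 0x6a0, 2, 0xb}, {0x03, 0x3a1, 2, 0xb}, {0x08, 0x7b7, 2, 0xb},
	{0x08, 0xaa7, 2, 0xb}, {0x0a, 0x0db, 2, 0xb},
	{0x0a, 0x58e, 6, 0xa}, {0x0a, 0x58e, 7, 0xa}, {0x0a, 0x58e, 9, 0xa},
	{0x0a, 0x58e, 10, 0xa}, {0x0a, 0x58e, 11, 0xa}, {0x0a, 0x58e, 12, 0xa},
	{0x0a, 0x58e, 13, 0xa}, {0x0c, 0x992, 2, 0xb},
};

/* Serialise the sample table in the requested layout (mirrors
 * role_trans_write).  Returns bytes written, 0 if cap is too small. */
size_t sample_section(uint32_t policyvers, uint8_t *buf, size_t cap)
{
	size_t rec = policyvers >= POLICYDB_VERSION_ROLETRANS ? 16 : 12;
	size_t need = 4 + NSAMPLE * rec;

	if (cap < need)
		return 0;
	put_le32(buf, NSAMPLE);
	uint8_t *p = buf + 4;
	for (int i = 0; i < NSAMPLE; i++, p += rec) {
		put_le32(p, sample[i][0]);
		put_le32(p + 4, sample[i][1]);
		if (rec == 16) {
			put_le32(p + 8, sample[i][2]);
			put_le32(p + 12, sample[i][3]);
		} else {
			put_le32(p + 8, sample[i][3]);	/* class dropped */
		}
	}
	return need;
}

int main(void)
{
	uint8_t buf[4 + NSAMPLE * 16];
	struct role_trans tr[NSAMPLE];
	size_t n = sample_section(25, buf, sizeof buf);
	int cnt = role_trans_parse(buf, n, 25, 2, tr, NSAMPLE);

	for (int i = 0; i < cnt; i++)
		printf("role %u type 0x%x class %u -> role %u\n",
		       tr[i].role, tr[i].type, tr[i].cclass, tr[i].new_role);
	printf("exec type 0x6a0 from role 3: new role %u\n",
	       role_trans_lookup(tr, cnt, 2, 3, 2, 0x6a0, 0));
	return 0;
}
```

Serialising the same table at version 24 and parsing it back shows what the compatibility branch in the kernel patch does: the class column disappears from the file and every record comes back with the process class, so a pre-25 policy can only ever express process transitions.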

* [v0 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23 14:48   ` Eric Paris
  2011-03-23  2:28 ` [v0 PATCH 1/5] Add class to role_trans & role_trans_rule Harry Ciao
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

If kernel policy version is >= 25, then write the class field of the
role_trans structure into the binary representation.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/ss/policydb.c |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index b660f08..a6be0f5 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2450,10 +2450,11 @@ static int cat_write(void *vkey, void *datum, void *ptr)
 	return 0;
 }
 
-static int role_trans_write(struct role_trans *r, void *fp)
+static int role_trans_write(struct policydb *p, void *fp)
 {
+	struct role_trans *r = p->role_tr;
 	struct role_trans *tr;
-	u32 buf[3];
+	u32 buf[4];
 	size_t nel;
 	int rc;
 
@@ -2467,8 +2468,15 @@ static int role_trans_write(struct role_trans *r, void *fp)
 	for (tr = r; tr; tr = tr->next) {
 		buf[0] = cpu_to_le32(tr->role);
 		buf[1] = cpu_to_le32(tr->type);
-		buf[2] = cpu_to_le32(tr->new_role);
-		rc = put_entry(buf, sizeof(u32), 3, fp);
+		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+			buf[2] = cpu_to_le32(tr->cclass);
+			buf[3] = cpu_to_le32(tr->new_role);
+			rc = put_entry(buf, sizeof(u32), 4, fp);
+		} else {
+			buf[2] = cpu_to_le32(tr->new_role);
+			rc = put_entry(buf, sizeof(u32), 3, fp);
+		}
+
 		if (rc)
 			return rc;
 	}
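Review bot: the two branches of the version test duplicate the new_role store and differ only in where it lands; filling the buffer incrementally keeps one put_entry call and stays symmetric with the read side, e.g. `int n = 2; if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) buf[n++] = cpu_to_le32(tr->cclass); buf[n++] = cpu_to_le32(tr->new_role); rc = put_entry(buf, sizeof(u32), n, fp);`. The added empty `+` line before `if (rc)` is a stray blank line.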
@@ -3145,7 +3153,7 @@ int policydb_write(struct policydb *p, void *fp)
 	if (rc)
 		return rc;
 
-	rc = role_trans_write(p->role_tr, fp);
+	rc = role_trans_write(p, fp);
 	if (rc)
 		return rc;
 
-- 
1.7.0.4



* [v0 PATCH 1/5] Add class to role_trans & role_trans_rule
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (2 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 2/5] Make role_transition parser to handle class field Harry Ciao
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class ("process") or the
class that the newly created object belongs to.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/include/sepol/policydb/policydb.h |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index e8991e2..3dcdeae 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -124,7 +124,8 @@ typedef struct role_datum {
 
 typedef struct role_trans {
 	uint32_t role;		/* current role */
-	uint32_t type;		/* program executable type */
+	uint32_t type;	/* program executable type, or new object type */
+	uint32_t cclass;	/* process class, or new object class */
 	uint32_t new_role;	/* new role */
 	struct role_trans *next;
 } role_trans_t;
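Review bot: the re-emitted `uint32_t type;` line drops to a single tab before its comment while `role` and `new_role` keep two, so the four members no longer line up; keep the surrounding alignment and change only the comment text.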
@@ -234,7 +235,8 @@ typedef struct avrule {
 
 typedef struct role_trans_rule {
 	role_set_t roles;	/* current role */
-	type_set_t types;	/* program executable type */
+	type_set_t types; /* program executable type, or new object type */
+	ebitmap_t classes;	/* process class, or new object class */
 	uint32_t new_role;	/* new role */
 	struct role_trans_rule *next;
 } role_trans_rule_t;
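Review bot: the new `ebitmap_t classes` member is never initialised or destroyed by this patch on its own, so applied in isolation it leaves every role_trans_rule constructed by existing code with an uninitialised bitmap; the ebitmap_init/ebitmap_destroy additions for role_trans_rule (including role_trans_rule_destroy and the module read/write paths) should land together with this header change. Style: `type_set_t types; /* ...` uses a space where the neighbouring lines use a tab.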
@@ -630,10 +632,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define POLICYDB_VERSION_POLCAP		22
 #define POLICYDB_VERSION_PERMISSIVE	23
 #define POLICYDB_VERSION_BOUNDARY	24
+#define POLICYDB_VERSION_ROLETRANS	25
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE		4
@@ -645,9 +648,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define MOD_POLICYDB_VERSION_PERMISSIVE		8
 #define MOD_POLICYDB_VERSION_BOUNDARY		9
 #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
+#define MOD_POLICYDB_VERSION_ROLETRANS		11
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLETRANS
 
 #define POLICYDB_CONFIG_MLS    1
 
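Review bot: raising MOD_POLICYDB_VERSION_MAX means modules written from now on carry the classes bitmap, so the module-side role_trans_rule read and write must gate the bitmap on MOD_POLICYDB_VERSION_ROLETRANS and default to the process class for version-10 and older modules, mirroring the POLICYDB_VERSION_ROLETRANS gating used for kernel policies in PATCH 3/5; otherwise older modules would be mis-parsed after this bump.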
-- 
1.7.0.4



* [v0 PATCH 2/5] Make role_transition parser to handle class field
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (3 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 1/5] Add class to role_trans & role_trans_rule Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23 19:30   ` Eric Paris
  2011-03-23  2:28 ` [v0 PATCH 3/5] Handle the class in role_trans structure Harry Ciao
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

If no class is specified in the role_transition rule, then it would
be set to the "process" class by default.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/policy_define.c |   89 ++++++++++++++++++++++++++++++++-----------
 checkpolicy/policy_define.h |    2 +-
 checkpolicy/policy_parse.y  |    4 +-
 3 files changed, 71 insertions(+), 24 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 82ab44c..6c28d8a 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
 	return 0;
 }
 
-int define_role_trans(void)
+int define_role_trans(int class_specified)
 {
 	char *id;
 	role_datum_t *role;
 	role_set_t roles;
 	type_set_t types;
-	ebitmap_t e_types, e_roles;
-	ebitmap_node_t *tnode, *rnode;
+	class_datum_t *cladatum;
+	ebitmap_t e_types, e_roles, classes;
+	ebitmap_node_t *tnode, *rnode, *cnode;
 	struct role_trans *tr = NULL;
 	struct role_trans_rule *rule = NULL;
-	unsigned int i, j;
+	unsigned int i, j, k;
 	int add = 1;
 
 	if (pass == 1) {
@@ -2068,6 +2069,9 @@ int define_role_trans(void)
 			free(id);
 		while ((id = queue_remove(id_queue)))
 			free(id);
+		if (class_specified)
+			while ((id = queue_remove(id_queue)))
+				free(id);
 		id = queue_remove(id_queue);
 		free(id);
 		return 0;
@@ -2077,6 +2081,7 @@ int define_role_trans(void)
 	ebitmap_init(&e_roles);
 	type_set_init(&types);
 	ebitmap_init(&e_types);
+	ebitmap_init(&classes);
 
 	while ((id = queue_remove(id_queue))) {
 		if (set_roles(&roles, id))
@@ -2088,6 +2093,35 @@ int define_role_trans(void)
 			return -1;
 	}
 
+	if (class_specified) {
+		while ((id = queue_remove(id_queue))) {
+			if (!is_id_in_scope(SYM_CLASSES, id)) {
+				yyerror2("class %s is not within scope", id);
+				free(id);
+				return -1;
+			}
+			cladatum = hashtab_search(policydbp->p_classes.table,
+						  id);
+			if (!cladatum) {
+				yyerror2("unknow class %s", id);
+				return -1;
+			}
+
+			ebitmap_set_bit(&classes, cladatum->s.value - 1, TRUE);
+			free(id);
+		}
+	} else {
+		cladatum = hashtab_search(policydbp->p_classes.table,
+					  "process");
+		if (!cladatum) {
+			yyerror2("could not find process class for "
+				 "legacy role_transition statement");
+			return -1;
+		}
+
+		ebitmap_set_bit(&classes, cladatum->s.value - 1, TRUE);
+	}
+
 	id = (char *)queue_remove(id_queue);
 	if (!id) {
 		yyerror("no new role in transition definition?");
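Review bot: in the `!cladatum` branch `id` is not freed before `return -1`, unlike the scope-check branch just above it which does `free(id)`; also the message "unknow class %s" should read "unknown class %s".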
@@ -2117,27 +2151,37 @@ int define_role_trans(void)
 		ebitmap_for_each_bit(&e_types, tnode, j) {
 			if (!ebitmap_node_get_bit(tnode, j))
 				continue;
-
-			for (tr = policydbp->role_tr; tr; tr = tr->next) {
-				if (tr->role == (i + 1) && tr->type == (j + 1)) {
-					yyerror2("duplicate role transition for (%s,%s)",
-					      role_val_to_name(i + 1),
-					      policydbp->p_type_val_to_name[j]);
-					goto bad;
+			ebitmap_for_each_bit(&classes, cnode, k) {
+				if (!ebitmap_node_get_bit(cnode, k))
+					continue;
+				for (tr = policydbp->role_tr; tr;
+				     tr = tr->next) {
+					if (tr->role == (i + 1) &&
+					    tr->type == (j + 1) &&
+					    tr->cclass == (k + 1)) {
+						yyerror2("duplicate role "
+							 "transition for "
+							 "(%s,%s,%s)",
+							 role_val_to_name(i+1),
+							 policydbp->p_type_val_to_name[j],
+							 policydbp->p_class_val_to_name[k]);
+						goto bad;
+					}
 				}
-			}
 
-			tr = malloc(sizeof(struct role_trans));
-			if (!tr) {
-				yyerror("out of memory");
-				return -1;
+				tr = malloc(sizeof(struct role_trans));
+				if (!tr) {
+					yyerror("out of memory");
+					return -1;
+				}
+				memset(tr, 0, sizeof(struct role_trans));
+				tr->role = i + 1;
+				tr->type = j + 1;
+				tr->cclass = k + 1;
+				tr->new_role = role->s.value;
+				tr->next = policydbp->role_tr;
+				policydbp->role_tr = tr;
 			}
-			memset(tr, 0, sizeof(struct role_trans));
-			tr->role = i + 1;
-			tr->type = j + 1;
-			tr->new_role = role->s.value;
-			tr->next = policydbp->role_tr;
-			policydbp->role_tr = tr;
 		}
 	}
 	/* Now add the real rule */
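Review bot: the `return -1` on malloc failure bypasses the `bad` cleanup; it was already that way, but now it also leaks the per-role_trans work done so far and the `classes` bitmap, so `goto bad` after the yyerror would be safer. The triple-nested expansion otherwise does the right thing: each (role, type, class) combination becomes its own role_trans, which is what the seven user_home_t records in the cover letter's dump show.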
@@ -2149,6 +2193,7 @@ int define_role_trans(void)
 	memset(rule, 0, sizeof(struct role_trans_rule));
 	rule->roles = roles;
 	rule->types = types;
+	rule->classes = classes;
 	rule->new_role = role->s.value;
 
 	append_role_trans(rule);
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 5ac6667..2f7a78f 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -45,7 +45,7 @@ int define_ioport_context(unsigned long low, unsigned long high);
 int define_pcidevice_context(unsigned long device);
 int define_range_trans(int class_specified);
 int define_role_allow(void);
-int define_role_trans(void);
+int define_role_trans(int class_specified);
 int define_role_types(void);
 int define_sens(void);
 int define_te_avtab(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 8d1bc37..8c29e2b 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -417,7 +417,9 @@ role_type_def		: ROLE identifier TYPES names ';'
 role_dominance		: DOMINANCE '{' roles '}'
 			;
 role_trans_def		: ROLE_TRANSITION names names identifier ';'
-			{if (define_role_trans()) return -1; }
+			{if (define_role_trans(0)) return -1; }
+			| ROLE_TRANSITION names names ':' names identifier ';'
+			{if (define_role_trans(1)) return -1;}
 			;
 role_allow_def		: ALLOW names names ';'
 			{if (define_role_allow()) return -1; }
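Review bot: the new production `{if (define_role_trans(1)) return -1;}` drops the space before the closing brace that the line above keeps; match the existing style. Using `names` for the class position gives the `{ file dir ... }` set syntax exercised in the cover letter and is consistent with how range_transition takes its class list.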
-- 
1.7.0.4



* [v0 PATCH 3/5] Handle the class in role_trans structure
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (4 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 2/5] Make role_transition parser to handle class field Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23 13:26   ` Joshua Brindle
  2011-03-23 19:05   ` Joshua Brindle
  2011-03-23  2:28 ` [v0 PATCH 4/5] Handle the class in role_trans_rule structure Harry Ciao
                   ` (2 subsequent siblings)
  8 siblings, 2 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Add the class support to various functions that handle the role_trans
structure.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/policydb.c |   28 ++++++++++++++++++++++++----
 libsepol/src/write.c    |   22 +++++++++++++++++-----
 2 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 5c0081f..9b43c56 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -137,6 +137,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_ROLETRANS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -2103,12 +2110,15 @@ static int type_read(policydb_t * p
 	return -1;
 }
 
-int role_trans_read(role_trans_t ** t, struct policy_file *fp)
+int role_trans_read(policydb_t *p, struct policy_file *fp)
 {
+	role_trans_t **t = &p->role_tr;
 	unsigned int i;
 	uint32_t buf[3], nel;
 	role_trans_t *tr, *ltr;
 	int rc;
+	int new_roletr = (p->policy_type == POLICY_KERN &&
+			  p->policyvers >= POLICYDB_VERSION_ROLETRANS);
 
 	rc = next_entry(buf, fp, sizeof(uint32_t));
 	if (rc < 0)
@@ -2125,12 +2135,22 @@ int role_trans_read(role_trans_t ** t, struct policy_file *fp)
 		} else {
 			*t = tr;
 		}
-		rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+		rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
 		if (rc < 0)
 			return -1;
 		tr->role = le32_to_cpu(buf[0]);
 		tr->type = le32_to_cpu(buf[1]);
-		tr->new_role = le32_to_cpu(buf[2]);
+		if (new_roletr) {
+			rc = next_entry(buf, fp, sizeof(uint32_t));
+			if (rc < 0)
+				return -1;
+			tr->cclass = le32_to_cpu(buf[0]);
+		} else
+			tr->cclass = SECCLASS_PROCESS;
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			return -1;
+		tr->new_role = le32_to_cpu(buf[0]);
 		ltr = tr;
 	}
 	return 0;
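Review bot: the legacy default `tr->cclass = SECCLASS_PROCESS;` hard-codes the flask.h constant, whereas the checkpolicy side of this series resolves the class by name with `hashtab_search(policydbp->p_classes.table, "process")` and the kernel side uses `p->process_class`; for a policy whose class numbering differs from the built-in flask ordering this stores the wrong class. Resolve "process" from p->p_classes here (the symtabs are already read when role_trans_read runs) and fail the read if it is absent. Minor: `uint32_t buf[3]` can shrink to `buf[2]` now that at most two fields are read at once.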
@@ -3451,7 +3471,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 		if (r_policyvers >= POLICYDB_VERSION_BOOL)
 			if (cond_read_list(p, &p->cond_list, fp))
 				goto bad;
-		if (role_trans_read(&p->role_tr, fp))
+		if (role_trans_read(p, fp))
 			goto bad;
 		if (role_allow_read(&p->role_allow, fp))
 			goto bad;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 00c605f..1db5960 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -462,11 +462,14 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	return POLICYDB_SUCCESS;
 }
 
-static int role_trans_write(role_trans_t * r, struct policy_file *fp)
+static int role_trans_write(policydb_t *p, struct policy_file *fp)
 {
+	role_trans_t *r = p->role_tr;
 	role_trans_t *tr;
 	uint32_t buf[3];
 	size_t nel, items;
+	int new_roletr = (p->policy_type == POLICY_KERN &&
+			  p->policyvers >= POLICYDB_VERSION_ROLETRANS);
 
 	nel = 0;
 	for (tr = r; tr; tr = tr->next)
@@ -478,9 +481,18 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp)
 	for (tr = r; tr; tr = tr->next) {
 		buf[0] = cpu_to_le32(tr->role);
 		buf[1] = cpu_to_le32(tr->type);
-		buf[2] = cpu_to_le32(tr->new_role);
-		items = put_entry(buf, sizeof(uint32_t), 3, fp);
-		if (items != 3)
+		items = put_entry(buf, sizeof(uint32_t), 2, fp);
+		if (items != 2)
+			return POLICYDB_ERROR;
+		if (new_roletr) {
+			buf[0] = cpu_to_le32(tr->cclass);
+			items = put_entry(buf, sizeof(uint32_t), 1, fp);
+			if (items != 1)
+				return POLICYDB_ERROR;
+		}
+		buf[0] = cpu_to_le32(tr->new_role);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
 			return POLICYDB_ERROR;
 	}
 
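Review bot: three put_entry calls per record where one would do; fill `buf` incrementally (`items = 2; if (new_roletr) buf[items++] = cpu_to_le32(tr->cclass); buf[items++] = cpu_to_le32(tr->new_role);`) and emit it once, as the kernel-side write in this series does, which also keeps the `items != n` check to a single comparison. `uint32_t buf[3]` would then need to become `buf[4]`.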
@@ -1815,7 +1827,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
 			if (cond_write_list(p, p->cond_list, fp))
 				return POLICYDB_ERROR;
 		}
-		if (role_trans_write(p->role_tr, fp))
+		if (role_trans_write(p, fp))
 			return POLICYDB_ERROR;
 		if (role_allow_write(p->role_allow, fp))
 			return POLICYDB_ERROR;
-- 
1.7.0.4



* [v0 PATCH 4/5] Handle the class in role_trans_rule structure
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (5 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 3/5] Handle the class in role_trans structure Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23  2:28 ` [v0 PATCH 5/5] Display the class in role_transition rule Harry Ciao
  2011-03-23  8:21 ` v0 Add class support to the " Harry Ciao
  8 siblings, 0 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Add class support to various functions to handle the role_trans_rule
structures.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c   |   94 +++++++++++++++++++++++++----------------------
 libsepol/src/link.c     |   14 +++++++
 libsepol/src/policydb.c |    5 ++
 libsepol/src/write.c    |    2 +
 4 files changed, 71 insertions(+), 44 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 16d6bcb..50e6a10 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1146,11 +1146,11 @@ static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules)
 
 static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 {
-	unsigned int i, j;
+	unsigned int i, j, k;
 	role_trans_t *n, *l, *cur_trans;
 	role_trans_rule_t *cur;
 	ebitmap_t roles, types;
-	ebitmap_node_t *rnode, *tnode;
+	ebitmap_node_t *rnode, *tnode, *cnode;
 
 	/* start at the end of the list */
 	for (l = state->out->role_tr; l && l->next; l = l->next) ;
@@ -1175,51 +1175,57 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 			ebitmap_for_each_bit(&types, tnode, j) {
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;
+				ebitmap_for_each_bit(&cur->classes, cnode, k) {
+					if (!ebitmap_node_get_bit(cnode, k))
+						continue;
 
-				cur_trans = state->out->role_tr;
-				while (cur_trans) {
-					if ((cur_trans->role == i + 1) &&
-					    (cur_trans->type == j + 1)) {
-						if (cur_trans->new_role ==
-						    cur->new_role) {
-							break;
-						} else {
-							ERR(state->handle,
-							    "Conflicting role trans rule %s %s : %s",
-							    state->out->
-							    p_role_val_to_name
-							    [i],
-							    state->out->
-							    p_type_val_to_name
-							    [j],
-							    state->out->
-							    p_role_val_to_name
-							    [cur->new_role -
-							     1]);
-							return -1;
+					cur_trans = state->out->role_tr;
+					while (cur_trans) {
+						if ((cur_trans->role ==
+								i + 1) &&
+						    (cur_trans->type ==
+								j + 1) &&
+						    (cur_trans->cclass ==
+								k + 1)) {
+							if (cur_trans->
+							    new_role ==
+								cur->new_role) {
+								break;
+							} else {
+								ERR(state->handle,
+									"Conflicting role trans rule %s %s : %s %s",
+									state->out->p_role_val_to_name[i],
+									state->out->p_type_val_to_name[j],
+									state->out->p_class_val_to_name[k],
+									state->out->p_role_val_to_name[cur->new_role - 1]);
+								return -1;
+							}
 						}
+						cur_trans = cur_trans->next;
 					}
-					cur_trans = cur_trans->next;
-				}
-				if (cur_trans)
-					continue;
+					if (cur_trans)
+						continue;
 
-				n = (role_trans_t *)
-				    malloc(sizeof(role_trans_t));
-				if (!n) {
-					ERR(state->handle, "Out of memory!");
-					return -1;
-				}
-				memset(n, 0, sizeof(role_trans_t));
-				n->role = i + 1;
-				n->type = j + 1;
-				n->new_role = state->rolemap[cur->new_role - 1];
-				if (l) {
-					l->next = n;
-				} else {
-					state->out->role_tr = n;
+					n = (role_trans_t *)
+						malloc(sizeof(role_trans_t));
+					if (!n) {
+						ERR(state->handle,
+							"Out of memory!");
+						return -1;
+					}
+					memset(n, 0, sizeof(role_trans_t));
+					n->role = i + 1;
+					n->type = j + 1;
+					n->cclass = k + 1;
+					n->new_role = state->rolemap
+							[cur->new_role - 1];
+					if (l)
+						l->next = n;
+					else
+						state->out->role_tr = n;
+
+					l = n;
 				}
-				l = n;
 			}
 		}
 
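Review bot: the conflict check compares `cur_trans->new_role == cur->new_role`, but the rule that is inserted stores `n->new_role = state->rolemap[cur->new_role - 1]`, so an unmapped role value is compared against a mapped one, and the "Conflicting role trans rule" message prints the unmapped name as well. The pre-patch block had the same mismatch, but since this hunk rewrites the whole loop it is the place to use `state->rolemap[cur->new_role - 1]` consistently in both the comparison and the message. Separately, rescanning state->out->role_tr from the head for every (role, type, class) triple multiplies the old cost by the number of classes in the rule; if these rules become numerous, a hash lookup as was done for range_trans is worth considering.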
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index d03e599..e33db0f 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1246,6 +1246,8 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 				policy_module_t * module, link_state_t * state)
 {
 	role_trans_rule_t *cur, *new_rule = NULL, *tail;
+	unsigned int i;
+	ebitmap_node_t *cnode;
 
 	cur = list;
 	tail = *dst;
@@ -1267,6 +1269,18 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 			goto cleanup;
 		}
 
+		ebitmap_for_each_bit(&cur->classes, cnode, i) {
+			if (ebitmap_node_get_bit(cnode, i)) {
+				assert(module->map[SYM_CLASSES][i]);
+				if (ebitmap_set_bit(&new_rule->classes,
+						    module->
+						    map[SYM_CLASSES][i] - 1,
+						    1)) {
+					goto cleanup;
+				}
+			}
+		}
+
 		new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1];
 
 		if (*dst == NULL) {
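Review bot: `assert(module->map[SYM_CLASSES][i])` aborts the whole process on a module whose class is not mapped instead of reporting a link error; if the neighbouring copy_* helpers in link.c use the same assert pattern this is at least consistent, otherwise an ERR() followed by `goto cleanup` is the safer failure mode for a library that loads policy modules from disk. Also, a failing ebitmap_set_bit() jumps to cleanup without any message, so the caller learns only that linking failed, not which rule or class caused it.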
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 9b43c56..ddf91ee 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -420,6 +420,7 @@ void role_trans_rule_init(role_trans_rule_t * x)
 	memset(x, 0, sizeof(*x));
 	role_set_init(&x->roles);
 	type_set_init(&x->types);
+	ebitmap_init(&x->classes);
 }
 
 void role_trans_rule_destroy(role_trans_rule_t * x)
@@ -427,6 +428,7 @@ void role_trans_rule_destroy(role_trans_rule_t * x)
 	if (x != NULL) {
 		role_set_destroy(&x->roles);
 		type_set_destroy(&x->types);
+		ebitmap_destroy(&x->classes);
 	}
 }
 
@@ -2945,6 +2947,9 @@ static int role_trans_rule_read(role_trans_rule_t ** r, struct policy_file *fp)
 		if (type_set_read(&tr->types, fp))
 			return -1;
 
+		if (ebitmap_read(&tr->classes, fp))
+			return -1;
+
 		rc = next_entry(buf, fp, sizeof(uint32_t));
 		if (rc < 0)
 			return -1;
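Review bot: `ebitmap_read(&tr->classes, fp)` is unconditional, so every existing .pp module written before this change (no classes bitmap after the type set) is misparsed here, with the bitmap read consuming the bytes that hold new_role. This read needs to be gated on a new module policy version, with the classes bitmap defaulting to the process class for older modules, in the same way the kernel-side hunk in this series defaults `tr->cclass = p->process_class` for pre-ROLETRANS kernel policies. That also addresses the question raised in the thread about a module version to accompany the kernel version.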
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 1db5960..a112c8c 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1458,6 +1458,8 @@ static int role_trans_rule_write(role_trans_rule_t * t, struct policy_file *fp)
 			return POLICYDB_ERROR;
 		if (type_set_write(&tr->types, fp))
 			return POLICYDB_ERROR;
+		if (ebitmap_write(&tr->classes, fp))
+			return POLICYDB_ERROR;
 		buf[0] = cpu_to_le32(tr->new_role);
 		items = put_entry(buf, sizeof(uint32_t), 1, fp);
 		if (items != 1)
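Review bot: `ebitmap_write(&tr->classes, fp)` is also unconditional, so a module written at an older module policy version carries a classes bitmap that older readers do not expect. Gate it on the same module version the read side checks; a writer and reader that disagree about whether this field exists produce a file that parses without error only by accident.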
-- 
1.7.0.4




* [v0 PATCH 5/5] Display the class in role_transition rule
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (6 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 4/5] Handle the class in role_trans_rule structure Harry Ciao
@ 2011-03-23  2:28 ` Harry Ciao
  2011-03-23  8:21 ` v0 Add class support to the " Harry Ciao
  8 siblings, 0 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  2:28 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/test/dismod.c |   27 ++++++++++++++++++++++++++-
 1 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 4d31597..33a29e4 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -451,13 +451,38 @@ void display_initial_sids(policydb_t * p, FILE * fp)
 #endif
 }
 
+void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+{
+	int i, num = 0;
+
+	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+		if (!ebitmap_get_bit(classes, i))
+			continue;
+		num++;
+		if (num > 1) {
+			fprintf(fp, "{");
+			break;
+		}
+	}
+
+	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+		if (ebitmap_get_bit(classes, i))
+			display_id(p, fp, SYM_CLASSES, i, "");
+	}
+
+	if (num > 1)
+		fprintf(fp, " }");
+}
+
 void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
 {
 	for (; tr; tr = tr->next) {
 		fprintf(fp, "role transition ");
 		display_mod_role_set(&tr->roles, p, fp);
 		display_type_set(&tr->types, 0, p, fp);
-		display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
+		fprintf(fp, " :");
+		display_class_set(&tr->classes, p, fp);
+		display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
 		fprintf(fp, "\n");
 	}
 }
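Review bot: in display_class_set() `int i` is compared against ebitmap_startbit()/ebitmap_length(), which are unsigned, so this warns under -Wsign-compare; use unsigned int. The first loop only needs to know whether more than one bit is set and already breaks at the second, so `num` is effectively a flag and could be named as one. When the class bitmap is empty (a rule from a module written before this change, if such modules are to remain loadable) nothing is printed between " :" and the new role, so the rule displays as having no class at all; printing a placeholder there would make the missing field visible rather than silently collapsing it.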
-- 
1.7.0.4




* Re: v0 Add class support to the role_transition rule
  2011-03-23  2:28 v0 Add class support to the role_transition rule Harry Ciao
                   ` (7 preceding siblings ...)
  2011-03-23  2:28 ` [v0 PATCH 5/5] Display the class in role_transition rule Harry Ciao
@ 2011-03-23  8:21 ` Harry Ciao
  8 siblings, 0 replies; 28+ messages in thread
From: Harry Ciao @ 2011-03-23  8:21 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

I forgot to paste the test of SELinux kernel policydb_write > 
role_trans_write; please see below.

BTW, since the userspace security server has been out of sync with that 
in the kernel (as Stephen has pointed out before), I didn't use checkpolicy 
-Mdb but have relied on compute_create to access the kernel security server 
instead.

Best regards,
Harry

-------------

6. Verify that SELinux kernel policydb_write > role_trans_write works well:

    [root/sysadm_r/s0@~]# cat /selinux/policy > policy_read
    [root/sysadm_r/s0@~]# ls -l policy_read
    -rw-r--r-- 1 root root 5849742 Mar 23 08:07 policy_read
    [root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/policy.25
    -rw-r--r-- 1 root root 5849742 Mar 22 08:03 
/etc/selinux/refpolicy-mls/policy/policy.25
    [root/sysadm_r/s0@~]#
    [root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
    [root/sysadm_r/s0@~]# vim policy_read_xxd
    ......
    055c510:                                    0d00  l.....S.........
    055c520: 0000 0300 0000 a006 0000 0200 0000 0b00  ................
    055c530: 0000 0300 0000 a103 0000 0200 0000 0b00  ................
    055c540: 0000 0800 0000 b707 0000 0200 0000 0b00  ................
    055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00  ................
    055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00  ................
    055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00  ................
    055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00  ................
    055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00  ................
    055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00  ................
    055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00  ................
    055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00  ................
    055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00  ................
    055c5e0: 0000
    ......
    [root/sysadm_r/s0@~]#


On 03/23/2011 10:28 AM, Harry Ciao wrote:
>
> Comments:
> ---------
> Add class support to the role_transition rule so that it could be used in
> a much more generalized manner.
>
> So far the semantics of the role_transition rule does not support specifying
> the class, and in SELinux kernel security server it could be applied to the
> process class only.
>
> With the class support the role_transition rule could be used for non-process
> classes, and the newly created object could have roles other than "object_r",
> which is a prerequisite for real RBAC separation development in the future.
>
>
> Tests I've done:
> -------------------
>
> 0. Add below snippet into sysadm.te for testing:
>
>     role_transition sysadm_r user_home_t:{ file dir lnk_file fifo_file sock_file chr_file blk_file } sysadm_r;
>     role sysadm_r types user_home_t;
>
>     gen_require(`
>             type vlock_exec_t, vlock_t;
>     ')
>     role_transition sysadm_r vlock_exec_t system_r;
>
> 1. Verify that the dismod program could display the class field of the
>     role_transition rule correctly:
>
>     /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp
>     Reading policy...
>     ......
>     ......
>     Command ('m' for menu):  7
>     role transitions:
>     --- begin avrule block ---
>     decl 1:
>     role transition  sysadm_r [vlock_exec_t] : [process] system_r
>     role transition  sysadm_r [user_home_t] :{ [file] [dir] [lnk_file] [chr_file] [blk_file] [sock_file] [fifo_file] } sysadm_r
>     --- begin avrule block ---
>     decl 2:
>     ......
>     --- begin avrule block ---
>     decl 342:
>
>     Command ('m' for menu):  q
>     /work/selinux/selinux/checkpolicy$
>
> 2. Further verify that the binary representation of the role_transition rule
>     is correct:
>
>     /work/selinux/refpolicy$ ls -lt /etc/selinux/refpolicy-mls/policy/policy.25
>     -rw-r--r--. 2 root root 5849742 2011-03-22 15:39 /etc/selinux/refpolicy-mls/policy/policy.25
>     /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.25>  policy_25_xxd
>     /work/selinux/refpolicy$ vim policy_25_xxd
>     ......
>     055c510:                                    0d00  l.....S.........
>     055c520: 0000 0300 0000 a006 0000 0200 0000 0b00  ................
>     055c530: 0000 0300 0000 a103 0000 0200 0000 0b00  ................
>     055c540: 0000 0800 0000 b707 0000 0200 0000 0b00  ................
>     055c550: 0000 0800 0000 a70a 0000 0200 0000 0b00  ................
>     055c560: 0000 0a00 0000 db00 0000 0200 0000 0b00  ................
>     055c570: 0000 0a00 0000 8e05 0000 0600 0000 0a00  ................
>     055c580: 0000 0a00 0000 8e05 0000 0700 0000 0a00  ................
>     055c590: 0000 0a00 0000 8e05 0000 0900 0000 0a00  ................
>     055c5a0: 0000 0a00 0000 8e05 0000 0a00 0000 0a00  ................
>     055c5b0: 0000 0a00 0000 8e05 0000 0b00 0000 0a00  ................
>     055c5c0: 0000 0a00 0000 8e05 0000 0c00 0000 0a00  ................
>     055c5d0: 0000 0a00 0000 8e05 0000 0d00 0000 0a00  ................
>     055c5e0: 0000 0c00 0000 9209 0000 0200 0000 0b00  ................
>     055c5f0: 0000
>     ......
>     /work/selinux/refpolicy$
>
> 3. Run-time test one - verify that the role_transition rule works for
>     non-process classes:
>
>     [root/sysadm_r/s0@~]# sestatus
>     SELinux status:                 enabled
>     SELinuxfs mount:                /selinux
>     Current mode:                   enforcing
>     Mode from config file:          enforcing
>     Policy version:                 25
>     Policy from config file:        refpolicy-mls
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# id -Z
>     root:sysadm_r:sysadm_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]# ls -Zd
>     dr-xr-x---  root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 file
>     root:sysadm_r:user_home_t:s0
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_dir_t:s0-s15:c0.c1023 dir
>     root:sysadm_r:user_home_t:s0
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# mkdir dir
>     [root/sysadm_r/s0@~]# touch file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>
> 4. Run-time test two - verify that the role_transition rule works for the
>     process class:
>
>     [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main
>     -rws--x--x  root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:staff_r:staff_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
>     root:staff_r:vlock_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
>     root:system_r:vlock_t:s0-s15:c0.c1023
>     [root/sysadm_r/s0@~]#
>
>     [root/staff_r/s0@~]# vlock&
>     [1] 796
>     [root/staff_r/s0@~]# ps Z -C vlock-main
>     LABEL                             PID TTY      STAT   TIME COMMAND
>     root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
>
>     [1]+  Stopped                 vlock
>     [root/staff_r/s0@~]#
>
>     [root/sysadm_r/s0@~]# seclow "setenforce 0"
>     Password:
>     [root/sysadm_r/s0@~]# vlock&
>     [1] 812
>     [root/sysadm_r/s0@~]# ps Z -C vlock-main
>     LABEL                             PID TTY      STAT   TIME COMMAND
>     root:staff_r:vlock_t:s0-s15:c0.c1023 796 pts/0 T      0:00 /usr/sbin/vlock-main
>     root:system_r:vlock_t:s0-s15:c0.c1023 812 ttyS0 T     0:00 /usr/sbin/vlock-main
>
>     [1]+  Stopped                 vlock
>     [root/sysadm_r/s0@~]#
>
>     (Note, "setenforce 0" is to shortcut the necessary user-role & role-type settings in sysadm.pp for system_r)
>
> 5. (TODO) restorecon doesn't take into account the role_transition rule
>     for non-process class so far:
>
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# restorecon dir file
>     [root/sysadm_r/s0@~]#
>     [root/sysadm_r/s0@~]# ls -Zd dir file
>     drwxr-xr-x  root root root:object_r:user_home_t:s0     dir
>     -rw-r--r--  root root root:object_r:user_home_t:s0     file
>     [root/sysadm_r/s0@~]#
>
>


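The xxd dumps in the test steps above show the role_trans section as a u32 element count followed by 16-byte records (role, type, class, new role), where an unpatched kernel expects 12-byte records. The following is an added example, not code from the patch series, the kernel or libsepol: a stand-alone C decoder for both record layouts, with the same range checks the kernel applies at load time, plus a lookup with the semantics of the patched security_compute_sid() (executable type matched for the process class, new object type otherwise). The names parse_role_trans, role_trans_lookup and decode_sample, the symbol counts SAMPLE_NROLES/SAMPLE_NTYPES/SAMPLE_NCLASSES and the assumption that the process class is 2 are mine; the sample bytes are three records copied from the dump above and are constructed input, not a policy file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Version at which the class word appears in a role_trans record; 25 is the
 * number this series uses (the thread notes it collides with filename
 * transitions; the decoder is parameterised on the version, so the value
 * itself is not what matters here). */
#define POLICYDB_VERSION_ROLETRANS 25u

/* Assumed symbol counts and process class for the sample; in a real policydb
 * they come from the symtabs. Class 2 is "process" in the dump. */
#define SAMPLE_NROLES   20u
#define SAMPLE_NTYPES   3000u
#define SAMPLE_NCLASSES 80u
#define PROCESS_CLASS   2u

struct role_trans_rec {
    uint32_t role, type, cclass, new_role;   /* 1-based, 0 is invalid */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a role_trans section: u32 count, then records of role, type,
 * [class], new_role as little-endian u32s. The class word is present only
 * for vers >= POLICYDB_VERSION_ROLETRANS; older records get process_class,
 * as the kernel patch does. Returns the record count, or -1 if the section
 * is truncated or a record fails the range checks that stand in for
 * policydb_{role,type,class}_isvalid(). */
int parse_role_trans(const uint8_t *buf, size_t len, unsigned vers,
                     uint32_t nroles, uint32_t ntypes, uint32_t nclasses,
                     uint32_t process_class,
                     struct role_trans_rec *out, size_t max)
{
    size_t rec = (vers >= POLICYDB_VERSION_ROLETRANS) ? 16 : 12;
    size_t off = 4;
    uint32_t nel, i;

    if (len < 4)
        return -1;
    nel = le32(buf);
    if (nel > max || rec * (size_t)nel > len - off)   /* truncated */
        return -1;

    for (i = 0; i < nel; i++, off += rec) {
        struct role_trans_rec *r = &out[i];
        r->role = le32(buf + off);
        r->type = le32(buf + off + 4);
        if (rec == 16) {
            r->cclass = le32(buf + off + 8);
            r->new_role = le32(buf + off + 12);
        } else {
            r->cclass = process_class;
            r->new_role = le32(buf + off + 8);
        }
        if (!r->role || r->role > nroles || !r->type || r->type > ntypes ||
            !r->cclass || r->cclass > nclasses ||
            !r->new_role || r->new_role > nroles)
            return -1;
    }
    return (int)nel;
}

/* Lookup with the patched security_compute_sid() semantics: match current
 * role and class; the type compared is the executable's type for the process
 * class and the new object's type for every other class. The class-dependent
 * choice is made once, outside the loop. Returns default_role if no rule hits. */
uint32_t role_trans_lookup(const struct role_trans_rec *tr, size_t n,
                           uint32_t role, uint32_t tclass,
                           uint32_t tcontext_type, uint32_t new_type,
                           uint32_t process_class, uint32_t default_role)
{
    uint32_t want = (tclass == process_class) ? tcontext_type : new_type;
    size_t i;

    for (i = 0; i < n; i++)
        if (tr[i].role == role && tr[i].cclass == tclass && tr[i].type == want)
            return tr[i].new_role;
    return default_role;
}

/* Constructed sample: count 3, then records taken from the dump above
 * (role 3/type 0x6a0/class 2/new role 11; the user_home_t rule for
 * class 6 = file; role 12/type 0x992/class 2/new role 11). */
static const uint8_t sample_v25[] = {
    0x03, 0, 0, 0,
    0x03, 0, 0, 0,  0xa0, 0x06, 0, 0,  0x02, 0, 0, 0,  0x0b, 0, 0, 0,
    0x0a, 0, 0, 0,  0x8e, 0x05, 0, 0,  0x06, 0, 0, 0,  0x0a, 0, 0, 0,
    0x0c, 0, 0, 0,  0x92, 0x09, 0, 0,  0x02, 0, 0, 0,  0x0b, 0, 0, 0,
};

struct role_trans_rec sample_recs[8];

/* Decode the sample as though the file carried the given policy version. */
int decode_sample(unsigned vers)
{
    memset(sample_recs, 0, sizeof sample_recs);
    return parse_role_trans(sample_v25, sizeof sample_v25, vers,
                            SAMPLE_NROLES, SAMPLE_NTYPES, SAMPLE_NCLASSES,
                            PROCESS_CLASS, sample_recs, 8);
}

int main(void)
{
    int n = decode_sample(POLICYDB_VERSION_ROLETRANS), i;

    for (i = 0; i < n; i++)
        printf("role %u type %u : class %u -> role %u\n",
               (unsigned)sample_recs[i].role, (unsigned)sample_recs[i].type,
               (unsigned)sample_recs[i].cclass, (unsigned)sample_recs[i].new_role);
    /* The same bytes read with the 12-byte layout: the second record's
     * new_role word becomes 0x58e, out of range, so the decoder rejects it. */
    printf("as version 24: %d\n", decode_sample(24));
    return 0;
}
```

The version-24 decode of the same bytes fails only because a type value happens to land in the new_role slot and exceeds the role count; with other values the misparse would pass the range checks, which is why the version number has to be agreed between kernel and userspace before the layout change ships.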

* Re: [v0 PATCH 3/5] Handle the class in role_trans structure
  2011-03-23  2:28 ` [v0 PATCH 3/5] Handle the class in role_trans structure Harry Ciao
@ 2011-03-23 13:26   ` Joshua Brindle
  2011-03-23 19:05   ` Joshua Brindle
  1 sibling, 0 replies; 28+ messages in thread
From: Joshua Brindle @ 2011-03-23 13:26 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

Harry Ciao wrote:
> From: Harry Ciao<harrytaurus2002@hotmail.com>
>
> Add the class support to various functions that handle the role_trans
> structure.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsepol/src/policydb.c |   28 ++++++++++++++++++++++++----
>   libsepol/src/write.c    |   22 +++++++++++++++++-----
>   2 files changed, 41 insertions(+), 9 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 5c0081f..9b43c56 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -137,6 +137,13 @@ static struct policydb_compat_info policydb_compat[] = {
>   	 .target_platform = SEPOL_TARGET_SELINUX,
>   	},
>   	{
> +	 .type = POLICY_KERN,
> +	 .version = POLICYDB_VERSION_ROLETRANS,
> +	 .sym_num = SYM_NUM,
> +	 .ocon_num = OCON_NODE6 + 1,
> +	 .target_platform = SEPOL_TARGET_SELINUX,
> +	},
> +	{
>   	 .type = POLICY_BASE,
>   	 .version = MOD_POLICYDB_VERSION_BASE,
>   	 .sym_num = SYM_NUM,

Why just the kernel version? There should be a module version that supports this 
also. Have you attempted to write out modules with classes in role_trans rules?



* Re: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-23  2:28 ` [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
@ 2011-03-23 13:31   ` Stephen Smalley
  2011-03-24  9:56     ` HarryCiao
  2011-03-23 14:46   ` Eric Paris
  1 sibling, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2011-03-23 13:31 UTC (permalink / raw)
  To: Harry Ciao; +Cc: jmorris, eparis, selinux

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus200@hotmail.com>
> 
> For the process class, the role_trans.type is compared with
> tcontext->type, that is, the program executable type.
> 
> For all the rest classes, the role_trans.type is compared with
> newcontext.type, that is, the type for the newly created object
> of that class.

I don't understand why you aren't applying the logic consistently for
all classes.  Compare with range_trans handling.  Also, if we think
there will be any significant number of these role_trans rules, you
might want to go ahead and start using a hashtab as was later done for
range_trans for efficient lookup.

> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
>  security/selinux/ss/services.c |   23 ++++++++++++-----------
>  1 files changed, 12 insertions(+), 11 deletions(-)
> 
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index a03cfaf..01fc3d5 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1443,17 +1443,18 @@ static int security_compute_sid(u32 ssid,
>  	}
>  
>  	/* Check for class-specific changes. */
> -	if  (tclass == policydb.process_class) {
> -		if (specified & AVTAB_TRANSITION) {
> -			/* Look for a role transition rule. */
> -			for (roletr = policydb.role_tr; roletr;
> -			     roletr = roletr->next) {
> -				if (roletr->role == scontext->role &&
> -				    roletr->type == tcontext->type) {
> -					/* Use the role transition rule. */
> -					newcontext.role = roletr->new_role;
> -					break;
> -				}
> +	if (specified & AVTAB_TRANSITION) {
> +		/* Look for a role transition rule. */
> +		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
> +			if ((roletr->role == scontext->role) &&
> +			    (roletr->cclass == tclass) &&
> +			    ((roletr->cclass == policydb.process_class &&
> +			      roletr->type == tcontext->type) ||
> +			     (roletr->cclass != policydb.process_class &&
> +			      roletr->type == newcontext.type))){
> +				/* Use the role transition rule. */
> +				newcontext.role = roletr->new_role;
> +				break;
>  			}
>  		}
>  	}
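Review bot: since `roletr->cclass == tclass` is already required, the inner tests `roletr->cclass == policydb.process_class` and `roletr->cclass != policydb.process_class` are equivalent to tests on `tclass`, which does not change inside the loop. Hoisting the choice out makes the condition readable: `u32 ttype = (tclass == policydb.process_class) ? tcontext->type : newcontext.type;` before the loop, then match on `roletr->type == ttype`. It also makes the process-class special case explicit in one line, which is the asymmetry being questioned above.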

-- 
Stephen Smalley
National Security Agency




* Re: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-23  2:28 ` [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
@ 2011-03-23 14:40   ` Eric Paris
  2011-03-24  9:43     ` HarryCiao
  0 siblings, 1 reply; 28+ messages in thread
From: Eric Paris @ 2011-03-23 14:40 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus200@hotmail.com>
> 
> If kernel policy version is >= 25, then the binary representation of
> the role_trans structure supports specifying the class for the current
> subject or the newly created object.
> 
> If kernel policy version is < 25, then the class field would be default
> to the process class.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
>  security/selinux/include/security.h |    3 ++-
>  security/selinux/ss/policydb.c      |   24 +++++++++++++++++++++---
>  security/selinux/ss/policydb.h      |    7 ++++---
>  3 files changed, 27 insertions(+), 7 deletions(-)
> 
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 671273e..a9d9e2b 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -28,13 +28,14 @@
>  #define POLICYDB_VERSION_POLCAP		22
>  #define POLICYDB_VERSION_PERMISSIVE	23
>  #define POLICYDB_VERSION_BOUNDARY	24
> +#define POLICYDB_VERSION_ROLETRANS	25

Grab a newer kernel.  POLICYDB_VERSION_FILENAME_TRANS == 25.  You're
going to need 26  (although I haven't gotten the userspace
implementation of 26 done so we are going to have to work together to
make sure we don't trample on each other there)
 
>  /* Range of policy versions we understand*/
>  #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
>  #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>  #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>  #else
> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_BOUNDARY
> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
>  #endif
>  
>  /* Mask for just the mount related flags */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 5736356..b660f08 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = {
>  		.sym_num	= SYM_NUM,
>  		.ocon_num	= OCON_NUM,
>  	},
> +	{
> +		.version	= POLICYDB_VERSION_ROLETRANS,
> +		.sym_num	= SYM_NUM,
> +		.ocon_num	= OCON_NUM,
> +	},
>  };
>  
>  static struct policydb_compat_info *policydb_lookup_compat(int version)
> @@ -2209,16 +2214,29 @@ int policydb_read(struct policydb *p, void *fp)
>  			ltr->next = tr;
>  		else
>  			p->role_tr = tr;
> -		rc = next_entry(buf, fp, sizeof(u32)*3);
> +		rc = next_entry(buf, fp, sizeof(u32)*2);
>  		if (rc)
>  			goto bad;
>  
> -		rc = -EINVAL;
>  		tr->role = le32_to_cpu(buf[0]);
>  		tr->type = le32_to_cpu(buf[1]);
> -		tr->new_role = le32_to_cpu(buf[2]);
> +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> +			rc = next_entry(buf, fp, sizeof(u32));
> +			if (rc)
> +				goto bad;
> +			tr->cclass = le32_to_cpu(buf[0]);
> +		} else
> +			tr->cclass = p->process_class;
> +
> +		rc = next_entry(buf, fp, sizeof(u32));
> +		if (rc)
> +			goto bad;
> +		tr->new_role = le32_to_cpu(buf[0]);
> +
> +		rc = -EINVAL;
>  		if (!policydb_role_isvalid(p, tr->role) ||
>  		    !policydb_type_isvalid(p, tr->type) ||
> +		    !policydb_class_isvalid(p, tr->cclass) ||
>  		    !policydb_role_isvalid(p, tr->new_role))
>  			goto bad;
>  		ltr = tr;
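Review bot: the pre-ROLETRANS branch assigns `tr->cclass = p->process_class`, so p->process_class must already be resolved when the role_tr list is read; confirm that the process class lookup precedes this loop in policydb_read(), otherwise every old-format rule gets class 0 and fails `policydb_class_isvalid`. Also, because a version-25 file produced by a toolchain that uses 25 for filename transitions has a different record layout, the reads here would consume the new_role word as cclass; the range checks only catch that when the values happen to fall out of range, so the version collision raised on the header hunk needs to be resolved before this can be merged.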
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 4e3ab9d..ba08fb4 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -71,9 +71,10 @@ struct role_datum {
>  };
>  
>  struct role_trans {
> -	u32 role;		/* current role */
> -	u32 type;		/* program executable type */
> -	u32 new_role;		/* new role */
> +	u32 role;	/* current role */
> +	u32 type;	/* program executable type, or new object type */
> +	u32 cclass;	/* process class, or new object class */

Why "cclass"?  most of the code uses tclass (which might mean 'target
class' but I'm not sure)

Otherwise the patch looks good to me.  If you fix those you can add an
ACK on your next submission.

> +	u32 new_role;	/* new role */
>  	struct role_trans *next;
>  };
>  





* Re: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-23  2:28 ` [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
  2011-03-23 13:31   ` Stephen Smalley
@ 2011-03-23 14:46   ` Eric Paris
  1 sibling, 0 replies; 28+ messages in thread
From: Eric Paris @ 2011-03-23 14:46 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus200@hotmail.com>
> 
> For the process class, the role_trans.type is compared with
> tcontext->type, that is, the program executable type.
> 
> For all the rest classes, the role_trans.type is compared with
> newcontext.type, that is, the type for the newly created object
> of that class.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>

That's a hard conditional to read, but I guess it's correct.  Feel free
to add my ack on resubmission.

-Eric

> ---
>  security/selinux/ss/services.c |   23 ++++++++++++-----------
>  1 files changed, 12 insertions(+), 11 deletions(-)
> 
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index a03cfaf..01fc3d5 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1443,17 +1443,18 @@ static int security_compute_sid(u32 ssid,
>  	}
>  
>  	/* Check for class-specific changes. */
> -	if  (tclass == policydb.process_class) {
> -		if (specified & AVTAB_TRANSITION) {
> -			/* Look for a role transition rule. */
> -			for (roletr = policydb.role_tr; roletr;
> -			     roletr = roletr->next) {
> -				if (roletr->role == scontext->role &&
> -				    roletr->type == tcontext->type) {
> -					/* Use the role transition rule. */
> -					newcontext.role = roletr->new_role;
> -					break;
> -				}
> +	if (specified & AVTAB_TRANSITION) {
> +		/* Look for a role transition rule. */
> +		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
> +			if ((roletr->role == scontext->role) &&
> +			    (roletr->cclass == tclass) &&
> +			    ((roletr->cclass == policydb.process_class &&
> +			      roletr->type == tcontext->type) ||
> +			     (roletr->cclass != policydb.process_class &&
> +			      roletr->type == newcontext.type))){
> +				/* Use the role transition rule. */
> +				newcontext.role = roletr->new_role;
> +				break;
>  			}
>  		}
>  	}





* Re: [v0 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-23  2:28 ` [v0 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
@ 2011-03-23 14:48   ` Eric Paris
  2011-03-23 18:59     ` Joshua Brindle
  0 siblings, 1 reply; 28+ messages in thread
From: Eric Paris @ 2011-03-23 14:48 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus2002@hotmail.com>
> 
> If kernel policy version is >= 25, then write the class field of the
> role_trans structure into the binary representation.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>

Looking at this patch (and the first one) I really start to feel like
putting the class after the newrole on disk.  It really would clean up
the patches and the code to not insert the conditional in the middle of
reading/writing and instead do it at the end....

> ---
>  security/selinux/ss/policydb.c |   18 +++++++++++++-----
>  1 files changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index b660f08..a6be0f5 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2450,10 +2450,11 @@ static int cat_write(void *vkey, void *datum, void *ptr)
>  	return 0;
>  }
>  
> -static int role_trans_write(struct role_trans *r, void *fp)
> +static int role_trans_write(struct policydb *p, void *fp)
>  {
> +	struct role_trans *r = p->role_tr;
>  	struct role_trans *tr;
> -	u32 buf[3];
> +	u32 buf[4];
>  	size_t nel;
>  	int rc;
>  
> @@ -2467,8 +2468,15 @@ static int role_trans_write(struct role_trans *r, void *fp)
>  	for (tr = r; tr; tr = tr->next) {
>  		buf[0] = cpu_to_le32(tr->role);
>  		buf[1] = cpu_to_le32(tr->type);
> -		buf[2] = cpu_to_le32(tr->new_role);
> -		rc = put_entry(buf, sizeof(u32), 3, fp);
> +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> +			buf[2] = cpu_to_le32(tr->cclass);
> +			buf[3] = cpu_to_le32(tr->new_role);
> +			rc = put_entry(buf, sizeof(u32), 4, fp);
> +		} else {
> +			buf[2] = cpu_to_le32(tr->new_role);
> +			rc = put_entry(buf, sizeof(u32), 3, fp);
> +		}
> +
>  		if (rc)
>  			return rc;
>  	}
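Review bot: the `p->policyvers >= POLICYDB_VERSION_ROLETRANS` test is re-evaluated for every rule inside the loop and both arms repeat the `buf[2]`/`buf[3]`/`put_entry()` sequence; hoisting the test out of the loop into a local (the way libsepol's range_write() keeps `new_rangetr`) and emitting the class with a second `put_entry()` call would leave one code path. The added empty `+` line before `if (rc)` is a stray whitespace change. Storing the class after `new_role`, as Eric suggests, removes the conditional from the middle of the record altogether.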
> @@ -3145,7 +3153,7 @@ int policydb_write(struct policydb *p, void *fp)
>  	if (rc)
>  		return rc;
>  
> -	rc = role_trans_write(p->role_tr, fp);
> +	rc = role_trans_write(p, fp);
>  	if (rc)
>  		return rc;
>  




* Re: [v0 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-23 14:48   ` Eric Paris
@ 2011-03-23 18:59     ` Joshua Brindle
  2011-03-24 10:02       ` HarryCiao
  0 siblings, 1 reply; 28+ messages in thread
From: Joshua Brindle @ 2011-03-23 18:59 UTC (permalink / raw)
  To: Eric Paris; +Cc: Harry Ciao, sds, jmorris, eparis, selinux

Eric Paris wrote:
> On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
>> From: Harry Ciao<harrytaurus2002@hotmail.com>
>>
>> If kernel policy version is >= 25, then write the class field of the
>> role_trans structure into the binary representation.
>>
>> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
>
> Looking at this patch (and the first one) I really start to feel like
> putting the class after the newrole on disk.  It really would clean up
> the patches and the code to not insert the conditional in the middle of
> reading/writing and instead do it at the end....

He doesn't have to put it after new_role to clean up the conditional, just break 
the buffer in 2. range_write() does this in userspace, I'm not sure what the 
kernel interface looks like.

>
>> ---
>>   security/selinux/ss/policydb.c |   18 +++++++++++++-----
>>   1 files changed, 13 insertions(+), 5 deletions(-)
>>
>> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
>> index b660f08..a6be0f5 100644
>> --- a/security/selinux/ss/policydb.c
>> +++ b/security/selinux/ss/policydb.c
>> @@ -2450,10 +2450,11 @@ static int cat_write(void *vkey, void *datum, void *ptr)
>>   	return 0;
>>   }
>>
>> -static int role_trans_write(struct role_trans *r, void *fp)
>> +static int role_trans_write(struct policydb *p, void *fp)
>>   {
>> +	struct role_trans *r = p->role_tr;
>>   	struct role_trans *tr;
>> -	u32 buf[3];
>> +	u32 buf[4];
>>   	size_t nel;
>>   	int rc;
>>
>> @@ -2467,8 +2468,15 @@ static int role_trans_write(struct role_trans *r, void *fp)
>>   	for (tr = r; tr; tr = tr->next) {
>>   		buf[0] = cpu_to_le32(tr->role);
>>   		buf[1] = cpu_to_le32(tr->type);
>> -		buf[2] = cpu_to_le32(tr->new_role);
>> -		rc = put_entry(buf, sizeof(u32), 3, fp);
>> +		if (p->policyvers>= POLICYDB_VERSION_ROLETRANS) {
>> +			buf[2] = cpu_to_le32(tr->cclass);
>> +			buf[3] = cpu_to_le32(tr->new_role);
>> +			rc = put_entry(buf, sizeof(u32), 4, fp);
>> +		} else {
>> +			buf[2] = cpu_to_le32(tr->new_role);
>> +			rc = put_entry(buf, sizeof(u32), 3, fp);
>> +		}
>> +
>>   		if (rc)
>>   			return rc;
>>   	}
>> @@ -3145,7 +3153,7 @@ int policydb_write(struct policydb *p, void *fp)
>>   	if (rc)
>>   		return rc;
>>
>> -	rc = role_trans_write(p->role_tr, fp);
>> +	rc = role_trans_write(p, fp);
>>   	if (rc)
>>   		return rc;
>>


* Re: [v0 PATCH 3/5] Handle the class in role_trans structure
  2011-03-23  2:28 ` [v0 PATCH 3/5] Handle the class in role_trans structure Harry Ciao
  2011-03-23 13:26   ` Joshua Brindle
@ 2011-03-23 19:05   ` Joshua Brindle
  2011-03-24 10:36     ` HarryCiao
  1 sibling, 1 reply; 28+ messages in thread
From: Joshua Brindle @ 2011-03-23 19:05 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

Harry Ciao wrote:
> From: Harry Ciao<harrytaurus2002@hotmail.com>
<snip>

> --- a/libsepol/src/write.c
> +++ b/libsepol/src/write.c
> @@ -462,11 +462,14 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>   	return POLICYDB_SUCCESS;
>   }
>
> -static int role_trans_write(role_trans_t * r, struct policy_file *fp)
> +static int role_trans_write(policydb_t *p, struct policy_file *fp)
>   {
> +	role_trans_t *r = p->role_tr;
>   	role_trans_t *tr;
>   	uint32_t buf[3];
>   	size_t nel, items;
> +	int new_roletr = (p->policy_type == POLICY_KERN&&
> +			  p->policyvers>= POLICYDB_VERSION_ROLETRANS);
>
>   	nel = 0;
>   	for (tr = r; tr; tr = tr->next)
> @@ -478,9 +481,18 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp)
>   	for (tr = r; tr; tr = tr->next) {
>   		buf[0] = cpu_to_le32(tr->role);
>   		buf[1] = cpu_to_le32(tr->type);
> -		buf[2] = cpu_to_le32(tr->new_role);
> -		items = put_entry(buf, sizeof(uint32_t), 3, fp);
> -		if (items != 3)
> +		items = put_entry(buf, sizeof(uint32_t), 2, fp);
> +		if (items != 2)
> +			return POLICYDB_ERROR;
> +		if (new_roletr) {
> +			buf[0] = cpu_to_le32(tr->cclass);
> +			items = put_entry(buf, sizeof(uint32_t), 1, fp);
> +			if (items != 1)
> +				return POLICYDB_ERROR;
> +		}
> +		buf[0] = cpu_to_le32(tr->new_role);
> +		items = put_entry(buf, sizeof(uint32_t), 1, fp);
> +		if (items != 1)
>   			return POLICYDB_ERROR;
>   	}
>
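Review bot: when `new_roletr` is false the class is silently left out of the record but the rule is still written, so a rule for a non-process class compiles into an old-format policy as if it targeted "process"; rules whose `tr->cclass` is not the process class should be skipped with a warning and, since `nel` is written before the loop, also left out of that count, the way range_write() discards non-process range_transition rules. Splitting one record into three `put_entry()` calls also triples the error handling; `buf[3]` holds enough for the old layout and one more slot would let each record be written with a single call per version.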

You need to do something like range_write if you end up having a class set from 
the parser but you are building a lower version of the policy. The range write 
warning is:

         for (rt = p->range_tr; rt; rt = rt->next) {
                 if (!new_rangetr && rt->target_class != SECCLASS_PROCESS) {
                         if (!warning_issued)
                                 WARN(fp->handle, "Discarding range_transition "
                                      "rules for security classes other than "
                                      "\"process\"");
                         warning_issued = 1;
                         continue;
                 }


* Re: [v0 PATCH 2/5] Make role_transition parser to handle class field
  2011-03-23  2:28 ` [v0 PATCH 2/5] Make role_transition parser to handle class field Harry Ciao
@ 2011-03-23 19:30   ` Eric Paris
  2011-03-23 19:41     ` Joshua Brindle
  0 siblings, 1 reply; 28+ messages in thread
From: Eric Paris @ 2011-03-23 19:30 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus2002@hotmail.com>
> 
> If no class is specified in the role_transition rule, then it would
> be set to the "process" class by default.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
>  checkpolicy/policy_define.c |   89 ++++++++++++++++++++++++++++++++-----------
>  checkpolicy/policy_define.h |    2 +-
>  checkpolicy/policy_parse.y  |    4 +-
>  3 files changed, 71 insertions(+), 24 deletions(-)
> 
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 82ab44c..6c28d8a 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
>  	return 0;
>  }
>  
> -int define_role_trans(void)
> +int define_role_trans(int class_specified)
>  {
>  	char *id;
>  	role_datum_t *role;
>  	role_set_t roles;
>  	type_set_t types;
> -	ebitmap_t e_types, e_roles;
> -	ebitmap_node_t *tnode, *rnode;
> +	class_datum_t *cladatum;
> +	ebitmap_t e_types, e_roles, classes;

minor nit, most of this code uses e_* for ebitmaps.  You don't need to
change that.....

-Eric



* Re: [v0 PATCH 2/5] Make role_transition parser to handle class field
  2011-03-23 19:30   ` Eric Paris
@ 2011-03-23 19:41     ` Joshua Brindle
  2011-03-23 20:14       ` Eric Paris
  0 siblings, 1 reply; 28+ messages in thread
From: Joshua Brindle @ 2011-03-23 19:41 UTC (permalink / raw)
  To: Eric Paris; +Cc: Harry Ciao, sds, jmorris, eparis, selinux

Eric Paris wrote:
> On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
>> From: Harry Ciao<harrytaurus2002@hotmail.com>
>>
>> If no class is specified in the role_transition rule, then it would
>> be set to the "process" class by default.
>>
>> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
>> ---
>>   checkpolicy/policy_define.c |   89 ++++++++++++++++++++++++++++++++-----------
>>   checkpolicy/policy_define.h |    2 +-
>>   checkpolicy/policy_parse.y  |    4 +-
>>   3 files changed, 71 insertions(+), 24 deletions(-)
>>
>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>> index 82ab44c..6c28d8a 100644
>> --- a/checkpolicy/policy_define.c
>> +++ b/checkpolicy/policy_define.c
>> @@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
>>   	return 0;
>>   }
>>
>> -int define_role_trans(void)
>> +int define_role_trans(int class_specified)
>>   {
>>   	char *id;
>>   	role_datum_t *role;
>>   	role_set_t roles;
>>   	type_set_t types;
>> -	ebitmap_t e_types, e_roles;
>> -	ebitmap_node_t *tnode, *rnode;
>> +	class_datum_t *cladatum;
>> +	ebitmap_t e_types, e_roles, classes;
>
> minor nit, most of this code uses e_* for ebitmaps.  You don't need to
> change that.....
>

There is only a single instance of e_* for ebitmaps in checkpolicy (which is 
what this patch is against)


* Re: [v0 PATCH 2/5] Make role_transition parser to handle class field
  2011-03-23 19:41     ` Joshua Brindle
@ 2011-03-23 20:14       ` Eric Paris
  0 siblings, 0 replies; 28+ messages in thread
From: Eric Paris @ 2011-03-23 20:14 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Harry Ciao, sds, jmorris, eparis, selinux

On Wed, 2011-03-23 at 15:41 -0400, Joshua Brindle wrote:
> Eric Paris wrote:
> > On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> >> From: Harry Ciao<harrytaurus2002@hotmail.com>
> >>
> >> If no class is specified in the role_transition rule, then it would
> >> be set to the "process" class by default.
> >>
> >> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> >> ---
> >>   checkpolicy/policy_define.c |   89 ++++++++++++++++++++++++++++++++-----------
> >>   checkpolicy/policy_define.h |    2 +-
> >>   checkpolicy/policy_parse.y  |    4 +-
> >>   3 files changed, 71 insertions(+), 24 deletions(-)
> >>
> >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> >> index 82ab44c..6c28d8a 100644
> >> --- a/checkpolicy/policy_define.c
> >> +++ b/checkpolicy/policy_define.c
> >> @@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
> >>   	return 0;
> >>   }
> >>
> >> -int define_role_trans(void)
> >> +int define_role_trans(int class_specified)
> >>   {
> >>   	char *id;
> >>   	role_datum_t *role;
> >>   	role_set_t roles;
> >>   	type_set_t types;
> >> -	ebitmap_t e_types, e_roles;
> >> -	ebitmap_node_t *tnode, *rnode;
> >> +	class_datum_t *cladatum;
> >> +	ebitmap_t e_types, e_roles, classes;
> >
> > minor nit, most of this code uses e_* for ebitmaps.  You don't need to
> > change that.....
> >
> 
> There is only a single instance of e_* for ebitmaps in checkpolicy (which is 
> what this patch is against)

Not in my tree that I was looking at, but then again, my tree adds stuff
which copied this code, so I guess you are right!




* RE: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-23 14:40   ` Eric Paris
@ 2011-03-24  9:43     ` HarryCiao
  2011-03-24 13:21       ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: HarryCiao @ 2011-03-24  9:43 UTC (permalink / raw)
  To: eparis, qingtao.cao
  Cc: Stephen Smalley, jmorris, eparis, selinux-mailing-list

> Subject: Re: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
> From: eparis@redhat.com
> To: qingtao.cao@windriver.com
> CC: sds@tycho.nsa.gov; jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> Date: Wed, 23 Mar 2011 10:40:22 -0400
> 
> On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> > From: Harry Ciao <harrytaurus200@hotmail.com>
> > 
> > If kernel policy version is >= 25, then the binary representation of
> > the role_trans structure supports specifying the class for the current
> > subject or the newly created object.
> > 
> > If kernel policy version is < 25, then the class field would be default
> > to the process class.
> > 
> > Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> > ---
> >  security/selinux/include/security.h |    3 ++-
> >  security/selinux/ss/policydb.c      |   24 +++++++++++++++++++++---
> >  security/selinux/ss/policydb.h      |    7 ++++---
> >  3 files changed, 27 insertions(+), 7 deletions(-)
> > 
> > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> > index 671273e..a9d9e2b 100644
> > --- a/security/selinux/include/security.h
> > +++ b/security/selinux/include/security.h
> > @@ -28,13 +28,14 @@
> >  #define POLICYDB_VERSION_POLCAP		22
> >  #define POLICYDB_VERSION_PERMISSIVE	23
> >  #define POLICYDB_VERSION_BOUNDARY	24
> > +#define POLICYDB_VERSION_ROLETRANS	25
> 
> Grab a newer kernel.  POLICYDB_VERSION_FILENAME_TRANS == 25.  You're
> going to need 26  (although I haven't gotten the userspace
> implementation of 26 done so we are going to have to work together to
> make sure we don't trample on each other there)

No problem!

I will rebase to the latest SELinux kernel tree and reserve 25 for you in the userspace.

>  
> >  /* Range of policy versions we understand*/
> >  #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
> >  #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
> >  #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
> >  #else
> > -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_BOUNDARY
> > +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
> >  #endif
> >  
> >  /* Mask for just the mount related flags */
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index 5736356..b660f08 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = {
> >  		.sym_num	= SYM_NUM,
> >  		.ocon_num	= OCON_NUM,
> >  	},
> > +	{
> > +		.version	= POLICYDB_VERSION_ROLETRANS,
> > +		.sym_num	= SYM_NUM,
> > +		.ocon_num	= OCON_NUM,
> > +	},
> >  };
> >  
> >  static struct policydb_compat_info *policydb_lookup_compat(int version)
> > @@ -2209,16 +2214,29 @@ int policydb_read(struct policydb *p, void *fp)
> >  			ltr->next = tr;
> >  		else
> >  			p->role_tr = tr;
> > -		rc = next_entry(buf, fp, sizeof(u32)*3);
> > +		rc = next_entry(buf, fp, sizeof(u32)*2);
> >  		if (rc)
> >  			goto bad;
> >  
> > -		rc = -EINVAL;
> >  		tr->role = le32_to_cpu(buf[0]);
> >  		tr->type = le32_to_cpu(buf[1]);
> > -		tr->new_role = le32_to_cpu(buf[2]);
> > +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> > +			rc = next_entry(buf, fp, sizeof(u32));
> > +			if (rc)
> > +				goto bad;
> > +			tr->cclass = le32_to_cpu(buf[0]);
> > +		} else
> > +			tr->cclass = p->process_class;
> > +
> > +		rc = next_entry(buf, fp, sizeof(u32));
> > +		if (rc)
> > +			goto bad;
> > +		tr->new_role = le32_to_cpu(buf[0]);
> > +
> > +		rc = -EINVAL;
> >  		if (!policydb_role_isvalid(p, tr->role) ||
> >  		    !policydb_type_isvalid(p, tr->type) ||
> > +		    !policydb_class_isvalid(p, tr->cclass) ||
> >  		    !policydb_role_isvalid(p, tr->new_role))
> >  			goto bad;
> >  		ltr = tr;
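Review bot: the `if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) { ... } else` pairs a braced arm with an unbraced one; kernel style asks for braces on both arms when either arm needs them. Moving `rc = -EINVAL;` below the `next_entry()` calls is correct, since each `next_entry()` overwrites `rc`, and validating `tr->cclass` with `policydb_class_isvalid()` before the rule is linked in is what keeps a malformed policy from later indexing the class table with an out-of-range value. The old-format default `tr->cclass = p->process_class` relies on `p->process_class` already having been resolved earlier in `policydb_read()`; worth a comment here so the ordering is not broken by a later reshuffle.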
> > diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> > index 4e3ab9d..ba08fb4 100644
> > --- a/security/selinux/ss/policydb.h
> > +++ b/security/selinux/ss/policydb.h
> > @@ -71,9 +71,10 @@ struct role_datum {
> >  };
> >  
> >  struct role_trans {
> > -	u32 role;		/* current role */
> > -	u32 type;		/* program executable type */
> > -	u32 new_role;		/* new role */
> > +	u32 role;	/* current role */
> > +	u32 type;	/* program executable type, or new object type */
> > +	u32 cclass;	/* process class, or new object class */
> 
> Why "cclass"?  most of the code uses tclass (which might mean 'target
> class' but I'm not sure)

Well, I intended to use "class" but it is a reserved GCC identifier.

The class could be the subject class, that is, the "process" class, or could be the newly created object's class, so tclass (target class) won't fit well here.

I will update it to "classes" which I think will be better than "cclass" :-)

Thanks,
Harry

> 
> Otherwise the patch looks good to me.  If you fix those you can add an
> ACK on your next submission.
> 
> > +	u32 new_role;	/* new role */
> >  	struct role_trans *next;
> >  };
> >  

* RE: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-23 13:31   ` Stephen Smalley
@ 2011-03-24  9:56     ` HarryCiao
  2011-03-24 13:25       ` Stephen Smalley
  0 siblings, 1 reply; 28+ messages in thread
From: HarryCiao @ 2011-03-24  9:56 UTC (permalink / raw)
  To: Stephen Smalley, qingtao.cao; +Cc: jmorris, eparis, selinux-mailing-list

Hi Stephen,

> Subject: Re: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
> From: sds@tycho.nsa.gov
> To: qingtao.cao@windriver.com
> CC: jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> Date: Wed, 23 Mar 2011 09:31:52 -0400
> 
> On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> > From: Harry Ciao <harrytaurus200@hotmail.com>
> > 
> > For the process class, the role_trans.type is compared with
> > tcontext->type, that is, the program executable type.
> > 
> > For all the rest classes, the role_trans.type is compared with
> > newcontext.type, that is, the type for the newly created object
> > of that class.
> 
> I don't understand why you aren't applying the logic consistently for
> all classes.  Compare with range_trans handling.  Also, if we think
> there will be any significant number of these role_trans rules, you
> might want to go ahead and start using a hashtab as was later done for
> range_trans for efficient lookup.

Suppose we have below role_transition rule:

role_transition sysadm_r user_home_t : dir sysadm_r;

If roletr->type is compared with newcontext.type, then it means that if sysadm_r is creating a directory object with type equal to user_home_t, then the directory object will have a role of sysadm_r.

However, if roletr->type is compared with tcontext->type, then the semantics would change so that any object of any class created by sysadm_r in a directory object of the user_home_t type would have its role set to sysadm_r, since in selinux_inode_init_security() dir->i_security is always passed as tsid.

I guess the former approach could give much more refined control over the objects' role: if objects are of different types, then they could assume different roles, and not all files in one directory would necessarily have to share the same role.

What do you think?

BTW, I had the idea of using a hashtab structure to manage range_tr too, and this could be a separate development activity that I could do later.

Thanks a lot!

Best regards,
Harry

> 
> > 
> > Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> > ---
> >  security/selinux/ss/services.c |   23 ++++++++++++-----------
> >  1 files changed, 12 insertions(+), 11 deletions(-)
> > 
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index a03cfaf..01fc3d5 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -1443,17 +1443,18 @@ static int security_compute_sid(u32 ssid,
> >  	}
> >  
> >  	/* Check for class-specific changes. */
> > -	if  (tclass == policydb.process_class) {
> > -		if (specified & AVTAB_TRANSITION) {
> > -			/* Look for a role transition rule. */
> > -			for (roletr = policydb.role_tr; roletr;
> > -			     roletr = roletr->next) {
> > -				if (roletr->role == scontext->role &&
> > -				    roletr->type == tcontext->type) {
> > -					/* Use the role transition rule. */
> > -					newcontext.role = roletr->new_role;
> > -					break;
> > -				}
> > +	if (specified & AVTAB_TRANSITION) {
> > +		/* Look for a role transition rule. */
> > +		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
> > +			if ((roletr->role == scontext->role) &&
> > +			    (roletr->cclass == tclass) &&
> > +			    ((roletr->cclass == policydb.process_class &&
> > +			      roletr->type == tcontext->type) ||
> > +			     (roletr->cclass != policydb.process_class &&
> > +			      roletr->type == newcontext.type))){
> > +				/* Use the role transition rule. */
> > +				newcontext.role = roletr->new_role;
> > +				break;
> >  			}
> >  		}
> >  	}
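Review bot: the two-way comparison (`tcontext->type` for the process class, `newcontext.type` for every other class) changes what the rule's type field means depending on the class, and a policy writer cannot see that from the rule syntax; the commit message or the policy language documentation should state that for a file-system object the type in `role_transition sysadm_r user_home_t:dir sysadm_r` is the new directory's own type, not its parent's. The loop also now runs for every class on every transition instead of only for process, so the linear scan of `policydb.role_tr` sits on a hotter path; a hashtab keyed on (role, type, class), as Stephen suggests, would address that.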
> 
> -- 
> Stephen Smalley
> National Security Agency
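
Harry's example above contrasts two readings of the same rule. The C program below is an added illustration, not code from the kernel patch or from the SELinux project: it models the lookup that patch 2/3 changes in security_compute_sid() with simplified structures and constructed symbol ids (the enum values, the sample rule list, the default-role logic and the helper names are all assumptions), and implements both the patch's comparison and the consistent tcontext->type comparison Stephen raises, so the two outcomes can be compared on the same input.

```c
/* Added example, not kernel code: a user-space model of the role_transition
 * lookup in security_compute_sid() as changed by patch 2/3. Struct layout,
 * ids and helper names are simplified stand-ins for the kernel's own. */
#include <stdint.h>
#include <stdio.h>

/* Constructed symbol ids for the sample policy below. */
enum { ROLE_OBJECT_R = 1, ROLE_SYSADM_R = 2, ROLE_USER_R = 3, ROLE_SYSTEM_R = 4 };
enum { TYPE_USER_HOME_T = 10, TYPE_VLOCK_EXEC_T = 11, TYPE_VLOCK_T = 12, TYPE_TMP_T = 13 };
enum { CLASS_PROCESS = 2, CLASS_FILE = 6, CLASS_DIR = 7 };

struct role_trans {
    uint32_t role;      /* current role */
    uint32_t type;      /* executable type, or new object type */
    uint32_t tclass;    /* "process", or the new object's class */
    uint32_t new_role;  /* role of the resulting context */
    const struct role_trans *next;
};

typedef int (*match_fn)(const struct role_trans *tr, uint32_t tclass,
                        uint32_t tcontext_type, uint32_t new_type);

/* The condition in patch 2/3: a process-class rule matches the executable's
 * type (tcontext->type); a rule for any other class matches the type the
 * new object is going to get (newcontext.type). */
int match_by_object_type(const struct role_trans *tr, uint32_t tclass,
                         uint32_t tcontext_type, uint32_t new_type)
{
    if (tr->tclass != tclass)
        return 0;
    return tr->type == (tclass == CLASS_PROCESS ? tcontext_type : new_type);
}

/* The alternative Stephen Smalley asks about: compare with tcontext->type
 * for every class, as range_trans does. For a file-system object the
 * target context is the parent directory's, so the rule keys on where the
 * object is created rather than on what it is. */
int match_by_target_type(const struct role_trans *tr, uint32_t tclass,
                         uint32_t tcontext_type, uint32_t new_type)
{
    (void)new_type;
    return tr->tclass == tclass && tr->type == tcontext_type;
}

/* Role of the new context. The default is modelled on the kernel's
 * transition defaults: a process keeps the subject's role, any other
 * object gets object_r. The first matching rule in list order wins. */
uint32_t compute_role(const struct role_trans *list, match_fn match,
                      uint32_t srole, uint32_t tcontext_type,
                      uint32_t tclass, uint32_t new_type)
{
    uint32_t role = (tclass == CLASS_PROCESS) ? srole : ROLE_OBJECT_R;
    for (const struct role_trans *tr = list; tr; tr = tr->next) {
        if (tr->role == srole && match(tr, tclass, tcontext_type, new_type)) {
            role = tr->new_role;
            break;
        }
    }
    return role;
}

/* Constructed policy: the rules from the test snippet at the top of this
 * thread, restricted to the dir and file classes plus the vlock rule. */
const struct role_trans sample_rules[3] = {
    /* role_transition sysadm_r user_home_t:dir sysadm_r; */
    { ROLE_SYSADM_R, TYPE_USER_HOME_T, CLASS_DIR, ROLE_SYSADM_R, &sample_rules[1] },
    /* role_transition sysadm_r user_home_t:file sysadm_r; */
    { ROLE_SYSADM_R, TYPE_USER_HOME_T, CLASS_FILE, ROLE_SYSADM_R, &sample_rules[2] },
    /* role_transition sysadm_r vlock_exec_t system_r;  (class defaults to process) */
    { ROLE_SYSADM_R, TYPE_VLOCK_EXEC_T, CLASS_PROCESS, ROLE_SYSTEM_R, NULL },
};

int main(void)
{
    /* sysadm_r creates a tmp_t file inside a user_home_t directory. */
    uint32_t by_obj = compute_role(sample_rules, match_by_object_type, ROLE_SYSADM_R,
                                   TYPE_USER_HOME_T, CLASS_FILE, TYPE_TMP_T);
    uint32_t by_tgt = compute_role(sample_rules, match_by_target_type, ROLE_SYSADM_R,
                                   TYPE_USER_HOME_T, CLASS_FILE, TYPE_TMP_T);
    printf("object-type semantics: role %u, target-type semantics: role %u\n",
           (unsigned)by_obj, (unsigned)by_tgt);
    return 0;
}
```

With the patch's semantics the tmp_t file stays object_r because no rule names tmp_t, while under the target-type reading it inherits sysadm_r merely for being created inside a user_home_t directory; that is the difference Harry's two paragraphs describe.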

* RE: [v0 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-23 18:59     ` Joshua Brindle
@ 2011-03-24 10:02       ` HarryCiao
  0 siblings, 0 replies; 28+ messages in thread
From: HarryCiao @ 2011-03-24 10:02 UTC (permalink / raw)
  To: method, eparis
  Cc: qingtao.cao, Stephen Smalley, jmorris, eparis,
	selinux-mailing-list

Hi Joshua and Eric,

> Date: Wed, 23 Mar 2011 14:59:20 -0400
> From: method@manicmethod.com
> To: eparis@redhat.com
> CC: qingtao.cao@windriver.com; sds@tycho.nsa.gov; jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> Subject: Re: [v0 PATCH 3/3] SELinux: Write class field in role_trans_write.
> 
> Eric Paris wrote:
> > On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> >> From: Harry Ciao<harrytaurus2002@hotmail.com>
> >>
> >> If kernel policy version is >= 25, then write the class field of the
> >> role_trans structure into the binary representation.
> >>
> >> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> >
> > Looking at this patch (and the first one) I really start to feel like
> > putting the class after the newrole on disk.  It really would clean up
> > the patches and the code to not insert the conditional in the middle of
> > reading/writing and instead do it at the end....
> 
> He doesn't have to put it after new_role to clean up the conditional, just break 
> the buffer in 2. range_write() does this in userspace, I'm not sure what the 
> kernel interface looks like.


I followed the range_write() logic and used new_roletr in role_trans_write(), similar to the new_rangetr used in range_write().

Anyway, it won't take much extra effort to put the classes field after new_role in the binary representation, which can indeed make the code simpler :-) I will include such a change in the next version of the patches.

Thanks,
Harry

> 
> >
> >> ---
> >>   security/selinux/ss/policydb.c |   18 +++++++++++++-----
> >>   1 files changed, 13 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> >> index b660f08..a6be0f5 100644
> >> --- a/security/selinux/ss/policydb.c
> >> +++ b/security/selinux/ss/policydb.c
> >> @@ -2450,10 +2450,11 @@ static int cat_write(void *vkey, void *datum, void *ptr)
> >>   	return 0;
> >>   }
> >>
> >> -static int role_trans_write(struct role_trans *r, void *fp)
> >> +static int role_trans_write(struct policydb *p, void *fp)
> >>   {
> >> +	struct role_trans *r = p->role_tr;
> >>   	struct role_trans *tr;
> >> -	u32 buf[3];
> >> +	u32 buf[4];
> >>   	size_t nel;
> >>   	int rc;
> >>
> >> @@ -2467,8 +2468,15 @@ static int role_trans_write(struct role_trans *r, void *fp)
> >>   	for (tr = r; tr; tr = tr->next) {
> >>   		buf[0] = cpu_to_le32(tr->role);
> >>   		buf[1] = cpu_to_le32(tr->type);
> >> -		buf[2] = cpu_to_le32(tr->new_role);
> >> -		rc = put_entry(buf, sizeof(u32), 3, fp);
> >> +		if (p->policyvers>= POLICYDB_VERSION_ROLETRANS) {
> >> +			buf[2] = cpu_to_le32(tr->cclass);
> >> +			buf[3] = cpu_to_le32(tr->new_role);
> >> +			rc = put_entry(buf, sizeof(u32), 4, fp);
> >> +		} else {
> >> +			buf[2] = cpu_to_le32(tr->new_role);
> >> +			rc = put_entry(buf, sizeof(u32), 3, fp);
> >> +		}
> >> +
> >>   		if (rc)
> >>   			return rc;
> >>   	}
> >> @@ -3145,7 +3153,7 @@ int policydb_write(struct policydb *p, void *fp)
> >>   	if (rc)
> >>   		return rc;
> >>
> >> -	rc = role_trans_write(p->role_tr, fp);
> >> +	rc = role_trans_write(p, fp);
> >>   	if (rc)
> >>   		return rc;
> >>

* RE: [v0 PATCH 3/5] Handle the class in role_trans structure
  2011-03-23 19:05   ` Joshua Brindle
@ 2011-03-24 10:36     ` HarryCiao
  0 siblings, 0 replies; 28+ messages in thread
From: HarryCiao @ 2011-03-24 10:36 UTC (permalink / raw)
  To: method, qingtao.cao
  Cc: Stephen Smalley, jmorris, eparis, selinux-mailing-list

I've got your point: for a lower version policy, non-process class objects won't be supported in the role_transition rule, so it makes sense to discard all such rules.

Thanks a lot!

Best regards,
Harry


> Date: Wed, 23 Mar 2011 15:05:06 -0400
> From: method@manicmethod.com
> To: qingtao.cao@windriver.com
> CC: sds@tycho.nsa.gov; jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> Subject: Re: [v0 PATCH 3/5] Handle the class in role_trans structure
> 
> Harry Ciao wrote:
> > From: Harry Ciao<harrytaurus2002@hotmail.com>
> <snip>
> 
> > --- a/libsepol/src/write.c
> > +++ b/libsepol/src/write.c
> > @@ -462,11 +462,14 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> >   	return POLICYDB_SUCCESS;
> >   }
> >
> > -static int role_trans_write(role_trans_t * r, struct policy_file *fp)
> > +static int role_trans_write(policydb_t *p, struct policy_file *fp)
> >   {
> > +	role_trans_t *r = p->role_tr;
> >   	role_trans_t *tr;
> >   	uint32_t buf[3];
> >   	size_t nel, items;
> > +	int new_roletr = (p->policy_type == POLICY_KERN&&
> > +			  p->policyvers>= POLICYDB_VERSION_ROLETRANS);
> >
> >   	nel = 0;
> >   	for (tr = r; tr; tr = tr->next)
> > @@ -478,9 +481,18 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp)
> >   	for (tr = r; tr; tr = tr->next) {
> >   		buf[0] = cpu_to_le32(tr->role);
> >   		buf[1] = cpu_to_le32(tr->type);
> > -		buf[2] = cpu_to_le32(tr->new_role);
> > -		items = put_entry(buf, sizeof(uint32_t), 3, fp);
> > -		if (items != 3)
> > +		items = put_entry(buf, sizeof(uint32_t), 2, fp);
> > +		if (items != 2)
> > +			return POLICYDB_ERROR;
> > +		if (new_roletr) {
> > +			buf[0] = cpu_to_le32(tr->cclass);
> > +			items = put_entry(buf, sizeof(uint32_t), 1, fp);
> > +			if (items != 1)
> > +				return POLICYDB_ERROR;
> > +		}
> > +		buf[0] = cpu_to_le32(tr->new_role);
> > +		items = put_entry(buf, sizeof(uint32_t), 1, fp);
> > +		if (items != 1)
> >   			return POLICYDB_ERROR;
> >   	}
> >
> 
> You need to do something like range_write if you end up having a class set from 
> the parser but you are building a lower version of the policy. The range write 
> warning is:
> 
>          for (rt = p->range_tr; rt; rt = rt->next) {
>                  if (!new_rangetr && rt->target_class != SECCLASS_PROCESS) {
>                          if (!warning_issued)
>                                  WARN(fp->handle, "Discarding range_transition "
>                                       "rules for security classes other than "
>                                       "\"process\"");
>                          warning_issued = 1;
>                          continue;
>                  }
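
Joshua's range_write() comparison above and Harry's reply agree that a rule for a non-process class cannot be expressed in a policy older than the new version. The C program below is an added, stand-alone model of that write-side gate together with the matching read side from patch 1/3; it is not libsepol or kernel code. It writes a role_trans list into a little-endian byte buffer, drops non-process rules with a single warning when building an older version (and keeps the element count consistent with what is actually emitted), stores the class after new_role as Eric proposed, and on reading an old-format policy defaults the class to process. The version number, class ids, struct fields and helper names are assumptions.

```c
/* Added example, not libsepol or kernel code: a stand-alone model of the
 * role_trans write/read path with the policy-version gate. Version value,
 * class ids, struct layout and helper names are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Eric Paris points out that 25 is already POLICYDB_VERSION_FILENAME_TRANS
 * and the class field would need 26; the value here is illustrative only. */
#define POLICYDB_VERSION_ROLETRANS 26
#define SECCLASS_PROCESS 2          /* constructed class id for "process" */

struct role_trans {
    uint32_t role, type, tclass, new_role;
    const struct role_trans *next;
};

struct policy_buf {             /* in-memory stand-in for the policy file */
    uint8_t data[256];
    size_t len;                 /* bytes written */
    size_t pos;                 /* read cursor */
    int warnings;               /* rules discarded while writing */
};

static int put_le32(struct policy_buf *b, uint32_t v)
{
    if (b->len + 4 > sizeof b->data) return -1;
    for (int i = 0; i < 4; i++) b->data[b->len++] = (uint8_t)(v >> (8 * i));
    return 0;
}

static int get_le32(struct policy_buf *b, uint32_t *v)
{
    if (b->pos + 4 > b->len) return -1;
    *v = 0;
    for (int i = 0; i < 4; i++) *v |= (uint32_t)b->data[b->pos++] << (8 * i);
    return 0;
}

/* Below POLICYDB_VERSION_ROLETRANS the record has no class field, so rules
 * for classes other than "process" cannot be represented: they are skipped
 * with one warning, as range_write() does for range_transition, and are
 * left out of the element count. The class is stored after new_role, the
 * layout Eric Paris suggested in this thread. */
int role_trans_write(const struct role_trans *r, unsigned policyvers,
                     struct policy_buf *out)
{
    int new_roletr = policyvers >= POLICYDB_VERSION_ROLETRANS;
    uint32_t nel = 0;

    for (const struct role_trans *tr = r; tr; tr = tr->next)
        if (new_roletr || tr->tclass == SECCLASS_PROCESS)
            nel++;
    if (put_le32(out, nel))
        return -1;
    for (const struct role_trans *tr = r; tr; tr = tr->next) {
        if (!new_roletr && tr->tclass != SECCLASS_PROCESS) {
            if (!out->warnings)
                fprintf(stderr, "Discarding role_transition rules for "
                                "security classes other than \"process\"\n");
            out->warnings++;
            continue;
        }
        if (put_le32(out, tr->role) || put_le32(out, tr->type) ||
            put_le32(out, tr->new_role))
            return -1;
        if (new_roletr && put_le32(out, tr->tclass))
            return -1;
    }
    return 0;
}

/* Read the list back into rules[]. An old-format policy gets the class
 * defaulted to "process", as patch 1/3 does for policyvers < ROLETRANS.
 * Returns the rule count, or -1 for a truncated or oversized input. */
int role_trans_read(struct policy_buf *in, unsigned policyvers,
                    struct role_trans *rules, size_t max_rules)
{
    int new_roletr = policyvers >= POLICYDB_VERSION_ROLETRANS;
    uint32_t nel;

    in->pos = 0;
    if (get_le32(in, &nel) || nel > max_rules)
        return -1;
    for (uint32_t i = 0; i < nel; i++) {
        struct role_trans *tr = &rules[i];
        if (get_le32(in, &tr->role) || get_le32(in, &tr->type) ||
            get_le32(in, &tr->new_role))
            return -1;
        if (new_roletr) {
            if (get_le32(in, &tr->tclass))
                return -1;
        } else {
            tr->tclass = SECCLASS_PROCESS;
        }
        tr->next = (i + 1 < nel) ? &rules[i + 1] : NULL;
    }
    return (int)nel;
}

/* Constructed sample (ids arbitrary): one process rule, one dir rule (class 7). */
const struct role_trans sample_rules[2] = {
    { 2, 11, SECCLASS_PROCESS, 4, &sample_rules[1] }, /* sysadm_r vlock_exec_t system_r */
    { 2, 10, 7, 2, NULL },                            /* sysadm_r user_home_t:dir sysadm_r */
};
```

Writing the sample list at the new version produces two 16-byte records; writing it one version lower produces a single 12-byte record, one warning, and an element count of 1, so a reader of the old format never sees a rule it cannot interpret. The read side rejects truncated input before touching any field, which is the property the `next_entry()` checks in the kernel patch provide.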

* RE: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-24  9:43     ` HarryCiao
@ 2011-03-24 13:21       ` Stephen Smalley
  2011-03-25  6:28         ` HarryCiao
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2011-03-24 13:21 UTC (permalink / raw)
  To: HarryCiao; +Cc: eparis, qingtao.cao, jmorris, eparis, selinux-mailing-list

On Thu, 2011-03-24 at 09:43 +0000, HarryCiao wrote:
> > Why "cclass"? most of the code uses tclass (which might mean 'target
> > class' but I'm not sure)
> 
> Well, I intended to use "class" but it is a reserved GCC identifier.
> 
> The class could be the subject class, that is, the "process" class, or
> could be the newly object class, so tclass(target class) won't fit
> much here.
> 
> I will update it to "classes" which I think will be better than
> "cclass" :-)

tclass is more consistent with existing code, and it does mean "target
class", where target can be a subject or an object.  

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-24  9:56     ` HarryCiao
@ 2011-03-24 13:25       ` Stephen Smalley
  2011-03-25  6:25         ` HarryCiao
  0 siblings, 1 reply; 28+ messages in thread
From: Stephen Smalley @ 2011-03-24 13:25 UTC (permalink / raw)
  To: HarryCiao; +Cc: qingtao.cao, jmorris, eparis, selinux-mailing-list

On Thu, 2011-03-24 at 09:56 +0000, HarryCiao wrote:
> Hi Stephen,
> 
> > Subject: Re: [v0 PATCH 2/3] SELinux: Compute role in newcontext for
> all classes
> > From: sds@tycho.nsa.gov
> > To: qingtao.cao@windriver.com
> > CC: jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> > Date: Wed, 23 Mar 2011 09:31:52 -0400
> > 
> > On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> > > From: Harry Ciao <harrytaurus200@hotmail.com>
> > > 
> > > For the process class, the role_trans.type is compared with
> > > tcontext->type, that is, the program executable type.
> > > 
> > > For all the rest classes, the role_trans.type is compared with
> > > newcontext.type, that is, the type for the newly created object
> > > of that class.
> > 
> > I don't understand why you aren't applying the logic consistently
> > for all classes. Compare with range_trans handling. Also, if we think
> > there will be any significant number of these role_trans rules, you
> > might want to go ahead and start using a hashtab as was later done
> > for range_trans for efficient lookup.
> 
> Suppose we have below role_transition rule:
> 
> role_transition sysadm_r user_home_t : dir sysadm_r;
> 
> If roletr->type is compared with newcontext.type, then it means that if
> sysadm_r is creating a directory object with type equal to
> user_home_t, then the directory object will have a role of sysadm_r.
> 
> However, if roletr->type is compared with tcontext->type, then the
> semantics would be changed to that any objects of any class created by
> sysadm_r in a directory object of the user_home_t type would have
> their role set to sysadm_r, since in selinux_inode_init_security(),
> dir->i_security is passed as tsid always.
> 
> I guess the former approach could have much more refined control over the
> objects' role: if objects are of different types, then they could
> assume different roles, not necessarily all files in one directory
> have to share the same role.
> 
> What do you think?

Compare with type_transition or range_transition semantics.
type_transition sysadm_t tmp_t : sock_file sysadm_tmp_t;
means when a sysadm_t (scontext->type) process creates a socket file
(tclass) object in a directory labeled tmp_t (tcontext->type), then
label the socket file with sysadm_tmp_t (newcontext->type).

type_transition sysadm_t sshd_exec_t:process sshd_t;
means when a sysadm_t (scontext->type) process executes a sshd_exec_t
(tcontext->type) file, then label the new process (tclass) with sshd_t
(newcontext->type).

See how they are consistently applied regardless of whether it is a
process or object class?

-- 
Stephen Smalley
National Security Agency


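Stephen Smalley's point above is that the rule key is (scontext->role, tcontext->type, tclass) for every class, process included. Below is an added C model of that role lookup, written for this editing pass rather than taken from the kernel or the patches; the enum ids, the `compute_new_role` name and the two constructed rules (Harry's dir example and the vlock rule from the test snippet at the top of the thread) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed ids for this model; a real policydb assigns its own values. */
enum { ROLE_OBJECT_R = 1, ROLE_SYSADM_R, ROLE_SYSTEM_R, ROLE_USER_R };
enum { TYPE_USER_HOME_T = 1, TYPE_VLOCK_EXEC_T };
enum { CLASS_PROCESS = 1, CLASS_FILE, CLASS_DIR };

/* role_trans as the patch series extends it: tclass is the class of the
 * object being created ("process" on exec). */
struct role_trans {
	uint32_t role;     /* matched against scontext->role */
	uint32_t type;     /* matched against tcontext->type: the executable on
	                    * exec, the parent directory for file-like classes */
	uint32_t tclass;
	uint32_t new_role;
	const struct role_trans *next;
};

/* Role step of a compute_sid-style lookup. The default is the subject's own
 * role for process and object_r for every other class; a role_trans rule
 * matching (role, type, tclass) then overrides it, the same way
 * type_transition matches (type, type, tclass). */
uint32_t compute_new_role(const struct role_trans *rules, uint32_t scontext_role,
			  uint32_t tcontext_type, uint32_t tclass)
{
	uint32_t new_role = tclass == CLASS_PROCESS ? scontext_role : ROLE_OBJECT_R;
	const struct role_trans *rt;

	for (rt = rules; rt; rt = rt->next) {
		if (rt->role == scontext_role && rt->type == tcontext_type &&
		    rt->tclass == tclass) {
			new_role = rt->new_role;
			break;
		}
	}
	return new_role;
}

/* Constructed policy, two rules from the thread:
 * role_transition sysadm_r user_home_t : dir sysadm_r;
 * role_transition sysadm_r vlock_exec_t system_r;   (class defaults to process) */
static const struct role_trans rule_dir = {
	ROLE_SYSADM_R, TYPE_USER_HOME_T, CLASS_DIR, ROLE_SYSADM_R, NULL
};
const struct role_trans rule_exec = {
	ROLE_SYSADM_R, TYPE_VLOCK_EXEC_T, CLASS_PROCESS, ROLE_SYSTEM_R, &rule_dir
};
```

With the class in the key, a file created by sysadm_r in a user_home_t directory stays object_r while a dir created there becomes sysadm_r, which is the distinction the discussion turns on.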

* RE: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-24 13:25       ` Stephen Smalley
@ 2011-03-25  6:25         ` HarryCiao
  0 siblings, 0 replies; 28+ messages in thread
From: HarryCiao @ 2011-03-25  6:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: qingtao.cao, jmorris, eparis, selinux-mailing-list

Hi Stephen,

[cut]
> > 
> > Suppose we have below role_transition rule:
> > 
> > role_transition sysadm_r user_home_t : dir sysadm_r;
> > 
> > If roletr->type is compared with newcontext.type, then it means that if
> > sysadm_r is creating a directory object with type equal to
> > user_home_t, then the directory object will have a role of sysadm_r.
> > 
> > However, if roletr->type is compared with tcontext->type, then the
> > semantics would be changed to that any objects of any class created by
> > sysadm_r in a directory object of the user_home_t type would have
> > their role set to sysadm_r, since in selinux_inode_init_security(),
> > dir->i_security is passed as tsid always.
> > 
> > I guess the former approach could have much more refined control over the
> > objects' role: if objects are of different types, then they could
> > assume different roles, not necessarily all files in one directory
> > have to share the same role.
> > 
> > What do you think?
> 
> Compare with type_transition or range_transition semantics.
> type_transition sysadm_t tmp_t : sock_file sysadm_tmp_t;
> means when a sysadm_t (scontext->type) process creates a socket file
> (tclass) object in a directory labeled tmp_t (tcontext->type), then
> label the socket file with sysadm_tmp_t (newcontext->type).
> 
> type_transition sysadm_t sshd_exec_t:process sshd_t;
> means when a sysadm_t (scontext->type) process executes a sshd_exec_t
> (tcontext->type) file, then label the new process (tclass) with sshd_t
> (newcontext->type).
> 
> See how they are consistently applied regardless of whether it is a
> process or object class?
> 

Thanks for having the patience to correct me. Now I've got it: for newly created objects, the type field in both role_transition and type_transition rules is always the parent directory type, and we can still use the class field in both rules to specify which class of objects the rule applies to. So I am now clear that there won't be such a thing as "any object of any class in the same parent directory would have the same role"; please see the tests I've done.

Best regards,
Harry


> -- 
> Stephen Smalley
> National Security Agency
> 
> 

* RE: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-24 13:21       ` Stephen Smalley
@ 2011-03-25  6:28         ` HarryCiao
  0 siblings, 0 replies; 28+ messages in thread
From: HarryCiao @ 2011-03-25  6:28 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: eparis, qingtao.cao, jmorris, eparis, selinux-mailing-list

> Subject: RE: [v0 PATCH 1/3] SELinux: Add class support to the role_trans structure
> From: sds@tycho.nsa.gov
> To: harrytaurus2002@hotmail.com
> CC: eparis@redhat.com; qingtao.cao@windriver.com; jmorris@namei.org; eparis@parisplace.org; selinux@tycho.nsa.gov
> Date: Thu, 24 Mar 2011 09:21:01 -0400
> 
> On Thu, 2011-03-24 at 09:43 +0000, HarryCiao wrote:
> > > Why "cclass"? most of the code uses tclass (which might mean 'target
> > > class' but I'm not sure)
> > 
> > Well, I intended to use "class" but it is a reserved GCC identifier.
> > 
> > The class could be the subject class, that is, the "process" class, or
> > could be the new object class, so tclass (target class) won't fit
> > much here.
> > 
> > I will update it to "classes" which I think will be better than
> > "cclass" :-)
> 
> tclass is more consistent with existing code, and it does mean "target
> class", where target can be a subject or an object.  

Sure, I will correct it in the v2 patches.

Thanks!

Harry

> 
> -- 
> Stephen Smalley
> National Security Agency
> 
> 
