From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: David Windsor <dwindsor@gmail.com>, SELinux <selinux@tycho.nsa.gov>
Subject: Re: I would like to change the behavior of MCS label creations in directory.
Date: Fri, 14 Oct 2011 11:57:47 -0400	[thread overview]
Message-ID: <4E985BFB.1000806@redhat.com> (raw)
In-Reply-To: <4E82123C.4070406@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 918 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>

Eric and I have come up with the following syntax for this behaviour.

default_trans level dir_file_class_set parent;
default_trans user dir_file_class_set process;
default_trans role file parent;

We have developed a patch to checkpolicy that will parse this
syntax, although it does nothing with it yet; a patch for libsepol is still needed...

We have made these commands optional and I am placing them in the
policy/mcs file.  The default will be the current behavior.


ifdef(`enable_mcs',`
default_trans level dir_file_class_set parent;

#
# Define sensitivities
#
# MCS is single-sensitivity.

gen_sens(1)

...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6YW/sACgkQrlYvE4MpobNlHACgqYKr4T3Bi5tp4cPb0ee5mw3q
I2UAn2trAI2BXOGu+JAbSx2RBNPuAvpd
=MWrk
-----END PGP SIGNATURE-----

[-- Attachment #2: checkpolicy.patch --]
[-- Type: text/plain, Size: 6778 bytes --]

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 1bf669c..7ec64aa 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -327,6 +327,39 @@ int define_initial_sid(void)
 	return -1;
 }
 
+int define_default_trans(int component, int from)
+{
+	char *id;
+	ebitmap_t e_tclasses;
+	class_datum_t *cladatum;
+
+	if (pass == 1) {
+		while ((id = queue_remove(id_queue)))
+			free(id);
+		return 0;
+	}
+
+	ebitmap_init(&e_tclasses);
+	while ((id = queue_remove(id_queue))) {
+		if (!is_id_in_scope(SYM_CLASSES, id)) {
+			yyerror2("class %s is not within scope", id);
+			return -1;
+		}
+		cladatum = hashtab_search(policydbp->p_classes.table, id);
+		if (!cladatum) {
+			yyerror2("unknown class %s", id);
+			return -1;
+		}
+		if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
+			yyerror("Out of memory");
+			return -1;
+		}
+		free(id);
+	}
+
+	return 0;
+}
+
 int define_common_perms(void)
 {
 	char *id = 0, *perm = 0;
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 92a9be7..2c881e1 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -13,6 +13,14 @@
 #define TRUE 1
 #define FALSE 0
 
+enum dt_enum {
+	DT_USER,
+	DT_ROLE,
+	DT_LEVEL,
+	DT_PROCESS,
+	DT_PARENT,
+};
+
 avrule_t *define_cond_compute_type(int which);
 avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
 avrule_t *define_cond_te_avtab(int which);
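Review bot: The new enum folds two independent value sets into one list — DT_USER/DT_ROLE/DT_LEVEL are the only legal values for define_default_trans's `component` and DT_PROCESS/DT_PARENT the only legal values for its `from` — and with both parameters typed `int` nothing in the header says so, nor can the compiler catch a swapped or mismatched call. A comment above the enum, e.g. `/* default_trans: component (DT_USER, DT_ROLE, DT_LEVEL) and source of the default (DT_PROCESS, DT_PARENT) */`, or splitting it into two enums used as the parameter types, would make the contract explicit.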
@@ -52,6 +60,7 @@ int define_role_types(void);
 int define_role_attr(void);
 int define_roleattribute(void);
 int define_filename_trans(void);
+int define_default_trans(int componnt, int from);
 int define_sens(void);
 int define_te_avtab(int which);
 int define_typealias(void);
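Review bot: The prototype's first parameter is spelled `componnt` while the definition in policy_define.c names it `component`; the compiler does not care, but the header is what callers read. `int define_default_trans(int component, int from);`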
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 49ac15f..86aa574 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -143,6 +143,9 @@ typedef int (* require_func_t)();
 %token POLICYCAP
 %token PERMISSIVE
 %token FILESYSTEM
+%token DEFAULT_TRANS
+%token PROCESS
+%token PARENT
 
 %left OR
 %left XOR
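Review bot: Declaring PROCESS and PARENT as tokens turns `process` and `parent` into reserved words for the whole policy language, not just for default_trans statements, since the matching scanner hunk in policy_scan.l returns them unconditionally. The later hunk that extends `identifier` re-admits PROCESS (needed because `process` is a standard object class name) but does nothing for PARENT, so any existing policy that uses `parent` as a type, role, user, attribute or class name stops parsing with this patch. Adding `| PARENT { if (insert_id(yytext,0)) return -1; }` alongside the PROCESS alternative of `identifier` restores that, assuming it does not introduce a grammar conflict in the positions where PARENT is expected as a terminal.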
@@ -157,10 +160,10 @@ base_policy             : { if (define_policy(pass, 0) == -1) return -1; }
                           classes initial_sids access_vectors
                           { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
                             else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
-			  opt_mls te_rbac users opt_constraints 
+			  default_trans_rules opt_mls te_rbac users opt_constraints 
                          { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
 			   else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
-			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts 
 			;
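Review bot: The second rewritten line of base_policy differs from the line it replaces only by a trailing space after `opt_dev_contexts`, and the first keeps the trailing space after `opt_constraints`; the intended change, inserting `default_trans_rules` before `opt_mls`, is fine, but the whitespace-only rewrite is noise in the diff and the kind of thing checkpatch-style tooling flags. Placing the rules after the pass-1 class indexing is consistent with define_default_trans looking the classes up in policydbp->p_classes. The base_policy rule starts outside the hunk.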
 classes			: class_def 
 			| classes class_def
@@ -176,6 +179,23 @@ initial_sid_def		: SID identifier
 			;
 access_vectors		: opt_common_perms av_perms
 			;
+default_trans_rules     : default_trans_def
+                        | default_trans_rules default_trans_def
+                        |
+                        ;
+default_trans_def	: DEFAULT_TRANS USER names PROCESS ';'
+			{if (define_default_trans(DT_USER, DT_PROCESS)) return -1;}
+			| DEFAULT_TRANS ROLE names PROCESS ';'
+			{if (define_default_trans(DT_ROLE, DT_PROCESS)) return -1;}
+			| DEFAULT_TRANS LEVEL names PROCESS ';'
+			{if (define_default_trans(DT_LEVEL, DT_PROCESS)) return -1;}
+			| DEFAULT_TRANS USER names PARENT ';'
+			{if (define_default_trans(DT_USER, DT_PARENT)) return -1;}
+			| DEFAULT_TRANS ROLE names PARENT ';'
+			{if (define_default_trans(DT_ROLE, DT_PARENT)) return -1;}
+			| DEFAULT_TRANS LEVEL names PARENT ';'
+			{if (define_default_trans(DT_LEVEL, DT_PARENT)) return -1;}
+			;
 opt_common_perms        : common_perms
                         |
                         ;
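Review bot: `default_trans_rules : default_trans_def | default_trans_rules default_trans_def | ;` has both a non-empty base case and an empty alternative, so on seeing DEFAULT_TRANS at the start of the list an LALR(1) parser can either reduce the empty rule or shift for the first alternative; yacc/bison should report a shift/reduce conflict and resolve it as a shift, which happens to work but leaves a warning behind. The file's existing optional lists avoid this by keeping the optional wrapper separate from the left-recursive list (opt_common_perms / common_perms); the shortest equivalent here is `default_trans_rules : | default_trans_rules default_trans_def ;`. The six alternatives of default_trans_def differ only in the two enum arguments, so a pair of nonterminals for the component and the source would reduce them to one action, though that is a matter of taste.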
@@ -353,7 +373,7 @@ cond_rule_def           : cond_transition_def
 			| require_block
 			{ $$ = NULL; }
                         ;
-cond_transition_def	: TYPE_TRANSITION names names ':' names identifier filename ';'
+cond_transition_def	: TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
                         { $$ = define_cond_filename_trans() ;
                           if ($$ == COND_ERR) return -1;}
 			| TYPE_TRANSITION names names ':' names identifier ';'
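Review bot: Both TYPE_TRANSITION rules, here and in the transition_def hunk below, now take the quotes as separate `'\"'` tokens, so the name pushed onto id_queue no longer carries its surrounding quote characters. define_cond_filename_trans() and define_filename_trans() are not touched by this patch; if either of them strips the first and last character of the queued name, as the old `\"...\"` FILENAME rule would have required, they will now clip the filename instead. Worth confirming against both callees, which are outside this patch. The enclosing cond_transition_def rule continues outside the hunk.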
@@ -391,7 +411,7 @@ cond_dontaudit_def	: DONTAUDIT names names ':' names names ';'
 			{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
                           if ($$ == COND_ERR) return -1; }
 		        ;
-transition_def		: TYPE_TRANSITION  names names ':' names identifier filename ';'
+transition_def		: TYPE_TRANSITION  names names ':' names identifier '\"' filename '\"' ';'
 			{if (define_filename_trans()) return -1; }
 			| TYPE_TRANSITION names names ':' names identifier ';'
                         {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
@@ -753,6 +773,8 @@ nested_id_element       : identifier | '-' { if (insert_id("-", 0)) return -1; }
                         ;
 identifier		: IDENTIFIER
 			{ if (insert_id(yytext,0)) return -1; }
+                        | PROCESS
+			{ if (insert_id(yytext,0)) return -1; }
 			;
 path     		: PATH
 			{ if (insert_id(yytext,0)) return -1; }
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index a61e0db..e7bdf9f 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -219,6 +219,12 @@ h2 |
 H2				{ return(H2); }
 policycap |
 POLICYCAP			{ return(POLICYCAP); }
+process |
+PROCESS				{ return(PROCESS); }
+parent |
+PARENT				{ return(PARENT); }
+default_trans |
+DEFAULT_TRANS			{ return(DEFAULT_TRANS); }
 permissive |
 PERMISSIVE			{ return(PERMISSIVE); }
 "/"({alnum}|[_\.\-/])*	        { return(PATH); }
@@ -227,9 +233,8 @@ PERMISSIVE			{ return(PERMISSIVE); }
 {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
-\"({alnum}|[_\.\-])+\"		{ return(FILENAME); }
 {alnum}*                        { return(FILENAME); }
-\.({alnum}|[_\.\-])*	        { return(FILENAME); }
+\.({alnum}|[_\.\-])+	        { return(FILENAME); }
 {letter}+([-_\.]|{alnum})+      { return(FILENAME); }
 ([_\.]){alnum}+                 { return(FILENAME); }
 #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
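Review bot: Dropping the `\"({alnum}|[_\.\-])+\"` rule means the text between the quotes is now scanned by the ordinary rules, so a quoted filename that spells a keyword — `\"process\"` or `\"parent\"`, both newly reserved by this patch, or any other scanner keyword — is returned as that keyword token rather than FILENAME and the type_transition no longer parses, where the old rule made the quoted form unambiguous. Either the `filename` nonterminal needs to admit those tokens, or a quoted-string rule that still returns FILENAME (with the quotes stripped in the action) keeps the old behaviour while letting the grammar see plain names. The `*` to `+` change on the leading-dot rule is fine: a bare `.` now falls through to the single-character rule instead of becoming an empty-looking FILENAME.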
@@ -253,6 +258,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
 "-" |
 "." |
 "]" |
+"\"" |
 "~" |
 "*"				{ return(yytext[0]); } 
 .                               { yywarn("unrecognized character");}
