sepol help

sepol help

[William Roberts]

I am working on a tool for parsing, and allowing overrides to occur in
seapp_contexts. I also want it to check the output selectors against
the compiled binary. After looking at sepol, it wasn't quite clear to
me how to get going with it. Can anyone give me function calls to do
something like this?

1. Load the compiled binary
2. Check to see if a boolean exists

-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

For anyone curios, the first round draft of the tool is here:

https://bitbucket.org/billcroberts/check_seapp

It is sans integration into Android's build system, its just the raw tool.

On Thu, Aug 23, 2012 at 7:01 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> I am working on a tool for parsing, and allowing overrides to occur in
> seapp_contexts. I also want it to check the output selectors against
> the compiled binary. After looking at sepol, it wasn't quite clear to
> me how to get going with it. Can anyone give me function calls to do
> something like this?
>
> 1. Load the compiled binary
> 2. Check to see if a boolean exists
>
> --
> Respectfully,
>
> William C Roberts



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Joshua Brindle]

William Roberts wrote:
> I am working on a tool for parsing, and allowing overrides to occur in
> seapp_contexts. I also want it to check the output selectors against
> the compiled binary. After looking at sepol, it wasn't quite clear to
> me how to get going with it. Can anyone give me function calls to do
> something like this?
>
> 1. Load the compiled binary

look at checkpolicy/test/dispol.c for examples. requires you to be 
statically linked against libsepol.

         fd = open(argv[1], O_RDONLY);
         if (fd < 0) {
...        }
         if (fstat(fd, &sb) < 0) {
...        }
         map =
             mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, 
fd, 0);
         if (map == MAP_FAILED) {
...        }
         policy_file_init(&pf);
         pf.type = PF_USE_MEMORY;
         pf.data = map;
         pf.len = sb.st_size;
         if (policydb_init(&policydb)) {
...        }
         ret = policydb_read(&policydb, &pf, 1);


> 2. Check to see if a boolean exists

bool = hashtab_search(policydb->p_bools.table, "some_boolean");
if (bool == null) {
	//no such boolean
}


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

Thanks  I will dig, try that!

On Thu, Aug 23, 2012 at 7:34 PM, Joshua Brindle <method@manicmethod.com> wrote:
> William Roberts wrote:
>>
>> I am working on a tool for parsing, and allowing overrides to occur in
>> seapp_contexts. I also want it to check the output selectors against
>> the compiled binary. After looking at sepol, it wasn't quite clear to
>> me how to get going with it. Can anyone give me function calls to do
>> something like this?
>>
>> 1. Load the compiled binary
>
>
> look at checkpolicy/test/dispol.c for examples. requires you to be
> statically linked against libsepol.
>
>         fd = open(argv[1], O_RDONLY);
>         if (fd < 0) {
> ...        }
>         if (fstat(fd, &sb) < 0) {
> ...        }
>         map =
>             mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
> 0);
>         if (map == MAP_FAILED) {
> ...        }
>         policy_file_init(&pf);
>         pf.type = PF_USE_MEMORY;
>         pf.data = map;
>         pf.len = sb.st_size;
>         if (policydb_init(&policydb)) {
> ...        }
>         ret = policydb_read(&policydb, &pf, 1);
>
>
>
>> 2. Check to see if a boolean exists
>
>
> bool = hashtab_search(policydb->p_bools.table, "some_boolean");
> if (bool == null) {
>         //no such boolean
> }
>



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

You got me with the cannot link as shared object....I was looking at
the text section going why wont it link, and then I tried static and
it worked. I should have paid more attention to that detail in your
email. So for all those make sure you link sepol statically.
Otherwise, thanks again.

On Thu, Aug 23, 2012 at 7:41 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> Thanks  I will dig, try that!
>
> On Thu, Aug 23, 2012 at 7:34 PM, Joshua Brindle <method@manicmethod.com> wrote:
>> William Roberts wrote:
>>>
>>> I am working on a tool for parsing, and allowing overrides to occur in
>>> seapp_contexts. I also want it to check the output selectors against
>>> the compiled binary. After looking at sepol, it wasn't quite clear to
>>> me how to get going with it. Can anyone give me function calls to do
>>> something like this?
>>>
>>> 1. Load the compiled binary
>>
>>
>> look at checkpolicy/test/dispol.c for examples. requires you to be
>> statically linked against libsepol.
>>
>>         fd = open(argv[1], O_RDONLY);
>>         if (fd < 0) {
>> ...        }
>>         if (fstat(fd, &sb) < 0) {
>> ...        }
>>         map =
>>             mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
>> 0);
>>         if (map == MAP_FAILED) {
>> ...        }
>>         policy_file_init(&pf);
>>         pf.type = PF_USE_MEMORY;
>>         pf.data = map;
>>         pf.len = sb.st_size;
>>         if (policydb_init(&policydb)) {
>> ...        }
>>         ret = policydb_read(&policydb, &pf, 1);
>>
>>
>>
>>> 2. Check to see if a boolean exists
>>
>>
>> bool = hashtab_search(policydb->p_bools.table, "some_boolean");
>> if (bool == null) {
>>         //no such boolean
>> }
>>
>
>
>
> --
> Respectfully,
>
> William C Roberts



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Stephen Smalley]

On Thu, 2012-08-23 at 19:01 -0700, William Roberts wrote:
> I am working on a tool for parsing, and allowing overrides to occur in
> seapp_contexts. I also want it to check the output selectors against
> the compiled binary. After looking at sepol, it wasn't quite clear to
> me how to get going with it. Can anyone give me function calls to do
> something like this?
> 
> 1. Load the compiled binary
> 2. Check to see if a boolean exists

When possible, try to use the shared library interfaces and exported
data structures (look for sepol_ prefixes) rather than the private ones.
For that reason, checkpolicy isn't a good example to use.

libsemanage uses only the shared library APIs.
libselinux/src/load_policy.c (in upstream selinux) uses only the shared
library APIs.
policycoreutils/setfiles/setfiles.c uses only the shared library APIs.

If that doesn't quite get you there, you can look at
libselinux/src/audit2why.c, which although it does use the static lib,
it at least tries to use the sepol_ data types and interfaces wherever
possible.


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Stephen Smalley]

On Thu, 2012-08-23 at 22:34 -0400, Joshua Brindle wrote:
> William Roberts wrote:
> > I am working on a tool for parsing, and allowing overrides to occur in
> > seapp_contexts. I also want it to check the output selectors against
> > the compiled binary. After looking at sepol, it wasn't quite clear to
> > me how to get going with it. Can anyone give me function calls to do
> > something like this?
> >
> > 1. Load the compiled binary
> 
> look at checkpolicy/test/dispol.c for examples. requires you to be 
> statically linked against libsepol.
> 
>          fd = open(argv[1], O_RDONLY);
>          if (fd < 0) {
> ...        }
>          if (fstat(fd, &sb) < 0) {
> ...        }
>          map =
>              mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, 
> fd, 0);
>          if (map == MAP_FAILED) {
> ...        }
>          policy_file_init(&pf);
>          pf.type = PF_USE_MEMORY;
>          pf.data = map;
>          pf.len = sb.st_size;
>          if (policydb_init(&policydb)) {
> ...        }
>          ret = policydb_read(&policydb, &pf, 1);
> 
> 
> > 2. Check to see if a boolean exists
> 
> bool = hashtab_search(policydb->p_bools.table, "some_boolean");
> if (bool == null) {
> 	//no such boolean
> }

libsemanage and/or libselinux/src/audit2why.c shows how to do this more
cleanly using the sepol_* interfaces.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Stephen Smalley]

On Thu, 2012-08-23 at 21:41 -0700, William Roberts wrote:
> You got me with the cannot link as shared object....I was looking at
> the text section going why wont it link, and then I tried static and
> it worked. I should have paid more attention to that detail in your
> email. So for all those make sure you link sepol statically.
> Otherwise, thanks again.

I'd prefer it if you could use the shared library instead, using its
interfaces.  Otherwise we have to rebuild your tool anytime the library
changes. 

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

I'm with you there, ill look into these new interfaces.

On Fri, Aug 24, 2012 at 5:10 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2012-08-23 at 21:41 -0700, William Roberts wrote:
>> You got me with the cannot link as shared object....I was looking at
>> the text section going why wont it link, and then I tried static and
>> it worked. I should have paid more attention to that detail in your
>> email. So for all those make sure you link sepol statically.
>> Otherwise, thanks again.
>
> I'd prefer it if you could use the shared library instead, using its
> interfaces.  Otherwise we have to rebuild your tool anytime the library
> changes.
>
> --
> Stephen Smalley
> National Security Agency
>



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

Ok so I have the boolean stuff in place using the sepol_ family of
functions. You can check out this work of the "dev" branch of this
repo....

https://bitbucket.org/billcroberts/check_seapp

After using that interface, checking the seboolean's was pretty
straightforward, Ill have to look into those other projects for
examples on how to check on the other output selectors:

domain
type
level

Are domain and type just going to be checked using the same function
that searches types, does anyone know offhand what this function is
before I start searching the examples Stephen provided me with?

Also on the level, currently we reformat the level on setcontext in android.c
snprintf(level, sizeof level, "%s:c%lu",
                                 context_range_get(ctx), id);

in the sepolicy lib their is sepol_mls_check that I am using, but I
need to convert the mls to a similar format and don't know what the
corresponding sepol call is for context_rage_get...

I looked in context.h and didn't see anything giving me back some data
I could use to recreate this, can someone (again) point me in the
right direction?

Thanks,
Bill

On Fri, Aug 24, 2012 at 2:22 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> I'm with you there, ill look into these new interfaces.
>
> On Fri, Aug 24, 2012 at 5:10 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Thu, 2012-08-23 at 21:41 -0700, William Roberts wrote:
>>> You got me with the cannot link as shared object....I was looking at
>>> the text section going why wont it link, and then I tried static and
>>> it worked. I should have paid more attention to that detail in your
>>> email. So for all those make sure you link sepol statically.
>>> Otherwise, thanks again.
>>
>> I'd prefer it if you could use the shared library instead, using its
>> interfaces.  Otherwise we have to rebuild your tool anytime the library
>> changes.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>
>
>
> --
> Respectfully,
>
> William C Roberts



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[William Roberts]

I tried getting mls prefix by doing:

sepol_context_create(pol.handle,&pol.con);
char *mls = sepol_context_get_mls(pol.con);

but mls is NULL. Not really sure if I am creating the handle and
context properly.

Bill

On Fri, Aug 24, 2012 at 4:56 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> Ok so I have the boolean stuff in place using the sepol_ family of
> functions. You can check out this work of the "dev" branch of this
> repo....
>
> https://bitbucket.org/billcroberts/check_seapp
>
> After using that interface, checking the seboolean's was pretty
> straightforward, Ill have to look into those other projects for
> examples on how to check on the other output selectors:
>
> domain
> type
> level
>
> Are domain and type just going to be checked using the same function
> that searches types, does anyone know offhand what this function is
> before I start searching the examples Stephen provided me with?
>
> Also on the level, currently we reformat the level on setcontext in android.c
> snprintf(level, sizeof level, "%s:c%lu",
>                                  context_range_get(ctx), id);
>
> in the sepolicy lib their is sepol_mls_check that I am using, but I
> need to convert the mls to a similar format and don't know what the
> corresponding sepol call is for context_rage_get...
>
> I looked in context.h and didn't see anything giving me back some data
> I could use to recreate this, can someone (again) point me in the
> right direction?
>
> Thanks,
> Bill
>
> On Fri, Aug 24, 2012 at 2:22 PM, William Roberts
> <bill.c.roberts@gmail.com> wrote:
>> I'm with you there, ill look into these new interfaces.
>>
>> On Fri, Aug 24, 2012 at 5:10 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Thu, 2012-08-23 at 21:41 -0700, William Roberts wrote:
>>>> You got me with the cannot link as shared object....I was looking at
>>>> the text section going why wont it link, and then I tried static and
>>>> it worked. I should have paid more attention to that detail in your
>>>> email. So for all those make sure you link sepol statically.
>>>> Otherwise, thanks again.
>>>
>>> I'd prefer it if you could use the shared library instead, using its
>>> interfaces.  Otherwise we have to rebuild your tool anytime the library
>>> changes.
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>
>>
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>
>
>
> --
> Respectfully,
>
> William C Roberts



-- 
Respectfully,

William C Roberts

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Stephen Smalley]

On Fri, 2012-08-24 at 19:35 -0700, William Roberts wrote:
> I tried getting mls prefix by doing:
> 
> sepol_context_create(pol.handle,&pol.con);
> char *mls = sepol_context_get_mls(pol.con);
> 
> but mls is NULL. Not really sure if I am creating the handle and
> context properly.

sepol_context_create() just creates an empty context record that you
then have to fill.  If you want to create it from an existing string
security context, then use sepol_context_from_string() to initialize it
and then you can use sepol_context_get_* to extract individual fields.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: sepol help

[Stephen Smalley]

On Fri, 2012-08-24 at 16:56 -0700, William Roberts wrote:
> Ok so I have the boolean stuff in place using the sepol_ family of
> functions. You can check out this work of the "dev" branch of this
> repo....
> 
> https://bitbucket.org/billcroberts/check_seapp
> 
> After using that interface, checking the seboolean's was pretty
> straightforward, Ill have to look into those other projects for
> examples on how to check on the other output selectors:
> 
> domain
> type
> level
> 
> Are domain and type just going to be checked using the same function
> that searches types, does anyone know offhand what this function is
> before I start searching the examples Stephen provided me with?

I'm not sure the shared lib exposes an interface for that functionality
presently.  It would be a single function for domains and types (as both
are "types" to SELinux), likely modeled after sepol_bool_exists().

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.