File context not applied due to regex ordering

File context not applied due to regex ordering

[Laurent Bigonville]

Hello,

I remember that I already talk about this on IRC a while back, but I
don't remember if there was any outcome.

The refpolicy is containing the following filecontext:

/usr/(s)?bin/gdm(3)?    --      gen_context(system_u:object_r:xdm_exec_t,s0)

But for some reasons /usr/sbin/gdm3 is labeled on disk as bin_t instead
of xdm_exec_t. matchpathcon is giving me this:

/usr/bin/gdm	system_u:object_r:xdm_exec_t:SystemLow
/usr/bin/gdm3	system_u:object_r:xdm_exec_t:SystemLow
/usr/sbin/gdm	system_u:object_r:bin_t:SystemLow
/usr/sbin/gdm3	system_u:object_r:bin_t:SystemLow

Changing the regex to /usr/s?bin/gdm(3)? fix the issue.

Shouldn't this be fixed in the userspace libraries?

Cheers

Laurent Bigonville

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: File context not applied due to regex ordering

[Christopher J. PeBenito]

On 03/21/13 07:32, Laurent Bigonville wrote:
> Hello,
> 
> I remember that I already talk about this on IRC a while back, but I
> don't remember if there was any outcome.
> 
> The refpolicy is containing the following filecontext:
> 
> /usr/(s)?bin/gdm(3)?    --      gen_context(system_u:object_r:xdm_exec_t,s0)
> 
> But for some reasons /usr/sbin/gdm3 is labeled on disk as bin_t instead
> of xdm_exec_t. matchpathcon is giving me this:
> 
> /usr/bin/gdm	system_u:object_r:xdm_exec_t:SystemLow
> /usr/bin/gdm3	system_u:object_r:xdm_exec_t:SystemLow
> /usr/sbin/gdm	system_u:object_r:bin_t:SystemLow
> /usr/sbin/gdm3	system_u:object_r:bin_t:SystemLow
> 
> Changing the regex to /usr/s?bin/gdm(3)? fix the issue.
> 
> Shouldn't this be fixed in the userspace libraries?

I'm not clear; are you saying this is a file context sorting issue or a matchpathcon error?  Matchpathcon should be able to handle a regex with ()? so I'd guess its a sorting issue.  Since sorting file contexts is tricky, it would probably be simpler to fix the policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: File context not applied due to regex ordering

[Laurent Bigonville]

Le Mon, 1 Apr 2013 11:58:32 -0400,
"Christopher J. PeBenito" <cpebenito@tresys.com> a écrit :

> On 03/21/13 07:32, Laurent Bigonville wrote:
> > Hello,
> > 
> > I remember that I already talk about this on IRC a while back, but I
> > don't remember if there was any outcome.
> > 
> > The refpolicy is containing the following filecontext:
> > 
> > /usr/(s)?bin/gdm(3)?    --
> > gen_context(system_u:object_r:xdm_exec_t,s0)
> > 
> > But for some reasons /usr/sbin/gdm3 is labeled on disk as bin_t
> > instead of xdm_exec_t. matchpathcon is giving me this:
> > 
> > /usr/bin/gdm	system_u:object_r:xdm_exec_t:SystemLow
> > /usr/bin/gdm3	system_u:object_r:xdm_exec_t:SystemLow
> > /usr/sbin/gdm	system_u:object_r:bin_t:SystemLow
> > /usr/sbin/gdm3	system_u:object_r:bin_t:SystemLow
> > 
> > Changing the regex to /usr/s?bin/gdm(3)? fix the issue.
> > 
> > Shouldn't this be fixed in the userspace libraries?
> 
> I'm not clear; are you saying this is a file context sorting issue or
> a matchpathcon error?  Matchpathcon should be able to handle a regex
> with ()? so I'd guess its a sorting issue.  Since sorting file
> contexts is tricky, it would probably be simpler to fix the policy.
> 

I don't think this is a matchpathcon error only as the fc applied on
disk by restorecon are matching the one returned by matchpathcon.

I remember during the discussion on IRC that somebody said that it might
be related to the order the regex were ordered but nothing more.

I'll propose a patch to fix this particular case, but can we be sure
this is not happening in other places too?

Cheers

Laurent Bigonville


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: File context not applied due to regex ordering

[Eric Paris]

I feel like we talked about it...  Regex ordering is a bit tricky.  I
think I hacked up a patch which added an additional tie breaker step
with the total number of 'non-regex' type characters being used.  It's
been long lost though...

Do you still have that hack around?  Maybe we can see what others think?

On Mon, Apr 1, 2013 at 12:55 PM, Laurent Bigonville <bigon@debian.org> wrote:
> Le Mon, 1 Apr 2013 11:58:32 -0400,
> "Christopher J. PeBenito" <cpebenito@tresys.com> a écrit :
>
>> On 03/21/13 07:32, Laurent Bigonville wrote:
>> > Hello,
>> >
>> > I remember that I already talk about this on IRC a while back, but I
>> > don't remember if there was any outcome.
>> >
>> > The refpolicy is containing the following filecontext:
>> >
>> > /usr/(s)?bin/gdm(3)?    --
>> > gen_context(system_u:object_r:xdm_exec_t,s0)
>> >
>> > But for some reasons /usr/sbin/gdm3 is labeled on disk as bin_t
>> > instead of xdm_exec_t. matchpathcon is giving me this:
>> >
>> > /usr/bin/gdm        system_u:object_r:xdm_exec_t:SystemLow
>> > /usr/bin/gdm3       system_u:object_r:xdm_exec_t:SystemLow
>> > /usr/sbin/gdm       system_u:object_r:bin_t:SystemLow
>> > /usr/sbin/gdm3      system_u:object_r:bin_t:SystemLow
>> >
>> > Changing the regex to /usr/s?bin/gdm(3)? fix the issue.
>> >
>> > Shouldn't this be fixed in the userspace libraries?
>>
>> I'm not clear; are you saying this is a file context sorting issue or
>> a matchpathcon error?  Matchpathcon should be able to handle a regex
>> with ()? so I'd guess its a sorting issue.  Since sorting file
>> contexts is tricky, it would probably be simpler to fix the policy.
>>
>
> I don't think this is a matchpathcon error only as the fc applied on
> disk by restorecon are matching the one returned by matchpathcon.
>
> I remember during the discussion on IRC that somebody said that it might
> be related to the order the regex were ordered but nothing more.
>
> I'll propose a patch to fix this particular case, but can we be sure
> this is not happening in other places too?
>
> Cheers
>
> Laurent Bigonville
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: File context not applied due to regex ordering

[Laurent Bigonville]

[-- Attachment #1: Type: text/plain, Size: 611 bytes --]

Le Mon, 1 Apr 2013 13:40:46 -0400,
Eric Paris <eparis@parisplace.org> a écrit :

> I feel like we talked about it...  Regex ordering is a bit tricky.  I
> think I hacked up a patch which added an additional tie breaker step
> with the total number of 'non-regex' type characters being used.  It's
> been long lost though...
> 
> Do you still have that hack around?  Maybe we can see what others
> think?

I definitely have a bad memory...

I grepped my IRC logs and found this patch[0] from you at the date of
the 28th of Sept 2012.

Cheers

Laurent Bigonville

[0] http://fpaste.org/p48W/

[-- Attachment #2: selinux_regex_stem.patch --]
[-- Type: text/x-patch, Size: 3123 bytes --]

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cd7ce68..5ee3b9f 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -128,6 +128,7 @@ typedef struct semanage_file_context_node {
 	char *context;
 	int path_len;
 	int effective_len;
+	int nonmeta_len;
 	int type_len;
 	int context_len;
 	int meta;		/* position of first meta char in path, -1 if none */
@@ -2000,6 +2001,12 @@ static int semanage_fc_compare(semanage_file_context_node_t * a,
 	if (b->meta < a->meta)
 		return 1;
 
+	/* total number of non meta chars? */
+	if (a->nonmeta_len < b->nonmeta_len)
+		return -1;
+	if (b->nonmeta_len < a->nonmeta_len)
+		return 1;
+
 	/* Check to see if either a or b have a shorter string
 	 *  length than the other. */
 	if (a->effective_len < b->effective_len)
@@ -2110,6 +2117,24 @@ static void semanage_fc_merge_sort(semanage_file_context_bucket_t * master)
 	}
 }
 
+static int is_meta_char(char c)
+{
+	switch (c) {
+	case '.':
+	case '^':
+	case '$':
+	case '?':
+	case '*':
+	case '+':
+	case '|':
+	case '[':
+	case '(':
+	case '{':
+		return 1;
+	}
+	return 0;
+}
+
 /* Compute the location of the first regular expression 
  *   meta character in the path of the given node, if it exists. 
  * On return:
@@ -2127,25 +2152,15 @@ static void semanage_fc_find_meta(semanage_file_context_node_t * fc_node)
 	 *  spec_hasMetaChars in matchpathcon.c from
 	 *  libselinux-1.22. */
 	while (fc_node->path[c] != '\0') {
-		switch (fc_node->path[c]) {
-		case '.':
-		case '^':
-		case '$':
-		case '?':
-		case '*':
-		case '+':
-		case '|':
-		case '[':
-		case '(':
-		case '{':
+		if (is_meta_char(fc_node->path[c])) {
 			fc_node->meta = c - escape_chars;
 			return;
-		case '\\':
+		}
+		if (fc_node->path[c] == '\\') {
 			/* If an escape character is found,
 			 *  skip the next character. */
 			c++;
 			escape_chars++;
-			break;
 		}
 
 		c++;
@@ -2208,7 +2223,7 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
 	ssize_t sanity_check;
 	const char *line_buf, *line_end;
 	char *sorted_buf_pos;
-	int escape_chars, just_saw_escape;
+	int escape_chars, just_saw_escape, meta_chars;
 
 	semanage_file_context_node_t *temp;
 	semanage_file_context_node_t *head;
@@ -2291,10 +2306,13 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
 		temp->next = NULL;
 
 		/* Extract the regular expression from the line. */
+		meta_chars = 0;
 		escape_chars = 0;
 		just_saw_escape = 0;
 		start = i;
 		while (i < line_len && (!isspace(line_buf[i]))) {
+			if (is_meta_char(line_buf[i]))
+				meta_chars++;
 			if (line_buf[i] == '\\') {
 				if (!just_saw_escape) {
 					escape_chars++;
@@ -2399,6 +2417,7 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
 		/* Initialize the data about the file context. */
 		temp->path_len = regex_len;
 		temp->effective_len = regex_len - escape_chars;
+		temp->nonmeta_len = regex_len - escape_chars - meta_chars;
 		temp->type_len = type_len;
 		temp->context_len = context_len;
 		semanage_fc_find_meta(temp);

Re: File context not applied due to regex ordering

[Laurent Bigonville]

Hi,

Did anybody had the time to look at this? Dominick and I have observed
this with other file contexts as well.

Cheers

Laurent Bigonville

Le Tue, 2 Apr 2013 11:41:05 +0200,
Laurent Bigonville <bigon@debian.org> a écrit :

> Le Mon, 1 Apr 2013 13:40:46 -0400,
> Eric Paris <eparis@parisplace.org> a écrit :
> 
> > I feel like we talked about it...  Regex ordering is a bit tricky.
> > I think I hacked up a patch which added an additional tie breaker
> > step with the total number of 'non-regex' type characters being
> > used.  It's been long lost though...
> > 
> > Do you still have that hack around?  Maybe we can see what others
> > think?
> 
> I definitely have a bad memory...
> 
> I grepped my IRC logs and found this patch[0] from you at the date of
> the 28th of Sept 2012.
> 
> Cheers
> 
> Laurent Bigonville
> 
> [0] http://fpaste.org/p48W/



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: File context not applied due to regex ordering

[Dominick Grift]

On Sat, 2013-09-28 at 11:29 +0200, Laurent Bigonville wrote:
> Hi,
> 
> Did anybody had the time to look at this? Dominick and I have observed
> this with other file contexts as well.

Yes there is inconsistent behavior when it comes to regular expressions
in file context files. Its very confusing.


> Cheers
> 
> Laurent Bigonville
> 
> Le Tue, 2 Apr 2013 11:41:05 +0200,
> Laurent Bigonville <bigon@debian.org> a écrit :
> 
> > Le Mon, 1 Apr 2013 13:40:46 -0400,
> > Eric Paris <eparis@parisplace.org> a écrit :
> > 
> > > I feel like we talked about it...  Regex ordering is a bit tricky.
> > > I think I hacked up a patch which added an additional tie breaker
> > > step with the total number of 'non-regex' type characters being
> > > used.  It's been long lost though...
> > > 
> > > Do you still have that hack around?  Maybe we can see what others
> > > think?
> > 
> > I definitely have a bad memory...
> > 
> > I grepped my IRC logs and found this patch[0] from you at the date of
> > the 28th of Sept 2012.
> > 
> > Cheers
> > 
> > Laurent Bigonville
> > 
> > [0] http://fpaste.org/p48W/
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.