[PATCH 0/4] APOL Enhancements to support additional policy features

[PATCH 0/4] APOL Enhancements to support additional policy features

[Richard Haines]

These four patches will update setools-3.3.8.tar.bz2 available from
http://oss.tresys.com/projects/setools/wiki/download

I know this is not being fully supported but as I use APOL frequently
I thought I would update it to support the latest policy version 29 (I
could be the only user!!!). Tested on latest Fedora 20 x86_64

The enhancements and bug fixes are listed below. All patches should be
applied to setools-3.3.8 and then built as follows:

  autoreconf -i -s
  ./configure
  make
  make install

This will put the binaries in /usr/local/bin, data files in
/usr/local/share/setool-3.3, and libraries in /usr/local/lib.
Assuming that /usr/local/bin is in your $PATH and /usr/local/lib in
$LD_LIBRARY_PATH everything should now work.

PATH=/usr/local/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/lib

APOL enhancements and bug fixes
-------------------------------
* Add permissive type and typebound support to Types tab.
* Add new Constraints tab to search all constraint statements.
* Add new Bounds tab to search for userbound, rolebound and
  typebound statements.
* Add new policy capabilities tab.
* Add filename type_transition support on TE Rules tab.
* Add new Default Object tab to support defaultuser, defaultrole,
  defaulttype and defaultrange rules.
* Add new Namespaces tab to list CIL namespaces. This will also
  show any users, roles, types, classes, booleans, sensitivities
  and categories declared in each namespace. A global namespace is
  automatically generated (GLOBAL-NS).
* Update Query/Policy Summary page to show the number of new
  rules added plus the policy handle_unknown flag.
* Fixed File Contexts tab to stop hang when building the fc
  index when broken links/files found (libsefs). Also fixes indexcon util.
* Fixed Booleans tab to display CIL namespace booleans.
* Updated apol_help.txt to reflect the changes made plus how to
  load the running policy.

Richard Haines (4):
  setools: APOL Add constraints and filename transition support
  setools: APOL Add support for permissive types, polcaps, handle_unknown
  setools: APOL Add type, user, role bounds support
  setools: APOL Add default_objects and CIL policy namespaces tabs

 ChangeLog                                   |   26 +
 apol/Makefile.am                            |    5 +
 apol/apol_help.txt                          |   90 +-
 apol/bounds_tab.tcl                         |  433 ++++++++
 apol/cond_bools_tab.tcl                     |   12 +-
 apol/constraints_tab.tcl                    | 1589 +++++++++++++++++++++++++++
 apol/default_objects_tab.tcl                |  370 +++++++
 apol/initial_sids_tab.tcl                   |    2 +-
 apol/namespaces_tab.tcl                     |  206 ++++
 apol/polcap_tab.tcl                         |   73 ++
 apol/terules_tab.tcl                        |  201 +++-
 apol/top.tcl                                |  213 +++-
 apol/types_tab.tcl                          |   77 +-
 libapol/include/apol/Makefile.am            |    2 +
 libapol/include/apol/bounds-query.h         |  177 +++
 libapol/include/apol/default-object-query.h |   78 ++
 libapol/include/apol/ftrule-query.h         |   14 +-
 libapol/include/apol/policy-query.h         |    2 +
 libapol/include/apol/policy.h               |    9 +
 libapol/src/Makefile.am                     |    2 +
 libapol/src/bounds-query.c                  |  216 ++++
 libapol/src/default-object-query.c          |   87 ++
 libapol/src/ftrule-query.c                  |    4 +-
 libapol/src/libapol.map                     |    4 +
 libapol/src/policy-query-internal.h         |   19 +
 libapol/src/policy-query.c                  |   23 +
 libapol/src/policy.c                        |    9 +
 libapol/swig/apol.i                         |  311 ++++++
 libqpol/include/qpol/Makefile.am            |    2 +
 libqpol/include/qpol/bounds_query.h         |  162 +++
 libqpol/include/qpol/default_object_query.h |  113 ++
 libqpol/include/qpol/policy.h               |   24 +-
 libqpol/src/Makefile.am                     |    2 +
 libqpol/src/bounds_query.c                  |  332 ++++++
 libqpol/src/constraint_query.c              |    9 +-
 libqpol/src/default_object_query.c          |  290 +++++
 libqpol/src/libqpol.map                     |    5 +
 libqpol/src/policy.c                        |   68 ++
 libqpol/swig/qpol.i                         |  372 ++++++-
 libsefs/src/db.cc                           |    9 +-
 libsefs/src/new_ftw.c                       |    6 +-
 41 files changed, 5620 insertions(+), 28 deletions(-)
 create mode 100644 apol/bounds_tab.tcl
 create mode 100644 apol/constraints_tab.tcl
 create mode 100644 apol/default_objects_tab.tcl
 create mode 100644 apol/namespaces_tab.tcl
 create mode 100644 apol/polcap_tab.tcl
 create mode 100644 libapol/include/apol/bounds-query.h
 create mode 100644 libapol/include/apol/default-object-query.h
 create mode 100644 libapol/src/bounds-query.c
 create mode 100644 libapol/src/default-object-query.c
 create mode 100644 libqpol/include/qpol/bounds_query.h
 create mode 100644 libqpol/include/qpol/default_object_query.h
 create mode 100644 libqpol/src/bounds_query.c
 create mode 100644 libqpol/src/default_object_query.c

-- 
1.9.0

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Christopher J. PeBenito]

On 04/08/2014 10:52 AM, Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 
> I know this is not being fully supported but as I use APOL frequently
> I thought I would update it to support the latest policy version 29 (I
> could be the only user!!!). Tested on latest Fedora 20 x86_64

Thanks, we'll take a look at these.  You're not the only user, as we use it internally at Tresys a lot.  Actually, we're in the process of prototyping SETools 4.  There are a few things that have been a challenge for maintaining SETools over the years:

* Libsepol is only designed for building the policy, not analyzing the policy:  It doesn't have an API that's conducive to querying the policy (it didn't even exist when SETools started).  SETools' source policy parsers have to be copied from checkpolicy/checkmodule.
* It's over 10 years old and has been very evolutionary in its development (hence tk and gtk toolkits, for example)
* A (nearly) full C implementation is fast, but we have our own implementations of functions/structures come built-in on OO languages.

So we're looking at the possibility of reimplementing SETools in Python.  That brings in a huge amount of capability.  For example, libapol has it's own vector implementation, which can be replaced with Python lists (or sets) and all their functions.  Similarly, we're evaluating the NetworkX graph library as a basis for the information flow and domain transition analyses.

Additionally, we'd like to see if some form of the libqpol API (or something similar) could be upstreamed into libsepol (or be a new upstream library).  It was discussed before at some point after the SETools dependency in audit2allow got upstreamed, but didn't really end in any implementation.

We're not quite ready for shifting to public development (we're not even set on Python yet, though it's very likely), but we'll let the list know when that happens.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Daniel J Walsh]

We have a hole series of patches for setools also, that have never made
it upstream.


On 04/08/2014 11:38 AM, Christopher J. PeBenito wrote:
> On 04/08/2014 10:52 AM, Richard Haines wrote:
>> These four patches will update setools-3.3.8.tar.bz2 available from
>> http://oss.tresys.com/projects/setools/wiki/download
>>
>> I know this is not being fully supported but as I use APOL frequently
>> I thought I would update it to support the latest policy version 29 (I
>> could be the only user!!!). Tested on latest Fedora 20 x86_64
> Thanks, we'll take a look at these.  You're not the only user, as we use it internally at Tresys a lot.  Actually, we're in the process of prototyping SETools 4.  There are a few things that have been a challenge for maintaining SETools over the years:
>
> * Libsepol is only designed for building the policy, not analyzing the policy:  It doesn't have an API that's conducive to querying the policy (it didn't even exist when SETools started).  SETools' source policy parsers have to be copied from checkpolicy/checkmodule.
> * It's over 10 years old and has been very evolutionary in its development (hence tk and gtk toolkits, for example)
> * A (nearly) full C implementation is fast, but we have our own implementations of functions/structures come built-in on OO languages.
>
> So we're looking at the possibility of reimplementing SETools in Python.  That brings in a huge amount of capability.  For example, libapol has it's own vector implementation, which can be replaced with Python lists (or sets) and all their functions.  Similarly, we're evaluating the NetworkX graph library as a basis for the information flow and domain transition analyses.
>
> Additionally, we'd like to see if some form of the libqpol API (or something similar) could be upstreamed into libsepol (or be a new upstream library).  It was discussed before at some point after the SETools dependency in audit2allow got upstreamed, but didn't really end in any implementation.
>
> We're not quite ready for shifting to public development (we're not even set on Python yet, though it's very likely), but we'll let the list know when that happens.
>

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Steve Lawrence]

On 04/08/2014 11:57 AM, Daniel J Walsh wrote:
> We have a hole series of patches for setools also, that have never made
> it upstream.

About a year ago we merged some of your patches in and released setools
3.3.8 [1]. I see Fedora is still on 3.3.7, so many of your patches may
already have been upstreamed. But if there's anything we missed, please
send them our way. We'd be happy to review them and get them merged in.
Though, as mentioned in a previous email, it might take 2-3 weeks before
we can get to them.

Thanks,
- Steve

[1] http://oss.tresys.com/projects/setools/wiki/download

> On 04/08/2014 11:38 AM, Christopher J. PeBenito wrote:
>> On 04/08/2014 10:52 AM, Richard Haines wrote:
>>> These four patches will update setools-3.3.8.tar.bz2 available from
>>> http://oss.tresys.com/projects/setools/wiki/download
>>>
>>> I know this is not being fully supported but as I use APOL frequently
>>> I thought I would update it to support the latest policy version 29 (I
>>> could be the only user!!!). Tested on latest Fedora 20 x86_64
>> Thanks, we'll take a look at these.  You're not the only user, as we use it internally at Tresys a lot.  Actually, we're in the process of prototyping SETools 4.  There are a few things that have been a challenge for maintaining SETools over the years:
>>
>> * Libsepol is only designed for building the policy, not analyzing the policy:  It doesn't have an API that's conducive to querying the policy (it didn't even exist when SETools started).  SETools' source policy parsers have to be copied from checkpolicy/checkmodule.
>> * It's over 10 years old and has been very evolutionary in its development (hence tk and gtk toolkits, for example)
>> * A (nearly) full C implementation is fast, but we have our own implementations of functions/structures come built-in on OO languages.
>>
>> So we're looking at the possibility of reimplementing SETools in Python.  That brings in a huge amount of capability.  For example, libapol has it's own vector implementation, which can be replaced with Python lists (or sets) and all their functions.  Similarly, we're evaluating the NetworkX graph library as a basis for the information flow and domain transition analyses.
>>
>> Additionally, we'd like to see if some form of the libqpol API (or something similar) could be upstreamed into libsepol (or be a new upstream library).  It was discussed before at some point after the SETools dependency in audit2allow got upstreamed, but didn't really end in any implementation.
>>
>> We're not quite ready for shifting to public development (we're not even set on Python yet, though it's very likely), but we'll let the list know when that happens.
>>
> 

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Richard Haines]

Thanks for the update. I look forward to SETools version 4

Richard



----- Original Message -----
From: Christopher J. PeBenito <cpebenito@tresys.com>
To: Richard Haines <richard_c_haines@btinternet.com>; selinux@tycho.nsa.gov; setools-bugs@tresys.com
Cc: 
Sent: Tuesday, 8 April 2014, 16:38
Subject: Re: [PATCH 0/4] APOL Enhancements to support additional policy features

On 04/08/2014 10:52 AM, Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 
> I know this is not being fully supported but as I use APOL frequently
> I thought I would update it to support the latest policy version 29 (I
> could be the only user!!!). Tested on latest Fedora 20 x86_64

Thanks, we'll take a look at these.  You're not the only user, as we use it internally at Tresys a lot.  Actually, we're in the process of prototyping SETools 4.  There are a few things that have been a challenge for maintaining SETools over the years:

* Libsepol is only designed for building the policy, not analyzing the policy:  It doesn't have an API that's conducive to querying the policy (it didn't even exist when SETools started).  SETools' source policy parsers have to be copied from checkpolicy/checkmodule.
* It's over 10 years old and has been very evolutionary in its development (hence tk and gtk toolkits, for example)
* A (nearly) full C implementation is fast, but we have our own implementations of functions/structures come built-in on OO languages.

So we're looking at the possibility of reimplementing SETools in Python.  That brings in a huge amount of capability.  For example, libapol has it's own vector implementation, which can be replaced with Python lists (or sets) and all their functions.  Similarly, we're evaluating the NetworkX graph library as a basis for the information flow and domain transition analyses.

Additionally, we'd like to see if some form of the libqpol API (or something similar) could be upstreamed into libsepol (or be a new upstream library).  It was discussed before at some point after the SETools dependency in audit2allow got upstreamed, but didn't really end in any implementation.

We're not quite ready for shifting to public development (we're not even set on Python yet, though it's very likely), but we'll let the list know when that happens.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Steve Lawrence]

On 04/08/2014 10:52 AM, Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 

Thanks for the patchset! We would love to have apol updated to support
the latest toolchain better. Just a heads up though, this is a pretty
sizable patchset with some pieces I'm not too familiar with (i.e. tcl),
and I'll be on vacation next week, so it might take 2-3 weeks before we
can fully review this and merged it into setools.

Thanks!
- Steve

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Richard Haines]

Most of the libapol/libqpol changes are based on the current structure for adding new statements etc.
Likewise for the tcl/tk. The only two areas I had problems were:

1) libsefs/src/new_ftw.c - This area caused the apol and indexcon to hang when broken links found.
   I could not understand why the code was there so just did a kludge:
-#if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK
+/* If this is used on Linux (Fedora) when a sym link or file is broken,
+   the file context function will hang forever:
+       #if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK
+   Therefore changed to this so uses Linux lstat function. */
+#if _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK

2) When coding the iter functions in libqpol (e.g. qpol_policy_get_default_object_iter)
   I could not see how this worked so I just used the base object count
  (e.g. number of classes - as these held the default object_items), and then counted
  each default_object in top.tcl to arrive at the actual number of default_objects. I did the
  same for userbounds etc.

Richard




----- Original Message -----
From: Steve Lawrence <slawrence@tresys.com>
To: Richard Haines <richard_c_haines@btinternet.com>; selinux@tycho.nsa.gov; setools-bugs@tresys.com
Cc: 
Sent: Tuesday, 8 April 2014, 18:51
Subject: Re: [PATCH 0/4] APOL Enhancements to support additional policy features

On 04/08/2014 10:52 AM, Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 

Thanks for the patchset! We would love to have apol updated to support
the latest toolchain better. Just a heads up though, this is a pretty
sizable patchset with some pieces I'm not too familiar with (i.e. tcl),
and I'll be on vacation next week, so it might take 2-3 weeks before we
can fully review this and merged it into setools.

Thanks!
- Steve

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Joshua Brindle]

Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
>
> I know this is not being fully supported but as I use APOL frequently
> I thought I would update it to support the latest policy version 29 (I
> could be the only user!!!). Tested on latest Fedora 20 x86_64
>

We use it quite a bit too so thank you very much.

Since we wanted to try out the patches, and because of my disdain for 
subversion I put up an (unofficial) git mirror that includes your 
patches on github at:

https://github.com/QuarkSecurity/setools

And to make it easier for others to try them out we posted some rpms:

https://quarksecurity.com/files/RPMS/

Oh, your ChangeLog change had to be rebased, as SVN trunk had an 
additional comment. I also fixed it to be tabs since that is the 
standard for that file.

Thanks!

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Richard Haines]

Hope the patches are useful. I'm now attempting to produce a patch to support the
APOL source policy tab to version 29 - but I may be some time.




----- Original Message -----
From: Joshua Brindle <brindle@quarksecurity.com>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: selinux@tycho.nsa.gov; setools-bugs@tresys.com
Sent: Wednesday, 9 April 2014, 18:17
Subject: Re: [PATCH 0/4] APOL Enhancements to support additional policy features

Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 
> I know this is not being fully supported but as I use APOL frequently
> I thought I would update it to support the latest policy version 29 (I
> could be the only user!!!). Tested on latest Fedora 20 x86_64
> 

We use it quite a bit too so thank you very much.

Since we wanted to try out the patches, and because of my disdain for subversion I put up an (unofficial) git mirror that includes your patches on github at:

https://github.com/QuarkSecurity/setools

And to make it easier for others to try them out we posted some rpms:

https://quarksecurity.com/files/RPMS/

Oh, your ChangeLog change had to be rebased, as SVN trunk had an additional comment. I also fixed it to be tabs since that is the standard for that file.

Thanks!

Re: [PATCH 0/4] APOL Enhancements to support additional policy features

[Steve Lawrence]

On 04/08/2014 10:52 AM, Richard Haines wrote:
> These four patches will update setools-3.3.8.tar.bz2 available from
> http://oss.tresys.com/projects/setools/wiki/download
> 
> I know this is not being fully supported but as I use APOL frequently
> I thought I would update it to support the latest policy version 29 (I
> could be the only user!!!). Tested on latest Fedora 20 x86_64
> 
> The enhancements and bug fixes are listed below. All patches should be
> applied to setools-3.3.8 and then built as follows:
> 
>   autoreconf -i -s
>   ./configure
>   make
>   make install
> 
> This will put the binaries in /usr/local/bin, data files in
> /usr/local/share/setool-3.3, and libraries in /usr/local/lib.
> Assuming that /usr/local/bin is in your $PATH and /usr/local/lib in
> $LD_LIBRARY_PATH everything should now work.
> 
> PATH=/usr/local/bin:$PATH
> export LD_LIBRARY_PATH=/usr/local/lib
> 
> APOL enhancements and bug fixes
> -------------------------------
> * Add permissive type and typebound support to Types tab.
> * Add new Constraints tab to search all constraint statements.
> * Add new Bounds tab to search for userbound, rolebound and
>   typebound statements.
> * Add new policy capabilities tab.
> * Add filename type_transition support on TE Rules tab.
> * Add new Default Object tab to support defaultuser, defaultrole,
>   defaulttype and defaultrange rules.
> * Add new Namespaces tab to list CIL namespaces. This will also
>   show any users, roles, types, classes, booleans, sensitivities
>   and categories declared in each namespace. A global namespace is
>   automatically generated (GLOBAL-NS).
> * Update Query/Policy Summary page to show the number of new
>   rules added plus the policy handle_unknown flag.
> * Fixed File Contexts tab to stop hang when building the fc
>   index when broken links/files found (libsefs). Also fixes indexcon util.
> * Fixed Booleans tab to display CIL namespace booleans.
> * Updated apol_help.txt to reflect the changes made plus how to
>   load the running policy.
> 

All patches look good and applied. Thanks!

- Steve