* string_to_av_perm behavior
@ 2015-05-22 16:12 Ted Toth
  2015-05-22 16:20 ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Toth @ 2015-05-22 16:12 UTC (permalink / raw)
  To: SELinux

./avperm
1 - av_perm 0
security class: 66
class db_tuple av select
2 - av_perm 8
3 - av_perm 8

Why does the first call to string_to_av_perm return 0? Something seems wrong here.

Ted

[-- Attachment #2: avperm.c --]

#include <stdio.h>
#include <selinux/selinux.h>
/* flask.h and av_permissions.h provide the hardcoded SECCLASS_* and
 * <CLASS>__<PERM> values used below (deprecated in newer libselinux). */
#include <selinux/flask.h>
#include <selinux/av_permissions.h>

int main(void) {
  const char *perm_name = "select";
  const char *class_name = "db_tuple";
  access_vector_t av_perm;      /* uint32_t bitmask */
  security_class_t sec_class;   /* uint16_t class number */

  /* 1: look up the permission using the hardcoded class value. */
  sec_class = SECCLASS_DB_TUPLE;
  av_perm = string_to_av_perm(sec_class, perm_name);
  printf("1 - av_perm %u\n", av_perm);

  /* 2: resolve the class by name, then look up the permission. */
  sec_class = string_to_security_class(class_name);
  printf("security class: %u\n", sec_class);
  av_perm = string_to_av_perm(sec_class, perm_name);
  printf("class %s av %s\n",
         security_class_to_string(SECCLASS_DB_TUPLE),
         security_av_perm_to_string(SECCLASS_DB_TUPLE, DB_TUPLE__SELECT));
  printf("2 - av_perm %u\n", av_perm);

  /* 3: the hardcoded class value again, after the lookup by name. */
  av_perm = string_to_av_perm(SECCLASS_DB_TUPLE, perm_name);
  printf("3 - av_perm %u\n", av_perm);

  return 0;
}

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: string_to_av_perm behavior
  2015-05-22 16:12 string_to_av_perm behavior Ted Toth
@ 2015-05-22 16:20 ` Stephen Smalley
  2015-05-22 16:23   ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2015-05-22 16:20 UTC (permalink / raw)
  To: Ted Toth, SELinux

On 05/22/2015 12:12 PM, Ted Toth wrote:
> ./avperm
> 1 - av_perm 0
> security class: 66
> class db_tuple av select
> 2 - av_perm 8
> 3 - av_perm 8
> 
> Why does the first call to string_to_av_perm return 0? Something seems wrong here.

You need to call string_to_security_class() first.

The hardcoded #defines in flask.h and av_permissions.h are deprecated;
you'll get compiler warnings with a recent version of libselinux when
including them.

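Why the first lookup returns 0, shown with a self-contained model of the name resolution that libselinux does lazily: a class is only read from selinuxfs (class/<name>/index and class/<name>/perms/<perm>) when string_to_security_class() is called for it, and string_to_av_perm() only searches classes that have already been read. This is an added example written for this page, not libselinux's own code; the temp-directory fixture, the db_tuple = 66 and select = bit 4 numbers (chosen to match the output in the original post) and the model_* names are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Simplified model (not libselinux's code) of class/permission lookup:
 * <root>/class/<name>/index holds the class number and each
 * <root>/class/<name>/perms/<perm> holds a 1-based bit number. */
#define MAX_PERMS 32
typedef uint16_t model_class_t;
typedef uint32_t model_av_t;

struct class_node {
    char *name;
    model_class_t value;
    char *perms[MAX_PERMS];          /* perms[i] is the name of bit i */
    struct class_node *next;
};

static struct class_node *discovered;        /* classes read so far */
static char root[256] = "/sys/fs/selinux";   /* overridden by the fixture */

static int read_number(const char *path, unsigned long *out) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fscanf(f, "%lu", out) == 1;
    fclose(f);
    return ok ? 0 : -1;
}

/* Read one class from the tree the first time it is asked for by name. */
static struct class_node *discover_class(const char *name) {
    char path[512];
    unsigned long val;
    struct class_node *n;
    for (n = discovered; n; n = n->next)
        if (strcmp(n->name, name) == 0) return n;
    snprintf(path, sizeof path, "%s/class/%s/index", root, name);
    if (read_number(path, &val) || val == 0 || val > UINT16_MAX) return NULL;
    n = calloc(1, sizeof *n);
    n->name = strdup(name);
    n->value = (model_class_t)val;
    snprintf(path, sizeof path, "%s/class/%s/perms", root, name);
    DIR *d = opendir(path);
    if (d) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (e->d_name[0] == '.') continue;
            snprintf(path, sizeof path, "%s/class/%s/perms/%s", root, name, e->d_name);
            /* "4" in the file means bit 3, i.e. an av of 1 << 3 == 8 */
            if (read_number(path, &val) == 0 && val >= 1 && val <= MAX_PERMS)
                n->perms[val - 1] = strdup(e->d_name);
        }
        closedir(d);
    }
    n->next = discovered;
    discovered = n;
    return n;
}

model_class_t model_string_to_security_class(const char *name) {
    struct class_node *n = discover_class(name);
    if (!n) { errno = EINVAL; return 0; }
    return n->value;
}

/* Only classes already discovered are searched: a numeric class that was
 * never resolved by name yields 0 even if the number is correct. */
model_av_t model_string_to_av_perm(model_class_t tclass, const char *perm) {
    for (struct class_node *n = discovered; n; n = n->next) {
        if (n->value != tclass) continue;
        for (int i = 0; i < MAX_PERMS; i++)
            if (n->perms[i] && strcmp(n->perms[i], perm) == 0)
                return (model_av_t)1u << i;
        break;
    }
    errno = EINVAL;
    return 0;
}

/* Constructed fixture: a temp tree shaped like selinuxfs with db_tuple as
 * class 66, select as bit 4 and insert as bit 6 (values chosen for the demo). */
int build_fixture(void) {
    char dir[] = "/tmp/selinuxfs-model-XXXXXX";
    char path[512];
    if (!mkdtemp(dir)) return -1;
    snprintf(root, sizeof root, "%s", dir);
    const char *subdirs[] = { "class", "class/db_tuple", "class/db_tuple/perms" };
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", root, subdirs[i]);
        if (mkdir(path, 0700)) return -1;
    }
    const struct { const char *file; unsigned long v; } entries[] = {
        { "class/db_tuple/index", 66 },
        { "class/db_tuple/perms/select", 4 },
        { "class/db_tuple/perms/insert", 6 },
    };
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", root, entries[i].file);
        FILE *f = fopen(path, "w");
        if (!f) return -1;
        fprintf(f, "%lu\n", entries[i].v);
        fclose(f);
    }
    return 0;
}

int main(void) {
    if (build_fixture()) { perror("fixture"); return 1; }
    printf("1 - av_perm %u\n", model_string_to_av_perm(66, "select"));          /* 0 */
    printf("security class: %u\n", model_string_to_security_class("db_tuple")); /* 66 */
    printf("2 - av_perm %u\n", model_string_to_av_perm(66, "select"));          /* 8 */
    return 0;
}
```

The practical check is the same for the real library: treat a 0 return from string_to_av_perm() (with errno set to EINVAL) as "class not resolved yet or unknown permission", never as a valid access vector, and resolve the class by name before using its number.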

* Re: string_to_av_perm behavior
  2015-05-22 16:20 ` Stephen Smalley
@ 2015-05-22 16:23   ` Stephen Smalley
  2015-05-22 16:26     ` Ted Toth
  0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2015-05-22 16:23 UTC (permalink / raw)
  To: Ted Toth, SELinux

On 05/22/2015 12:20 PM, Stephen Smalley wrote:
> On 05/22/2015 12:12 PM, Ted Toth wrote:
>> ./avperm
>> 1 - av_perm 0
>> security class: 66
>> class db_tuple av select
>> 2 - av_perm 8
>> 3 - av_perm 8
>>
>> Why does the first call to string_to_av_perm return 0? Something seems wrong here.
> 
> You need to call string_to_security_class() first.
> 
> The hardcoded #defines in flask.h and av_permissions.h are deprecated;
> you'll get compiler warnings with a recent version of libselinux when
> including them.

BTW, the preferred interface for SELinux userspace permission checks
these days is selinux_check_access().  Then you don't ever need to deal
with class or permission values or directly use any of the avc interfaces.


* Re: string_to_av_perm behavior
  2015-05-22 16:23   ` Stephen Smalley
@ 2015-05-22 16:26     ` Ted Toth
  2015-05-22 16:36       ` Ted Toth
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Toth @ 2015-05-22 16:26 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

It would be good if the man page were updated to reflect this
requirement. I'll take a look at selinux_check_access, thanks.

Ted

On Fri, May 22, 2015 at 11:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 05/22/2015 12:20 PM, Stephen Smalley wrote:
>> On 05/22/2015 12:12 PM, Ted Toth wrote:
>>> ./avperm
>>> 1 - av_perm 0
>>> security class: 66
>>> class db_tuple av select
>>> 2 - av_perm 8
>>> 3 - av_perm 8
>>>
>>> Why does the first call to string_to_av_perm return 0? Something seems wrong here.
>>
>> You need to call string_to_security_class() first.
>>
>> The hardcoded #defines in flask.h and av_permissions.h are deprecated;
>> you'll get compiler warnings with a recent version of libselinux when
>> including them.
>
> BTW, the preferred interface for SELinux userspace permission checks
> these days is selinux_check_access().  Then you don't ever need to deal
> with class or permission values or directly use any of the avc interfaces.
>
>


* Re: string_to_av_perm behavior
  2015-05-22 16:26     ` Ted Toth
@ 2015-05-22 16:36       ` Ted Toth
  2015-05-22 16:39         ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Toth @ 2015-05-22 16:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

What version of libselinux was selinux_check_access added?

On Fri, May 22, 2015 at 11:26 AM, Ted Toth <txtoth@gmail.com> wrote:
> It would be good if the man page were updated to reflect this
> requirement. I'll take a look at selinux_check_access, thanks.
>
> Ted
>
> On Fri, May 22, 2015 at 11:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 05/22/2015 12:20 PM, Stephen Smalley wrote:
>>> On 05/22/2015 12:12 PM, Ted Toth wrote:
>>>> ./avperm
>>>> 1 - av_perm 0
>>>> security class: 66
>>>> class db_tuple av select
>>>> 2 - av_perm 8
>>>> 3 - av_perm 8
>>>>
>>>> Why does the first call to string_to_av_perm return 0? Something seems wrong here.
>>>
>>> You need to call string_to_security_class() first.
>>>
>>> The hardcoded #defines in flask.h and av_permissions.h are deprecated;
>>> you'll get compiler warnings with a recent version of libselinux when
>>> including them.
>>
>> BTW, the preferred interface for SELinux userspace permission checks
>> these days is selinux_check_access().  Then you don't ever need to deal
>> with class or permission values or directly use any of the avc interfaces.
>>
>>


* Re: string_to_av_perm behavior
  2015-05-22 16:36       ` Ted Toth
@ 2015-05-22 16:39         ` Stephen Smalley
  2015-05-22 16:47           ` Ted Toth
  0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2015-05-22 16:39 UTC (permalink / raw)
  To: Ted Toth; +Cc: SELinux

On 05/22/2015 12:36 PM, Ted Toth wrote:
> What version of libselinux was selinux_check_access added?

2.1.7


* Re: string_to_av_perm behavior
  2015-05-22 16:39         ` Stephen Smalley
@ 2015-05-22 16:47           ` Ted Toth
  2015-05-22 16:58             ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Ted Toth @ 2015-05-22 16:47 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

:( we currently live in the RHEL6 world.

On Fri, May 22, 2015 at 11:39 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 05/22/2015 12:36 PM, Ted Toth wrote:
>> What version of libselinux was selinux_check_access added?
>
> 2.1.7
>
>


* Re: string_to_av_perm behavior
  2015-05-22 16:47           ` Ted Toth
@ 2015-05-22 16:58             ` Stephen Smalley
  0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2015-05-22 16:58 UTC (permalink / raw)
  To: Ted Toth; +Cc: SELinux

selinux_check_access() is a pretty simple wrapper around the existing
libselinux interfaces, so you could just grab the code from upstream and
put it into your own library or application.

On 05/22/2015 12:47 PM, Ted Toth wrote:
> :( we currently live in the RHEL6 world.
> 
> On Fri, May 22, 2015 at 11:39 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 05/22/2015 12:36 PM, Ted Toth wrote:
>>> What version of libselinux was selinux_check_access added?
>>
>> 2.1.7
>>
>>
> 
> 

