* User range vs. context's range @ 2016-01-20 20:59 Christopher J. PeBenito 2016-01-20 21:22 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2016-01-20 20:59 UTC (permalink / raw) To: SELinux List What is the intended behavior for a user's allowed range in the policy vs. any labels in the policy (e.g. netifcon)? My expectation is that the allowed range should still apply, but it doesn't seem that checkpolicy checks that, based on what I've seen. For example, the new sediff test policies have this user[1]: user added_user roles system level s1 range s1; and checkpolicy doesn't error on this[2] later in the policy: genfscon added_genfs / added_user:object_r:system:s0 I think this should fail compilation since s0 is not in added_user's allowed range. [1] https://github.com/TresysTechnology/setools/blob/master/tests/diff_right.conf#L605 [2] https://github.com/TresysTechnology/setools/blob/master/tests/diff_right.conf#L633 -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-20 20:59 User range vs. context's range Christopher J. PeBenito @ 2016-01-20 21:22 ` Stephen Smalley 2016-01-21 13:14 ` Christopher J. PeBenito 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2016-01-20 21:22 UTC (permalink / raw) To: Christopher J. PeBenito, SELinux List On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: > What is the intended behavior for a user's allowed range in the policy > vs. any labels in the policy (e.g. netifcon)? My expectation is that > the allowed range should still apply, but it doesn't seem that > checkpolicy checks that, based on what I've seen. For example, the new > sediff test policies have this user[1]: > > user added_user roles system level s1 range s1; > > and checkpolicy doesn't error on this[2] later in the policy: > > genfscon added_genfs / added_user:object_r:system:s0 > > I think this should fail compilation since s0 is not in added_user's > allowed range. Not for objects (object_r), same as with role-type relation. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-20 21:22 ` Stephen Smalley @ 2016-01-21 13:14 ` Christopher J. PeBenito 2016-01-21 21:49 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2016-01-21 13:14 UTC (permalink / raw) To: Stephen Smalley, SELinux List On 1/20/2016 4:22 PM, Stephen Smalley wrote: > On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >> What is the intended behavior for a user's allowed range in the policy >> vs. any labels in the policy (e.g. netifcon)? My expectation is that >> the allowed range should still apply, but it doesn't seem that >> checkpolicy checks that, based on what I've seen. For example, the new >> sediff test policies have this user[1]: >> >> user added_user roles system level s1 range s1; >> >> and checkpolicy doesn't error on this[2] later in the policy: >> >> genfscon added_genfs / added_user:object_r:system:s0 >> >> I think this should fail compilation since s0 is not in added_user's >> allowed range. > > Not for objects (object_r), same as with role-type relation. I don't understand the logic for that. For the role-type relation, all types are implicitly added to object_r, which makes that behavior make sense, but the user has an explicitly-stated allowed range. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-21 13:14 ` Christopher J. PeBenito @ 2016-01-21 21:49 ` Stephen Smalley 2016-01-21 22:05 ` Stephen Smalley 2016-01-22 14:00 ` Christopher J. PeBenito 0 siblings, 2 replies; 8+ messages in thread From: Stephen Smalley @ 2016-01-21 21:49 UTC (permalink / raw) To: Christopher J. PeBenito, SELinux List On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: > On 1/20/2016 4:22 PM, Stephen Smalley wrote: >> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >>> What is the intended behavior for a user's allowed range in the policy >>> vs. any labels in the policy (e.g. netifcon)? My expectation is that >>> the allowed range should still apply, but it doesn't seem that >>> checkpolicy checks that, based on what I've seen. For example, the new >>> sediff test policies have this user[1]: >>> >>> user added_user roles system level s1 range s1; >>> >>> and checkpolicy doesn't error on this[2] later in the policy: >>> >>> genfscon added_genfs / added_user:object_r:system:s0 >>> >>> I think this should fail compilation since s0 is not in added_user's >>> allowed range. >> >> Not for objects (object_r), same as with role-type relation. > > I don't understand the logic for that. For the role-type relation, all > types are implicitly added to object_r, which makes that behavior make > sense, but the user has an explicitly-stated allowed range. If that's true, it is only true of setools, not of libsepol or the kernel binary policy. policydb_context_isvalid() omits the role-type and user-role relation checks if the role is object_r, and mls_context_isvalid() does likewise for the user-range relation check. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-21 21:49 ` Stephen Smalley @ 2016-01-21 22:05 ` Stephen Smalley 2016-01-22 14:00 ` Christopher J. PeBenito 1 sibling, 0 replies; 8+ messages in thread From: Stephen Smalley @ 2016-01-21 22:05 UTC (permalink / raw) To: Christopher J. PeBenito, SELinux List On 01/21/2016 04:49 PM, Stephen Smalley wrote: > On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: >> On 1/20/2016 4:22 PM, Stephen Smalley wrote: >>> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >>>> What is the intended behavior for a user's allowed range in the policy >>>> vs. any labels in the policy (e.g. netifcon)? My expectation is that >>>> the allowed range should still apply, but it doesn't seem that >>>> checkpolicy checks that, based on what I've seen. For example, the new >>>> sediff test policies have this user[1]: >>>> >>>> user added_user roles system level s1 range s1; >>>> >>>> and checkpolicy doesn't error on this[2] later in the policy: >>>> >>>> genfscon added_genfs / added_user:object_r:system:s0 >>>> >>>> I think this should fail compilation since s0 is not in added_user's >>>> allowed range. >>> >>> Not for objects (object_r), same as with role-type relation. >> >> I don't understand the logic for that. For the role-type relation, all >> types are implicitly added to object_r, which makes that behavior make >> sense, but the user has an explicitly-stated allowed range. > > If that's true, it is only true of setools, not of libsepol or the By "that", I mean "all types are implicitly added to object_r". I don't see that anywhere in libsepol or the kernel. I do see it in libqpol. But if you dump a kernel policy and look at object_r's role->types, they are empty. > kernel binary policy. policydb_context_isvalid() omits the role-type > and user-role relation checks if the role is object_r, and > mls_context_isvalid() does likewise for the user-range relation check. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-21 21:49 ` Stephen Smalley 2016-01-21 22:05 ` Stephen Smalley @ 2016-01-22 14:00 ` Christopher J. PeBenito 2016-01-22 14:07 ` Stephen Smalley 1 sibling, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2016-01-22 14:00 UTC (permalink / raw) To: Stephen Smalley, SELinux List On 1/21/2016 4:49 PM, Stephen Smalley wrote: > On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: >> On 1/20/2016 4:22 PM, Stephen Smalley wrote: >>> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >>>> What is the intended behavior for a user's allowed range in the policy >>>> vs. any labels in the policy (e.g. netifcon)? My expectation is that >>>> the allowed range should still apply, but it doesn't seem that >>>> checkpolicy checks that, based on what I've seen. For example, the new >>>> sediff test policies have this user[1]: >>>> >>>> user added_user roles system level s1 range s1; >>>> >>>> and checkpolicy doesn't error on this[2] later in the policy: >>>> >>>> genfscon added_genfs / added_user:object_r:system:s0 >>>> >>>> I think this should fail compilation since s0 is not in added_user's >>>> allowed range. >>> >>> Not for objects (object_r), same as with role-type relation. >> >> I don't understand the logic for that. For the role-type relation, all >> types are implicitly added to object_r, which makes that behavior make >> sense, but the user has an explicitly-stated allowed range. > > If that's true, it is only true of setools, not of libsepol or the > kernel binary policy. policydb_context_isvalid() omits the role-type > and user-role relation checks if the role is object_r, and > mls_context_isvalid() does likewise for the user-range relation check. Apologies for being misled by the long-time setools object_r behavior (I'll undo that). However, I still disagree with ignoring the user-range check in the object_r case, because there is an explicit user-range relationship written in the policy. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-22 14:00 ` Christopher J. PeBenito @ 2016-01-22 14:07 ` Stephen Smalley 2016-01-22 15:48 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2016-01-22 14:07 UTC (permalink / raw) To: Christopher J. PeBenito, SELinux List On 01/22/2016 09:00 AM, Christopher J. PeBenito wrote: > On 1/21/2016 4:49 PM, Stephen Smalley wrote: >> On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: >>> On 1/20/2016 4:22 PM, Stephen Smalley wrote: >>>> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >>>>> What is the intended behavior for a user's allowed range in the policy >>>>> vs. any labels in the policy (e.g. netifcon)? My expectation is that >>>>> the allowed range should still apply, but it doesn't seem that >>>>> checkpolicy checks that, based on what I've seen. For example, the new >>>>> sediff test policies have this user[1]: >>>>> >>>>> user added_user roles system level s1 range s1; >>>>> >>>>> and checkpolicy doesn't error on this[2] later in the policy: >>>>> >>>>> genfscon added_genfs / added_user:object_r:system:s0 >>>>> >>>>> I think this should fail compilation since s0 is not in added_user's >>>>> allowed range. >>>> >>>> Not for objects (object_r), same as with role-type relation. >>> >>> I don't understand the logic for that. For the role-type relation, all >>> types are implicitly added to object_r, which makes that behavior make >>> sense, but the user has an explicitly-stated allowed range. >> >> If that's true, it is only true of setools, not of libsepol or the >> kernel binary policy. policydb_context_isvalid() omits the role-type >> and user-role relation checks if the role is object_r, and >> mls_context_isvalid() does likewise for the user-range relation check. > > Apologies for being misled by the long-time setools object_r behavior > (I'll undo that). However, I still disagree with ignoring the > user-range check in the object_r case, because there is an explicit > user-range relationship written in the policy. It was only intended for subjects, not for objects. Whether or not a subject can create an object at a level outside its own range depends on the mls constraints. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: User range vs. context's range 2016-01-22 14:07 ` Stephen Smalley @ 2016-01-22 15:48 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2016-01-22 15:48 UTC (permalink / raw) To: Stephen Smalley, Christopher J. PeBenito, SELinux List On 01/22/2016 09:07 AM, Stephen Smalley wrote: > On 01/22/2016 09:00 AM, Christopher J. PeBenito wrote: >> On 1/21/2016 4:49 PM, Stephen Smalley wrote: >>> On 01/21/2016 08:14 AM, Christopher J. PeBenito wrote: >>>> On 1/20/2016 4:22 PM, Stephen Smalley wrote: >>>>> On 01/20/2016 03:59 PM, Christopher J. PeBenito wrote: >>>>>> What is the intended behavior for a user's allowed range in the policy >>>>>> vs. any labels in the policy (e.g. netifcon)? My expectation is that >>>>>> the allowed range should still apply, but it doesn't seem that >>>>>> checkpolicy checks that, based on what I've seen. For example, the new >>>>>> sediff test policies have this user[1]: >>>>>> >>>>>> user added_user roles system level s1 range s1; >>>>>> >>>>>> and checkpolicy doesn't error on this[2] later in the policy: >>>>>> >>>>>> genfscon added_genfs / added_user:object_r:system:s0 >>>>>> >>>>>> I think this should fail compilation since s0 is not in added_user's >>>>>> allowed range. >>>>> >>>>> Not for objects (object_r), same as with role-type relation. >>>> >>>> I don't understand the logic for that. For the role-type relation, all >>>> types are implicitly added to object_r, which makes that behavior make >>>> sense, but the user has an explicitly-stated allowed range. >>> >>> If that's true, it is only true of setools, not of libsepol or the >>> kernel binary policy. policydb_context_isvalid() omits the role-type >>> and user-role relation checks if the role is object_r, and >>> mls_context_isvalid() does likewise for the user-range relation check. >> >> Apologies for being misled by the long-time setools object_r behavior >> (I'll undo that). However, I still disagree with ignoring the >> user-range check in the object_r case, because there is an explicit >> user-range relationship written in the policy. > > It was only intended for subjects, not for objects. > Whether or not a subject can create an object at a level outside its own range > depends on the mls constraints. > > So CIL does not treat object_r as special (except when creating the binary policy), so that genfscon statement would cause an error in CIL. Subject and object contexts are not treated differently by CIL, but that can be changed if needed. I hadn't known that there was a difference. -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2016-01-22 15:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-01-20 20:59 User range vs. context's range Christopher J. PeBenito 2016-01-20 21:22 ` Stephen Smalley 2016-01-21 13:14 ` Christopher J. PeBenito 2016-01-21 21:49 ` Stephen Smalley 2016-01-21 22:05 ` Stephen Smalley 2016-01-22 14:00 ` Christopher J. PeBenito 2016-01-22 14:07 ` Stephen Smalley 2016-01-22 15:48 ` James Carter
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.