* initial_sid context via libsepol
From: Roberts, William C @ 2016-03-04 21:16 UTC
To: selinux@tycho.nsa.gov

How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?
I've been digging around libsepol and it's not quite clear to me.
It looks as though the record is here:
context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
context_struct_t *b = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[1];
printf("%u\n", a->type);
printf("%u\n", b->type);
Prints:
185
0
Not sure if this is right, and how to format the context struct to a string. I didn't see any helpers.
Thanks,
Bill

* Re: initial_sid context via libsepol
From: Richard Haines @ 2016-03-05 14:43 UTC
To: Roberts, William C, selinux@tycho.nsa.gov

On Friday, 4 March 2016, 21:18, "Roberts, William C" <william.c.roberts@intel.com> wrote:
> How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?
> I've been digging around libsepol and it's not quite clear to me.
> It looks as though the record is here:
>     context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
>     context_struct_t *b = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[1];
>     printf("%u\n", a->type);
>     printf("%u\n", b->type);
> Prints:
> 185
> 0
> Not sure if this is right, and how to format the context struct to a string. I didn't see any helpers.

I've attached an example, hope it's useful

[-- Attachment #2: display-initial-sid-info.c --]

/* gcc display-initial-sid-info.c -o display-initial-sid-info -lselinux /usr/lib64/libsepol.a */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sepol/policydb/policydb.h>

/* load_policy taken from sepolicy-analyze.c */
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf)
{
	int fd;
	struct stat sb;
	void *map;
	int ret;

	fd = open(filename, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno));
		return 1;
	}
	if (fstat(fd, &sb) < 0) {
		fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED) {
		fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	policy_file_init(pf);
	pf->type = PF_USE_MEMORY;
	pf->data = map;
	pf->len = sb.st_size;
	if (policydb_init(policydb)) {
		fprintf(stderr, "Could not initialize policydb!\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}
	ret = policydb_read(policydb, pf, 0);
	if (ret) {
		fprintf(stderr, "error(s) encountered while parsing configuration\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}
	return 0;
}

/* The initial SID names are not available when loading a binary policy.
 * They need to be taken from the policy 'initial_sids' file. However
 * they tend to be common so setools uses a table like this (the list
 * position is the SID value minus one; names are padded when printed): */
static const char *const sidnames[] = {
	"kernel", "security", "unlabeled", "fs", "file", "file_labels",
	"init", "any_socket", "port", "netif", "netmsg", "node",
	"igmp_packet", "icmp_socket", "tcp_socket", "sysctl_modprobe",
	"sysctl", "sysctl_fs", "sysctl_kernel", "sysctl_net",
	"sysctl_net_unix", "sysctl_vm", "sysctl_dev", "kmod", "policy",
	"scmp_packet", "devnull"
};

/* This is reworked from libsepol/src/mls.c mls_compute_context_len() to print
 * the MLS components in the kernel's notation: ':' before the first category,
 * ',' between separated categories, a run of adjacent categories written as
 * "cA.cB", and the high level separated from the low level by '-'.
 * Best seen on /etc/selinux/mls/policy/policy.29 */
void mls_print(const policydb_t *policydb, ocontext_t *cur)
{
	unsigned int i, l, range;
	int first;
	ebitmap_node_t *cnode;

	if (!policydb->mls)
		return;

	for (l = 0; l < 2; l++) {
		range = 0;
		first = 1;
		printf("%s%s", l == 0 ? ":" : "-",
		       policydb->p_sens_val_to_name[cur->context[0].range.level[l].sens - 1]);
		ebitmap_for_each_bit(&cur->context[0].range.level[l].cat, cnode, i) {
			if (ebitmap_node_get_bit(cnode, i)) {
				if (range) {
					range++;
					continue;
				}
				printf("%s%s", first ? ":" : ",", policydb->p_cat_val_to_name[i]);
				first = 0;
				range++;
			} else {
				/* A clear bit ends a run: print the run's last member */
				if (range > 1)
					printf("%s%s", range > 2 ? "." : ",",
					       policydb->p_cat_val_to_name[i - 1]);
				range = 0;
			}
		}
		/* Handle case where last category is the end of range */
		if (range > 1)
			printf("%s%s", range > 2 ? "." : ",", policydb->p_cat_val_to_name[i - 1]);
		if (l == 0) {
			if (mls_level_eq(&cur->context[0].range.level[0],
					 &cur->context[0].range.level[1]))
				break;
		}
	}
}

int main(int argc, char **argv)
{
	char *policy;
	struct policy_file pf;
	policydb_t policydb;
	ocontext_t *cur;
	int entry = 0;
	size_t nnames = sizeof(sidnames) / sizeof(sidnames[0]);

	if (argc < 2) {
		printf("Need binary policy file:\n");
		printf("\t%s policy_file\n", argv[0]);
		exit(1);
	}
	policy = argv[1];
	if (load_policy(policy, &policydb, &pf))
		exit(1);

	/* Count entries */
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next)
		entry++;
	printf("There are %d initial sids in the policy\n\n", entry);

	entry = 0;
	printf("SID Name            Context\n");
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		/* The name table is indexed by list position; guard against a
		 * policy that carries more initial SIDs than the table has names */
		printf("%2u  %-15s %s:%s:%s", cur->sid[0],
		       (size_t)entry < nnames ? sidnames[entry] : "?",
		       policydb.p_user_val_to_name[cur->context[0].user - 1],
		       policydb.p_role_val_to_name[cur->context[0].role - 1],
		       policydb.p_type_val_to_name[cur->context[0].type - 1]);
		mls_print(&policydb, cur);
		printf("\n");
		entry++;
	}
	policydb_destroy(&policydb);
	exit(0);
}

* Re: initial_sid context via libsepol
From: Richard Haines @ 2016-03-07 15:41 UTC
To: Roberts, William C, selinux@tycho.nsa.gov

On Saturday, 5 March 2016, 14:48, Richard Haines <richard_c_haines@btinternet.com> wrote:
> On Friday, 4 March 2016, 21:18, "Roberts, William C" <william.c.roberts@intel.com> wrote:
>> How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?
>> Not sure if this is right, and how to format the context struct to a string. I didn't see any helpers.
>
> I've attached an example, hope it's useful

I've updated the example with more detail, and it displays the SID name using the SID value, not the counter.

[-- Attachment #2: display-initial-sid-info.c --]

/* gcc display-initial-sid-info.c -o display-initial-sid-info libsepol.a */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdbool.h>
#include <sepol/policydb/policydb.h>

/* load_policy taken from sepolicy-analyze.c */
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf)
{
	int fd;
	struct stat sb;
	void *map;
	int ret;

	fd = open(filename, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno));
		return 1;
	}
	if (fstat(fd, &sb) < 0) {
		fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED) {
		fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	policy_file_init(pf);
	pf->type = PF_USE_MEMORY;
	pf->data = map;
	pf->len = sb.st_size;
	if (policydb_init(policydb)) {
		fprintf(stderr, "Could not initialize policydb!\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}
	ret = policydb_read(policydb, pf, 0);
	if (ret) {
		fprintf(stderr, "error(s) encountered while parsing configuration\n");
		close(fd);
		munmap(map, sb.st_size);
		return 1;
	}
	return 0;
}

/* The initial SID names are not currently available in a binary policy (March '16).
 * They really need to be taken from the policy 'initial_sids' file. However for the
 * Reference Policy they tend to be common so setools uses a table like the one below.
 *
 * WARNING: If you have a custom kernel/policy that changes these, then update
 * this table (e.g. Xen has a different set as shown in the 'xen_sidnames' table).
 *
 * Note 1: The kernel builds the /sys/fs/selinux/initial_contexts entries using the
 * contents of the kernel's security/selinux/include/initial_sid_to_string.h
 * file (see kernel source security/selinux/selinuxfs.c and ss/services.c).
 * The 'initial_sid_to_string.h' file can be generated by the Reference
 * Policy source build script policy/flask/flask.py as it builds userspace
 * and kernel headers based on policy (however most of the headers it
 * generates are not required by newer kernels or SELinux userspace services).
 *
 * Note 2: There is a ToDo for "Dynamic discovery of initial SIDs" at:
 * https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo
 *
 * Both tables are indexed directly by SID value, hence the "null" entry at 0. */
static const char *const linux_sidnames[] = {
	"null", "kernel", "security", "unlabeled", "fs", "file", "file_labels",
	"init", "any_socket", "port", "netif", "netmsg", "node",
	"igmp_packet", "icmp_socket", "tcp_socket", "sysctl_modprobe",
	"sysctl", "sysctl_fs", "sysctl_kernel", "sysctl_net",
	"sysctl_net_unix", "sysctl_vm", "sysctl_dev", "kmod", "policy",
	"scmp_packet", "devnull"
};

static const char *const xen_sidnames[] = {
	"null", "xen", "dom0", "domio", "domxen", "unlabeled", "security",
	"ioport", "iomem", "irq", "device"
};

/* Initial SID names are not in policy but check just in case, else use the
 * list for the platform, refusing to index past its end. */
static const char *sidname(const policydb_t *policydb, const ocontext_t *cur)
{
	const char *const *names;
	size_t n;

	if (cur->u.name)
		return cur->u.name;
	if (policydb->target_platform) {
		names = xen_sidnames;
		n = sizeof(xen_sidnames) / sizeof(xen_sidnames[0]);
	} else {
		names = linux_sidnames;
		n = sizeof(linux_sidnames) / sizeof(linux_sidnames[0]);
	}
	return cur->sid[0] < n ? names[cur->sid[0]] : "?";
}

/* This is reworked from libsepol/src/mls.c mls_compute_context_len() to print
 * the MLS components in the kernel's notation: ':' before the first category,
 * ',' between separated categories, a run of adjacent categories written as
 * "cA.cB", and the high level separated from the low level by '-'.
 * Best seen using MLS policy e.g. /etc/selinux/mls/policy/policy.29 */
void mls_print(const policydb_t *policydb, ocontext_t *cur)
{
	unsigned int i, l, range;
	int first;
	ebitmap_node_t *cnode;

	if (!policydb->mls)
		return;

	for (l = 0; l < 2; l++) {
		range = 0;
		first = 1;
		printf("%s%s", l == 0 ? ":" : "-",
		       policydb->p_sens_val_to_name[cur->context[0].range.level[l].sens - 1]);
		ebitmap_for_each_bit(&cur->context[0].range.level[l].cat, cnode, i) {
			if (ebitmap_node_get_bit(cnode, i)) {
				if (range) {
					range++;
					continue;
				}
				printf("%s%s", first ? ":" : ",", policydb->p_cat_val_to_name[i]);
				first = 0;
				range++;
			} else {
				/* A clear bit ends a run: print the run's last member */
				if (range > 1)
					printf("%s%s", range > 2 ? "." : ",",
					       policydb->p_cat_val_to_name[i - 1]);
				range = 0;
			}
		}
		/* Handle case where last category is the end of range */
		if (range > 1)
			printf("%s%s", range > 2 ? "." : ",", policydb->p_cat_val_to_name[i - 1]);
		if (l == 0) {
			if (mls_level_eq(&cur->context[0].range.level[0],
					 &cur->context[0].range.level[1]))
				break;
		}
	}
}

int main(int argc, char **argv)
{
	char *policy;
	struct policy_file pf;
	policydb_t policydb;
	ocontext_t *cur;
	int entry = 0;
	bool have_names = false;

	if (argc < 2) {
		printf("Need binary policy file:\n");
		printf("\t%s policy_file\n", argv[0]);
		exit(1);
	}
	policy = argv[1];
	if (load_policy(policy, &policydb, &pf))
		exit(1);

	/* Count entries and check if first entry has a name present in policy,
	 * if so all entries would be named. However, currently these are not
	 * present in a binary policy. */
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		if (entry == 0 && cur->u.name)
			have_names = true;
		entry++;
	}

	printf("\nThere are %d initial sids in this %s policy.\n", entry,
	       policydb.target_platform ? "Xen" : "SELinux");
	printf("The ISID \"Name\" has been extracted from %s.\n\n",
	       have_names ? "the policy" : "an internal list that may be incorrect");

	printf("SID        Name            Context\n");
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		printf("0x%08x %-15s %s:%s:%s", cur->sid[0], sidname(&policydb, cur),
		       policydb.p_user_val_to_name[cur->context[0].user - 1],
		       policydb.p_role_val_to_name[cur->context[0].role - 1],
		       policydb.p_type_val_to_name[cur->context[0].type - 1]);
		mls_print(&policydb, cur);
		printf("\n");
	}
	policydb_destroy(&policydb);
	exit(0);
}

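Richard's mls_print() above compresses adjacent categories into a range, which is the same notation the kernel's mls_sid_to_context() writes into /sys/fs/selinux/initial_contexts. The following is an added example, not Richard's attachment and not libsepol code: a stand-alone formatter that produces that notation from a plain category array (an assumed stand-in for libsepol's ebitmap, with names synthesised as sN/cN rather than looked up in a policydb), covering the cases a hand-rolled version tends to get wrong: a lone category, a pair versus a longer run, a run that ends on the last set category, and a low level equal to the high level.

```c
/* Added example (not from the thread): kernel-style MLS range formatting.
 * Categories sit in a plain byte array instead of libsepol's ebitmap, and names
 * are synthesised as sN/cN (an assumption; a real policy supplies them through
 * p_sens_val_to_name/p_cat_val_to_name), so this builds without libsepol. */
#include <stdio.h>
#include <string.h>

#define MAX_CATS 1024

struct mls_level {
	int sens;                    /* 0-based sensitivity, printed as sN */
	unsigned char cat[MAX_CATS]; /* cat[i] != 0 means category ci is set */
};

/* Append s to out at *pos; refuse (return -1) rather than overflow. */
static int append(char *out, size_t outlen, size_t *pos, const char *s)
{
	size_t n = strlen(s);
	if (*pos + n + 1 > outlen)
		return -1;
	memcpy(out + *pos, s, n + 1);
	*pos += n;
	return 0;
}

/* Append "<sep><kind><n>", e.g. ",c5" or "s0". */
static int put(char *out, size_t outlen, size_t *pos, const char *sep, char kind, int n)
{
	char buf[32];
	snprintf(buf, sizeof buf, "%s%c%d", sep, kind, n);
	return append(out, outlen, pos, buf);
}

/* One level as the kernel writes it: "sN", ':' before the first category and
 * ',' before each later separated one; a run of adjacent categories is closed
 * with ".cB" when it spans three or more and with ",cB" for a pair. */
static int format_level(const struct mls_level *lvl, char *out, size_t outlen, size_t *pos)
{
	int head = -2, prev = -2, i;

	if (put(out, outlen, pos, "", 's', lvl->sens))
		return -1;
	for (i = 0; i < MAX_CATS; i++) {
		if (!lvl->cat[i])
			continue;
		if (i - prev > 1) {        /* gap before i: a new run starts here */
			if (prev != head &&    /* close the previous run first */
			    put(out, outlen, pos, prev - head > 1 ? "." : ",", 'c', prev))
				return -1;
			if (put(out, outlen, pos, head == -2 ? ":" : ",", 'c', i))
				return -1;
			head = i;
		}
		prev = i;
	}
	/* A run that reaches the last set category was never closed above */
	if (prev != head && put(out, outlen, pos, prev - head > 1 ? "." : ",", 'c', prev))
		return -1;
	return 0;
}

/* "low-high", collapsed to "low" when both levels match (the mls_level_eq()
 * test in the program above). Returns 0, or -1 when out is too small. */
int format_mls_range(const struct mls_level *low, const struct mls_level *high,
		     char *out, size_t outlen)
{
	size_t pos = 0;

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	if (format_level(low, out, outlen, &pos))
		return -1;
	if (low->sens == high->sens && memcmp(low->cat, high->cat, MAX_CATS) == 0)
		return 0;
	if (append(out, outlen, &pos, "-"))
		return -1;
	return format_level(high, out, outlen, &pos);
}

/* Build a level from a sensitivity and a -1-terminated category list. */
void make_level(struct mls_level *lvl, int sens, const int *cats)
{
	memset(lvl, 0, sizeof *lvl);
	lvl->sens = sens;
	for (; *cats >= 0; cats++)
		if (*cats < MAX_CATS)
			lvl->cat[*cats] = 1;
}

/* Format constructed sample levels; returns a static buffer, NULL on overflow. */
const char *mls_range_str(int lo_sens, const int *lo_cats, int hi_sens, const int *hi_cats)
{
	static char buf[8192];
	struct mls_level lo, hi;

	make_level(&lo, lo_sens, lo_cats);
	make_level(&hi, hi_sens, hi_cats);
	return format_mls_range(&lo, &hi, buf, sizeof buf) ? NULL : buf;
}
```

Calling mls_range_str(0, (const int[]){0, 1, 2, 4, 5, 6, 9, -1}, 15, (const int[]){1023, -1}) yields "s0:c0.c2,c4.c6,c9-s15:c1023"; the same low level passed twice yields "s0:c0.c2,c4.c6,c9" without the high half. The head/prev bookkeeping is what distinguishes "c0,c1" (a pair) from "c0.c2" (a run of three), which the range counter in the attachment cannot do on its own.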
* Re: initial_sid context via libsepol
From: Stephen Smalley @ 2016-03-07 18:44 UTC
To: Richard Haines, Roberts, William C, selinux@tycho.nsa.gov

On 03/07/2016 10:41 AM, Richard Haines wrote:
> I've attached an example, hope it's useful
>
> I've updated the example with more detail and display SID name using SID value not counter.

Any particular reason you didn't use sepol_sid_to_context()?

* Re: initial_sid context via libsepol
From: Stephen Smalley @ 2016-03-07 20:32 UTC
To: Richard Haines, Roberts, William C, selinux@tycho.nsa.gov

On 03/07/2016 01:44 PM, Stephen Smalley wrote:
> Any particular reason you didn't use sepol_sid_to_context()?

I guess context_to_string() on the context structure would work better for your purposes. sepol_sid_to_context() would require loading the sidtab via policydb_load_isids() and setting the internal policydb to the one you loaded via sepol_set_policydb().

* Re: initial_sid context via libsepol
From: William Roberts @ 2016-03-08 1:32 UTC
To: Stephen Smalley; +Cc: Richard Haines, Roberts, William C, selinux@tycho.nsa.gov

On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> I guess context_to_string() on the context structure would work better for
> your purposes. sepol_sid_to_context() would require loading the sidtab
> via policydb_load_isids() and setting the internal policydb to the one you
> loaded via sepol_set_policydb().

Seems as though it's not exported API, but it does indeed print something:

code:
    char *s;
    size_t len;
    context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];

    int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, &len);

    printf("rc: %d\n", rc);
    printf("con: %s\n", s);
    free(s);  /* context_to_string() allocates the result */

prints:
    rc: 0
    con: u:object_r:null_device:s0

However, I am after the initial sid for file, which this isn't it... is it in the ocontexts array under a different index?

Bill

--
Respectfully,

William C Roberts

* Re: initial_sid context via libsepol
From: Richard Haines @ 2016-03-08 13:12 UTC
To: William Roberts; +Cc: selinux@tycho.nsa.gov, Stephen Smalley

On Tuesday, 8 March 2016, 1:32, William Roberts <bill.c.roberts@gmail.com> wrote:
> Seems as though it's not exported API, but it does indeed print something:
>
> prints:
>     rc: 0
>     con: u:object_r:null_device:s0
>
> However, I am after the initial sid for file, which this isn't it... is it in the ocontexts array under a different index?

From what I can see the only ways for you to get the context of a specifically named initial sid are to:

1) If working on the active policy then read /sys/fs/selinux/initial_contexts for the specific name.

2) If working on a binary policy that has been loaded by libsepol for investigation, then I guess the official answer would be "you cannot do this", simply because the names are not held in the binary policy.

What you could do is:

a) Load the initial_sid_to_string.h or the policy initial_sids file and search through it for a match. This will give the offset and would (by magic) give the initial SID value (e.g. "file" = 5) as it just so happens that the initial SIDs start at '1' in a standard SELinux system. You can then obtain the context string.

b) Or you could just say they start at 1 and I know "file" is the 5th entry !!

c) Modify policy, kernel etc. to add the names.

Unless someone knows another way !!!!

* Re: initial_sid context via libsepol
From: Richard Haines @ 2016-03-08 13:35 UTC
To: William Roberts; +Cc: Stephen Smalley, selinux@tycho.nsa.gov

On Tuesday, 8 March 2016, 13:17, Richard Haines <richard_c_haines@btinternet.com> wrote:
> a) Load the initial_sid_to_string.h or the policy initial_sids file and search
> through it for a match. This will give the offset and would (by magic) give
> the initial SID value (e.g. "file" = 5) as it just so happens that the
> initial SIDs start at '1' in a standard SELinux system. You can then obtain
> the context string.

Sorry, missed the bit about using the offset as the index for matching the cur->sid[0] value that would then allow the correct context to be retrieved.

* Re: initial_sid context via libsepol
From: Christopher J. PeBenito @ 2016-03-08 13:49 UTC
To: Richard Haines, William Roberts; +Cc: Stephen Smalley, selinux@tycho.nsa.gov

On 3/8/2016 8:12 AM, Richard Haines wrote:
> From what I can see the only ways for you to get the context of a specifically
> named initial sid, is to:
>
> 1) If working on the active policy then read /sys/fs/selinux/initial_contexts
> for the specific name.
>
> 2) If working on a binary policy that has been loaded by libsepol for
> investigation, then I guess the official answer would be "you cannot do
> this", simply because the names are not held in the binary policy.
>
> Unless someone knows another way !!!!

I realize this is about libsepol, but if you happen to have setools3 available, it can also retrieve this information, e.g.

$ seinfo --initialsid=node -x
   node: system_u:object_r:node_t:s0

So in your program you could use the libapol library functions and look it up in /sys/fs/selinux/policy.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* Re: initial_sid context via libsepol
From: Stephen Smalley @ 2016-03-08 13:42 UTC
To: William Roberts; +Cc: selinux@tycho.nsa.gov

On 03/07/2016 08:32 PM, William Roberts wrote:
> Seems as though its not exported api, but it does indeed print something:
>
> prints:
>     rc: 0
>     con: u:object_r:null_device:s0
>
> However, I am after the initial sid for file, which this isn't it... is
> it in the ocontexts array under a different index?

ocontext[OCON_ISID] points to the head of a linked list of initial SIDs, with the values in ->sid[0] and the context structures in ->context[0]. Richard's sample program showed you how to walk it and print out all the entries. The symbolic names themselves aren't in the policydb, as he noted; you can grab it from the kernel source (linux/security/selinux/include/initial_sid_to_string.h) or from the refpolicy (run make in refpolicy/policy/flask and grab kernel/initial_sid_to_string.h).

* Re: initial_sid context via libsepol
From: William Roberts @ 2016-03-09 5:18 UTC
To: Stephen Smalley; +Cc: selinux

On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
> On 03/07/2016 08:32 PM, William Roberts wrote:
>> <snip>
>>
>> However, I am after the initial sid for file, which this isn't it... is
>> it in the ocontexts array under a different index?
>
> ocontext[OCON_ISID] points to the head of a linked list of initial SIDs,
> with the values in ->sid[0] and the context structures in ->context[0].
> Richard's sample program showed you how to walk it and print out all the
> entries. The symbolic names themselves aren't in the policydb, as he
> noted; you can grab them from the kernel source
> (linux/security/selinux/include/initial_sid_to_string.h) or from the
> refpolicy (run make in refpolicy/policy/flask and grab
> kernel/initial_sid_to_string.h).

I was hoping there was something I was missing between what you were posting and Richard's sample. Looks like it's all by ordinal, so (conjecturing here) initial sid ordering must match the kernel header ordering as far as I can tell, is that right?

Something must remap it in the kernel from initial sid to class.

I was hoping there would be a clean way to grab this from the policy for use in fs_config tools under build, but just hard coding the default context string seems to be the best approach.
* Re: initial_sid context via libsepol
From: Stephen Smalley @ 2016-03-09 14:09 UTC
To: William Roberts; +Cc: selinux

On 03/09/2016 12:18 AM, William Roberts wrote:
> On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>> <snip>
>>
>> ocontext[OCON_ISID] points to the head of a linked list of initial
>> SIDs, with the values in ->sid[0] and the context structures in
>> ->context[0]. Richard's sample program showed you how to walk it and
>> print out all the entries. The symbolic names themselves aren't in the
>> policydb, as he noted; you can grab them from the kernel source
>> (linux/security/selinux/include/initial_sid_to_string.h) or from the
>> refpolicy (run make in refpolicy/policy/flask and grab
>> kernel/initial_sid_to_string.h).
>
> I was hoping there was something I was missing between what you were
> posting and Richard's sample. Looks like it's all by ordinal, so
> (conjecturing here) initial sid ordering must match the kernel header
> ordering as far as I can tell, is that right?
>
> Something must remap it in the kernel from initial sid to class.
>
> I was hoping there would be a clean way to grab this from the policy for
> use in fs_config tools under build, but just hard coding the default
> context string seems to be the best approach.

I don't know what you are doing, but the initial SID context is not what you want for fs_config. You want the result of selabel_lookup(), just as is done by system/extras/ext4_utils to label files in the generated images.
* Re: initial_sid context via libsepol
From: William Roberts @ 2016-03-09 15:37 UTC
To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov

> <snip>
>> I was hoping there was something I was missing between what you were
>> posting and Richard's sample. Looks like it's all by ordinal, so
>> (conjecturing here) initial sid ordering must match the kernel header
>> ordering as far as I can tell, is that right?
>>
>> Something must remap it in the kernel from initial sid to class.
>>
>> I was hoping there would be a clean way to grab this from the policy for
>> use in fs_config tools under build, but just hard coding the default
>> context string seems to be the best approach.
>
> I don't know what you are doing, but the initial SID context is not what
> you want for fs_config. You want the result of selabel_lookup(), just as
> is done by system/extras/ext4_utils to label files in the generated images.

I came across this in build/tools/fs_config/fs_config.c:

    char* secontext;
    if (selabel_lookup(sehnd, &secontext, full_name, ( mode | (is_dir ? S_IFDIR : S_IFREG)))) {
        secontext = strdup("u:object_r:unlabeled:s0");
    }

    printf(" selabel=%s", secontext);
    free(full_name);
    freecon(secontext);

commit 0eb17d944704b3eb140bb9dded299d3be3aed77e
Author: Nick Kralevich <nnk@google.com>

I was just poking around at things to figure out what the intent is.

I am assuming I have something like /foobar, it will fail on labeling since there is no match. At which point you would want to default to the initial sid for file.

I was investigating how difficult it would be to not hardcode this value and retrieve it from sepol, which seems like more work than it's worth.

-- 
Respectfully,
William C Roberts
* Re: initial_sid context via libsepol
From: William Roberts @ 2016-03-09 17:12 UTC
To: Nick Kralevich; +Cc: selinux@tycho.nsa.gov, Stephen Smalley

> <snip>
>
> I came across this in build/tools/fs_config/fs_config.c:
>
>     char* secontext;
>     if (selabel_lookup(sehnd, &secontext, full_name, ( mode | (is_dir ? S_IFDIR : S_IFREG)))) {
>         secontext = strdup("u:object_r:unlabeled:s0");
>     }
>
>     printf(" selabel=%s", secontext);
>     free(full_name);
>     freecon(secontext);
>
> commit 0eb17d944704b3eb140bb9dded299d3be3aed77e
> Author: Nick Kralevich <nnk@google.com>
>
> I was just poking around at things to figure out what the intent is.
>
> I am assuming I have something like /foobar, it will fail on labeling
> since there is no match. At which point you would want to default to the
> initial sid for file.
>
> I was investigating how difficult it would be to not hardcode this value
> and retrieve it from sepol, which seems like more work than it's worth.

Nick, this popped up in a discussion recently. I was wondering if you could shed light on the error path for selabel_lookup() and the conditions that occur when it takes said path?

Thanks,
Bill
* Re: initial_sid context via libsepol
From: Stephen Smalley @ 2016-03-09 15:42 UTC
To: William Roberts; +Cc: selinux

On 03/09/2016 09:09 AM, Stephen Smalley wrote:
> On 03/09/2016 12:18 AM, William Roberts wrote:
>> <snip>
>>
>> I was hoping there would be a clean way to grab this from the policy for
>> use in fs_config tools under build, but just hard coding the default
>> context string seems to be the best approach.
>
> I don't know what you are doing, but the initial SID context is not what
> you want for fs_config. You want the result of selabel_lookup(), just
> as is done by system/extras/ext4_utils to label files in the generated
> images.

Oh, I see - you are trying to replace the hardcoded "u:object_r:unlabeled:s0" fallback in fs_config.c when selabel_lookup() fails. Worthy goal, but I don't think trying to use an initial SID context is the right approach. I guess the question is whether selabel_lookup() failure ought to just be a hard error for fs_config; if the file does not match any expression in file_contexts, then that reflects a gap in the file_contexts configuration that should be filled. We don't actually want any files with the unlabeled context; the rules for unlabeled in the policy are just for upgrading from pre-SELinux devices with unlabeled /data.
* Re: initial_sid context via libsepol
From: William Roberts @ 2016-03-09 15:45 UTC
To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov

On Wed, Mar 9, 2016 at 7:42 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 03/09/2016 09:09 AM, Stephen Smalley wrote:
>> <snip>
>>
>> I don't know what you are doing, but the initial SID context is not what
>> you want for fs_config. You want the result of selabel_lookup(), just
>> as is done by system/extras/ext4_utils to label files in the generated
>> images.
>
> Oh, I see - you are trying to replace the hardcoded
> "u:object_r:unlabeled:s0" fallback in fs_config.c when selabel_lookup()
> fails. Worthy goal, but I don't think trying to use an initial SID context
> is the right approach. I guess the question is whether selabel_lookup()
> failure ought to just be a hard error for fs_config; if the file does not
> match any expression in file_contexts, then that reflects a gap in the
> file_contexts configuration that should be filled. We don't actually want
> any files with the unlabeled context; the rules for unlabeled in the policy
> are just for upgrading from pre-SELinux devices with unlabeled /data.

Yeah, I was trying to understand why it's not a hard failure. I was thinking at boot the fc would relabel it, but it would be the same fc as packaged in the ota afaik.

I think the easiest would be just to ask Nick what his intentions were here and what corner case he was trying to cover. I haven't been able to get it to take that path in fs_config.c.

I noticed this when doing this work:
https://android-review.googlesource.com/#/q/topic:fs-config

-- 
Respectfully,
William C Roberts