From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: initial_sid context via libsepol To: William Roberts References: <121365621.6063900.1457189031805.JavaMail.yahoo@mail.yahoo.com> <767708561.7764421.1457365274229.JavaMail.yahoo@mail.yahoo.com> <56DDCBF6.6010605@tycho.nsa.gov> <56DDE54F.4050208@tycho.nsa.gov> <56DED6C6.4000407@tycho.nsa.gov> <56E02EAE.3090505@tycho.nsa.gov> Cc: selinux@tycho.nsa.gov From: Stephen Smalley Message-ID: <56E04456.5050500@tycho.nsa.gov> Date: Wed, 9 Mar 2016 10:42:14 -0500 MIME-Version: 1.0 In-Reply-To: <56E02EAE.3090505@tycho.nsa.gov> Content-Type: text/plain; charset=utf-8; format=flowed List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 03/09/2016 09:09 AM, Stephen Smalley wrote: > On 03/09/2016 12:18 AM, William Roberts wrote: >> >> On Mar 8, 2016 05:41, "Stephen Smalley" > > wrote: >> > >> > On 03/07/2016 08:32 PM, William Roberts wrote: >> >> >> >> >> >> >> >> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley > >> >> >> wrote: >> >> >> >> On 03/07/2016 01:44 PM, Stephen Smalley wrote: >> >> >> >> On 03/07/2016 10:41 AM, Richard Haines wrote: >> >> >> >> >> >> >> >> >> >> >> >> >> >> On Saturday, 5 March 2016, 14:48, Richard Haines >> >> > >> >> > >> wrote: >> >> >> >> >> >> >> >> >> >> >> >> On Friday, 4 March 2016, 21:18, "Roberts, William C" >> >> > >> >> > >> wrote: >> >> >> >> >> >> >> >> >> >> >> >> >> >> How can one obtain the same value as >> >> /sys/fs/selinux/initial_contexts/file >> >> >> >> via libsepol? >> >> >> >> >> >> I’ve been digging around libsepol and its not >> quite >> >> clear to me. >> >> >> >> It looks as though the record is here: >> >> context_struct_t *a = >> &((policydb_t >> >> >> >> *)pol.db)->ocontexts[OCON_ISID]->context[0]; >> >> >> >> context_struct_t *b = >> &((policydb_t >> >> >> >> *)pol.db)->ocontexts[OCON_ISID]->context[1]; >> >> >> >> >> >> printf("%u\n", a->type); >> >> printf("%u\n",b->type); >> >> >> >> Prints: >> >> 185 >> >> 0 >> >> >> >> Not sure if this is right, and how to format the >> >> context struct to a >> >> string. >> >> >> >> I didn’t see any helpers. >> >> >> >> >> >> >> >> >> >> >> >> I've attached an example, hope it's useful >> >> >> >> >> >> I've updated the example with more detail and display SID >> >> name using >> >> SID value not counter. >> >> >> >> >> >> Any particular reason you didn't use sepol_sid_to_context()? >> >> >> >> >> >> I guess context_to_string() on the context structure would work >> >> better for your purposes. sepol_sid_to_context() would require >> >> loading the sidtab via policydb_load_isids() and setting the >> >> internal policydb to the one you loaded via sepol_set_policydb(). >> >> >> >> >> >> >> >> Seems as though its not exported api, but it does indeed print >> something: >> >> code: >> >> char *s; >> >> size_t len; >> >> context_struct_t *a = &((policydb_t >> >> *)pol.db)->ocontexts[OCON_ISID]->context[0]; >> >> >> >> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, >> &len); >> >> >> >> printf("rc: %d\n", rc); >> >> printf("con: %s\n", s); >> >> >> >> prints: >> >> rc: 0 >> >> con: u:object_r:null_device:s0 >> >> >> >> However, I am after the initial sid for file, which this isn't >> it... is >> >> it in the ocontexts array under a different index? >> > >> > >> > ocontext[OCON_ISID] points to the head of a linked list of initial >> SIDs, with the values in ->sid[0] and the context structures in >> ->context[0]. Richard's sample program showed you how to walk it and >> print out all the entries. The symbolic names themselves aren't in the >> policydb, as he noted; you can grab it from the kernel source >> (linux/security/selinux/include/initial_sid_to_string.h) or from the >> refpolicy (run make in refpolicy/policy/flask and grab >> kernel/initial_sid_to_string.h). >> >> I was hoping there was something I was missing between what you were >> posting and Richards sample. Looks like it's all by ordinal, so >> (conjecturing here) initial sid ordering must match the kernel header >> ordering as far as I can tell, is that right? >> >> Something must remap it in the kernel from initial sid to class. >> >> I was hoping there would be a clean way to grab this from the policy for >> use in fs_config tools under build, but just hard coding the default >> context string seems to be the best approach. > > I don't know what you are doing, but the initial SID context is not what > you want for fs_config. You want the result of selabel_lookup(), just > as is done by system/extras/ext4_utils to label files in the generated > images. Oh, I see - you are trying to replace the hardcoded "u:object_r:unlabeled:s0" fallback in fs_config.c when selabel_lookup() fails. Worthy goal, but I don't think trying to use an initial SID context is the right approach. I guess the question is whether selabel_lookup() failure ought to just be a hard error for fs_config; if the file does not match any expression in file_contexts, then that reflects a gap in the file_contexts configuration that should be filled. We don't actually want any files with the unlabeled context; the rules for unlabeled in the policy are just for upgrading from pre-SELinux devices with unlabeled /data.