* [PATCH 0/7] Various SELinux Notebook updates
@ 2021-12-03 14:05 Richard Haines
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Notebook patches I've collected.

Richard Haines (7):
  notebook: Minor formatting fixes
  object_classes_permissions.md: Correct the context object class entry
  object_classes_permissions.md: Deprecate lockdown class
  policy_config_files.md: Update openrc_contexts contents
  policy_config_files.md: Update openssh_contexts contents
  policy_config_files.md: Update snapperd_contexts contents
  title.md: Clarify example code location

 src/bounds_rules.md                |  2 +-
 src/class_permission_statements.md |  2 +-
 src/libselinux_functions.md        | 14 +++----
 src/object_classes_permissions.md  | 23 +++++-------
 src/policy_config_files.md         | 59 ++++++++++++++++++++++++++++--
 src/title.md                       |  7 ++++
 6 files changed, 82 insertions(+), 25 deletions(-)

-- 
2.33.1



* [PATCH 1/7] notebook: Minor formatting fixes
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/bounds_rules.md                |  2 +-
 src/class_permission_statements.md |  2 +-
 src/libselinux_functions.md        | 14 +++++++-------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/bounds_rules.md b/src/bounds_rules.md
index 6def780..650f817 100644
--- a/src/bounds_rules.md
+++ b/src/bounds_rules.md
@@ -41,7 +41,7 @@ The *type* or *typealias* identifier of the parent domain.
 *bounded_domain*
 
 One or more *type* or *typealias* identifiers of the child domains.
-Multiple entries consist of a comma ',' separated list.</td>
+Multiple entries consist of a comma ',' separated list.
 
 **The statement is valid in:**
 
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md
index 264e022..63e7262 100644
--- a/src/class_permission_statements.md
+++ b/src/class_permission_statements.md
@@ -160,7 +160,7 @@ A previously declared *common* identifier.
 *perm_set*
 
 One or more optional permission identifiers in a space separated list enclosed
-within braces \'\{\}\'.</td>
+within braces \'\{\}\'.
 
 Note: There must be at least one *common_set* or one *perm_set* defined within
 the statement.
diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md
index b06018a..54b5d70 100644
--- a/src/libselinux_functions.md
+++ b/src/libselinux_functions.md
@@ -167,7 +167,7 @@ The SID mapping is not affected. Return 0 on success, -1 with errno set on error
 Log SID table statistics. Log a message with information about the size and
 distribution of the SID table. The audit callback is used to print the message.
 
-avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h*
+*avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h*
 
 Get copy of context corresponding to SID. Return a copy of the security context
 corresponding to the input sid in the memory referenced by *ctx*. The caller is
@@ -522,21 +522,21 @@ only the *scon* domain.
 
 *security_compute_create*, *security_compute_create_raw* - *selinux.h*
 
-Compute a labeling decision and set *newcon to refer to it.
+Compute a labeling decision and set *\*newcon* to refer to it.
 Caller must free via ***freecon**(3)*.
 
 *security_compute_create_name*, *security_compute_create_name_raw* - *selinux.h*
 
-This is identical to* ***security_compute_create**(3)* but also takes the name
+This is identical to ***security_compute_create**(3)* but also takes the name
 of the new object in creation as an argument.
 When a *type_transition* rule on the given class and the *scon* / *tcon* pair
-has an object name extension, *newcon* will be returned according to the policy.
+has an object name extension, *\*newcon* will be returned according to the policy.
 Note that this interface is only supported on the kernels 2.6.40 or later.
 For older kernels the object name is ignored.
 
 *security_compute_member*, *security_compute_member_raw* - *selinux.h*
 
-Compute a polyinstantiation member decision and set *newcon to refer to it.
+Compute a polyinstantiation member decision and set *\*newcon* to refer to it.
 Caller must free via ***freecon**(3)*.
 
 *security_compute_relabel*, *security_compute_relabel_raw* - *selinux.h*
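Review bot: the unchanged context line "Note that this interface is only supported on the kernels 2.6.40 or later." in this hunk reads awkwardly ("on kernels 2.6.40 or later"); since the *security_compute_create_name* paragraph is already being touched for the *\*newcon* markup, it is worth tidying that sentence in the same change rather than leaving the grammar for a later formatting pass.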
@@ -544,7 +544,7 @@ Caller must free via ***freecon**(3)*.
 Compute a relabeling decision and set *\*newcon* to refer to it.
 Caller must free via ***freecon**(3)*.
 
-*security_compute_user*, security_compute_user_raw* (deprecated) - *selinux.h*
+*security_compute_user*, *security_compute_user_raw* (deprecated) - *selinux.h*
 
 Compute the set of reachable user contexts and set *\*con* to refer to the
 NULL-terminated array of contexts. Caller must free via ***freeconary**(3)*.
@@ -918,7 +918,7 @@ Return path to the securetty_types file under the policy root directory.
 
 *selinux_sepgsql_context_path* - *selinux.h*
 
-*Return path to *sepgsql_context* file under the policy root directory.
+Return path to *sepgsql_context* file under the policy root directory.
 
 *selinux_set_callback* - *selinux.h*
 
-- 
2.33.1



* [PATCH 2/7] object_classes_permissions.md: Correct the context object class entry
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Clarify the intent of 'contains' and 'translate' permissions.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/object_classes_permissions.md | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index bbc703d..b092a9b 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -3081,21 +3081,18 @@ Manage the D-BUS Messaging service that is required to run various services.
 
 ### *context*
 
-Support for the translation daemon ***mcstransd**(8)*. These permissions are
-required to allow translation and querying of level and ranges for MCS and
-MLS systems.
+These permissions are used for SELinux configuration file context entries
+and context translations for MCS/MLS policy.
 
 **Permissions** - 2 unique permissions:
 
 *contains*
 
-- Calculate a MLS/MCS subset - Required to check what the configuration
-  file contains.
+- Check configuration file contains a valid context entry.
 
 *translate*
 
-- Translate a raw MLS/MCS label - Required to allow a domain to translate
-  contexts.
+- Translate a raw label to a meaningful text string.
 
 ### *service*
 
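Review bot: the rewritten class description at the top of this hunk drops the reference to ***mcstransd**(8)* that the removed lines carried, so the reader is left with no pointer to which component actually exercises *contains* and *translate*; keep a mention of the translation daemon alongside the new wording. The new *contains* bullet, "Check configuration file contains a valid context entry.", is also missing its article and conjunction: "Check that a configuration file contains a valid context entry." reads as intended.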
-- 
2.33.1



* [PATCH 3/7] object_classes_permissions.md: Deprecate lockdown class
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Add text regarding the removal of lockdown hooks from kernel 5.16.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/object_classes_permissions.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index b092a9b..4ad8520 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -70,7 +70,7 @@
   - [Performance Event Object Class](#performance-event-object-class)
     - [*perf_event*](#perf_event)
   - [Lockdown Object Class](#lockdown-object-class)
-    - [*lockdown*](#lockdown)
+    - [*lockdown* (Deprecated)](#lockdown-deprecated)
   - [IPC Object Classes](#ipc-object-classes)
     - [*ipc* (Deprecated)](#ipc-deprecated)
     - [*sem*](#sem)
@@ -1674,15 +1674,15 @@ Control ***perf**(1)* events
 
 ## Lockdown Object Class
 
-Note: If the *lockdown* LSM is enabled alongside SELinux, then the
-lockdown access control will take precedence over the SELinux lockdown
-implementation.
+The *lockdown* class and associated SELinux LSM hook (added in kernel 5.6),
+have been removed from kernel 5.16 for the reasons discussed in
+<https://lore.kernel.org/selinux/163292547664.17566.8479687865641275719.stgit@olly/>.
 
-### *lockdown*
+### *lockdown* (Deprecated)
 
 Stop userspace extracting/modify kernel data.
 
-**Permissions** - 6 unique permissions:
+**Permissions** - 2 unique permissions:
 
 *confidentiality*
 
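Review bot: in the added note, the comma in "(added in kernel 5.6), have been removed" separates the subject from its verb and should be dropped. The unchanged line "Stop userspace extracting/modify kernel data." in the same hunk mixes verb forms ("extracting/modifying"); since this section is being reworked for the deprecation anyway, fix it here. The permission count going from 6 to 2 is a correction with no mention in the commit message; a short sentence there ("also corrects the permission count") would make the intent clear to anyone bisecting the notebook history.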
-- 
2.33.1



* [PATCH 4/7] policy_config_files.md: Update openrc_contexts contents
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

This config file will only be present if openrc is installed.
See https://github.com/OpenRC/openrc

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_config_files.md | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index d186b98..4b2c091 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -680,12 +680,34 @@ matching of network packets - Never been used.
 
 ## *contexts/openrc_contexts*
 
-**To be determined**
+OpenRC is a dependency-based init system that works with the system-provided
+*init* program, normally */sbin/init*. This config file will only be present
+if *openrc* is installed, see
+[**https://github.com/OpenRC/openrc**](https://github.com/OpenRC/openrc)
 
 **The file format is as follows:**
 
+```
+run_init=[domain]
+```
+
+**Where:**
+
+*run_init*
+
+- The keyword *run_init*. Note that there must not be any spaces around
+  the '=' sign.
+
+*domain*
+
+- The domain type for the process.
+
 **Example file contents:**
 
+```
+run_init=run_init_t
+```
+
 **Supporting libselinux API functions are:**
 
 - ***selinux_context_path**(3)*
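Review bot: the link style "[**https://github.com/OpenRC/openrc**](https://github.com/OpenRC/openrc)" differs from the autolink form "**<https://...>**" used in the title.md patch of this same series; pick one for the notebook. The sentence that ends with that link is also missing its full stop. The *domain* bullet, "The domain type for the process.", does not say which process is meant: stating what *run_init* launches in that domain would make the keyword self-explanatory, and the "no spaces around '='" rule is a useful detail that the other two context-file entries in this series do not state, so it is worth saying whether it is specific to the openrc parser.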
-- 
2.33.1



* [PATCH 5/7] policy_config_files.md: Update openssh_contexts contents
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Used by openssh for privilege separated processes in the
preauthentication phase.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_config_files.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 4b2c091..9f2996c 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -715,10 +715,26 @@ run_init=run_init_t
 
 ## *contexts/openssh_contexts*
 
-**To be determined**
+Used by *openssh* (***ssh**(1)*) for privilege separated processes in the
+preauthentication phase.
 
 **The file format is as follows:**
 
+```
+privsep_preauth=[domain]
+```
+
+**Where:**
+
+*privsep_preauth*
+
+- The keyword *privsep_preauth*
+
+*domain*
+
+- The domain type for the privilege separated processes in the
+  preauthentication phase.
+
 **Example file contents:**
 
 ```
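Review bot: the man page cited in "Used by *openssh* (***ssh**(1)*)" is the client; privilege separation and the preauthentication phase belong to the server, so the reference should be ***sshd**(8)*. The *privsep_preauth* bullet, "The keyword *privsep_preauth*", lacks the terminating full stop that the matching *run_init* bullet in the previous patch has.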
-- 
2.33.1



* [PATCH 6/7] policy_config_files.md: Update snapperd_contexts contents
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Used by snapper(8) for filesystem snapshot management.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/policy_config_files.md | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 9f2996c..ffc4fac 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -816,10 +816,25 @@ db_schema         *.*       system_u:object_r:sepgsql_schema_t:s0
 
 ## *contexts/snapperd_contexts*
 
-**To be determined**
+Used by ***snapper**(8)* for filesystem snapshot management to set an SELinux
+context on ***btrfs**(8)* subvolumes.
 
 **The file format is as follows:**
 
+```
+snapperd_data = user:role:type[:range]
+```
+
+**Where:**
+
+*snapperd_data*
+
+- The keyword *snapperd_data*
+
+*user:role:type[:range]*
+
+- The security context including the MLS / MCS *level* or *range* if applicable.
+
 **Example file contents:**
 
 ```
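Review bot: the format line "snapperd_data = user:role:type[:range]" shows spaces around '=', while the openrc_contexts entry added earlier in this series explicitly says there must be no spaces around '='; state whether snapperd accepts both forms so readers do not copy the wrong one into a file that is parsed differently. The *snapperd_data* bullet, "The keyword *snapperd_data*", is also missing its full stop, as in the openssh entry.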
-- 
2.33.1



* [PATCH 7/7] title.md: Clarify example code location
From: Richard Haines @ 2021-12-03 14:05 UTC (permalink / raw)
  To: selinux; +Cc: paul, Richard Haines

Clarify that the example code is not embedded, but linked.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/title.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/title.md b/src/title.md
index caf5b41..03c5795 100644
--- a/src/title.md
+++ b/src/title.md
@@ -82,6 +82,13 @@ Android.
 **Object Classes and Permissions** - Describes the SELinux object
 classes and permissions.
 
+#### Notebook Examples
+
+The Notebook examples are not embedded into any of the document formats
+described in
+**<https://github.com/SELinuxProject/selinux-notebook/blob/main/BUILD.md>**,
+however they will have links to them in their build directories.
+
 ### Updated Editions
 
 The SELinux Notebook is being maintained as part of the SELinux project, more
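Review bot: "however they will have links to them in their build directories" is ambiguous, since "they" reads as the examples rather than the document formats, and "however" is joining two independent clauses with only a comma. Suggested wording: "The Notebook examples are not embedded into any of the document formats described in **<https://github.com/SELinuxProject/selinux-notebook/blob/main/BUILD.md>**; instead, each document format links to the example files from its build directory."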
-- 
2.33.1



* Re: [PATCH 5/7] policy_config_files.md: Update openssh_contexts contents
From: Dominick Grift @ 2021-12-06 19:17 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux, paul

Richard Haines <richard_c_haines@btinternet.com> writes:

> Used by openssh for privilege separated processes in the
> preauthentication phase.

Maybe mention that this is a Red Hat-specific patch that is not upstreamed,
so others do not have this.

>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  src/policy_config_files.md | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/src/policy_config_files.md b/src/policy_config_files.md
> index 4b2c091..9f2996c 100644
> --- a/src/policy_config_files.md
> +++ b/src/policy_config_files.md
> @@ -715,10 +715,26 @@ run_init=run_init_t
>  
>  ## *contexts/openssh_contexts*
>  
> -**To be determined**
> +Used by *openssh* (***ssh**(1)*) for privilege separated processes in the
> +preauthentication phase.
>  
>  **The file format is as follows:**
>  
> +```
> +privsep_preauth=[domain]
> +```
> +
> +**Where:**
> +
> +*privsep_preauth*
> +
> +- The keyword *privsep_preauth*
> +
> +*domain*
> +
> +- The domain type for the privilege separated processes in the
> +  preauthentication phase.
> +
>  **Example file contents:**
>  
>  ```
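Review bot: the new entry does not say which *openssh* builds read this file; the reply above states the support is a distribution patch that is not upstream, so one sentence on where the file is consumed, and that it may be absent on other systems, would stop readers from expecting it everywhere.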

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
