SELinux Security Module development
 help / color / mirror / Atom feed
From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v2] libselinux: Add security_reject_unknown(3) man page
Date: Wed, 06 Mar 2019 13:56:42 +0100	[thread overview]
Message-ID: <pjdy35sma9h.fsf@redhat.com> (raw)
In-Reply-To: <bb4979d7-5e8c-7186-f8b6-e2d59057eee9@tycho.nsa.gov>


Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 3/5/19 4:35 AM, Petr Lautrbach wrote:
>> Commit c19395d7 added a new interface security_reject_unknown() 
>> which needs to
>> be documented.
>
> For the kernel, checkpatch.pl requires that one specify at least 
> 12 characters
> of the sha1 followed by the one line summary log message quoted 
> within
> parentheses, ala:
> commit c19395d72295 ("libselinux: selinux_set_mapping: fix 
> handling of unknown
> classes/perms")
>
> selinux userspace obviously isn't bound by the kernel 
> checkpatch.pl requirements
> but this is probably a good practice to follow so that reviewers 
> don't
> necessarily have to look up the commit hash to have some idea as 
> to what the
> commit was and so that there is less risk of ambiguity.

This makes sense. I'll try to do better next time.

>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>   libselinux/man/man3/security_getenforce.3     | 15 
>>   ++++++++++++++-
>>   libselinux/man/man3/security_reject_unknown.3 |  1 +
>>   2 files changed, 15 insertions(+), 1 deletion(-)
>>   create mode 100644 
>>   libselinux/man/man3/security_reject_unknown.3
>>
>> diff --git a/libselinux/man/man3/security_getenforce.3 
>> b/libselinux/man/man3/security_getenforce.3
>> index 29cf3de7..7b0a069f 100644
>> --- a/libselinux/man/man3/security_getenforce.3
>> +++ b/libselinux/man/man3/security_getenforce.3
>> @@ -1,6 +1,7 @@
>>   .TH "security_getenforce" "3" "1 January 2004" 
>>   "russell@coker.com.au" "SELinux API documentation"
>>   .SH "NAME"
>> -security_getenforce, security_setenforce, 
>> security_deny_unknown, security_get_checkreqprot\- get or set 
>> the enforcing state of SELinux
>> +security_getenforce, security_setenforce, 
>> security_deny_unknown, security_reject_unknown,
>> +security_get_checkreqprot \- get or set the enforcing state of 
>> SELinux
>>   .
>>   .SH "SYNOPSIS"
>>   .B #include <selinux/selinux.h>
>> @@ -11,6 +12,8 @@ security_getenforce, security_setenforce, 
>> security_deny_unknown, security_get_ch
>>   .sp
>>   .B int security_deny_unknown(void);
>>   .sp
>> +.B int security_reject_unknown(void);
>> +.sp
>>   .B int security_get_checkreqprot(void);
>>   .
>>   .SH "DESCRIPTION"
>> @@ -27,6 +30,16 @@ returned.
>>   returns 0 if SELinux treats policy queries on undefined 
>>   object classes or
>>   permissions as being allowed, 1 if such queries are denied, 
>>   and \-1 on error.
>>   +.BR security_reject_unknown ()
>> +returns 1 if SELinux rejects loading a policy which doesn't 
>> define all kernel
>> +object classes and permissions. In this state SELinux treats 
>> policy queries on
>> +undefined object classes or permissions as being denied.
>
> I'm not sure if the last part is quite correct.  If 
> handle_unknown=reject and
> the policy doesn't define all kernel classes/permissions, then 
> the policy load
> fails, which leaves the system without a policy at all (or with 
> its previously
> loaded policy if one was already loaded successfully). If the 
> system is
> enforcing and this is the initial policy load, then init should 
> halt the system
> due to the failed load.  Since no policy was ever loaded,
> security_reject_unknown() is still going to return 0 in that 
> case, but
> security_deny_unknown() should be 1.
>
> If handle_unknown=reject and the policy defines all kernel 
> classes/permissions
> but omits some userspace classes/permissions, then the policy 
> load succeeds and
> the behavior of the userspace object managers will vary 
> depending on what
> interfaces they use and how they handle error conditions. If 
> they use
> selinux_set_mapping() to map all of the classes/permissions up 
> front prior to
> using security_compute_av() or avc_has_perm(), then 
> selinux_set_mapping() will
> return an error and the object manager likely treats this as a 
> fatal error
> during startup (e.g. dbus-daemon appears to exit in this case; 
> XSELinux in
> contrast appears to just disable itself).  If they instead use
> selinux_check_access(), then it will return an error and the 
> object manager
> likely treats this like any other permission denial (but errno 
> will differ:
> EINVAL vs EACCES, so they could distinguish if they wanted). If 
> they directly
> call string_to_security_class() and string_to_av_perm() prior to 
> calling
> security_compute_av() or avc_has_perm(), then the string_*() 
> functions will
> return an error on the undefined class/perm and the object 
> manager likely treats
> that like any other permission denial.

There's also an inaccuracy that security_reject_unknown() is
related only to the current loaded policy. Even when a policy is
incomplete it could be still loaded if it's built using
handle-unknown=allow:

# checkpolicy -U reject -M -o /etc/selinux/dummy/policy/policy.31 
  policy.conf.complete 
# load_policy 
# cat /sys/fs/selinux/reject_unknown 
1
#checkpolicy -U reject -M -o /etc/selinux/dummy/policy/policy.31 
 policy.conf
# load_policy 
SELinux:  Could not load policy file 
/etc/selinux/dummy/policy/policy.31:  Invalid argument
load_policy:  Can't load policy:  Invalid argument
# checkpolicy -U allow -M -o /etc/selinux/dummy/policy/policy.31 
  policy.conf
# load_policy 
# cat /sys/fs/selinux/reject_unknown 
0


>> +
>> +It returns 0 if SELinux allows to load such policy and policy 
>> queries are
>> +treated according to
>> +.BR security_deny_unknown(),
>> +\-1 is returned on error.
>> +
>>   .BR security_get_checkreqprot ()
>>   can be used to determine whether SELinux is configured to 
>>   check the
>>   protection requested by the application or the actual 
>>   protection that will
>> diff --git a/libselinux/man/man3/security_reject_unknown.3 
>> b/libselinux/man/man3/security_reject_unknown.3
>> new file mode 100644
>> index 00000000..d59e5c2c
>> --- /dev/null
>> +++ b/libselinux/man/man3/security_reject_unknown.3
>> @@ -0,0 +1 @@
>> +.so man3/security_getenforce.3
>>


  reply	other threads:[~2019-03-06 12:56 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-04 16:37 [PATCH] libselinux: Add security_reject_unknown(3) man page Petr Lautrbach
2019-03-04 18:23 ` Stephen Smalley
2019-03-05  9:12   ` Petr Lautrbach
2019-03-05  9:35     ` [PATCH v2] " Petr Lautrbach
2019-03-05 15:44       ` Stephen Smalley
2019-03-06 12:56         ` Petr Lautrbach [this message]
2019-03-06 12:58           ` [PATCH v3] " Petr Lautrbach
2019-03-06 13:26             ` Stephen Smalley
2019-03-11 15:48               ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=pjdy35sma9h.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox