Steve Grubb | 1 Feb 2007 12:40

Re: missing avc message field names

On Wednesday 31 January 2007 17:59, Russell Coker wrote:
> Maybe there should be an option to have auditd write a binary log file as
> well as either a text log file or logging via syslog?

This should be possible. The audit event dispatcher typically has had a 
plugin that relays audit events to syslog. It will likely be a little while 
before there are binary formatted logs. I guess my message is really that you 
might not want to assume that the site will have text based logs for user 
support. Text logs are not being deprecated. It's that there will be more 
options soon.

-Steve

Pravin | 1 Feb 2007 12:55

selinux and UML integration problem

Hi,
I am trying to compile Linux kernel 2.9.19.2 with UML and with SELinux enabled.
I did manage to compile and run UML on kernel 2.9.19.2, but I am not able to enable SELinux on the same.

I downloaded a precompiled kernel with UML and SELinux enabled
from http://uml.nagafix.co.uk/kernels/kernel32-2.6.14.4-bs3
but it is not working.

I also compiled kernel 2.9.19.2 with the config file given at http://uml.nagafix.co.uk/kernels/kernel32-2.6.19.2.config, but even that is not working.

My guess is that the downloaded configuration file has many options that I don't require on my setup.

I am not able to find any SELinux-related option in the menu provided by "make menuconfig ARCH=um".
The configuration file generated by "make menuconfig ARCH=um" does not have any SELinux-related option.

So, I copied all Security related options from downloaded configuration file to my generated configuration file.

{{{
#
# Security options
#
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
}}}

After compilation, the security configuration options are automatically reset to the following

{{{
#
# Security options
#
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
}}}

and SELinux is not enabled in the UML that is generated.

Do I need to change any other options also to make SELinux and UML run together?

I am attaching my configuration file generated by "make menuconfig ARCH=um"

Can I know the minimum configuration options that I need to set in order to make SELinux enabled?

Thank you
--
Pravin Shinde

Attachment (working.config): application/octet-stream, 12 KiB
Antoine Martin | 1 Feb 2007 13:04

Re: selinux and UML integration problem

Hi,

I am copying here the reply to the UML-user ML post (same question):
"You are not doing anything wrong, if you check at the top of the page 
at http://uml.nagafix.co.uk/
It does mention the fact that there are problems with recent host 
kernels (>=2.6.16). I can only suggest that you try an older host kernel 
until the x86 bug is fixed."

Antoine

Pravin wrote:
> Hi,
> I am trying to compile linux kernel 2.9.19.2 with UML and having SELinux
> enabled.
> I did manage to compile and run UML on kernel 2.9.19.2 but I am not able to
> enable SELinux on the same.
> 
> I downloaded precompiled kernel with UML and SELinux enabled,
> from http://uml.nagafix.co.uk/kernels/kernel32-2.6.14.4-bs3
> but they are not working.
> 
> When I compile kernel 2.9.19.2 with config file given at
> http://uml.nagafix.co.uk/kernels/kernel32-2.6.19.2.config but even that is
> not working.
> 
> My guess is that the downloaded configuration file has many options
> that I don't require on my setup.
> 
> I am not able to find any SELINUX related option in menu provided by "make
> menuconfig ARCH=um".
> The configuration file generated by "make menuconfig ARCH=um" is not having
> any SELINUX related option.
> 
> So, I copied all Security related options from downloaded configuration 
> file
> to my generated configuration file.
> 
> {{{
> #
> # Security options
> #
> CONFIG_KEYS=y
> CONFIG_KEYS_DEBUG_PROC_KEYS=y
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_CAPABILITIES=y
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
> }}}
> 
> After compilation, the security configuration options are automatically
> reset to the following
> 
> {{{
> #
> # Security options
> #
> CONFIG_KEYS=y
> CONFIG_KEYS_DEBUG_PROC_KEYS=y
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_CAPABILITIES=y
> }}}
> 
> and SELinux is not enabled in the UML that is generated.
> 
> Do I need to change any other options also to make SELinux and UML running
> together ?
> 
> I am attaching my configuration file generated by "make menuconfig ARCH=um"
> 
> Can I know the minimum configuration options that I need to set in order to
> make SELinux enabled?
> 
> Thank you

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@... with
the words "unsubscribe selinux" without quotes as the message.

Stephen Bennett | 1 Feb 2007 13:30

Re: selinux and UML integration problem

On Thu, 1 Feb 2007 17:25:28 +0530
Pravin <shindepravin@...> wrote:

> I am not able to find any SELINUX related option in menu provided by
> "make menuconfig ARCH=um".
> The configuration file generated by "make menuconfig ARCH=um" is not
> having any SELINUX related option.

The config file you attached has CONFIG_AUDIT disabled, which is
required by SELinux. Enable it and try again.

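As an added example (my own script, not something posted in this thread), the check below reads a kernel .config and reports which options SELinux depends on are left unset. The SECURITY, SECURITY_NETWORK and SECURITY_SELINUX options come from Pravin's config fragment and CONFIG_AUDIT from Stephen's reply; CONFIG_NET and CONFIG_INET are added on my assumption that the SELinux Kconfig of that era also required them. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the kernel options
# SELinux depends on are not enabled in a given .config.
# The list combines the SECURITY* options from Pravin's fragment, the
# CONFIG_AUDIT dependency Stephen points out, and NET/INET, which I assume
# the SELinux Kconfig of that era also required (not stated in the thread).
SELINUX_REQUIRED="CONFIG_NET CONFIG_INET CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_SELINUX"

# check_selinux_config FILE
# Prints each missing option to stderr and the number of missing options
# to stdout, so a caller can capture the count with $(...).
check_selinux_config() {
    cfg="$1"
    missing=0
    for opt in $SELINUX_REQUIRED; do
        # Kconfig writes unset options as "# CONFIG_FOO is not set", so only
        # an explicit "=y" line counts (none of these can be built as a module).
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "missing: $opt" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample resembling what "make menuconfig ARCH=um" produced for
# Pravin: the security framework is on, but AUDIT and SELinux are not.
SAMPLE_GENERATED=$(mktemp)
cat > "$SAMPLE_GENERATED" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_AUDIT is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
EOF

# Constructed sample with every dependency enabled.
SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
EOF
trap 'rm -f "$SAMPLE_GENERATED" "$SAMPLE_FIXED"' EXIT

echo "generated config: $(check_selinux_config "$SAMPLE_GENERATED") option(s) missing"
echo "fixed config:     $(check_selinux_config "$SAMPLE_FIXED") option(s) missing"
```

Run it against a real tree with `check_selinux_config .config`; a non-zero count explains why Kconfig silently drops CONFIG_SECURITY_SELINUX the way Pravin saw, since an option whose dependencies are unmet is discarded when the configuration is regenerated.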

Vincenzo Ciaglia | 1 Feb 2007 13:17

Re: selinux and UML integration problem

On Thu, 01/02/2007 at 17.25 +0530, Pravin wrote:

> Can I know the minimum configuration options that I need to set in
> order to make SELinux enabled?

Take a look here:
http://marc.theaimsgroup.com/?l=selinux&m=116947747203114&w=2

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


Jim Meyering | 1 Feb 2007 19:00

coreutils: selinux is nearly ready: status

I've been spending little bits of time over the last few months getting
coreutils' SELinux into shape.  These changes started off based on Red
Hat patches from six months ago.  Initially it was all in a mercurial
repository based on a snapshot of coreutils CVS.  Then coreutils
development switched to git, and only recently have I merged most of
the hg-based deltas into the new repository.  It's on a branch named
"selinux".

Here is the current state:

  http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=selinux

Here are some of the remaining tasks:

  - add runcon (should be quick)
  - add many more SELinux-specific tests
  - fix at least one test (tests/cp/cp-a-selinux is in-progress
      and known to fail -- but I know a couple ways to fix it)
  - documentation
  - make sure that any newer selinux-related changes from Red Hat
      (or any other distribution) are included

To check out a copy, do this: (checked out repo size: 54MB)

  $ git-clone git://git.sv.gnu.org/coreutils
  $ cd coreutils
  $ git-fetch git://git.sv.gnu.org/coreutils selinux:my-selinux
  $ git-checkout my-selinux

Comments welcome.

Jim
Karl MacMillan | 1 Feb 2007 20:24

[RFC] new libsepol policy representation

This is an RFC about a series of patches I have been working on to 
simplify the policy representation used in libsepol. The patch set can 
be seen at 
http://people.redhat.com/kmacmill/patches/selinux/policy-parser-rewrite/. 
I'm not going to post the patch series to the list (unless requested) 
since it is large and not ready for merging.

The goal is to replace the current parsing, module representation 
(including file format), linking, and expanding code in libsepol with 
this new representation. Backwards compatibility with existing module 
files would, of course, be preserved.

BACKGROUND

This work started with my policy generation tools (initially madison, 
now sepolgen). The strategy I employed with those tools was to parse the 
reference policy headers and other policy (source and binary) to gather 
information needed to generate better policy. That includes calls to 
reference policy interfaces.

This parsing was done using a separate parser written in Python. My 
thought was that the needs of that parser / representation were 
divergent enough from the current uses of libsepol that a separate 
parser was simpler and more maintainable.

Several things have changed my mind about keeping a separate parser:

* Making the sepolgen parser complete enough to do what I need will 
result in a parser capable of handling _all_ selinux policy and overlap 
significantly with checkpolicy / libsepol.

* I need to extract information from policy modules (mainly attributes 
and rules that reference attributes). Having to use a completely 
separate representation to extract that information is difficult and 
error prone.

* The policy representation I designed for sepolgen is much more in line 
with how compilers are usually implemented than what is currently in 
libsepol. After working with the sepolgen representation I became 
convinced that it was far superior both for what sepolgen needs 
(generation and analysis) and for what libsepol / checkpolicy needs 
(semantic / syntactic checking, optimization, and conversion to a kernel 
policy).

Given this I decided to look at creating a similar representation in 
libsepol and converting checkpolicy / checkmodule to use that.

STATUS

This patch set implements several new data structures (some of which I 
have sent to the list before) and an incomplete version of the policy 
representation and checkpolicy changes. I am posting it now because it 
is complete enough that feedback is possible. I believe that it already 
shows the value of this approach.

ADVANTAGES

Unlike the current libsepol representation, the structures in the 
representation are based on trees and use strings (more like the 
"records" that Ivan added). This representation has several advantages:

* The tree structure more closely aligns the libsepol representation 
with the policy structure, eliminating the need to store scoping 
information separately. The current scope information in libsepol is 
cumbersome, incomplete, and space consuming. See idtab_check_scope in 
policy_check.c for an example of how this structure simplifies handling 
scoping - compare to the similar operation in the parser / linker.

* The use of strings rather than numeric ids for components makes 
manipulating and merging the policy much simpler (e.g., all of the 
mapping that is done in link.c just goes away - that code has been very 
difficult to get right and is difficult to maintain).

* Policy components (e.g., types or booleans) can exist outside of a 
larger policy structure. That makes it possible to merge this 
representation with the "records" currently used in libsepol / libsemanage.

* The object pool and object sets mitigate most of the disadvantages of 
using strings by storing only a single copy of every string. This 
removes much of the extra space and allows string comparisons to devolve 
into pointer comparisons in many cases. The use of the pooling is 
optional, however, to simplify the use of the data structures separate 
from a policy.

* All of the current ordering constraints in the parser are removed. 
This should remove most of the hacks that the reference policy currently 
needs to build correctly.

* The parser is now single pass.

* The parser can handle arbitrary nesting of components (including 
conditionals) much more easily.

* The semantic checking can be shared _completely_ by the parser and the 
linker/expander. Currently these are only partially shared (and the 
linker / expander don't check everything that the parser does).

* Implementing planned language extensions to directly support the 
reference policy will be greatly simplified.

* These structures will be usable for policy generation (which started 
all of this!).

PATCHES

01-sepol-list-iter.patch
Add a list data type and iterators.

02-sepol-symtab-export.patch
Export functions for hashing and comparing strings.

03-sepol-hashtab-iter.patch
Add iterators to the hashtab data type.

04-sepol-objpool.patch
Add the object pool data type, for managing a pool of reference counted 
objects (e.g., strings).

05-sepol-objset.patch
Add the object set data type for keeping sets of objects (with 
guaranteed uniqueness - this is modeled on 
http://docs.python.org/lib/types-set.html).

06-sepol-policy.patch
Add a tree-based policy representation.

07-sepol-policy-check.patch
Add an example semantic check that uses the tree-based representation.

08-checkpolicy.patch
Convert the parser to generate the tree-based representation. This is 
the least complete and most invasive patch in the series. Note that some 
of the grammar changes are very helpful for making nested conditionals / 
optionals work naturally separate from the policy representation changes.

FUTURE

The next steps are to:

* Finish the parser and semantic checker

* Implement serialization for the policy trees to create a new module 
file format (the package format won't change). I anticipate that this 
could also be used for the libsemanage wire protocol, which currently 
requires an entirely separate set of serialization functions.

* Implement conversion from the tree representation to the kernel data 
structures (which will replace expansion - linking comes basically for 
free with this representation).

* Implement a reader for the current module format to the new tree 
structure - this will provide backwards compatibility.

At this point I'm looking for:

* Fundamental objections
* Feedback on the general approach
* Ideas on how to integrate this work while avoiding the "big bang" 
style integration we had with the policy module work.
* Help!

Any feedback is welcome.

Thanks - Karl


Joshua Brindle | 1 Feb 2007 20:58

Kernel oops on fc6 with non-mls policy

There seems to be a kernel oops on non-mls policies with the fc6 kernel.
It appears that netlabel is the culprit but I couldn't immediately track
down the issue, the mls functions all seem to be returning if mls is
disabled. The oops and ksymoops output is available at
http://pastebin.com/872996.

I have seen another that isn't there that happens on unix_stream_connect
and oopses in security_sid_mls_copy->ebitmap_cpy.

Is this a known issue?


Eric Paris | 1 Feb 2007 21:20

Re: Kernel oops on fc6 with non-mls policy

On Thu, 2007-02-01 at 14:58 -0500, Joshua Brindle wrote:
> There seems to be a kernel oops on non-mls policies with the fc6 kernel.
> It appears that netlabel is the culprit but I couldn't immediately track
> down the issue, the mls functions all seem to be returning if mls is
> disabled. The oops and ksymoops output is available at
> http://pastebin.com/872996.
> 
> I have seen another that isn't there that happens on unix_stream_connect
> and oopses in security_sid_mls_copy->ebitmap_cpy.
> 
> Is this a known issue?

http://marc2.theaimsgroup.com/?l=selinux&m=116920292206962&w=2

I believe.

Will get fixed in FC7 when the kernel gets new enough to pick it up from
upstream.  Will not get fixed in RHEL5 until U1.

-Eric


Karl MacMillan | 1 Feb 2007 22:25

Re: PATCH: libselinux matchpathcon() eliminate %as scanf format

Todd C. Miller wrote:
> This is a patch I sent in last year but forgot to split up as
> requested; it still applies to the recently-released selinux-1.34.0.
> 
> The patch replaces usage of the non-standard %as scanf() format
> (which conflicts with C99) with strtok_r().  This does mean that
> line_buf is modified but this variable is only used as an argument
> to process_line() and is freed thereafter.
> 
> I made this change as part of the port of libselinux to SEBSD and
> SEDarwin.
> 
>  - todd

Acked-by: Karl MacMillan <kmacmillan@...>

I made a few updates for style (the !! thing was too clever for me) and 
merged into trunk and stable. Actual merged version is attached.

> --- matchpathcon.c	2007-01-25 14:19:39.000000000 -0500
> +++ matchpathcon.c	2007-01-25 14:21:32.000000000 -0500
>  <at>  <at>  -444,7 +444,7  <at>  <at> 
>  			int pass, unsigned lineno)
>  {
>  	int items, len, regerr, ret;
> -	char *buf_p;
> +	char *buf_p, *ptr;
>  	char *regex, *type, *context;
>  	const char *reg_buf;
>  	char *anchored_regex;
>  <at>  <at>  -459,7 +459,11  <at>  <at> 
>  	/* Skip comment lines and empty lines. */
>  	if (*buf_p == '#' || *buf_p == 0)
>  		return 0;
> -	items = sscanf(line_buf, "%as %as %as", &regex, &type, &context);
> +
> +	regex = strtok_r(buf_p, " \t", &ptr);
> +	type = strtok_r(NULL, " \t", &ptr);
> +	context = strtok_r(NULL, " \t", &ptr);
> +	items = !!regex + !!type + !!context;
>  	if (items < 2) {
>  		myprintf("%s:  line %d is missing fields, skipping\n", path,
>  			 lineno);
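Review bot: the strtok_r() delimiter set " \t" in the three added calls does not include '\n', whereas the %as conversions being replaced stopped at any whitespace; unless line_buf has already had its trailing newline removed before buf_p is derived (not visible in this hunk), context will keep the newline and the later regex and context handling will see it. Either add "\n" to the delimiter string or add a comment that the line is pre-trimmed. The `items = !!regex + !!type + !!context;` line also deserves a comment: it only yields a count because strtok_r() keeps returning NULL once it has returned NULL, so the non-NULL tokens are always a prefix.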
>  <at>  <at>  -470,6 +474,15  <at>  <at> 
>  		type = NULL;
>  	}
>  
> +	regex = strdup(regex);
> +	if (type != NULL)
> +		type = strdup(type);
> +	context = strdup(context);
> +	if (!!regex + !!type + !!context != items) {
> +		ret = -1;
> +		goto finish;
> +	}
> +
>  	reg_buf = regex;
>  	len = get_stem_from_spec(reg_buf);
>  	if (len && prefix && strncmp(prefix, regex, len)) {
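Review bot: the purpose of `if (!!regex + !!type + !!context != items)` is not obvious and needs a comment: it detects a failed strdup() by comparing the number of non-NULL pointers after duplication with the count taken before, and it relies on all three strdup() calls running first so that by the time of `goto finish` every pointer is either heap memory or NULL (no pointer into buf_p is left for the finish path to free). Checking each strdup() result where it is made, and noting why context is duplicated before the check even when an earlier call has failed, would make that intent explicit.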
> 

Index: libselinux/src/matchpathcon.c
===================================================================
--- libselinux/src/matchpathcon.c	(revision 2209)
+++ libselinux/src/matchpathcon.c	(working copy)
 <at>  <at>  -444,7 +444,7  <at>  <at> 
 			int pass, unsigned lineno)
 {
 	int items, len, regerr, ret;
-	char *buf_p;
+	char *buf_p, *ptr;
 	char *regex, *type, *context;
 	const char *reg_buf;
 	char *anchored_regex;
 <at>  <at>  -459,7 +459,18  <at>  <at> 
 	/* Skip comment lines and empty lines. */
 	if (*buf_p == '#' || *buf_p == 0)
 		return 0;
-	items = sscanf(line_buf, "%as %as %as", &regex, &type, &context);
+
+	items = 0;
+	regex = strtok_r(buf_p, " \t", &ptr);
+	if (regex)
+		items += 1;
+	type = strtok_r(NULL, " \t", &ptr);
+	if (type)
+		items += 1;
+	context = strtok_r(NULL, " \t", &ptr);
+	if (context)
+		items += 1;
+	
 	if (items < 2) {
 		myprintf("%s:  line %d is missing fields, skipping\n", path,
 			 lineno);
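Review bot: the added blank line just before `if (items < 2)` carries a trailing tab (`+\t`), which will show up as whitespace noise in later diffs; please make it an empty line. The explicit `items += 1` counting reads better than the `!!` sum in the submitted patch, but a one-line comment that the three strtok_r() calls produce a prefix (a NULL is followed only by NULLs) would document why `items` is a plain count and why the `items < 2` test is sufficient.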
 <at>  <at>  -470,6 +481,23  <at>  <at> 
 		type = NULL;
 	}

+	regex = strdup(regex);
+	if (!regex) {
+		return -1;
+	}
+	if (type) {
+		type = strdup(type);
+		if (!type) {
+			ret = -1;
+			goto finish;
+		}
+	}
+	context = strdup(context);
+	if (!context) {
+		ret = -1;
+		goto finish;
+	}
+
 	reg_buf = regex;
 	len = get_stem_from_spec(reg_buf);
 	if (len && prefix && strncmp(prefix, regex, len)) {
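Review bot: the failure path for `type = strdup(type);` does `ret = -1; goto finish;` while context still points into buf_p rather than heap memory (its strdup() comes later in the hunk); if the finish label frees context, that is a free() of a non-heap pointer. The submitted patch avoided this by duplicating all three strings before checking any result; either keep that ordering or set `context = NULL` before the goto. Also, the regex failure uses a bare `return -1` where the other two use `ret = -1; goto finish;`; taking the same exit path in all three cases avoids surprises if finish later gains cleanup.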
