Ryan Bradetich | 1 Mar 2007 08:57

Failed write to /selinux/context in selinux_trans_to_raw_context()

Hello all,

I have tracked down a problem that prevents me from logging into my
system when I build a policy that only has the base modules defined.
All the notes below are using revision 2202 of the reference policy
(sorry for the length of the email, these are my notes while tracking
down the problem... hopefully something in them will offer some
insight to the problem).  This problem is very reproducible for me:

   base-only policy:
       1. make bare
       2. make conf
       3. vi policy/modules.conf (:1,$s/= module/= off/g)
       4. make policy
       5. make load
       6. sync
       7. reboot

   everything policy:
       1. make bare
       2. make conf
       3. make policy
       4. make load
       5. sync
       6. reboot

    kernel version: 2.6.20

I am really hoping for a description of what is supposed to happen, so
I better understand how the security server works.   My end goal is to
(Continue reading)

Stephen Smalley | 1 Mar 2007 13:12

Re: Failed write to /selinux/context in selinux_trans_to_raw_context()

On Wed, 2007-02-28 at 23:57 -0800, Ryan Bradetich wrote:
> Hello all,
> 
> I have tracked down a problem that prevents me from logging into my
> system when I build a policy that only has the base modules defined.
> All the notes below are using revision 2202 of the reference policy
> (sorry for the length of the email, these are my notes while tracking
> down the problem... hopefully something in them will offer some
> insight to the problem).  This problem is very reproducible for me:
> 
>    base-only policy:
>        1. make bare
>        2. make conf
>        3. vi policy/modules.conf (:1,$s/= module/= off/g)

Um, why do you expect this to work?  Looking at a modules.conf here,
that would exclude userdomain from the build, and thus no user domains
at all.  Which is fine from a dependency view (hence not in base) but
not if you want users to login...

>        4. make policy
>        5. make load
>        6. sync
>        7. reboot
> 
>    everything policy:
>        1. make bare
>        2. make conf
>        3. make policy
>        4. make load
(Continue reading)

Stephen Smalley | 1 Mar 2007 13:40

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> plain text document attachment (selinux-isolate_netlabel)
> Up until this patch the functions which have provided NetLabel support to
> SELinux have been integrated into the SELinux security server, which for
> various reasons is not really ideal.  This patch makes an effort to extract as
> much of the NetLabel support from the security server as possible and move it
> into its own file within the SELinux directory structure.

Thanks, this looks much better, and helps keep the security server
interface as an abstract security interface.  Is there any reason you
didn't also move security_skb_extlbl_sid() out from the security server?
It seems to be a lingering case where the security server directly acts
on a kernel object rather than a security abstraction.

> 
> Signed-off-by: Paul Moore <paul.moore@...>
> ---
>  net/netlabel/netlabel_kapi.c                |    3 
>  security/selinux/Makefile                   |    2 
>  security/selinux/include/security.h         |   24 +
>  security/selinux/include/selinux_netlabel.h |   71 ++--
>  security/selinux/netlabel.c                 |  363 ++++++++++++++++++++++++
>  security/selinux/ss/services.c              |  423 +++-------------------------
>  6 files changed, 481 insertions(+), 405 deletions(-)
> 
> Index: net-2.6_future/net/netlabel/netlabel_kapi.c
> ===================================================================
> --- net-2.6_future.orig/net/netlabel/netlabel_kapi.c
> +++ net-2.6_future/net/netlabel/netlabel_kapi.c
>  <at>  <at>  -263,9 +263,6  <at>  <at>  int netlbl_socket_setattr(const struct s
(Continue reading)

Stephen Smalley | 1 Mar 2007 13:52

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

On Thu, 2007-03-01 at 07:40 -0500, Stephen Smalley wrote:
> On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> > plain text document attachment (selinux-isolate_netlabel)
> > Up until this patch the functions which have provided NetLabel support to
> > SELinux have been integrated into the SELinux security server, which for
> > various reasons is not really ideal.  This patch makes an effort to extract as
> > much of the NetLabel support from the security server as possible and move it
> > into its own file within the SELinux directory structure.
> 
> Thanks, this looks much better, and helps keep the security server
> interface as an abstract security interface.  Is there any reason you
> didn't also move security_skb_extlbl_sid() out from the security server?
> It seems to be a lingering case where the security server directly acts
> on a kernel object rather than a security abstraction.

It isn't NetLabel-specific, but it appears that it could easily just be a
helper function in hooks.c itself.

> 
> > 
> > Signed-off-by: Paul Moore <paul.moore@...>
> > ---
> >  net/netlabel/netlabel_kapi.c                |    3 
> >  security/selinux/Makefile                   |    2 
> >  security/selinux/include/security.h         |   24 +
> >  security/selinux/include/selinux_netlabel.h |   71 ++--
> >  security/selinux/netlabel.c                 |  363 ++++++++++++++++++++++++
> >  security/selinux/ss/services.c              |  423 +++-------------------------
> >  6 files changed, 481 insertions(+), 405 deletions(-)
> > 
(Continue reading)

Paul Moore | 1 Mar 2007 14:27

Re: [RFC 3/4] SELinux: extract the NetLabel SELinux support from the security server

On Thursday 01 March 2007 7:52:36 am Stephen Smalley wrote:
> On Thu, 2007-03-01 at 07:40 -0500, Stephen Smalley wrote:
> > On Wed, 2007-02-28 at 15:14 -0500, Paul Moore wrote:
> > > plain text document attachment (selinux-isolate_netlabel)
> > > Up until this patch the functions which have provided NetLabel support
> > > to SELinux have been integrated into the SELinux security server, which
> > > for various reasons is not really ideal.  This patch makes an effort to
> > > extract as much of the NetLabel support from the security server as
> > > possible and move it into its own file within the SELinux directory
> > > structure.
> >
> > Thanks, this looks much better, and helps keep the security server
> > interface as an abstract security interface.  Is there any reason you
> > didn't also move security_skb_extlbl_sid() out from the security server?
> > It seems to be a lingering case where the security server directly acts
> > on a kernel object rather than a security abstraction.
>
> It isn't NetLabel-specific, but it appears that it could easily just be a
> helper function in hooks.c itself.

That is why I didn't move it; I was focusing on the NetLabel-specific bits.
However, I agree, it probably would make more sense to move that out to
hooks.c.

I'll throw together another patch and send it out later today.

-- 
paul moore
linux security @ hp

(Continue reading)

Christopher J. PeBenito | 1 Mar 2007 15:39

Re: wpa_supplicant-global is a socket, not sure if it used to be something different

On Mon, 2007-02-26 at 14:54 -0500, dwalsh@... wrote:
> ===File /tmp/patches/nsaserefpolicy_policy_modules_services_networkmanager.fc===
> --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2006-11-16 17:15:20.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/services/networkmanager.fc	2007-02-26
11:04:23.000000000 -0500
>  <at>  <at>  -3,4 +3,5  <at>  <at> 
>  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
>  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> -/var/run/wpa_supplicant-global	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> +/var/run/wpa_supplicant-global		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
> +
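Review bot: the "+" line drops the "--" class qualifier from /var/run/wpa_supplicant-global without replacing it, so the entry now matches any object class at that path rather than only the socket the subject line says it is; using "-s" (socket) keeps the entry as narrow as the old "--" line was while fixing the class. The hunk also adds a trailing empty "+" line at the end of the file, which can be dropped.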

Changed it to -s.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

Christopher J. PeBenito | 1 Mar 2007 15:39

Re: Additional Device definitions.

On Mon, 2007-02-26 at 14:52 -0500, dwalsh@... wrote:
> 
> ===File /tmp/patches/nsaserefpolicy_policy_modules_kernel_devices.fc===
> --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-01-02 12:57:13.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/kernel/devices.fc	2007-02-26 11:04:23.000000000 -0500
>  <at>  <at>  -28,9 +28,11  <at>  <at> 
>  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
>  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
>  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
> +/dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
>  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
>  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
>  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
> +/dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
>  /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
>  /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
>  /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
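Review bot: both inserted lines break the alphabetical order the surrounding entries keep: /dev/mcelog is placed between kmsg and logibm but sorts after /dev/lp.*, and /dev/oldmem is placed between mem and mice but sorts after /dev/midi.*. On the labels themselves, /dev/oldmem as memory_device_t at mls_systemhigh is consistent with the adjacent /dev/mem and /dev/kmem entries; /dev/mcelog reusing kmsg_device_t would benefit from a one-line comment saying why the kernel-message device type is the right fit rather than a dedicated type.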
>  <at>  <at>  -58,6 +60,7  <at>  <at> 
>  /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
>  /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
>  /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
> +/dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
>  /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
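Review bot: /dev/sonypi labelled v4l_device_t is not self-explanatory; unlike the neighbouring tlk[0-3] entry, nothing in the name ties it to video capture, so a short comment explaining why it belongs with the v4l devices would help the next reader of this file. Its position between sndstat and tlk is fine.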
> ============================================================

Merged with some reorganization.

-- 
(Continue reading)

Christopher J. PeBenito | 1 Mar 2007 15:39

Re: More textrel_shlib_t libraries

On Mon, 2007-02-26 at 14:55 -0500, dwalsh@... wrote:
> ===File /tmp/patches/nsaserefpolicy_policy_modules_system_libraries.fc===
> --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-02-19 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/system/libraries.fc	2007-02-26 11:04:23.000000000 -0500
>  <at>  <at>  -80,6 +80,7  <at>  <at> 
>  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
>  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
>  /opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/opt/cxoffice/lib/wine/.+\.so      -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>  
>  ifdef(`distro_gentoo',`
>  # despite the extensions, they are actually libs
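Review bot: the new /opt/cxoffice/lib/wine/.+\.so entry ends at "\.so", whereas the /opt/ibm/java2-ppc64-50 line directly above it uses "\.so(\.[^/]*)*"; file context regexes must match the whole path, so versioned names such as libfoo.so.1 under that directory would fall through to the default label. If such files exist there, use the same suffix pattern as the line above. The new line also separates its fields with spaces where the rest of the block uses tabs.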
>  <at>  <at>  -276,7 +277,10  <at>  <at> 
>  /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/(local/)?lib/xchat/plugins/systray.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/local/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap.so    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl).so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> +
>  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>  
>  /usr/lib/acroread/(.*/)?sidecars/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
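Review bot: in the second and third new matlab lines the "." before "so" is not escaped (libtermcap.so and (libmw(lapack|mathutil|services)|lapack|libmkl).so), unlike libmwlapack\.so on the line above them and every other entry in this hunk; unescaped it matches any single character, so "\.so" is the intended form. The libmwlapack\.so line is also fully covered by the libmw(lapack|mathutil|services) alternation in the third new line, so one of the two is redundant, and the trailing empty "+" line can be dropped.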

Merged with some reorg.

-- 
Chris PeBenito
Tresys Technology, LLC
(Continue reading)

Christopher J. PeBenito | 1 Mar 2007 15:39

Re: Add MATLAB policy to run as a java_exec_t

On Mon, 2007-02-26 at 14:50 -0500, dwalsh@... wrote:
> ===File /tmp/patches/nsaserefpolicy_policy_modules_apps_java.fc===
> --- nsaserefpolicy/policy/modules/apps/java.fc	2007-01-25 08:13:58.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/apps/java.fc	2007-02-26 11:04:22.000000000 -0500
>  <at>  <at>  -18,3 +18,8  <at>  <at> 
>  /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
>  /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
>  /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
> +# MATLAB Policy
> +/usr/matlab/bin/(.*/)?MATLAB.	--	gen_context(system_u:object_r:java_exec_t,s0)
> +/usr/local/matlab/bin/(.*/)?MATLAB.	--	gen_context(system_u:object_r:java_exec_t,s0)
> +/opt/matlab/bin/(.*/)?MATLAB.	--	gen_context(system_u:object_r:java_exec_t,s0)
> +/opt/local/matlab/bin/(.*/)?MATLAB.	--	gen_context(system_u:object_r:java_exec_t,s0)
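Review bot: the trailing unescaped "." in "MATLAB." matches exactly one arbitrary character, so each of these four patterns matches MATLAB followed by one more character but not a file named just MATLAB; if the target is the MATLAB binary itself, "MATLAB" (or "MATLAB.*" if suffixed variants exist) is what is wanted. The four lines differ only in the install prefix and could be collapsed into a single entry along the lines of /(usr|opt)/(local/)?matlab/bin/(.*/)?MATLAB, which matches the /usr/(local/)? style already used in libraries.fc and leaves one pattern to maintain.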
> ============================================================

Merged with a little reorganization.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

Christopher J. PeBenito | 1 Mar 2007 15:39

Re: Additional bin_t files

On Mon, 2007-02-26 at 14:51 -0500, dwalsh@... wrote:
> 
> ===File /tmp/patches/nsaserefpolicy_policy_modules_kernel_corecommands.fc===
> --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-02-19 11:32:51.000000000 -0500
> +++ serefpolicy-2.5.5/policy/modules/kernel/corecommands.fc	2007-02-26 11:04:22.000000000 -0500
>  <at>  <at>  -73,7 +73,6  <at>  <at> 
>  
>  ifdef(`targeted_policy',`
>  /etc/X11/prefdm			--	gen_context(system_u:object_r:bin_t,s0)
> -/usr/games/nethack-3.4.3/nethack --	gen_context(system_u:object_r:bin_t,s0)
>  ')
>  
>  #
>  <at>  <at>  -254,3 +253,7  <at>  <at> 
>  ifdef(`distro_suse',`
>  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
>  ')
> +
> +/etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
> +
> +/usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
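Review bot: the two new entries are appended after the distro_suse ifdef block at the end of the file rather than in the distro-independent section above it, which is where /etc/security/namespace.init and /usr/lib/bluetooth(/.*)? belong. Note also that "(/.*)?" combined with "--" labels every regular file anywhere under /usr/lib/bluetooth as bin_t, including any shared objects that may live in that tree, so confirm that is intended rather than only the helper executables. The trailing empty "+" line can be dropped.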
> ============================================================

Merged with a little reorganization.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

(Continue reading)

