Stephen Smalley | 1 Nov 2007 17:51

Re: [PATCH] libselinux: refactor AVC netlink code

On Wed, 2007-10-24 at 14:31 -0400, Eamon Walsh wrote:
> This patch removes duplication in the AVC netlink code
> by introducing helper functions.
> 
> Did some basic testing and confirmed that messages are
> received and processed.
> 
> More patches to follow.
> 
> Signed-off-by: Eamon Walsh <ewalsh@...>

Merged.

However, it occurs to me that this code may yield unaligned accesses
(before and after this patch), just like the libsepol policy reading
code until recently.

> ---
> 
>  avc_internal.c |  289 +++++++++++++++++++++------------------------------------
>  1 file changed, 107 insertions(+), 182 deletions(-)
> 
> 
> Index: libselinux/src/avc_internal.c
> ===================================================================
> --- libselinux/src/avc_internal.c	(revision 2662)
> +++ libselinux/src/avc_internal.c	(working copy)
>  <at>  <at>  -89,221 +89,146  <at>  <at> 
>  	close(fd);
>  }

Stephen Smalley | 1 Nov 2007 21:11

Re: [PATCH] checkpolicy: Remove use of REJECT and trailing context in lex rules; make ipv4 address processing like ipv6

On Wed, 2007-10-31 at 15:43 -0400, James Carter wrote:
> This is a patch to remove the use of REJECT and trailing context in the
> lex rules.  To help accomplish this, it also makes ipv4 address
> processing like ipv6 address processing.
> 
> It improves policy compile times on my laptop from ~95sec to ~85sec.  
> 
> REJECT was used to reject an identifier if it had two consecutive "."s
> or one at the end.  The new rule should prevent both of these conditions
> without the use of REJECT and the is_valid_identifier function.
> 
> Trailing context was used in the rule to identify the module version.
> Without the trailing context, the rule would match ipv4 addresses.  A
> rule for ipv4 addresses was added to eliminate the need for the use of
> trailing context and to allow ipv4 addresses to be handled in a manner
> similar to ipv6 addresses.
> 
> Finally, the alnum character class was defined and some minor cleanup
> was done.
> 
> I am, by the way, surprised by the rule to match the module version.
> It is "[0-9]+(\.[A-Za-z0-9_.]*)?" when I would have expected something
> like "[0-9]+(\.[0-9]+){0,2}".  I assumed that there is a reason why it
> is like this and left it alone.
> 
> 
> Signed off by: James Carter <jwcart2@...>

Thanks, merged.

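To make the regex discussion above concrete, here is an added illustration (not checkpolicy's own lex file): it compares the module-version pattern James quotes with the stricter one he says he expected, and shows a hypothetical identifier pattern of my own that excludes consecutive and trailing dots by construction, as the message says the new rule does. Python's `re` stands in for lex; `longest_prefix` approximates lex's longest-match behaviour for these particular patterns.

```python
import re

# Module version pattern exactly as quoted from checkpolicy's lex rules
VERSION_ACTUAL = re.compile(r"[0-9]+(\.[A-Za-z0-9_.]*)?")
# The stricter pattern the message says one would expect: at most major.minor.patch
VERSION_EXPECTED = re.compile(r"[0-9]+(\.[0-9]+){0,2}")
# Hypothetical identifier rule (mine, not checkpolicy's): a word followed by zero or
# more ".word" groups, so ".." and a trailing "." can never be part of a match.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z0-9_]+)*")


def longest_prefix(pattern, text):
    """Approximate a lex rule: the token it would consume from the front of text.
    Python's greedy match equals lex's longest match for these patterns."""
    m = pattern.match(text)
    return m.group(0) if m else ""


def version_verdicts(text):
    """Whether the whole string is a module version under (actual, expected)."""
    return (VERSION_ACTUAL.fullmatch(text) is not None,
            VERSION_EXPECTED.fullmatch(text) is not None)


def old_identifier_check(text):
    """The condition the REJECT-based rule enforced after matching:
    no '..' anywhere and no '.' at the end."""
    return ".." not in text and not text.endswith(".")


def identifier_verdict(text):
    """True when the REJECT-free rule consumes the entire string as one identifier.
    Anything left over (a stray '.') would fall through to the next rule instead."""
    return longest_prefix(IDENTIFIER, text) == text


if __name__ == "__main__":
    for v in ("1", "1.2", "1.2.3", "1.2.3.4", "1.", "1..2", "1.2a"):
        actual, expected = version_verdicts(v)
        print(f"{v:10} actual={actual!s:6} expected={expected}")
    for ident in ("foo", "foo.bar", "foo..bar", "foo.", ".foo", "foo.bar.baz"):
        consumed = longest_prefix(IDENTIFIER, ident)
        print(f"{ident:12} consumed={consumed!r:14} whole={identifier_verdict(ident)}")
```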

Daniel J Walsh | 2 Nov 2007 20:58

Patch to allow semanage to set boolean values and translate booleans via policy.xml


Also added translations of booleans to command line.

> /usr/sbin/semanage boolean -l  | grep nfs_export
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> xen_use_nfs                    -> off   Allow xen to manage nfs files
> use_nfs_home_dirs              -> on    Support NFS home directories
> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs                  -> off   Allow httpd to read nfs files
> samba_share_nfs                -> off   Allow samba to export NFS volumes.
> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only

This time with the patch.  :^)
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r
nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage	2007-11-02 15:50:54.000000000 -0400
 <at>  <at>  -1,5 +1,5  <at>  <at> 
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 

Daniel J Walsh | 2 Nov 2007 20:57

Patch to allow semanage to set boolean values and translate booleans via policy.xml


Also added translations of booleans to command line.

> /usr/sbin/semanage boolean -l  | grep nfs_export
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> xen_use_nfs                    -> off   Allow xen to manage nfs files
> use_nfs_home_dirs              -> on    Support NFS home directories
> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs                  -> off   Allow httpd to read nfs files
> samba_share_nfs                -> off   Allow samba to export NFS volumes.
> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
Jan-Frode Myklebust | 5 Nov 2007 11:50

Re: policyd module

On Wed, Oct 24, 2007 at 01:08:32PM +0000, Christopher J. PeBenito wrote:
> On Tue, 2007-10-23 at 18:03 +0200, Jan-Frode Myklebust wrote:
> > Resending this one, as it seems to have dropped off your radar. Still
> > applies to refpolicy-head.
> 
> I'm wrestling with the naming.  Policyd, while it's the name of the
> server, seems far too generic.  It seems like postfix_policyd would be
> better.

Here's an updated patch against HEAD with name changed to
postfix_policyd, and r_dir_perms/r_file_perms changed to
list_dir_perms/read_file_perms. 

Re: Russell's comment "If you make a policy that's generic
	enough for the majority of Postfix policy server modules
	then getting it to also work for Sendmail milters etc
	should not be difficult."

This is not meant as a generic postfix policy policy.. but a
specific policy for the policyd postfix policy daemon :-)

  -jf
diff -ruN refpolicy.head/policy/modules/kernel/corenetwork.te.in refpolicy/policy/modules/kernel/corenetwork.te.in
--- refpolicy.head/policy/modules/kernel/corenetwork.te.in	2007-11-05 11:11:01.000000000 +0100
+++ refpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-05 11:18:53.000000000 +0100
 <at>  <at>  -132,6 +132,7  <at>  <at> 
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)

Eamon Walsh | 5 Nov 2007 21:15

[PATCH] libselinux: introduce enforcing mode override option

Introduces an enforcing mode override option, so the object manager
can bring up the AVC in permissive mode on an enforcing system, or
vice versa.

Signed-off-by: Eamon Walsh <ewalsh@...>
---

 include/selinux/avc.h |   11 ++++++++++-
 src/avc.c             |   29 ++++++++++++++++++++---------
 src/avc_internal.c    |    7 +++++--
 src/avc_internal.h    |    1 +
 4 files changed, 36 insertions(+), 12 deletions(-)

Index: libselinux/include/selinux/avc.h
===================================================================
--- libselinux/include/selinux/avc.h	(revision 2671)
+++ libselinux/include/selinux/avc.h	(working copy)
 <at>  <at>  -157,6 +157,15  <at>  <at> 
 };

 /*
+ * Available options
+ */
+
+/* no-op option, useful for unused slots in an array of options */
+#define AVC_OPT_UNUSED		0
+/* override kernel enforcing mode (boolean value) */
+#define AVC_OPT_SETENFORCE	1
+
+/*
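Review bot: the comment on AVC_OPT_SETENFORCE, "override kernel enforcing mode (boolean value)", reads as if the option changes the kernel's mode, whereas the cover text says it only lets this object manager's AVC run permissive on an enforcing system (or vice versa); suggest wording it as "override the kernel enforcing mode for this userspace AVC instance only" and stating the value type avc_open() expects (an int, zero or non-zero). Since a permissive override means the object manager will allow accesses the loaded policy denies, it is also worth noting in the header that the caller should treat it as an explicit, privileged configuration choice rather than a default.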

Dean Anderson | 5 Nov 2007 22:28

Re: Decoder for log messages???

On Wed, 31 Oct 2007, Stephen Smalley wrote:
> 
> Not a full pathname, no.
> 
> We don't have enough information at the point where we do our permission
> checks to reconstruct a pathname, 

?? These checks are in open or exec. The full pathname should be 
available.

> and such a pathname will always be process-local and not guaranteed to
> be meaningful, stable, or the actual path by which the file was
> accessed.  

?? The filesystem is not process local, except perhaps /proc

> The theory was that the audit subsystem would solve that problem for
> us, and this was true for a period of time until it was "optimized" to
> only collect that information if at least one syscall audit filter was
> put into place.  So to get PATH records, you have to put at least a
> dummy audit filter into place, ala:
> 	/sbin/auditctl -a exit,always -S chroot 
> or put the following at the end of /etc/audit/audit.rules to have it
> take effect always when auditd is started: -a exit,always -S chroot

You can't get out what you don't put in.

		--Dean

> > Can you decode it in 6 months with only a filesystem dump? Because by
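The correlation Stephen describes, as an added example that is not part of the thread: a small decoder that groups audit records by their audit(timestamp:serial) key and attaches the PATH record's name to the AVC denial from the same event. The sample records are constructed; the second event deliberately has no PATH record, which is what the log looks like when no syscall audit rule (such as the dummy chroot rule above) is loaded.

```python
import os
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Event 456 was logged with a syscall
# audit rule in place, so SYSCALL/CWD/PATH records accompany the AVC; event 457 had no
# such rule, so the AVC record stands alone and only the last path component is known.
SAMPLE_LOG = """\
type=AVC msg=audit(1194300000.123:456): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev=sda1 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1194300000.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1234 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1194300000.123:456):  cwd="/home/user"
type=PATH msg=audit(1194300000.123:456): item=0 name="../../etc/shadow" inode=12345 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=AVC msg=audit(1194300005.987:457): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev=sda1 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_events(text):
    """Group records by (timestamp, serial); that key is what ties an AVC record
    to the PATH records the kernel emitted for the same syscall."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[(ts, serial)].append((rtype, body, fields))
    return events


def decode_denials(text):
    """One dict per AVC denial, with the full pathname resolved from the matching
    PATH record (relative names joined to the CWD record) or None if there is none."""
    results = []
    for (ts, serial), records in parse_events(text).items():
        cwd = next((f["cwd"] for t, _, f in records if t == "CWD"), "/")
        # PATH items keyed by inode, so the AVC's ino= field selects the right one
        paths = {f.get("inode"): f.get("name") for t, _, f in records if t == "PATH"}
        for rtype, body, f in records:
            if rtype != "AVC":
                continue
            name = paths.get(f.get("ino"))
            path = None if name is None else os.path.normpath(os.path.join(cwd, name))
            results.append({"serial": serial, "perm": PERM_RE.search(body).group(1),
                            "comm": f.get("comm"), "name": f.get("name"),
                            "tcontext": f.get("tcontext"), "path": path})
    return results
```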

Paul Moore | 5 Nov 2007 22:43

[RFC PATCH v5 0/8] Updated labeled networking patches

An update on the labeled networking patches I'm targeting for 2.6.25.  This
latest spin rebases against Linus' latest and adds in the foundation for the
fallback/static label patches that were posted earlier.  The actual fallback
and flow control patches are still not included in this patch set but all of
the foundation pieces should now be in place.

Just a word of caution, while these all compile without problems I'm
currently having a problem getting the "make modules_install" step to work
correctly so I haven't had a chance to test these patches yet.

For those of you using git, you can find these patches here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

--

-- 
paul moore
linux security @ hp

Paul Moore | 5 Nov 2007 22:43

[RFC PATCH v5 2/8] SELinux: add secctx_to_secid() LSM hook

Add a secctx_to_secid() LSM hook to go along with the existing
secid_to_secctx() LSM hook.  This patch also includes a SELinux implementation
for this hook.
---

 include/linux/security.h |   13 +++++++++++++
 security/dummy.c         |    6 ++++++
 security/security.c      |    8 ++++++++
 security/selinux/hooks.c |    6 ++++++
 4 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ac05083..db19c92 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
 <at>  <at>  -1183,6 +1183,10  <at>  <at>  struct request_sock;
  *	Convert secid to security context.
  *	 <at> secid contains the security ID.
  *	 <at> secdata contains the pointer that stores the converted security context.
+ *  <at> secctx_to_secid:
+ *      Convert security context to secid.
+ *       <at> secid contains the pointer to the generated security ID.
+ *       <at> secdata contains the security context.
  *
  *  <at> release_secctx:
  *	Release the security context.
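Review bot: the kernel-doc entry for secctx_to_secid documents @secid and @secdata but no length, while the secid_to_secctx entry it mirrors passes seclen; either state that @secdata must be a nul-terminated string or add a length parameter to the doc (and the hook) so callers handing over a non-terminated buffer are not misparsed. Also, the four added lines indent with spaces after " *" where the surrounding block uses a tab; match the existing style.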
 <at>  <at>  -1371,6 +1375,7  <at>  <at>  struct security_operations {
  	int (*getprocattr)(struct task_struct *p, char *name, char **value);
  	int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
 	int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);

Paul Moore | 5 Nov 2007 22:43

[RFC PATCH v5 4/8] SELinux: Add a capabilities bitmap to SELinux policy version 22

Add a new policy capabilities bitmap to SELinux policy version 22.  This bitmap
will enable the security server to query the policy to determine which features
it supports.
---

 security/selinux/Kconfig            |    2 -
 security/selinux/include/security.h |   15 ++++++
 security/selinux/selinuxfs.c        |   89 +++++++++++++++++++++++++++++++++--
 security/selinux/ss/policydb.c      |   18 +++++++
 security/selinux/ss/policydb.h      |    2 +
 security/selinux/ss/services.c      |   67 ++++++++++++++++++++++++++
 6 files changed, 185 insertions(+), 8 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b32a459..2b517d6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
 <at>  <at>  -145,7 +145,7  <at>  <at>  config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 	int "NSA SELinux maximum supported policy format version value"
 	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
-	range 15 21
+	range 15 22
 	default 19
 	help
 	  This option sets the value for the maximum policy format version
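Review bot: the range ceiling is raised from 21 to 22 while the default stays at 19; the help text that follows "This option sets the value for the maximum policy format version" should say what version 22 adds (the policy capabilities bitmap this series introduces), so that an administrator raising the maximum knows which feature the new version enables and why leaving the default excludes it.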
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 39337af..4d3c0d3 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h

