James Morris | 1 Mar 2009 23:23

Re: [PATCH] selinux: Fix a panic in selinux_netlbl_inode_permission()

On Fri, 27 Feb 2009, Paul Moore wrote:

> Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()
> caused by a certain sequence of SUNRPC operations.  The problem appears to be
> due to the lack of NULL pointer checking in the function; this patch adds the
> pointer checks so the function will exit safely in the cases where the socket
> is not completely initialized.

From which kernel does this happen?  Does it happen for the standard 
configuration when SELinux is enabled?

> 
> Signed-off-by: Paul Moore <paul.moore@...>
> ---
> 
>  security/selinux/netlabel.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
> index 3f4b266..350794a 100644
> --- a/security/selinux/netlabel.c
> +++ b/security/selinux/netlabel.c
>  <at>  <at>  -386,11 +386,12  <at>  <at>  int selinux_netlbl_inode_permission(struct inode *inode, int mask)
>  	if (!S_ISSOCK(inode->i_mode) ||
>  	    ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
>  		return 0;
> -
>  	sock = SOCKET_I(inode);
>  	sk = sock->sk;
> +	if (sk == NULL)
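Review bot: the `if (sk == NULL)` guard is cut off before its body, so the hunk does not show what the function returns when the socket is not yet fully initialized; the chosen return (permit, because there is no labeled socket to check yet, versus deny) and the reason for it belong in the commit message. The description also speaks of pointer checks in the plural while only the sk test is visible: `sock = SOCKET_I(inode)` is a container_of on the inode and cannot yield NULL, so a single check on sk is the right scope and the message could say so.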
(Continue reading)

Christopher J. PeBenito | 2 Mar 2009 16:39

Re: [refpolicy] [PATCH v2] refpolicy: Add missing network related MLS constraints

On Fri, 2009-02-20 at 17:02 -0500, Paul Moore wrote:
> plain text document attachment (netpeer-constraints)
> Add MLS constraints for several network related access controls including
> the new ingress/egress controls and the older Secmark controls.  Based on
> the following post to the SELinux Reference Policy mailing list:
> 
>  * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html

Merged.

> Signed-off-by: Paul Moore <paul.moore@...>
> 
> ---
>  policy/mls                   |   45 +++++++++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/mls.if |   42 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/kernel/mls.te |    2 +
>  3 files changed, 89 insertions(+)
> 
> Index: refpolicy_svn_repo/policy/mls
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/mls
> +++ refpolicy_svn_repo/policy/mls
>  <at>  <at>  -295,8 +295,53  <at>  <at>  mlsconstrain { netif node } { tcp_send u
>  # these access vectors have no MLS restrictions
>  # node enforce_dest
>  
> +#
> +# MLS policy for the network ingress/egress controls
> +#
> +
(Continue reading)

Paul Moore | 2 Mar 2009 17:08

Re: [PATCH] selinux: Fix a panic in selinux_netlbl_inode_permission()

On Sunday 01 March 2009 05:23:00 pm James Morris wrote:
> On Fri, 27 Feb 2009, Paul Moore wrote:
> > Rick McNeal from LSI identified a panic in
> > selinux_netlbl_inode_permission() caused by a certain sequence of SUNRPC
> > operations.  The problem appears to be due to the lack of NULL pointer
> > checking in the function; this patch adds the pointer checks so the
> > function will exit safely in the cases where the socket is not completely
> > initialized.
>
> From which kernel does this happen?

I suspect it started back when NetLabel was included in 2.6.19, but I need 
to check everything ... I'm working on that now.

> Does it happen for the standard configuration when SELinux is enabled?

I believe so, but Rick is the expert here; I'll defer you to his email.

> > Signed-off-by: Paul Moore <paul.moore@...>
> > ---
> >
> >  security/selinux/netlabel.c |    5 +++--
> >  1 files changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
> > index 3f4b266..350794a 100644
> > --- a/security/selinux/netlabel.c
> > +++ b/security/selinux/netlabel.c
> >  <at>  <at>  -386,11 +386,12  <at>  <at>  int selinux_netlbl_inode_permission(struct inode
> > *inode, int mask) if (!S_ISSOCK(inode->i_mode) ||
(Continue reading)

Eric Paris | 2 Mar 2009 21:24

Re: [RFC] X+SELinux performance work

On Fri, 2009-02-27 at 16:04 -0500, Eamon Walsh wrote:
> Eric Paris wrote:
> > First thing I did to try to help was to implement creation caching in the AVC:
> > http://people.redhat.com/~eparis/xorg-selinux/libselinux-create-cache.patch

> First glance looks good.

Ok, I've got a slightly cleaned up version I'll submit in a bit.

> > Next thing to try was to stop regularly calling recv on the netlink
> > socket to find policy update information. 

> Well, I don't see a reasonable alternative -- the netlink check is
> required to catch policy reloads, and a separate thread is the only way
> to take the recv() call out of the main code path.

> - - Form an expedition and venture deep down into the far recesses of
> the X server, delving into the OS layer, maybe even Xtrans, and find the
> select() call at the very core, and destroy it, freeing us...I mean, add
> the netlink socket to it, which may require new interfaces to send the
> fd all the way down there and then bubble the notification all the way
> back up or call a callback or whatever.

Turns out ajax is a one man expeditionary force.  I think we'll see
patches on this front soon.

> > Last thing was that translating from raw to whatever looked to be taking
> > up tons of syscalls

> Yeah this makes sense, it should all be raw, no reason to be calling
(Continue reading)

Eric Paris | 2 Mar 2009 22:24

[PATCH] libselinux: cache avc_compute_create results in the avc

In one benchmark the X server was found to be extremely slow creating
windows with selinux running.  Part of the reason for this was because
libselinux called into the kernel /selinux/create interface for every
object.  This patch caches the results of /selinux/create in the
userspace avc to significantly increase the speed of these types of
operations.

Signed-off-by: Eric Paris <eparis@...>

---

diff -up libselinux-2.0.77/include/selinux/avc.h.pre.create.cache libselinux-2.0.77/include/selinux/avc.h
--- libselinux-2.0.77/include/selinux/avc.h.pre.create.cache	2009-01-27 14:47:32.000000000 -0500
+++ libselinux-2.0.77/include/selinux/avc.h	2009-03-02 14:52:40.859167987 -0500
 <at>  <at>  -353,6 +353,7  <at>  <at>  int avc_compute_member(security_id_t ssi
 #define AVC_CALLBACK_AUDITALLOW_DISABLE	32
 #define AVC_CALLBACK_AUDITDENY_ENABLE	64
 #define AVC_CALLBACK_AUDITDENY_DISABLE	128
+#define AVC_CALLBACK_ADD_CREATE		256

 /**
  * avc_add_callback - Register a callback for security events.
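Review bot: AVC_CALLBACK_ADD_CREATE is a new public callback event with no accompanying documentation; the avc_add_callback comment that begins right after it should state when the event fires (a new create SID being cached, per the commit message) and what the callback's arguments carry, since a caller registering for it has no other way to learn that.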
diff -up libselinux-2.0.77/src/avc.c.pre.create.cache libselinux-2.0.77/src/avc.c
--- libselinux-2.0.77/src/avc.c.pre.create.cache	2009-01-27 14:47:32.000000000 -0500
+++ libselinux-2.0.77/src/avc.c	2009-03-02 15:57:54.764288907 -0500
 <at>  <at>  -20,6 +20,8  <at>  <at>  struct avc_entry {
 	security_id_t tsid;
 	security_class_t tclass;
 	struct av_decision avd;
+	security_id_t	create_sid;
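Review bot: create_sid in struct avc_entry is a second policy-derived value beside avd, so the part of the patch past this cut needs to reset it wherever avd is reset (policy reload, entry reuse) and to use a sentinel that distinguishes "not yet computed" from a real SID; a stale cached create SID would otherwise label new objects under the previous policy. Worth stating in the commit message how the cache is invalidated.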
(Continue reading)

Eric Paris | 3 Mar 2009 00:34

[PATCH] Xorg: always use raw contexts in the xserver

This patch changes all places in the X code to use _raw functions.  The
X server should never see, translate, or deal with a munged context.
Display managers which show contexts to the user should take care of
translating these to human readable form.

---

 Xext/xselinux.c |   64 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff -up xorg-server-1.6.0/Xext/xselinux.c.pre.raw xorg-server-1.6.0/Xext/xselinux.c
--- xorg-server-1.6.0/Xext/xselinux.c.pre.raw	2009-03-02 18:21:49.913042490 -0500
+++ xorg-server-1.6.0/Xext/xselinux.c	2009-03-02 18:22:30.884307930 -0500
 <at>  <at>  -186,19 +186,19  <at>  <at>  SELinuxAtomToSIDLookup(Atom atom, SELinu
     obj->poly = 1;

     /* Look in the mappings of names to contexts */
-    if (selabel_lookup(label_hnd, &ctx, name, map) == 0) {
+    if (selabel_lookup_raw(label_hnd, &ctx, name, map) == 0) {
 	obj->poly = 0;
     } else if (errno != ENOENT) {
 	ErrorF("SELinux: a property label lookup failed!\n");
 	return BadValue;
-    } else if (selabel_lookup(label_hnd, &ctx, name, polymap) < 0) {
+    } else if (selabel_lookup_raw(label_hnd, &ctx, name, polymap) < 0) {
 	ErrorF("SELinux: a property label lookup failed!\n");
 	return BadValue;
     }

     /* Get a SID for context */
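Review bot: both lookups now return raw contexts, so the SID conversion in the "Get a SID for context" step immediately below must be the _raw variant as well, otherwise a raw string is handed to a translating call and the two forms get mixed; the hunk stops just before that line, so it should be confirmed as part of this patch. Minor: the two ErrorF messages are identical, so a failure cannot be attributed to the name map versus the polymap lookup; naming the map in each message would help debugging.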
(Continue reading)

KaiGai Kohei | 3 Mar 2009 04:37

Re: PHP/SELinux: libselinux wrappers

Now it is in the PECL repository:
   http://pecl.php.net/package/selinux
   http://cvs.php.net/viewvc.cgi/pecl/selinux/

The php-pecl-selinux package is under review request:
   https://bugzilla.redhat.com/show_bug.cgi?id=488185

It is necessary for the package to be reviewed as to whether the specfile
correctly follows the Fedora packaging guidelines [1] [2], or not.
I would like folks to help review it.

In addition, the Fedora Project requires all new packages
to be approved by core maintainers called "sponsors" [3].

Could you introduce me to an appropriate person to recommend
the package?

Thanks,

[1] http://fedoraproject.org/wiki/Packaging/Guidelines
[2] http://fedoraproject.org/wiki/Packaging/PHP
[3] https://admin.fedoraproject.org/accounts/group/members/packager/*/sponsor

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> KaiGai Kohei wrote:
>> Joshua Brindle wrote:
>>>> -----Original Message-----
(Continue reading)

Russell Coker | 4 Mar 2009 12:21

Re: gnome and dbus

On Wed, 4 Mar 2009, Russell Coker <russell@...> wrote:
> type=AVC msg=audit(1236164018.240:156): avc:  denied  { execute_no_trans }
> for pid=6554 comm="dbus-daemon"
> path="/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon" dev=hda2 ino=393873
> scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> So what would this gnome-vfs-daemon program be and why would a dbus-daemon
> process be running it?

Also for reference I get the same from the user_r role.

type=AVC msg=audit(1236165516.836:2178): avc:  denied  { execute_no_trans } 
for  pid=8208 comm="dbus-daemon" 
path="/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon" dev=hda2 ino=393873 
scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:lib_t:s0 
tclass=file
type=SYSCALL msg=audit(1236165516.836:2178): arch=40000003 syscall=11 
success=no exit=-13 a0=b9047898 a1=b9045fe0 a2=b9048ef8 a3=b9048c58 items=0 
ppid=8207 pid=8208 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 
fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 
comm="dbus-daemon" exe="/usr/bin/dbus-daemon" 
subj=user_u:user_r:user_dbusd_t:s0 key=(null)

--

-- 
russell@...
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

(Continue reading)

Russell Coker | 4 Mar 2009 12:04

gnome and dbus

type=AVC msg=audit(1236164018.240:156): avc:  denied  { execute_no_trans } for  
pid=6554 comm="dbus-daemon" path="/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon" 
dev=hda2 ino=393873 
scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lib_t:s0 tclass=file

So what would this gnome-vfs-daemon program be and why would a dbus-daemon 
process be running it?

--

-- 
russell@...
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

Russell Coker | 4 Mar 2009 13:09

dbus reading /proc/X/cmdline

Why does the dbus-daemon want to read the cmdline of every process that it 
talks to?  Is it something to allow or dontaudit?  It appears to work without 
allowing it.

type=AVC msg=audit(1236168464.840:83): avc:  denied  { search } for  pid=2757 
comm="dbus-daemon" name="2874" dev=proc ino=12535 
scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1236168464.840:83): avc:  denied  { read } for  pid=2757 
comm="dbus-daemon" name="cmdline" dev=proc ino=12536 
scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1236168464.840:83): arch=40000003 syscall=5 success=yes 
exit=16 a0=b8481fa0 a1=0 a2=b3a a3=b84826c0 items=0 ppid=1 pid=2757 
auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 
fsgid=105 tty=(none) ses=4294967295 comm="dbus-daemon" 
exe="/usr/bin/dbus-daemon" 
subj=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

--

-- 
russell@...
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
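The AVC records in these three posts share one format. The following is an added example, not code from the posts or from audit2allow, that parses such records, unions the denied permissions per source type, target type and object class, and renders the allow or dontaudit rule a policy author would then weigh, which is the choice asked about above. The sample input is constructed from the records quoted in the posts with the mail wrapping undone.

```python
import re

# Constructed sample input: the AVC records quoted in the posts above with the
# mail line-wrapping undone, plus the SYSCALL record that accompanies the last one.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1236164018.240:156): avc:  denied  { execute_no_trans } for  pid=6554 comm="dbus-daemon" path="/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon" dev=hda2 ino=393873 scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1236165516.836:2178): avc:  denied  { execute_no_trans } for  pid=8208 comm="dbus-daemon" path="/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon" dev=hda2 ino=393873 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1236168464.840:83): avc:  denied  { search } for  pid=2757 comm="dbus-daemon" name="2874" dev=proc ino=12535 scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1236168464.840:83): avc:  denied  { read } for  pid=2757 comm="dbus-daemon" name="cmdline" dev=proc ino=12536 scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1236168464.840:83): arch=40000003 syscall=5 success=yes exit=16 a0=b8481fa0 a1=0 a2=b3a a3=b84826c0 items=0 ppid=1 pid=2757 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
"""
# One AVC record: timestamp:serial, verdict, permission set in braces, then key=value fields.
AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
# key=value pairs; values are "quoted" (path, comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type (SYSCALL etc.)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type (index 2) is what a policy rule names.
    return {'serial': int(m.group('serial')), 'verdict': m.group('verdict'),
            'perms': set(m.group('perms').split()), 'comm': fields.get('comm'),
            'target': fields.get('path') or fields.get('name'),
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2], 'tclass': fields['tclass']}

def summarize_denials(audit_text):
    """Union denied permissions per (source type, target type, object class)."""
    summary = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        summary.setdefault(key, set()).update(rec['perms'])
    return summary

def as_rules(summary, verb='allow'):
    """Render as policy rules; verb='dontaudit' silences a denial instead of permitting it."""
    return sorted(f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in summary.items())

if __name__ == '__main__':
    print('\n'.join(as_rules(summarize_denials(SAMPLE_AUDIT))))
```

Whether a grouped denial becomes an allow or a dontaudit is still a judgement call (the execute_no_trans on lib_t above is the kind worth understanding before permitting); the summary only makes that decision visible per type pair.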
