Russell Coker | 1 Sep 2011 02:21

policycoreutils man pages patch

The attached patch documents semanage -i, the -p option for setfiles and 
restorecon, the -0 option for restorecon, and the fact that setfiles and 
restorecon are the same program.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
Attachment (policycoreutils-man.diff): text/x-patch, 3183 bytes
Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 5/8] Permanently discard disabled branches of tunables in expansion.

For a cond_node_t in one decl->cond_list queue, append its
avtrue_list or avfalse_list to the avrules list of its home decl
depending on its state value, so that these effective rules would
be permanently added to te_avtab hashtab.

On the other hand, the rules on the disabled unused list won't be
expanded and written to the raw policy at all.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/src/expand.c |   98 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 98 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 06f11f4..be41243 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
 <at>  <at>  -2665,6 +2665,94  <at>  <at>  int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 	return copy_and_expand_avrule_block(&state);
 }

+static void discard_tunables(policydb_t *pol)
+{
+	avrule_block_t *block;
+	avrule_decl_t *decl;
+	cond_node_t *cur_node;
+	cond_expr_t *cur_expr;
+	int cur_state;
+	avrule_t *tail, *to_be_appended;
+
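Review bot: discard_tunables() is declared `static void discard_tunables(policydb_t *pol)` with no sepol_handle_t and no return value, so it can neither report a problem through ERR() nor make expand_module_avrules() fail when a tunable's lists turn out to be malformed; patch 8/8 of this same series has to change the signature to `static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)`, so take the handle here from the start and consider returning int so the caller can propagate an error. The declarations `avrule_t *tail, *to_be_appended;` suggest a manual tail walk over decl->avrules for every tunable; a comment stating that the avtrue_list/avfalse_list nodes are moved rather than copied would make ownership of those lists clear to the next reader.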
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 1/8] Indicate when boolean is indeed a tunable.

Add flags to cond_bool_datum_t and cond_node_t structures to differentiate
the tunables' identifiers and conditionals from those of booleans.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/include/sepol/policydb/conditional.h |    6 ++++--
 libsepol/include/sepol/policydb/policydb.h    |    5 ++++-
 libsepol/src/policydb.c                       |   14 ++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/libsepol/include/sepol/policydb/conditional.h b/libsepol/include/sepol/policydb/conditional.h
index a8ed694..48ec106 100644
--- a/libsepol/include/sepol/policydb/conditional.h
+++ b/libsepol/include/sepol/policydb/conditional.h
 <at>  <at>  -77,15 +77,17  <at>  <at>  typedef struct cond_node {
 	/* these true/false lists point into te_avtab when that is used */
 	cond_av_list_t *true_list;
 	cond_av_list_t *false_list;
-	/* and these are using during parsing and for modules */
+	/* and these are used during parsing and for modules */
 	avrule_t *avtrue_list;
 	avrule_t *avfalse_list;
 	/* these fields are not written to binary policy */
 	unsigned int nbools;
 	uint32_t bool_ids[COND_MAX_BOOLS];
 	uint32_t expr_pre_comp;
-	/*                                               */
 	struct cond_node *next;
+	/* a tunable conditional, calculated and used at expansion */
+#define	COND_NODE_FLAGS_TUNABLE	0x01
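Review bot: `#define COND_NODE_FLAGS_TUNABLE 0x01` is placed inside the struct cond_node body, between the `next` member and the (cut off) flags field; flag values for a struct member are conventionally defined next to the typedef, outside the struct, and the tab after `#define` is inconsistent with the rest of the header. Also, the comment `/* these fields are not written to binary policy */` above nbools now sits above a field that patch 3/8 does write for modules at or above MOD_POLICYDB_VERSION_TUNABLE_SEP, so either move the new field above that comment or reword it. The "using" to "used" fix in the existing comment is fine but unrelated and would be easier to review as a separate cleanup.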
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 8/8] Preserve tunables when required by semodule program.

If the "-P/--preserve_tunables" option is set for the semodule program,
the preserve_tunables flag in sepol_handle_t would be set, then all tunables
would be treated as booleans by having their TUNABLE flag bit cleared,
resulting in all tunable if-else conditionals being preserved in the raw policy.

Note, such an option would invalidate the logic to double-check whether tunables
ever mix with booleans in one expression, so skip the call to assert()
when this option is passed.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/src/expand.c |   36 ++++++++++++++++++++++++------------
 1 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index d5f10a6..d67b84c 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
 <at>  <at>  -2678,25 +2678,29  <at>  <at>  int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 	return copy_and_expand_avrule_block(&state);
 }

-static void discard_tunables(policydb_t *pol)
+static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
 {
 	avrule_block_t *block;
 	avrule_decl_t *decl;
 	cond_node_t *cur_node;
 	cond_expr_t *cur_expr;
-	int cur_state;
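Review bot: the signature now takes sepol_handle_t but the function still returns void, so the handle only buys sh->preserve_tunables and diagnostics; if the function can detect an inconsistent tunable (the commit message says the assert() is skipped under -P), consider returning int and reporting through ERR() instead of asserting at all, since an assert inside the library aborts semodule. Removing `int cur_state` while the rest of the hunk is cut off suggests the state lookup moved; make sure every call site of discard_tunables() now passes the handle, as the old one-argument form no longer compiles.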
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 4/8] Copy and check the cond_bool_datum_t.flags during link.

Copy the TUNABLE flag for cond_bool_datum_t during link, and check
if there is a mismatch between boolean/tunable declaration and
usage among modules. If this is the case, bail out with errors.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/src/link.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 421c47b..ee9675b 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
 <at>  <at>  -587,7 +587,18  <at>  <at>  static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		}
 		state->base->p_bools.nprim++;
 		base_bool = new_bool;
-
+		base_bool->flags = booldatum->flags;
+	} else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) !=
+		   (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) {
+			/* A mismatch between boolean/tunable declaration
+			 * and usage(for example a boolean used in the
+			 * tunable_policy() or vice versa).
+			 *
+			 * This is not allowed and bail out with errors */
+			ERR(state->handle,
+			    "%s: Mismatch between boolean/tunable definition "
+			    "and usage for %s", state->cur_mod_name, id);
+			return -1;
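Review bot: the body of the `else if` branch is indented one level deeper than the enclosing block (the comment and ERR() sit three tabs in under `} else if (...) {`); drop the extra tab. Comparing only the COND_BOOL_FLAGS_TUNABLE bit is right, but `base_bool->flags = booldatum->flags;` in the new-bool branch copies every flag bit, so any future flag is silently taken from whichever module is linked first; either copy just the TUNABLE bit or document that flags other than TUNABLE are not merged. The error message could also name the module that first defined the identifier, not only state->cur_mod_name, to make the mismatch easier to locate.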
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

v2 Discard unused tunables from raw policy


Special Notes
---------------
1. So far the latest master toolchain seems to have a segfault problem related
   to the commit "libsemanage: patch for MCS/MLS in user files", which
   goes away if we revert that commit or specify
   "disable-genhomedircon = true" in semanage.conf.

Differences from v1
--------------------

The v2 patchset provides just two minor changes from v1:

1. 0008-Preserve-tunables-when-required-by-semodule-program.patch
   Extract the code that makes use of the sh->preserve_tunables flag in discard_tunable()
   from the 0007 patch in v1, and present it in this separate 0008 patch;

2. 0007-Create-a-new-preserve_tunables-flag-in-sepol_handle_.patch
   Fix an obvious error that mistakenly set the sh->preserve_tunables flag in
   semanage_direct_connect(); it should be set solely according to the options
   passed to the semodule program.

   Then the preserve_tunables flag file in the module store can be properly
   removed if no "-P/--preserve_tunables" option is used for semodule.
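
The behaviour this series describes, as an added illustration that is not part of the patches or of libsepol: a toy C model of a decl with a cond_list, where discard_tunables() moves the effective branch of each tunable conditional into the decl's unconditional rules and drops the other branch (5/8), leaves ordinary booleans as runtime conditionals, and under a preserve flag treats tunables as booleans by clearing their TUNABLE bit (8/8); it also carries the 4/8 link-time mismatch check. Struct and function names are simplified from the real cond_node_t/avrule_decl_t, and the sample identifiers, their default states and the rule strings are constructed for the example.

```c
/* Added example, not libsepol code: a toy model of tunable discarding. */
#include <stdio.h>
#include <stdlib.h>

#define COND_BOOL_FLAGS_TUNABLE 0x01	/* flag name as introduced in 1/8 */

struct cond_bool { const char *name; int state; unsigned flags; };
struct avrule    { const char *text; struct avrule *next; };
struct cond_node {
	struct cond_bool *cond;		/* simplified: single-identifier expression */
	struct avrule *avtrue_list, *avfalse_list;
	struct cond_node *next;
};
struct decl   { struct avrule *avrules; struct cond_node *cond_list; };
struct counts { size_t rules, conds; };

static struct avrule *rule(const char *text, struct avrule *next)
{
	struct avrule *r = calloc(1, sizeof *r);
	r->text = text;
	r->next = next;
	return r;
}

static struct avrule *append(struct avrule *head, struct avrule *tail)
{
	struct avrule **pp = &head;
	while (*pp)
		pp = &(*pp)->next;
	*pp = tail;
	return head;
}

static void free_rules(struct avrule *l)
{
	while (l) { struct avrule *n = l->next; free(l); l = n; }
}

static size_t count_rules(const struct avrule *l)
{
	size_t n = 0;
	for (; l; l = l->next) n++;
	return n;
}

/* 4/8: the TUNABLE bit of a declaration must match every module that uses
 * the identifier (a boolean used in tunable_policy() is an error). */
int bool_usage_consistent(unsigned declared_flags, unsigned used_flags)
{
	return (declared_flags & COND_BOOL_FLAGS_TUNABLE) ==
	       (used_flags & COND_BOOL_FLAGS_TUNABLE);
}

/* 5/8 and 8/8: move the effective branch of each tunable conditional into the
 * decl's unconditional rules, drop the other branch and the cond_node. With
 * preserve_tunables set, clear the TUNABLE bit instead so the conditional
 * survives into the raw policy like an ordinary boolean. */
void discard_tunables(struct decl *d, int preserve_tunables)
{
	struct cond_node **pp = &d->cond_list;
	while (*pp) {
		struct cond_node *n = *pp;
		if (preserve_tunables)
			n->cond->flags &= ~COND_BOOL_FLAGS_TUNABLE;
		if (!(n->cond->flags & COND_BOOL_FLAGS_TUNABLE)) {
			pp = &n->next;		/* keep: runtime-switchable boolean */
			continue;
		}
		struct avrule *keep = n->cond->state ? n->avtrue_list : n->avfalse_list;
		struct avrule *drop = n->cond->state ? n->avfalse_list : n->avtrue_list;
		d->avrules = append(d->avrules, keep);
		free_rules(drop);		/* never written to the raw policy */
		*pp = n->next;
		free(n);
	}
}

static struct cond_node *make_cond(struct cond_bool *b, const char *t, const char *f)
{
	struct cond_node *n = calloc(1, sizeof *n);
	n->cond = b;
	n->avtrue_list = rule(t, NULL);
	n->avfalse_list = rule(f, NULL);
	return n;
}

/* Constructed sample: one boolean and two tunables with assumed defaults. */
struct counts run_sample(int preserve_tunables)
{
	struct cond_bool bools[] = {
		{ "allow_ftpd_anon_write", 0, 0 },
		{ "use_nfs_home_dirs",     1, COND_BOOL_FLAGS_TUNABLE },
		{ "use_samba_home_dirs",   0, COND_BOOL_FLAGS_TUNABLE },
	};
	struct decl d;
	struct counts c = { 0, 0 };
	struct cond_node *n;

	d.avrules = rule("allow user_t user_home_t:file read", NULL);
	d.cond_list = make_cond(&bools[0], "allow ftpd_t public_content_rw_t:file write",
					   "dontaudit ftpd_t public_content_rw_t:file write");
	d.cond_list->next = make_cond(&bools[1], "allow user_t nfs_t:dir search",
						 "dontaudit user_t nfs_t:dir search");
	d.cond_list->next->next = make_cond(&bools[2], "allow user_t cifs_t:dir search",
						       "dontaudit user_t cifs_t:dir search");

	discard_tunables(&d, preserve_tunables);
	c.rules = count_rules(d.avrules);
	for (n = d.cond_list; n; n = n->next)
		c.conds++;

	free_rules(d.avrules);
	while (d.cond_list) {
		n = d.cond_list;
		d.cond_list = n->next;
		free_rules(n->avtrue_list);
		free_rules(n->avfalse_list);
		free(n);
	}
	return c;
}

int main(void)
{
	struct counts c0 = run_sample(0), c1 = run_sample(1);
	printf("default: %zu unconditional rules, %zu conditionals kept\n", c0.rules, c0.conds);
	printf("with -P: %zu unconditional rules, %zu conditionals kept\n", c1.rules, c1.conds);
	return 0;
}
```

Run as is: without -P the two tunable conditionals collapse into one extra unconditional rule each (the enabled branch of use_nfs_home_dirs, the disabled branch of use_samba_home_dirs) and only the boolean survives as a conditional; with -P all three stay conditional and nothing is added to the unconditional rules.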

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 2/8] Separate tunable from boolean during compile.

Both the boolean and tunable keywords are processed by define_bool_tunable();
argument 0 or 1 would be passed for boolean and tunable respectively.
For a tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional we cannot know whether the
tunable identifier is indeed a tunable (for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion, after all
booleans/tunables have been copied during link.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 checkpolicy/module_compiler.c |   16 +++++++++++++++-
 checkpolicy/module_compiler.h |    1 +
 checkpolicy/policy_define.c   |    4 +++-
 checkpolicy/policy_define.h   |    2 +-
 checkpolicy/policy_parse.y    |    8 +++++++-
 checkpolicy/policy_scan.l     |    2 ++
 libsepol/src/conditional.c    |    1 +
 7 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 1c1d1d5..ffffaf1 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
 <at>  <at>  -1045,7 +1045,7  <at>  <at>  int require_user(int pass)
 	}
 }

-int require_bool(int pass)
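Review bot: only the deleted `int require_bool(int pass)` line is visible here; since require_bool is declared in module_compiler.h and used from policy_parse.y (both changed in the diffstat), the replacement must keep the same pass semantics, and if it takes a boolean/tunable selector it should pass the COND_BOOL_FLAGS_TUNABLE bit from patch 1/8 rather than the bare 0/1 the commit message describes for define_bool_tunable(), so that the require path and the define path store the same flag value.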
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 3/8] Write and read TUNABLE flags in related data structures.

All flags in the cond_bool_datum_t and cond_node_t structures are written
or read for policy modules whose version is no less than
MOD_POLICYDB_VERSION_TUNABLE_SEP.

Note, for cond_node_t the TUNABLE flag bit would be used only at expand;
however, it won't hurt to read/write this field for modules (potentially
for future usage).

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/src/conditional.c |   21 +++++++++++++++++++--
 libsepol/src/write.c       |   18 ++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index efdedb0..d9d4fee 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
 <at>  <at>  -564,8 +564,8  <at>  <at>  static int bool_isvalid(cond_bool_datum_t * b)
 	return 1;
 }

-int cond_read_bool(policydb_t * p
-		   __attribute__ ((unused)), hashtab_t h,
+int cond_read_bool(policydb_t * p,
+		   hashtab_t h,
 		   struct policy_file *fp)
 {
 	char *key = 0;
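Review bot: dropping `__attribute__ ((unused))` from `p` means cond_read_bool() now dereferences the policydb, presumably for its version; that test must also check the policy type, because kernel policies and modules use different version number sequences, so a comparison against MOD_POLICYDB_VERSION_TUNABLE_SEP is only meaningful when p->policy_type != POLICY_KERN (the rest of the hunk is cut off on this page, so this cannot be confirmed here). A flags field read from the file should also be masked against the known flag bits so that an unknown bit in a crafted module is rejected rather than propagated.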
 <at>  <at>  -597,6 +597,15  <at>  <at>  int cond_read_bool(policydb_t * p
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 7/8] Create a new preserve_tunables flag in sepol_handle_t.

By default only the effective branch of a tunable conditional would be
expanded and written to the raw policy, while all needless unused branches
would be discarded.

Add a new option '-P' or "--preserve_tunables" to the semodule program.
By default it is 0; if set to 1 then the above preserve_tunables flag
in the sepol_handle_t would be set to 1 accordingly.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsemanage/include/semanage/handle.h |    6 ++++++
 libsemanage/src/direct_api.c          |   29 ++++++++++++++++++++++++++++-
 libsemanage/src/handle.c              |   13 +++++++++++++
 libsemanage/src/libsemanage.map       |    1 +
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 libsepol/include/sepol/handle.h       |    7 +++++++
 libsepol/src/handle.c                 |   15 +++++++++++++++
 libsepol/src/handle.h                 |    2 +-
 libsepol/src/libsepol.map             |    1 +
 policycoreutils/semodule/semodule.c   |   10 +++++++++-
 11 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index e303713..c746930 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
 <at>  <at>  -129,6 +129,12  <at>  <at>  int semanage_mls_enabled(semanage_handle_t *sh);
 /* Change to alternate selinux root path */
 int semanage_set_root(const char *path);
(Continue reading)

Harry Ciao | 1 Sep 2011 05:29

[v2 PATCH 6/8] Skip tunable identifier and cond_node_t in expansion.

The effective branch of a tunable has been appended to its home
decl->avrules list during link; in expansion we should just skip tunables,
neither expanding their rules into the te_cond_avtab hashtab nor adding
them to the out->cond_list queue.

Signed-off-by: Harry Ciao <qingtao.cao@...>
---
 libsepol/src/expand.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index be41243..d5f10a6 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
 <at>  <at>  -1014,6 +1014,11  <at>  <at>  static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		return 0;
 	}

+	if (bool->flags & COND_BOOL_FLAGS_TUNABLE) {
+		/* Skip tunables */
+		return 0;
+	}
+
 	if (state->verbose)
 		INFO(state->handle, "copying boolean %s", id);

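Review bot: the early `return 0` for COND_BOOL_FLAGS_TUNABLE leaves state->boolmap[bool->s.value - 1] at its initial value, so any cond_expr that still referenced the tunable after this point would map to the wrong boolean; this is only safe because the tunable cond_node_t entries are skipped as well and because patch 8/8 implements -P by clearing the TUNABLE bit before expansion. That ordering (discard_tunables() must run before bool_copy_callback() is applied to the symtab) is an invariant worth stating in the comment instead of the bare `/* Skip tunables */`.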
 <at>  <at>  -1046,6 +1051,7  <at>  <at>  static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	state->boolmap[bool->s.value - 1] = new_bool->s.value;

 	new_bool->state = bool->state;
(Continue reading)

