Revive Steve Grubb's patch for libselinux lazy init and extend it to
address not only the reading of /etc/selinux/config but also probing
for /selinux/class and reading of /selinux/mls. This should reduce the
need for dontaudit rules for programs that link with libselinux and it
should reduce unnecessary overhead.
I did not convert init_selinuxmnt over to lazy init since the functions
that use selinux_mnt are not localized, and it only requires stat'ing
of /selinux in the common case.
I couldn't see a valid reason why we needed fini_obj_class_compat(), as
the existence of /selinux/class will only change across a reboot with
different kernel versions. fini_context_translations() already had a
comment saying that it was unnecessary as well.
Before:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
After:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Patch for semodule command
semodule -B
Will now turn on dontaudit rules
semodule -DB
Will turn off dontaudit rules.
With other patch all other semanage commands will maintain state.
Created by Dan Walsh
Signed-off-by: Christopher Pardy <cpardy@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently any changes made to the policy which require committing a handle cause dontaudit rules to be re-enabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is connected. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created a call to commit will fail.
Signed-off-by: Christopher Pardy <cpardy@redhat.com>
[sds: Removed duplicate from other patch and cleaned up style.]
[sds: Changed uses of semanage_fname to semanage_path.]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch adds the ability to check on the value of the disable_dontaudit flag in the sepol handle. In the past the only way to know the value of this was to directly read the values from the handle. The get function provides a setter-getter symmetry similar to other functions found in libsepol.
Signed-off-by: Christopher Pardy <cpardy@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: This patch add seusers support to SELinux
Date: Mon, 18 May 2009 14:20:30 -0400
The idea here is to break the seusers file up into lots of little
seusers file that can be user specific, also adds the service field to
be used by tools like pam_selinux to choose which is the correct context
to log a user in as.
Patch was added to facilitate IPA handing out SELinux content for
selection of roles at login.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
This is version 5 of the setfiles to fts patch.
The code has been cleaned up to adhere to the CodingStyle guidelines.
I have confirmed that the stat struct that fts returns for a symlink when using
the FTS_PHYSICAL flag is in fact the stat struct for the symlink, not the file
it points to (st_size is 8 bytes).
Instead of using fts_path for getfilecon/setfilecon it now uses fts_accpath,
which should be more efficient since fts walks the file hierarchy for us.
FreeBSD setfsmac uses fts in a similar way to how this patch does and one
thing that I took from it was to pass the FTSENT pointer around instead of
the names, because although fts_accpath is more efficient for get/setfilecon,
it is less helpful in verbose output (fts_path will give the entire path).
Here is the output from running restorecon on /
(nftw version)
restorecon -Rv / 2>/dev/null
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
(new version)
./restorecon -Rv / 2>/dev/null
./restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
Here are some benchmarks each was run twice from a fresh
boot in single user mode (shown are the second runs).
(nftw version)
restorecon -Rv /usr
real 1m56.392s
user 1m49.559s
sys 0m6.012s
(new version)
./restorecon -Rv /usr
real 1m55.102s
user 1m50.427s
sys 0m4.656s
So not much of a change, though some work has been pushed from kernel space
to user space.
It turns out setting the FTS_XDEV flag tells fts not to descend into
directories with different device numbers, but fts will still give back the
actual directory. I think nftw would completely avoid the directories as well
as their contents.
This patch fixed this issue by saving the device number of the directory
that was passed to setfiles and then skipping all action on any directories
with a different device number when the FTS_XDEV flag is set.
Also removed some code that removed beginning and trailing slashes
from paths, since fts seems to handle it.
Signed-off-by: Thomas Liu <tliu@redhat.com>
[sds: Moved local variable declarations to beginning of process_one.]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> Okay, here we go:
>
> I unmounted /selinux and then got this:
> load_policy: Can't load policy: Invalid argument
>
> I attached my kernel-config and the two traces (trace1 for the "Device or
> resource busy"-error, trace2 for the "Invalid argument"-error).
Possible patch for libselinux to a) gracefully handle the situation
where selinuxfs is already mounted, b) report errors when switching to
permissive, and c) proceed with the policy load even if we cannot switch
to permissive mode as requested, as proceeding without a policy when the
kernel only supports enforcing mode is not desirable.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Al was complaining that he has selinux disabled and has 100,000+ mounts
in /proc/mounts. Every time he runs ls the thing takes 5 seconds
because the libselinux constructor runs the entirety of his /proc/mounts
looking for selinuxfs, which doesn't exist. Speed things up by first
checking for selinuxfs in /proc/filesystems, only if the fs is even
registered should we bother to run all of /proc/mounts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Email: dwalsh@redhat.com
Subject: chcat fixes
Date: Thu, 21 May 2009 08:13:26 -0400
On 05/20/2009 04:05 PM, Chad Sellers wrote:
> On 5/20/09 3:00 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote:
>
>> Expansion of categores is still broken. Here is a patch to fix.
>>
> This message appears to be missing a patch.
>
> Thanks,
> Chad
>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: setfiles will only put out a "*" if > 1000 files are fixed.
Date: Wed, 20 May 2009 13:08:14 -0400
setfiles was always putting out a \n, even when not many files were
being fixed. yum transactions were being desturbed by this.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add btrfs to fixfiles.
Date: Wed, 20 May 2009 15:02:33 -0400
Hopefully the last time we will ever need to update. Once patch gets
out with kernel support to tell me which file systems support xattr, we
can remove this hack.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: tmraz@redhat.com
Subject: Problems with freeing thread local storage in libselinux
Date: Wed, 06 May 2009 12:38:35 +0200
On Wed, 2009-05-06 at 01:32 -0500, Manoj Srivastava wrote:
> Hi folks,
>
> There have been numerous reports in Debian and derivatives of
> programs linked with libselinux intermittently getting segfaults.
> There is, for instance, the Debian report 505920[0], and Ubuntu
> reports[1], [3] and [5], and Gnome [2]. I have not been able to
> reproduce the error myself, though I have run the test cases a number
> of times.
>
> The common thread in unclutter, libavg, gst-inspect et al. is a
> segmentation fault in libselinux1, in the 'fini' destructor functions,
> referencing the thread local variables.
>
> The Ubuntu bug log reference my old patch for libselinux from
> 1.X days, where I replaced the thread local storage with regular
> variables and mutexes, and people report success with that. I suspect
> that something is corrupting the thread local storage. From the ubuntu
> report:
> --8<---------------cut here---------------start------------->8---
> Valgrind reports:
> =29183== Invalid read of size 8
> ==29183== at 0xE29B9DD: fini_context_translations (setrans_client.c:211)
> ==29183== by 0xE28F1F1: (within /lib/libselinux.so.1)
> ==29183== by 0xE29D040: (within /lib/libselinux.so.1)
> ==29183== by 0x570010F: exit (exit.c:75)
> 505920==29183== by 0x56E91CA: (below main) (libc-start.c:252)
> ==29183== Address 0x80 is not stack'd, malloc'd or (recently) free'd
> ==29183==
> ==29183== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==29183== Access not within mapped region at address 0x80
> ==29183== at 0xE29B9DD: fini_context_translations (setrans_client.c:211)
> ==29183== by 0xE28F1F1: (within /lib/libselinux.so.1)
> ==29183== by 0xE29D040: (within /lib/libselinux.so.1)==29183== by 0x570010F: exit (exit.c:75)
> ==29183== by 0x56E91CA: (below main) (libc-start.c:252)
>
>
> (gdb) bt
> #0 0x00007f3ae812a9dd in fini_context_translations () at setrans_client.c:211
> #1 0x00007f3ae811e1f2 in __do_global_dtors_aux () from /lib/libselinux.so.1
> #2 0x00007ffff9097700 in ?? ()
> #3 0x00007f3ae812c041 in _fini () from /lib/libselinux.so.1
> #4 0x00007ffff9097700 in ?? ()
> #5 0x00007f3af0e88796 in _dl_fini () from /lib64/ld-linux-x86-64.so.2
> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
> --8<---------------cut here---------------end--------------->8---
>
> There have been two sets of patches proposed for this; first one
> merely initializes the variables in the init function, and this works
> for a number of people, but at least one person has reported a second
> segfault even with the patch installed[6]
>
> The second patch below converts a thread local cache to a
> process wide cache, with mutex guards, which makes the cache slower,
> and non-thread local caches means that cache misses are more likely.
>
> I'll try and follow up with people who can reproduce the
> problems to see if either one of the patches solve their problems
> without triggering other segmentation faults, but I'd appreciate
> comments if anyone has insight into the issue.
The problem is with freeing storage referenced by TLS variables in
destructors. The destructor is called only in one of the threads and the
variables might not be even properly initialized in that thread. One
possibility is to not free the storage at all but that will leak memory
if the libselinux is loaded/unloaded multiple times in a process.
The only proper way is to use TSD (pthread_key_create,
pthread_setspecific etc.) to store the pointers to the cached contexts.
The attached patch implements this. I did not test it thoroughly though.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: SELinux context patch
Date: Mon, 18 May 2009 14:16:12 -0400
This patch adds context files for virtual_domain and virtual_image,
these are both being used to locat the default context to be executed by
svirt.
I also included the subs patch which I submitted before. This patch
allows us to substitute prefixes to matchpathcon.
So we can say /export/home == /home
and
/web == /var/www
Author: Chad Sellers
Email: csellers@tresys.com
Flipped free()'s in original patch when strdup'd fail to proper order.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch adds a SWIG specification file for ruby bindings for libsemanage.
The spec file is almost identical to the python SWIG file with the exception
that all list generating typemaps have been removed and the python related
functions have been replaced with the corresponding ruby ones. Finally the
Makefile is modified to be able to build the new bindings. Something to note is
that on 64-bit systems ruby.h might be found somewhere under /usr/lib64 instead
of /usr/lib so LIBDIR=/usr/lib64 will be needed to build the ruby bindings from
source.
Below is an example using the ruby bindings and produces the similar output
to semodule -l
#!/usr/bin/ruby
require "semanage"
handle = Semanage.semanage_handle_create
Semanage.semanage_select_store(handle, "targeted", Semanage::SEMANAGE_CON_DIRECT)
Semanage.semanage_connect(handle)
module_info = Semanage.semanage_module_list(handle)
modules = Array.new()
module_info[2].times do |n|
temp_module = Semanage.semanage_module_list_nth(module_info[1], n)
mod_string = Semanage.semanage_module_get_name(temp_module).to_s + " " \
+ Semanage.semanage_module_get_version(temp_module).to_s
modules.push(mod_string)
end
puts "List of Installed Modules"
modules.each do |str|
puts str
end
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: Patch to getdefaultcon to print just the correct match and add verbose option
Date: Wed, 04 Mar 2009 15:41:37 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I really want to rename this to selinuxdefaultcon, which is what we ship
in Fedora.
Also exit with proper error on failure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu54AACgkQrlYvE4MpobNoZACdHgQDP2Hp/KDBpGCD7G08HjOX
p68An25Uu83SlOqjKyy9EG8ZgdIcuTCB
=L6UU
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: We have moved matchpathcon to /sbin from /usr/sbin
Date: Wed, 01 Apr 2009 10:21:53 -0400
Some init scripts wanted to use matchpathcon before /usr is mounted.
Author: Chad Sellers
Email: csellers@tresys.com
Added matchpathcon to clean target
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400
Multiple patches to policycoreutils.
First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorcond
<snipdue to previously ack'd patch>
Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux
---
Also have fixfiles operate recursively when in RPM mode, per:
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400
If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory
Signed-off-by: Chad Sellers <csellers@tresys.com>
Commit b3b3f8186e attempted to fix a bug,
but didn't. The following patch should do it.
Marshall Miller
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Help with python seobject.loginRecords
Date: Thu, 12 Mar 2009 09:29:17 -0400
On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue. firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly. For example, in
> add(), you do:
> self.begin()
> self.__add(name, sename, serange)
> self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
> def begin(self):
> if self.transaction:
> return
> rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Patch matchpathcon to eliminate file "/"
Date: Wed, 04 Mar 2009 15:39:31 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So
matchpathcon /etc/
Will work the same as
matchpathcon /etc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu5wMACgkQrlYvE4MpobNK4gCgiVeXXEZcCMsJKXM7jqh6r1u3
OScAoLcmXBIR63gpvA8RS3g07pcPC6IF
=e+Re
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
interface something like: int security_deny_unknown(void);
This interface can suggest applications preferable behavior when
string_to_security_class() or string_to_av_perm() returns invalid
value which means the security policy does not define required
ones.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
messages via netlink socket from SELinux.
* Two new callbacks were added to selinux_set_callback(3)
- SELINUX_CB_SETENFORCE
is invoked when it got SELNL_MSG_SETENFORCE message in the
avc_netlink_process().
- SELINUX_CB_POLICYLOAD
is invoked when it got SELNL_MSG_POLICYLOAD message in the
avc_netlink_process().
* Three functions were exposed to applications.
- int avc_netlink_open(int blocking);
- void avc_netlink_loop(void);
- void avc_netlink_close(void);
Due to a few reasons, SE-PostgreSQL implements its own userspace
avc, so it needs to copy and paste some of avc_internal.c.
This update enables to share common part from such kind of application.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Email: method@manicmethod.com
Subject: libsepol: fix boolean state smashing
Date: Wed, 18 Mar 2009 10:47:34 -0400
If a boolean is encountered in a require block before the place where it is
declared it currently gets created with the state set to false no matter what
the declared state was. This only affects booleans in modules where the boolean
was also required in another module. Patch below:
Signed-off-by: Joshua Brindle <method@manicmethod.com>
