Commit graph

30 commits

Author SHA1 Message Date
Dan Walsh
ee6901618c libselinux: expose selinux_boolean_sub
Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially used within libsemanage.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 13:15:00 -04:00
Eric Paris
88c3524153 libselinux: boolean name equivalency
Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 13:14:25 -04:00
Dan Walsh
c802d4a6d5 libselinux: Add support for lxc_contexts_path
In order for lxc to look up its process and file labels we add new
libselinux support.  This is what we do for everything else, like
libvirt, seposgresql, etc.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 12:16:09 -04:00
rpcraig
cfc492cf11 libselinux: New Android property labeling backend
This is already in the android repo.  This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.

Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Kohei KaiGai
2b5a0530e7 libselinux: security_compute_create_name(3)
I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects.  Allow
userspace to use the filename_trans rules added to policy.

Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-03-28 14:52:14 -04:00
Daniel P. Berrange
bcdf92aac4 libselinux: Change annotation on include/selinux/avc.h to avoid upsetting SWIG
The earlier patch to avc.c put the struct member annotation at
the end of the line, which works fine for GCC, but upsets SWIG.
Equivalent code in selinux.h demonstrates how to place the
annotation without upsetting SWIG.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Daniel P. Berrange
57928fa1fd libselinux: Add more printf format annotations
The public avc.h file must use a printf annotation in the struct
callback members, otherwise application code will get compiler
warnings that the method should have an annotation set.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:12 -04:00
Daniel P. Berrange
b82b7e02df libselinux: Fix const-correctness
* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take
  a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:12 -04:00
Eric Paris
2b06f47400 libselinux: rename and export symlink_realpath
symlink_realpath is used by both libselinux and policycoreutils.
Instead of coding it twice, export the libselinux version under a new
name that makes it sound more generic.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:11 -04:00
Dan Walsh
9c46a0a315 libselinux: simple interface for access checks
Some programs, like passwd, need to do simeple one time access checks.
Rather than set up a full avc cache and use that infrastructure they
were directly using security_compute_av.  A problem with this approach
is the lack of audit on denials.  This patch creates a new interface
that is simple to use and which will still listen to things like
permissive and output audit messages on denials.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:10 -04:00
Eric Paris
b3b19fdce5 libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist
Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist.  We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux.  Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV.  The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all.  If it doesn't exist, that's equivalent to
ENODEV.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:10 -04:00
Richard Haines
bc1a8e2a4a libselinux: selinux_file_context_verify function returns wrong value.
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.

The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.

I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.

[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:51 -04:00
Daniel J Walsh
20b43b3fd3 This patch adds a new subs_dist file.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The idea is to allow distributions to ship a subs file as well as let
the user modify subs.

In F16 we are looking at shipping a

file_contexts.subs_dist file like this

cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib

The we will remove all (64)?  from policy.

This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6
QT0An0ihA60di9CRsEqEdVbSaHOwtte5
=LXgd
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-08 10:28:02 -04:00
Daniel J Walsh
1629d2f89a This patch cleans up a couple of crashes caused by libselinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.

systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.

The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called.  This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-08 10:22:17 -04:00
KaiGai Kohei
c4737c2e32 add db_language support on label_db.c
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-03-23 08:53:13 -04:00
KaiGai Kohei
bc2a8f418e libselinux: add selinux_status_* interfaces for /selinux/status
The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.

selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.

Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().

It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-01 11:21:19 -05:00
KaiGai Kohei
6a17cfaafc Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: libselinux APIs should take "const" qualifier?
Date: Tue, 23 Mar 2010 11:56:36 +0900

(2010/03/19 22:32), Stephen Smalley wrote:
> On Fri, 2010-03-19 at 16:52 +0900, KaiGai Kohei wrote:
>> Right now, security_context_t is an alias of char *, declared in selinux.h.
>>
>> Various kind of libselinux API takes security_context_t arguments,
>> however, it is inconvenience in several situations.
>>
>> For example, the following query is parsed, then delivered to access
>> control subsystem with the security context as "const char *" cstring.
>>
>>    ALTER TABLE my_tbl SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:SystemHigh';
>>                  const char *<----    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> In this case, we want to call selinux_trans_to_raw_context() to translate
>> the given security context into raw format. But it takes security_context_t
>> argument for the source context, although this pointer is read-only.
>> In the result, compiler raises warnings because we gave "const char *" pointer
>> into functions which take security_context_t (= char *).
>>
>> Any comments?
>>
>> It seems to me the following functions' prototype should be qualified by
>> "const".
>
> That seems reasonable and should have no impact on library ABI.
> On the other hand, others have pointed out that security_context_t is
> not a properly encapsulated data type at all, and perhaps should be
> deprecated and replaced with direct use of char*/const char* throughout.
>
> There are other library API issues as well that have come up in the
> past, such as lack of adequate namespacing (with approaches put forth),
> but we don't ever seem to get a round tuit.

At first, I tried to add const qualifiers read-only security_context_t
pointers, but didn't replace them by char */const char * yet, right now.

BTW, I could find out the following code:

  int security_compute_create(security_context_t scon,
                              security_context_t tcon,
                              security_class_t tclass,
                              security_context_t * newcon)
  {
          int ret;
          security_context_t rscon = scon;
          security_context_t rtcon = tcon;
          security_context_t rnewcon;

          if (selinux_trans_to_raw_context(scon, &rscon))
                  return -1;
          if (selinux_trans_to_raw_context(tcon, &rtcon)) {
                  freecon(rscon);
                  return -1;
          }
      :

In this case, scon and tcon can be qualified by const, and the first
argument of selinux_trans_to_raw_context() can take const pointer.
But it tries to initialize rscon and tscon by const pointer, although
these are used to store raw security contexts.
The selinux_trans_to_raw_context() always set dynamically allocated
text string on the second argument, so we don't need to initialize it
anyway. I also removed these initializations in this patch.

Does the older mcstrans code could return without allocation of raw
format when the given scon is already raw format? I don't know why
these are initialized in this manner.

Thanks.
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 15:21:51 -04:00
Eamon Walsh
70aeeb918a This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:
  ------------------------
  #
  # The specfile for database objects
  # (for SE-PostgreSQL)
  #
  # <object class> <object name> <security context>
  #
  db_database     *               system_u:object_r:sepgsql_db_t:s0

  db_schema       *.pg_catalog    system_u:obejct_r:sepgsql_sys_schema_t:s0
  db_schema       *.*             system_u:object_r:sepgsql_schema_t:s0

  db_table        *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
  db_table        *.*.*           system_u:object_r:sepgsql_table_t:s0
  ------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first match security context.

Note that hierarchy of the namespace of database objects depends on RDBMS.
So, author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we lookup an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

In the default, it tries to read a specfile which maps database objects and security
context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-15 19:01:30 -04:00
Chad Sellers
7d19f9df51 libselinux: Export reset_selinux_config()
In integrating SELinux policy into rpm, we have a need to be
able to reset the configuration data (e.g. policy type) loaded
into libselinux. These values are currently loaded lazily by a
number of different functions (e.g. matchpatchcon_init()).
Since we are changing rpm to install policy, including initial
base policy, we need to be able to reload these configuration
items after the policy has been installed.

reset_selinux_config() already exists and is used by
selinux_init_load_policy() for a similar reason, but it is not
exported. This was probably intentionaly since it is not thread
safe at all. That said, rpm needs to do the same thing. This
patch makes the function public, and places a warning in the
header comment that it is not thread safe.

Signed-off-by:  Chad Sellers <csellers@tresys.com>
2009-10-21 19:41:59 -04:00
Daniel J Walsh
66d0760007 This patch fixes the exception handling in libselinux-python bindings
On 09/16/2009 03:35 PM, Joshua Brindle wrote:
>
>
> Joshua Brindle wrote:
>>
>>
>> Daniel J Walsh wrote:
>>> What do you think of this one. Removed excess swig cruft,
>>>
>>> You need to run
>>>
>>> make swigify to generate those changes.
>>>
>>
>> Ok, looking at this now. I don't completely get how it works. I'm trying
>> to reproduce what you are doing by hand but nothing comes out of gcc:
>>
>> [root@localhost src]# echo '#include "../include/selinux/selinux.h"' >
>> temp.c
>> [root@localhost src]# gcc -c temp.c -aux-info temp.aux
>> [root@localhost src]# ls temp.*
>> temp.c temp.o
>>
>>
>> What is the purpose of the aux-info thing, and why doesn't it work on my
>> F11 machine?
>>
>> also, I'm not sure if the best place for selinuxswig_exception.i is
>> swigify or pywrap. In the swigify case it shouldn't be in the clean
>> target because if you check out the repo and do make clean; make pywrap
>> you'll get an error. (I can make these fixes, I'm just trying to figure
>> out how it all works first).
>>
>
> Oh, one more thing, should this be python specific? (E.g, should it be
> named selinuxswig_python_exception.i ?)
Changed name to selinux_python_exception.i

WOrks for me on F11 and F12

dwalsh@localhost$ echo '#include "../include/selinux/selinux.h"' > temp.c
dwalsh@localhost$ gcc -c temp.c -aux-info temp.aux
dwalsh@localhost$ ls temp.*
temp.aux  temp.c  temp.o

cat temp.aux
/* compiled from: . */
/* /usr/include/sys/select.h:109:NC */ extern int select (int, fd_set *, fd_set *, fd_set *, struct timeval *);
/* /usr/include/sys/select.h:121:NC */ extern int pselect (int, fd_set *, fd_set *, fd_set *, const struct timespec *, const __sigset_t *);
/* /usr/include/sys/sysmacros.h:31:NC */ extern unsigned int gnu_dev_major (long long unsigned int);
/* /usr/include/sys/sysmacros.h:34:NC */ extern unsigned int gnu_dev_minor (long long unsigned int);
/* /usr/include/sys/sysmacros.h:37:NC */ extern long long unsigned int gnu_dev_makedev (unsigned int, unsigned int);
/* ../include/selinux/selinux.h:12:NC */ extern int is_selinux_enabled (void);
/* ../include/selinux/selinux.h:14:NC */ extern int is_selinux_mls_enabled (void);
/* ../include/selinux/selinux.h:19:NC */ extern void freecon (security_context_t);
/* ../include/selinux/selinux.h:22:NC */ extern void freeconary (security_context_t *);
...

commit 38d98bd958f42ea18c9376e624d733795665ee22
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Wed Sep 16 16:51:14 2009 -0400

    Add exception code
2009-09-24 13:34:42 -04:00
Daniel J Walsh
532bd9a892 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: This patch add seusers support to SELinux
Date: Mon, 18 May 2009 14:20:30 -0400

The idea here is to break the seusers file up into lots of little
seusers file that can be user specific, also adds the service field to
be used by tools like pam_selinux to choose which is the correct context
to log a user in as.

Patch was added to facilitate IPA handing out SELinux content for
selection of roles at login.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-07-07 12:15:44 -04:00
Daniel J Walsh
20271d94ed Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: SELinux context patch
Date: Mon, 18 May 2009 14:16:12 -0400

This patch adds context files for virtual_domain and virtual_image,
these are both being used to locat the default context to be executed by
svirt.

I also included the subs patch which I submitted before.  This patch
allows us to substitute prefixes to matchpathcon.

So we can say /export/home == /home

and

/web == /var/www

Author: Chad Sellers
Email: csellers@tresys.com

Flipped free()'s in original patch when strdup'd fail to proper order.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-06-04 17:15:31 -04:00
KaiGai Kohei
433a99d403 It is useful for userspace object manager, if libselinux has an
interface something like: int security_deny_unknown(void);

This interface can suggest applications preferable behavior when
string_to_security_class() or string_to_av_perm() returns invalid
value which means the security policy does not define required
ones.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:48:01 -04:00
KaiGai Kohei
55ed6e7fa6 This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.

This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.

This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:10:30 -04:00
KaiGai Kohei
318748d659 The attached patch enables userspace object managers to handle notification
messages via netlink socket from SELinux.

* Two new callbacks were added to selinux_set_callback(3)
  - SELINUX_CB_SETENFORCE
     is invoked when it got SELNL_MSG_SETENFORCE message in the
     avc_netlink_process().
  - SELINUX_CB_POLICYLOAD
     is invoked when it got SELNL_MSG_POLICYLOAD message in the
     avc_netlink_process().

* Three functions were exposed to applications.
  - int avc_netlink_open(int blocking);
  - void avc_netlink_loop(void);
  - void avc_netlink_close(void);

Due to a few reasons, SE-PostgreSQL implements its own userspace
avc, so it needs to copy and paste some of avc_internal.c.
This update enables to share common part from such kind of application.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:08:48 -04:00
Eamon Walsh
7ab6b29011 Netlink socket handoff functions from Adam Jackson. 2009-03-10 20:31:38 -04:00
Eamon Walsh
f9b1f1a2a1 Add config path function for secolor.conf file.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-01-02 16:15:58 -05:00
Eamon Walsh
cfa3cb6fa5 Add client routines for translating raw security contexts into colors.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2008-12-31 18:51:42 -05:00
Joshua Brindle
5973c54402 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Latest flask definitions for libselinux.
Date: Mon, 22 Sep 2008 13:50:26 -0400

Adds open, X Definitions and nlmsg_tty_audit for netlink_audit_socket

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 12:12:04 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00