tequilaOS/platform_external_selinux

Fork 0

Commit graph

Author	SHA1	Message	Date
Christian Göttsche	fed78faaa3	libsepol: add policy utilities These are similar to the libselinux utilities but operate on a binary policy instead of the running kernel. This allows to run them on SELinux disabled or even non Linux systems, e.g. for development or continuous integration. sepol_check_access: (similar to selinux_check_access) Check access: $ sepol_check_access policy.bin staff_u:staff_r:gpg_t:s0 sysadm_u:sysadm_r:gpg_t:s0 process fork requested permission fork denied by constraint; reason: constrain process { fork setexec setfscreate setcurrent execmem execstack execheap setkeycreate setsockcreate } ((r1 == r2 -Fail-) ); Constraint DENIED constrain process { signull getsched getsession getpgid getcap getattr getrlimit } ((r1 == r2 -Fail-) or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-) and (t1 == rbacproc_read -Fail-) or (t1 == rbacproc_full -Fail-) or (t1 == systemd_user_instance_domain -Fail-) and (u2 == system_u -Fail-) and (r2 == system_r -Fail-) and (t2 == systemd_t -Fail-) ); Constraint DENIED constrain process { sigchld sigkill sigstop signal ptrace setsched setpgid setcap share setrlimit } ((r1 == r2 -Fail-) or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-) and (t1 == rbacproc_full -Fail-) or (t1 == systemd_user_instance_domain -Fail-) and (u2 == system_u -Fail-) and (r2 == system_r -Fail-) and (t2 == systemd_t -Fail-) ); Constraint DENIED sepol_compute_av: (similar to compute_av) Compute access vectors: $ sepol_compute_av policy.bin staff_u:staff_r:gpg_t:s0 staff_u:staff_r:gpg_t:s0 process allowed: fork sigchld signull signal getsched setsched setpgid getcap setcap setrlimit decided: fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit auditallow: auditdeny: fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit sepol_compute_member: (similar to compute_member) Compute a SID to use when selecting a member of a polyinstantiated object: $ sepol_compute_member policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tmp_t:s0 dir system_u:object_r:user_tmp_t:s0 sepol_compute_relabel: (similar to compute_relabel) Compute a SID to use for relabeling an object: $ sepol_compute_relabel policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tty_device_t:s0 chr_file staff_u:object_r:user_tty_device_t:s0 sepol_validate_transition: (similar to validatetrans) Compute a validatetrans decision: $ sepol_validate_transition policy.bin system_u:object_r:user_tmp_t:s0 system_u:object_r:shadow_t:s0 file staff_u:staff_r:staff_t:s0 allowed Acked-by: James Carter <jwcart2@gmail.com> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2022-04-12 13:09:19 -04:00

Author

SHA1

Message

Date

Christian Göttsche

fed78faaa3

libsepol: add policy utilities

These are similar to the libselinux utilities but operate on a binary
policy instead of the running kernel.  This allows to run them on
SELinux disabled or even non Linux systems, e.g. for development or
continuous integration.

sepol_check_access:
  (similar to selinux_check_access)
  Check access:

    $ sepol_check_access policy.bin staff_u:staff_r:gpg_t:s0 sysadm_u:sysadm_r:gpg_t:s0 process fork
    requested permission fork denied by constraint; reason:
    constrain process { fork setexec setfscreate setcurrent execmem execstack execheap setkeycreate setsockcreate } ((r1 == r2 -Fail-) ); Constraint DENIED
    constrain process { signull getsched getsession getpgid getcap getattr getrlimit } ((r1 == r2 -Fail-)  or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-)  and (t1 == rbacproc_read -Fail-)  or (t1 == rbacproc_full -Fail-)  or (t1 == systemd_user_instance_domain -Fail-)  and (u2 == system_u -Fail-)  and (r2 == system_r -Fail-)  and (t2 == systemd_t -Fail-) ); Constraint DENIED
    constrain process { sigchld sigkill sigstop signal ptrace setsched setpgid setcap share setrlimit } ((r1 == r2 -Fail-)  or (r1 != { staff_r user_r logadm_r apache2adm_r } -Fail-)  and (t1 == rbacproc_full -Fail-)  or (t1 == systemd_user_instance_domain -Fail-)  and (u2 == system_u -Fail-)  and (r2 == system_r -Fail-)  and (t2 == systemd_t -Fail-) ); Constraint DENIED

sepol_compute_av:
  (similar to compute_av)
  Compute access vectors:

    $ sepol_compute_av policy.bin staff_u:staff_r:gpg_t:s0 staff_u:staff_r:gpg_t:s0 process
    allowed:     fork sigchld signull signal getsched setsched setpgid getcap setcap setrlimit
    decided:     fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit
    auditallow:
    auditdeny:   fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit

sepol_compute_member:
  (similar to compute_member)
  Compute a SID to use when selecting a member of a polyinstantiated object:

    $ sepol_compute_member policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tmp_t:s0 dir
    system_u:object_r:user_tmp_t:s0

sepol_compute_relabel:
  (similar to compute_relabel)
  Compute a SID to use for relabeling an object:

    $ sepol_compute_relabel policy.bin staff_u:staff_r:staff_t:s0 system_u:object_r:tty_device_t:s0 chr_file
    staff_u:object_r:user_tty_device_t:s0

sepol_validate_transition:
  (similar to validatetrans)
  Compute a validatetrans decision:

  $ sepol_validate_transition policy.bin system_u:object_r:user_tmp_t:s0 system_u:object_r:shadow_t:s0 file staff_u:staff_r:staff_t:s0
  allowed

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

2022-04-12 13:09:19 -04:00

1 commit