Hi, The attached is the refpolicy patch used for role attribute testing. Thanks, Harry > From: qingtao.cao@xxxxxxxxxxxxx > To: sds@xxxxxxxxxxxxx; method@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx; eparis@xxxxxxxxxxxxxx > CC: selinux@xxxxxxxxxxxxx > Subject: v0 Add role attribute support to libsepol > Date: Fri, 27 May 2011 09:24:19 +0800 > > > > Comments: > --------- > Add role attribute support to SELinux, which aims at replacing the deprecated > role dominance rule. > > Previous discussions can be found here: > http://www.spinics.net/lists/selinux/msg00974.html > > A role attribute can be declared by the rule > "attribute <role_attribute_name> role;" and further used in the > user-roles, role-types, role-allows and role_transition rules. In order > to avoid ambiguity, the role-types rule would no longer declare a role; > another new rule, role-attr, is added to declare a regular role and > optionally a list of role attributes that the regular role belongs to > (like the type rule). Also, the role-attribute association can be > declared by a new rule, roleattribute. > > BTW, since the flavor and roles ebitmap of a role_datum_t structure > do not need to be written to policy.X, the SELinux kernel driver > would not need any change. The maximum version number in both libsepol > and kernel remains the same. > > FIXME_1: > I may need some help to specify the "kind" of a required attribute > (a type attribute or a role attribute), please see the notes left in > the patches. BTW, since multiple declarations of role/user are allowed, > so far I just explicitly declare the required role attribute :-P > > > Tests I've done: > ------------------- > 1. Use a role attribute in several different modules to test if a role > attribute used in user-roles, role-types, role-allows and role-transition > rules could be properly compiled/linked/expanded. 
> > Also, since the role-types rule is no longer used to > declare a regular role, we have to use the role-attr rule to declare > the related role explicitly (so far only nx_server_r and unconfined_r). > > Please refer to the attached refpolicy patch for the above tests, then make > policy. > > > 2. Make a hexdump of policy.26 with the xxd tool, then check the policy value > of those identifiers related to this test: > > 0035b40: 07 0000 004a 0300 r_tmpfs_t....J.. > 0035b50: 0001 0000 0000 0000 0076 6c6f 636b 5f74 .........vlock_t > > vlock_t: len = 7, policy value = 0x34a, prop = 01, bounds = 0 > > 00353b0: 0800 0000 fa02 ..shadow_t...... > 00353c0: 0000 0100 0000 00000000 7379 7361 646d ..........sysadm > 00353d0: 5f74 1200 0000 cb01 0000 0000 0000 0000 _t > > sysadm_t: len = 8, policy value = 0x2fa, prop = 01, bounds = 0 > > 003d3f0: 635f 7409 0000 0034 0600 0001 0000 0000 c_t....4........ > 003d400: 0000 006e 6577 726f 6c65 5f74 0900 0000 ...newrole_t.... > > newrole_t: len = 9, policy value = 0x634, prop = 0x01, bounds = 0 > > 0045dc0: 0800 ......cgroup_t.. > 0045dd0: 0000 7309 0000 0100 0000 0000 0000 6368 ..s...........ch > 0045de0: 6b70 7764 5f74 0800 0000 7409 0000 0100 kpwd_t > > chkpwd_t: len = 0x08, policy value = 0x973, prop = 0x01, bounds = 0 > > 002c6a0: 07 ................ > 002c6b0: 0000 0005 0000 0000 0000 0073 7461 6666 ...........staff > 002c6c0: 5f72 4000 0000 4000 0000 0100 0000 0000 _r@...@......... > > staff_r: len = 0x07, policy value = 0x05, bounds = 0 > > 002cc60: 0800 0000 .......@........ > 002cc70: 0a00 0000 0000 0000 7379 7361 646d 5f72 ........sysadm_r > > sysadm_r: len = 0x08, policy value = 0x0a, bounds = 0 > > 002cec0: 0800 0000 @............... > 002ced0: 0b00 0000 0000 0000 7379 7374 656d 5f72 ........system_r > > system_r: len = 0x08, policy value = 0x0b, bounds = 0 > > > 3. 
Check the hexdump of the sysadm_r_2 and sysadm_r_3 roles, and verify > that their types.types ebitmap records all types specified in the > "role role_attribute_1 types xxx;" rule: > > 002d470: 0a 0000 0010 0000 0000 ................ > 002d480: 0000 0073 7973 6164 6d5f 725f 3240 0000 ...sysadm_r_2@.. > 002d490: 0040 0000 0001 0000 0000 0000 0000 8000 .@.............. > 002d4a0: 0000 0000 0040 0000 0080 0900 0004 0000 .....@.......... > 002d4b0: 00c0 0200 0000 0000 0000 0000 0240 0300 .............@.. > 002d4c0: 0000 0200 0000 0000 0000 0600 0000 0000 ................ > 002d4d0: 0000 0008 0040 0900 0000 0000 0000 0004 .....@.......... > 002d4e0: 000a 0000 0011 0000 0000 0000 0073 7973 .............sys > 002d4f0: 6164 6d5f 725f 3340 0000 0040 0000 0001 adm_r_3@...@.... > 002d500: 0000 0000 0000 0000 0001 0000 0000 0040 ...............@ > 002d510: 0000 0080 0900 0004 0000 00c0 0200 0000 ................ > 002d520: 0000 0000 0000 0240 0300 0000 0200 0000 .......@........ > 002d530: 0000 0000 0600 0000 0000 0000 0008 0040 ...............@ > 002d540: 0900 0000 0000 0000 0004 0065 0d00 00fa ...........e.... > > sysadm_r_2: > len = 0x0a, policy value = 0x10, bounds = 0 > dominates: > ms = 0x40, highbit = 0x40, node = 0x01, > startbit = 0, map: 00 8000 0000 0000 00 (policy value = 0x10) > types.types: > ms = 0x40, highbit = 0x980, node = 0x04, > startbit = 0x2c0, map: 00 0000 0000 0000 02 (policy value = 0x2fa, sysadm_t) > startbit = 0x340, map: 00 0200 0000 0000 00 (policy value = 0x34a, vlock_t) > startbit = 0x600, map: 00 0000 0000 0008 00 (policy value = 0x634, newrole_t) > startbit = 0x940, map: 00 0000 0000 0004 00 (policy value = 0x973, chkpwd_t) > > sysadm_r_3: > len = 0x0a, policy value = 0x11, bounds = 0 > (The dominates and types.types ebitmaps are the same as those > of sysadm_r_2) > > > 4. 
Check the hexdump of the root user, and verify that its roles.roles ebitmap > records the policy values of sysadm_r_2 and sysadm_r_3 that are specified in > the "user root roles role_attribute_1 ...;" rule: > > 004fc20: 04 0000 0003 ................ > 004fc30: 0000 0000 0000 0072 6f6f 7440 0000 0040 .......root@...@ > 004fc40: 0000 0001 0000 0000 0000 0012 8701 0000 ................ > 004fc50: 0000 0002 0000 0001 0000 0010 0000 0040 ...............@ > 004fc60: 0000 0000 0000 0000 0000 0040 0000 0000 ...........@.... > 004fc70: 0400 0010 0000 0000 0000 00ff ffff ffff ................ > 004fc80: ffff ff40 0000 00ff ffff ffff ffff ff80 ...@............ > > root: > len = 0x04, policy value = 0x03, bounds = 0x0 > roles.roles: > ms = 0x40, highbit = 0x40, node = 0x01, > startbit = 0, map: 12 8701 0000 0000 00 > > The roles.roles ebitmap for the root user recorded the following policy values: > 2, 5, 9, 10, 11, 16, 17 > where 5 == staff_r, 10 == sysadm_r, 11 == system_r, 16 == sysadm_r_2, > 17 == sysadm_r_3 > > > 5. Boot up the system with the latest Eric SELinux tree: > > [root/sysadm_r/s0@~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 26 > Policy from config file: refpolicy-mls > [root/sysadm_r/s0@~]# > [root/sysadm_r/s0@~]# echo "sysadm_r_2:sysadm_t" >> /etc/selinux/refpolicy-mls/contexts/default_type > [root/sysadm_r/s0@~]# echo "sysadm_r_3:sysadm_t" >> /etc/selinux/refpolicy-mls/contexts/default_type > [root/sysadm_r/s0@~]# > > > 6. Use the newrole command to switch between sysadm_r and sysadm_r_2/3, to > prove that the role_attribute_1 used in the relevant > role-allow/user-roles/role-types rules has been properly linked/expanded: > > [root/sysadm_r/s0@~]# newrole -r sysadm_r_2 -p
> Password: > [root/sysadm_r_2/s0@~]# > [root/sysadm_r_2/s0@~]# id -Z > root:sysadm_r_2:sysadm_t:s0-s15:c0.c1023 > [root/sysadm_r_2/s0@~]# > [root/sysadm_r_2/s0@~]# newrole -r sysadm_r -p > Password: > [root/sysadm_r/s0@~]# > [root/sysadm_r/s0@~]# newrole -r sysadm_r_3 -p > Password: > [root/sysadm_r_3/s0@~]# > [root/sysadm_r_3/s0@~]# newrole -r sysadm_r -p > Password: > [root/sysadm_r/s0@~]# id -Z > root:sysadm_r:sysadm_t:s0-s15:c0.c1023 > [root/sysadm_r/s0@~]# > > > 7. Use the compute_create command to prove that the role_attribute_1 used > in the relevant role_transition rule has been properly linked/expanded: > > [root/sysadm_r_2/s0@~]# ls -Z /usr/sbin/vlock-main > -rws--x--x root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main > [root/sysadm_r_2/s0@~]# > [root/sysadm_r_2/s0@~]# compute_create `id -Z` system_u:object_r:vlock_exec_t:s0 process > root:system_r:vlock_t:s0-s15:c0.c1023 > [root/sysadm_r_2/s0@~]# > > [root/sysadm_r_3/s0@~]# compute_create `id -Z` system_u:object_r:vlock_exec_t:s0 process > root:system_r:vlock_t:s0-s15:c0.c1023 > [root/sysadm_r_3/s0@~]# > > > 8. FIXME_2: > The result of compute_create in the above steps has shown that the > domain transition from sysadm_t to vlock_t, and the role transition from > sysadm_r_2/3 to system_r, could take place correctly. BTW, since > security_compute_sid() calls policydb_context_isvalid(), the > "root:system_r:vlock_t:s0-s15:c0.c1023" context is valid. > > However, root:sysadm_r_2:sysadm_t fails to run the vlock > program with the AVC denial below; what other refpolicy rule > should I have added? > 
> [root/sysadm_r_2/s0@~]# date > Thu May 26 06:27:29 GMT 2011 > [root/sysadm_r_2/s0@~]# vlock > /usr/bin/vlock: line 224: /usr/sbin/vlock-main: Permission denied > [root/sysadm_r_2/s0@~]# exit > > [root/sysadm_r/s0@~]# audhigh "ausearch -ts 06:27:29 -sv no" > Password: > ---- > time->Thu May 26 06:27:32 2011 > type=SYSCALL msg=audit(1306391252.699:38): arch=40000003 syscall=11 success=no exit=-13 a0=80db080 a1=80da830 a2=80d07b0 a3=80da830 items=0 ppid=723 pid=849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="vlock" exe="/bin/bash" subj=root:sysadm_r_2:sysadm_t:s0-s15:c0.c1023 key=(null) > type=AVC msg=audit(1306391252.699:38): avc: denied { transition } for pid=849 comm="vlock" path="/usr/sbin/vlock-main" dev=sda ino=50097 scontext=root:sysadm_r_2:sysadm_t:s0-s15:c0.c1023 tcontext=root:system_r:vlock_t:s0-s15:c0.c1023 tclass=process > [root/sysadm_r/s0@~]# > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. |
From 4e2bd0a7ce57010b09ab54fd4af50af57d26a791 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Wed, 25 May 2011 17:34:47 +0800
Subject: [PATCH 1/1] Role attribute debug.

Use role attribute in several different modules to test if a role attribute used in user-roles, role-types, role-allows and role-transition rules could be properly compiled/linked/expanded.

Also in order to support that role-types rule no longer is used to declare a regular role, we have to use the role-attr rule to declare the related role explicitly (so far only nx_server_r and unconfined_r).

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/apps/vlock.te | 14 ++++++++++++++
 policy/modules/roles/sysadm.te | 25 +++++++++++++++++++++++++
 policy/modules/services/likewise.te | 2 +-
 policy/modules/services/nx.te | 1 +
 policy/modules/system/selinuxutil.te | 19 +++++++++++++++++++
 policy/modules/system/unconfined.te | 1 +
 6 files changed, 61 insertions(+), 1 deletions(-)

diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
index 03fc701..4d3295f 100644
--- a/policy/modules/apps/vlock.te
+++ b/policy/modules/apps/vlock.te
@@ -51,3 +51,17 @@ miscfiles_read_localization(vlock_t)
 userdom_dontaudit_search_user_home_dirs(vlock_t)
 userdom_use_user_terminals(vlock_t)
+
+optional_policy(`
+ gen_require(`
+ role system_r;
+ ')
+
+ # so far I do not know how to require a role attribute yet
+ attribute role_attribute_1 ROLE;
+
+ # assume the system_r role once transitioned to vlock_t domain
+ role_transition role_attribute_1 vlock_exec_t system_r;
+ role system_r types vlock_t;
+ user root roles system_r level s0 range s0 - s15:c0.c1023;
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2f2bc77..67a8415 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
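Review bot: The `role_transition role_attribute_1 vlock_exec_t system_r;` added to vlock.te has no matching role allow anywhere in this patch: selinuxutil.te only adds `allow sysadm_r role_attribute_1;` and `allow role_attribute_1 sysadm_r;`, nothing permits a role_attribute_1 member to change into system_r. The kernel strips process transition when a transition would change the role and no role allow covers it, which is consistent with the `denied { transition }` entry for sysadm_r_2:sysadm_t -> system_r:vlock_t quoted in the cover mail, while compute_create apparently only resolves the transition rule and validates the resulting context. A one-line `allow role_attribute_1 system_r;` next to the role_transition would close that gap, but note it also gives every role ever collected under the attribute a path into system_r, so the attribute's membership has to stay deliberate. Separately, `user root roles system_r level s0 range s0 - s15:c0.c1023;` re-declares root with the full MLS range from an application module; for a debug patch that works, but root's range and role set should come from the user definitions rather than be widened here.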
@@ -454,3 +454,28 @@ optional_policy(`
 ')
 #')
+
+# 1. define a role attribute by the modified attribute rule
+# Note, so far the duplicated declarations of role/user are allowed
+# (symtab_insert)
+attribute role_attribute_1 role;
+attribute role_attribute_1 ROLE;
+
+# 2. define a regular role by the new role_attr rule,
+# specifying the role attribute that a regular role belongs to
+role sysadm_r_2, role_attribute_1;
+
+# 3. define a regular role by the existing role_type rule
+role sysadm_r_3;
+
+# 4. add a regular role into a role attribute
+roleattribute sysadm_r_3 role_attribute_1;
+
+optional_policy(`
+ gen_require(`
+ user root;
+ type vlock_t;
+ ')
+
+ user root roles role_attribute_1 level s0 range s0 - s15:c0.c1023;
+')
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 3acbf1d..84f4baf 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -137,7 +137,7 @@ selinux_validate_context(lsassd_t)
 seutil_read_config(lsassd_t)
 seutil_read_default_contexts(lsassd_t)
 seutil_read_file_contexts(lsassd_t)
-seutil_run_semanage(lsassd_t, lsassd_t)
+#seutil_run_semanage(lsassd_t, lsassd_t)
 sysnet_use_ldap(lsassd_t)
 sysnet_read_config(lsassd_t)
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..a3559f2 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
 domain_user_exemption_target(nx_server_t)
 # we need an extra role because nxserver is called from sshd
 # cjp: do we really need this?
+role nx_server_r;
 role nx_server_r types nx_server_t;
 allow system_r nx_server_r;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 284c7f8..65e0698 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
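Review bot: The `gen_require` in the new optional_policy block of sysadm.te pulls in `type vlock_t;`, but nothing in that block uses vlock_t, so root's role assignment becomes conditional on the vlock module being present for no reason; dropping `type vlock_t;` keeps the dependency honest. The back-to-back `attribute role_attribute_1 role;` and `attribute role_attribute_1 ROLE;` lines rely on duplicate declarations being accepted, as the comment says; one spelling is presumably a leftover from an earlier syntax, and the survivor should match the form used in vlock.te and selinuxutil.te so the declaration is not accidentally split across two keywords. The step-3 comment says `role sysadm_r_3;` uses "the existing role_type rule", yet the cover letter says role-types no longer declares roles and this looks like the new role-attr form with an empty attribute list; the comment should say that instead.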
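Review bot: Commenting out `seutil_run_semanage(lsassd_t, lsassd_t)` in likewise.te silently removes lsassd's ability to run semanage, and the hunk gives no reason for a change unrelated to role attributes. The second argument of that call is a type rather than a role, which presumably only compiled before because `role lsassd_t types semanage_t` implicitly declared a role; once role-types stops declaring roles the call can no longer build, and that is what the change appears to work around. Either record that next to the disabled line, e.g. `# FIXME: second argument is a type, not a role; role-types no longer declares roles`, or pass a real role, so the lost permission does not go unnoticed in a debug patch.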
@@ -603,3 +603,22 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 hotplug_use_fds(setfiles_t)
 ')
+
+optional_policy(`
+ gen_require(`
+ role sysadm_r;
+ type sysadm_t, chkpwd_t;
+ ')
+
+ # so far I do not know how to require a role attribute yet
+ attribute role_attribute_1 ROLE;
+
+ # allow the transition from sysadm_r to all regular roles that
+ # belong to the role_attribute_1 and vice versa by the newrole cmd
+ allow sysadm_r role_attribute_1;
+ allow role_attribute_1 sysadm_r;
+
+ role role_attribute_1 types newrole_t;
+ role role_attribute_1 types chkpwd_t;
+ role role_attribute_1 types sysadm_t;
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..9c5f931 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -19,6 +19,7 @@ init_system_domain(unconfined_t, unconfined_exec_t)
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r;
 role unconfined_r types unconfined_execmem_t;
 ########################################
--
1.7.0.4
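Review bot: The three `role role_attribute_1 types ...` lines in the new selinuxutil.te block authorize sysadm_t for every role collected under role_attribute_1, and together with the paired `allow sysadm_r role_attribute_1;` / `allow role_attribute_1 sysadm_r;` they make the attribute's members interchangeable with sysadm_r; that is acceptable for a debug patch, but the comment above them should say so, because anything later attached to the attribute (for instance sysadm_r_3 via the `roleattribute` rule in sysadm.te) inherits the full administrative role set. The three statements would also read better as one, `role role_attribute_1 types { newrole_t chkpwd_t sysadm_t };`. The `attribute role_attribute_1 ROLE;` re-declaration here repeats the one in vlock.te with the same "do not know how to require" comment; a note naming sysadm.te as the owning declaration would help whoever replaces these with a proper require later.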