Attach the refpolicy patch to test adding one role attribute into another. > From: qingtao.cao@xxxxxxxxxxxxx > To: cpebenito@xxxxxxxxxx; sds@xxxxxxxxxxxxx; method@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx; eparis@xxxxxxxxxxxxxx > CC: selinux@xxxxxxxxxxxxx > Subject: v1 Add role attribute support to libsepol > Date: Sun, 29 May 2011 12:36:53 +0800 > > > > Comments > --------- > > Support adding one role attribute into another. > > When the link process is completed, the types type_set_t and roles > ebitmap in a role attribute are settled, then we can go on to scan > all role attributes in the base.p_roles table, checking whether any non-zero > bit in its roles ebitmap is in fact another role attribute. > > If this is the case, then we need to escalate the roles ebitmap of > the sub-attribute into that of the parent attribute, and remove the > sub-attribute from the parent's roles ebitmap. > > Since the sub-attribute's roles ebitmap may further contain other role > attributes, we need to re-scan the updated parent's roles ebitmap. > > Also if a loop dependency is detected, no escalation of the sub-attribute's > roles ebitmap is needed. Note that such a cycle makes the attributes involved equivalent: every role in either one ends up authorized for the types of both (test 5.2 below shows the effect). > > > In order to highlight this patch I've decided to introduce a new > separate commit, while all the remaining 5 commits are the same as v0. > > > Tests of adding one role attribute into another > ------------------------------------------------ > > 1. Apply the patch for rpm.* and selinuxutil.*, to introduce the rpm_roles and > semanage_roles attributes and eliminate the "chain of run interfaces", > make policy.X and dump its hexdump, then check the policy value for the > related identifiers: > > 0035b00: 5f74 0500 0000 4103 0000 0100 0000 0000 _t....A......... > 0035b10: 0000 7270 6d5f 7407 0000 0042 0300 0001 ..rpm_t.... > > rpm_t: policy value = 0x341 > > 0040460: 740c 0000 0075 0700 0001 0000 0000 0000 t....u.......... > 0040470: 0072 706d 5f73 6372 6970 745f 740f 0000 .rpm_script_t. 
> > rpm_script_t: policy value = 0x775 > > 004c900: 6563 7572 6974 795f 740a 0000 001e 0c00 ecurity_t....... > 004c910: 0001 0000 0000 0000 0073 656d 616e 6167 .........semanag > 004c920: 655f 7409 0000 001f 0c00 0003 0000 0000 e_t > > semanage_t: policy value = 0xc1e > > 004c760: 0a00 0000 140c 0000 0100 0000 0000 0000 ................ > 004c770: 7365 7466 696c 6573 5f74 1400 0000 ec0a setfiles_t...... > > setfiles_t: policy value = 0xc14 > > 00484e0: 740d 0000 008b 0a00 0001 0000 0000 0000 t............... > 00484f0: 006c 6f61 645f 706f 6c69 6379 5f74 0c00 .load_policy_t.. > > load_policy_t: policy value = 0xa8b > > > 2. Check out the rpm_roles.types ebitmap: > > 002d2c0: 0000 0400 0000 0000 0000 0900 0000 0f00 ................ > 002d2d0: 0000 0000 0000 7270 6d5f 726f 6c65 7340 ......rpm_roles@ > 002d2e0: 0000 0040 0000 0001 0000 0000 0000 0000 ...@............ > 002d2f0: 4000 0000 0000 0040 0000 0080 0700 0002 @......@........ > 002d300: 0000 0040 0300 0001 0000 0000 0000 0040 ...@...........@ > 002d310: 0700 0000 0000 0000 0010 000b 0000 0010 ................ > 002d320: 0000 0000 0000 006e 785f 7365 7276 6572 ....... > > rpm_roles: policy value = 0x0f > dominates: > mz = 0x40, highbit = 0x40, node = 1 > startbit = 0, map: 00 4000 0000 0000 00 > policy value: 0x0f(rpm_roles) > types.types: > mz = 0x40, highbit = 0x780, node = 2 > startbit = 0x340, map: 01 0000 0000 0000 00 > policy value: 0x341(rpm_t) > startbit = 0x740, map: 00 0000 0000 0010 00 > policy value: 0x775(rpm_script_t) > > > 3. Check out the semanage_roles.types ebitmap: > > 002caa0: 0000 0000 0e00 0000 0800 0000 0000 0000 ................ > 002cab0: 7365 6d61 6e61 6765 5f72 6f6c 6573 4000 semanage_roles@. > 002cac0: 0000 4000 0000 0100 0000 0000 0000 8000 ..@............. > 002cad0: 0000 0000 0000 4000 0000 400c 0000 0200 ......@...@..... > 002cae0: 0000 800a 0000 0004 0000 0000 0000 000c ................ > 002caf0: 0000 0000 0820 0000 0000 1000 0000 0900 ..... .......... 
> 002cb00: 0000 0000 0000 726f 6c65 5f61 7474 7269 ...... > > semanage_roles: policy value = 0x08 > dominates: > mz = 0x40, highbit = 0x40, node = 1, > startbit = 0, map: 8000 0000 0000 0000 > policy value: 8(semanage_roles) > types.types: > mz = 0x40, highbit = 0xc40, node = 2 > startbit = 0xa80, map: 0004 0000 0000 0000 > policy value: 0xa8b(load_policy_t) > startbit = 0xc00, map: 0000 0820 0000 0000 > policy value: 0xc14(setfiles_t), 0xc1e(semanage_t) > > > 4. Verify that once the rpm_roles attribute becomes a sub-attribute of the > semanage_roles attribute, all regular roles belonging to rpm_roles, > such as sysadm_r, are authorized for all the types of the parent role > attribute (that is, semanage_roles.types): > > 002ccc0: 0000 0800 0000 0b00 0000 0000 0000 7379 ..............sy > 002ccd0: 7361 646d 5f72 4000 0000 4000 0000 0100 sadm_r@...@..... > 002cce0: 0000 0000 0000 0004 0000 0000 0000 4000 ..............@. > 002ccf0: 0000 800d 0000 2d00 0000 8000 0000 0000 ......-......... > ... > 002cd70: 5808, 4003 0000 0906 0200 0000 0000, 8003 X.@............. > ... > 002cdf0: 4000 0000 0900 c006 0000 0000 0008 0000 @............... > 002ce00: 0000, 4007 0000 4000 0000 0000 1006, 8007 ..@...@......... > 002ce10: 0000 0000 000a 0000 0000 c007 0000 0080 ................ > ... > 002ce90: 8000, 400a 0000 0000 0000 0000 0040, 800a ..@..........@.. > 002cea0: 0000 0004 0002 0000 0000 c00a 0000 0000 ................ > 002ceb0: 0000 8000 0000 000b 0000 0000 0080 0080 ................ > 002cec0: 0000 c00b 0000 0000 0000 1000 0000, 000c ................ > 002ced0: 0000 0000 3820 0004 0000 400c 0000 0400 ....8 ....@..... > ... > > sysadm_r: policy value = 0x0b > dominates: > mz = 0x40, highbit = 0x40, node = 1 > startbit = 0x0, map: 0004 0000 0000 0000 > policy value: 0x0b(sysadm_r) > types.types: > mz = 0x40, highbit = 0xd80, node = 0x2d > startbit = 0x340, map: 
0906 0200 0000 0000 > policy value: 341(rpm_t), 344, 34a, 34b > > startbit = 0x740, map: 4000 0000 0000 1006 > policy value: 747, 775(rpm_script_t), 77a, 77b > > startbit = 0xa80, map: 0004 0002 0000 0000 > policy value: a8b(load_policy_t), a9a > > startbit = 0xc00, map: 0000 3820 0004 0000 > policy value: c14(setfiles_t), c15, c16, c1e(semanage_t) > > > 5. Extra loop dependency tests. > > 5.1 When there is no loop dependency between the rpm_roles and semanage_roles > attributes, the secadm_r role that belongs to the semanage_roles attribute is > not authorized for the types in rpm_roles.types, such as rpm_t or > rpm_script_t: > > 002cb60: 0000 0a00 0000 0000 0000 7365 6361 646d ..........secadm > 002cb70: 5f72 4000 0000 4000 0000 0100 0000 0000 _r@...@......... > 002cb80: 0000 0002 0000 0000 0000 4000 0000 400d ..........@...@. > 002cb90: 0000 1900 0000 8000 0000 0000 0000 0200 ................ > ... > 002cbe0: 0000 0400 0200 0000 1800, 4003 0000 0002 ..........@..... > 002cbf0: 0000 0000 0000 c003 0000 0000 0000 0000 ................ > ... > 002cc30: 0800 4006 0000 0000 0000 0000 0100, 4007 ..@...........@. > 002cc40: 0000 0000 0000 0000 2000 4009 0000 0000 ........ .@..... > 002cc50: 0000 0000 0420 8009 0000 0000 0820 0000 ..... ....... .. > > secadm_r: > types.types: > mz = 0x40, highbit = 0xd40, node = 0x19 > startbit = 0x340, map: 0002 0000 0000 0000 > policy value: 34a, ... > > startbit = 0x740, map: 0000 0000 0000 2000 > policy value: 776 > > > 5.2 Add the statements below to selinuxutil.te to create a loop dependency > between the rpm_roles and semanage_roles attributes: > > attribute rpm_roles ROLE; > roleattribute semanage_roles rpm_roles; > > Then rebuild policy.X in the modular way; the loop dependency should be > properly handled, and secadm_r, which belongs to semanage_roles, > should be authorized for all the types in the rpm_roles.types ebitmap, > such as rpm_t and rpm_script_t. Note that this is a privilege escalation for any role that was only granted seutil_run_semanage: because the cycle makes the two attributes equivalent, such a role silently gains rpm_t and rpm_script_t as well. > > 002cb60: 0000 0a00 0000 0000 0000 7365 6361 646d ..........secadm > 002cb70: 5f72 4000 0000 4000 0000 0100 0000 0000 _r@...@......... > 002cb80: 0000 0002 0000 0000 0000 4000 0000 400d ..........@...@. > 002cb90: 0000 1900 0000 8000 0000 0000 0000 0200 ................ > ... > 002cbe0: 0000 0400 0200 0000 1800, 4003 0000 0102 ..........@..... > 002cbf0: 0000 0000 0000 c003 0000 0000 0000 0000 ................ > ... > 002cc30: 0800 4006 0000 0000 0000 0000 0100, 4007 ..@...........@. > 002cc40: 0000 0000 0000 0000 3000 4009 0000 0000 ........0.@..... > 002cc50: 0000 0000 0420 8009 0000 0000 0820 0000 ..... ....... .. > > secadm_r: > types.types: > mz = 0x40, highbit = 0xd40, node = 0x19 > startbit = 0x340, map: 0102 0000 0000 0000 > policy value: 341(rpm_t), ... > > startbit = 0x740, map: 0000 0000 0000 3000 > policy value: 775(rpm_script_t), 776
From 16829156f34aedf220a132062d6efeb4cfec15e5 Mon Sep 17 00:00:00 2001 From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> Date: Sun, 29 May 2011 12:47:42 +0800 Subject: [PATCH 1/1] Test adding one role attribute into another. Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> --- policy/modules/admin/rpm.if | 14 ++++++++++---- policy/modules/admin/rpm.te | 11 +++++++++++ policy/modules/system/selinuxutil.if | 12 +++++++++--- policy/modules/system/selinuxutil.te | 16 ++++++++++++++++ 4 files changed, 46 insertions(+), 7 deletions(-) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index d33daa8..7a7a4fe 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -82,10 +82,16 @@ interface(`rpm_run',` ') rpm_domtrans($1) - role $2 types { rpm_t rpm_script_t }; - seutil_run_loadpolicy(rpm_script_t, $2) - seutil_run_semanage(rpm_script_t, $2) - seutil_run_setfiles(rpm_script_t, $2) + + # should require not declare an attribute here + attribute rpm_roles ROLE; + + roleattribute $2 rpm_roles; + +# role $2 types { rpm_t rpm_script_t }; +# seutil_run_loadpolicy(rpm_script_t, $2) +# seutil_run_semanage(rpm_script_t, $2) +# seutil_run_setfiles(rpm_script_t, $2) ') ######################################## diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 47a8f7d..d216048 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te 
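Review bot: `attribute rpm_roles ROLE;` is declared in the body of rpm_run instead of being listed in the interface's gen_require block, so every module that calls rpm_run ends up declaring the attribute that rpm.te owns; the in-line comment admits this, but the line should move into gen_require before the patch is merged. The four `+#` lines that keep the old role/seutil_run_* statements as commented-out code should be dropped rather than committed. With the new form, $2 is authorized for semanage_t, setfiles_t and load_policy_t only because rpm.te nests rpm_roles inside semanage_roles, which in turn relies on the link-time attribute escalation this series adds; a comment such as `# $2 is authorized for semanage_t/setfiles_t/load_policy_t via rpm_roles being a member of semanage_roles (see rpm.te)` would make that indirection visible to policy authors. The interface rpm_run begins before this hunk.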
@@ -192,6 +192,17 @@ seutil_manage_bin_policy(rpm_t) userdom_use_user_terminals(rpm_t) userdom_use_unpriv_users_fds(rpm_t) +# Test: add one role attribute into another +attribute rpm_roles ROLE; +role rpm_roles types { rpm_t rpm_script_t }; +seutil_run_semanage(rpm_script_t, rpm_roles) +# semanage_t could transition into load_policy_t and setfiles_t +# so there is no need to explicitly invoke seutil_run_loadpolicy() +# and seutil_run_setfiles() for the rpm_script_t +#seutil_run_loadpolicy(rpm_script_t, rpm_roles) +#seutil_run_setfiles(rpm_script_t, rpm_roles) + + optional_policy(` cron_system_entry(rpm_t, rpm_exec_t) ') diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 170e2c7..31a11ec 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -1030,10 +1030,16 @@ interface(`seutil_run_semanage',` type semanage_t; ') + # should require not declare an attribute here + attribute semanage_roles ROLE; + seutil_domtrans_semanage($1) - seutil_run_setfiles(semanage_t, $2) - seutil_run_loadpolicy(semanage_t, $2) - role $2 types semanage_t; + + roleattribute $2 semanage_roles; + +# seutil_run_setfiles(semanage_t, $2) +# seutil_run_loadpolicy(semanage_t, $2) +# role $2 types semanage_t; ') ######################################## diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 65e0698..5ef0e35 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
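Review bot: Commenting out seutil_run_loadpolicy(rpm_script_t, rpm_roles) and seutil_run_setfiles(rpm_script_t, rpm_roles) drops more than a role grant: in this same patch seutil_run_semanage is the interface that performs seutil_domtrans_semanage, and if the loadpolicy and setfiles run interfaces follow the same pattern they were what allowed rpm_script_t to transition into load_policy_t and setfiles_t. Unless rpm_script_t keeps those transitions elsewhere, an rpm scriptlet that executes load_policy or setfiles/restorecon directly will no longer enter the dedicated domain, which is a behaviour change beyond the attribute-nesting test this patch describes. Either keep both calls, or state the narrowing in the comment, e.g. `# rpm_script_t now reaches load_policy_t/setfiles_t only via semanage_t; direct execution of load_policy/setfiles from scriptlets is no longer domain-transitioned`. The rpm_t policy section around this hunk continues outside it.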
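Review bot: Replacing `role $2 types semanage_t;` with `roleattribute $2 semanage_roles;` changes the contract of seutil_run_semanage: the caller's role is now authorized for every type that selinuxutil.te ever adds to semanage_roles (today semanage_t, setfiles_t and load_policy_t), and any future addition there silently widens every caller without the interface changing. That is the intended collapse of the run-interface chain, but the interface's header documentation, which lies before this hunk, should say so, e.g. `## The role is added to semanage_roles and is thereby authorized for all policy-management domains, currently semanage_t, setfiles_t and load_policy_t`. As the in-line comment already notes, `attribute semanage_roles ROLE;` belongs in the gen_require block rather than in the body, and the three `+#` commented-out lines should be removed rather than committed. The interface seutil_run_semanage begins before this hunk.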
@@ -482,6 +482,22 @@ seutil_manage_default_contexts(semanage_t) userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) +# Declare a semanage_role which is able to type all kinds of +# domains provided by selinuxutil.pp +attribute semanage_roles ROLE; +role semanage_roles types { semanage_t setfiles_t load_policy_t }; + +# Administrator only needs to invoke seutil_run_semanage(), while +# semanage_t is able to transition into other domains provided by +# selinuxutil.pp +seutil_run_setfiles(semanage_t, semanage_roles) +seutil_run_loadpolicy(semanage_t, semanage_roles) + +# A role attribute loop dependency test +# should require rather than declare the role attribute here +#attribute rpm_roles ROLE; +#roleattribute semanage_roles rpm_roles; + ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) -- 1.7.0.4
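Review bot: `role semanage_roles types { semanage_t setfiles_t load_policy_t };` overlaps with the two seutil_run_* calls that follow it: seutil_run_setfiles and seutil_run_loadpolicy are not touched by this patch, so if they still grant their type to $2 directly, setfiles_t and load_policy_t are authorized for semanage_roles twice, and one of the two forms should go with a comment explaining the choice. The commented-out loop test deserves a stronger warning than "loop dependency test": rpm.te already nests rpm_roles in semanage_roles, so adding `roleattribute semanage_roles rpm_roles;` makes the two attributes equivalent and every role that only asked for seutil_run_semanage (secadm_r in test 5.2 of the cover letter) becomes authorized for rpm_t and rpm_script_t; suggested comment: `# WARNING: creates a cycle with rpm.te; both attributes then carry the same role set, so semanage-only roles also gain rpm_t/rpm_script_t`. Declaring rpm_roles here rather than requiring it also duplicates rpm.te's declaration across two modules, as the author's own comment notes; if the test is kept, the require should sit inside an optional_policy block so selinuxutil does not hard-depend on the rpm module.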