RE: v3 Add role attribute support to libsepol

HarryCiao <harrytaurus2002@xxxxxxxxxxx> · Tue, 28 Jun 2011 08:28:08 +0000

Attach the refpolicy debug patches that would generate the test results mentioned below.

Thanks,
Harry

> From: qingtao.cao@xxxxxxxxxxxxx
> To: cpebenito@xxxxxxxxxx; slawrence@xxxxxxxxxx; method@xxxxxxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxx
> Subject: v3 Add role attribute support to libsepol
> Date: Tue, 28 Jun 2011 16:18:40 +0800
> 
> 
> Differences from v2 patchset
> -----------------------------
> 1. For the 0001 patch, 
>    Modify symtab_insert() to allow multiple declarations only for the regular
>    roles, while a role attribute can't be declared more than once and can't
>    share a same name with another regular role.
>    
> 2. For the 0006 patch,
>    Although in the link stage all role identifiers defined in any
>    block/decl of any module would be copied into the base->p_roles.table,
>    the role-attribute relationships would still !
 be recorded in the decl's
>    local symtab[SYM_ROLES] table(see get_local_role()), so before all the
>    escalation of sub role attribute's roles ebitmap into that of parent ever
>    happens, all decl in the base->global list except the global block would
>    have to be traversed so as to populate potential role-attribute attributes
>    from decl up to the base module.
>    
>    
> Remaining issues
> -----------------
> 1. If built by "MONOLITHIC = y", run into below errors that not witnessed
>    when building in modular way:
>     
>    /usr/bin/checkpolicy -M -U allow policy.conf -o policy.26
>    /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>    policy/modules/services/likewise.te":140:ERROR 'role attribute semanage_roles is not declared' at token ';' on line 1494287:
>    #line 140
>    	roleattribute system_r semanage_roles;
>   !
  checkpolicy:  error(s) encountered while parsing configuration
>
;    make: *** [policy.26] Error 1
>    
> 2. The policy.X's binary representation and SELinux kernel role_datum_t
>    structure don't have to be changed, so the max version number for policy.X
>    won't have to be bumped.
> 
>    But it may be desirable to bump the max module version number.
>    
>    (I am still working on these two areas, any comments are greatly welcomed)
>    
>    
> Tests I've done
> -----------------
> 1. test_t is able to transition into rpm_t, but could not direclty transition
>    into rpm_script_t, semanage_t, load_policy_t/setfiles_t:
>    
>    sh-3.2# sesearch -SCA -s test_t -t rpm_t -c process -p transition
>    Found 1 semantic av rules:
>       allow test_t rpm_t : process transition ; 
>    
>    sh-3.2# sesearch -SCA -s test_t -t rpm_script_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s tes!
 t_t -t semanage_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s test_t -t load_policy_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s test_t -t setfiles_t -c process -p transition
>    
> 2. rpm_t is able to transition into rpm_script_t, but could not directly
>    transition into semanage_t, load_policy_t/setfiles_t:
>    
>    sh-3.2# sesearch -SCA -s rpm_t -t rpm_script_t -c process -p transition
>    Found 1 semantic av rules:
>       allow rpm_t rpm_script_t : process transition ; 
>    
>    sh-3.2# sesearch -SCA -s rpm_t -t semanage_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s rpm_t -t load_policy_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s rpm_t -t setfiles_t -c process -p transition
>    
> 3. rpm_script_t is able to transition into semanage_t, but could not directly
>    transitio!
 n into load_policy_t/setfiles_t:
>    
>    sh-3.2# sesear
ch -SCA -s rpm_script_t -t semanage_t -c process -p transition
>    Found 1 semantic av rules:
>       allow rpm_script_t semanage_t : process transition ; 
>    
>    sh-3.2# sesearch -SCA -s rpm_script_t -t load_policy_t -c process -p transition
>    
>    sh-3.2# sesearch -SCA -s rpm_script_t -t setfiles_t -c process -p transition
>    
> 4. semanage_t is able to transition into load_policy_t & setfiles_t:
>    
>    sh-3.2# sesearch -SCA -s semanage_t -t load_policy_t -c process -p transition
>    Found 1 semantic av rules:
>       allow semanage_t load_policy_t : process transition ; 
>    
>    sh-3.2# sesearch -SCA -s semanage_t -t setfiles_t -c process -p transition
>    Found 1 semantic av rules:
>       allow semanage_t setfiles_t : process transition ; 
>    
> 5. test_r is able to type with rpm_t, rpm_script_t, semanage_t, setfiles_t
>    and load!
 _policy_t:
>    
>    sh-3.2# compute_create root:test_r:test_t:s0 system_u:object_r:rpm_exec_t:s0 process
>    root:test_r:rpm_t:s0
>    sh-3.2# 
>    
>    sh-3.2# compute_create root:test_r:rpm_script_t:s0 system_u:object_r:semanage_exec_t:s0 process
>    root:test_r:semanage_t:s0
>    sh-3.2# 
>    
>    sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:setfiles_exec_t:s0 process
>    root:test_r:setfiles_t:s0
>    sh-3.2# 
>    
>    sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:load_policy_exec_t:s0 process
>    root:test_r:load_policy_t:s0
>    sh-3.2# 
>    
> 6. Use the apol tool to analyze what types the test_r role could type with:
>    (Since the apol installed on Ubuntu so far only support max version .24,
>     we need to setup "policy-version = 24" in semanage.conf)
>    
>    test_r (28 type!
 s)
>        chfn_t
>        chkpwd_t
>        consol
etype_t
>        ddclient_t
>        dhcpc_t
>        hostname_t
>        ifconfig_t
>        insmod_t
>        iptables_t
>        load_policy_t
>        loadkeys_t
>        netutils_t
>        newrole_t
>        pam_t
>        passwd_t
>        ping_t
>        pppd_t
>        pptp_t
>        rpm_script_t
>        rpm_t
>        semanage_t
>        setfiles_t
>        test_t
>        traceroute_t
>        updpwd_t
>        user_home_t
>        usernetctl_t
>        utempter_t
>    
>    rpm_roles (2 types)
>        rpm_script_t
>        rpm_t
>    
>    semanage_roles (3 types)
>        load_policy_t
>        semanage_t
>        setfiles_t
>    
> 7. Verify policy.X's binary representation that test_r's role_datum_t.types.types ebitmap records all these domains:!
 
>    
>    0047a40: 7406 0000 0024 0a00 0001 0000 0000 0000  t....$..........
>    0047a50: 0074 6573 745f 7407 0000 0025 0a00 0001  .test_t....%....
>    
>    test_t: policy value = 0xa24
>    
>    0036560: 0000 004a 0300 0001 0000 0000 0000 0072  ...J...........r
>    0036570: 706d 5f74 0700 0000 4b03 0000 0100 0000  pm_t....K.......
>    
>    rpm_t: policy value = 0x34a
>    
>    0041050: 0000 6d6f 6e6f 7064 5f65 7463 5f74 0c00  ..monopd_etc_t..
>    0041060: 0000 8907 0000 0100 0000 0000 0000 7270  ..............rp
>    0041070: 6d5f 7363 7269 7074 5f74 0f00 0000 8a07  m_script_t......
>    
>    rpm_script_t: policy value = 0x789
>    
>    004d800: 7365 6375 7269 7479 5f74 0a00 0000 490c  security_t....I.
>    004d810: 0000 0100 0000 0000 0000 7365 6d61 6e61  ..........semana
>    004d820: 6765 5f74 0900 0000 4a0c 0000 0300 0000  ge_t....J......!
 .
>    
>    semanage_t: policy value = 0xc49
>    <
br>>    00492c0: 7075 745f 7865 7665 6e74 5f74 0d00 0000  put_xevent_t....
>    00492d0: ae0a 0000 0100 0000 0000 0000 6c6f 6164  ............load
>    00492e0: 5f70 6f6c 6963 795f 740c 0000 00af 0a00  _policy_t.......
>    
>    load_policy_t: policy value = 0xaae
>    
>    004d660: 740a 0000 003f 0c00 0001 0000 0000 0000  t....?..........
>    004d670: 0073 6574 6669 6c65 735f 7414 0000 0010  .setfiles_t.....
>    
>    setfiles_t: policy value = 0xc3f
>    
>    
>    002d050: 0600 0000 0000 0000 7465 7374 5f72 4000  ........test_r@.
>    002d060: 0000 4000 0000 0100 0000 0000 0000 2000  ..@........... .
>    002d070: 0000 0000 0000 4000 0000 800c 0000 1400  ......@.........
>    002d080: 0000 8000 0000 0000 0000 0400 0000 4001  ..............@.
>    002d090: 0000 0000 0000 0001 0000 0002 0000 0000  ................
>    002d0a0: 0000 0000 0001 4002 0000 0000 0000 001!
 0  ......@.........
>    002d0b0: 0000 8002 0000 0000 0040 0000 0000 0003  .........@......
>    002d0c0: 0000 0000 0004 0000 0030, 4003 0000 0002  .........0@.....
>    002d0d0: 0000 0000 0000, c003 0000 0000 0000 0000  ................
>    002d0e0: 0080 0004 0000 0000 0000 0000 0008 8005  ................
>    002d0f0: 0000 0000 0008 0000 0000 4006 0000 1000  ..........@.....
>    002d100: 0000 0000 0000 8006 0000 0200 0000 0000  ................
>    002d110: 0000, 8007 0000 0001 0000 0000 0000 8009  ................
>    002d120: 0000 0000 0210 0000 0410 c009 0000 0000  ................
>    002d130: 0100 0000 0000, 000a 0000 3000 0000 0800  ..........0.....
>    002d140: 0000, 800a 0000 0000 0000 0020 0000, 000b  ........... ....
>    002d150: 0000 0008 0000 0000 0000, 000c 0000 0000  ................
>    002d160: 0000 0000 0040, 400c 0000 0001 0000 0020  .....@@........ 
>    002d170: 0000!
 
>    
>       test_r: policy value = 0x06
>       	
dominates:
>      		mz = 0x40, highbit = 0x40, node = 1
>    		startbit = 0, map: 2000 0000 0000 0000
>    			policy value: 0x06(test_r)
>       	types.types:
>       		mz = 0x40, highbit = 0xc80, node = 0x14
>    		......
>       		startbit = 0x340, map: 0002 0000 0000 0000
>    			policy value: 0x34a(rpm_t)
>    		......
>       		startbit = 0x780, map: 0001 0000 0000 0000
>    			policy value: 0x789(rpm_script_t)
>    		......
>       		startbit = 0xa00, map: 3000 0000 0800 0000
>    			policy value: 0xa01, 0xa02, 0xa24(test_t)
>       		startbit = 0xa80, map: 0000 0000 0020 0000 
>    			policy value: 0xaae(load_policy_t)
>       		startbit = 0xc00, map: 0000 0000 0000 0040 
>    			policy value: 0xc3f(setfiles_t)
>       		startbit = 0xc40, map: 0001 0000 0020 0000
>    			policy value: 0xc49(semanage_t), 0xc6e
> 
> --
> This message !
 was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
 		 	   		  
From 0c78ae4dc12bf6b23aef8ca9f3ceb41655f55d05 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Wed, 25 May 2011 17:34:47 +0800
Subject: [PATCH 1/2] Role attribute debug.

Use role attribute in several different modules to test if a role
attribute used in user-roles, role-types, role-allows and role-transition
rules could be properly compiled/linked/expanded.

Also in order to support that role-types rule no longer is used to
declare a regular role, we have to use the role-attr rule to declare
the related role explicitly (so far only nx_server_r and unconfined_r).

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/apps/vlock.te         |   13 +++++++++++++
 policy/modules/roles/sysadm.te       |   15 +++++++++++++++
 policy/modules/services/nx.te        |    1 +
 policy/modules/system/selinuxutil.te |   17 +++++++++++++++++
 policy/modules/system/unconfined.te  |    1 +
 5 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
index 03fc701..22ae444 100644
--- a/policy/modules/apps/vlock.te
+++ b/policy/modules/apps/vlock.te
@@ -51,3 +51,16 @@ miscfiles_read_localization(vlock_t)
 
 userdom_dontaudit_search_user_home_dirs(vlock_t)
 userdom_use_user_terminals(vlock_t)
+
+optional_policy(`
+	gen_require(`
+		role system_r;
+		attribute_role role_attribute_1;
+	')
+
+	# assume the system_r role once transitioned to vlock_t domain
+	role_transition role_attribute_1 vlock_exec_t system_r;
+	role role_attribute_1 types vlock_t;
+	role system_r types vlock_t;
+	user root roles system_r level s0 range s0 - s15:c0.c1023;
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8cfab06..0c7ba8e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -20,6 +20,21 @@ ifndef(`enable_mls',`
 	userdom_security_admin_template(sysadm_t, sysadm_r)
 ')
 
+# Test for role attribute
+attribute_role role_attribute_1;
+role sysadm_r_2, role_attribute_1;
+role sysadm_r_3;
+roleattribute sysadm_r_3 role_attribute_1;
+
+optional_policy(`
+	gen_require(`
+		user root;
+		type vlock_t;
+	')
+	
+	user root roles role_attribute_1 level s0 range s0 - s15:c0.c1023;
+')
+
 ########################################
 #
 # Local policy
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ebb9582..a3559f2 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
 domain_user_exemption_target(nx_server_t)
 # we need an extra role because nxserver is called from sshd
 # cjp: do we really need this?
+role nx_server_r;
 role nx_server_r types nx_server_t;
 allow system_r nx_server_r;
 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 284c7f8..a7a8186 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -603,3 +603,20 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')
+
+optional_policy(`
+	gen_require(`
+		role sysadm_r;
+		type sysadm_t, chkpwd_t;
+		attribute_role role_attribute_1;
+	')
+
+	# allow the transition from sysadm_r to all regular roles that
+	# belong to the role_attribute_1 and vice versa by the newrole cmd
+	allow sysadm_r role_attribute_1;
+	allow role_attribute_1 sysadm_r;
+
+	role role_attribute_1 types newrole_t;
+	role role_attribute_1 types chkpwd_t;
+	role role_attribute_1 types sysadm_t;
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..9c5f931 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -19,6 +19,7 @@ init_system_domain(unconfined_t, unconfined_exec_t)
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r;
 role unconfined_r types unconfined_execmem_t;
 
 ########################################
-- 
1.7.0.4

From 1343f31fe00a47d21b1a4b91fa90dbce6eaf7fc6 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Sun, 29 May 2011 12:47:42 +0800
Subject: [PATCH 2/2] Test adding one role attribute into another.

Create an unprivileged user "test" and calls rpm_run() for it. We would
verify if test_t could only transition into rpm_t, which in turn would
transition into semanage_t, which in turn would transition into other
selinuxutil domains such as setfiles_t. However, test_t could not directly
transition into these domains, but test_r is able to type with them.

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/admin/rpm.if          |    7 ++-----
 policy/modules/admin/rpm.te          |   15 ++++++++++++---
 policy/modules/kernel/kernel.te      |    1 +
 policy/modules/roles/unprivuser.te   |    6 ++++++
 policy/modules/system/selinuxutil.if |    6 ++----
 policy/modules/system/selinuxutil.te |   15 +++++++++++++++
 policy/users                         |    4 ++--
 7 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index d33daa8..6a2f8cf 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -78,14 +78,11 @@ interface(`rpm_domtrans_script',`
 #
 interface(`rpm_run',`
 	gen_require(`
-		type rpm_t, rpm_script_t;
+		attribute_role rpm_roles;	
 	')
 
 	rpm_domtrans($1)
-	role $2 types { rpm_t rpm_script_t };
-	seutil_run_loadpolicy(rpm_script_t, $2)
-	seutil_run_semanage(rpm_script_t, $2)
-	seutil_run_setfiles(rpm_script_t, $2)
+	roleattribute $2 rpm_roles;
 ')
 
 ########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 47a8f7d..833f2d6 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -192,6 +192,11 @@ seutil_manage_bin_policy(rpm_t)
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
 
+# Test: add one role attribute into another
+attribute_role rpm_roles;
+role rpm_roles types { rpm_t rpm_script_t };
+seutil_run_semanage(rpm_script_t, rpm_roles)
+
 optional_policy(`
 	cron_system_entry(rpm_t, rpm_exec_t)
 ')
@@ -335,9 +340,13 @@ miscfiles_read_localization(rpm_script_t)
 modutils_domtrans_depmod(rpm_script_t)
 modutils_domtrans_insmod(rpm_script_t)
 
-seutil_domtrans_loadpolicy(rpm_script_t)
-seutil_domtrans_setfiles(rpm_script_t)
-seutil_domtrans_semanage(rpm_script_t)
+# Test for adding one role attribute into another
+# rpm_script_t only could transition into semanage_t, which in turn
+# could transition into other selinux utils domains 
+#
+#seutil_domtrans_loadpolicy(rpm_script_t)
+#seutil_domtrans_setfiles(rpm_script_t)
+#seutil_domtrans_semanage(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
 
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d91c62f..5d6a9ab 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,7 @@ role system_r;
 role sysadm_r;
 role staff_r;
 role user_r;
+role test_r;
 
 # here until order dependence is fixed:
 role unconfined_r;
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index d769fb0..465b2ee 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,6 +12,12 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
+role test_r;
+userdom_unpriv_user_template(test)
+optional_policy(`
+	rpm_run(test_t, test_r)
+')
+
 optional_policy(`
 	apache_role(user_r, user_t)
 ')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..3bd6cb4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1027,13 +1027,11 @@ interface(`seutil_domtrans_semanage',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
-		type semanage_t;
+		attribute_role semanage_roles;	
 	')
 
 	seutil_domtrans_semanage($1)
-	seutil_run_setfiles(semanage_t, $2)
-	seutil_run_loadpolicy(semanage_t, $2)
-	role $2 types semanage_t;
+	roleattribute $2 semanage_roles;
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index a7a8186..d60d2fc 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -482,6 +482,21 @@ seutil_manage_default_contexts(semanage_t)
 userdom_read_user_home_content_files(semanage_t)
 userdom_read_user_tmp_files(semanage_t)
 
+# Test: semanage_roles attribute able to type all related domains
+attribute_role semanage_roles;
+role semanage_roles types { semanage_t setfiles_t load_policy_t };
+
+# Administrator only needs to invoke seutil_run_semanage(), while
+# semanage_t is able to transition into other domains
+seutil_run_setfiles(semanage_t, semanage_roles)
+seutil_run_loadpolicy(semanage_t, semanage_roles)
+
+# Uncomment below snippet to do "role attribute loop dependency" test
+#gen_require(`
+#	attribute_role rpm_roles;
+#')
+#roleattribute semanage_roles rpm_roles;
+
 ifdef(`distro_debian',`
 	files_read_var_lib_files(semanage_t)
 	files_read_var_lib_symlinks(semanage_t)
diff --git a/policy/users b/policy/users
index c4ebc7e..5e071c7 100644
--- a/policy/users
+++ b/policy/users
@@ -39,7 +39,7 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
 # not in the sysadm_r.
 #
 ifdef(`direct_sysadm_daemon',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+	gen_user(root, sysadm, sysadm_r staff_r test_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+	gen_user(root, sysadm, sysadm_r staff_r test_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 ')
-- 
1.7.0.4





