Hi Chris,
On 06/28/2011 04:28 PM, HarryCiao wrote:
> Attach the refpolicy debug patches that would generate the test results
> mentioned below.
>
> Thanks,
> Harry
>
> > From: qingtao.cao@xxxxxxxxxxxxx
> > To: cpebenito@xxxxxxxxxx; slawrence@xxxxxxxxxx; method@xxxxxxxxxxxxxxx
> > CC: selinux@xxxxxxxxxxxxx
> > Subject: v3 Add role attribute support to libsepol
> > Date: Tue, 28 Jun 2011 16:18:40 +0800
> >
> >
> > Differences from v2 patchset
> > -----------------------------
> > 1. For the 0001 patch,
> > Modify symtab_insert() to allow multiple declarations only for the
> regular
> > roles, while a role attribute can't be declared more than once and can't
> > share a same name with another regular role.
> >
> > 2. For the 0006 patch,
> > Although in the link stage all role identifiers defined in any
> > block/decl of any module would be copied into the base->p_roles.table,
> > the role-attribute relationships would still ! be recorded in the decl's
> > local symtab[SYM_ROLES] table(see get_local_role()), so before all the
> > escalation of sub role attribute's roles ebitmap into that of parent ever
> > happens, all decl in the base->global list except the global block would
> > have to be traversed so as to populate potential role-attribute
> attributes
> > from decl up to the base module.
> >
> >
> > Remaining issues
> > -----------------
> > 1. If built by "MONOLITHIC = y", run into below errors that not witnessed
> > when building in modular way:
> >
> > /usr/bin/checkpolicy -M -U allow policy.conf -o policy.26
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > policy/modules/services/likewise.te":140:ERROR 'role attribute
> semanage_roles is not declared' at token ';' on line 1494287:
> > #line 140
> > roleattribute system_r semanage_roles;
> > ! checkpolicy: error(s) encountered while parsing configuration
> > ; make: *** [policy.26] Error 1
> >
Turns out this is a very interesting thing that is only related with the
refpolicy debug patch, has nothing to do with this v3 patchset.
The reason is that seutil_run_semanage() is called in the global block
of the likewise.te, and when building in a monolithic way, the
gen_require macro used in the global block would simply be expanded as
EMPTY, resulting in the semanage_roles attribute is referenced BEFORE
it's ever declared.
This problem could be fixed by moving the declaration of semanage_roles
attribute from selinuxutil.te to kernel.te, but use gen_require macro to
require it in selinuxutil.te. This would have both hands meet :-)
Same thing should happen to rpm_roles attribute.
I have attached the updated 0002 debug patch for above improvement.
Thanks,
Harry
> > 2. The policy.X's binary representation and SELinux kernel role_datum_t
> > structure don't have to be changed, so the max version number for
> policy.X
> > won't have to be bumped.
> >
> > But it may be desirable to bump the max module version number.
> >
> > (I am still working on these two areas, any comments are greatly
> welcomed)
> >
> >
> > Tests I've done
> > -----------------
> > 1. test_t is able to transition into rpm_t, but could not direclty
> transition
> > into rpm_script_t, semanage_t, load_policy_t/setfiles_t:
> >
> > sh-3.2# sesearch -SCA -s test_t -t rpm_t -c process -p transition
> > Found 1 semantic av rules:
> > allow test_t rpm_t : process transition ;
> >
> > sh-3.2# sesearch -SCA -s test_t -t rpm_script_t -c process -p transition
> >
> > sh-3.2# sesearch -SCA -s tes! t_t -t semanage_t -c process -p transition
> >
> > sh-3.2# sesearch -SCA -s test_t -t load_policy_t -c process -p transition
> >
> > sh-3.2# sesearch -SCA -s test_t -t setfiles_t -c process -p transition
> >
> > 2. rpm_t is able to transition into rpm_script_t, but could not directly
> > transition into semanage_t, load_policy_t/setfiles_t:
> >
> > sh-3.2# sesearch -SCA -s rpm_t -t rpm_script_t -c process -p transition
> > Found 1 semantic av rules:
> > allow rpm_t rpm_script_t : process transition ;
> >
> > sh-3.2# sesearch -SCA -s rpm_t -t semanage_t -c process -p transition
> >
> > sh-3.2# sesearch -SCA -s rpm_t -t load_policy_t -c process -p transition
> >
> > sh-3.2# sesearch -SCA -s rpm_t -t setfiles_t -c process -p transition
> >
> > 3. rpm_script_t is able to transition into semanage_t, but could not
> directly
> > transitio! n into load_policy_t/setfiles_t:
> >
> > sh-3.2# sesear ch -SCA -s rpm_script_t -t semanage_t -c process -p
> transition
> > Found 1 semantic av rules:
> > allow rpm_script_t semanage_t : process transition ;
> >
> > sh-3.2# sesearch -SCA -s rpm_script_t -t load_policy_t -c process -p
> transition
> >
> > sh-3.2# sesearch -SCA -s rpm_script_t -t setfiles_t -c process -p
> transition
> >
> > 4. semanage_t is able to transition into load_policy_t & setfiles_t:
> >
> > sh-3.2# sesearch -SCA -s semanage_t -t load_policy_t -c process -p
> transition
> > Found 1 semantic av rules:
> > allow semanage_t load_policy_t : process transition ;
> >
> > sh-3.2# sesearch -SCA -s semanage_t -t setfiles_t -c process -p
> transition
> > Found 1 semantic av rules:
> > allow semanage_t setfiles_t : process transition ;
> >
> > 5. test_r is able to type with rpm_t, rpm_script_t, semanage_t,
> setfiles_t
> > and load! _policy_t:
> >
> > sh-3.2# compute_create root:test_r:test_t:s0
> system_u:object_r:rpm_exec_t:s0 process
> > root:test_r:rpm_t:s0
> > sh-3.2#
> >
> > sh-3.2# compute_create root:test_r:rpm_script_t:s0
> system_u:object_r:semanage_exec_t:s0 process
> > root:test_r:semanage_t:s0
> > sh-3.2#
> >
> > sh-3.2# compute_create root:test_r:semanage_t:s0
> system_u:object_r:setfiles_exec_t:s0 process
> > root:test_r:setfiles_t:s0
> > sh-3.2#
> >
> > sh-3.2# compute_create root:test_r:semanage_t:s0
> system_u:object_r:load_policy_exec_t:s0 process
> > root:test_r:load_policy_t:s0
> > sh-3.2#
> >
> > 6. Use the apol tool to analyze what types the test_r role could type
> with:
> > (Since the apol installed on Ubuntu so far only support max version .24,
> > we need to setup "policy-version = 24" in semanage.conf)
> >
> > test_r (28 type! s)
> > chfn_t
> > chkpwd_t
> > consol etype_t
> > ddclient_t
> > dhcpc_t
> > hostname_t
> > ifconfig_t
> > insmod_t
> > iptables_t
> > load_policy_t
> > loadkeys_t
> > netutils_t
> > newrole_t
> > pam_t
> > passwd_t
> > ping_t
> > pppd_t
> > pptp_t
> > rpm_script_t
> > rpm_t
> > semanage_t
> > setfiles_t
> > test_t
> > traceroute_t
> > updpwd_t
> > user_home_t
> > usernetctl_t
> > utempter_t
> >
> > rpm_roles (2 types)
> > rpm_script_t
> > rpm_t
> >
> > semanage_roles (3 types)
> > load_policy_t
> > semanage_t
> > setfiles_t
> >
> > 7. Verify policy.X's binary representation that test_r's
> role_datum_t.types.types ebitmap records all these domains:!
> >
> > 0047a40: 7406 0000 0024 0a00 0001 0000 0000 0000 t....$..........
> > 0047a50: 0074 6573 745f 7407 0000 0025 0a00 0001 .test_t....%....
> >
> > test_t: policy value = 0xa24
> >
> > 0036560: 0000 004a 0300 0001 0000 0000 0000 0072 ...J...........r
> > 0036570: 706d 5f74 0700 0000 4b03 0000 0100 0000 pm_t....K.......
> >
> > rpm_t: policy value = 0x34a
> >
> > 0041050: 0000 6d6f 6e6f 7064 5f65 7463 5f74 0c00 ..monopd_etc_t..
> > 0041060: 0000 8907 0000 0100 0000 0000 0000 7270 ..............rp
> > 0041070: 6d5f 7363 7269 7074 5f74 0f00 0000 8a07 m_script_t......
> >
> > rpm_script_t: policy value = 0x789
> >
> > 004d800: 7365 6375 7269 7479 5f74 0a00 0000 490c security_t....I.
> > 004d810: 0000 0100 0000 0000 0000 7365 6d61 6e61 ..........semana
> > 004d820: 6765 5f74 0900 0000 4a0c 0000 0300 0000 ge_t....J......! .
> >
> > semanage_t: policy value = 0xc49
> > < br>> 00492c0: 7075 745f 7865 7665 6e74 5f74 0d00 0000 put_xevent_t....
> > 00492d0: ae0a 0000 0100 0000 0000 0000 6c6f 6164 ............load
> > 00492e0: 5f70 6f6c 6963 795f 740c 0000 00af 0a00 _policy_t.......
> >
> > load_policy_t: policy value = 0xaae
> >
> > 004d660: 740a 0000 003f 0c00 0001 0000 0000 0000 t....?..........
> > 004d670: 0073 6574 6669 6c65 735f 7414 0000 0010 .setfiles_t.....
> >
> > setfiles_t: policy value = 0xc3f
> >
> >
> > 002d050: 0600 0000 0000 0000 7465 7374 5f72 4000 ........test_r@.
> > 002d060: 0000 4000 0000 0100 0000 0000 0000 2000 ..@........... .
> > 002d070: 0000 0000 0000 4000 0000 800c 0000 1400 ......@.........
> > 002d080: 0000 8000 0000 0000 0000 0400 0000 4001 ..............@.
> > 002d090: 0000 0000 0000 0001 0000 0002 0000 0000 ................
> > 002d0a0: 0000 0000 0001 4002 0000 0000 0000 001! 0 ......@.........
> > 002d0b0: 0000 8002 0000 0000 0040 0000 0000 0003 .........@......
> > 002d0c0: 0000 0000 0004 0000 0030, 4003 0000 0002 .........0@.....
> > 002d0d0: 0000 0000 0000, c003 0000 0000 0000 0000 ................
> > 002d0e0: 0080 0004 0000 0000 0000 0000 0008 8005 ................
> > 002d0f0: 0000 0000 0008 0000 0000 4006 0000 1000 ..........@.....
> > 002d100: 0000 0000 0000 8006 0000 0200 0000 0000 ................
> > 002d110: 0000, 8007 0000 0001 0000 0000 0000 8009 ................
> > 002d120: 0000 0000 0210 0000 0410 c009 0000 0000 ................
> > 002d130: 0100 0000 0000, 000a 0000 3000 0000 0800 ..........0.....
> > 002d140: 0000, 800a 0000 0000 0000 0020 0000, 000b ........... ....
> > 002d150: 0000 0008 0000 0000 0000, 000c 0000 0000 ................
> > 002d160: 0000 0000 0040, 400c 0000 0001 0000 0020 .....@@........
> > 002d170: 0000!
> >
> > test_r: policy value = 0x06
> > dominates:
> > mz = 0x40, highbit = 0x40, node = 1
> > startbit = 0, map: 2000 0000 0000 0000
> > policy value: 0x06(test_r)
> > types.types:
> > mz = 0x40, highbit = 0xc80, node = 0x14
> > ......
> > startbit = 0x340, map: 0002 0000 0000 0000
> > policy value: 0x34a(rpm_t)
> > ......
> > startbit = 0x780, map: 0001 0000 0000 0000
> > policy value: 0x789(rpm_script_t)
> > ......
> > startbit = 0xa00, map: 3000 0000 0800 0000
> > policy value: 0xa01, 0xa02, 0xa24(test_t)
> > startbit = 0xa80, map: 0000 0000 0020 0000
> > policy value: 0xaae(load_policy_t)
> > startbit = 0xc00, map: 0000 0000 0000 0040
> > policy value: 0xc3f(setfiles_t)
> > startbit = 0xc40, map: 0001 0000 0020 0000
> > policy value: 0xc49(semanage_t), 0xc6e
> >
> > --
> > This message ! was distributed to subscribers of the selinux mailing
> list.
> > If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.
>From 2e85a8b36227a515a1a02cadf4b2fc7266d054cc Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Sun, 29 May 2011 12:47:42 +0800
Subject: [PATCH 2/2] Test adding one role attribute into another.
Create an unprivileged user "test" and calls rpm_run() for it. We would
verify if test_t could only transition into rpm_t, which in turn would
transition into semanage_t, which in turn would transition into other
selinuxutil domains such as setfiles_t. However, test_t could not directly
transition into these domains, but test_r is able to type with them.
This debug patch could be compiled well if building in a modular way,
however, it used to run into "role attribute semanage_roles undeclared" issue
when building in a monolithic way. The reason is that the semanage_roles
attribute would be referenced BEFORE it's ever declared, so we could declare
it not in selinuxutil.te but move up to kernel.te, and gen_require it in
selinuxutil.te. The gen_require macro used in the global block would expand
to empty when building as monolithic, but expand to require when building
as modular.
Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/admin/rpm.if | 7 ++-----
policy/modules/admin/rpm.te | 17 ++++++++++++++---
policy/modules/kernel/kernel.te | 3 +++
policy/modules/roles/unprivuser.te | 6 ++++++
policy/modules/system/selinuxutil.if | 6 ++----
policy/modules/system/selinuxutil.te | 17 +++++++++++++++++
policy/users | 4 ++--
7 files changed, 46 insertions(+), 14 deletions(-)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index d33daa8..6a2f8cf 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -78,14 +78,11 @@ interface(`rpm_domtrans_script',`
#
interface(`rpm_run',`
gen_require(`
- type rpm_t, rpm_script_t;
+ attribute_role rpm_roles;
')
rpm_domtrans($1)
- role $2 types { rpm_t rpm_script_t };
- seutil_run_loadpolicy(rpm_script_t, $2)
- seutil_run_semanage(rpm_script_t, $2)
- seutil_run_setfiles(rpm_script_t, $2)
+ roleattribute $2 rpm_roles;
')
########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 47a8f7d..eae3569 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -192,6 +192,13 @@ seutil_manage_bin_policy(rpm_t)
userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
+# Test: add one role attribute into another
+gen_require(`
+ attribute_role rpm_roles;
+')
+role rpm_roles types { rpm_t rpm_script_t };
+seutil_run_semanage(rpm_script_t, rpm_roles)
+
optional_policy(`
cron_system_entry(rpm_t, rpm_exec_t)
')
@@ -335,9 +342,13 @@ miscfiles_read_localization(rpm_script_t)
modutils_domtrans_depmod(rpm_script_t)
modutils_domtrans_insmod(rpm_script_t)
-seutil_domtrans_loadpolicy(rpm_script_t)
-seutil_domtrans_setfiles(rpm_script_t)
-seutil_domtrans_semanage(rpm_script_t)
+# Test for adding one role attribute into another
+# rpm_script_t only could transition into semanage_t, which in turn
+# could transition into other selinux utils domains
+#
+#seutil_domtrans_loadpolicy(rpm_script_t)
+#seutil_domtrans_setfiles(rpm_script_t)
+#seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d91c62f..0e72e7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ role system_r;
role sysadm_r;
role staff_r;
role user_r;
+role test_r;
+attribute_role semanage_roles;
+attribute_role rpm_roles;
# here until order dependence is fixed:
role unconfined_r;
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index d769fb0..465b2ee 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,6 +12,12 @@ role user_r;
userdom_unpriv_user_template(user)
+role test_r;
+userdom_unpriv_user_template(test)
+optional_policy(`
+ rpm_run(test_t, test_r)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..3bd6cb4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1027,13 +1027,11 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
- type semanage_t;
+ attribute_role semanage_roles;
')
seutil_domtrans_semanage($1)
- seutil_run_setfiles(semanage_t, $2)
- seutil_run_loadpolicy(semanage_t, $2)
- role $2 types semanage_t;
+ roleattribute $2 semanage_roles;
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index a7a8186..6285b15 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -482,6 +482,23 @@ seutil_manage_default_contexts(semanage_t)
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
+# Test: semanage_roles attribute able to type all related domains
+gen_require(`
+ attribute_role semanage_roles;
+')
+role semanage_roles types { semanage_t setfiles_t load_policy_t };
+
+# Administrator only needs to invoke seutil_run_semanage(), while
+# semanage_t is able to transition into other domains
+seutil_run_setfiles(semanage_t, semanage_roles)
+seutil_run_loadpolicy(semanage_t, semanage_roles)
+
+# Uncomment below snippet to do "role attribute loop dependency" test
+#gen_require(`
+# attribute_role rpm_roles;
+#')
+#roleattribute semanage_roles rpm_roles;
+
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
diff --git a/policy/users b/policy/users
index c4ebc7e..5e071c7 100644
--- a/policy/users
+++ b/policy/users
@@ -39,7 +39,7 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
# not in the sysadm_r.
#
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ gen_user(root, sysadm, sysadm_r staff_r test_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ gen_user(root, sysadm, sysadm_r staff_r test_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
--
1.7.0.4
