> Date: Wed, 29 Jun 2011 15:14:04 +0800
> From: qingtao.cao@xxxxxxxxxxxxx
> To: harrytaurus2002@xxxxxxxxxxx
> CC: cpebenito@xxxxxxxxxx; slawrence@xxxxxxxxxx; method@xxxxxxxxxxxxxxx; selinux@xxxxxxxxxxxxx
> Subject: Re: v3 Add role attribute support to libsepol
>
> Hi Chris,
>
> On 06/28/2011 04:28 PM, HarryCiao wrote:
> > Attach the refpolicy debug patches that would generate the test results
> > mentioned below.
> >
> > Thanks,
> > Harry
> >
> > > From: qingtao.cao@xxxxxxxxxxxxx
> > > To: cpebenito@xxxxxxxxxx; slawrence@xxxxxxxxxx; method@xxxxxxxxxxxxxxx
> > > CC: selinux@xxxxxxxxxxxxx
> > > Subject: v3 Add role attribute support to libsepol
> > > Date: Tue, 28 Jun 2011 16:18:40 +0800
> > >
> > > Differences from v2 patchset
> > > ----------------------------
> > > 1. For the 0001 patch,
> > > Modify symtab_insert() to allow multiple declarations only for the regular
> > > roles, while a role attribute can't be declared more than once and can't
> > > share the same name with another regular role.
> > >
> > > 2. For the 0006 patch,
> > > Although in the link stage all role identifiers defined in any
> > > block/decl of any module would be copied into the base->p_roles.table,
> > > the role-attribute relationships would still be recorded in the decl's
> > > local symtab[SYM_ROLES] table (see get_local_role()), so before all the
> > > escalation of sub role attribute's roles ebitmap into that of parent ever
> > > happens, all decl in the base->global list except the global block would
> > > have to be traversed so as to populate potential role-attribute
> > > attributes from decl up to the base module.
> > >
> > > Remaining issues
> > > -----------------
> > > 1. If built by "MONOLITHIC = y", run into the below errors that are not
> > > witnessed when building in the modular way:
> > >
> > > /usr/bin/checkpolicy -M -U allow policy.conf -o policy.26
> > > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > > policy/modules/services/likewise.te":140:ERROR 'role attribute semanage_roles is not declared' at token ';' on line 1494287:
> > > #line 140
> > > roleattribute system_r semanage_roles;
> > > checkpolicy: error(s) encountered while parsing configuration
> > > make: *** [policy.26] Error 1
>
> Turns out this is a very interesting thing that is only related to the
> refpolicy debug patch and has nothing to do with this v3 patchset.
>
> The reason is that seutil_run_semanage() is called in the global block
> of the likewise.te, and when building in a monolithic way, the
> gen_require macro used in the global block would simply be expanded as
> EMPTY, resulting in the semanage_roles attribute being referenced BEFORE
> it's ever declared.
>
> This problem could be fixed by moving the declaration of the semanage_roles
> attribute from selinuxutil.te to kernel.te, but using the gen_require macro to
> require it in selinuxutil.te. This would have both hands meet :-)
>
> The same thing should happen to the rpm_roles attribute.
>
> I have attached the updated 0002 debug patch for the above improvement.
>
> Thanks,
> Harry
>
> > > 2. The policy.X's binary representation and SELinux kernel role_datum_t
> > > structure don't have to be changed, so the max version number for policy.X
> > > won't have to be bumped.
> > >
> > > But it may be desirable to bump the max module version number.

Write flavor flag and roles ebitmap into a pp file and read them out
unconditionally; this would only run into a problem under one condition: that
libsepol/checkpolicy are upgraded with this patchset but the pp files were
built before the upgrade took place, which I think could be easily fixed by
re-building all pp files with the upgraded libsepol/checkpolicy. So I think we
don't have to bump MOD_POLICYDB_VERSION_MAX higher. Am I right?

BTW, how do we trigger a pp downgrade? Anything like OUTPUT_POLICY or
policy-version to trigger policy downgrade?

Thanks,
Harry

> > > (I am still working on these two areas, any comments are greatly
> > > welcomed)
> > >
> > > Tests I've done
> > > -----------------
> > > 1. test_t is able to transition into rpm_t, but could not directly
> > > transition into rpm_script_t, semanage_t, load_policy_t/setfiles_t:
> > >
> > > sh-3.2# sesearch -SCA -s test_t -t rpm_t -c process -p transition
> > > Found 1 semantic av rules:
> > >    allow test_t rpm_t : process transition ;
> > >
> > > sh-3.2# sesearch -SCA -s test_t -t rpm_script_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s test_t -t semanage_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s test_t -t load_policy_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s test_t -t setfiles_t -c process -p transition
> > >
> > > 2. rpm_t is able to transition into rpm_script_t, but could not directly
> > > transition into semanage_t, load_policy_t/setfiles_t:
> > >
> > > sh-3.2# sesearch -SCA -s rpm_t -t rpm_script_t -c process -p transition
> > > Found 1 semantic av rules:
> > >    allow rpm_t rpm_script_t : process transition ;
> > >
> > > sh-3.2# sesearch -SCA -s rpm_t -t semanage_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s rpm_t -t load_policy_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s rpm_t -t setfiles_t -c process -p transition
> > >
> > > 3. rpm_script_t is able to transition into semanage_t, but could not
> > > directly transition into load_policy_t/setfiles_t:
> > >
> > > sh-3.2# sesearch -SCA -s rpm_script_t -t semanage_t -c process -p transition
> > > Found 1 semantic av rules:
> > >    allow rpm_script_t semanage_t : process transition ;
> > >
> > > sh-3.2# sesearch -SCA -s rpm_script_t -t load_policy_t -c process -p transition
> > >
> > > sh-3.2# sesearch -SCA -s rpm_script_t -t setfiles_t -c process -p transition
> > >
> > > 4. semanage_t is able to transition into load_policy_t & setfiles_t:
> > >
> > > sh-3.2# sesearch -SCA -s semanage_t -t load_policy_t -c process -p transition
> > > Found 1 semantic av rules:
> > >    allow semanage_t load_policy_t : process transition ;
> > >
> > > sh-3.2# sesearch -SCA -s semanage_t -t setfiles_t -c process -p transition
> > > Found 1 semantic av rules:
> > >    allow semanage_t setfiles_t : process transition ;
> > >
> > > 5. test_r is able to type with rpm_t, rpm_script_t, semanage_t, setfiles_t
> > > and load_policy_t:
> > >
> > > sh-3.2# compute_create root:test_r:test_t:s0 system_u:object_r:rpm_exec_t:s0 process
> > > root:test_r:rpm_t:s0
> > > sh-3.2#
> > >
> > > sh-3.2# compute_create root:test_r:rpm_script_t:s0 system_u:object_r:semanage_exec_t:s0 process
> > > root:test_r:semanage_t:s0
> > > sh-3.2#
> > >
> > > sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:setfiles_exec_t:s0 process
> > > root:test_r:setfiles_t:s0
> > > sh-3.2#
> > >
> > > sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:load_policy_exec_t:s0 process
> > > root:test_r:load_policy_t:s0
> > > sh-3.2#
> > >
> > > 6. Use the apol tool to analyze what types the test_r role could type with:
> > > (Since the apol installed on Ubuntu so far only supports max version .24,
> > > we need to set up "policy-version = 24" in semanage.conf)
> > >
> > > test_r (28 types)
> > >    chfn_t
> > >    chkpwd_t
> > >    consoletype_t
> > >    ddclient_t
> > >    dhcpc_t
> > >    hostname_t
> > >    ifconfig_t
> > >    insmod_t
> > >    iptables_t
> > >    load_policy_t
> > >    loadkeys_t
> > >    netutils_t
> > >    newrole_t
> > >    pam_t
> > >    passwd_t
> > >    ping_t
> > >    pppd_t
> > >    pptp_t
> > >    rpm_script_t
> > >    rpm_t
> > >    semanage_t
> > >    setfiles_t
> > >    test_t
> > >    traceroute_t
> > >    updpwd_t
> > >    user_home_t
> > >    usernetctl_t
> > >    utempter_t
> > >
> > > rpm_roles (2 types)
> > >    rpm_script_t
> > >    rpm_t
> > >
> > > semanage_roles (3 types)
> > >    load_policy_t
> > >    semanage_t
> > >    setfiles_t
> > >
> > > 7. Verify in policy.X's binary representation that test_r's
> > > role_datum_t.types.types ebitmap records all these domains:
> > >
> > > 0047a40: 7406 0000 0024 0a00 0001 0000 0000 0000  t....$..........
> > > 0047a50: 0074 6573 745f 7407 0000 0025 0a00 0001  .test_t....%....
> > >
> > > test_t: policy value = 0xa24
> > >
> > > 0036560: 0000 004a 0300 0001 0000 0000 0000 0072  ...J...........r
> > > 0036570: 706d 5f74 0700 0000 4b03 0000 0100 0000  pm_t....K.......
> > >
> > > rpm_t: policy value = 0x34a
> > >
> > > 0041050: 0000 6d6f 6e6f 7064 5f65 7463 5f74 0c00  ..monopd_etc_t..
> > > 0041060: 0000 8907 0000 0100 0000 0000 0000 7270  ..............rp
> > > 0041070: 6d5f 7363 7269 7074 5f74 0f00 0000 8a07  m_script_t......
> > >
> > > rpm_script_t: policy value = 0x789
> > >
> > > 004d800: 7365 6375 7269 7479 5f74 0a00 0000 490c  security_t....I.
> > > 004d810: 0000 0100 0000 0000 0000 7365 6d61 6e61  ..........semana
> > > 004d820: 6765 5f74 0900 0000 4a0c 0000 0300 0000  ge_t....J.......
> > >
> > > semanage_t: policy value = 0xc49
> > >
> > > 00492c0: 7075 745f 7865 7665 6e74 5f74 0d00 0000  put_xevent_t....
> > > 00492d0: ae0a 0000 0100 0000 0000 0000 6c6f 6164  ............load
> > > 00492e0: 5f70 6f6c 6963 795f 740c 0000 00af 0a00  _policy_t.......
> > >
> > > load_policy_t: policy value = 0xaae
> > >
> > > 004d660: 740a 0000 003f 0c00 0001 0000 0000 0000  t....?..........
> > > 004d670: 0073 6574 6669 6c65 735f 7414 0000 0010  .setfiles_t.....
> > >
> > > setfiles_t: policy value = 0xc3f
> > >
> > > 002d050: 0600 0000 0000 0000 7465 7374 5f72 4000  ........test_r@.
> > > 002d060: 0000 4000 0000 0100 0000 0000 0000 2000  ..@........... .
> > > 002d070: 0000 0000 0000 4000 0000 800c 0000 1400  ......@.........
> > > 002d080: 0000 8000 0000 0000 0000 0400 0000 4001  ..............@.
> > > 002d090: 0000 0000 0000 0001 0000 0002 0000 0000  ................
> > > 002d0a0: 0000 0000 0001 4002 0000 0000 0000 0010  ......@.........
> > > 002d0b0: 0000 8002 0000 0000 0040 0000 0000 0003  .........@......
> > > 002d0c0: 0000 0000 0004 0000 0030 4003 0000 0002  .........0@.....
> > > 002d0d0: 0000 0000 0000 c003 0000 0000 0000 0000  ................
> > > 002d0e0: 0080 0004 0000 0000 0000 0000 0008 8005  ................
> > > 002d0f0: 0000 0000 0008 0000 0000 4006 0000 1000  ..........@.....
> > > 002d100: 0000 0000 0000 8006 0000 0200 0000 0000  ................
> > > 002d110: 0000 8007 0000 0001 0000 0000 0000 8009  ................
> > > 002d120: 0000 0000 0210 0000 0410 c009 0000 0000  ................
> > > 002d130: 0100 0000 0000 000a 0000 3000 0000 0800  ..........0.....
> > > 002d140: 0000 800a 0000 0000 0000 0020 0000 000b  ........... ....
> > > 002d150: 0000 0008 0000 0000 0000 000c 0000 0000  ................
> > > 002d160: 0000 0000 0040 400c 0000 0001 0000 0020  .....@@........
> > > 002d170: 0000
> > >
> > > test_r: policy value = 0x06
> > > dominates:
> > >    mz = 0x40, highbit = 0x40, node = 1
> > >    startbit = 0, map: 2000 0000 0000 0000
> > >       policy value: 0x06(test_r)
> > > types.types:
> > >    mz = 0x40, highbit = 0xc80, node = 0x14
> > >    ......
> > >    startbit = 0x340, map: 0002 0000 0000 0000
> > >       policy value: 0x34a(rpm_t)
> > >    ......
> > >    startbit = 0x780, map: 0001 0000 0000 0000
> > >       policy value: 0x789(rpm_script_t)
> > >    ......
> > >    startbit = 0xa00, map: 3000 0000 0800 0000
> > >       policy value: 0xa01, 0xa02, 0xa24(test_t)
> > >    startbit = 0xa80, map: 0000 0000 0020 0000
> > >       policy value: 0xaae(load_policy_t)
> > >    startbit = 0xc00, map: 0000 0000 0000 0040
> > >       policy value: 0xc3f(setfiles_t)
> > >    startbit = 0xc40, map: 0001 0000 0020 0000
> > >       policy value: 0xc49(semanage_t), 0xc6e
> > >
> > > --
> > > This message was distributed to subscribers of the selinux mailing list.
> > > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > > the words "unsubscribe selinux" without quotes as the message.
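Test 7 in the quoted announcement decodes test_r's role_datum_t ebitmaps by hand from the hexdump. The decoder below is an added example, not code from the post or from libsepol: it walks the same serialized ebitmap layout the dump shows (u32 mapunit, u32 highbit, u32 node count, then a u32 startbit and a u64 little-endian map per node), rejects malformed images, and turns each set bit into a policy value with the rule the dump bears out (bit i of a node starting at s is value s + i + 1, because policydb stores value - 1). The first sample image is copied from the dump at 0x2d05e (the dominates ebitmap); the second is a constructed two-node excerpt assembled from the startbit/map pairs listed for rpm_t and semanage_t.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Decode a serialized ebitmap: u32 mapunit, u32 highbit, u32 node count, then
 * per node a u32 startbit and a little-endian u64 map.  Bit i of a node
 * starting at s is policy value s + i + 1, because policydb stores value - 1.
 * Returns the set-bit count (writing at most max values to out), or -1 for a
 * malformed image: mapunit != 64, truncated, or a node unaligned, out of order, or past highbit. */
int ebitmap_values(const uint8_t *buf, size_t len, uint32_t *out, size_t max) {
    if (len < 12) return -1;
    uint32_t mapunit = rd32(buf), highbit = rd32(buf + 4), count = rd32(buf + 8);
    if (mapunit != 64 || highbit % 64 != 0 || len < 12 + (size_t)count * 12) return -1;
    size_t n = 0;
    uint32_t next_start = 0;
    for (uint32_t k = 0; k < count; k++) {
        const uint8_t *node = buf + 12 + (size_t)k * 12;
        uint32_t startbit = rd32(node);
        uint64_t map = rd64(node + 4);
        if (startbit % 64 != 0 || startbit < next_start || (uint64_t)startbit + 64 > highbit) return -1;
        next_start = startbit + 64;
        for (int i = 0; i < 64; i++)
            if ((map >> i) & 1) {
                if (n < max) out[n] = startbit + (uint32_t)i + 1;
                n++;
            }
    }
    return (int)n;
}
/* Copied from the post's dump at 0x2d05e: test_r's dominates ebitmap. */
static const uint8_t dominates_img[] = {
    0x40,0,0,0, 0x40,0,0,0, 0x01,0,0,0,         /* mapunit 64, highbit 0x40, 1 node */
    0,0,0,0, 0x20,0,0,0,0,0,0,0 };               /* startbit 0, map 2000 0000 0000 0000 */
/* Constructed two-node excerpt of types.types, using the startbit/map pairs
 * the post lists for rpm_t (0x340) and semanage_t (0xc40). */
static const uint8_t types_img[] = {
    0x40,0,0,0, 0x80,0x0c,0,0, 0x02,0,0,0,      /* mapunit 64, highbit 0xc80, 2 nodes */
    0x40,0x03,0,0, 0x00,0x02,0,0,0,0,0,0,       /* startbit 0x340, map 0002 0000 0000 0000 */
    0x40,0x0c,0,0, 0x00,0x01,0,0,0,0x20,0,0 };  /* startbit 0xc40, map 0001 0000 0020 0000 */
int main(void) {
    uint32_t v[8];
    int n = ebitmap_values(dominates_img, sizeof dominates_img, v, 8);   /* one value: 0x06 (test_r) */
    for (int i = 0; i < n; i++) printf("dominates: 0x%x\n", v[i]);
    n = ebitmap_values(types_img, sizeof types_img, v, 8);               /* 0x34a 0xc49 0xc6e */
    for (int i = 0; i < n; i++) printf("types: 0x%x\n", v[i]);
    return n < 0;
}
```

The decode reproduces the values the post reads off the dump (0x06 for dominates; 0x34a, 0xc49 and 0xc6e for the two types nodes) and fails closed on a truncated image.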