Differences from v3 patchset
-----------------------------
1. For the 0002 patch, introduce MOD_POLICYDB_VERSION_ROLEATTRIB (== 13) and bump MOD_POLICYDB_VERSION_MAX to it. When reading from or writing to a pp, take care of the flavor flag and roles ebitmap only when the pp's version is no less than MOD_POLICYDB_VERSION_ROLEATTRIB.

Tests I've done
-----------------
0. Build tests:
   . revert this patchset, re-install libsepol/checkpolicy packages and build modules (which have no flavor/roles); apply this patchset, re-install everything; the updated tools could handle old-version modules in a decent manner.
   . in write_binary_policy() in checkmodule.c, trigger policy module downgrade by adding "policyvers = MOD_POLICYDB_VERSION_MAX - 1"; apply this patchset; the updated tools could generate and process old-version modules correctly.

1. test_t is able to transition into rpm_t, but could not directly transition into rpm_script_t, semanage_t, load_policy_t/setfiles_t:

sh-3.2# sesearch -SCA -s test_t -t rpm_t -c process -p transition
Found 1 semantic av rules:
   allow test_t rpm_t : process transition ;
sh-3.2# sesearch -SCA -s test_t -t rpm_script_t -c process -p transition
sh-3.2# sesearch -SCA -s test_t -t semanage_t -c process -p transition
sh-3.2# sesearch -SCA -s test_t -t load_policy_t -c process -p transition
sh-3.2# sesearch -SCA -s test_t -t setfiles_t -c process -p transition

2. rpm_t is able to transition into rpm_script_t, but could not directly transition into semanage_t, load_policy_t/setfiles_t:

sh-3.2# sesearch -SCA -s rpm_t -t rpm_script_t -c process -p transition
Found 1 semantic av rules:
   allow rpm_t rpm_script_t : process transition ;
sh-3.2# sesearch -SCA -s rpm_t -t semanage_t -c process -p transition
sh-3.2# sesearch -SCA -s rpm_t -t load_policy_t -c process -p transition
sh-3.2# sesearch -SCA -s rpm_t -t setfiles_t -c process -p transition

3. rpm_script_t is able to transition into semanage_t, but could not directly transition into load_policy_t/setfiles_t:

sh-3.2# sesearch -SCA -s rpm_script_t -t semanage_t -c process -p transition
Found 1 semantic av rules:
   allow rpm_script_t semanage_t : process transition ;
sh-3.2# sesearch -SCA -s rpm_script_t -t load_policy_t -c process -p transition
sh-3.2# sesearch -SCA -s rpm_script_t -t setfiles_t -c process -p transition

4. semanage_t is able to transition into load_policy_t & setfiles_t:

sh-3.2# sesearch -SCA -s semanage_t -t load_policy_t -c process -p transition
Found 1 semantic av rules:
   allow semanage_t load_policy_t : process transition ;
sh-3.2# sesearch -SCA -s semanage_t -t setfiles_t -c process -p transition
Found 1 semantic av rules:
   allow semanage_t setfiles_t : process transition ;

5. test_r is able to type with rpm_t, rpm_script_t, semanage_t, setfiles_t and load_policy_t:

sh-3.2# compute_create root:test_r:test_t:s0 system_u:object_r:rpm_exec_t:s0 process
root:test_r:rpm_t:s0
sh-3.2#
sh-3.2# compute_create root:test_r:rpm_script_t:s0 system_u:object_r:semanage_exec_t:s0 process
root:test_r:semanage_t:s0
sh-3.2#
sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:setfiles_exec_t:s0 process
root:test_r:setfiles_t:s0
sh-3.2#
sh-3.2# compute_create root:test_r:semanage_t:s0 system_u:object_r:load_policy_exec_t:s0 process
root:test_r:load_policy_t:s0
sh-3.2#

6. Use the apol tool to analyze what types the test_r role could type with: (Since the apol installed on Ubuntu so far only supports max version .24, we need to set "policy-version = 24" in semanage.conf)

test_r (28 types)
   chfn_t chkpwd_t consoletype_t ddclient_t dhcpc_t hostname_t ifconfig_t
   insmod_t iptables_t load_policy_t loadkeys_t netutils_t newrole_t pam_t
   passwd_t ping_t pppd_t pptp_t rpm_script_t rpm_t semanage_t setfiles_t
   test_t traceroute_t updpwd_t user_home_t usernetctl_t utempter_t
rpm_roles (2 types)
   rpm_script_t rpm_t
semanage_roles (3 types)
   load_policy_t semanage_t setfiles_t
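The sesearch and apol runs above together establish two things: each domain in the rpm/semanage chain can only be entered one hop at a time, and test_r is authorized for every domain in that chain through the rpm_roles and semanage_roles attributes. The following Python script is an added example, not code from the patchset or from libsepol/setools: it models the allow rules and role/type authorizations as a small constructed data set (taken from the output quoted in this post, reduced to the types relevant to the chain) and answers the same questions the tests above answer. It can be rerun against any other rule set you want to reason about before loading it.

```python
"""Model the process-transition chain and role authorizations from the test log.

Added example; the rule and role sets below are constructed from the sesearch
and apol output quoted in the post, not read from a live policy.
"""
from collections import deque

# Constructed: the "allow <src> <tgt> : process transition ;" rules that
# sesearch reported. Every pair sesearch printed nothing for is absent.
ALLOW_TRANSITION = {
    ("test_t", "rpm_t"),
    ("rpm_t", "rpm_script_t"),
    ("rpm_script_t", "semanage_t"),
    ("semanage_t", "load_policy_t"),
    ("semanage_t", "setfiles_t"),
}

# Constructed: role attribute membership as apol listed it (reduced to the
# chain's types). test_r carries rpm_roles and semanage_roles; other_r is a
# hypothetical role with neither attribute, to show the pruning effect.
RPM_ROLES_TYPES = {"rpm_t", "rpm_script_t"}
SEMANAGE_ROLES_TYPES = {"load_policy_t", "semanage_t", "setfiles_t"}
ROLE_TYPES = {
    "test_r": {"test_t"} | RPM_ROLES_TYPES | SEMANAGE_ROLES_TYPES,
    "other_r": {"test_t"},
}


def can_transition(src, tgt, rules=ALLOW_TRANSITION):
    """Direct process transition, as answered by
    `sesearch -SCA -s <src> -t <tgt> -c process -p transition`."""
    return (src, tgt) in rules


def transition_path(src, tgt, rules=ALLOW_TRANSITION):
    """Shortest chain of allowed transitions from src to tgt, or None.

    Breadth-first search over the allow graph; sorted() keeps the result
    deterministic when several rules leave the same domain."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == tgt:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for s, t in sorted(rules):
            if s == cur and t not in parent:
                parent[t] = cur
                queue.append(t)
    return None


def role_allows(role, typ, roles=ROLE_TYPES):
    """True if the role is authorized for the type (directly or via an attribute)."""
    return typ in roles.get(role, set())


def reachable_domains(role, start, rules=ALLOW_TRANSITION, roles=ROLE_TYPES):
    """Domains a process running as <role>:<start> can eventually reach.

    A transition is only usable if the allow rule exists AND the role is
    authorized for the new type, since the kernel denies a transition into a
    type the current role is not authorized for. Edges failing either test are
    pruned, which is why a role without rpm_roles reaches nothing here."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for s, t in sorted(rules):
            if s == cur and t not in seen and role_allows(role, t, roles):
                seen.add(t)
                queue.append(t)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    print("test_t -> semanage_t direct:", can_transition("test_t", "semanage_t"))
    print("test_t -> setfiles_t path  :", " -> ".join(transition_path("test_t", "setfiles_t")))
    for role in ("test_r", "other_r"):
        print(f"{role} from test_t reaches:", sorted(reachable_domains(role, "test_t")))
```

The pruning in `reachable_domains` is the point of the role attributes: with identical allow rules, a role that lacks rpm_roles and semanage_roles cannot leave test_t at all, which is the containment the apol listing confirms for test_r's peers.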