|
Hi Chris,
> Date: Tue, 23 Aug 2011 09:58:00 -0400 > From: cpebenito@xxxxxxxxxx > To: dwalsh@xxxxxxxxxx > CC: qingtao.cao@xxxxxxxxxxxxx; slawrence@xxxxxxxxxx; selinux@xxxxxxxxxxxxx > Subject: Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion. > > On 08/23/11 09:43, Daniel J Walsh wrote: > > Eliminating booleans would be great and replacing them with tunables, > > but the tunables must be discoverable, and it must be easy for the > > administrator to discover the "tunable" and turn it on. > > > > Currently audit2allow/audit2why turns on all booleans in a policy and > > checks to see if an AVC would be allowed with any boolean. Then it > > prints out the booleans that would have allowed the access. We use > > this functionality within setroubleshoot. This is critical to making > > selinux policy usable. > > &! gt; > User wants to allow ftp to access homedirs, he sets up ftp and SELinux > > blocks the access. Setroubleshoot comes up and says turn on the > > ftp_home_dir boolean to allow this access. > > > > > > If we can not duplicate this functionality then I NAK the change from > > booleans to tunables. > > Seems very easy to reproduce, as long as you turn on save-linked in > semanage.conf. The linked policy would have all the tunable > information, right Harry? > The implementation of the save-linked option has no idea about the effort to separate tunables from booleans, so I am afraid it won't help much. However, you did enlighten me to create a new option "handle-tunable" for semanage.conf, then we can specify whether discarding tunable is desirable and its value would be saved into a new member "handle_tunable" in policydb_t. Then in the separation_tunables() in l! ink.c, policydb_t.handle_tunable would be consulted about how to handl e tunables. By default this handle-tunable option for semanage.conf could be set to "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we could set this option to "preserve" and rebuild and reload policy.X. When the related tunable is found we could toggle its default value to true and rebuild policy.X with the option back to "discard" again. This way I think Dan's worries would be addressed. Right? BTW, Is this the correct or best way to pass configuration options on to link process? I have created two patches for above logic(see attached), however I am pretty new to semanage and run into syntax error while parsing semanage.conf. Chris, could you please kindly take a look at what has been wrong in my 0007 patch? Many thanks! Cheers, Harry > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com > > -- > This message was distributed to subscrib! ers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. |
From 027bdc2668584f817ca2b48622edac6ebfd99a29 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Wed, 24 Aug 2011 17:20:29 +0800
Subject: [PATCH 7/8] Add new option of "handle-tunable" to semanage.conf
Add a new option of "handle-tunable" to semanage.conf, which is used
to indicate how to handle tunables during link/expansion.
Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
libsemanage/src/conf-parse.y | 14 ++++++++++++++
libsemanage/src/conf-scan.l | 1 +
libsemanage/src/semanage_conf.h | 1 +
libsemanage/src/semanage_store.c | 2 ++
libsepol/include/sepol/policydb.h | 5 +++++
libsepol/include/sepol/policydb/policydb.h | 9 +++++++++
libsepol/src/expand.c | 1 +
libsepol/src/policydb_public.c | 17 +++++++++++++++++
8 files changed, 50 insertions(+), 0 deletions(-)
diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
index 77c00b2..e1c9148 100644
--- a/libsemanage/src/conf-parse.y
+++ b/libsemanage/src/conf-parse.y
@@ -59,6 +59,7 @@ static int parse_errors;
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD
+%token HANDLE_TUNABLE
%token BZIP_BLOCKSIZE BZIP_SMALL
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
@@ -85,6 +86,7 @@ single_opt: module_store
| disable_genhomedircon
| usepasswd
| handle_unknown
+ | handle_tunable
| bzip_blocksize
| bzip_small
;
@@ -179,6 +181,17 @@ handle_unknown: HANDLE_UNKNOWN '=' ARG {
free($3);
}
+handle_tunable: HANDLE_TUNABLE '=' ARG {
+ if (strcasecmp($3, "discard") == 0) {
+ current_conf->handle_tunable = SEPOL_DISCARD_TUNABLE;
+ } else if (strcasecmp($3, "preserve") == 0) {
+ current_conf->handle_tunable = SEPOL_PRESERVE_TUNABLE;
+ } else {
+ yyerror("handle-tunable can only be 'discard' or 'preserve'");
+ }
+ free($3);
+ }
+
bzip_blocksize: BZIP_BLOCKSIZE '=' ARG {
int blocksize = atoi($3);
free($3);
@@ -265,6 +278,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->policyvers = sepol_policy_kern_vers_max();
conf->expand_check = 1;
conf->handle_unknown = -1;
+ conf->handle_tunable = -1;
conf->usepasswd = 1;
conf->file_mode = 0644;
conf->bzip_blocksize = 9;
diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
index e57119d..ca449dd 100644
--- a/libsemanage/src/conf-scan.l
+++ b/libsemanage/src/conf-scan.l
@@ -48,6 +48,7 @@ save-linked return SAVE_LINKED;
disable-genhomedircon return DISABLE_GENHOMEDIRCON;
usepasswd return USEPASSWD;
handle-unknown return HANDLE_UNKNOWN;
+handle-tunable return HANDLE_TUNABLE;
bzip-blocksize return BZIP_BLOCKSIZE;
bzip-small return BZIP_SMALL;
"[load_policy]" return LOAD_POLICY_START;
diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
index f58d9ac..da7cc58 100644
--- a/libsemanage/src/semanage_conf.h
+++ b/libsemanage/src/semanage_conf.h
@@ -40,6 +40,7 @@ typedef struct semanage_conf {
int disable_genhomedircon;
int usepasswd;
int handle_unknown;
+ int handle_tunable;
mode_t file_mode;
int bzip_blocksize;
int bzip_small;
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 8d6ff1c..4098d8a 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1723,6 +1723,8 @@ int semanage_expand_sandbox(semanage_handle_t * sh,
}
if (sh->conf->handle_unknown >= 0)
sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
+ if (sh->conf->handle_tunable > 0)
+ sepol_policydb_set_handle_tunable(out, sh->conf->handle_tunable);
*policydb = out;
return STATUS_SUCCESS;
diff --git a/libsepol/include/sepol/policydb.h b/libsepol/include/sepol/policydb.h
index 43e23b3..5975f88 100644
--- a/libsepol/include/sepol/policydb.h
+++ b/libsepol/include/sepol/policydb.h
@@ -135,4 +135,9 @@ extern int sepol_policydb_mls_enabled(const sepol_policydb_t * p);
*/
extern int sepol_policydb_compat_net(const sepol_policydb_t * p);
+/* Set how to handle tunables */
+#define SEPOL_DISCARD_TUNABLE 8
+#define SEPOL_PRESERVE_TUNABLE 16
+extern int sepol_policydb_set_handle_tunable(sepol_policydb_t * p,
+ unsigned int handle_tunable);
#endif
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 1848a7b..871a894 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -545,6 +545,9 @@ typedef struct policydb {
unsigned policyvers;
unsigned handle_unknown;
+
+ /* discard tunables or treat them as booleans */
+ unsigned handle_tunable;
} policydb_t;
struct sepol_policydb {
@@ -709,6 +712,12 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+/* the config flags related to how to handle tunables are bits 8 and 16 */
+#define DISCARD_TUNABLE SEPOL_DISCARD_TUNABLE
+#define PRESERVE_TUNABLE SEPOL_PRESERVE_TUNABLE
+
+#define POLICYDB_CONFIG_TUNABLE_MASK (DISCARD_TUNABLE | PRESERVE_TUNABLE)
+
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index ff8a214..c85e230 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2710,6 +2710,7 @@ int expand_module(sepol_handle_t * handle,
/* Copy mls state from base to out */
out->mls = base->mls;
out->handle_unknown = base->handle_unknown;
+ out->handle_tunable = base->handle_tunable;
/* Copy target from base to out */
out->target_platform = base->target_platform;
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index f6ae793..af08806 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -152,6 +152,23 @@ int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
return 0;
}
+int sepol_policydb_set_handle_tunable(sepol_policydb_t * sp,
+ unsigned int handle_tunable)
+{
+ struct policydb *p = &sp->p;
+
+ switch (handle_tunable) {
+ case SEPOL_DISCARD_TUNABLE:
+ case SEPOL_PRESERVE_TUNABLE:
+ break;
+ default:
+ return -1;
+ }
+
+ p->handle_tunable = handle_tunable;
+ return 0;
+}
+
int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
{
return policydb_read(&p->p, &pf->pf, 0);
--
1.7.0.4
From 6e45472fb6bde827bc01241ed269fc82119dce63 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Wed, 24 Aug 2011 14:36:51 +0800
Subject: [PATCH 8/8] handle_tunable decides if tunables are preserved or discarded.
If one cond_node_t's expression just contains tunable identifiers, then
how to handle tunable would be determined by the handle_tunable flag
in policydb_t.
If all tunables should be preserved(thus treated as booleans), then the
TUNABLE flag bit would be cleared in their cond_bool_datum_t.flags, so
that these tunable identifiers won't be discarded during expansion,
neither would the cond_node_t ever be marked as TUNABLE.
BTW, if tunables ever mixed with booleans in one expression, tunables
would be transformed as booleans and preserved, in this case the value of
handle_tunable would be ignored.
Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
libsepol/src/link.c | 66 +++++++++++++++++++++++++++++---------------------
1 files changed, 38 insertions(+), 28 deletions(-)
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 35c075b..47d38c9 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2486,6 +2486,9 @@ static void separate_tunables(link_state_t *state, policydb_t *pol)
*
* If tunables and booleans co-exist in the expression of a cond_node,
* then tunables would be "transformed" as booleans.
+ *
+ * If tunables are requested to be preserved then they would be
+ * "transformed" as booleans.
*/
for (block = pol->global; block != NULL; block = block->next) {
decl = block->enabled;
@@ -2516,35 +2519,42 @@ static void separate_tunables(link_state_t *state, policydb_t *pol)
booleans++;
}
- if (tunables && booleans) {
- /* Tunable mixed with boolean */
- for (i = 0; i < tunables; i++)
- tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
- } else if (tunables && !booleans) {
- /* Pure tunable conditional */
- cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
- cur_state = cond_evaluate_expr(pol, cur_node->expr);
- if (cur_state == -1) {
- printf("Expression result was "
- "undefined, skipping all"
- "rules\n");
- continue;
+ if (booleans) {
+ cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+ if (tunables) {
+ for (i = 0; i < tunables; i++)
+ tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
+ }
+ } else {
+ if (pol->handle_tunable == SEPOL_DISCARD_TUNABLE) {
+ cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
+ cur_state = cond_evaluate_expr(pol, cur_node->expr);
+ if (cur_state == -1) {
+ printf("Expression result was "
+ "undefined, skipping "
+ "all rules\n");
+ continue;
+ }
+
+ to_be_appended = (cur_state == 1) ?
+ cur_node->avtrue_list : cur_node->avfalse_list;
+
+ if (tail)
+ tail->next = to_be_appended;
+ else
+ tail = decl->avrules = to_be_appended;
+
+ /* Update the tail of decl->avrules
+ * for further concatenation */
+ while (tail && tail->next)
+ tail = tail->next;
+
+ cur_node->avtrue_list = cur_node->avfalse_list = NULL;
+ } else if (pol->handle_tunable == SEPOL_PRESERVE_TUNABLE) {
+ cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+ for (i = 0; i < tunables; i++)
+ tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
}
-
- to_be_appended = (cur_state == 1) ?
- cur_node->avtrue_list : cur_node->avfalse_list;
-
- if (tail)
- tail->next = to_be_appended;
- else
- tail = decl->avrules = to_be_appended;
-
- /* Update the tail of decl->avrules for
- * further concatenation */
- while (tail && tail->next)
- tail = tail->next;
-
- cur_node->avtrue_list = cur_node->avfalse_list = NULL;
}
}
}
--
1.7.0.4
