-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 <snip> Eric and I have come up with the following syntax for this behaviour. default_trans level dir_file_class_set parent; default_trans user dir_file_class_set process; default_trans role file parent; We have developed a patch to checkpolicy that will process this syntax, although it does nothing with it yet, need a patch for libsepol... We have made these commands optional and I am placing them in the policy/mcs file. Default will be current behavior. ifdef(`enable_mcs',` default_trans level dir_file_class_set parent; # # Define sensitivities # # MCS is single-sensitivity. gen_sens(1) ... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6YW/sACgkQrlYvE4MpobNlHACgqYKr4T3Bi5tp4cPb0ee5mw3q I2UAn2trAI2BXOGu+JAbSx2RBNPuAvpd =MWrk -----END PGP SIGNATURE-----
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 1bf669c..7ec64aa 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -327,6 +327,39 @@ int define_initial_sid(void)
 return -1;
 }
+int define_default_trans(int component, int from)
+{
+ char *id;
+ ebitmap_t e_tclasses;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ ebitmap_init(&e_tclasses);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ free(id);
+ }
+
+ return 0;
+}
+
 int define_common_perms(void)
 {
 char *id = 0, *perm = 0;
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 92a9be7..2c881e1 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -13,6 +13,14 @@
 #define TRUE 1
 #define FALSE 0
+enum dt_enum {
+ DT_USER,
+ DT_ROLE,
+ DT_LEVEL,
+ DT_PROCESS,
+ DT_PARENT,
+};
+
 avrule_t *define_cond_compute_type(int which);
 avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
 avrule_t *define_cond_te_avtab(int which);
@@ -52,6 +60,7 @@ int define_role_types(void);
 int define_role_attr(void);
 int define_roleattribute(void);
 int define_filename_trans(void);
+int define_default_trans(int componnt, int from);
 int define_sens(void);
 int define_te_avtab(int which);
 int define_typealias(void);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 49ac15f..86aa574 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y 
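Review bot: In define_default_trans, `e_tclasses` is initialised with `ebitmap_init` and populated but never handed to anything or released, so every pass-2 call leaks the bitmap on the success path and on all three error returns; the `id` just popped from `id_queue` is also leaked on those error returns, while the pass-1 branch takes care to free each one. Until the bitmap is consumed by the libsepol side, a single cleanup label that frees `id` and calls `ebitmap_destroy(&e_tclasses)` closes both leaks without changing the interface. Since `component` and `from` are intentionally unused for now, a one-line comment saying so (`/* component/from are recorded once libsepol can store them */`) would stop readers and -Wunused-parameter from flagging them.
```c
int define_default_trans(int component, int from)
{
	char *id;
	ebitmap_t e_tclasses;
	class_datum_t *cladatum;
	int rc = -1;

	/* … unchanged: pass == 1 drains id_queue and returns 0 … */

	ebitmap_init(&e_tclasses);
	while ((id = queue_remove(id_queue))) {
		if (!is_id_in_scope(SYM_CLASSES, id)) {
			yyerror2("class %s is not within scope", id);
			goto out;
		}
		cladatum = hashtab_search(policydbp->p_classes.table, id);
		if (!cladatum) {
			yyerror2("unknown class %s", id);
			goto out;
		}
		if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
			yyerror("Out of memory");
			goto out;
		}
		free(id);
	}
	/* id is NULL here on the normal exit, so the free below is a no-op */
	rc = 0;
out:
	free(id);
	/* TODO: hand e_tclasses to the policydb once libsepol can store it */
	ebitmap_destroy(&e_tclasses);
	return rc;
}
```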
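Review bot: `enum dt_enum` folds two unrelated choices into one enumerator list with no comment, so nothing in the header tells a caller of `define_default_trans(int component, int from)` that only DT_USER, DT_ROLE and DT_LEVEL are meaningful for `component` and only DT_PROCESS and DT_PARENT for `from`; with both parameters typed `int`, a swapped pair compiles silently. A comment above the enum such as `/* default_trans arguments: DT_USER..DT_LEVEL name the context component, DT_PROCESS/DT_PARENT name where it is taken from */` documents the split, and using two enums would let the compiler enforce it. This is a documentation point only.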
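Review bot: The added prototype spells the first parameter `componnt`, while the definition in policy_define.c names it `component`; it compiles, but the header is what readers and editors see first. Change the added line to `int define_default_trans(int component, int from);`.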
@@ -143,6 +143,9 @@ typedef int (* require_func_t)();
 %token POLICYCAP
 %token PERMISSIVE
 %token FILESYSTEM
+%token DEFAULT_TRANS
+%token PROCESS
+%token PARENT
 %left OR
 %left XOR
@@ -157,10 +160,10 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
 classes initial_sids access_vectors
 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
- opt_mls te_rbac users opt_constraints
+ default_trans_rules opt_mls te_rbac users opt_constraints
 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
- initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
 ;
 classes : class_def
 | classes class_def
@@ -176,6 +179,23 @@ initial_sid_def : SID identifier
 ;
 access_vectors : opt_common_perms av_perms
 ;
+default_trans_rules : default_trans_def
+ | default_trans_rules default_trans_def
+ |
+ ;
+default_trans_def : DEFAULT_TRANS USER names PROCESS ';'
+ {if (define_default_trans(DT_USER, DT_PROCESS)) return -1;}
+ | DEFAULT_TRANS ROLE names PROCESS ';'
+ {if (define_default_trans(DT_ROLE, DT_PROCESS)) return -1;}
+ | DEFAULT_TRANS LEVEL names PROCESS ';'
+ {if (define_default_trans(DT_LEVEL, DT_PROCESS)) return -1;}
+ | DEFAULT_TRANS USER names PARENT ';'
+ {if (define_default_trans(DT_USER, DT_PARENT)) return -1;}
+ | DEFAULT_TRANS ROLE names PARENT ';'
+ {if (define_default_trans(DT_ROLE, DT_PARENT)) return -1;}
+ | DEFAULT_TRANS LEVEL names PARENT ';'
+ {if (define_default_trans(DT_LEVEL, DT_PARENT)) return -1;}
+ ;
 opt_common_perms : common_perms
 |
 ;
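Review bot: The six `default_trans_def` alternatives differ only in which of USER/ROLE/LEVEL and PROCESS/PARENT they name and each repeats the same action, so a fourth component or a third source later multiplies the table again. Factoring the two choices into small nonterminals that yield the `dt_enum` value leaves one production and one action; the two new nonterminals need a `%type` entry in the prologue, which is outside this hunk. Separately, if I read the `names` rule correctly it also admits the `*` and `~` set forms, and since define_default_trans looks every id up as a class name those would presumably fail with `unknown class`; worth confirming that is the intended diagnostic.
```yacc
default_trans_def : DEFAULT_TRANS dt_component names dt_source ';'
	{if (define_default_trans($2, $4)) return -1;}
	;
dt_component : USER { $$ = DT_USER; }
	| ROLE { $$ = DT_ROLE; }
	| LEVEL { $$ = DT_LEVEL; }
	;
dt_source : PROCESS { $$ = DT_PROCESS; }
	| PARENT { $$ = DT_PARENT; }
	;
```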
@@ -353,7 +373,7 @@ cond_rule_def : cond_transition_def
 | require_block
 { $$ = NULL; }
 ;
-cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
 { $$ = define_cond_filename_trans() ;
 if ($$ == COND_ERR) return -1;}
 | TYPE_TRANSITION names names ':' names identifier ';'
@@ -391,7 +411,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
 { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
 if ($$ == COND_ERR) return -1; }
 ;
-transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
 {if (define_filename_trans()) return -1; }
 | TYPE_TRANSITION names names ':' names identifier ';'
 {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
@@ -753,6 +773,8 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; }
 ;
 identifier : IDENTIFIER
 { if (insert_id(yytext,0)) return -1; }
+ | PROCESS
+ { if (insert_id(yytext,0)) return -1; }
 ;
 path : PATH
 { if (insert_id(yytext,0)) return -1; }
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index a61e0db..e7bdf9f 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -219,6 +219,12 @@ h2 |
 H2 { return(H2); }
 policycap |
 POLICYCAP { return(POLICYCAP); }
+process |
+PROCESS { return(PROCESS); }
+parent |
+PARENT { return(PARENT); }
+default_trans |
+DEFAULT_TRANS { return(DEFAULT_TRANS); }
 permissive |
 PERMISSIVE { return(PERMISSIVE); }
 "/"({alnum}|[_\.\-/])* { return(PATH); }
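Review bot: With the quotes lexed as separate `'\"'` tokens in `cond_transition_def`, the text between them is matched by the unquoted scanner rules, and those compete with the keyword rules and, as far as I recall, an IDENTIFIER rule that sits in the unchanged lines just above the policy_scan.l hunk at -227: a purely alphabetic filename (a constructed example, `"passwd"`) ties between IDENTIFIER and `{alnum}*` and flex takes the earlier rule, and a filename spelled like any keyword (`"process"`, `"user"`, `"type"`) returns that keyword's token. Unless the `filename` nonterminal, which is not in this diff, is widened to accept those tokens, filename_trans rules the removed `\"({alnum}|[_\.\-])+\"` rule used to accept become syntax errors; the same applies to the `transition_def` hunk below and to the policy_scan.l hunk at -227. A test policy with an all-letter filename and a keyword-spelled filename would pin whichever behaviour is intended.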
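Review bot: Only PROCESS is re-admitted as an `identifier`, yet the policy_scan.l hunk at -219 also reserves `parent` and `default_trans` as keywords, so an existing policy that uses either spelling as a type, attribute, user, role or class name stops parsing after this change. If those words are meant to be reserved only inside a default_trans statement, add them next to PROCESS, `| PARENT { if (insert_id(yytext,0)) return -1; }` and the same two lines for DEFAULT_TRANS, provided bison accepts that without new conflicts; otherwise the two new reserved words should be named in the commit message so policy authors know.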
@@ -227,9 +233,8 @@ PERMISSIVE { return(PERMISSIVE); }
 {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
 {alnum}* { return(FILENAME); }
-\.({alnum}|[_\.\-])* { return(FILENAME); }
+\.({alnum}|[_\.\-])+ { return(FILENAME); }
 {letter}+([-_\.]|{alnum})+ { return(FILENAME); }
 ([_\.]){alnum}+ { return(FILENAME); }
 #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
@@ -253,6 +258,7 @@ PERMISSIVE { return(PERMISSIVE); }
 "-" |
 "." |
 "]" |
+"\"" |
 "~" |
 "*" { return(yytext[0]); }
 . { yywarn("unrecognized character");}