Please find attached two patches for testing the SELinux SCTP kernel patch:
0001-libsepol-Update-RC5-to-support-SCTP-DCCP-portcon-key.patch
This updates the https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140826/libsepol-2.4-rc5.tar.gz
Requires the test policy modules to be built in CIL as it is much
easier to add new class/permissions:
;; Use last classorder from refpolicy base - cil module:
;(classorder (db_language sctp_socket))
;; Use last classorder from Fedora targeted base - cil module:
(classorder (proxy sctp_socket))
;; Define class / perms:
;; For some reason these work on refpolicy but NOT Fedora targeted:
;(classcommon sctp_socket socket)
;(class sctp_socket (node_bind name_connect bindx_add_addr bindx_rem_addr))
; But this works for Fedora:
(class sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind name_connect bindx_add_addr bindx_rem_addr))
0001-lksctp-tools-Add-SELinux-support-to-sctp_test.patch
This patch calls getpeercon/lgetfilecon to display the various contexts.
It is applied to lksctp-tools.
Richard
From a68c23c12e55947ace7ddb5baf432c0ba8015929 Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Date: Sat, 1 Nov 2014 12:58:19 +0000
Subject: [PATCH] libsepol: Update RC5 to support SCTP/DCCP portcon keywords
This will allow the kernel patches to be tested.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
libsepol/cil/docs/CIL_Reference_Guide.xml | 7 +++----
libsepol/cil/docs/cil_network_labeling_statements.xml | 8 +++++---
libsepol/cil/src/cil.c | 2 ++
libsepol/cil/src/cil_binary.c | 6 ++++++
libsepol/cil/src/cil_build_ast.c | 4 ++++
libsepol/cil/src/cil_internal.h | 6 +++++-
libsepol/cil/src/cil_policy.c | 4 ++++
libsepol/cil/src/cil_tree.c | 4 ++++
libsepol/cil/test/policy.cil | 2 ++
libsepol/include/sepol/policydb/policydb.h | 8 ++++----
libsepol/include/sepol/port_record.h | 2 ++
libsepol/src/port_record.c | 4 ++++
libsepol/src/ports.c | 8 ++++++++
13 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/libsepol/cil/docs/CIL_Reference_Guide.xml b/libsepol/cil/docs/CIL_Reference_Guide.xml
index e905152..b76365e 100644
--- a/libsepol/cil/docs/CIL_Reference_Guide.xml
+++ b/libsepol/cil/docs/CIL_Reference_Guide.xml
@@ -29,9 +29,9 @@
<title>Common Interface Language (CIL) Reference Guide</title>
<revhistory>
<revision>
- <revnumber>0.2</revnumber>
- <date>22nd May '14</date>
- <revremark>Updated classmap/classmapping, added classmap to statements that utilise class_id's (defaultuser, typetransition etc.), update various examples to show anonymous classpermissionset's using expressions.</revremark>
+ <revnumber>0.3</revnumber>
+ <date>1st November '14</date>
+ <revremark>Add portcon support for DCCP and SCTP.</revremark>
</revision>
</revhistory>
</articleinfo>
@@ -39,7 +39,6 @@
<sect1>
<title>CIL Information</title>
<orderedlist>
- <listitem><para>The statement definitions are those found in the source from: <literal>git clone <ulink url="https://bitbucket.org/jwcarter/secilc.git";></ulink></literal> dated 21st May '14.</para></listitem>
<listitem><para>Not all possible alternate statement permutations are shown, however there should be enough variation to work out any other valid formats. There is also an example <filename>policy.cil</filename> file shown in the <link linkend="example_policy">Appendix</link>.</para></listitem>
<listitem><para>The MLS components on contexts and user statements must be declared even if the policy does not support MCS/MLS. </para></listitem>
<listitem><para>The CIL compiler will not build a policy unless it also has as a minimum: one <literal><link linkend="allow">allow</link></literal> rule, one <literal><link linkend="sid">sid</link></literal>, <literal><link linkend="sidorder">sidorder</link></literal> and <literal><link linkend="sidcontext">sidcontext</link></literal> statement. </para></listitem>
diff --git a/libsepol/cil/docs/cil_network_labeling_statements.xml b/libsepol/cil/docs/cil_network_labeling_statements.xml
index 785b583..6b7c954 100644
--- a/libsepol/cil/docs/cil_network_labeling_statements.xml
+++ b/libsepol/cil/docs/cil_network_labeling_statements.xml
@@ -184,7 +184,7 @@
<sect2 id="portcon">
<title>portcon</title>
- <para>Label a udp or tcp port.</para>
+ <para>Label a tcp, udp, dccp or sctp port.</para>
<para><emphasis role="bold">Statement definition:</emphasis></para>
<programlisting><![CDATA[(portcon protocol port context_id)]]></programlisting>
<para><emphasis role="bold">Where:</emphasis></para>
@@ -206,7 +206,7 @@
<para><literal>protocol</literal></para>
</entry>
<entry>
- <para>The protocol keyword <literal>tcp</literal> or <literal>udp</literal>.</para>
+ <para>The protocol keyword <literal>tcp</literal>, <literal>udp</literal>, <literal>dccp</literal> or <literal>sctp</literal>.</para>
</entry>
</row>
<row>
@@ -227,7 +227,9 @@
(portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2))
(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
-(portcon tcp 55555 (unconfined.user object_r unconfined.object (systemlow level_3)))]]>
+(portcon tcp 55555 (unconfined.user object_r unconfined.object (systemlow level_3)))
+(portcon sctp 19000 (unconfined.user object_r unconfined.object ((s0) level_2)))
+(portcon dccp 19001 (unconfined.user object_r unconfined.object (systemlow level_3)))]]>
</programlisting>
</sect2>
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 9e88e45..e602a94 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -90,6 +90,8 @@ static void cil_init_keys(void)
CIL_KEY_STAR = cil_strpool_add("*");
CIL_KEY_UDP = cil_strpool_add("udp");
CIL_KEY_TCP = cil_strpool_add("tcp");
+ CIL_KEY_DCCP = cil_strpool_add("dccp");
+ CIL_KEY_SCTP = cil_strpool_add("sctp");
CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
CIL_KEY_ALLOW = cil_strpool_add("allow");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index ee0d32c..c8288aa 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2732,6 +2732,12 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
case CIL_PROTOCOL_TCP:
new_ocon->u.port.protocol = IPPROTO_TCP;
break;
+ case CIL_PROTOCOL_DCCP:
+ new_ocon->u.port.protocol = IPPROTO_DCCP;
+ break;
+ case CIL_PROTOCOL_SCTP:
+ new_ocon->u.port.protocol = IPPROTO_SCTP;
+ break;
default:
/* should not get here */
rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 20e9d8b..1a05c9a 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -3928,6 +3928,10 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
portcon->proto = CIL_PROTOCOL_UDP;
} else if (proto == CIL_KEY_TCP) {
portcon->proto = CIL_PROTOCOL_TCP;
+ } else if (proto == CIL_KEY_DCCP) {
+ portcon->proto = CIL_PROTOCOL_DCCP;
+ } else if (proto == CIL_KEY_SCTP) {
+ portcon->proto = CIL_PROTOCOL_SCTP;
} else {
cil_log(CIL_ERR, "Invalid protocol\n");
rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 84819fc..97bb6a1 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -100,6 +100,8 @@ char *CIL_KEY_OBJECT_R;
char *CIL_KEY_STAR;
char *CIL_KEY_TCP;
char *CIL_KEY_UDP;
+char *CIL_KEY_DCCP;
+char *CIL_KEY_SCTP;
char *CIL_KEY_AUDITALLOW;
char *CIL_KEY_TUNABLEIF;
char *CIL_KEY_ALLOW;
@@ -658,7 +660,9 @@ struct cil_filecon {
enum cil_protocol {
CIL_PROTOCOL_UDP = 1,
- CIL_PROTOCOL_TCP
+ CIL_PROTOCOL_TCP,
+ CIL_PROTOCOL_DCCP,
+ CIL_PROTOCOL_SCTP
};
struct cil_portcon {
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index d19accb..0f04eac 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -122,6 +122,10 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
fprintf(file_arr[NETIFCONS], "udp ");
} else if (portcon->proto == CIL_PROTOCOL_TCP) {
fprintf(file_arr[NETIFCONS], "tcp ");
+ } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
+ fprintf(file_arr[NETIFCONS], "dccp ");
+ } else if (portcon->proto == CIL_PROTOCOL_SCTP) {
+ fprintf(file_arr[NETIFCONS], "sctp ");
}
fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
index e74eece..60693fe 100644
--- a/libsepol/cil/src/cil_tree.c
+++ b/libsepol/cil/src/cil_tree.c
@@ -1289,6 +1289,10 @@ void cil_tree_print_node(struct cil_tree_node *node)
cil_log(CIL_INFO, " udp");
} else if (portcon->proto == CIL_PROTOCOL_TCP) {
cil_log(CIL_INFO, " tcp");
+ } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
+ cil_log(CIL_INFO, " dccp");
+ } else if (portcon->proto == CIL_PROTOCOL_SCTP) {
+ cil_log(CIL_INFO, " sctp");
}
cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high);
diff --git a/libsepol/cil/test/policy.cil b/libsepol/cil/test/policy.cil
index 686b1a4..0b36824 100644
--- a/libsepol/cil/test/policy.cil
+++ b/libsepol/cil/test/policy.cil
@@ -241,6 +241,8 @@
(nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
(portcon udp 25 system_u_bin_t_l2h)
(portcon tcp 22 system_u_bin_t_l2h)
+ (portcon sctp 19000 system_u_bin_t_l2h)
+ (portcon dccp 19001 system_u_bin_t_l2h)
(genfscon - "/usr/bin" system_u_bin_t_l2h)
(netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
(fsuse xattr ext3 system_u_bin_t_l2h)
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 20bf759..abc64bf 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -299,7 +299,7 @@ typedef struct range_trans_rule {
/*
* The configuration data includes security contexts for
- * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
+ * initial SIDs, unlabeled file systems, TCP, UDP, DCCP and SCTP port numbers,
* network interfaces, and nodes. This structure stores the
* relevant data for one such entry. Entries of the same kind
* (e.g. all initial SIDs) are linked together into a list.
@@ -311,7 +311,7 @@ typedef struct ocontext {
uint8_t protocol;
uint16_t low_port;
uint16_t high_port;
- } port; /* TCP or UDP port information */
+ } port; /* TCP, UDP, DCCP or SCTP port information */
struct {
uint32_t addr; /* network order */
uint32_t mask; /* network order */
@@ -360,7 +360,7 @@ typedef struct genfs {
/* object context array indices */
#define OCON_ISID 0 /* initial SIDs */
#define OCON_FS 1 /* unlabeled file systems */
-#define OCON_PORT 2 /* TCP and UDP port numbers */
+#define OCON_PORT 2 /* TCP, UDP, DCCP and SCTP port numbers */
#define OCON_NETIF 3 /* network interfaces */
#define OCON_NODE 4 /* nodes */
#define OCON_FSUSE 5 /* fs_use */
@@ -538,7 +538,7 @@ typedef struct policydb {
role_allow_t *role_allow;
/* security contexts of initial SIDs, unlabeled file systems,
- TCP or UDP port numbers, network interfaces and nodes */
+ TCP, UDP, DCCP or SCTP port numbers, network interfaces and nodes */
ocontext_t *ocontexts[OCON_NUM];
/* security contexts for files in filesystems that cannot support
diff --git a/libsepol/include/sepol/port_record.h b/libsepol/include/sepol/port_record.h
index b347e08..e2ff8b8 100644
--- a/libsepol/include/sepol/port_record.h
+++ b/libsepol/include/sepol/port_record.h
@@ -11,6 +11,8 @@ typedef struct sepol_port_key sepol_port_key_t;
#define SEPOL_PROTO_UDP 0
#define SEPOL_PROTO_TCP 1
+#define SEPOL_PROTO_DCCP 2
+#define SEPOL_PROTO_SCTP 3
/* Key */
extern int sepol_port_compare(const sepol_port_t * port,
diff --git a/libsepol/src/port_record.c b/libsepol/src/port_record.c
index 6a33d93..15fb198 100644
--- a/libsepol/src/port_record.c
+++ b/libsepol/src/port_record.c
@@ -184,6 +184,10 @@ const char *sepol_port_get_proto_str(int proto)
return "udp";
case SEPOL_PROTO_TCP:
return "tcp";
+ case SEPOL_PROTO_DCCP:
+ return "dccp";
+ case SEPOL_PROTO_SCTP:
+ return "sctp";
default:
return "???";
}
diff --git a/libsepol/src/ports.c b/libsepol/src/ports.c
index cbf2a0b..d693e0f 100644
--- a/libsepol/src/ports.c
+++ b/libsepol/src/ports.c
@@ -16,6 +16,10 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
return IPPROTO_TCP;
case SEPOL_PROTO_UDP:
return IPPROTO_UDP;
+ case SEPOL_PROTO_DCCP:
+ return IPPROTO_DCCP;
+ case SEPOL_PROTO_SCTP:
+ return IPPROTO_SCTP;
default:
ERR(handle, "unsupported protocol %u", proto);
return STATUS_ERR;
@@ -30,6 +34,10 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
return SEPOL_PROTO_TCP;
case IPPROTO_UDP:
return SEPOL_PROTO_UDP;
+ case IPPROTO_DCCP:
+ return SEPOL_PROTO_DCCP;
+ case IPPROTO_SCTP:
+ return SEPOL_PROTO_SCTP;
default:
ERR(handle, "invalid protocol %u " "found in policy", proto);
return STATUS_ERR;
--
1.9.3
From 69c757b3f0e42041c917d8a8c935449a1f17d6d2 Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Date: Thu, 6 Nov 2014 19:32:39 +0000
Subject: [PATCH] lksctp-tools: Add SELinux support to sctp_test
Add getcon, getpeercon and fgetfilecon to check each of the contexts
for sctp_test.c. This will allow testing of the SELinux kernel updates
to support SCTP.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
configure.ac | 3 +++
src/apps/Makefile.am | 4 ++++
src/apps/sctp_test.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 778dac5..c569083 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,6 +38,9 @@ AC_LIBTOOL_DLOPEN
AC_PROG_LIBTOOL
AC_SUBST(LIBTOOL_DEPS)
+AC_CHECK_LIB([selinux], [getcon])
+AM_CONDITIONAL([USE_SELINUX], [test $ac_cv_lib_selinux_getcon = yes])
+
dnl Checks for header files.
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
diff --git a/src/apps/Makefile.am b/src/apps/Makefile.am
index 7e33b9c..da0f889 100644
--- a/src/apps/Makefile.am
+++ b/src/apps/Makefile.am
@@ -10,6 +10,10 @@ AM_CPPFLAGS = -I. -I$(top_srcdir)/src/include -I$(top_srcdir)/src/testlib \
AM_LDFLAGS =
+if USE_SELINUX
+AM_CFLAGS = -DHAVE_SELINUX
+endif
+
LDADD = $(top_builddir)/src/testlib/libsctputil.la \
$(top_builddir)/src/lib/libsctp.la
diff --git a/src/apps/sctp_test.c b/src/apps/sctp_test.c
index 2aaf9d3..7ca3b49 100644
--- a/src/apps/sctp_test.c
+++ b/src/apps/sctp_test.c
@@ -60,6 +60,31 @@
#include <sys/resource.h>
+#if HAVE_SELINUX
+#include <selinux/selinux.h>
+#else
+/* Stubs for SELinux functions */
+static int is_selinux_enabled(void)
+{
+ return -1;
+}
+static int getcon(char **context)
+{
+ *context = NULL;
+ return -1;
+}
+static int getpeercon(int fd, char **context)
+{
+ *context = NULL;
+ return -1;
+}
+
+static int fgetfilecon(int fd, char **context)
+{
+ *context = NULL;
+ return -1;
+}
+#endif
#define REALLY_BIG 65536
@@ -172,6 +197,9 @@ struct sockaddr *connectx_addrs = NULL;
int connectx_count = 0;
int if_index = 0;
+char *context;
+const char *no_ctx = "unavailable";
+
unsigned char msg[] = "012345678901234567890123456789012345678901234567890";
static int msg_sizes[NCASES][MSG_CNT] =
@@ -266,6 +294,22 @@ void usage(char *argv0)
} /* usage() */
+void print_context(int fd, char *text)
+{
+ if (is_selinux_enabled() <= 0)
+ return;
+
+ if (getpeercon(fd, &context) < 0)
+ context = strdup(no_ctx);
+ DEBUG_PRINT(DEBUG_MIN, "\t%s peer context=%s\n", text, context);
+ free(context);
+
+ if (fgetfilecon(fd, &context) < 0)
+ context = strdup(no_ctx);
+ DEBUG_PRINT(DEBUG_MIN, "\t%s fd context=%s\n", text, context);
+ free(context);
+}
+
void *
build_msg(int len)
{
@@ -602,6 +646,7 @@ int socket_r(void)
}
}
DEBUG_PRINT(DEBUG_MIN, " -> sk=%d\n", sk);
+ print_context(sk, "create sock");
memset(&subscribe, 0, sizeof(subscribe));
subscribe.sctp_data_io_event = 1;
@@ -668,6 +713,7 @@ int bind_r(int sk, struct sockaddr_storage *saddr)
}
} while (error < 0 && i < MAX_BIND_RETRYS);
+ print_context(sk, "bind");
return 0;
} /* bind_r() */
@@ -730,7 +776,9 @@ int listen_r(int sk, int listen_count)
}
else return -1;
}
- return 0;
+
+ print_context(sk, "listen");
+ return 0;
} /* listen_r() */
@@ -746,6 +794,7 @@ int accept_r(int sk){
exit(1);
}
+ print_context(sk, "accept");
return subsk;
} /* accept_r() */
@@ -765,6 +814,8 @@ int connect_r(int sk, const struct sockaddr *serv_addr, socklen_t addrlen)
}
else return -1;
}
+
+ print_context(sk, "connect");
return 0;
} /* connect_r() */
@@ -865,8 +916,10 @@ int receive_r(int sk, int once)
fflush(stdout);
}
- if (print_message(recvsk, &inmessage, error) > 0)
+ if (print_message(recvsk, &inmessage, error) > 0) {
+ print_context(recvsk, "recvmsg");
continue; /* got a notification... */
+ }
inmessage.msg_control = incmsg;
inmessage.msg_controllen = sizeof(incmsg);
@@ -1051,6 +1104,8 @@ int send_r(int sk, int stream, int order, int send_size, int assoc_i)
}
}
+ print_context(sk, "sendmsg");
+
if (send_size > 0) free(message);
return 0;
error_out:
@@ -1254,6 +1309,7 @@ mixed_mode_test(void)
print_message(poll_sks[i].sk, &inmessage,
error);
+ print_context(poll_sks[i].sk, "recvmsg");
inmessage.msg_control = incmsg;
inmessage.msg_controllen = sizeof(incmsg);
@@ -1359,6 +1415,11 @@ void start_test(int role)
DEBUG_PRINT(DEBUG_NONE, "\nStarting tests...\n");
+ if (getcon(&context) < 0)
+ context = strdup(no_ctx);
+ DEBUG_PRINT(DEBUG_MIN, "\tProcess security context=%s\n", context);
+ free(context);
+
repeat_count = repeat;
--
1.9.3
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
