On Tuesday, 8 March 2016, 1:32, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:

> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
>> On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>
>>> On 03/07/2016 10:41 AM, Richard Haines wrote:
>>>
>>>> On Saturday, 5 March 2016, 14:48, Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
>>>>
>>>>> On Friday, 4 March 2016, 21:18, "Roberts, William C" <william.c.roberts@xxxxxxxxx> wrote:
>>>>>
>>>>>> How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?
>>>>>>
>>>>>> I've been digging around libsepol and it's not quite clear to me.
>>>>>>
>>>>>> It looks as though the record is here:
>>>>>>
>>>>>>     /* pol.db / pol.handle: the policydb and handle from an earlier libsepol load */
>>>>>>     context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>>>>     context_struct_t *b = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>>>>
>>>>>>     printf("%u\n", a->type);
>>>>>>     printf("%u\n", b->type);
>>>>>>
>>>>>> Prints:
>>>>>>
>>>>>>     185
>>>>>>     0
>>>>>>
>>>>>> Not sure if this is right, and how to format the context struct to a string. I didn't see any helpers.
>>>>>
>>>>> I've attached an example, hope it's useful.
>>>>
>>>> I've updated the example with more detail, and it displays the SID name using the SID value, not the counter.
>>>
>>> Any particular reason you didn't use sepol_sid_to_context()?
>>
>> I guess context_to_string() on the context structure would work better for your purposes. sepol_sid_to_context() would require loading the sidtab via policydb_load_isids() and setting the internal policydb to the one you loaded via sepol_set_policydb().
> Seems as though it's not an exported API, but it does indeed print something:
>
> code:
>
>     /* pol.db / pol.handle: the policydb and handle from an earlier libsepol load */
>     char *s;
>     size_t len;
>     context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
>
>     int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, &len);
>
>     printf("rc: %d\n", rc);
>     printf("con: %s\n", s);
>
> prints:
>
>     rc: 0
>     con: u:object_r:null_device:s0
>
> However, I am after the initial SID for file, which this isn't... is it in the ocontexts array under a different index?

From what I can see, the only ways for you to get the context of a specifically named initial SID are to:

1) If working on the active policy, then read /sys/fs/selinux/initial_contexts for the specific name.

2) If working on a binary policy that has been loaded by libsepol for investigation, then I guess the official answer would be "you cannot do this", simply because the names are not held in the binary policy. What you could do is:

   a) Load the initial_sid_to_string.h or the policy initial_sids file and search through it for a match. This will give the offset and would (by magic) give the initial SID value (e.g. "file" = 5), as it just so happens that the initial SIDs start at '1' in a standard SELinux system. You can then obtain the context string.

   b) Or you could just say they start at 1 and I know "file" is the 5th entry !!

   c) Modify policy, kernel etc. to add the names.

Unless someone knows another way !!!!

> Bill
>
> --
> Respectfully,
>
> William C Roberts

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
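Richard's option (a), worked through as an added example that is not code from this thread or from libsepol. It assumes a stand-in `struct isid_node` for one node of libsepol's `policydb_t.ocontexts[OCON_ISID]` list (the real `ocontext_t` carries the numeric SID in `sid[0]`, the context in `context[0]`, and `next`; the numeric SID is written to the binary policy, the name is not), with the context already rendered to the string that `context_to_string()` would produce, so the example runs without libsepol. The name table is a copy of the kernel's `initial_sid_to_string.h` of that era, where the array index is the SID value. The sample list is constructed and deliberately not in SID order, so that the first node is the devnull context, as it was in the thread: the lookup must match on the stored SID value, not on list position.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not from the thread or from libsepol.
 *
 * Copy of the kernel's initial_sid_to_string[]: index == initial SID value.
 * Index 0 ("null") is not a real SID, so "kernel" is 1 and "file" is 5.
 */
static const char *const initial_sid_to_string[] = {
    "null", "kernel", "security", "unlabeled", "fs", "file", "file_labels",
    "init", "any_socket", "port", "netif", "netmsg", "node", "igmp_packet",
    "icmp_socket", "tcp_socket", "sysctl_modprobe", "sysctl", "sysctl_fs",
    "sysctl_kernel", "sysctl_net", "sysctl_net_unix", "sysctl_vm", "sysctl_dev",
    "kmod", "policy", "scmp_packet", "devnull",
};
#define INITIAL_SID_NUM (sizeof(initial_sid_to_string) / sizeof(initial_sid_to_string[0]))

/*
 * Stand-in (assumption) for one node of policydb_t.ocontexts[OCON_ISID].
 * libsepol's ocontext_t has sid[0] (numeric initial SID, present in the binary
 * policy), context[0] (a context_struct_t, rendered by context_to_string()),
 * and next. Here the rendered string is stored directly.
 */
struct isid_node {
    unsigned int sid;          /* ocontext_t.sid[0] */
    const char *context;       /* what context_to_string(&ocontext_t.context[0]) yields */
    struct isid_node *next;    /* ocontext_t.next */
};

/* Step 1: name -> SID value via the table offset; -1 if the name is unknown. */
int initial_sid_number(const char *name)
{
    for (size_t i = 1; i < INITIAL_SID_NUM; i++)
        if (strcmp(initial_sid_to_string[i], name) == 0)
            return (int)i;
    return -1;
}

/* Step 2: walk the list and match on the stored SID value, never on position. */
const char *isid_context_by_sid(const struct isid_node *head, unsigned int sid)
{
    for (const struct isid_node *c = head; c != NULL; c = c->next)
        if (c->sid == sid)
            return c->context;
    return NULL;   /* policy does not define a context for that initial SID */
}

/* Combined lookup: equivalent of reading /sys/fs/selinux/initial_contexts/<name>. */
const char *initial_context(const struct isid_node *head, const char *name)
{
    int sid = initial_sid_number(name);
    return sid < 0 ? NULL : isid_context_by_sid(head, (unsigned int)sid);
}

/*
 * Constructed sample list (not real policy data), out of SID order on purpose:
 * the head node is devnull (SID 27), as in the thread where context[0] of the
 * first node printed as u:object_r:null_device:s0 instead of the file context.
 */
static struct isid_node sample_file    = { 5,  "u:object_r:unlabeled:s0",   NULL };
static struct isid_node sample_kernel  = { 1,  "u:r:kernel:s0",             &sample_file };
static struct isid_node sample_devnull = { 27, "u:object_r:null_device:s0", &sample_kernel };
const struct isid_node *sample_isids = &sample_devnull;

int main(void)
{
    const char *names[] = { "file", "kernel", "devnull", "file_labels", "bogus" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *ctx = initial_context(sample_isids, names[i]);
        printf("%-12s sid=%3d context=%s\n", names[i],
               initial_sid_number(names[i]), ctx ? ctx : "(not found)");
    }

    /* What indexing the first node gives you, as in the thread: not "file". */
    printf("head node:   sid=%3u context=%s\n", sample_isids->sid, sample_isids->context);
    return 0;
}
```

With real libsepol data the same two steps apply: take the SID value from the table offset, walk `ocontexts[OCON_ISID]` comparing `c->sid[0]`, and only then call `context_to_string()` on `&c->context[0]`. A name missing from the table or a SID with no context in the policy both come back as "not found" rather than silently returning the head node.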