Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 01/09/2017 07:51 PM, Stephen Smalley wrote:
> On Mon, 2017-01-09 at 19:46 +0100, Guido Trentalancia wrote:
>> Hello, 
>>
>> the patch has been motivated by the fact that libsemanage currently
>> searches for the user "system_u" in the passwd file and reports "user
>> system_u not in passwd file".
> 
> Don't shoot the messenger. That warning is because the Fedora policy
> wrongly has system_u in its seusers/login mapping as a login name.  We
> should fix it there instead by removing that entry, which should not be
> needed.

This is supposed to be fixed in selinux-policy-3.13.1-219.fc25

Currently there's no plan to backport it to Fedora 24 as genhomedircon
in Fedora 24 still uses hardcoded system_u.


>>
>> Also, I have considered the notes in the file policy/users from
>> Reference Policy.
>>
>> Finally, the prefix for system_u is wrongly set to "user_u" (it
>> shouldn't have it).
>>
>> I have tested the patch and it seems to work fine.
>>
>> I hope it helps. 
>>
>> Kind regards, 
>>
>> Guido Trentalancia 
>>
>> On the 9th of January 2017 19:39:10 CET, Stephen Smalley <sds@tycho.n
>> sa.gov> wrote:
>>>
>>> On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote:
>>>>
>>>> The following patch makes sure that the SELinux identity
>>>> reserved for system processes and objects is skipped
>>>> when adding users.
>>>>
>>>> A warning is produced when a Unix identity is found to be
>>>> equal to the SELinux user identity for system processes
>>>> and objects.
>>>>
>>>> This patch also avoids creating an extra record for a user
>>>> if there is no prefix.
>>>
>>> What problem are you encountering that motivated this patch?
>>> What is a test case for this problem?
>>> What is the behavior before and after this patch?
>>>
>>>>
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
>>>> ---
>>>>  include/semanage/user_record.h |    2 ++
>>>>  src/genhomedircon.c            |   23 +++++++++++++++++++----
>>>>  src/user_extra_record.c        |   39
>>>> ++++++++++++++++++++++++++++++++-------
>>>>  src/user_record.c              |   40 +++++++++++++++++++++++++-
>>>> ----
>>>> ----------
>>>>  4 files changed, 78 insertions(+), 26 deletions(-)
>>>>
>>>> diff -pru a/include/semanage/user_record.h
>>>> b/include/semanage/user_record.h
>>>> --- a/include/semanage/user_record.h	2016-10-14
>>>> 17:31:26.000000000 +0200
>>>> +++ b/include/semanage/user_record.h	2016-12-28
>>>> 23:22:50.848589870 +0100
>>>> @@ -6,6 +6,8 @@
>>>>  #include <stddef.h>
>>>>  #include <semanage/handle.h>
>>>>  
>>>> +#define SYS_OBJECTS_USERID	"system_u"
>>>> +
>>>>  struct semanage_user;
>>>>  typedef struct semanage_user semanage_user_t;
>>>>  
>>>> diff -pru a/src/genhomedircon.c b/src/genhomedircon.c
>>>> --- a/src/genhomedircon.c	2016-10-14 17:31:26.000000000
>>>> +0200
>>>> +++ b/src/genhomedircon.c	2016-12-29 17:50:10.781727455
>>>> +0100
>>>> @@ -181,6 +181,9 @@ static int ignore(const char *homedir) {
>>>>  static int prefix_is_homedir_role(const semanage_user_t *user,
>>>>  				  const char *prefix)
>>>>  {
>>>> +	if (!prefix)
>>>> +		return 0;
>>>> +
>>>>  	return strcmp(OBJECT_R, prefix) == 0 ||
>>>>  		semanage_user_has_role(user, prefix);
>>>>  }
>>>> @@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin
>>>>  		homedir_role = prefix;
>>>>  	}
>>>>  
>>>> +	/* There should be no Unix identity corresponding
>>>> +	 * to SELinux user reserved for system processes
>>>> +	 * and objects */
>>>>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen,
>>>> &pwent);
>>>> -	if (retval != 0 || pwent == NULL) {
>>>> -		if (retval != 0 && retval != ENOENT) {
>>>> +	if (strcmp(name, SYS_OBJECTS_USERID)) {
>>>> +		if (retval != 0 || pwent == NULL) {
>>>> +			if (retval != 0 && retval != ENOENT) {
>>>> +				goto cleanup;
>>>> +			}
>>>> +
>>>> +			WARN(s->h_semanage,
>>>> +			     "user %s not in password file",
>>>> name);
>>>> +			retval = STATUS_SUCCESS;
>>>>  			goto cleanup;
>>>>  		}
>>>> +	} else {
>>>> +		if (retval)
>>>> +			WARN(s->h_semanage,
>>>> +			     "There should be no Unix identity
>>>> \"%s\" !", SYS_OBJECTS_USERID);
>>>>  
>>>> -		WARN(s->h_semanage,
>>>> -		     "user %s not in password file", name);
>>>>  		retval = STATUS_SUCCESS;
>>>>  		goto cleanup;
>>>>  	}
>>>> diff -pru a/src/user_extra_record.c b/src/user_extra_record.c
>>>> --- a/src/user_extra_record.c	2016-10-14
>>>> 17:31:26.000000000
>>>> +0200
>>>> +++ b/src/user_extra_record.c	2016-12-29
>>>> 17:17:26.168737139
>>>> +0100
>>>> @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra
>>>>  					   semanage_user_key_t
>>>> **
>>>> key_ptr)
>>>>  {
>>>>  
>>>> -	if (semanage_user_key_create(handle, user_extra->name,
>>>> key_ptr) < 0)
>>>> -		goto err;
>>>> +	if (user_extra)
>>>> +		if (semanage_user_key_create(handle, user_extra-
>>>>>
>>>>> name, key_ptr) < 0)
>>>> +			goto err;
>>>>  
>>>>  	return STATUS_SUCCESS;
>>>>  
>>>> @@ -54,7 +55,10 @@ static int semanage_user_extra_compare(c
>>>>  	const char *name;
>>>>  	semanage_user_key_unpack(key, &name);
>>>>  
>>>> -	return strcmp(user_extra->name, name);
>>>> +	if (user_extra)
>>>> +		return strcmp(user_extra->name, name);
>>>> +	else
>>>> +		return 1;
>>>>  }
>>>>  
>>>>  static int semanage_user_extra_compare2(const
>>>> semanage_user_extra_t
>>>> *
>>>> @@ -63,7 +67,10 @@ static int semanage_user_extra_compare2(
>>>>  					user_extra2)
>>>>  {
>>>>  
>>>> -	return strcmp(user_extra->name, user_extra2->name);
>>>> +	if (user_extra && user_extra2)
>>>> +		return strcmp(user_extra->name, user_extra2-
>>>>> name);
>>>> +	else
>>>> +		return 1;
>>>>  }
>>>>  
>>>>  static int semanage_user_extra_compare2_qsort(const
>>>> semanage_user_extra_t **
>>>> @@ -72,7 +79,10 @@ static int semanage_user_extra_compare2_
>>>>  					      user_extra2)
>>>>  {
>>>>  
>>>> -	return strcmp((*user_extra)->name, (*user_extra2)-
>>>>> name);
>>>> +	if (*user_extra && *user_extra2)
>>>> +		return strcmp((*user_extra)->name,
>>>> (*user_extra2)-
>>>>>
>>>>> name);
>>>> +	else
>>>> +		return 1;
>>>>  }
>>>>  
>>>>  /* Name */
>>>> @@ -80,7 +90,10 @@ hidden const char *semanage_user_extra_g
>>>>  						user_extra)
>>>>  {
>>>>  
>>>> -	return user_extra->name;
>>>> +	if (user_extra)
>>>> +		return user_extra->name;
>>>> +	else
>>>> +		return NULL;
>>>>  }
>>>>  
>>>>  hidden int semanage_user_extra_set_name(semanage_handle_t *
>>>> handle,
>>>> @@ -88,6 +101,9 @@ hidden int semanage_user_extra_set_name(
>>>>  					const char *name)
>>>>  {
>>>>  
>>>> +	if (!user_extra)
>>>> +		return STATUS_SUCCESS;
>>>> +
>>>>  	char *tmp_name = strdup(name);
>>>>  	if (!tmp_name) {
>>>>  		ERR(handle, "out of memory, could not set name
>>>> %s "
>>>> @@ -104,7 +120,10 @@ hidden const char *semanage_user_extra_g
>>>>  						  user_extra)
>>>>  {
>>>>  
>>>> -	return user_extra->prefix;
>>>> +	if (user_extra)
>>>> +		return user_extra->prefix;
>>>> +	else
>>>> +		return NULL;
>>>>  }
>>>>  
>>>>  hidden int semanage_user_extra_set_prefix(semanage_handle_t *
>>>> handle,
>>>> @@ -112,6 +131,9 @@ hidden int semanage_user_extra_set_prefi
>>>>  					  const char *prefix)
>>>>  {
>>>>  
>>>> +	if (!user_extra)
>>>> +		return STATUS_SUCCESS;
>>>> +
>>>>  	char *tmp_prefix = strdup(prefix);
>>>>  	if (!tmp_prefix) {
>>>>  		ERR(handle, "out of memory, could not set prefix
>>>> %s
>>>> "
>>>> @@ -162,6 +184,9 @@ hidden int semanage_user_extra_clone(sem
>>>>  				     semanage_user_extra_t **
>>>> user_extra_ptr)
>>>>  {
>>>>  
>>>> +	if (!user_extra)
>>>> +		return STATUS_SUCCESS;
>>>> +
>>>>  	semanage_user_extra_t *new_user_extra = NULL;
>>>>  
>>>>  	if (semanage_user_extra_create(handle, &new_user_extra)
>>>> < 0)
>>>> diff -pru a/src/user_record.c b/src/user_record.c
>>>> --- a/src/user_record.c	2016-10-14 17:31:26.000000000
>>>> +0200
>>>> +++ b/src/user_record.c	2016-12-29 19:23:11.783720792
>>>> +0100
>>>> @@ -313,6 +313,7 @@ hidden int semanage_user_join(semanage_h
>>>>  {
>>>>  
>>>>  	const char *name;
>>>> +	const char *prefix = NULL;
>>>>  	semanage_user_t *tmp_user = calloc(1,
>>>> sizeof(semanage_user_t));
>>>>  	if (!tmp_user)
>>>>  		goto omem;
>>>> @@ -324,6 +325,9 @@ hidden int semanage_user_join(semanage_h
>>>>  	else
>>>>  		name = semanage_user_base_get_name(record1);
>>>>  
>>>> +	if (record2)
>>>> +		prefix =
>>>> semanage_user_extra_get_prefix(record2);
>>>> +
>>>>  	/* Join base record if it exists, create a blank one
>>>> otherwise */
>>>>  	if (record1) {
>>>>  		if (semanage_user_base_clone(handle, record1,
>>>> &tmp_user->base) <
>>>> @@ -337,21 +341,27 @@ hidden int semanage_user_join(semanage_h
>>>>  			goto err;
>>>>  	}
>>>>  
>>>> -	/* Join extra record if it exists, create a blank one
>>>> otherwise */
>>>> -	if (record2) {
>>>> -		if (semanage_user_extra_clone(handle, record2,
>>>> &tmp_user->extra)
>>>> -		    < 0)
>>>> -			goto err;
>>>> -	} else {
>>>> -		if (semanage_user_extra_create(handle,
>>>> &tmp_user-
>>>>>
>>>>> extra) < 0)
>>>> -			goto err;
>>>> -		if (semanage_user_extra_set_name(handle,
>>>> tmp_user-
>>>>>
>>>>> extra, name)
>>>> -		    < 0)
>>>> -			goto err;
>>>> -		if (semanage_user_extra_set_prefix
>>>> -		    (handle, tmp_user->extra, "user") < 0)
>>>> -			goto err;
>>>> -	}
>>>> +	/* SELinux identities without a prefix shall not have an
>>>> extra record */
>>>> +	if (prefix) { 
>>>> +		/* Join extra record if it exists, create a
>>>> blank
>>>> one otherwise */
>>>> +		if (record2) {
>>>> +			if (&tmp_user->extra)
>>>> +				if
>>>> (semanage_user_extra_clone(handle, record2, &tmp_user->extra)
>>>> +				    < 0)
>>>> +					goto err;
>>>> +		} else {
>>>> +			if (semanage_user_extra_create(handle,
>>>> &tmp_user->extra) < 0)
>>>> +				goto err;
>>>> +			if (semanage_user_extra_set_name(handle,
>>>> tmp_user->extra, name)
>>>> +			    < 0)
>>>> +				goto err;
>>>> +
>>>> +			if (semanage_user_extra_set_prefix
>>>> +			    (handle, tmp_user->extra, "user") <
>>>> 0)
>>>> +				goto err;
>>>> +		}
>>>> +	} else
>>>> +		tmp_user->extra = NULL;
>>>>  
>>>>  	if (semanage_user_set_name(handle, tmp_user, name) < 0)
>>>>  		goto err;
>>>> _______________________________________________
>>>> Selinux mailing list
>>>> Selinux@xxxxxxxxxxxxx
>>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>>> To get help, send an email containing "help" to Selinux-request@t
>>>> ycho
>>>> .nsa.gov.
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> 

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux