Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello. 

I am not using the Fedora policy, but in Reference Policy, if I comment out the line containing "system_u" in the files config/appconfig-{standard,mcs,mls}/seusers then the problem disappears... 

Regards, 

Guido 

Il 10 gennaio 2017 09:09:57 CET, Petr Lautrbach <plautrba@xxxxxxxxxx> ha scritto:
>On 01/09/2017 07:51 PM, Stephen Smalley wrote:
>> On Mon, 2017-01-09 at 19:46 +0100, Guido Trentalancia wrote:
>>> Hello, 
>>>
>>> the patch has been motivated by the fact that libsemanage currently
>>> searches for the user "system_u" in the passwd file and reports
>"user
>>> system_u not in passwd file".
>> 
>> Don't shoot the messenger. That warning is because the Fedora policy
>> wrongly has system_u in its seusers/login mapping as a login name. 
>We
>> should fix it there instead by removing that entry, which should not
>be
>> needed.
>
>This is supposed to be fixed in selinux-policy-3.13.1-219.fc25
>
>Currently there's no plan to backport it to Fedora 24 as genhomedircon
>in Fedora 24 still uses hardcoded system_u.
>
>
>>>
>>> Also, I have considered the notes in the file policy/users from
>>> Reference Policy.
>>>
>>> Finally, the prefix for system_u is wrongly set to "user_u" (it
>>> shouldn't have it).
>>>
>>> I have tested the patch and it seems to work fine.
>>>
>>> I hope it helps. 
>>>
>>> Kind regards, 
>>>
>>> Guido Trentalancia 
>>>
>>> On the 9th of January 2017 19:39:10 CET, Stephen Smalley
><sds@tycho.n
>>> sa.gov> wrote:
>>>>
>>>> On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote:
>>>>>
>>>>> The following patch makes sure that the SELinux identity
>>>>> reserved for system processes and objects is skipped
>>>>> when adding users.
>>>>>
>>>>> A warning is produced when a Unix identity is found to be
>>>>> equal to the SELinux user identity for system processes
>>>>> and objects.
>>>>>
>>>>> This patch also avoids creating an extra record for a user
>>>>> if there is no prefix.
>>>>
>>>> What problem are you encountering that motivated this patch?
>>>> What is a test case for this problem?
>>>> What is the behavior before and after this patch?
>>>>
>>>>>
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
>>>>> ---
>>>>>  include/semanage/user_record.h |    2 ++
>>>>>  src/genhomedircon.c            |   23 +++++++++++++++++++----
>>>>>  src/user_extra_record.c        |   39
>>>>> ++++++++++++++++++++++++++++++++-------
>>>>>  src/user_record.c              |   40 +++++++++++++++++++++++++-
>>>>> ----
>>>>> ----------
>>>>>  4 files changed, 78 insertions(+), 26 deletions(-)
>>>>>
>>>>> diff -pru a/include/semanage/user_record.h
>>>>> b/include/semanage/user_record.h
>>>>> --- a/include/semanage/user_record.h	2016-10-14
>>>>> 17:31:26.000000000 +0200
>>>>> +++ b/include/semanage/user_record.h	2016-12-28
>>>>> 23:22:50.848589870 +0100
>>>>> @@ -6,6 +6,8 @@
>>>>>  #include <stddef.h>
>>>>>  #include <semanage/handle.h>
>>>>>  
>>>>> +#define SYS_OBJECTS_USERID	"system_u"
>>>>> +
>>>>>  struct semanage_user;
>>>>>  typedef struct semanage_user semanage_user_t;
>>>>>  
>>>>> diff -pru a/src/genhomedircon.c b/src/genhomedircon.c
>>>>> --- a/src/genhomedircon.c	2016-10-14 17:31:26.000000000
>>>>> +0200
>>>>> +++ b/src/genhomedircon.c	2016-12-29 17:50:10.781727455
>>>>> +0100
>>>>> @@ -181,6 +181,9 @@ static int ignore(const char *homedir) {
>>>>>  static int prefix_is_homedir_role(const semanage_user_t *user,
>>>>>  				  const char *prefix)
>>>>>  {
>>>>> +	if (!prefix)
>>>>> +		return 0;
>>>>> +
>>>>>  	return strcmp(OBJECT_R, prefix) == 0 ||
>>>>>  		semanage_user_has_role(user, prefix);
>>>>>  }
>>>>> @@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin
>>>>>  		homedir_role = prefix;
>>>>>  	}
>>>>>  
>>>>> +	/* There should be no Unix identity corresponding
>>>>> +	 * to SELinux user reserved for system processes
>>>>> +	 * and objects */
>>>>>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen,
>>>>> &pwent);
>>>>> -	if (retval != 0 || pwent == NULL) {
>>>>> -		if (retval != 0 && retval != ENOENT) {
>>>>> +	if (strcmp(name, SYS_OBJECTS_USERID)) {
>>>>> +		if (retval != 0 || pwent == NULL) {
>>>>> +			if (retval != 0 && retval != ENOENT) {
>>>>> +				goto cleanup;
>>>>> +			}
>>>>> +
>>>>> +			WARN(s->h_semanage,
>>>>> +			     "user %s not in password file",
>>>>> name);
>>>>> +			retval = STATUS_SUCCESS;
>>>>>  			goto cleanup;
>>>>>  		}
>>>>> +	} else {
>>>>> +		if (retval)
>>>>> +			WARN(s->h_semanage,
>>>>> +			     "There should be no Unix identity
>>>>> \"%s\" !", SYS_OBJECTS_USERID);
>>>>>  
>>>>> -		WARN(s->h_semanage,
>>>>> -		     "user %s not in password file", name);
>>>>>  		retval = STATUS_SUCCESS;
>>>>>  		goto cleanup;
>>>>>  	}
>>>>> diff -pru a/src/user_extra_record.c b/src/user_extra_record.c
>>>>> --- a/src/user_extra_record.c	2016-10-14
>>>>> 17:31:26.000000000
>>>>> +0200
>>>>> +++ b/src/user_extra_record.c	2016-12-29
>>>>> 17:17:26.168737139
>>>>> +0100
>>>>> @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra
>>>>>  					   semanage_user_key_t
>>>>> **
>>>>> key_ptr)
>>>>>  {
>>>>>  
>>>>> -	if (semanage_user_key_create(handle, user_extra->name,
>>>>> key_ptr) < 0)
>>>>> -		goto err;
>>>>> +	if (user_extra)
>>>>> +		if (semanage_user_key_create(handle, user_extra-
>>>>>>
>>>>>> name, key_ptr) < 0)
>>>>> +			goto err;
>>>>>  
>>>>>  	return STATUS_SUCCESS;
>>>>>  
>>>>> @@ -54,7 +55,10 @@ static int semanage_user_extra_compare(c
>>>>>  	const char *name;
>>>>>  	semanage_user_key_unpack(key, &name);
>>>>>  
>>>>> -	return strcmp(user_extra->name, name);
>>>>> +	if (user_extra)
>>>>> +		return strcmp(user_extra->name, name);
>>>>> +	else
>>>>> +		return 1;
>>>>>  }
>>>>>  
>>>>>  static int semanage_user_extra_compare2(const
>>>>> semanage_user_extra_t
>>>>> *
>>>>> @@ -63,7 +67,10 @@ static int semanage_user_extra_compare2(
>>>>>  					user_extra2)
>>>>>  {
>>>>>  
>>>>> -	return strcmp(user_extra->name, user_extra2->name);
>>>>> +	if (user_extra && user_extra2)
>>>>> +		return strcmp(user_extra->name, user_extra2-
>>>>>> name);
>>>>> +	else
>>>>> +		return 1;
>>>>>  }
>>>>>  
>>>>>  static int semanage_user_extra_compare2_qsort(const
>>>>> semanage_user_extra_t **
>>>>> @@ -72,7 +79,10 @@ static int semanage_user_extra_compare2_
>>>>>  					      user_extra2)
>>>>>  {
>>>>>  
>>>>> -	return strcmp((*user_extra)->name, (*user_extra2)-
>>>>>> name);
>>>>> +	if (*user_extra && *user_extra2)
>>>>> +		return strcmp((*user_extra)->name,
>>>>> (*user_extra2)-
>>>>>>
>>>>>> name);
>>>>> +	else
>>>>> +		return 1;
>>>>>  }
>>>>>  
>>>>>  /* Name */
>>>>> @@ -80,7 +90,10 @@ hidden const char *semanage_user_extra_g
>>>>>  						user_extra)
>>>>>  {
>>>>>  
>>>>> -	return user_extra->name;
>>>>> +	if (user_extra)
>>>>> +		return user_extra->name;
>>>>> +	else
>>>>> +		return NULL;
>>>>>  }
>>>>>  
>>>>>  hidden int semanage_user_extra_set_name(semanage_handle_t *
>>>>> handle,
>>>>> @@ -88,6 +101,9 @@ hidden int semanage_user_extra_set_name(
>>>>>  					const char *name)
>>>>>  {
>>>>>  
>>>>> +	if (!user_extra)
>>>>> +		return STATUS_SUCCESS;
>>>>> +
>>>>>  	char *tmp_name = strdup(name);
>>>>>  	if (!tmp_name) {
>>>>>  		ERR(handle, "out of memory, could not set name
>>>>> %s "
>>>>> @@ -104,7 +120,10 @@ hidden const char *semanage_user_extra_g
>>>>>  						  user_extra)
>>>>>  {
>>>>>  
>>>>> -	return user_extra->prefix;
>>>>> +	if (user_extra)
>>>>> +		return user_extra->prefix;
>>>>> +	else
>>>>> +		return NULL;
>>>>>  }
>>>>>  
>>>>>  hidden int semanage_user_extra_set_prefix(semanage_handle_t *
>>>>> handle,
>>>>> @@ -112,6 +131,9 @@ hidden int semanage_user_extra_set_prefi
>>>>>  					  const char *prefix)
>>>>>  {
>>>>>  
>>>>> +	if (!user_extra)
>>>>> +		return STATUS_SUCCESS;
>>>>> +
>>>>>  	char *tmp_prefix = strdup(prefix);
>>>>>  	if (!tmp_prefix) {
>>>>>  		ERR(handle, "out of memory, could not set prefix
>>>>> %s
>>>>> "
>>>>> @@ -162,6 +184,9 @@ hidden int semanage_user_extra_clone(sem
>>>>>  				     semanage_user_extra_t **
>>>>> user_extra_ptr)
>>>>>  {
>>>>>  
>>>>> +	if (!user_extra)
>>>>> +		return STATUS_SUCCESS;
>>>>> +
>>>>>  	semanage_user_extra_t *new_user_extra = NULL;
>>>>>  
>>>>>  	if (semanage_user_extra_create(handle, &new_user_extra)
>>>>> < 0)
>>>>> diff -pru a/src/user_record.c b/src/user_record.c
>>>>> --- a/src/user_record.c	2016-10-14 17:31:26.000000000
>>>>> +0200
>>>>> +++ b/src/user_record.c	2016-12-29 19:23:11.783720792
>>>>> +0100
>>>>> @@ -313,6 +313,7 @@ hidden int semanage_user_join(semanage_h
>>>>>  {
>>>>>  
>>>>>  	const char *name;
>>>>> +	const char *prefix = NULL;
>>>>>  	semanage_user_t *tmp_user = calloc(1,
>>>>> sizeof(semanage_user_t));
>>>>>  	if (!tmp_user)
>>>>>  		goto omem;
>>>>> @@ -324,6 +325,9 @@ hidden int semanage_user_join(semanage_h
>>>>>  	else
>>>>>  		name = semanage_user_base_get_name(record1);
>>>>>  
>>>>> +	if (record2)
>>>>> +		prefix =
>>>>> semanage_user_extra_get_prefix(record2);
>>>>> +
>>>>>  	/* Join base record if it exists, create a blank one
>>>>> otherwise */
>>>>>  	if (record1) {
>>>>>  		if (semanage_user_base_clone(handle, record1,
>>>>> &tmp_user->base) <
>>>>> @@ -337,21 +341,27 @@ hidden int semanage_user_join(semanage_h
>>>>>  			goto err;
>>>>>  	}
>>>>>  
>>>>> -	/* Join extra record if it exists, create a blank one
>>>>> otherwise */
>>>>> -	if (record2) {
>>>>> -		if (semanage_user_extra_clone(handle, record2,
>>>>> &tmp_user->extra)
>>>>> -		    < 0)
>>>>> -			goto err;
>>>>> -	} else {
>>>>> -		if (semanage_user_extra_create(handle,
>>>>> &tmp_user-
>>>>>>
>>>>>> extra) < 0)
>>>>> -			goto err;
>>>>> -		if (semanage_user_extra_set_name(handle,
>>>>> tmp_user-
>>>>>>
>>>>>> extra, name)
>>>>> -		    < 0)
>>>>> -			goto err;
>>>>> -		if (semanage_user_extra_set_prefix
>>>>> -		    (handle, tmp_user->extra, "user") < 0)
>>>>> -			goto err;
>>>>> -	}
>>>>> +	/* SELinux identities without a prefix shall not have an
>>>>> extra record */
>>>>> +	if (prefix) { 
>>>>> +		/* Join extra record if it exists, create a
>>>>> blank
>>>>> one otherwise */
>>>>> +		if (record2) {
>>>>> +			if (&tmp_user->extra)
>>>>> +				if
>>>>> (semanage_user_extra_clone(handle, record2, &tmp_user->extra)
>>>>> +				    < 0)
>>>>> +					goto err;
>>>>> +		} else {
>>>>> +			if (semanage_user_extra_create(handle,
>>>>> &tmp_user->extra) < 0)
>>>>> +				goto err;
>>>>> +			if (semanage_user_extra_set_name(handle,
>>>>> tmp_user->extra, name)
>>>>> +			    < 0)
>>>>> +				goto err;
>>>>> +
>>>>> +			if (semanage_user_extra_set_prefix
>>>>> +			    (handle, tmp_user->extra, "user") <
>>>>> 0)
>>>>> +				goto err;
>>>>> +		}
>>>>> +	} else
>>>>> +		tmp_user->extra = NULL;
>>>>>  
>>>>>  	if (semanage_user_set_name(handle, tmp_user, name) < 0)
>>>>>  		goto err;
>>>>> _______________________________________________
>>>>> Selinux mailing list
>>>>> Selinux@xxxxxxxxxxxxx
>>>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>>>> To get help, send an email containing "help" to Selinux-request@t
>>>>> ycho
>>>>> .nsa.gov.
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to
>Selinux-request@xxxxxxxxxxxxx.
>> 

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux