Re: [PATCH 1/3] secilc/docs: selinuxuser actually takes a string not identifier


 



On Tue, Aug 30, 2022 at 4:45 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Sun, Aug 28, 2022 at 8:18 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
> >
> > Update parameter table and add note to example.
> > This can very easily lead to confusion, because secilc does not reject
> > e.g. (selinuxuser "admin_1" admin low_low).
> >
> > Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@xxxxxxxxx>
> > ---
> >   secilc/docs/cil_user_statements.md | 5 +++--
> >   1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> > index d5674f12..45a52140 100644
> > --- a/secilc/docs/cil_user_statements.md
> > +++ b/secilc/docs/cil_user_statements.md
> > @@ -429,7 +429,7 @@ Associates a GNU/Linux user to a previously declared [`user`](cil_user_statement
> >   </tr>
> >   <tr class="odd">
> >   <td align="left"><p><code>user_id</code></p></td>
> > -<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
> > +<td align="left"><p>A <b>string</b> referencing a previously declared SELinux <code>user</code> identifier.</p></td>
> >   </tr>
> >   <tr class="even">
> >   <td align="left"><p><code>userrange_id</code></p></td>
> > @@ -445,7 +445,8 @@ This example will associate `unconfined.admin` user with a GNU / Linux user "`ad
> >   ```secil
> >       (block unconfined
> >           (user admin)
> > -        (selinuxuser admin_1 admin low_low)
> > +        ; XXX: Because the user_id is a string, the fully qualified identifier needs to be used here:
> > +        (selinuxuser "admin_1" "unconfined.admin" low_low)
>
> I don't see this behavior.
>
> The following:
> (block b2
>   (user user2_u)
>   (userrole user2_u ROLE)
>   (userlevel user2_u (SENS))
>   (userrange user2_u ((SENS) (SENS (CAT))))
>   (userprefix user2_u user2)
>   (selinuxuser name2 user2_u ((SENS) (SENS (CAT))))
> )
> Gives me:
> name2:b2.user2_u:SENS-SENS:CAT
>
> It works with quotes as well, but it doesn't require them.
>
> The following:
> (block b3
>   (user user3_u)
>   (userrole user3_u ROLE)
>   (userlevel user3_u (SENS))
>   (userrange user3_u ((SENS) (SENS (CAT))))
>   (userprefix user3_u user3)
>   (selinuxuser "name3" "user3_u" ((SENS) (SENS (CAT))))
> )
> Gives me:
> name3:b3.user3_u:SENS-SENS:CAT
>
> Thanks,
> Jim

Attached is the policy I used to test and a program that calls
cil_selinuxusers_to_string().
Jim

Attachment: test_user_rules.cil
Description: application/vnd.ms-artgalry

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>

#include <sepol/cil/cil.h>
#include <sepol/policydb.h>

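/*
 * Render the selinuxuser rules of a compiled CIL db and print them to
 * stdout, framed by two marker lines so they stand out from other output.
 *
 * @param db  compiled CIL database (cil_compile() must already have run)
 * @return    SEPOL_OK (0) on success, otherwise the error code returned
 *            by cil_selinuxusers_to_string(), unchanged
 *
 * Nothing is printed when the rendered string is empty.
 */
static int write_out_selinuxusers(struct cil_db *db)
{
	char *data = NULL;
	size_t size = 0;

	int rc = cil_selinuxusers_to_string(db, &data, &size);
	if (rc != SEPOL_OK) {
		return rc;
	}

	if (size > 0) {
		printf("####################\n");
		/* Emit exactly `size` bytes (as the per-character loop did)
		 * rather than trusting a terminator we have not verified. */
		fwrite(data, 1, size, stdout);
		printf("####################\n");
	}

	/* The buffer is allocated for the caller by
	 * cil_selinuxusers_to_string(); release it instead of leaking it. */
	free(data);

	return 0;
}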

/*
gcc -I/home/jim/local/usr/include -L/home/jim/local/usr/lib -lsepol -o get_selinuxusers get_selinuxusers.c
*/
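/*
 * Entry point: load every CIL file named on the command line into one
 * cil_db, compile it, and print the resulting selinuxuser rules.
 *
 * @param argc  argument count; at least one file name is required
 * @param argv  argv[1..argc-1] are paths of CIL source files
 * @return      SEPOL_OK on success, SEPOL_ERR or the libsepol error code
 *              on failure
 *
 * Every failure path goes through the `exit` label so that the open
 * stream, the read buffer and the db are always released.
 */
int main(int argc, char *argv[])
{
	struct cil_db *db = NULL;
	FILE *file = NULL;
	char *buffer = NULL;
	int rc = SEPOL_ERR;

	if (argc < 2) {
		fprintf(stderr, "No cil files specified\n");
		goto exit;
	}

	cil_set_log_level(CIL_ERR);

	cil_db_init(&db);
	cil_set_mls(db, 1);
	cil_set_preserve_tunables(db, 0);
	cil_set_qualified_names(db, 0);
	cil_set_attrs_expand_generated(db, 0);
	cil_set_attrs_expand_size(db, 0);

	for (int i = 1; i < argc; i++) {
		struct stat filedata;
		size_t file_size;
		size_t nread;

		file = fopen(argv[i], "r");
		if (!file) {
			fprintf(stderr, "Could not open file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		/* Query the stream we already hold instead of the path again:
		 * the size then describes the file we are about to read, not
		 * whatever the path points at a moment later. */
		if (fstat(fileno(file), &filedata) == -1) {
			fprintf(stderr, "Could not stat file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		/* st_size is only meaningful for regular files. */
		if (!S_ISREG(filedata.st_mode)) {
			fprintf(stderr, "Not a regular file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		/* Keep the full off_t width; the original truncated to uint32_t. */
		file_size = (size_t)filedata.st_size;

		/* malloc(0) may legitimately return NULL, so always request at
		 * least one byte; an empty policy file is then not an error. */
		buffer = malloc(file_size > 0 ? file_size : 1);
		if (!buffer) {
			fprintf(stderr, "Out of memory reading file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}

		nread = fread(buffer, 1, file_size, file);
		if (nread != file_size) {
			fprintf(stderr, "Failure reading file: %s\n", argv[i]);
			rc = SEPOL_ERR;
			goto exit;
		}
		fclose(file);
		file = NULL;

		rc = cil_add_file(db, argv[i], buffer, file_size);
		if (rc != SEPOL_OK) {
			fprintf(stderr, "Failure adding %s\n", argv[i]);
			goto exit;
		}

		free(buffer);
		buffer = NULL;
	}

	rc = cil_compile(db);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to compile CIL policy\n");
		goto exit;
	}

	rc = write_out_selinuxusers(db);
	if (rc != SEPOL_OK) {
		fprintf(stderr, "Failed to write selinux users\n");
		goto exit;
	}

exit:
	/* fclose(NULL) is undefined, so only close a stream still open from
	 * an early exit inside the loop. */
	if (file) {
		fclose(file);
	}
	free(buffer);
	cil_db_destroy(&db);
	return rc;
}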

