Email: dwalsh@redhat.com
Subject: Help with python seobject.loginRecords
Date: Thu, 12 Mar 2009 09:29:17 -0400
On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue. firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly. For example, in
> add(), you do:
> self.begin()
> self.__add(name, sename, serange)
> self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
> def begin(self):
> if self.transaction:
> return
> rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Patch matchpathcon to eliminate file "/"
Date: Wed, 04 Mar 2009 15:39:31 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So
matchpathcon /etc/
Will work the same as
matchpathcon /etc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu5wMACgkQrlYvE4MpobNK4gCgiVeXXEZcCMsJKXM7jqh6r1u3
OScAoLcmXBIR63gpvA8RS3g07pcPC6IF
=e+Re
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
interface something like: int security_deny_unknown(void);
This interface can suggest applications preferable behavior when
string_to_security_class() or string_to_av_perm() returns invalid
value which means the security policy does not define required
ones.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.
This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.
This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
messages via netlink socket from SELinux.
* Two new callbacks were added to selinux_set_callback(3)
- SELINUX_CB_SETENFORCE
is invoked when it got SELNL_MSG_SETENFORCE message in the
avc_netlink_process().
- SELINUX_CB_POLICYLOAD
is invoked when it got SELNL_MSG_POLICYLOAD message in the
avc_netlink_process().
* Three functions were exposed to applications.
- int avc_netlink_open(int blocking);
- void avc_netlink_loop(void);
- void avc_netlink_close(void);
Due to a few reasons, SE-PostgreSQL implements its own userspace
avc, so it needs to copy and paste some of avc_internal.c.
This update enables to share common part from such kind of application.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Email: method@manicmethod.com
Subject: libsepol: fix boolean state smashing
Date: Wed, 18 Mar 2009 10:47:34 -0400
If a boolean is encountered in a require block before the place where it is
declared it currently gets created with the state set to false no matter what
the declared state was. This only affects booleans in modules where the boolean
was also required in another module. Patch below:
Signed-off-by: Joshua Brindle <method@manicmethod.com>
windows with selinux running. Part of the reason for this was because
libselinux called into the kernel /selinux/create interface for every
object. This patch caches the results of /selinux/create in the
userspace avc to significantly increase the speed of these types of
operations.
Revised to correct locking, interface issues.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: Several fixes to restorecond
Date: Tue, 17 Feb 2009 11:40:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Init script should be 755
libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.
restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.
So if a file has > 1 link and is an exact match complain, otherwise do not.
Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
The boundry format mapped the primary field to a boolean in the
properties bitmap. This is appropriate for the kernel policy, but in
modular policy the primary field may be an integer that indicates the
primary type that is being aliased. In this case, the primary value cannot
be assumed to be boolean.
This patch creates a new module format that writes out the primary value
as was done before the boundry format.
Signed-off-by: Caleb Case <ccase@tresys.com>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Make removing of a module a warning rather then an error.
Date: Tue, 13 Jan 2009 08:57:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This way if I say a command line
semodule -r mypol -i newmypol
and mypol was not there the semodule command does not error out.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklsnb0ACgkQrlYvE4MpobNwFACfTqc17wREKC2aAhLOIkfbqgeg
GxgAn2/ZBz5ljtyK1aiVkqoCBj98y9Ey
=I4uX
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add restorecon and install methods for libselinux python bindings.
Date: Tue, 06 Jan 2009 10:31:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>> Luke Macken wrote restorecon and install functions used in Fedora
>> Infrastructure which can be used to install files with the proper
>> context and to fix the labels of files/directories without having to
>> exec restorecon.
>
>> diff --exclude-from=exclude -N -u -r
>> nsalibselinux/src/selinuxswig_python.i
>> libselinux-2.0.75/src/selinuxswig_python.i
>> --- nsalibselinux/src/selinuxswig_python.i 2008-08-28
>> 09:34:24.000000000 -0400
>> +++ libselinux-2.0.75/src/selinuxswig_python.i 2008-11-14
>> 17:09:50.000000000 -0500
>> @@ -6,6 +6,32 @@
>> #include "selinux/selinux.h"
>> %}
>
>> +%pythoncode %{
>> +
>> +import shutil, os
>> +
>> +def restorecon(path, recursive=False):
>> + """ Restore SELinux context on a given path """
>> + mode = os.stat(path)[stat.ST_MODE]
>
>> stat doesn't exist here, perhaps he meant mode?
>
>> + status, context = matchpathcon(path, mode)
>> + if status == 0:
>> + lsetfilecon(path, context)
>> + if recursive:
>> + os.path.walk(path, lambda arg, dirname, fnames:
>> + map(restorecon, [os.path.join(dirname, fname)
>> + s for fname in fnames]),
>> None)
>
>> typo, the s causes a syntax error
>
>> +
>> +def copytree(src, dest):
>> + """ An SELinux-friendly shutil.copytree method """
>> + shutil.copytree(src, dest)
>> + restorecon(dest, recursive=True)
>> +
>> +def install(src, dest):
>> + """ An SELinux-friendly shutil.move method """
>> + shutil.move(src, dest)
>> + restorecon(dest, recursive=True)
>> +%}
>> +
>> /* security_get_boolean_names() typemap */
>> %typemap(argout) (char ***names, int *len) {
>> PyObject* list = PyList_New(*$2);
>
>> This patch doesn't appear correct, I'll fix the things above, have you
>> been testing this at all?
>
> Must have sent you a bad patch.
>
>
> This is what the current patch looks like.
>
And this is still broken.
One more fix.
+ mode = os.stat(path)[stat.ST_MODE]
should be
+ mode = os.lstat(path)[stat.ST_MODE]
Modified to remove copytree and install functions
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Problem in sepolgen
Date: Mon, 01 Dec 2008 11:51:19 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
self.roles does not exist, need to return length of dictionary.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk0FgYACgkQrlYvE4MpobP5HwCeNgjPTSPoqBQTXa14ZA9Jc0ww
yycAoNWJhg78BXm4L5Vg9cNAdNa7ggfD
=Uz8t
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Change semanage/seobject to use semanage_mls_enabled() rather than
is_selinux_mls_enabled(). I dropped the mls enabled tests altogether
from the semanage front-end script since setting up a handle is done by
seobject.py; if those checks are actually important, we could move them
inside of the seobject methods, but I'm not clear on the real benefit of
those checks. In seobject.py, I moved the setting of the is_mls_enabled
variable inside of get_handle(store) after the connect. I also dropped
the is_mls_enabled test from setransRecords since no handle/connection
exists there (since translations are not managed via libsemanage), and
again I'm not clear that the check there was overly important/useful.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a semanage_mls_enabled() interface to libsemanage so that
semanage/seobject can be rewritten to use it to test whether MLS is
enabled for a given policy store rather than checking the runtime MLS
enabled status, which can be misleading when using semanage on a
SELinux-disabled host or when using semanage on a store other than the
active one. Sample usage:
from semanage import *
handle = semanage_handle_create()
rc = semanage_connect(handle)
rc = semanage_mls_enabled(handle)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>