Commit Graph

11 Commits

Author SHA1 Message Date
Eamon Walsh
70aeeb918a This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:
  ------------------------
  #
  # The specfile for database objects
  # (for SE-PostgreSQL)
  #
  # <object class> <object name> <security context>
  #
  db_database     *               system_u:object_r:sepgsql_db_t:s0

  db_schema       *.pg_catalog    system_u:obejct_r:sepgsql_sys_schema_t:s0
  db_schema       *.*             system_u:object_r:sepgsql_schema_t:s0

  db_table        *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
  db_table        *.*.*           system_u:object_r:sepgsql_table_t:s0
  ------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first match security context.

Note that hierarchy of the namespace of database objects depends on RDBMS.
So, author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we lookup an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

In the default, it tries to read a specfile which maps database objects and security
context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-15 19:01:30 -04:00
Eamon Walsh
61d005b739 libselinux: fix avc_netlink_loop() error caused by nonblocking mode.
avc_open() creates the netlink socket in nonblocking mode.  If the
application later takes control of the netlink socket with
avc_netlink_acquire_fd() and then calls avc_netlink_loop(), it
will fail with EWOULDBLOCK.

To remedy this, remove the O_NONBLOCK flag from the netlink socket
at the start of avc_netlink_loop().  Also, with this fix, there is
no need for avc_open() to ever create a blocking socket, so change
that and update the man page.

-v2: use poll() in avc_netlink_check_nb().  This makes both
avc_netlink_loop() and avc_netlink_check_nb() independent of the
O_NONBLOCK flag.

-v3: move poll() to avc_receive() internal function; patch by
KaiGai Kohei <kaigai@kaigai.gr.jp>

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-08 18:15:53 -05:00
Joshua Brindle
48412c3930 Author: Guido Trentalancia
Email: guido@trentalancia.com
Subject: Contributed manual pages for libselinux
Date: Sat, 21 Nov 2009 20:51:17 +0100

Hello Eamon !

On Fri, 2009-11-20 at 21:42 -0500, Eamon Walsh wrote:

> Hi, thanks for doing this.  Some quick review below.

You are welcome, I suppose it was a boring task for many...

Thanks very much for reviewing the changes. And please accept my
apologies for not placing "[PATCH]" in the subject of the original post.
I had just subscribed to the list.

I left you cc address intact here...

> There is too much in matchpathcon(3) now.  It's going to need to be
> split up into different pages, perhaps the init/fini/teardown stuff in
> one page, the lookup calls in another, and the non-matchpathcon prefixed
> calls in a third page.
>
> Also, .so manpage links are needed for all the calls here.

Yes, matchpathcon is a mess. Following your guidelines, I have now
splitted the huge and messy page in several different man pages. It's
easier to consult and easier to maintain.

The first part (page) is strictly related to _init, its variant
_init_index, _fini, matchpathcon and its variant matchpathcon_index.
Nice and concise. References are provided in the "SEE ALSO" section to
the rest.

The second page describes the auxiliary lookup calls
(matchpathcon_checkmatches) and the inode associations functions
(matchpathcon_filespec_{add,destroy,eval}). The reference section points
to the main matchpathcon page.

A third page has been created for the functions that are used to set the
flags (set_matchpathcon_flags) or to configure the behaviour of the main
matchpathcon functions (set_matchpathcon_invalidcon and
set_matchpathcon_printf).

A fourth and fifth page is devoted to functions that should never had
ended up in matchpathcon (selinux_file_context_cmp and
selinux_file_context_verify in one page and selinux_lsetfilecon_default
in another one): we do not really need to save electrons needed for new
pages...

>
>
> > * print_access_vector
> >
>
> Looks good.

No modifications.

> > * security_disable
> >
>
> See the selinux.h comments for this.  It needs to be documented that
> this function can only be called at startup time.

Ok. I have stressed that now and also mentioned that after the policy
has been loaded at startup, then only "setenforce" can be used to alter
(not disable) the mode of the SELinux kernel code (for example by
placing it into "permissive" mode).

> > * security_set_boolean_list
> >
>
> a RETURN VALUE section is needed in this page, documenting at least this
> call if not the others in that page.

I have now added a "RETURN VALUE" section.

Also, to avoid confusion, I have rephrased the word "returns" in
"provides" when not strictly referring the to the return value of the
function (take for example security_get_boolean_names(), strictly
speaking the function returns an integer representing 0=success or
-1=failure, although from a conceptual point of view it also returns a
list trough modification of one of its parameters passed by reference).

Usually when an application developer looks at the "RETURN VALUE"
section it is because he/she has already planned/coded the call to the
function (and thus also the handling to parameters passed by reference)
and only needs to check for the function exit status so that it can be
handled properly at the call point.

> > * selinux_check_passwd_access
> >
>
> This is a replacement for the inconsistently named "checkPasswdAccess"
> function.  So, the existing description of checkPasswdAccess should be
> moved to this function, and checkPasswdAccess should be changed to "this
> is a deprecated alias for selinux_check_passwd_access".

Yes, I have now mentioned that checkPasswdAccess is deprecated. We are
referring to file security_compute_av.3 as the description of these two
functions lives there...

By the way, it has been pointed out that this function should not
hard-code a string. I also agree with him, there is a generic constant
for such "passwd" object class, it is defined in flask.h could be used
instead of the string, thus avoiding hard-coding and also allowing to
save a few cycles and be theoretically future-proof (if ever the name
would change, say to "password", "auth-token" or anything else).

libselinux/src/checkAccess.c.orig   2009-11-21 20:07:21.000000000
libselinux/src/checkAccess.c        2009-11-21 20:08:36.000000000
@@ -13,17 +13,12 @@ int selinux_check_passwd_access(access_v
        if (is_selinux_enabled() == 0)
                return 0;
        if (getprevcon_raw(&user_context) == 0) {
-               security_class_t passwd_class;
                struct av_decision avd;
                int retval;

-               passwd_class = string_to_security_class("passwd");
-               if (passwd_class == 0)
-                       return 0;
-
                retval = security_compute_av_raw(user_context,
                                                     user_context,
-                                                    passwd_class,
+                                                    SECCLASS_PASSWD,
                                                     requested,
                                                     &avd);

Note that the above code, should really live in the application and not
in the selinux library. It used to be like that, then for some reason it
has been introduced. Redhat's passwd and cronie are calling the library
function and thus at the moment they rely on it. But for example,
util-linux-ng has the code in it and does not call this function, as I
believe it should be. A very minor issue anyway...

> > * selinux_init_load_policy
> >
>
> A paragraph break is needed in the DESCRIPTION section before this function.

Done. I have also added a note to the already mentioned fact that after
initial policy load, SELinux cannot be anymore disabled using calls to
security_disable(3).

> > * selinux_lsetfilecon_default
> >
>
> See notes above about the matchpathcon manpage.

Yes, separate man page now.

> > * selinux_mkload_policy
> >
>
> Looks good.

No modifications.

> > * set_selinuxmnt
> >
>
> This manpage includes two static functions that are not part of the
> libselinux API (at least, not anymore) and should be removed.
>
> Also, I'm not comfortable with the description given.  Instead, use the
> comments in selinux.h, which are more accurate and verbose.
>

Please let me know if things are any better now.

I did also provide on the same day a patch for beautifying and improving
the command-line option parsing of a few utilities (a ticket had been
created by somebody). That patch provides those improvement according to
GNU-style parsing of "help" and "version" options (including long-option
variants). I think it also fixes a couple of typos here and there. Feel
free to include that patch too if you like it, so that the ticket can be
closed ! I will attach it again in another separate message: it has been
slightly modified in order to apply cleanly to the latest git snapshot.

More important, I was also thinking about fingerprinting (and
subsequently checking) the libraries with some cryptographic hash
function such as the NIST-recommended SHA2. It is beginning to be done
for security-related projects like OpenSSL, so I believe it is even more
essential for SELinux. Ever thought about anything like that ?

Best regards,

Guido

Signed-off-By: Joshua Brindle <method@manicmethod.com>
2009-11-27 14:44:41 -05:00
Eamon Walsh
09cd8160d9 Documentation updates for the removal of recounted SID's.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-09-02 20:36:42 -04:00
KaiGai Kohei
433a99d403 It is useful for userspace object manager, if libselinux has an
interface something like: int security_deny_unknown(void);

This interface can suggest applications preferable behavior when
string_to_security_class() or string_to_av_perm() returns invalid
value which means the security policy does not define required
ones.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:48:01 -04:00
KaiGai Kohei
55ed6e7fa6 This patch enables applications to handle permissive domain correctly.
Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.

This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.

This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:10:30 -04:00
KaiGai Kohei
318748d659 The attached patch enables userspace object managers to handle notification
messages via netlink socket from SELinux.

* Two new callbacks were added to selinux_set_callback(3)
  - SELINUX_CB_SETENFORCE
     is invoked when it got SELNL_MSG_SETENFORCE message in the
     avc_netlink_process().
  - SELINUX_CB_POLICYLOAD
     is invoked when it got SELNL_MSG_POLICYLOAD message in the
     avc_netlink_process().

* Three functions were exposed to applications.
  - int avc_netlink_open(int blocking);
  - void avc_netlink_loop(void);
  - void avc_netlink_close(void);

Due to a few reasons, SE-PostgreSQL implements its own userspace
avc, so it needs to copy and paste some of avc_internal.c.
This update enables to share common part from such kind of application.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:08:48 -04:00
Joshua Brindle
345fb4a99b Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Yet another man page patch
Date: Tue, 30 Sep 2008 08:52:58 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

int selinux_file_context_cmp(const security_context_t a,
+                                    const security_context_t b);"
+
+.BI "int selinux_file_context_verify(const char *path, mode_t mode);"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjiISoACgkQrlYvE4MpobPV9gCg0KZ+rsxGsIalBS1qvbObK7bA
0H8Anj8FnGzOnSjnOfbk+5R4Bf2OyxW+
=nJ7k
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-14 07:34:49 -04:00
Joshua Brindle
06c2dd5d04 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Some missing man pages from libselinux
Date: Wed, 24 Sep 2008 08:57:44 -0400

We are still missing the following man pages.
Perhaps some of these functions should be removed?
selinux_users_path seems to return a bogus directory?
Also do not have _raw functions defined in man pages.

matchpathcon_checkmatches
matchpathcon_filespec_add
matchpathcon_filespec_destroy
matchpathcon_filespec_eval
matchpathcon_index
matchpathcon_init_prefix
print_access_vector
security_canonicalize_context
security_disable
security_set_boolean_list
selinux_check_passwd_access
selinux_customizable_types_path
selinux_file_context_cmp
selinux_file_context_verify
selinux_get_callback
selinux_init_load_policy
selinux_lsetfilecon_default
selinux_mkload_policy
selinux_raw_to_trans_context
selinux_trans_to_raw_context
selinux_translations_path
selinux_users_path
set_selinuxmnt

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 15:55:18 -04:00
Joshua Brindle
85ea2db4bd Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Man page fixes for libselinux.
Date: Mon, 22 Sep 2008 13:52:13 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 15:12:38 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00