We would like to be able to say that the user, role, or range of a newly
created object should be based on the user, role, or range of either the
source or the target of the creation operation. aka, for a new file
this could be the user of the creating process or the user or the parent
directory. This patch implements the new language and the policydb
support to give this information to the kernel.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The filename_trans code had a bug where duplicate detection was being
done between the unmapped type value of a new rule and the type value of
rules already in policy. This meant that duplicates were not being
silently dropped and were instead outputting a message that there was a
problem. It made things hard because the message WAS using the mapped
type to convert to the string representation, so it didn't look like a
dup!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patches moves some ebitmap functions (and, xor, not, etc.) from
mcstrans into libsepol, where they really belong and could be used by
other applications (e.g. CIL)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile which generated the package config files did not have the
VERSION file as a dependancy. Thus if you updated a tree you have
previously build the .pc file wouldn't be rebuilt and the old version
would be reinstalled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is needed in order to build setools, although I think setools
still will not fully build. It would be good if someone from setools
would diagnose what is breaking.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If the "-P/--preserve_tunables" option is set for the semodule program,
the preserve_tunables flag in sepol_handle_t would be set, then all tunables
would be treated as booleans by having their TUNABLE flag bit cleared,
resulting in all tunables if-else conditionals preserved for raw policy.
Note, such option would invalidate the logic to double-check if tunables
ever mix with booleans in one expression, so skip the call to assert()
when this option is passed.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
By default only the effective branch of a tunable conditional would be
expanded and written to raw policy, while all needless unused branches
would be discarded.
Add a new option '-P' or "--preserve_tunables" to the semodule program.
By default it is 0, if set to 1 then the above preserve_tunables flag
in the sepol_handle_t would be set to 1 accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The effective branch of a tunable has been appended to its home
decl->avrules list during link, in expansion we should just skip tunables
from expanding their rules into te_cond_avtab hashtab and adding to the
out->cond_list queue.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
For a cond_node_t in one decl->cond_list queue, append its
avtrue_list or avfalse_list to the avrules list of its home decl
depending on its state value, so that these effective rules would
be permanently added to te_avtab hashtab.
On the other hand, the rules on the disabled unused list won't be
expanded and written to the raw policy at all.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Copy the TUNABLE flag for cond_bool_datum_t during link, and check
if there is a mismatch between boolean/tunable declaration and
usage among modules. If this is the case, bail out with errors.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
All flags in cond_bool_datum_t and cond_node_t structures are written
or read for policy modules which version is no less than
MOD_POLICYDB_VERSION_TUNABLE_SEP.
Note, for cond_node_t the TUNABLE flag bit would be used only at expand,
however, it won't hurt to read/write this field for modules(potentially
for future usage).
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.
Note, when creating an if-else conditional we can not know if the
tunable identifier is indeed a tunable(for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion when all
booleans/tunables copied during link.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add flags to cond_bool_datum_t and cond_node_t structures to differentiate
the tunables' identifiers and conditionals from those of booleans.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Role attributes are redundant for policy.X, their destiny has been
fulfilled in the expand phase when their types.types ebitmap have
been populated to that of their sub regular roles.
When pp is downgraded, role_datum_t's the flavor flag and roles
ebitmap would be discarded, resulting in role attributes useless
at all. So for such case they should also be skipped.
Deduct the number of role attributes from p_roles.table->nel when
they are skipped.
Last, uncount attributes number before converting endianness.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
expand_role_attributes() would merge the sub role attribute's roles
ebitmap into that of the parent, then clear it off from the parent's
roles ebitmap. This supports the assertion in role_fix_callback() that
any role attribute's roles ebitmap contains just regular roles.
expand_role_attribute() works on base.p_roles table but not any
block/decl's p_roles table, so the above assertion in role_fix_callback
could fail when it is called for block/decl and some role attribute is
added into another.
Since the effect of get_local_role() would have been complemented by
the populate_roleattributes() at the end of the link phase, there is
no needs(and wrong) to call role_fix_callback() for block/decl in the
expand phase.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When expanding a module which includes role transitions we were
comparing the numeric value of the base policy role with the numberic
value of the unmapped role in the module. Comparisions between
role values need to both be in terms of the mapped role in the base
module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Harry Ciao <qingtao.cao@windriver.com>
The kernel policy parsing logic was incorrectly believing the list of
filename transition rules was always empty because we never updated the
tail pointer when we added to the list. This patch updates the pointer
to the last entry when a new entry is added.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
When the link process is completed, the types type_set_t and roles
ebitmap in a role attribute are settled, then we could go on to scan
all role attributes in the base->p_roles.table checking if any non-zero
bit in its roles ebitmap is indeed another role attribute.
If this is the case, then we need to escalate the roles ebitmap of
the sub role attribute into that of the parent, and remove the sub role
attribute from parent's roles ebitmap.
Since sub-attribute's roles ebitmap may further contain other role
attributes, we need to re-scan the updated parent's roles ebitmap.
Also if a loop dependency is detected, no escalation of sub-attribute's
roles ebitmap is needed.
Note, although in the link stage all role identifiers defined in any
block/decl of any module would be copied into the base->p_roles.table,
the role-attribute relationships could still be recorded in the decl's
local symtab[SYM_ROLES] table(see get_local_role()), so before all above
escalation of sub role attribute's roles ebitmap into that of parent ever
happens, all decl in the base->global list except the global block would
have to be traversed so as to populate potential role-attribute
relationships from decl up to the base module.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When the rolemap and pointer to the base module are available, if
a non-zero bit in role_set_t.roles is a role attribute, expand it
before remap.
Note, during module compile the rolemap may not be available, the
potential duplicates of a regular role and the role attribute that
the regular role belongs to could be properly handled by
copy_role_allow() and copy_role_trans() during module expansion.
Take advantage of the role_val_to_struct[] of the base module, since
when role_set_expand() is invoked, the role_val_to_struct[] of the
out module may have not been established yet.
Also cleanup the error handling of role_set_expand().
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Copy the flavor flag into its counterpart in the out module;
2. Fix all role attributes in the base module:
2.1 remap the roles ebitmap and merge into its counterpart in the
out module;
2.2 escalate the types.types ebitmap of its counterpart in the out
module, to the counterparts for all the regular roles that belongs
to the current role attribute.
The role_fix_callback() must be called after role_copy_callback()
so that state->rolemap[] is available.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Make the flavor flag and the roles ebitmap in role_datum_t structure
properly handled during module link process:
1. the flavor flag is copied into the base module;
2. if both the current module and the base module have defined or
required the same role, check if there is a discrepency in flavor;
3. remap the roles ebitmap and merge into its counterpart in the
base module;
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add support to read/write the flavor flag and roles ebitmap in the
role_datum_t structure from/to policy module, if its version is no less
than MOD_POLICYDB_VERSION_ROLEATTRIB.
Since the role ebitmap would be expanded and won't be written into
policy.X, neither is the flavor flag, kernel SELinux security server
needs no change, the maximum version number for policy.X needs no bump.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;
2. Add a new "attribute_role" statement and its handler to declare
a role attribute;
3. Modify declare_role() to setup role_datum_t.flavor according
to the isattr argument;
4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;
5. Modify the syntax for the role-types rule only to define the
role-type associations;
6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;
7. Check if the new_role used in role-transition rule is a regular role;
8. Support to require a role attribute;
9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share a same name with another regular role.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When writing the roletrans rules, rules are dropped when not supported,
but the number of rules is not decreased. This sets the number of
elements to the actual number of rules that will be written.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Although the role trans code had support to handle the kernel policy
when the version was less that roletrans such support was not in the
module read/write code. This patch adds proper support for role trans
in modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds libsepol support for filename_trans rules. These rules
allow one to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add class support to various functions to handle role_trans_rule_t
structures.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add the class support to various functions that handle role_trans
structure.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class("process") or the
class that the newly created object belongs to.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Email: justinmattock@gmail.com
Subject: libsepol
Date: Tue, 6 Jul 2010 15:23:29 -0700
Going through these warning messages Im getting:
(example 1 of many)
booleans.c: In function 'sepol_bool_count':
booleans.c:106:39: error: parameter 'handle' set but not used
cc1: all warnings being treated as errors
seems most of these go to NULL; Which tells me that these are here for
future use and/or need to be there for some other reason.
The biggest problem I have is Im getting errors out of these as opposed
to just a warning(-Werror) so marking the variable with a GCC
__attribute__ ((unused)) gets things going.
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
This test must have been disabled a very long time ago, before attributes were present in the kernel policy. Since the attributes are now present this unit test should be turned back on, unless I'm missing something pretty major (it looks reasonable and is successful when run).
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
On 02/24/2010 02:24 PM, Daniel J Walsh wrote:
>
Ignore the first patch it was missing pc.in files.
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: srivasta@debian.org
Subject: cannnot -> cannot and suport -> support
Date: Tue, 17 Nov 2009 10:27:57 -0600
This was reported after a lintian check found this on any package
linked with libsepol. Closes: #556390
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Having a pkgconfig files allows the pkg-config tool to be used to
query the presence of the library (or a particular version of it),
and to obtain the C flags and linker arguments to build with it.
Based on Debian patches by Manoj Srivastava <srivasta@debian.org>.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
