From: <ssm...@us...> - 2008-03-10 13:20:20
Revision: 2847
http://selinux.svn.sourceforge.net/selinux/?rev=2847&view=rev
Author: ssmalley
Date: 2008-03-10 06:19:48 -0700 (Mon, 10 Mar 2008)
Log Message:
-----------
Drop selinux-doc from trunk.
It is out of date, not being maintained, and never had any end-user-oriented
documentation in the first place. Tech reports are available
on www.nsa.gov/selinux for historical reference.
Removed Paths:
-------------
trunk/README
trunk/selinux-doc/
Deleted: trunk/README
===================================================================
--- trunk/README 2008-03-07 15:40:42 UTC (rev 2846)
+++ trunk/README 2008-03-10 13:19:48 UTC (rev 2847)
@@ -1,2 +0,0 @@
-See selinux-doc/README for build instructions.
--z
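Review bot: with this deletion trunk has no top-level pointer to build instructions at all; the removed line only referred readers to selinux-doc/README, which is removed in the same revision, so a one-line replacement README stating that each component (libsepol, checkpolicy, libselinux, ...) builds from its own Makefile would keep a newcomer from landing in a tree with no entry point.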
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
From: <ssm...@us...> - 2008-05-27 20:03:41
Revision: 2886
http://selinux.svn.sourceforge.net/selinux/?rev=2886&view=rev
Author: ssmalley
Date: 2008-05-27 13:03:37 -0700 (Tue, 27 May 2008)
Log Message:
-----------
Author: Joshua Brindle
Email: me...@ma...
Subject: user and role remapping in expander (was Re: roles in base module)
Date: Sat, 24 May 2008 22:24:27 -0400
Stephen Smalley wrote:
> On Mon, 2008-05-19 at 17:59 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2008-05-16 at 19:50 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Tue, 2008-05-06 at 23:21 +0100, Martin Orr wrote:
>>>>>> Should I be able to build trunk refpolicy with the user roles included in
>>>>>> the base module? I can build it with the roles as modules, but if I try
>>>>>> building them into base I get
>>>>>> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
>>>>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>>>>> libsepol.expand_module: Error while indexing out symbols
>>>>>> /usr/bin/checkmodule: expand module failed
>>>>>>
>>>>>> I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12. I have
>>>>>> attached the modules.conf I am using, which seems to be the minimum number
>>>>>> of things I need to build in to be able to build in roles.
>>>>> Reproduced here as well, and naturally one should be able to build roles
>>>>> into base.
>>>>>
>>>>> We've seen this error condition in the past - it indicates that there is
>>>>> a hole in the symbol table, and requires mapping support in the expand
>>>>> code for roles to correctly handle it. So that represents a
>>>>> bug/limitation of the current policy compiler.
>>>>>
>>>>> Walking through it I see that it is omitting the auditadm_r and secadm_r
>>>>> roles during the expand, and this is leaving the holes in the symbol
>>>>> table.
>>>>>
>>>>> Fixing the compiler requires adding mapping support for the roles
>>>>> similar to what Karl did for booleans in r2308.
>>>>>
>>>>> Hopefully though Chris can work around it in the policy in the interim.
>>>>>
>>>> Patch below should fix both user and role mapping issues.
>>> Why is it that we don't need a usermap too?
>>>
>> Updated patch includes usermap and mapping in constraint_node_clone, completely untested.
>
> Still fails in the same way as reported by Martin upon semodule -b of the base module.
> libsepol.context_read_and_validate: invalid security context
> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> Error reading policy /etc/selinux/test/policy/policy.23: Success
> libsemanage.semanage_install_active: setfiles returned error code 1.
>
> Also fails upon just trying to semodule -B an existing valid policy
> store using the patched libsepol.
>
Ok, the following patch should address everything; it was more intrusive than I originally thought.
role->dominates will be incorrect when roles are copied and mapped from base into the out policy; this is fixed after they've all been copied.
There is a tiny hack concerning object_r. At some point I'd like to address all the object_r hardcoding (both in the kernel and toolchain), but that is pretty low on the list.
expand_module_avrules(), which is used by external apps (e.g., setools), has changed, so those users will need to be fixed.
valgrind and sediff are clean.
------
Revision Links:
--------------
http://selinux.svn.sourceforge.net/selinux/?rev=2669&view=rev
Modified Paths:
--------------
trunk/checkpolicy/policy_define.c
trunk/libsepol/include/sepol/policydb/expand.h
trunk/libsepol/src/expand.c
trunk/libsepol/src/policydb.c
trunk/libsepol/src/users.c
Modified: trunk/checkpolicy/policy_define.c
===================================================================
--- trunk/checkpolicy/policy_define.c 2008-05-27 19:59:02 UTC (rev 2885)
+++ trunk/checkpolicy/policy_define.c 2008-05-27 20:03:37 UTC (rev 2886)
@@ -2006,7 +2006,7 @@
}
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
- if (role_set_expand(&roles, &e_roles, policydbp))
+ if (role_set_expand(&roles, &e_roles, policydbp, NULL))
goto bad;
if (type_set_expand(&types, &e_types, policydbp, 1))
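Review bot: passing NULL as the new rolemap is the right choice here, since checkpolicy expands within a single policydb and no role values are renumbered, but nothing in the header tells a caller that NULL is accepted; add a comment on the role_set_expand prototype stating that a NULL rolemap means identity mapping, otherwise the next caller will allocate a map it does not need or pass garbage.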
Modified: trunk/libsepol/include/sepol/policydb/expand.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/expand.h 2008-05-27 19:59:02 UTC (rev 2885)
+++ trunk/libsepol/include/sepol/policydb/expand.h 2008-05-27 20:03:37 UTC (rev 2886)
@@ -43,6 +43,7 @@
*/
extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
policydb_t * out, uint32_t * typemap, uint32_t * boolmap,
+ uint32_t * rolemap, uint32_t * usermap,
int verbose, int expand_neverallow);
/*
* Expand all parts of a module. Neverallow rules are not expanded (only
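Review bot: expand_module_avrules is an exported function, so inserting two parameters in the middle of its argument list is a source- and ABI-incompatible change for every out-of-tree caller (the commit message names setools); the library version should be bumped in the same change, and the block comment above the prototype should say what rolemap and usermap are indexed by and whether NULL is accepted. If a caller can reach context_copy in expand.c with NULL maps it will fault, since that function now dereferences both unconditionally.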
@@ -59,7 +60,7 @@
unsigned char alwaysexpand);
extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
unsigned char alwaysexpand);
-extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
+extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap);
extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
policydb_t *p, sepol_handle_t *h);
extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
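Review bot: the new role_set_expand prototype does not document the rolemap parameter, and three callers in this commit (checkpolicy, policydb.c, users.c) rely on the NULL case; a one-line comment stating that rolemap maps base role values to out values (index value - 1, entry 0 meaning "not copied") and that NULL disables remapping would prevent misuse.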
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2008-05-27 19:59:02 UTC (rev 2885)
+++ trunk/libsepol/src/expand.c 2008-05-27 20:03:37 UTC (rev 2886)
@@ -41,6 +41,8 @@
int verbose;
uint32_t *typemap;
uint32_t *boolmap;
+ uint32_t *rolemap;
+ uint32_t *usermap;
policydb_t *base;
policydb_t *out;
sepol_handle_t *handle;
@@ -52,6 +54,23 @@
memset(state, 0, sizeof(expand_state_t));
}
+static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
+{
+ unsigned int i;
+ ebitmap_node_t *tnode;
+ ebitmap_init(dst);
+
+ ebitmap_for_each_bit(src, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
+ if (!map[i])
+ continue;
+ if (ebitmap_set_bit(dst, map[i] - 1, 1))
+ return -1;
+ }
+ return 0;
+}
+
static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
void *data)
{
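Review bot: map_ebitmap silently skips every bit whose map entry is 0, which is the mechanism that closes the symbol-table holes for roles and users that were not copied into out, but it also means a genuinely missing mapping caused by a bug elsewhere disappears without a trace; the behaviour is inherited from convert_type_ebitmap so the generalisation is fine, but a comment on the function stating the "0 = not mapped" convention would help. Note also that ebitmap_init(dst) discards whatever dst held without freeing it, so callers must pass a fresh or destroyed bitmap, as role_remap_dominates does.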
@@ -150,7 +169,7 @@
ERR(state->handle, "attribute %s vanished!", id);
return -1;
}
- if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
+ if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
ERR(state->handle, "out of memory");
return -1;
}
@@ -297,6 +316,14 @@
names, 1)) {
goto out_of_mem;
}
+ } else if (new_expr->attr & CEXPR_ROLE) {
+ if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
+ goto out_of_mem;
+ }
+ } else if (new_expr->attr & CEXPR_USER) {
+ if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
+ goto out_of_mem;
+ }
} else {
/* Other kinds of sets do not. */
if (ebitmap_cpy(&new_expr->names,
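Review bot: the two new branches map the role and user name sets of constraint expressions, which is required now that role and user values are renumbered; worth confirming that CEXPR_ROLE and CEXPR_USER are mutually exclusive on a single expression, since the else-if chain only handles the first that matches. On the goto out_of_mem path new_expr->names may hold a partially built bitmap, which is acceptable only if the caller destroys new_expr on failure.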
@@ -511,6 +538,28 @@
return 0;
}
+static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
+{
+ ebitmap_t mapped_roles;
+ role_datum_t *role = (role_datum_t *) datum;
+ expand_state_t *state = (expand_state_t *) data;
+
+ if (!(&role->dominates.node))
+ return 0;
+
+ if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
+ return -1;
+
+ ebitmap_destroy(&role->dominates);
+
+ if (ebitmap_cpy(&role->dominates, &mapped_roles))
+ return -1;
+
+ ebitmap_destroy(&mapped_roles);
+
+ return 0;
+}
+
static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
void *data)
{
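Review bot: the early-return test `if (!(&role->dominates.node))` takes the address of a struct member, which can never be NULL, so the check is dead code; it was presumably meant as `if (!role->dominates.node)` to skip an empty bitmap, but map_ebitmap already handles the empty case, so the test can simply be removed. On the ebitmap_cpy failure path mapped_roles is leaked, and the destroy/copy/destroy sequence could be replaced by destroying role->dominates and moving mapped_roles into it.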
@@ -525,8 +574,11 @@
role = (role_datum_t *) datum;
state = (expand_state_t *) data;
- if (strcmp(id, OBJECT_R) == 0)
+ if (strcmp(id, OBJECT_R) == 0) {
+ /* object_r is always value 1 */
+ state->rolemap[role->s.value - 1] = 1;
return 0;
+ }
if (!is_id_enabled(id, state->base, SYM_ROLES)) {
/* identifier's scope is not enabled */
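Review bot: the object_r entry hard-codes the value 1 instead of using OBJECT_R_VAL from policydb.h, and it assumes object_r has already been given value 1 in out before any other role is copied; the commit message calls this a hack, so at minimum the constant should be used and the assumption stated in the comment so the later object_r cleanup knows to revisit this spot.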
@@ -552,8 +604,9 @@
return -1;
}
- new_role->s.value = role->s.value;
state->out->p_roles.nprim++;
+ new_role->s.value = state->out->p_roles.nprim;
+ state->rolemap[role->s.value - 1] = new_role->s.value;
ret = hashtab_insert(state->out->p_roles.table,
(hashtab_key_t) new_id,
(hashtab_datum_t) new_role);
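Review bot: new_role->s.value now comes from the out table's own counter rather than being inherited from base, which is what removes the holes; rolemap[role->s.value - 1] is written before hashtab_insert has succeeded, so on an insert failure the map points at a value that was never inserted, which is harmless only because the whole expand is abandoned on that path, and a short comment saying so would help. Please also confirm that a role already present in out (the ebitmap_union below suggests a second declaration merges into an existing entry) still gets a rolemap entry for its base value.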
@@ -570,6 +623,10 @@
ebitmap_init(&new_role->dominates);
}
+
+ /* The dominates bitmap is going to be wrong for the moment,
+ * we'll come back later and remap them, after we are sure all
+ * the roles have been added */
if (ebitmap_union(&new_role->dominates, &role->dominates)) {
ERR(state->handle, "Out of memory!");
return -1;
@@ -692,8 +749,9 @@
}
memset(new_user, 0, sizeof(user_datum_t));
- new_user->s.value = user->s.value;
state->out->p_users.nprim++;
+ new_user->s.value = state->out->p_users.nprim;
+ state->usermap[user->s.value - 1] = new_user->s.value;
new_id = strdup(id);
if (!new_id) {
@@ -756,7 +814,7 @@
ebitmap_init(&tmp_union);
/* get global roles for this user */
- if (role_set_expand(&user->roles, &tmp_union, state->base)) {
+ if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) {
ERR(state->handle, "Out of memory!");
ebitmap_destroy(&tmp_union);
return -1;
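Review bot: this call passes state->base as the policy together with rolemap, so the bits in user->roles are translated to out values, while a ROLE_STAR set inside role_set_expand still sizes itself from p->p_roles.nprim of base and is not remapped (see the loop in the role_set_expand hunk below); if the star case is reachable for user role sets the two paths will disagree, and passing state->out here as the role_trans and role_allow callers do avoids that.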
@@ -938,14 +996,16 @@
ebitmap_init(&roles);
ebitmap_init(&new_roles);
- if (role_set_expand(&cur->roles, &roles, state->out)) {
+ if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
ERR(state->handle, "Out of memory!");
return -1;
}
- if (role_set_expand(&cur->new_roles, &new_roles, state->out)) {
+
+ if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) {
ERR(state->handle, "Out of memory!");
return -1;
}
+
ebitmap_for_each_bit(&roles, snode, i) {
if (!ebitmap_node_get_bit(snode, i))
continue;
@@ -1005,7 +1065,7 @@
ebitmap_init(&roles);
ebitmap_init(&types);
- if (role_set_expand(&cur->roles, &roles, state->out)) {
+ if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) {
ERR(state->handle, "Out of memory!");
return -1;
}
@@ -1058,7 +1118,7 @@
memset(n, 0, sizeof(role_trans_t));
n->role = i + 1;
n->type = j + 1;
- n->new_role = cur->new_role;
+ n->new_role = state->rolemap[cur->new_role - 1];
if (l) {
l->next = n;
} else {
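Review bot: state->rolemap[cur->new_role - 1] is 0 when the target role was not copied into out (its scope is disabled), and this assignment would then store 0 as n->new_role, producing a role_trans entry with an invalid role value that only surfaces later as a policy validation error; check for 0 here and either skip the transition or fail with an ERR that names the rule, so the problem is reported at the point it arises.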
@@ -1658,8 +1718,8 @@
static int context_copy(context_struct_t * dst, context_struct_t * src,
expand_state_t * state)
{
- dst->user = src->user;
- dst->role = src->role;
+ dst->user = state->usermap[src->user - 1];
+ dst->role = state->rolemap[src->role - 1];
dst->type = state->typemap[src->type - 1];
return mls_context_cpy(dst, src);
}
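Review bot: like the type line, the new user and role lookups yield 0 for an identifier that was not copied into out, and context_copy has no way to report it; a context with user or role 0 is exactly what produces the "invalid security context" failure quoted earlier in the thread, so returning -1 here when either map entry is 0 would turn a confusing late validation error into an immediate, located one. context_copy also now dereferences state->usermap and state->rolemap unconditionally, so any caller of expand_module_avrules that passes NULL for them must never reach this function.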
@@ -1842,23 +1902,6 @@
return 0;
}
-int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap)
-{
- unsigned int i;
- ebitmap_node_t *tnode;
- ebitmap_init(dst);
-
- ebitmap_for_each_bit(src, tnode, i) {
- if (!ebitmap_node_get_bit(tnode, i))
- continue;
- if (!typemap[i])
- continue;
- if (ebitmap_set_bit(dst, typemap[i] - 1, 1))
- return -1;
- }
- return 0;
-}
-
/* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy.
* this should not be called until after all the blocks have been processed and the attributes in target policy
* are complete. */
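Review bot: convert_type_ebitmap had external linkage, so if it is declared in any installed header (expand.h is touched in this commit but the hunks shown do not remove a prototype for it) external callers will now fail to link; either drop the prototype in the same change or keep a thin wrapper around map_ebitmap for one release.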
@@ -1870,10 +1913,10 @@
type_set_init(&tmpset);
- if (convert_type_ebitmap(&set->types, &tmpset.types, typemap))
+ if (map_ebitmap(&set->types, &tmpset.types, typemap))
return -1;
- if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap))
+ if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
return -1;
tmpset.flags = set->flags;
@@ -1915,12 +1958,14 @@
return retval;
}
-int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p)
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap)
{
unsigned int i;
ebitmap_node_t *rnode;
+ ebitmap_t mapped_roles;
ebitmap_init(r);
+ ebitmap_init(&mapped_roles);
if (x->flags & ROLE_STAR) {
for (i = 0; i < p->p_roles.nprim++; i++)
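Review bot: the context line `for (i = 0; i < p->p_roles.nprim++; i++)` post-increments nprim in the loop condition, so every evaluation of the ROLE_STAR branch grows the role count and the loop cannot terminate normally; it is pre-existing, but since this patch is already reworking role_set_expand it is the moment to change it to `i < p->p_roles.nprim`. Also, mapped_roles is initialised before the ROLE_STAR early return and never destroyed on that path, which is harmless only because ebitmap_init allocates nothing.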
@@ -1929,13 +1974,23 @@
return 0;
}
- ebitmap_for_each_bit(&x->roles, rnode, i) {
+ if (rolemap) {
+ if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
+ return -1;
+ } else {
+ if (ebitmap_cpy(&mapped_roles, &x->roles))
+ return -1;
+ }
+
+ ebitmap_for_each_bit(&mapped_roles, rnode, i) {
if (ebitmap_node_get_bit(rnode, i)) {
if (ebitmap_set_bit(r, i, 1))
return -1;
}
}
+ ebitmap_destroy(&mapped_roles);
+
/* if role is to be complimented, invert the entire bitmap here */
if (x->flags & ROLE_COMP) {
for (i = 0; i < ebitmap_length(r); i++) {
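Review bot: the copy into mapped_roles followed by a bit-by-bit copy into r is redundant; map_ebitmap (or ebitmap_cpy in the NULL case) could write into r directly, dropping the temporary and the loop. As written, the `return -1` inside the loop leaks mapped_roles, and the NULL-rolemap path now performs two full copies of x->roles where the old code did one, which matters for the policydb.c and users.c callers that run this for every user.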
@@ -2239,7 +2294,8 @@
*/
int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
policydb_t * out, uint32_t * typemap,
- uint32_t * boolmap, int verbose,
+ uint32_t * boolmap, uint32_t * rolemap,
+ uint32_t * usermap, int verbose,
int expand_neverallow)
{
expand_state_t state;
@@ -2250,6 +2306,8 @@
state.out = out;
state.typemap = typemap;
state.boolmap = boolmap;
+ state.rolemap = rolemap;
+ state.usermap = usermap;
state.handle = handle;
state.verbose = verbose;
state.expand_neverallow = expand_neverallow;
@@ -2309,6 +2367,18 @@
goto cleanup;
}
+ state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
+ if (!state.rolemap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ state.usermap = (uint32_t *)calloc(state.base->p_users.nprim, sizeof(uint32_t));
+ if (!state.usermap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
/* order is important - types must be first */
/* copy types */
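Review bot: the maps are sized from state->base->p_roles.nprim and p_users.nprim and indexed by base value - 1, which matches every use in the patch, and calloc's zero fill is what lets 0 mean "not copied" elsewhere; one caveat is that calloc with a zero count may legitimately return NULL, so a base policy with no users would be reported here as "Out of memory!" instead of proceeding with an empty usermap.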
@@ -2405,6 +2475,11 @@
}
+ /* remap role dominates bitmaps */
+ if (hashtab_map(state.out->p_roles.table, role_remap_dominates, &state)) {
+ goto cleanup;
+ }
+
if (copy_and_expand_avrule_block(&state) < 0) {
ERR(handle, "Error during expand");
goto cleanup;
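Review bot: the new hashtab_map call jumps to cleanup without an ERR message, unlike the neighbouring copy_and_expand_avrule_block failure, and role_remap_dominates itself only returns -1 without logging; add an ERR(handle, ...) here so a failure in the remap pass is attributable. This pass also has to run after every role from every block has been copied, as the comment in role_copy_callback promises; its placement just before the avrule expansion suggests that holds, but a comment stating the ordering requirement would protect it.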
@@ -2464,6 +2539,8 @@
cleanup:
free(state.typemap);
free(state.boolmap);
+ free(state.rolemap);
+ free(state.usermap);
return retval;
}
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2008-05-27 19:59:02 UTC (rev 2885)
+++ trunk/libsepol/src/policydb.c 2008-05-27 20:03:37 UTC (rev 2886)
@@ -559,7 +559,7 @@
p = (policydb_t *) arg;
ebitmap_destroy(&user->cache);
- if (role_set_expand(&user->roles, &user->cache, p)) {
+ if (role_set_expand(&user->roles, &user->cache, p, NULL)) {
return -1;
}
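Review bot: passing NULL here preserves the existing in-place expansion of a user's role set, since user->cache is indexed by this policy's own role values; with the new NULL handling in role_set_expand this now costs an extra ebitmap_cpy per user on every policy load, so if that shows up in load time the NULL branch should write straight into r.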
Modified: trunk/libsepol/src/users.c
===================================================================
--- trunk/libsepol/src/users.c 2008-05-27 19:59:02 UTC (rev 2885)
+++ trunk/libsepol/src/users.c 2008-05-27 20:03:37 UTC (rev 2886)
@@ -260,7 +260,7 @@
/* Expand roles */
if (role_set_expand
- (&usrdatum->roles, &usrdatum->cache, policydb)) {
+ (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) {
ERR(handle, "unable to expand role set");
goto err;
}
From: <mad...@us...> - 2008-06-13 18:38:36
Revision: 2911
http://selinux.svn.sourceforge.net/selinux/?rev=2911&view=rev
Author: madmethod
Date: 2008-06-13 11:38:34 -0700 (Fri, 13 Jun 2008)
Log Message:
-----------
Author: Joshua Brindle
Email: me...@ma...
Subject: libsepol write.c has shadowed var
Date: Fri, 13 Jun 2008 13:44:24 -0400
Stephen Smalley wrote:
> On Fri, 2008-06-13 at 11:43 -0400, Joshua Brindle wrote:
>> This patch addresses a shadowed var that prevents libsepol from being built with DEBUG=1
>>
>> Signed-off-by: Joshua Brindle <me...@ma...>
>>
>> ---
>>
>> Index: libsepol/src/write.c
>> ===================================================================
>> --- libsepol/src/write.c (revision 2908)
>> +++ libsepol/src/write.c (working copy)
>> @@ -1625,10 +1625,10 @@
>> if (p->policyvers < POLICYDB_VERSION_PERMISSIVE &&
>> p->policy_type == POLICY_KERN) {
>> ebitmap_node_t *tnode;
>> - unsigned int i;
>> + unsigned int j;
>>
>> - ebitmap_for_each_bit(&p->permissive_map, tnode, i) {
>> - if (ebitmap_node_get_bit(tnode, i)) {
>> + ebitmap_for_each_bit(&p->permissive_map, tnode, j) {
>> + if (ebitmap_node_get_bit(tnode, j)) {
>> WARN(fp->handle, "Warning! Policy version %d cannot "
>> "support permissive types, but some were defined",
>> p->policyvers);
>
> Any particular reason we can't just use the local var from the outer
> scope?
>
Good point, I didn't really look at how i was being used. This uses i from the outer scope and adds -Wshadow to library and checkpolicy makefiles.
Acked-by: Stephen Smalley <sd...@ty...>
Revision Links:
--------------
http://selinux.svn.sourceforge.net/selinux/?rev=2908&view=rev
Modified Paths:
--------------
trunk/checkpolicy/Makefile
trunk/libselinux/src/Makefile
trunk/libsemanage/src/Makefile
trunk/libsepol/src/Makefile
trunk/libsepol/src/write.c
Modified: trunk/checkpolicy/Makefile
===================================================================
--- trunk/checkpolicy/Makefile 2008-06-13 14:14:57 UTC (rev 2910)
+++ trunk/checkpolicy/Makefile 2008-06-13 18:38:34 UTC (rev 2911)
@@ -10,7 +10,7 @@
YACC = bison -y
-CFLAGS ?= -g -Wall -Werror -O2 -pipe -fno-strict-aliasing
+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
override CFLAGS += -I. -I${INCLUDEDIR}
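Review bot: -Wshadow is added to the `CFLAGS ?=` default, which only takes effect when CFLAGS is not already set in the environment, so a distribution build that supplies its own CFLAGS (the usual case) never sees the warning; if the intent is to enforce no-shadowing, put it on the `override CFLAGS +=` line below, as the include paths already are.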
Modified: trunk/libselinux/src/Makefile
===================================================================
--- trunk/libselinux/src/Makefile 2008-06-13 14:14:57 UTC (rev 2910)
+++ trunk/libselinux/src/Makefile 2008-06-13 18:38:34 UTC (rev 2911)
@@ -33,7 +33,7 @@
OBJS= $(patsubst %.c,%.o,$(SRCS))
LOBJS= $(patsubst %.c,%.lo,$(SRCS))
-CFLAGS ?= -Werror -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
+CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $(EMFLAGS)
RANLIB=ranlib
Modified: trunk/libsemanage/src/Makefile
===================================================================
--- trunk/libsemanage/src/Makefile 2008-06-13 14:14:57 UTC (rev 2910)
+++ trunk/libsemanage/src/Makefile 2008-06-13 18:38:34 UTC (rev 2911)
@@ -31,7 +31,7 @@
LIBSO=$(TARGET).$(LIBVERSION)
OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c))) conf-scan.o conf-parse.o
LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c))) conf-scan.lo conf-parse.lo
-CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter
+CFLAGS ?= -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter
override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE
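Review bot: unlike the libsepol, libselinux and checkpolicy defaults, this CFLAGS line has no -Werror, so a shadowed variable in libsemanage will only warn and will not fail the build; that is consistent with the existing -Wno-unused-parameter relaxation for this library, but it is worth stating in the commit message so nobody assumes the whole tree is now shadow-clean.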
Modified: trunk/libsepol/src/Makefile
===================================================================
--- trunk/libsepol/src/Makefile 2008-06-13 14:14:57 UTC (rev 2910)
+++ trunk/libsepol/src/Makefile 2008-06-13 18:38:34 UTC (rev 2911)
@@ -10,7 +10,7 @@
LIBSO=$(TARGET).$(LIBVERSION)
OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
-CFLAGS ?= -Werror -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
+CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I. -I../include -D_GNU_SOURCE
all: $(LIBA) $(LIBSO)
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c 2008-06-13 14:14:57 UTC (rev 2910)
+++ trunk/libsepol/src/write.c 2008-06-13 18:38:34 UTC (rev 2911)
@@ -1625,7 +1625,6 @@
if (p->policyvers < POLICYDB_VERSION_PERMISSIVE &&
p->policy_type == POLICY_KERN) {
ebitmap_node_t *tnode;
- unsigned int i;
ebitmap_for_each_bit(&p->permissive_map, tnode, i) {
if (ebitmap_node_get_bit(tnode, i)) {
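Review bot: dropping the inner declaration makes this loop reuse the `i` of the enclosing scope, so the permissive_map walk now clobbers that variable; the visible context does not show the outer loop, so please confirm `i` is not live after this block (or is reinitialised before its next use), otherwise the warning fix has introduced a logic change in write.c.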
From: <ssm...@us...> - 2008-06-30 13:12:59
Revision: 2914
http://selinux.svn.sourceforge.net/selinux/?rev=2914&view=rev
Author: ssmalley
Date: 2008-06-30 06:12:55 -0700 (Mon, 30 Jun 2008)
Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: sepolgen: fix role-type associations and role allow rules
Date: Mon, 23 Jun 2008 14:54:11 -0400
Stephen Smalley wrote:
> On Thu, 2008-06-19 at 11:42 -0400, Joshua Brindle wrote:
>
>> This was written by Karl but he is currently unable to send patches
>>
>
> Also need to fix it to extract the right type (the new type from the
> transition, not the tcontext type) from the error message.
> Use audit2allow -r < avc with the attached avc to test.
>
> Correct output is:
> require {
> type updpwd_t;
> role unconfined_r;
> }
>
> role unconfined_r types updpwd_t;
>
>
Updated patch attached.
Karl
Modified Paths:
--------------
trunk/policycoreutils/audit2allow/audit2allow
trunk/sepolgen/src/sepolgen/access.py
trunk/sepolgen/src/sepolgen/audit.py
trunk/sepolgen/src/sepolgen/output.py
trunk/sepolgen/src/sepolgen/policygen.py
trunk/sepolgen/src/sepolgen/refpolicy.py
Modified: trunk/policycoreutils/audit2allow/audit2allow
===================================================================
--- trunk/policycoreutils/audit2allow/audit2allow 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/policycoreutils/audit2allow/audit2allow 2008-06-30 13:12:55 UTC (rev 2914)
@@ -152,12 +152,13 @@
def __process_input(self):
if self.__options.type:
- avcfilter = audit.TypeFilter(self.__options.type)
+ avcfilter = audit.AVCTypeFilter(self.__options.type)
self.__avs = self.__parser.to_access(avcfilter)
- self.__selinux_errs = self.__parser.to_role(avcfilter)
+ csfilter = audit.ComputeSidTypeFilter(self.__options.type)
+ self.__role_types = self.__parser.to_role(csfilter)
else:
self.__avs = self.__parser.to_access()
- self.__selinux_errs = self.__parser.to_role()
+ self.__role_types = self.__parser.to_role()
def __load_interface_info(self):
# Load interface info file
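Review bot: applying the -t filter through two filter classes is correct, since compute-sid messages carry an invalid context plus scontext and tcontext rather than a single pair; with the `__selinux_errs` attribute gone, every other reference to it must be removed in the same change (the output block later in this file is removed below), otherwise the first run with a type filter fails with an AttributeError.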
@@ -310,6 +311,7 @@
# Generate the policy
g.add_access(self.__avs)
+ g.add_role_types(self.__role_types)
# Output
writer = output.ModuleWriter()
@@ -328,12 +330,6 @@
fd = sys.stdout
writer.write(g.get_module(), fd)
- if len(self.__selinux_errs) > 0:
- fd.write("\n=========== ROLES ===============\n")
-
- for role in self.__selinux_errs:
- fd.write(role.output())
-
def main(self):
try:
self.__parse_options()
Modified: trunk/sepolgen/src/sepolgen/access.py
===================================================================
--- trunk/sepolgen/src/sepolgen/access.py 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/sepolgen/src/sepolgen/access.py 2008-06-30 13:12:55 UTC (rev 2914)
@@ -295,3 +295,32 @@
perms[av.obj_class] = s
s.update(av.perms)
return perms
+
+class RoleTypeSet:
+ """A non-overlapping set of role type statements.
+
+ This clas allows the incremental addition of role type statements and
+ maintains a non-overlapping list of statements.
+ """
+ def __init__(self):
+ """Initialize an access vector set."""
+ self.role_types = {}
+
+ def __iter__(self):
+ """Iterate over all of the unique role allows statements in the set."""
+ for role_type in self.role_types.values():
+ yield role_type
+
+ def __len__(self):
+ """Return the unique number of role allow statements."""
+ return len(self.roles)
+
+ def add(self, role, type):
+ if self.role_types.has_key(role):
+ role_type = self.role_types[role]
+ else:
+ role_type = refpolicy.RoleType()
+ role_type.role = role
+ self.role_types[role] = role_type
+
+ role_type.types.add(type)
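Review bot: `__len__` returns len(self.roles), but the attribute is self.role_types, so any len() on a RoleTypeSet raises AttributeError; change it to len(self.role_types). Smaller points in the same hunk: the __init__ docstring was copied from the access vector set, "clas" in the class docstring, and the add() parameter named `type` shadows the builtin.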
Modified: trunk/sepolgen/src/sepolgen/audit.py
===================================================================
--- trunk/sepolgen/src/sepolgen/audit.py 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/sepolgen/src/sepolgen/audit.py 2008-06-30 13:12:55 UTC (rev 2914)
@@ -235,20 +235,21 @@
"""
def __init__(self, message):
AuditMessage.__init__(self, message)
- self.type = ""
- self.role = ""
+ self.invalid_context = refpolicy.SecurityContext()
+ self.scontext = refpolicy.SecurityContext()
+ self.tcontext = refpolicy.SecurityContext()
+ self.tclass = ""
def from_split_string(self, recs):
AuditMessage.from_split_string(self, recs)
- dict={}
- for i in recs:
- t = i.split('=')
- if len(t) < 2:
- continue
- dict[t[0]]=t[1]
+ if len(recs) < 10:
+ raise ValueError("Split string does not represent a valid compute sid message")
+
try:
- self.role = refpolicy.SecurityContext(dict["scontext"]).role
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+ self.invalid_context = refpolicy.SecurityContext(recs[5])
+ self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
+ self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
+ self.tclass = recs[9].split("=")[1]
except:
raise ValueError("Split string does not represent a valid compute sid message")
def output(self):
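Review bot: the parser now depends on the SELINUX_ERR fields sitting at fixed positions (recs[5], recs[7], recs[8], recs[9]) instead of scanning for key=value pairs, so an extra or reordered field in the audit record from a different kernel or auditd version will either trip the len(recs) < 10 guard or silently treat the wrong token as the invalid context; the old key-based scan was more robust and can still be used for scontext, tcontext and tclass while taking the invalid context positionally. The bare `except:` also swallows everything, including KeyboardInterrupt, and replaces it with a generic ValueError; catch the parsing exceptions explicitly.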
@@ -405,7 +406,7 @@
self.__post_process()
def to_role(self, role_filter=None):
- """Return list of SELINUX_ERR messages matching the specified filter
+ """Return RoleAllowSet statements matching the specified filter
Filter out types that match the filer, or all roles
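Review bot: the docstring now says RoleAllowSet, but to_role returns an access.RoleTypeSet (see the body in the next hunk), and the context line still reads "filer" for "filter"; fix both while the docstring is being touched.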
@@ -416,13 +417,12 @@
Access vector set representing the denied access in the
audit logs parsed by this object.
"""
- roles = []
- if role_filter:
- for selinux_err in self.compute_sid_msgs:
- if role_filter.filter(selinux_err):
- roles.append(selinux_err)
- return roles
- return self.compute_sid_msgs
+ role_types = access.RoleTypeSet()
+ for cs in self.compute_sid_msgs:
+ if not role_filter or role_filter.filter(cs):
+ role_types.add(cs.invalid_context.role, cs.invalid_context.type)
+
+ return role_types
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -454,7 +454,7 @@
avc.accesses, avc)
return av_set
-class TypeFilter:
+class AVCTypeFilter:
def __init__(self, regex):
self.regex = re.compile(regex)
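Review bot: renaming TypeFilter to AVCTypeFilter breaks any external script that imports audit.TypeFilter; keep `TypeFilter = AVCTypeFilter` as a compatibility alias for one release, since sepolgen is consumed as a library by more than audit2allow.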
@@ -465,4 +465,17 @@
return True
return False
+class ComputeSidTypeFilter:
+ def __init__(self, regex):
+ self.regex = re.compile(regex)
+ def filter(self, avc):
+ if self.regex.match(avc.invalid_context.type):
+ return True
+ if self.regex.match(avc.scontext.type):
+ return True
+ if self.regex.match(avc.tcontext.type):
+ return True
+ return False
+
+
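Review bot: the filter() parameter is named avc but receives a compute-sid message, which is misleading right next to AVCTypeFilter; rename it, and drop the two trailing blank lines added at the end of the file. Using re.match anchors the pattern at the start of the type name, which is fine as long as the AVC filter behaves the same way and the -t option help says so.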
Modified: trunk/sepolgen/src/sepolgen/output.py
===================================================================
--- trunk/sepolgen/src/sepolgen/output.py 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/sepolgen/src/sepolgen/output.py 2008-06-30 13:12:55 UTC (rev 2914)
@@ -101,6 +101,8 @@
else:
return id_set_cmp(a.src_types, [b.args[0]])
+def role_type_cmp(a, b):
+ return cmp(a.role, b.role)
def sort_filter(module):
"""Sort and group the output for readability.
@@ -146,6 +148,18 @@
c.extend(sep_rules)
+
+ ras = []
+ ras.extend(node.role_types())
+ ras.sort(role_type_cmp)
+ if len(ras):
+ comment = refpolicy.Comment()
+ comment.lines.append("============= ROLES ==============")
+ c.append(comment)
+
+
+ c.extend(ras)
+
# Everything else
for child in node.children:
if child not in c:
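Review bot: the list is named ras (role allows) but holds RoleType statements from node.role_types(); rename it to role_types for clarity and drop the doubled blank lines around the comment block. Emitting the ROLES section inside the module output, where it compiles, replaces the block that audit2allow used to print after the module, which is the right direction.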
Modified: trunk/sepolgen/src/sepolgen/policygen.py
===================================================================
--- trunk/sepolgen/src/sepolgen/policygen.py 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/sepolgen/src/sepolgen/policygen.py 2008-06-30 13:12:55 UTC (rev 2914)
@@ -167,7 +167,14 @@
if self.gen_requires:
gen_requires(self.module)
+ def add_role_types(self, role_type_set):
+ for role_type in role_type_set:
+ self.module.children.append(role_type)
+ # Generate the requires
+ if self.gen_requires:
+ gen_requires(self.module)
+
def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
"""Explain why a policy statement was generated.
@@ -334,8 +341,12 @@
# can actually figure those out.
r.types.add(arg)
+ for role_type in node.role_types():
+ r.roles.add(role_type.role)
+ r.types.update(role_type.types)
+
r.types.discard("self")
-
+
node.children.insert(0, r)
# FUTURE - this is untested on modules with any sort of
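Review bot: folding the roles and types of each role_type statement into the single require block is what the expected output in the thread needs; the last two lines of the hunk are a whitespace-only change (trailing spaces on a blank line) and should be dropped to keep the diff focused.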
Modified: trunk/sepolgen/src/sepolgen/refpolicy.py
===================================================================
--- trunk/sepolgen/src/sepolgen/refpolicy.py 2008-06-14 00:06:59 UTC (rev 2913)
+++ trunk/sepolgen/src/sepolgen/refpolicy.py 2008-06-30 13:12:55 UTC (rev 2914)
@@ -122,6 +122,12 @@
def roles(self):
return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+ def role_allows(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
+
+ def role_types(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
+
def __str__(self):
if self.comment:
return str(self.comment) + "\n" + self.to_string()
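Review bot: role_allows() is added here but nothing in this patch calls it (only role_types() is used by output.py and policygen.py); either leave it out of this change or say in the commit message that it is added for symmetry with roles().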
@@ -494,6 +500,15 @@
return "allow %s %s;" % (self.src_roles.to_comma_str(),
self.tgt_roles.to_comma_str())
+class RoleType(Leaf):
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.role = ""
+ self.types = IdSet()
+
+ def to_string(self):
+ return "role %s types %s;" % (self.role, self.types.to_comma_str())
+
class ModuleDeclaration(Leaf):
def __init__(self, parent=None):
Leaf.__init__(self, parent)
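Review bot: RoleType.to_string emits "role r types ;" when types is empty, which is not valid policy; RoleTypeSet.add always adds at least one type so the generator cannot hit this, but a guard for an empty set would protect direct users of the class.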