1. 26 7月, 2013 1 次提交
  2. 23 7月, 2012 1 次提交
  3. 10 4月, 2012 2 次提交
    • E
      SELinux: add default_type statements · eed7795d
      Eric Paris 提交于
      Because Fedora shipped userspace based on my development tree we now
      have policy version 27 in the wild defining only default user, role, and
      range.  Thus to add default_type we need a policy.28.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      eed7795d
    • E
      SELinux: allow default source/target selectors for user/role/range · aa893269
      Eric Paris 提交于
      When new objects are created we have great and flexible rules to
      determine the type of the new object.  We aren't quite as flexible or
      mature when it comes to determining the user, role, and range.  This
      patch adds a new ability to specify the place a new objects user, role,
      and range should come from.  For users and roles it can come from either
      the source or the target of the operation.  aka for files the user can
      either come from the source (the running process and todays default) or
      it can come from the target (aka the parent directory of the new file)
      
      examples always are done with
      directory context: system_u:object_r:mnt_t:s0-s0:c0.c512
      process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
      [no rule]
      	unconfined_u:object_r:mnt_t:s0   test_none
      [default user source]
      	unconfined_u:object_r:mnt_t:s0   test_user_source
      [default user target]
      	system_u:object_r:mnt_t:s0       test_user_target
      [default role source]
      	unconfined_u:unconfined_r:mnt_t:s0 test_role_source
      [default role target]
      	unconfined_u:object_r:mnt_t:s0   test_role_target
      [default range source low]
      	unconfined_u:object_r:mnt_t:s0 test_range_source_low
      [default range source high]
      	unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high
      [default range source low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high
      [default range target low]
      	unconfined_u:object_r:mnt_t:s0 test_range_target_low
      [default range target high]
      	unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high
      [default range target low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high
      Signed-off-by: NEric Paris <eparis@redhat.com>
      aa893269
  4. 06 1月, 2012 4 次提交
  5. 10 9月, 2011 4 次提交
  6. 25 4月, 2011 1 次提交
  7. 02 4月, 2011 1 次提交
  8. 29 3月, 2011 1 次提交
  9. 02 2月, 2011 1 次提交
    • E
      SELinux: Use dentry name in new object labeling · 652bb9b0
      Eric Paris 提交于
      Currently SELinux has rules which label new objects according to 3 criteria.
      The label of the process creating the object, the label of the parent
      directory, and the type of object (reg, dir, char, block, etc.)  This patch
      adds a 4th criteria, the dentry name, thus we can distinguish between
      creating a file in an etc_t directory called shadow and one called motd.
      
      There is no file globbing, regex parsing, or anything mystical.  Either the
      policy exactly (strcmp) matches the dentry name of the object or it doesn't.
      This patch has no changes from today if policy does not implement the new
      rules.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      652bb9b0
  10. 21 10月, 2010 4 次提交
    • E
      SELinux: allow userspace to read policy back out of the kernel · cee74f47
      Eric Paris 提交于
      There is interest in being able to see what the actual policy is that was
      loaded into the kernel.  The patch creates a new selinuxfs file
      /selinux/policy which can be read by userspace.  The actual policy that is
      loaded into the kernel will be written back out to userspace.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      cee74f47
    • E
      secmark: make secmark object handling generic · 2606fd1f
      Eric Paris 提交于
      Right now secmark has lots of direct selinux calls.  Use all LSM calls and
      remove all SELinux specific knowledge.  The only SELinux specific knowledge
      we leave is the mode.  The only point is to make sure that other LSMs at
      least test this generic code before they assume it works.  (They may also
      have to make changes if they do not represent labels as strings)
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NPatrick McHardy <kaber@trash.net>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2606fd1f
    • K
      selinux: fix up style problem on /selinux/status · 36f7f284
      KaiGai Kohei 提交于
      This patch fixes up coding-style problem at this commit:
      
       4f27a7d49789b04404eca26ccde5f527231d01d5
       selinux: fast status update interface (/selinux/status)
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      36f7f284
    • K
      selinux: fast status update interface (/selinux/status) · 11904167
      KaiGai Kohei 提交于
      This patch provides a new /selinux/status entry which allows applications
      read-only mmap(2).
      This region reflects selinux_kernel_status structure in kernel space.
        struct selinux_kernel_status
        {
                u32     length;         /* length of this structure */
                u32     sequence;       /* sequence number of seqlock logic */
                u32     enforcing;      /* current setting of enforcing mode */
                u32     policyload;     /* times of policy reloaded */
                u32     deny_unknown;   /* current setting of deny_unknown */
        };
      
      When userspace object manager caches access control decisions provided
      by SELinux, it needs to invalidate the cache on policy reload and setenforce
      to keep consistency.
      However, the applications need to check the kernel state for each accesses
      on userspace avc, or launch a background worker process.
      In heuristic, frequency of invalidation is much less than frequency of
      making access control decision, so it is annoying to invoke a system call
      to check we don't need to invalidate the userspace cache.
      If we can use a background worker thread, it allows to receive invalidation
      messages from the kernel. But it requires us an invasive coding toward the
      base application in some cases; E.g, when we provide a feature performing
      with SELinux as a plugin module, it is unwelcome manner to launch its own
      worker thread from the module.
      
      If we could map /selinux/status to process memory space, application can
      know updates of selinux status; policy reload or setenforce.
      
      A typical application checks selinux_kernel_status::sequence when it tries
      to reference userspace avc. If it was changed from the last time when it
      checked userspace avc, it means something was updated in the kernel space.
      Then, the application can reset userspace avc or update current enforcing
      mode, without any system call invocations.
      This sequence number is updated according to the seqlock logic, so we need
      to wait for a while if it is odd number.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      --
       security/selinux/include/security.h |   21 ++++++
       security/selinux/selinuxfs.c        |   56 +++++++++++++++
       security/selinux/ss/Makefile        |    2 +-
       security/selinux/ss/services.c      |    3 +
       security/selinux/ss/status.c        |  129 +++++++++++++++++++++++++++++++++++
       5 files changed, 210 insertions(+), 1 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      11904167
  11. 04 2月, 2010 1 次提交
  12. 18 1月, 2010 1 次提交
    • S
      selinux: change the handling of unknown classes · 19439d05
      Stephen Smalley 提交于
      If allow_unknown==deny, SELinux treats an undefined kernel security
      class as an error condition rather than as a typical permission denial
      and thus does not allow permissions on undefined classes even when in
      permissive mode.  Change the SELinux logic so that this case is handled
      as a typical permission denial, subject to the usual permissive mode and
      permissive domain handling.
      
      Also drop the 'requested' argument from security_compute_av() and
      helpers as it is a legacy of the original security server interface and
      is unused.
      
      Changes:
      - Handle permissive domains consistently by moving up the test for a
      permissive domain.
      - Make security_compute_av_user() consistent with security_compute_av();
      the only difference now is that security_compute_av() performs mapping
      between the kernel-private class and permission indices and the policy
      values.  In the userspace case, this mapping is handled by libselinux.
      - Moved avd_init inside the policy lock.
      
      Based in part on a patch by Paul Moore <paul.moore@hp.com>.
      Reported-by: NAndrew Worsley <amworsley@gmail.com>
      Signed-off-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Reviewed-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      19439d05
  13. 07 10月, 2009 1 次提交
    • S
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley 提交于
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c6d3aaa4
  14. 19 5月, 2009 1 次提交
  15. 02 4月, 2009 1 次提交
    • K
      Permissive domain in userspace object manager · 8a6f83af
      KaiGai Kohei 提交于
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported an idea of permissive
      domain which allows certain processes to work as if permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to inform
      what domains are permissive one, and what domains are not.
      It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domain correctly.
      
      This patch add the sixth field (flags) on the reply of the /selinux/access
      interface which is used to make an access control decision from userspace.
      If the first bit of the flags field is positive, it means the required
      access control decision is on permissive domain, so application should
      allow any required actions, as the kernel doing.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables to check required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NEric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8a6f83af
  16. 14 2月, 2009 1 次提交
  17. 19 1月, 2009 2 次提交
  18. 28 8月, 2008 1 次提交
    • K
      SELinux: add boundary support and thread context assignment · d9250dea
      KaiGai Kohei 提交于
      The purpose of this patch is to assign per-thread security context
      under a constraint. It enables multi-threaded server application
      to kick a request handler with its fair security context, and
      helps some of userspace object managers to handle user's request.
      
      When we assign a per-thread security context, it must not have wider
      permissions than the original one. Because a multi-threaded process
      shares a single local memory, an arbitary per-thread security context
      also means another thread can easily refer violated information.
      
      The constraint on a per-thread security context requires a new domain
      has to be equal or weaker than its original one, when it tries to assign
      a per-thread security context.
      
      Bounds relationship between two types is a way to ensure a domain can
      never have wider permission than its bounds. We can define it in two
      explicit or implicit ways.
      
      The first way is using new TYPEBOUNDS statement. It enables to define
      a boundary of types explicitly. The other one expand the concept of
      existing named based hierarchy. If we defines a type with "." separated
      name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t".
      
      This feature requires a new policy version.
      The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into
      kernel space, and the following patch enables to handle it.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d9250dea
  19. 15 7月, 2008 1 次提交
  20. 14 7月, 2008 2 次提交
    • E
      SELinux: allow fstype unknown to policy to use xattrs if present · 811f3799
      Eric Paris 提交于
      Currently if a FS is mounted for which SELinux policy does not define an
      fs_use_* that FS will either be genfs labeled or not labeled at all.
      This decision is based on the existence of a genfscon rule in policy and
      is irrespective of the capabilities of the filesystem itself.  This
      patch allows the kernel to check if the filesystem supports security
      xattrs and if so will use those if there is no fs_use_* rule in policy.
      An fstype with a no fs_use_* rule but with a genfs rule will use xattrs
      if available and will follow the genfs rule.
      
      This can be particularly interesting for things like ecryptfs which
      actually overlays a real underlying FS.  If we define excryptfs in
      policy to use xattrs we will likely get this wrong at times, so with
      this path we just don't need to define it!
      
      Overlay ecryptfs on top of NFS with no xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
      Overlay ecryptfs on top of ext4 with xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
      
      It is also useful as the kernel adds new FS we don't need to add them in
      policy if they support xattrs and that is how we want to handle them.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      811f3799
    • S
      selinux: support deferred mapping of contexts · 12b29f34
      Stephen Smalley 提交于
      Introduce SELinux support for deferred mapping of security contexts in
      the SID table upon policy reload, and use this support for inode
      security contexts when the context is not yet valid under the current
      policy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in
      policy can set undefined security contexts on inodes.  Inodes with
      such undefined contexts are treated as having the unlabeled context
      until the context becomes valid upon a policy reload that defines the
      context.  Context invalidation upon policy reload also uses this
      support to save the context information in the SID table and later
      recover it upon a subsequent policy reload that defines the context
      again.
      
      This support is to enable package managers and similar programs to set
      down file contexts unknown to the system policy at the time the file
      is created in order to better support placing loadable policy modules
      in packages and to support build systems that need to create images of
      different distro releases with different policies w/o requiring all of
      the contexts to be defined or legal in the build host policy.
      
      With this patch applied, the following sequence is possible, although
      in practice it is recommended that this permission only be allowed to
      specific program domains such as the package manager.
      
      # rmdir baz
      # rm bar
      # touch bar
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      # cat setundefined.te
      policy_module(setundefined, 1.0)
      require {
      	type unconfined_t;
      	type unlabeled_t;
      }
      files_type(unlabeled_t)
      allow unconfined_t self:capability2 mac_admin;
      # make -f /usr/share/selinux/devel/Makefile setundefined.pp
      # semodule -i setundefined.pp
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      # mkdir -Z system_u:object_r:foo_exec_t baz
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # cat foo.te
      policy_module(foo, 1.0)
      type foo_exec_t;
      files_type(foo_exec_t)
      # make -f /usr/share/selinux/devel/Makefile foo.pp
      # semodule -i foo.pp # defines foo_exec_t
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r foo
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # semodule -i foo.pp
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r setundefined foo
      # chcon -t foo_exec_t bar # no longer defined and not allowed
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # rmdir baz
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      12b29f34
  21. 30 4月, 2008 2 次提交
  22. 29 4月, 2008 1 次提交
  23. 28 4月, 2008 1 次提交
    • E
      SELinux: selinux/include/security.h whitespace, syntax, and other cleanups · b19d8eae
      Eric Paris 提交于
      This patch changes selinux/include/security.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      whitespace at end of lines
      spaces followed by tabs
      spaces used instead of tabs
      spacing around parenthesis
      location of { around structs and else clauses
      location of * in pointer declarations
      removal of initialization of static data to keep it in the right section
      useless {} in if statemetns
      useless checking for NULL before kfree
      fixing of the indentation depth of switch statements
      no assignments in if statements
      and any number of other things I forgot to mention
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      b19d8eae
  24. 18 4月, 2008 4 次提交