Stephen Smalley wrote:
> On Thu, 2006-09-28 at 14:33 -0400, Linda Knippers wrote:
>
>>It's a little more complicated than that because avc_has_perm() takes
>>you down a path where it wants to translate a context.
>>
>>avc_has_perm() calls avc_has_perm_noaudit() and if the avc_lookup()
>>fails, it calls security_compute_av(), which needs a raw context,
>>so it calls back into the translation functions.
>>
>>I think I can make it work by calling security_compute_av_raw()
>>instead but then it doesn't get cached, right?
>>
>>Any other ideas?
>
>
> Hmmm... context translation support wasn't properly integrated with the
> userspace AVC. Logically, I'd expect avc_context_to_sid() and
> avc_sid_to_context() to perform translation, such that
> avc_has_perm_noaudit() would already have the raw contexts available to
> it from the SIDs and be able to directly call security_compute_av_raw()
> internally. And then one would have avc_context_to_sid_raw() and
> avc_sid_to_context_raw() for programs that didn't want translation at
> all.
>
> For the translation daemon itself, you might want a libselinux function
> that lets you disable all translations (i.e. set a flag that is checked
> on entry by selinux_trans_to_raw_context() and
> selinux_raw_to_trans_context() and handled in the same manner as the !
> mls_enabled case). Then the translation daemon could just call any
> libselinux function without needing to worry about accidentally
> triggering a communication to itself.
I threw together a couple of patches. Is this what you had in mind?
-- ljk
--- libselinux-1.30.28/src/setrans_client.c 2006-09-13 13:37:04.000000000
-0400
+++ libselinux-1.30.28.ljk/src/setrans_client.c 2006-10-02 14:57:22.000000000
-0400
@@ -17,6 +17,7 @@
#include "setrans_internal.h"
static int mls_enabled = -1;
+static int trans_disabled = 0;
// Simple cache
static __thread security_context_t prev_t2r_trans = NULL;
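Review bot: `trans_disabled` is a plain process-wide `static int` (unlike the `__thread` cache right below it), written by `selinux_disable_translation()` in the last hunk of this file and read without any synchronization in the `selinux_trans_to_raw_context` and `selinux_raw_to_trans_context` hunks. That is fine as long as the flag is set before the process creates threads, but nothing on the page documents that contract. I would add `/* Process-wide; set via selinux_disable_translation() before any thread can call the translation functions. */` above the declaration, or make the field `_Atomic`/`sig_atomic_t` if late toggling is intended.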
@@ -245,7 +246,7 @@ int selinux_trans_to_raw_context(securit
return 0;
}
- if (!mls_enabled) {
+ if (!mls_enabled || trans_disabled) {
*rawp = strdup(trans);
goto out;
}
@@ -287,7 +288,7 @@ int selinux_raw_to_trans_context(securit
return 0;
}
- if (!mls_enabled) {
+ if (!mls_enabled || trans_disabled) {
*transp = strdup(raw);
goto out;
}
@@ -320,3 +321,9 @@ int selinux_raw_to_trans_context(securit
}
hidden_def(selinux_raw_to_trans_context)
+
+void selinux_disable_translation (int value)
+{
+ trans_disabled = value;
+ return;
+}
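Review bot: `selinux_disable_translation (int value)` does not follow the file's own signature style (the neighbouring `selinux_raw_to_trans_context(securit` has no space before the parenthesis), and the trailing bare `return;` in a void function is noise. The header comment in selinux.h promises "if passed a non-zero value", so storing a normalized flag keeps the stored value and the documented meaning aligned: `trans_disabled = (value != 0);`. A one-line comment such as `/* Used by the translation daemon itself so libselinux never calls back into it. */` would record why the switch exists, since that motivation is only in the e-mail thread.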
--- libselinux-1.30.28/include/selinux/selinux.h 2006-09-13
13:37:05.000000000 -0400
+++ libselinux-1.30.28.ljk/include/selinux/selinux.h 2006-10-02
13:12:17.000000000 -0400
@@ -444,6 +444,9 @@ extern "C" {
extern int selinux_raw_to_trans_context(security_context_t raw,
security_context_t * transp);
+/* Disable the translation of contexts if passed a non-zero value.*/
+ extern void selinux_disable_translation(int value);
+
/* Get the SELinux username and level to use for a given Linux username.
These values may then be passed into the get_ordered_context_list*
and get_default_context* functions to obtain a context for the user.
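Review bot: The new declaration `+ extern void selinux_disable_translation(int value);` carries a leading space that the surrounding `extern int` declarations do not, and the comment is missing a space before `*/`. More importantly, the comment does not tell callers that the setting is process-wide (it writes a plain static flag in setrans_client.c, not a per-thread value) and that passing zero re-enables translation. I would replace it with `/* Disable (non-zero) or re-enable (zero) context translation for the whole process. Intended for the translation daemon itself; call before creating threads, as the flag is not synchronized. */`.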
--- mcstrans-0.1.8/src/mcstransd.c 2006-06-19 14:38:08.000000000 -0400
+++ mcstrans-0.1.8.ljk/src/mcstransd.c 2006-10-02 14:50:35.000000000 -0400
@@ -17,6 +17,9 @@
#include <sys/types.h>
#include <sys/capability.h>
#include <sys/resource.h>
+#include <selinux/avc.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
#ifdef UNUSED
#elif defined(__GNUC__)
@@ -71,22 +74,47 @@ static __attribute__((noreturn)) void c
}
/*
+ * Check to see if the subject requesting the translation
+ * is cleared to see the translation.
+ * Returns: 0 on success (allowed), 1 on failure (denied).
+ */
+static int
+cleared_to_translate(char *in, char *pcon)
+{
+
+ security_id_t ssid,tsid; /* SELinux SIDS */
+ int retval;
+
+ avc_init("mcstransd", NULL, NULL, NULL, NULL);
+ if (avc_context_to_sid(pcon, &ssid) != 0)
+ return 1;
+ if (avc_context_to_sid(in, &tsid) != 0) {
+ free(ssid);
+ return 1;
+ }
+ retval = avc_has_perm(ssid, tsid, SECCLASS_FILE, FILE__GETATTR,
+ NULL, NULL);
+ free(ssid);
+ free(tsid);
+ if (retval == 0)
+ return 0;
+ return 1;
+}
+
+/*
* Convert raw label portion of a security context to translated label
* Returns: 0 on success, 1 on failure
*/
static int
-raw_to_trans_context(char *in, char **out, char *UNUSED(pcon))
+raw_to_trans_context(char *in, char **out, char *pcon)
{
-
*out = NULL;
- /* TODO: Check if MLS clearance (in "pcon") dominates the MLS label
- * (in "in").
- */
-
- trans_context(in, out);
-
- return 0;
+ if (cleared_to_translate(in, pcon) == 0) {
+ trans_context(in, out);
+ return 0;
+ }
+ return 1;
}
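Review bot: `free(ssid)` and `free(tsid)` in `cleared_to_translate` release objects that belong to the AVC's SID table, so the next request that maps the same context gets a dangling pointer and the table itself may be freed twice; this era's avc.h exposes `sidput()` for dropping the reference a caller obtained from `avc_context_to_sid()`, which is what should be used here. `avc_init()` is also called on every translation request with its return value ignored, so a failed initialization falls straight through into `avc_context_to_sid()`/`avc_has_perm()`; it should be called once in `initialize()` (the last hunk of this file) with its result checked, and removed from the per-request path. Finally, neither `in` nor `pcon` is checked for NULL before being handed to `avc_context_to_sid()`, and the `trans_to_raw_context` hunk below can pass a NULL `*out`. The sketch below assumes `avc_init()` has been hoisted into `initialize()`.

```c
static int
cleared_to_translate(char *in, char *pcon)
{
	security_id_t ssid, tsid;	/* references owned by the AVC sidtab */
	int retval;

	if (in == NULL || pcon == NULL)
		return 1;
	/* avc_init() is done once in initialize(), not per request */
	if (avc_context_to_sid(pcon, &ssid) != 0)
		return 1;
	if (avc_context_to_sid(in, &tsid) != 0) {
		sidput(ssid);
		return 1;
	}
	retval = avc_has_perm(ssid, tsid, SECCLASS_FILE, FILE__GETATTR,
			      NULL, NULL);
	sidput(tsid);
	sidput(ssid);
	return retval == 0 ? 0 : 1;
}
/* … unchanged: raw_to_trans_context … */
```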
@@ -95,16 +123,15 @@ raw_to_trans_context(char *in, char **ou
* Returns: 0 on success, 1 on failure
*/
static int
-trans_to_raw_context(char *in, char **out, char *UNUSED(pcon))
+trans_to_raw_context(char *in, char **out, char *pcon)
{
*out = NULL;
- /* TODO: Check if MLS clearance (in "pcon") dominates the MLS label
- * (in "in").
- */
-
untrans_context(in, out);
-
+ if (cleared_to_translate(*out, pcon) == 0) {
+ *out = NULL;
+ return 1;
+ }
return 0;
}
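Review bot: The clearance check in `trans_to_raw_context` is inverted: `cleared_to_translate()` returns 0 when the subject is allowed (see its header comment and its use in `raw_to_trans_context`), yet this hunk treats `== 0` as the failure case, so an authorized requester gets NULL and a failure code while a denied requester receives the raw context with a success code. The discarded `*out` is also simply overwritten with NULL, which leaks the string if `untrans_context()` heap-allocates it (hedged: the allocation is outside the hunk, but the caller presumably frees `*out` on the success path), and when `untrans_context()` leaves `*out` NULL the check is invoked on a NULL context. The fix negates the test, frees the rejected result, and skips the AVC call when there is nothing to check.

```c
	untrans_context(in, out);
	/* cleared_to_translate() returns 0 only when the requester may see the label */
	if (*out == NULL || cleared_to_translate(*out, pcon) != 0) {
		free(*out);	/* assumes untrans_context() heap-allocates *out — confirm */
		*out = NULL;
		return 1;
	}
	return 0;
```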
@@ -493,6 +520,8 @@ initialize(void)
cleanup_exit(1);
}
+ selinux_disable_translation(1);
+
/* the socket will be unlinked when the daemon terminates */
act.sa_handler = sigterm_handler;
sigemptyset(&act.sa_mask);
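Review bot: `selinux_disable_translation(1)` is placed after the `cleanup_exit(1)` block, and `initialize()` begins outside this hunk, so I cannot tell whether any earlier libselinux call in this function can already reach `selinux_raw_to_trans_context()`/`selinux_trans_to_raw_context()` and therefore attempt to contact the daemon before the switch is thrown. Since the purpose of the flag is to prevent the daemon from calling back into itself, it should be the first libselinux interaction in `initialize()`, and this is also the natural place for the single `avc_init("mcstransd", NULL, NULL, NULL, NULL)` call with a checked result, e.g. `if (avc_init("mcstransd", NULL, NULL, NULL, NULL) < 0) cleanup_exit(1);`, instead of initializing the AVC on every request inside `cleared_to_translate()`.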