void map_decision(security_class_t tclass, struct av_decision *avd) { if (tclass < current_mapping_size) { bool allow_unknown = (security_deny_unknown() == 0); struct selinux_mapping *mapping = ¤t_mapping[tclass]; unsigned int i, n = mapping->num_perms; access_vector_t result; for (i = 0, result = 0; i < n; i++) { if (avd->allowed & mapping->perms[i]) result |= 1<<i; else if (allow_unknown && !mapping->perms[i]) result |= 1<<i; } avd->allowed = result; for (i = 0, result = 0; i < n; i++) { if (avd->decided & mapping->perms[i]) result |= 1<<i; else if (allow_unknown && !mapping->perms[i]) result |= 1<<i; } avd->decided = result; for (i = 0, result = 0; i < n; i++) if (avd->auditallow & mapping->perms[i]) result |= 1<<i; avd->auditallow = result; for (i = 0, result = 0; i < n; i++) { if (avd->auditdeny & mapping->perms[i]) result |= 1<<i; else if (!allow_unknown && !mapping->perms[i]) result |= 1<<i; } /* * Make sure we audit denials for any permission check * beyond the mapping->num_perms since this indicates * a bug in the object manager. */ for (; i < (sizeof(result)*8); i++) result |= 1<<i; avd->auditdeny = result; } }
/* * selinux_status_deny_unknown * * It returns a guideline to handle undefined object classes or permissions. * 0 means SELinux treats policy queries on undefined stuff being allowed, * however, 1 means such queries are denied. */ int selinux_status_deny_unknown(void) { uint32_t seqno; uint32_t deny_unknown; if (selinux_status == NULL) { errno = EINVAL; return -1; } if (selinux_status == MAP_FAILED) return security_deny_unknown(); /* sequence must not be changed during references */ do { seqno = read_sequence(selinux_status); deny_unknown = selinux_status->deny_unknown; } while (seqno != read_sequence(selinux_status)); return deny_unknown ? 1 : 0; }
int main(int argc, char **argv) { /* these vars are reused several times */ int rc, opt, i, c; char *context, *root_path; /* files that need context checks */ char *fc[MAX_CHECK]; char *cterm = ttyname(0); int nfc = 0; struct stat m; /* processes that need context checks */ char *pc[MAX_CHECK]; int npc = 0; /* booleans */ char **bools; int nbool; int verbose = 0; int show_bools = 0; /* policy */ const char *pol_name, *root_dir; char *pol_path; while (1) { opt = getopt(argc, argv, "vb"); if (opt == -1) break; switch (opt) { case 'v': verbose = 1; break; case 'b': show_bools = 1; break; default: /* invalid option */ printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); printf(" -v Verbose check of process and file contexts.\n"); printf(" -b Display current state of booleans.\n"); printf("\nWithout options, show SELinux status.\n"); return -1; } } printf_tab("SELinux status:"); rc = is_selinux_enabled(); switch (rc) { case 1: printf("enabled\n"); break; case 0: printf("disabled\n"); return 0; break; default: printf("unknown (%s)\n", strerror(errno)); return 0; break; } printf_tab("SELinuxfs mount:"); if (selinux_mnt != NULL) { printf("%s\n", selinux_mnt); } else { printf("not mounted\n\n"); printf("Please mount selinuxfs for proper results.\n"); return -1; } printf_tab("SELinux root directory:"); root_dir = selinux_path(); if (root_dir == NULL) { printf("error (%s)\n", strerror(errno)); return -1; } /* The path has a trailing '/' so duplicate to edit */ root_path = strdup(root_dir); if (!root_path) { printf("malloc error (%s)\n", strerror(errno)); return -1; } /* actually blank the '/' */ root_path[strlen(root_path) - 1] = '\0'; printf("%s\n", root_path); free(root_path); /* Dump all the path information */ printf_tab("Loaded policy name:"); pol_path = strdup(selinux_policy_root()); if (pol_path) { pol_name = basename(pol_path); puts(pol_name); free(pol_path); } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Current mode:"); rc = security_getenforce(); switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; default: printf("unknown (%s)\n", strerror(errno)); break; } printf_tab("Mode from config file:"); if (selinux_getenforcemode(&rc) == 0) { switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; case -1: printf("disabled\n"); break; } } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Policy MLS status:"); rc = is_selinux_mls_enabled(); switch (rc) { case 0: printf("disabled\n"); break; case 1: printf("enabled\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } printf_tab("Policy deny_unknown status:"); rc = security_deny_unknown(); switch (rc) { case 0: printf("allowed\n"); break; case 1: printf("denied\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } rc = security_policyvers(); printf_tab("Max kernel policy version:"); if (rc < 0) printf("unknown (%s)\n", strerror(errno)); else printf("%d\n", rc); if (show_bools) { /* show booleans */ if (security_get_boolean_names(&bools, &nbool) >= 0) { printf("\nPolicy booleans:\n"); for (i = 0; i < nbool; i++) { if (strlen(bools[i]) + 1 > COL) COL = strlen(bools[i]) + 1; } for (i = 0; i < nbool; i++) { printf_tab(bools[i]); rc = security_get_boolean_active(bools[i]); switch (rc) { case 1: printf("on"); break; case 0: printf("off"); break; default: printf("unknown (%s)", strerror(errno)); break; } c = security_get_boolean_pending(bools[i]); if (c != rc) switch (c) { case 1: printf(" (activate pending)"); break; case 0: printf(" (inactivate pending)"); break; default: printf(" (pending error: %s)", strerror(errno)); break; } printf("\n"); /* free up the booleans */ free(bools[i]); } free(bools); } } /* only show contexts if -v is given */ if (!verbose) return 0; load_checks(pc, &npc, fc, &nfc); printf("\nProcess contexts:\n"); printf_tab("Current context:"); if (getcon(&context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); printf_tab("Init context:"); if (getpidcon(1, &context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); for (i = 0; i < npc; i++) { rc = pidof(pc[i]); if (rc > 0) { if (getpidcon(rc, &context) < 0) continue; printf_tab(pc[i]); printf("%s\n", context); freecon(context); } } printf("\nFile contexts:\n"); /* controlling term */ printf_tab("Controlling terminal:"); if (lgetfilecon(cterm, &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } for (i = 0; i < nfc; i++) { if (lgetfilecon(fc[i], &context) >= 0) { printf_tab(fc[i]); /* check if this is a symlink */ if (lstat(fc[i], &m)) { printf ("%s (could not check link status (%s)!)\n", context, strerror(errno)); freecon(context); continue; } if (S_ISLNK(m.st_mode)) { /* print link target context */ printf("%s -> ", context); freecon(context); if (getfilecon(fc[i], &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } } else { printf("%s\n", context); freecon(context); } } } return 0; }
/* * sepgsql_compute_avd * * It actually asks SELinux what permissions are allowed on a pair of * the security contexts and object class. It also returns what permissions * should be audited on access violation or allowed. * In most cases, subject's security context (scontext) is a client, and * target security context (tcontext) is a database object. * * The access control decision shall be set on the given av_decision. * The av_decision.allowed has a bitmask of SEPG_<class>__<perms> * to suggest a set of allowed actions in this object class. */ void sepgsql_compute_avd(const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd) { const char *tclass_name; security_class_t tclass_ex; struct av_decision avd_ex; int i, deny_unknown = security_deny_unknown(); /* Get external code of the object class*/ Assert(tclass < SEPG_CLASS_MAX); Assert(tclass == selinux_catalog[tclass].class_code); tclass_name = selinux_catalog[tclass].class_name; tclass_ex = string_to_security_class(tclass_name); if (tclass_ex == 0) { /* * If the current security policy does not support permissions * corresponding to database objects, we fill up them with dummy * data. * If security_deny_unknown() returns positive value, undefined * permissions should be denied. Otherwise, allowed */ avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0); avd->auditallow = 0U; avd->auditdeny = ~0U; avd->flags = 0; return; } /* * Ask SELinux what is allowed set of permissions on a pair of the * security contexts and the given object class. */ if (security_compute_av_flags_raw((security_context_t)scontext, (security_context_t)tcontext, tclass_ex, 0, &avd_ex) < 0) ereport(ERROR, (errcode(ERRCODE_INTERNAL_ERROR), errmsg("SELinux could not compute av_decision: " "scontext=%s tcontext=%s tclass=%s", scontext, tcontext, tclass_name))); /* * SELinux returns its access control decision as a set of permissions * represented in external code which depends on run-time environment. * So, we need to translate it to the internal representation before * returning results for the caller. */ memset(avd, 0, sizeof(struct av_decision)); for (i=0; selinux_catalog[tclass].av[i].av_name; i++) { access_vector_t av_code_ex; const char *av_name = selinux_catalog[tclass].av[i].av_name; uint32 av_code = selinux_catalog[tclass].av[i].av_code; av_code_ex = string_to_av_perm(tclass_ex, av_name); if (av_code_ex == 0) { /* fill up undefined permissions */ if (!deny_unknown) avd->allowed |= av_code; avd->auditdeny |= av_code; continue; } if (avd_ex.allowed & av_code_ex) avd->allowed |= av_code; if (avd_ex.auditallow & av_code_ex) avd->auditallow |= av_code; if (avd_ex.auditdeny & av_code_ex) avd->auditdeny |= av_code; } return; }
/* Check the permission from the caller (via getpeercon) to nscd. Returns 0 if access is allowed, 1 if denied, and -1 on error. The SELinux policy, enablement, and permission bits are all dynamic and the caching done by glibc is not entirely correct. This nscd support should be rewritten to use selinux_check_permission. A rewrite is risky though and requires some refactoring. Currently we use symbolic mappings instead of compile time constants (which SELinux upstream says are going away), and we use security_deny_unknown to determine what to do if selinux-policy* doesn't have a definition for the the permission or object class we are looking up. */ int nscd_request_avc_has_perm (int fd, request_type req) { /* Initialize to NULL so we know what to free in case of failure. */ security_context_t scon = NULL; security_context_t tcon = NULL; security_id_t ssid = NULL; security_id_t tsid = NULL; int rc = -1; security_class_t sc_nscd; access_vector_t perm; int avc_deny_unknown; /* Check if SELinux denys or allows unknown object classes and permissions. It is 0 if they are allowed, 1 if they are not allowed and -1 on error. */ if ((avc_deny_unknown = security_deny_unknown ()) == -1) dbg_log (_("Error querying policy for undefined object classes " "or permissions.")); /* Get the security class for nscd. If this fails we will likely be unable to do anything unless avc_deny_unknown is 0. */ sc_nscd = string_to_security_class ("nscd"); if (sc_nscd == 0 && avc_deny_unknown == 1) dbg_log (_("Error getting security class for nscd.")); /* Convert permission to AVC bits. */ perm = string_to_av_perm (sc_nscd, perms[req]); if (perm == 0 && avc_deny_unknown == 1) dbg_log (_("Error translating permission name " "\"%s\" to access vector bit."), perms[req]); /* If the nscd security class was not found or perms were not found and AVC does not deny unknown values then allow it. */ if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0) return 0; if (getpeercon (fd, &scon) < 0) { dbg_log (_("Error getting context of socket peer")); goto out; } if (getcon (&tcon) < 0) { dbg_log (_("Error getting context of nscd")); goto out; } if (avc_context_to_sid (scon, &ssid) < 0 || avc_context_to_sid (tcon, &tsid) < 0) { dbg_log (_("Error getting sid from context")); goto out; } /* The SELinux API for avc_has_perm conflates access denied and error into the return code -1, while nscd_request_avs_has_perm has distinct error (-1) and denied (1) return codes. We map the avc_has_perm access denied or error into an access denied at the nscd interface level (we do accurately report error for the getpeercon, getcon, and avc_context_to_sid interfaces used above). */ rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0; out: if (scon) freecon (scon); if (tcon) freecon (tcon); if (ssid) sidput (ssid); if (tsid) sidput (tsid); return rc; }
int selinux_set_mapping(struct security_class_mapping *map) { size_t size = sizeof(struct selinux_mapping); security_class_t i, j; unsigned k; bool print_unknown_handle = false; bool reject = (security_reject_unknown() == 1); bool deny = (security_deny_unknown() == 1); free(current_mapping); current_mapping = NULL; current_mapping_size = 0; if (avc_reset() < 0) goto err; /* Find number of classes in the input mapping */ if (!map) { errno = EINVAL; goto err; } i = 0; while (map[i].name) i++; /* Allocate space for the class records, plus one for class zero */ current_mapping = (struct selinux_mapping *)calloc(++i, size); if (!current_mapping) goto err; /* Store the raw class and permission values */ j = 0; while (map[j].name) { struct security_class_mapping *p_in = map + (j++); struct selinux_mapping *p_out = current_mapping + j; p_out->value = string_to_security_class(p_in->name); if (!p_out->value) { selinux_log(SELINUX_INFO, "SELinux: Class %s not defined in policy.\n", p_in->name); if (reject) goto err2; p_out->num_perms = 0; print_unknown_handle = true; continue; } k = 0; while (p_in->perms[k]) { /* An empty permission string skips ahead */ if (!*p_in->perms[k]) { k++; continue; } p_out->perms[k] = string_to_av_perm(p_out->value, p_in->perms[k]); if (!p_out->perms[k]) { selinux_log(SELINUX_INFO, "SELinux: Permission %s in class %s not defined in policy.\n", p_in->perms[k], p_in->name); if (reject) goto err2; print_unknown_handle = true; } k++; } p_out->num_perms = k; } if (print_unknown_handle) selinux_log(SELINUX_INFO, "SELinux: the above unknown classes and permissions will be %s\n", deny ? "denied" : "allowed"); /* Set the mapping size here so the above lookups are "raw" */ current_mapping_size = i; return 0; err2: free(current_mapping); current_mapping = NULL; current_mapping_size = 0; err: return -1; }
static JSBool rpmsx_getprop(JSContext *cx, JSObject *obj, jsid id, jsval *vp) { void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL); jsint tiny = JSVAL_TO_INT(id); #if defined(WITH_SELINUX) security_context_t con = NULL; #endif /* XXX the class has ptr == NULL, instances have ptr != NULL. */ if (ptr == NULL) return JS_TRUE; switch (tiny) { case _DEBUG: *vp = INT_TO_JSVAL(_debug); break; #if defined(WITH_SELINUX) case _CURRENT: *vp = _GET_CON(!getcon(&con)); break; case _PID: *vp = _GET_CON(!getpidcon(getpid(), &con)); break; case _PPID: *vp = _GET_CON(!getpidcon(getppid(), &con)); break; case _PREV: *vp = _GET_CON(!getprevcon(&con)); break; case _EXEC: *vp = _GET_CON(!getexeccon(&con)); break; case _FSCREATE: *vp = _GET_CON(!getfscreatecon(&con)); break; case _KEYCREATE: *vp = _GET_CON(!getkeycreatecon(&con)); break; case _SOCKCREATE: *vp = _GET_CON(!getsockcreatecon(&con)); break; case _ENFORCE: *vp = INT_TO_JSVAL(security_getenforce()); break; case _DENY: *vp = INT_TO_JSVAL(security_deny_unknown()); break; case _POLICYVERS: *vp = INT_TO_JSVAL(security_policyvers()); break; case _ENABLED: *vp = INT_TO_JSVAL(is_selinux_enabled()); break; case _MLSENABLED: *vp = INT_TO_JSVAL(is_selinux_mls_enabled()); break; #ifdef NOTYET case _BOOLS: *vp = ; break; #endif case _ROOT: *vp = _GET_STR(selinux_policy_root()); break; case _BINARY: *vp = _GET_STR(selinux_binary_policy_path()); break; case _FAILSAFE: *vp = _GET_STR(selinux_failsafe_context_path());break; case _REMOVABLE: *vp = _GET_STR(selinux_removable_context_path());break; case _DEFAULT: *vp = _GET_STR(selinux_default_context_path()); break; case _USER: *vp = _GET_STR(selinux_user_contexts_path()); break; case _FCON: *vp = _GET_STR(selinux_file_context_path()); break; case _FCONHOME: *vp = _GET_STR(selinux_file_context_homedir_path());break; case _FCONLOCAL: *vp = _GET_STR(selinux_file_context_local_path());break; case _FCONSUBS: *vp = _GET_STR(selinux_file_context_subs_path());break; case _HOMEDIR: *vp = _GET_STR(selinux_homedir_context_path()); break; case _MEDIA: *vp = _GET_STR(selinux_media_context_path()); break; case _VIRTDOMAIN: *vp = _GET_STR(selinux_virtual_domain_context_path());break; case _VIRTIMAGE: *vp = _GET_STR(selinux_virtual_image_context_path());break; case _X: *vp = _GET_STR(selinux_x_context_path()); break; case _CONTEXTS: *vp = _GET_STR(selinux_contexts_path()); break; case _SECURETTY: *vp = _GET_STR(selinux_securetty_types_path()); break; case _BOOLEANS: *vp = _GET_STR(selinux_booleans_path()); break; case _CUSTOMTYPES: *vp = _GET_STR(selinux_customizable_types_path());break; case _USERS: *vp = _GET_STR(selinux_users_path()); break; case _USERSCONF: *vp = _GET_STR(selinux_usersconf_path()); break; case _XLATIONS: *vp = _GET_STR(selinux_translations_path()); break; case _COLORS: *vp = _GET_STR(selinux_colors_path()); break; case _NETFILTER: *vp = _GET_STR(selinux_netfilter_context_path());break; case _PATH: *vp = _GET_STR(selinux_path()); break; #endif default: break; } #if defined(WITH_SELINUX) if (con) { freecon(con); con = NULL; } #endif return JS_TRUE; }