From patchwork Fri Dec 3 14:05:13 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655293
X-Patchwork-Delegate: paul@paul-moore.com
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 1/7] notebook: Minor formatting fixes
Date: Fri, 3 Dec 2021 14:05:13 +0000
Message-Id: <20211203140519.30930-2-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Signed-off-by: Richard Haines
--- src/bounds_rules.md | 2 +- src/class_permission_statements.md | 2 +- src/libselinux_functions.md | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/bounds_rules.md b/src/bounds_rules.md index 6def780..650f817 100644 --- a/src/bounds_rules.md
+++ b/src/bounds_rules.md @@ -41,7 +41,7 @@ The *type* or *typealias* identifier of the parent domain. *bounded_domain* One or more *type* or *typealias* identifiers of the child domains. -Multiple entries consist of a comma ',' separated list. +Multiple entries consist of a comma ',' separated list. **The statement is valid in:** diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md index 264e022..63e7262 100644 --- a/src/class_permission_statements.md +++ b/src/class_permission_statements.md @@ -160,7 +160,7 @@ A previously declared *common* identifier. *perm_set* One or more optional permission identifiers in a space separated list enclosed -within braces \'\{\}\'. +within braces \'\{\}\'. Note: There must be at least one *common_set* or one *perm_set* defined within the statement. diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md index b06018a..54b5d70 100644 --- a/src/libselinux_functions.md +++ b/src/libselinux_functions.md @@ -167,7 +167,7 @@ The SID mapping is not affected. Return 0 on success, -1 with errno set on error Log SID table statistics. Log a message with information about the size and distribution of the SID table. The audit callback is used to print the message. -avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h* +*avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h* Get copy of context corresponding to SID. Return a copy of the security context corresponding to the input sid in the memory referenced by *ctx*. The caller is 
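Review bot: on PATCH 1/7, the bounds_rules.md and class_permission_statements.md hunks show identical text before and after ("Multiple entries consist of a comma ',' separated list." and "within braces \'\{\}\'."), so the actual change is invisible in the rendered patch and is presumably trailing-whitespace removal; the commit message "Minor formatting fixes" should say so explicitly (for example "remove trailing whitespace") so the intent is recorded for anyone reading the history, and running the series through git's whitespace check before posting would confirm nothing else slipped in. The libselinux_functions.md hunk that restores the missing leading '*' on *avc_sid_to_context* is a genuine markdown fix and is fine as is.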
@@ -522,21 +522,21 @@ only the *scon* domain. *security_compute_create*, *security_compute_create_raw* - *selinux.h* -Compute a labeling decision and set *newcon to refer to it. +Compute a labeling decision and set *\*newcon* to refer to it. Caller must free via ***freecon**(3)*. *security_compute_create_name*, *security_compute_create_name_raw* - *selinux.h* -This is identical to* ***security_compute_create**(3)* but also takes the name +This is identical to ***security_compute_create**(3)* but also takes the name of the new object in creation as an argument. When a *type_transition* rule on the given class and the *scon* / *tcon* pair -has an object name extension, *newcon* will be returned according to the policy. +has an object name extension, *\*newcon* will be returned according to the policy. Note that this interface is only supported on the kernels 2.6.40 or later. For older kernels the object name is ignored. *security_compute_member*, *security_compute_member_raw* - *selinux.h* -Compute a polyinstantiation member decision and set *newcon to refer to it. +Compute a polyinstantiation member decision and set *\*newcon* to refer to it. Caller must free via ***freecon**(3)*. *security_compute_relabel*, *security_compute_relabel_raw* - *selinux.h* @@ -544,7 +544,7 @@ Caller must free via ***freecon**(3)*. Compute a relabeling decision and set *\*newcon* to refer to it. Caller must free via ***freecon**(3)*. -*security_compute_user*, security_compute_user_raw* (deprecated) - *selinux.h* +*security_compute_user*, *security_compute_user_raw* (deprecated) - *selinux.h* Compute the set of reachable user contexts and set *\*con* to refer to the NULL-terminated array of contexts. Caller must free via ***freeconary**(3)*. 
@@ -918,7 +918,7 @@ Return path to the securetty_types file under the policy root directory. *selinux_sepgsql_context_path* - *selinux.h* -*Return path to *sepgsql_context* file under the policy root directory. +Return path to *sepgsql_context* file under the policy root directory. *selinux_set_callback* - *selinux.h*

From patchwork Fri Dec 3 14:05:14 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655291
X-Patchwork-Delegate: paul@paul-moore.com
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 2/7] object_classes_permissions.md: Correct the context object class entry
Date: Fri, 3 Dec 2021 14:05:14 +0000
Message-Id: <20211203140519.30930-3-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Clarify the intent of 'contains' and 'translate' permissions.

Signed-off-by: Richard Haines
--- src/object_classes_permissions.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index bbc703d..b092a9b 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md
@@ -3081,21 +3081,18 @@ Manage the D-BUS Messaging service that is required to run various services. ### *context* -Support for the translation daemon ***mcstransd**(8)*. These permissions are -required to allow translation and querying of level and ranges for MCS and -MLS systems. +These permissions are used for SELinux configuration file context entries +and context translations for MCS/MLS policy. **Permissions** - 2 unique permissions: *contains* -- Calculate a MLS/MCS subset - Required to check what the configuration - file contains. +- Check configuration file contains a valid context entry. *translate* -- Translate a raw MLS/MCS label - Required to allow a domain to translate - contexts. +- Translate a raw label to a meaningful text string. ### *service*

From patchwork Fri Dec 3 14:05:15 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655301
X-Patchwork-Delegate: paul@paul-moore.com
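Review bot: on PATCH 2/7, the new *contains* text "Check configuration file contains a valid context entry." does not say which configuration file is meant or which component performs the check, and the new class description "used for SELinux configuration file context entries" is equally unspecific; the old text at least tied the permission to an MLS/MCS subset calculation and to mcstransd(8). Since *context* is a userspace object class that the kernel never enforces, each permission entry should name the userspace caller that queries the AVC for it (the old wording named the translation daemon for *translate*; do the same for *contains*, naming the libselinux function or daemon that makes the check) so a policy writer can tell which domain needs the permission. If the subset check is still how *contains* is decided, keep that detail rather than dropping it.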
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 3/7] object_classes_permissions.md: Deprecate lockdown class
Date: Fri, 3 Dec 2021 14:05:15 +0000
Message-Id: <20211203140519.30930-4-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Add text regarding the removal of lockdown hooks from kernel 5.16.

Signed-off-by: Richard Haines
--- src/object_classes_permissions.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index b092a9b..4ad8520 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md @@ -70,7 +70,7 @@ - [Performance Event Object Class](#performance-event-object-class) - [*perf_event*](#perf_event) - [Lockdown Object Class](#lockdown-object-class) - - [*lockdown*](#lockdown) + - [*lockdown* (Deprecated)](#lockdown-deprecated) - [IPC Object Classes](#ipc-object-classes) - [*ipc* (Deprecated)](#ipc-deprecated) - [*sem*](#sem)
@@ -1674,15 +1674,15 @@ Control ***perf**(1)* events ## Lockdown Object Class -Note: If the *lockdown* LSM is enabled alongside SELinux, then the -lockdown access control will take precedence over the SELinux lockdown -implementation. +The *lockdown* class and associated SELinux LSM hook (added in kernel 5.6), +have been removed from kernel 5.16 for the reasons discussed in +. -### *lockdown* +### *lockdown* (Deprecated) Stop userspace extracting/modify kernel data. -**Permissions** - 6 unique permissions: +**Permissions** - 2 unique permissions: *confidentiality*

From patchwork Fri Dec 3 14:05:16 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655299
X-Patchwork-Delegate: paul@paul-moore.com
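Review bot: on PATCH 3/7, in the @@ -1674 hunk the new sentence ends "for the reasons discussed in" followed by a line that contains only ".", so no reference target is visible in the patch as posted; if the URL was written as a bare angle-bracket autolink, check that it survives the markdown build, otherwise add explicit link text and a target. Two smaller points on the same hunk: the comma in "hook (added in kernel 5.6), have been removed" separates subject from verb and should go, and since the untouched line "Stop userspace extracting/modify kernel data." is inside the hunk anyway it could be fixed to "extracting/modifying" at the same time. The correction from 6 to 2 permissions is right, the class only ever carried *confidentiality* and *integrity*.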
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 4/7] policy_config_files.md: Update openrc_contexts contents
Date: Fri, 3 Dec 2021 14:05:16 +0000
Message-Id: <20211203140519.30930-5-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

This config file will only be present if openrc is installed. See https://github.com/OpenRC/openrc

Signed-off-by: Richard Haines
--- src/policy_config_files.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/policy_config_files.md b/src/policy_config_files.md index d186b98..4b2c091 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md
@@ -680,12 +680,34 @@ matching of network packets - Never been used. ## *contexts/openrc_contexts* -**To be determined** +OpenRC is a dependency-based init system that works with the system-provided +*init* program, normally */sbin/init*. This config file will only be present +if *openrc* is installed, see +[**https://github.com/OpenRC/openrc**](https://github.com/OpenRC/openrc) **The file format is as follows:** +``` +run_init=[domain] +``` + +**Where:** + +*run_init* + +- The keyword *run_init*. Note that there must not be any spaces around + the '=' sign. + +*domain* + +- The domain type for the process. + **Example file contents:** +``` +run_init=run_init_t +``` + **Supporting libselinux API functions are:** - ***selinux_context_path**(3)*

From patchwork Fri Dec 3 14:05:17 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655295
X-Patchwork-Delegate: paul@paul-moore.com
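Review bot: on PATCH 4/7, "- The domain type for the process." does not say which process: state whether this is the domain openrc requires the caller to already be in before it will run service scripts, or the domain it transitions into, since the setting name *run_init* alone does not make that clear and the distinction matters for how a policy writer allows the transition. Also, the trailing context lists only *selinux_context_path*(3) as the supporting API; libselinux also exports *selinux_openrc_contexts_path*(3), which returns this file's path directly and is the more useful reference to add while this entry is being filled in.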
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 5/7] policy_config_files.md: Update openssh_contexts contents
Date: Fri, 3 Dec 2021 14:05:17 +0000
Message-Id: <20211203140519.30930-6-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Used by openssh for privilege separated processes in the preauthentication phase.

Signed-off-by: Richard Haines
--- src/policy_config_files.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/policy_config_files.md b/src/policy_config_files.md index 4b2c091..9f2996c 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md
@@ -715,10 +715,26 @@ run_init=run_init_t ## *contexts/openssh_contexts* -**To be determined** +Used by *openssh* (***ssh**(1)*) for privilege separated processes in the +preauthentication phase. **The file format is as follows:** +``` +privsep_preauth=[domain] +``` + +**Where:** + +*privsep_preauth* + +- The keyword *privsep_preauth* + +*domain* + +- The domain type for the privilege separated processes in the + preauthentication phase. + **Example file contents:** ```

From patchwork Fri Dec 3 14:05:18 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655305
X-Patchwork-Delegate: paul@paul-moore.com
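Review bot: on PATCH 5/7, "Used by *openssh* (***ssh**(1)*)" points at the client manual page, but the privilege-separated preauthentication process is created by the server, so the reference should be sshd(8); the domain named by *privsep_preauth* is the one the unprivileged child is placed in before the client has authenticated, which is worth stating since that is why it deserves a more restricted domain than the parent. For consistency with the openrc_contexts entry added just above it, also say whether whitespace around '=' is permitted for *privsep_preauth*, and add *selinux_openssh_contexts_path*(3), which libselinux exports for this file, to the supporting API list if it is not already there below the hunk.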
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 6/7] policy_config_files.md: Update snapperd_contexts contents
Date: Fri, 3 Dec 2021 14:05:18 +0000
Message-Id: <20211203140519.30930-7-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Used by snapper(8) for filesystem snapshot management.

Signed-off-by: Richard Haines
--- src/policy_config_files.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/policy_config_files.md b/src/policy_config_files.md index 9f2996c..ffc4fac 100644 --- a/src/policy_config_files.md +++ b/src/policy_config_files.md
@@ -816,10 +816,25 @@ db_schema *.* system_u:object_r:sepgsql_schema_t:s0 ## *contexts/snapperd_contexts* -**To be determined** +Used by ***snapper**(8)* for filesystem snapshot management to set an SELinux +context on ***btrfs**(8)* subvolumes. **The file format is as follows:** +``` +snapperd_data = user:role:type[:range] +``` + +**Where:** + +*snapperd_data* + +- The keyword *snapperd_data* + +*user:role:type[:range]* + +- The security context including the MLS / MCS *level* or *range* if applicable. + **Example file contents:** ```

From patchwork Fri Dec 3 14:05:19 2021
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 12655303
X-Patchwork-Delegate: paul@paul-moore.com
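Review bot: on PATCH 6/7, the format line "snapperd_data = user:role:type[:range]" shows spaces around '=', while the openrc_contexts entry two sections earlier states that spaces around '=' are not permitted there; say explicitly whether snapper tolerates (or requires) them so readers do not assume the two files share a parser, and keep the format line and the example below it consistent with each other. The description "to set an SELinux context on btrfs(8) subvolumes" is also narrower than the commit message's "filesystem snapshot management"; if the label is applied to snapshot data regardless of the underlying snapshot backend, say that instead, otherwise the btrfs restriction should be stated as such. As with the other two new entries, *selinux_snapperd_contexts_path*(3) from libselinux belongs in the supporting API list.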
From: Richard Haines
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines
Subject: [PATCH 7/7] title.md: Clarify example code location
Date: Fri, 3 Dec 2021 14:05:19 +0000
Message-Id: <20211203140519.30930-8-richard_c_haines@btinternet.com>
In-Reply-To: <20211203140519.30930-1-richard_c_haines@btinternet.com>
References: <20211203140519.30930-1-richard_c_haines@btinternet.com>

Clarify that the example code is not embedded, but linked.

Signed-off-by: Richard Haines
--- src/title.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/title.md b/src/title.md index caf5b41..03c5795 100644 --- a/src/title.md +++ b/src/title.md @@ -82,6 +82,13 @@ Android. **Object Classes and Permissions** - Describes the SELinux object classes and permissions. +#### Notebook Examples + +The Notebook examples are not embedded into any of the document formats +described in +****, +however they will have links to them in their build directories. + ### Updated Editions The SELinux Notebook is being maintained as part of the SELinux project, more
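Review bot: on PATCH 7/7, the added line "****," between "described in" and "however" carries no link text or target in the patch as posted, so the sentence would render as "described in , however ..."; fill in the section reference or drop the cross-reference entirely. The second half of the sentence, "however they will have links to them in their build directories", is also ambiguous about what "they" and "their" refer to (the document formats, or the examples); something like "each document build directory contains links to the example source files" says it unambiguously, and "formats ...; however," wants a semicolon rather than a comma before "however".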