[redhat-lspp] [RFC 0/7] Updated NetLabel patch

Klaus Weidner klaus at atsec.com
Thu Jun 22 02:17:35 UTC 2006


[ removed some of the mailing lists from Cc: ]

On Wed, Jun 21, 2006 at 03:42:35PM -0400, paul.moore at hp.com wrote:
> This is an updated version of the NetLabel patch I sent out on May 25th.  It
> contains a variety of fixes and incorporates comments from James Morris,
> Stephen Smalley, and Steve Grubb.  An intermediate version of this patch set
> has also been tested against Trusted Solaris and HP-UX CMW for CIPSO
> interoperability.  I have tested this patch set on x86 and x86_64
> architectures running both the targeted/enforcing and mls/permissive SELinux
> policies.

Thanks for the patch and instructions!

Unfortunately, I couldn't get this working by following your README, the
"netlabelctl mgmt add default protocol:cipsov4,1" command fails, with the
following trace from GDB (I didn't see any other easy way to get debug
output, see also below):

nlbl_mgmt_add (sock=0, domain_list=0xbff8f124, domain_count=1, def_flag=1) at mod_mgmt.c:362
362       if (ret_val < 0)
364       if (type != NETLBL_NLTYPE_MGMT) {
370       mgmt_hdr = MGMT_HDR(ans_msg);
371       if (mgmt_hdr->opcode != NL_MGMT_ACK) {
375       msg = MGMT_DATA(ans_msg) + 4;
376       NETLBL_GETINC_U32(msg, tmp_val);
377       if (tmp_val != NETLBL_MGMT_E_OK) {
378         ret_val = -ENOMSG;

Before that, I ran "netlabelctl cipsov4 add std doi:1 tags:1
levels:0=0,1=1,2=2 categories:0=0,1=1,2=2" which worked with no errors.

I tried in permissive mode on a patched lspp.37 kernel, also on Steve's
just released lspp.38, with identical results.

Some comments about the userspace tools:

The nlbl_netlink_write() function didn't detect sendmsg errors (such as
connection refused when run as non-root) since it used unsigned size_t
for the amount of data sent, and never saw negative return values. The
attached patch changes the type to ssize_t, but please check if this
needs to be changed in other places as well.

netlabelctl currently reports failure only through the exit code and
doesn't print any error messages. The attached patch adds some messages
to be more admin friendly.

(As a side note, compiling with CFLAGS=-Wall shows some warnings which it
would be nice to fix even if harmless.)

I've tried running "netlabelctl -p mgmt list" in enforcing mode as
sysadm_r or secadm_r with the current rawhide MLS policy:

	socket(PF_NETLINK, SOCK_RAW, 17)        = -1 EACCES (Permission denied)

Does it need extra policy or labels to run in enforcing mode? For my
tests, I've configured it in nonenforcing mode, then switched to
enforcing mode.

-Klaus
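An added example, not from this mail or from netlabel_tools, that reproduces the size_t/ssize_t sign bug described above: a hypothetical send helper in both its buggy and fixed forms, run over an AF_UNIX socketpair whose peer has already been closed so that sendmsg() must fail.

```c
/* Added example (not netlabel_tools code): why a size_t slot hides a
 * sendmsg() failure and how ssize_t fixes it. Helpers are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Buggy variant, same type as the original netlink_comm.c: sendmsg()'s -1
 * becomes SIZE_MAX once stored in a size_t, so the "< 0" test is dead. */
static int send_buggy(int sock, const char *buf, size_t len)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr hdr = { .msg_iov = &iov, .msg_iovlen = 1 };
    size_t snd_len = sendmsg(sock, &hdr, MSG_NOSIGNAL);
    if (snd_len < 0)            /* always false for an unsigned type */
        return -errno;
    return 0;                   /* reports success even though the send failed */
}

/* Fixed variant: ssize_t keeps the sign. The short-write comparison is done
 * only after the sign check, and with an explicit cast, so the ssize_t is
 * never silently promoted back to unsigned. */
static int send_fixed(int sock, const char *buf, size_t len)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr hdr = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t snd_len = sendmsg(sock, &hdr, MSG_NOSIGNAL);
    if (snd_len < 0)
        return -errno;
    if ((size_t)snd_len != len)
        return -EIO;
    return 0;
}

/* Sends a constructed message on a stream socketpair whose peer is closed.
 * Returns the fixed variant's negative errno (EPIPE on Linux) when the buggy
 * variant wrongly reported success; returns 0 if the bug did not show. */
int demo_sign_bug(void)
{
    int sv[2];
    static const char msg[] = "constructed test message";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    close(sv[1]);                     /* peer gone: sends now fail */
    int buggy = send_buggy(sv[0], msg, sizeof msg);
    int fixed = send_fixed(sv[0], msg, sizeof msg);
    close(sv[0]);
    return (buggy == 0 && fixed < 0) ? fixed : 0;
}
```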
-------------- next part --------------
diff --minimal -r -uN netlabel_tools.tar.gz.content.24680/netlabelctl/main.c netlabel_tools/netlabelctl/main.c
--- netlabel_tools.tar.gz.content.24680/netlabelctl/main.c	2006-06-13 10:18:57.000000000 -0500
+++ netlabel_tools/netlabelctl/main.c	2006-06-21 18:54:34.000000000 -0500
@@ -109,8 +109,10 @@
  */
 int main(int argc, char *argv[])
 {
-  int ret_val = RET_OK;
+  int ret_val = RET_ERR;
   int arg_iter;
+  main_function_t *module_main = NULL;
+  char *module_name;
 
   /* sanity checks */
   if (argc < 2) {
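Review bot: defaulting `ret_val` to `RET_ERR` is the fail-closed choice for the `goto exit` paths introduced further down in this file, but nothing in the hunk records that intent; a one-line comment at the initialisation would keep a later cleanup from restoring `RET_OK`. Also, `char *module_name;` is left uninitialised here and only assigned after option parsing, so any early `goto exit` added between the declaration and that assignment must not print it.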
@@ -149,20 +151,28 @@
   /* perform any setup we have to do */
   nlbl_netlink_timeout(opt_timeout);
 
+  module_name = argv[optind];
+  if (!module_name) goto exit;
+
   /* transfer control to the modules */
-  if (argv[optind] && strcmp(argv[optind], "mgmt") == 0) {
-    if (mgmt_main(argc - optind - 1, argv + optind + 1) < 0)
-      ret_val = RET_ERR;
-  } else if (argv[optind] && strcmp(argv[optind], "unlbl") == 0) {
-    if (unlbl_main(argc - optind - 1, argv + optind + 1) < 0)
-      ret_val = RET_ERR;
-  } else if (argv[optind] && strcmp(argv[optind], "cipsov4") == 0) {
-    if (cipsov4_main(argc - optind - 1, argv + optind + 1) < 0)
-      ret_val = RET_ERR;
+  if (!strcmp(module_name, "mgmt")) {
+    module_main = mgmt_main;
+  } else if (!strcmp(module_name, "unlbl")) {
+    module_main = unlbl_main;
+  } else if (!strcmp(module_name, "cipsov4")) {
+    module_main = cipsov4_main;
   } else {
-    fprintf(stderr, "error: unknown or missing module\n");
+    fprintf(stderr, "%s: error: unknown or missing module '%s'\n", argv[0], module_name);
+    goto exit;
+  }
+  ret_val = module_main(argc - optind - 1, argv + optind + 1);
+  if (ret_val < 0) {
+    fprintf(stderr, "%s: %s: error: %s\n", argv[0], module_name, strerror(-ret_val));
     ret_val = RET_ERR;
+  } else {
+    ret_val = RET_OK;
   }
 
+exit:
   return ret_val;
 }
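Review bot: `if (!module_name) goto exit;` makes the missing-module case exit silently with `RET_ERR`, whereas the old code printed "unknown or missing module" for it; since the point of the patch is more admin-friendly messages, print before the goto or fold the NULL case into the else branch (for example `module_name ? module_name : "(none)"`). The `strerror(-ret_val)` line also assumes every module main returns a negative errno; the GDB trace above shows libnetlabel returning `-ENOMSG`, but if any module path returns a bare -1, `strerror(1)` prints "Operation not permitted", which would mislead the admin.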
diff --minimal -r -uN netlabel_tools.tar.gz.content.24680/netlabelctl/netlabelctl.h netlabel_tools/netlabelctl/netlabelctl.h
--- netlabel_tools.tar.gz.content.24680/netlabelctl/netlabelctl.h	2006-04-19 16:45:21.000000000 -0500
+++ netlabel_tools/netlabelctl/netlabelctl.h	2006-06-21 18:39:28.000000000 -0500
@@ -33,6 +33,7 @@
 extern unsigned int opt_pretty;
 
 /* module entry points */
+typedef int main_function_t(int argc, char *argv[]);
 int mgmt_main(int argc, char *argv[]);
 int unlbl_main(int argc, char *argv[]);
 int cipsov4_main(int argc, char *argv[]);
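Review bot: the new `main_function_t` typedef is a function type, so the three prototypes below it could be declared as `main_function_t mgmt_main, unlbl_main, cipsov4_main;` to guarantee their signatures stay in step with the pointer used in main.c; as written, a signature drift in one prototype surfaces only as an incompatible-pointer warning at the assignment in main.c.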
-------------- next part --------------
diff --minimal -r -uN -p netlabel_tools.tar.gz.content.1548/libnetlabel/netlink_comm.c netlabel_tools/libnetlabel/netlink_comm.c
--- netlabel_tools.tar.gz.content.1548/libnetlabel/netlink_comm.c	2006-04-25 15:17:03.000000000 -0500
+++ netlabel_tools/libnetlabel/netlink_comm.c	2006-06-21 19:42:33.000000000 -0500
@@ -263,7 +263,7 @@ int nlbl_netlink_write(nlbl_socket sock,
   struct msghdr msg_hdr;
   struct nlmsghdr *msg_nlhdr;
   struct iovec msg_iovec[2];
-  size_t snd_len;
+  ssize_t snd_len;
 
   /* sanity checks */
   if (sock < 0 || msg == NULL || msg_len <= 0)
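Review bot: switching `snd_len` to `ssize_t` lets the `sendmsg()` -1 return survive, but the hunk stops before the check that uses it; if `snd_len` is later compared with the `size_t` `msg_len` (or the iovec total), the usual arithmetic conversions turn it back into an unsigned value, so the `< 0` test must come first and the size comparison should cast `snd_len` only after that. The other `sendmsg()`/`recvmsg()` callers in libnetlabel are worth checking for the same `size_t` slot, as the cover note asks.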