From patchwork Fri Feb 22 04:26:08 2019
X-Patchwork-Submitter: Russell Coker
X-Patchwork-Id: 10825187
From: Russell Coker
To: selinux@vger.kernel.org
Subject: wildcards in file_contexts.subs for NixOS
Date: Fri, 22 Feb 2019 04:26:08 +0000
Message-ID: <7853167.K65cXu0y11@neuromancer>

https://nixos.org/

The NixOS distribution of Linux is based on having hashes of packages in the path names.
/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod
/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/vipw
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdadm
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdsetup
/nix/store/mzxhj1cxrhbqvsga4155xhw44iigwxxs-shadow-4.5-su/bin/su
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenconsoled
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenstored
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xl
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/fusermount
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/mount.fuse
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/libvirtd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virsh
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlockd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlogd
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/blkid
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/dmsetup
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/e2fsck

Above is a random sample of binaries that need labelling on a NixOS system. Before anyone asks, the naming of such paths is core to the way NixOS works; requesting a change in that regard is not viable.

NixOS can run as a full OS (managing grub etc) or it can run on a system running a regular Linux distribution. Running as a full OS or as a labelled chroot are the use cases that interest me.

semanage fcontext -a -e / "/nix/store/*"
setfiles -r /chroot/nix /etc/selinux/default/contexts/files/file_contexts \
  /chroot/nix/store -v

I've written a patch to support commands like the above to label a Nix store (the above is a chroot example but the next step is to get full SE Linux support in NixOS). I've attached the patch. I don't expect this version to be accepted upstream as-is.
But it's a place to start the discussion about how to approach this problem. Russell Coker PS Please use my personal address russell@coker.com.au for SE Linux discussions unrelated to NixOS. Description: Support wildcard source (EG /lib/*) in file_contexts.subs_dist Index: libselinux-2.8/src/label_file.c =================================================================== --- libselinux-2.8.orig/src/label_file.c +++ libselinux-2.8/src/label_file.c @@ -581,6 +581,25 @@ static char *selabel_sub(struct selabel_ while (ptr) { if (strncmp(src, ptr->src, ptr->slen) == 0 ) { + if (ptr->wildcard) + { + if ( src[ptr->slen] == 0 || !strchr(src+ptr->slen, '/') ) + { + ptr = ptr->next; + continue; + } + for(len = ptr->slen + 1 ; src[len] && src[len] != '/' ; len++) + ; + if(!src[len]) + { + ptr = ptr->next; + continue; + } + len++; + if (asprintf(&dst, "%s%s", ptr->dst, &src[len]) < 0) + return NULL; + return dst; + } if (src[ptr->slen] == '/' || src[ptr->slen] == 0) { if ((src[ptr->slen] == '/') && @@ -606,6 +625,7 @@ static int selabel_subs_init(const char struct selabel_sub *list = NULL, *sub = NULL; struct stat sb; int status = -1; + int len; *out_subs = NULL; if (!cfg) { @@ -630,6 +650,8 @@ static int selabel_subs_init(const char *ptr++ = '\0'; if (! *src) continue; + if(!strcmp("/*", src)) continue; + dst = ptr; while (*dst && isspace(*dst)) dst++; @@ -645,6 +667,16 @@ static int selabel_subs_init(const char goto err; memset(sub, 0, sizeof(*sub)); + len = strlen(src); + if(len < 2) continue; + if(src[len - 1] == '*') + { + sub->wildcard = 1; + src[len - 1] = 0; + len--; + } + else + sub->wildcard = 0; sub->src=strdup(src); if (! sub->src) goto err; Index: libselinux-2.8/src/label_file.h =================================================================== --- libselinux-2.8.orig/src/label_file.h +++ libselinux-2.8/src/label_file.h @@ -35,6 +35,7 @@ struct selabel_sub { char *src; int slen; char *dst; + int wildcard; struct selabel_sub *next; };
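Review bot: in the new wildcard branch of selabel_sub, `len++` steps past the '/' that terminates the hash component and the result is then built with `asprintf(&dst, "%s%s", ptr->dst, &src[len])`, so the separator is lost whenever dst is anything but "/": with an entry `/nix/store/* /usr`, `/nix/store/<hash>/bin/x` comes out as `/usrbin/x`. Either keep the '/' in the copied remainder unless dst is exactly "/", or insert one when dst does not end in '/'. The `!strchr(src+ptr->slen, '/')` test also makes the preceding `src[ptr->slen] == 0` check redundant (strchr on an empty string returns NULL), and the brace placement and `for(`/`if(` spacing differ from the surrounding code.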
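Review bot: `int len;` added to selabel_subs_init is later assigned from `strlen(src)` and compared with 2, so `size_t` is the natural type and avoids the implicit narrowing conversion.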
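Review bot: `if(!strcmp("/*", src)) continue;` drops a catch-all entry without any diagnostic, so a mistake in file_contexts.subs_dist that would have rewritten every path on the system is hidden rather than reported; the function already has an error path (`goto err`), and a rejected line should at least be logged before it is skipped. The spacing (`if(`) and the statement on the same line as the condition also differ from the surrounding code's style.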
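Review bot: `if(len < 2) continue;` executes after `sub` has been allocated and zeroed (the `memset(sub, 0, sizeof(*sub));` context line precedes it), so every skipped line leaks that allocation when the next iteration reassigns `sub`; move the length check before the allocation or free `sub` before continuing. The wildcard is also accepted after any character, so `/nix/store*` strips the first component of `/nix/storeXYZ/...` as well as of `/nix/store/...`; requiring `src[len - 2] == '/'` would restrict `*` to a whole path component, which is the only case the Description (`/lib/*`) describes.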
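Review bot: the new `wildcard` member in struct selabel_sub carries no comment stating its semantics (a trailing `*` in src strips exactly one path component and is recognised only in that position), and the patch does not update the selabel_file(5) man page, which documents the file_contexts.subs_dist format, so users of the new syntax have nothing to read; a one-line comment here and a paragraph in the man page would cover it.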
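To make the proposed substitution rule concrete, here is a Python model of it, added to this page as an illustration; it is neither part of Russell's message nor libselinux code. It parses a constructed file_contexts.subs_dist fragment with the trailing `*` syntax from the message, applies it to store paths like the ones listed above, and then labels the rewritten path against a constructed, refpolicy-style file_contexts excerpt (last matching entry wins, as in file_contexts). Two choices differ from the posted patch and are the model's own: the remainder is joined to dst with a single `/` rather than concatenated, so a dst other than `/` still yields a valid path, and a bare `/*` entry raises instead of being skipped silently. The type names and both table fragments are constructed sample data.

```python
import re

# Constructed sample file_contexts.subs_dist content (not taken from the page).
# A trailing '*' on src means: drop exactly one path component after src.
SUBS_DIST = """\
# src                 dst
/nix/store/*          /
/usr/local/lib64      /usr/lib
"""

# Constructed, minimal file_contexts excerpt using refpolicy-style type names.
FILE_CONTEXTS = """\
/.*                       system_u:object_r:default_t:s0
/bin/.*                   system_u:object_r:bin_t:s0
/bin/su            --     system_u:object_r:su_exec_t:s0
/bin/usermod       --     system_u:object_r:useradd_exec_t:s0
/usr/lib(/.*)?            system_u:object_r:lib_t:s0
"""


def parse_subs(text):
    """Parse 'src dst' lines into (src, dst, wildcard) tuples."""
    subs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            continue  # malformed line: skipped, as libselinux does
        src, dst = fields
        wildcard = src.endswith("*")
        if wildcard:
            src = src[:-1]
        # A bare "/*" would rewrite every path on the system: refuse it loudly
        # (the posted patch skips it silently).
        if src in ("", "/"):
            raise ValueError(f"refusing catch-all substitution: {raw!r}")
        subs.append((src, dst, wildcard))
    return subs


def _join(dst, tail):
    """Join dst and tail with exactly one '/' between them."""
    if not tail:
        return dst
    return dst.rstrip("/") + "/" + tail.lstrip("/")


def substitute(path, subs):
    """Apply the first matching substitution; None if no entry applies."""
    for src, dst, wildcard in subs:
        if not path.startswith(src):
            continue
        rest = path[len(src):]
        if wildcard:
            # Need a whole component after src ("<hash>-pkg/") to strip.
            if "/" not in rest:
                continue
            return _join(dst, rest.split("/", 1)[1])
        # Non-wildcard: src must end on a path component boundary.
        if rest == "" or rest.startswith("/"):
            return _join(dst, rest)
    return None


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, context) pairs."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, _ftype, context = fields  # file-type field (e.g. --) not modelled
        elif len(fields) == 2:
            regex, context = fields
        else:
            continue
        specs.append((re.compile(regex), context))
    return specs


def label_path(path, subs, specs):
    """Substitute the path, then look it up; the last matching entry wins."""
    target = substitute(path, subs)
    lookup = path if target is None else target
    for regex, context in reversed(specs):
        if regex.fullmatch(lookup):
            return context
    return None


if __name__ == "__main__":
    subs = parse_subs(SUBS_DIST)
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in (
        "/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod",
        "/nix/store/mzxhj1cxrhbqvsga4155xhw44iigwxxs-shadow-4.5-su/bin/su",
        "/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/fusermount",
        "/nix/store/only-a-store-entry",
    ):
        print(f"{p}\n  -> {substitute(p, subs)}  {label_path(p, subs, specs)}")
```

Running it shows why the wildcard is the whole point: without it, every hash-named directory would need its own file_contexts entry, whereas with `/nix/store/* /` the existing `/bin/su` and `/bin/usermod` specifications label the store copies directly. A store path with no component after the hash (the last sample) gets no substitution and falls through to the catch-all entry.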