RichardHaines: New page: = Experimenting with X-Windows = == Section Overview == The main objectives of this section are to: * Demonstrate the use of '`selections`' using polyinstantiation and non- polyins...

2010-03-14T16:47:11Z

New page: = Experimenting with X-Windows = == Section Overview == The main objectives of this section are to: * Demonstrate the use of '<tt>selections</tt>' using polyinstantiation and non- polyins...

New page

= Experimenting with X-Windows =
== Section Overview ==
The main objectives of this section are to:

* Demonstrate the use of '<tt>selections</tt>' using polyinstantiation and non- polyinstantiation services of the XSELinux Object Manager (OM) with simple Xlib simple select and paste applications.
* Use the XSELinux OM <tt>SELinuxGet..</tt> series of functions to display various context information that is available while executing the select and paste examples.
* Build a simple menu driven test application that will allow all the <tt>SELinuxGet/Set..</tt> functions to be called and view the results. This is shown in the [[Building the XSELinux Function Test Application]] section.

It is recommended that the [http://taiga.selinuxproject.org/~rhaines/notebook-source-1.1.0-1.tar.gz Notebook Source] file is installed in your <tt>$HOME</tt> as this contains all the configuration files and source code required to produce the required modules. It also contains README and a simple Makefile for each section.

This section assumes the following:
* The message filter modules have been removed before starting this exercise, however it is not mandatory.
* SELinux is configured to use the <tt>modular-test</tt> policy in permissive mode initially to build the services. The <tt>modular-test</tt> policy is decribed in the [[Building a Basic Policy#Building the Base Policy Module|Building the Base Policy Module]] section.

== Overview of Modules and Applications ==
The loadable modules used to support these exercises are built using standard SELinux language statements and rules with customised <tt>x_contexts</tt> files to support the labeling of objects.

The test applications are written in 'C' and use the Xlib function library with Xdevice functions provided by the Xi library. There were a few problems encountered that are discussed in the [[#Calling the XSELinux Functions|Calling the XSELinux Functions]] section.

=== The x_contexts Files and Supporting Loadable Module ===
The source files required to build and manage the new <tt>x_contexts</tt> files and supporting loadable module are located in:
<pre>
./notebook-source/x-windows/x-contexts-base-module
</pre>

As the objective of the demonstration is to show how different entries in the <tt>x_contexts</tt> file affect the use of selections it was decided to build two <tt>x_contexts</tt> files based on those in the Reference Policy 20090730 build. To support the new entries created in these <tt>x_contexts</tt> files, required an additional loadable module (<tt>x_context_base.conf</tt>).

The <tt>x_contexts</tt> files are expanded to give each entry a unique label so that it could be detected in the audit log with <tt>audit2allow</tt> when in enforcing mode, a decision could then be made as to whether an <tt>allow</tt> or <tt>dontaudit</tt> rule would be added to the policy. Additional entries were also added just to experiment. A second copy of the file was made that had the <tt>poly_</tt> keyword added to the property and selection entries to test polyinstantiation.

The only entry that caused problems during testing was the:
<pre>
poly_property _XKB_RULES_NAMES .....
</pre>

This entry had to have the <tt>poly_</tt> keyword removed in the polyinstantiated file as it stopped various keys from working (up/down etc. keys) on the keyboard.

The new <tt>x_contexts</tt> files generated are called:

<tt>'''x_contexts-file-with-new-labels'''</tt> - This file is similar to that used by the reference policy. The select and paste policy uses the same method to manage the labeling as the reference policy - called derived labeling as the objects label is derived from an SELinux user name or a prefix (from the '<tt>users_extra</tt>' configuration file), then use a <tt>type_transition</tt> to transition the object to the new label on creation. For example (using standard Refpolicy):

An <tt>x_contexts</tt> entry of:
<pre>
event X11:MapNotifysystem_u:object_r:manage_xevent_t
</pre>

and the ssh policy module (after expansion) having a <tt>type_transition</tt> statement generated by the build process of:
<pre>
type_transition ssh_t manage_xevent_t : x_event ssh_manage_xevent_t;
</pre>

will relabel any objects created from <tt>manage_xevent_t</tt> to <tt>ssh_manage_xevent_t</tt>.

<tt>'''x_contexts-file-with-new-polylabels'''</tt> - This is used to support polyinstantiated entries (note - the reference policy does not currently use polyinstantiated entries). With polyinstantiation enabled, the select and paste policy uses the <tt>type_member</tt> rule to enforce the selection to a specific domain (in this example the <tt>x_select_paste_t</tt> domain) as follows:
<pre>
type_member x_select_paste_t primary_xselection_t : x_selection x_select_paste_t;
</pre>

To support these new <tt>x_contexts</tt> file entries an additional policy module was built that defines a <tt>type</tt> for each entry and a corresponding <tt>allow</tt> rule. This module is called <tt>x_context_base.conf</tt> and must be loaded and active when the <tt>modular-test</tt> policy is loaded with either of the new <tt>x_contexts</tt> files. Failure to do this will probably result in the system hanging as it tries to load X-Windows with no defined <tt>type</tt> or <tt>allow</tt> rules for the new <tt>x_contexts</tt> file.

To experiment with additional <tt>x_context</tt> entries:

* Add a new entry in the appropriate <tt>x_contexts</tt> file such as:
<pre>
property WM_ZOOM_HINTS system_u:object_r:wm_zoom_hints_xproperty_t
</pre>

or
<pre>
poly_property WM_ZOOM_HINTS system_u:object_r:wm_zoom_hints_xproperty_t
</pre>

* Add new entries in the <tt>x_context_base.conf</tt> for the<tt> type</tt> and <tt>allow</tt> statements:
<pre>
type wm_zoom_hints_xproperty_t;
allow unconfined_t wm_zoom_hints_xproperty_t : x_property *;
</pre>

* Run the <tt>make module</tt> command (in the <tt>./x-windows/x-contexts-base-module</tt> directory) and copy over the appropriate <tt>x_contexts</tt> file to <tt>/etc/selinux/modular-test/contexts</tt>.

=== The Select - Paste Applications and Loadable Module ===
The source files required to build and manage the application and loadable module are located in:
<pre>
./notebook-source/x-windows/x-select+paste
</pre>

There are two simple X-Windows applications that select (X-select) and paste (X-paste) “Hello World” using Xlib selection functions. When they are loaded they show the application name and their context in the title bar as shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/Derived-Test1.png Figure 1]. Integrated with these applications are calls to the <tt>XSELinuxGet..</tt> functions to return context information as the Xlib functions are executed.

The output from the applications can also be captured in a file by adding the capture file name as an argument:
<pre>
X-select poly-demo.txt

# The output will be in poly-demo.txt, with some text also
# displayed on the screen.
</pre>

When the two applications are built they are moved to <tt>/usr/local/bin</tt> and have the default label of <tt>unconfined_t</tt>. When they are both loaded in the <tt>unconfined_t</tt> domain, there are no enforced rules (i.e. there are no restrictions). If the <tt>x_select_paste.conf</tt> module is built and loaded, then when they are run as:
<pre>
runcon -t x_select_paste_t X-select
</pre>

and
<pre>
runcon -t x_select_paste_t X-paste
</pre>

Policy will be enforced as required depending on a boolean that when set to:
<pre>
setsebool -P poly-selection false
</pre>

and the <tt>x_contexts-file-with-new-labels</tt> file is installed as the <tt>x_contexts</tt> file, then the derived policy rules will be enforced.

If the boolean is set to:
<pre>
setsebool -P poly-selection true
</pre>

and the <tt>x_contexts-file-with-new-polylabels</tt> file is installed as the <tt>x_contexts</tt> file, then the polyinstantiated policy rules will be enforced.

==== Test Conclusions ====
After a number of experiments the following conclusions were reached:

* Using the non-polyinstantiated <tt>x_contexts</tt> file (with <tt>poly-selection = FALSE</tt>), resulted in selections being seen across all windows whether running in <tt>unconfined_t</tt> or <tt>x_select_paste_t</tt> domains.
* Using the polyinstantiated <tt>x_contexts</tt> file (with <tt>poly-selection = TRUE</tt>), resulted in selections being restricted to windows running in their own domains (e.g. if running the X-select in the <tt>unconfined_t</tt> domain and X-paste in the <tt>x_select_paste_t</tt> domains, the selected text will not be pasted).
* If the following multiple selection entries are added to the <tt>x_contexts</tt> file, then the non <tt>poly_</tt> entry takes precedence. This means that polyinstantiation for selections will not work (even if a different label is used for each entry).
<pre>
# The poly and non-poly entries cannot be in the x_contexts
# file as the non-poly entry takes precedence:
poly_selection PRIMARY system_u:object_r:primary_xselection_t
selection PRIMARY system_u:object_r:primary_xselection_t

# Even if different labels are used:
poly_selection PRIMARY system_u:object_r:poly_primary_xselection_t
selection PRIMARY system_u:object_r:primary_xselection_t
</pre>

Therefore the overall conclusion is that for non-MLS policies, the only effective way to control selections is using polyinstatiation with the <tt>type_member</tt> rule.

The reason for stating non-MLS policy is that the MLS policy uses <tt>mlsconstrain</tt> rules to manage restrictions. Various constrain rules were used for non-MLS policy testing but no satisfactory result could be obtained - do you know different !!!

Notes:
* When using polyinstantiation the <tt>poly_</tt> keyword must be present in the <tt>x_contexts</tt> file and there must be a corresponding <tt>type_member</tt> rule in the policy.
* When analysing the output from the XSELinux function calls between non-polyinstantiated (or derived) and polyinstantiated services when the X-select and X-paste applications are running (apart from their context information), the only major difference was that when calling the <tt>SELinuxListSelections</tt> function, the polyinstantiated service had an additional <tt>PRIMARY</tt> entry as follows:

<pre>
# Non-polyinstantiated (derived) running in x_select_paste_t:
#
Calling SELinuxListSelections (21) for this display:

SELinuxListSelections (1 of 10) - Atom: CLIPBOARD
Object Context: system_u:object_r:clipboard_xselection_t
Data Context: system_u:object_r:clipboard_xselection_t

SELinuxListSelections (2 of 10) - Atom: PRIMARY
Object Context: system_u:object_r:primary_xselection_t
Data Context: system_u:object_r:primary_xselection_t

# Polyinstantiated (derived) running in x_select_paste_t:
#
Calling SELinuxListSelections (21) for this display:

SELinuxListSelections (1 of 11) - Atom: CLIPBOARD
Object Context: system_u:object_r:clipboard_xselection_t
Data Context: system_u:object_r:clipboard_xselection_t

SELinuxListSelections (2 of 11) - Atom: PRIMARY
Object Context: system_u:object_r:primary_xselection_t
Data Context: system_u:object_r:primary_xselection_t

SELinuxListSelections (3 of 11) - Atom: PRIMARY
Object Context: system_u:object_r:x_select_paste_t
Data Context: system_u:object_r:x_select_paste_t
</pre>

* The Reference Policy does not use polyinstantiation but supports isolation only with the MLS policy where <tt>mlsconstrain</tt> rules are enforced (see the <tt>mlsconstrain x_selection</tt> entries in the <tt>mls</tt> configuration file).
* Various <tt>constrain</tt> rules were tried to limit selections with the non-polyinstantiated <tt>x_contexts</tt> file, but no satisfactory solution was found - any offers !!, therefore when using non-MLS policy, the only way to limit selections is via polyinstantiation. Some example constrain rules tried that had the following results:
<pre>
# Add constrain rule to base.conf:
constrain x_selection { read getattr } (t1 == unconfined_t);

# When running "runcon -t x_select_paste_t X-paste" it flags the following
# AVC entry in the Xorg.0.log file:

(WW) avc: denied { getattr } for request=X11:GetSelectionOwner comm=X-paste selection=PRIMARY scontext=user_u:unconfined_r:x_select_paste_t tcontext=system_u:object_r:primary_xselection_t tclass=x_selection

# When running X-paste (in unconfined_t) then no errors in log.
</pre>

<pre>
# Add constrain rule to base.conf:
constrain x_selection { read getattr } (t1 == secure_select);
# Where secure_select is an attribute declared in base.conf

# With the following added to x_select_paste.conf:
require { attribute secure_select; .... }
typeattribute x_select_paste_t secure_select;

# When running "runcon -t x_select_paste_t X-paste" there are no errors in
# the log.

# When running X-paste (in unconfined_t) it flags the following AVC entry
# in the Xorg.0.log file:</nowiki>

(WW) avc: denied { getattr } for request=X11:GetSelectionOwner comm=X-paste selection=PRIMARY scontext=user_u:unconfined_r:unconfined_t tcontext=system_u:object_r:primary_xselection_t tclass=x_selection
</pre>

==== Calling the XSELinux Functions ====
The <tt>X-select</tt>, <tt>X-paste</tt> and <tt>X-setest</tt> applications call the object manager <tt>XSELinuxGet/Set..</tt> functions to get and set contexts as required. To use these functions the standard Xlib <tt>GetReq</tt>, <tt>_XSend</tt> and <tt>_XReply</tt> functions need to be called to manage the request / response sequences. As there are 23 functions it was decided to build these into a separate 'C' module called <tt>XSELinuxOMFunctions.c</tt> that is supported by a header file called <tt>Xlib-selinux.h</tt>. that are located in the <tt>./x-windows/x-common</tt> directory.

The header file is based on the XSELinux extension source header <tt>xselinux.h</tt> and has been expanded to support the Xlib <tt>GetReq</tt> macro and associated functions. The only point to note is that the <tt>SELinuxQueryVersion</tt> request header structure size had to be set to 4 instead of 6 as the <tt>client_major</tt> and <tt>client_minor</tt> entries were not used and caused errors when added.

The error handling caused much grief (as not an Xlib expert), and it will be seen that there are a number of flags to indicate certain error sequences. The source code has plenty of comments regarding these and if anyone has better methods let the author know.

== Building the X-Windows Select and Paste Examples ==
To build and test the infrastructure to support modified <tt>x_contexts</tt> files for the X-Windows object manager, the following will be required:

* The Base Module described in the [[Building a Basic Policy#Building the Base Policy Module|Building the Base Policy Module]] section. This will install the base policy module and supporting files in the <tt>/etc/selinux/modular-test</tt> area.
* Two modified <tt>x_contexts</tt> files. The Reference Policy sample has been modified to capture additional entries and for each entry allocate its own unique object label. There is one file to support the way the Reference Policy (build 20090730) supports these objects<ref name="ftn3">Also known as 'derived type' because the objects are assigned labels that are derivied from a name based on the SELinux user or a prefix (e.g. from the '<tt>users_extra</tt>' configuration file) and then uses a <tt>type_transition</tt> statement to transition the object to the new label on creation.</ref>, and the other has the additional '<tt>poly_</tt>' keyword added to support polyinstantiated property and selection entries.

Important note - These sample <tt>x_contexts</tt> files must not be used with the reference policy as they are incompatible and will cause the system to hang when X-Windows is being loaded

* A loadable module (<tt>x_context_base.conf</tt>) that contains the policy type statements and allow rules of the newly defined <tt>x_contexts</tt> file entries described in bullet b). This will allow the X-Windows object manager to load the new <tt>x_contexts</tt> file without any errors.
* Two simple X-Windows applications - <tt>X-select</tt> to automatically select some text (<tt>Hello World</tt>), and <tt>X-paste</tt> to paste the text onto the screen. These applications use the minimum <tt>Xlib</tt> functions possible, however they also contain calls to the SELinux X-Windows functions that are built into the object manager to retrieve context information as the applications execute.
* A loadable module (<tt>x_select_paste.conf</tt>) that contains the policy for enforcing the <tt>X-select</tt> and <tt>X-paste</tt> applications when running in the <tt>x_select_paste_t</tt> domain. This policy supports the polyinstantiated <tt>x_contexts</tt> file by setting a boolean (<tt>poly-selection</tt>) to <tt>TRUE</tt> and the the derived <tt>x_contexts</tt> file by setting the boolean to <tt>FALSE</tt>.

The build and testing will be carried out in the following stages:

* Ensure that the <tt>modular-test</tt> base module has been built and tested as described in the [[Building a Basic Policy#Building the Base Policy Module|Building the Base Policy Module]] section.
* Build the new <tt>x_contexts</tt> files and a loadable module (<tt>x_context_base.conf</tt>). The files to are available in the source file and located in the <tt>./notebook-source/x-windows/x-contexts-base-module</tt> directory.
* Build the X-select, X-paste applications and their supporting loadable module for running in the <tt>x_select_paste_t</tt> domain.
* Install the derived (non-polyinstantiated) <tt>x_contexts</tt> file and test using the X-select and X-paste applications in various scenarios using the <tt>unconfined_t</tt> and <tt>x_select_paste_t</tt> domains, recording the results.
* Install the polyinstantiated <tt>x_contexts</tt> file and test using the X-select and X-paste applications in various scenarios using the <tt>unconfined_t</tt> and <tt>x_select_paste_t</tt> domains, recording the results.

=== Building the x_contexts Files and Loadable Module ===
Before building and installing these, ensure that the <tt>modular-test</tt> base module has been built, if it has proceed as follows:

* Ensure you are logged on as root and SELinux is running in permissive mode (setenforce 0) to perform the build process. It is assumed that the files are built in the <tt>./notebook-source/x-windows/x-contexts-base-module</tt> directory.
* Produce a derived <tt>x_contexts</tt> file called [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-contexts-base-module/x_contexts-file-with-new-labels x_contexts-file-with-new-labels]
* Produce a polyinstantiated <tt>x_contexts</tt> file called [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-contexts-base-module/x_contexts-file-with-new-polylabels x_contexts-file-with-new-polylabels].
* Produce the policy file [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-contexts-base-module/x_context_base.conf x_context_base.conf].
* Compile, package and load the module as follows:
<pre>
checkmodule -m x_context_base.conf -o x_context_base.mod
semodule_package -o x_context_base.pp -m x_context_base.mod
semodule -v -s modular-test -i x_context_base.pp
</pre>

Use the semodule command to check the module has loaded as follows:
<pre>
semodule -l

x_context_base 1.0.0
</pre>

* Copy the derived <tt>x_contexts-file-with-new-labels</tt> to the <tt>modular-test</tt> policy area as the new <tt>x_contexts</tt> file:
<pre>
cp x_contexts-file-with-new-labels /etc/selinux/modular-test/contexts/x_contexts
</pre>

* Optionally clear the log file so that they are clear for easier reading after the reboot:
<pre>
> /var/log/audit/audit.log
</pre>

* Ensure that SELinux is configured to run in permissive mode with the <tt>modular-test</tt> policy enabled, then reboot the system to ensure X-windows loads the new <tt>x_contexts</tt> file entries.
<pre>
reboot
</pre>

The system should reload with no errors, however if the screen should remain blank then the chances are that the <tt>x_contexts</tt> file is incorrect and the repair disk will be required to replace the <tt>x_contexts</tt> file with the one produced in the [[Building a Basic Policy#Building the Base Policy Module|Building the Base Policy Module]] section. Alternatively, reboot with a know good policy and check the <tt>modular-test</tt> policy <tt>x_contexts</tt> entries.

Run the <tt>setenforce 1</tt> command and then check the audit log for <tt>USER_AVC</tt> errors (there should not be any errors).

Note that the <tt>x_contexts</tt> file currently loaded is the standard (non-poly) version.

=== Building the X-select and X-paste Applications ===
Before building and installing these applications, ensure that the libraries and development packages have been installed.

The easiest way to build these applications is to use the notebook-source files (the X-select and X-paste code is in the <tt>./notebook-source/x-windows/x-select+paste</tt> directory). The code to manage the XSELinux functions is quite long and also requires a header file (these are contained in the <tt>./notebook-source/x-windows/x-common</tt> directory). The source files also contain a pre-compiled set of applications that only need to be copied to <tt>/usr/local/bin</tt>. However to build from scratch proceed as follows:

* Ensure you are logged on as root and SELinux is running in permissive mode (setenforce 0) to perform the build process. It is assumed that the applications will be built in the <tt>./notebook-source/x-windows/x-select+paste</tt> directory, but the XSELinux function call code will be in the <tt>./notebook-source/x-windows/x-common</tt> directory as it is shared by the <tt>X-setest</tt> application as well.
* In the <tt>./notebook-source/x-windows/x-common</tt> directory, produce the header file with the following entries [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-common/Xlib-selinux.h Xlib-selinux.h].
* In the <tt>./notebook-source/x-windows/x-common</tt> directory, produce the [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-common/XSELinuxOMFunctions.c XSELinuxOMFunctions.c] source file.
* In the <tt>./notebook-source/x-windows/x-select+paste</tt> directory, produce the [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-select+paste/X-select.c X-select.c]] source file.
* In the <tt>./notebook-source/x-windows/x-select+paste</tt> directory, produce the [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-select+paste/X-paste.c X-paste.c] source file.
* From the <tt>./notebook-source/x-windows/x-select+paste</tt> directory, compile and link the X-select and X-paste applications as follows:
<pre>
gcc X-paste.c ../x-common/XSELinuxOMFunctions.c -o X-paste -l selinux -l X11 -l Xi
</pre>

<pre>
gcc X-select.c ../x-common/XSELinuxOMFunctions.c -o X-select -l selinux -l X11 -l Xi
</pre>

* Copy the X-select and X-paste application binaries to <tt>/usr/local/bin</tt> as follows:
<pre>
cp X-select /usr/local/bin
cp X-paste /usr/local/bin
</pre>

* The applications can be tested by calling them from separate virtual terminals, although they will only be running in the <tt>unconfined_t</tt> domain as shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/Derived-Test1.png Figure 1] (until the policy module is built as described in the next section). Note that the <tt>x_contexts</tt> file loaded in the previous section is the standard (non-poly) version.

=== Building the X-select and X-paste Loadable Module ===
This loadable module is to enforce policy on the X-select and X-paste applications when they are run in the <tt>x_select_paste_t</tt> domain using the SELinux <tt>runcon</tt> commands as follows:
<pre>
# Note the runcon commands would be run from different virtual
# terminals to activate and test the applications.

runcon -t x_select_paste_t X-select
runcon -t x_select_paste_t X-select
</pre>

The policy has a <tt>poly-selection</tt> boolean that by default is set to <tt>FALSE</tt> and controls what policy rules are enforced depending on what verion of the <tt>x_contexts</tt> file is loaded (although note that the boolean does NOT control what file is loaded, that is a user copy function):

* Testing the standard <tt>x_contexts</tt> file <tt>poly-selection = FALSE</tt>.
* Testing the polyinstantiated <tt>x_contexts</tt> file <tt>poly-selection = TRUE</tt>.

The [[#Testing Derived Labels|Testing Derived Labels]] and [[#Testing Polyinstantiated Labels|Testing Polyinstantiated Labels]] sections run through a number of tests to check what happens with each setting.

To build the loadable module:

* In the <tt>./notebook-source/x-windows/x-select+paste</tt> directory, produce the [http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-select+paste/x_select_paste.conf x_select_paste.conf] policy configuration file.
* Compile and load the policy module using the following SELinux commands:
<pre>
checkmodule -m x_select_paste.conf -o x_select_paste.mod
semodule_package -o x_select_paste.pp -m x_select_paste.mod
semodule -v -s modular-test -i x_select_paste.pp
</pre>

* The policy modules loaded should now consist of the following:
<pre>
semodule -l
x_context_base 1.0.0
x_select_paste 1.0.0
</pre>

* The system is now ready for testing various select / paste scenarios. Note that by default the <tt>poly-selection</tt> boolean is set to <tt>FALSE</tt> and the <tt>x_contexts-file-with-new-labels</tt> file has been installed as the <tt>/etc/selinux/modular-test/contexts/x_contexts</tt> file.

=== Testing Derived Labels ===
The following steps will determine if the test set-up is correct:

* Check the correct modules are loaded by:
<pre>
semodule -l
x_context_base 1.0.0
x_select_paste 1.0.0
</pre>

* Check the Boolean is set correctly by:
<pre>
getsebool poly-selection
poly-selection --> off

# If 'on', then run:
setsebool -P poly-selection false
</pre>

* Ensure the correct <tt>x_contexts</tt> file is installed. This can be done by checking that there are no <tt>poly_</tt> entries in the <tt>/etc/selinux/modular-test/contexts/x_contexts</tt> file. If the file is not correct, then copy the correct version over by:
<pre>
cp $HOME/notebook-source/x-windows/x-contexts-base-module/x_contexts-file-with-new-labels /etc/selinux/modular-test/contexts/x_contexts
</pre>

* If the X-select and X-paste applications were not built as described in the [[#Building the X-select and X-paste Applications|Building the X-select and X-paste Applications]] section, then the executables can be copied from the <tt>./notebook-source/x-windows/x_select+paste</tt> directory to the <tt>/usr/local/bin directory</tt>. They should default to <tt>unconfined_t</tt> that can be checked as follows:
<pre>
ls -Z /usr/local/bin
-rwxr-xr-x. root root system_u:object_r:unconfined_t X-paste
-rwxr-xr-x. root root system_u:object_r:unconfined_t X-select
</pre>

* Open two virtual terminal sessions so that the applications can be run. A third can be opened for monitoring the audit log for errors.
* Run <tt>setenforce 1</tt> for enforcing mode.

'''Test 1:'''

The X-select and X-paste applications are called directly, one in each terminal session and will therefore run under the <tt>unconfined_t</tt> domain:

Terminal 1: <tt>X-paste</tt>
Terminal 2: <tt>X-select</tt>

The results can be seen in [http://taiga.selinuxproject.org/~rhaines/diagrams/Derived-Test1.png Figure 1] where "Hello World" is displayed on Terminal 1 (note that if any text has been selected by another window, then that text will probably be displayed instead of "Hello World").

There is other information displayed that shows the various context information using the <tt>SELinuxGet..</tt> functions that can be examined if required.

To exit the applications '<tt>Ctrl c</tt>' is used.

'''Test 2:'''

The applications are then loaded using <tt>runcon</tt>:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>runcon -t x_select_paste_t X-select</tt>

The results can be seen in [http://taiga.selinuxproject.org/~rhaines/diagrams/Derived-Test2.png Figure 2] where "Hello World" is displayed on Terminal 1.

'''Test 3:'''

The applications are then loaded as follows:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>X-select</tt>

As shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/Derived-Test3.png Figure 3], the X-paste application still receives "Hello World", showing that selections are not blocked.

'''Test 4:'''

With this test the <tt>poly-selection</tt> boolean is set to TRUE:
<pre>
setsebool -P poly-selection true
</pre>

The applications are then loaded as follows:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>X-select</tt>

The results are the same as Test 3 in that “Hello World” is displayed.

==== Derived Object Test Conclusions ====
As can be seen the selected text can be pasted from both the <tt>unconfined_t</tt> and <tt>x_select_paste_t</tt> domains. This means that using standard reference policy type x_contexts file entries for selections, separation cannot be achieved (although note that the MLS version of reference policy may do - need to check one day).

If the policy is analysed, it will be seen that even though a type transition has been defined for the <tt>primary_xselection_t</tt> object:

* Extracts from the x_select_paste.conf policy:
<pre>
# Added type with derived name to transition new object instances:
type user_primary_xselection_t;

#Added type transition for the object:
type_transition x_select_paste_t primary_xselection_t : x_selection user_primary_xselection_t;
</pre>

a new object is never created:
<pre>
# audit2allow never indicated that an allow rule was needed
# like this (that would be required if a new instance was created)

allow x_select_paste_t user_ primary_xselection_t : x_selection { read ... };
</pre>

=== Testing Polyinstantiated Labels ===
The following steps will determine if the test set-up is correct:

* Check the correct modules are loaded by:
<pre>
semodule -l
x_context_base 1.0.0
x_select_paste 1.0.0
</pre>

* Check the Boolean is set correctly by:
<pre>
getsebool poly-selection
poly-selection --> on

# If 'on', then run:
setsebool -P poly-selection true
</pre>

* Ensure the correct <tt>x_contexts</tt> file is installed. This can be done by checking that there are <tt>poly_</tt> entries in the <tt>/etc/selinux/modular-test/contexts/x_contexts</tt> file. If the file is not correct, then copy the correct version over by:
<pre>
cp $HOME/notebook-source/x-windows/x-contexts-base-module/x_contexts-file-with-new-polylabels /etc/selinux/modular-test/contexts/x_contexts
</pre>

* If the X-select and X-paste applications were not built as described in the [[#Building the X-select and X-paste Applications|Building the X-select and X-paste Applications]] section, then the executables can be copied from the <tt>./notebook-source/x-windows/x_select+paste</tt> directory to the <tt>/usr/local/bin directory</tt>. They should default to <tt>unconfined_t</tt> that can be checked as follows:
<pre>
ls -Z /usr/local/bin
-rwxr-xr-x. root root system_u:object_r:unconfined_t X-paste
-rwxr-xr-x. root root system_u:object_r:unconfined_t X-select
</pre>

* Open two virtual terminal sessions so that the applications can be run. A third can be opened for monitoring the audit log for errors.
* Run <tt>setenforce 1</tt> for enforcing mode.

'''Test 1:'''

The X-select and X-paste applications are called directly, one in each terminal session and will therefore run under the <tt>unconfined_t</tt> domain:

Terminal 1: <tt>X-paste</tt>
Terminal 2: <tt>X-select</tt>

The results can be seen in [http://taiga.selinuxproject.org/~rhaines/diagrams/Poly-Test1.png Figure 4] where "Hello World" is displayed on Terminal 1 (note that if any text has been selected by another window, then that text will probably be displayed instead of "Hello World").

There is other information displayed that shows the various context information using the <tt>SELinuxGet..</tt> functions that can be examined if required.

To exit the applications '<tt>Ctrl c</tt>' is used.

'''Test 2:'''

The applications are then loaded using <tt>runcon</tt>:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>runcon -t x_select_paste_t X-select</tt>

The results can be seen in [http://taiga.selinuxproject.org/~rhaines/diagrams/Poly-Test2.png Figure 5] where "Hello World" is displayed on Terminal 1.

'''Test 3:'''

The applications are then loaded as follows:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>X-select</tt>

As shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/Poly-Test3.png Figure 6], the X-paste application does NOT receive "Hello World” as the selections are blocked by the polyinstantiation functionality.

'''Test 4:'''

With this test the <tt>poly-selection</tt> boolean is set to FALSE:
<pre>
setsebool -P poly-selection false
</pre>

The applications are then loaded as follows:

Terminal 1: <tt>runcon -t x_select_paste_t X-paste</tt>
Terminal 2: <tt>X-select</tt>

As shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/Poly-Test4.png Figure 7], the X-paste application running on terminal 1 does not receive "Hello World" for the following reasons:

* The selections are being detected by the X-paste application because the <tt>type_member</tt> rule has been disabled, therefore polyinstantiation is not being enforced by the policy (as to enforce polyinstantiation both the <tt>poly_</tt> entries in the <tt>x_contexts</tt> file is required plus a supporting <tt>type_member</tt> rule (and of course any <tt>allow</tt> rules)).
* The application name and context is not displayed in the X-Window title bar and the terminal screen shows two error returns when getting the property context entries as shown below (the <tt>resourceID: 39</tt> is <tt>WM_NAME</tt> - see <tt>Xatom.h</tt>).
<pre>
Calling SELinuxGetPropertyContext (12) with WM_NAME for Property Owner Window:

The SELinuxGetPropertyContext (12) function returned an _XReply error:
BadMatch - Lookup failed for resourceID: 39

Calling SELinuxGetPropertyDataContext (13) with WM_NAME for Property Owner Window:
The SELinuxGetPropertyDataContext (13) function returned an _XReply error:
BadMatch - Lookup failed for resourceID: 39
</pre>

* If apol is used to view the Conditional Expressions for the policy, the following will be seen:
<pre>
conditional expression 1: [poly-selection]

TRUE list:
allow x_select_paste_t wm_name_xproperty_t : x_property { write create }; [Disabled]
allow x_select_paste_t x_select_paste_t : x_selection { getattr setattr read }; [Disabled]
type_member x_select_paste_t primary_xselection_t : x_selection x_select_paste_t; [Disabled]

FALSE list:
type_transition x_select_paste_t wm_name_xproperty_t : x_property user_wm_name_xproperty_t;
</pre>

Whereas, they should be:
<pre>
conditional expression 1: [poly-selection]

TRUE list:
allow x_select_paste_t wm_name_xproperty_t : x_property { write create }; [Enabled]
allow x_select_paste_t x_select_paste_t : x_selection { getattr setattr read }; [Enabled]
type_member x_select_paste_t primary_xselection_t : x_selection x_select_paste_t; [Enabled]

FALSE list:
type_transition x_select_paste_t wm_name_xproperty_t : x_property user_wm_name_xproperty_t;
</pre>

==== Polyinstantiated Object Test Conclusions ====
As can be seen the selected text cannot be pasted between the <tt>unconfined_t</tt> and <tt>x_select_paste_t</tt> domains. This means that using polyinstantiated entries will allow selections to be isolated.

If the policy is analysed, it will be seen that the policy enforces the separation with a type member rule. The X-Windows object manager / XACE manages the actual selection polyinstantiation.
<pre>
# Extracts from the x_select_paste.conf policy:

# This type_member rules enforces polyinstantiation of the
# "poly_selection PRIMARY primary_xselection_t" x_contexts entry:
type_member x_select_paste_t primary_xselection_t : x_selection x_select_paste_t;

# Additional allow rules:
allow x_select_paste_t self:x_selection { getattr setattr read };
</pre>

←Older revision		Revision as of 15:10, 15 March 2010
Line 217:		Line 217:

	* The Base Module described in the [[Building a Basic Policy#Building the Base Policy Module\|Building the Base Policy Module]] section. This will install the base policy module and supporting files in the <tt>/etc/selinux/modular-test</tt> area.		* The Base Module described in the [[Building a Basic Policy#Building the Base Policy Module\|Building the Base Policy Module]] section. This will install the base policy module and supporting files in the <tt>/etc/selinux/modular-test</tt> area.
-	* Two modified <tt>x_contexts</tt> files. The Reference Policy sample has been modified to capture additional entries and for each entry allocate its own unique object label. There is one file to support the way the Reference Policy (build 20090730) supports these objects<ref name="~~ftn3~~">Also known as 'derived type' because the objects are assigned labels that are derivied from a name based on the SELinux user or a prefix (e.g. from the '<tt>users_extra</tt>' configuration file) and then uses a <tt>type_transition</tt> statement to transition the object to the new label on creation.</ref>, and the other has the additional '<tt>poly_</tt>' keyword added to support polyinstantiated property and selection entries.	+	* Two modified <tt>x_contexts</tt> files. The Reference Policy sample has been modified to capture additional entries and for each entry allocate its own unique object label. There is one file to support the way the Reference Policy (build 20090730) supports these objects<ref name="ref1">Also known as 'derived type' because the objects are assigned labels that are derivied from a name based on the SELinux user or a prefix (e.g. from the '<tt>users_extra</tt>' configuration file) and then uses a <tt>type_transition</tt> statement to transition the object to the new label on creation.</ref>, and the other has the additional '<tt>poly_</tt>' keyword added to support polyinstantiated property and selection entries.

	Important note - These sample <tt>x_contexts</tt> files must not be used with the reference policy as they are incompatible and will cause the system to hang when X-Windows is being loaded		Important note - These sample <tt>x_contexts</tt> files must not be used with the reference policy as they are incompatible and will cause the system to hang when X-Windows is being loaded
Line 578:		Line 578:
	allow x_select_paste_t self:x_selection { getattr setattr read };		allow x_select_paste_t self:x_selection { getattr setattr read };
	</pre>		</pre>
		+
		+
		+	<references/>

Experimenting With X-Windows - Revision history

RichardHaines at 15:10, 15 March 2010

RichardHaines: New page: = Experimenting with X-Windows = == Section Overview == The main objectives of this section are to: * Demonstrate the use of '`selections`' using polyinstantiation and non- polyins...

Experimenting With X-Windows - Revision history

RichardHaines at 15:10, 15 March 2010

RichardHaines: New page: = Experimenting with X-Windows = == Section Overview == The main objectives of this section are to: * Demonstrate the use of 'selections' using polyinstantiation and non- polyins...

RichardHaines: New page: = Experimenting with X-Windows = == Section Overview == The main objectives of this section are to: * Demonstrate the use of '`selections`' using polyinstantiation and non- polyins...