Merge remote-tracking branch 'aosp/upstream-master' into HEAD

Bug: 262469329
Test: build and boot cuttlefish
Change-Id: Ic97540265491a501cd89f40f46bf1f97d6a753e2
Inseob Kim 2023-01-16 11:29:53 +09:00
commit ad990cb28b
75 changed files with 811 additions and 298 deletions


@ -62,6 +62,9 @@ dnf install \
# For Python and Ruby bindings
dnf install \
python3-devel \
python3-pip \
python3-setuptools \
python3-wheel \
ruby-devel \
swig
```
@ -92,6 +95,9 @@ apt-get install --no-install-recommends --no-install-suggests \
# For Python and Ruby bindings
apt-get install --no-install-recommends --no-install-suggests \
python3-dev \
python3-pip \
python3-setuptools \
python3-wheel \
ruby-dev \
swig
```
@ -102,7 +108,7 @@ To build and install everything under a private directory, run:
make DESTDIR=~/obj install install-rubywrap install-pywrap
On Debian `PYTHON_SETUP_ARGS=--install-layout=deb` needs to be set when installing the python wrappers in order to create the correct python directory structure.
On Debian `PYTHON_SETUP_ARGS='--install-option "--install-layout=deb"'` needs to be set when installing the python wrappers in order to create the correct python directory structure.
To run tests with the built libraries and programs, several paths (relative to `$DESTDIR`) need to be added to variables `$LD_LIBRARY_PATH`, `$PATH` and `$PYTHONPATH`.
This can be done using [./scripts/env_use_destdir](./scripts/env_use_destdir):


@ -1 +1 @@
3.4
3.5-rc2


@ -1 +1 @@
3.4
3.5-rc2


@ -1148,12 +1148,11 @@ int main(int argc, char **argv)
FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
name = malloc((strlen(ans) + 1) * sizeof(char));
name = strdup(ans);
if (name == NULL) {
fprintf(stderr, "couldn't malloc string.\n");
fprintf(stderr, "couldn't strdup string.\n");
break;
}
strcpy(name, ans);
printf("state? ");
FGETS(ans, sizeof(ans), stdin);
@ -1296,12 +1295,11 @@ int main(int argc, char **argv)
FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
name = malloc((strlen(ans) + 1) * sizeof(char));
name = strdup(ans);
if (!name) {
fprintf(stderr, "couldn't malloc string.\n");
fprintf(stderr, "couldn't strdup string.\n");
break;
}
strcpy(name, ans);
printf("port? ");
FGETS(ans, sizeof(ans), stdin);
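Review bot: The newline strip `ans[strlen(ans) - 1] = 0;` immediately above each new `name = strdup(ans);` removes the last byte unconditionally, so a final input line without a trailing newline, or a line longer than `ans` that fgets truncated, loses a real character, and an empty string indexes before the buffer. `ans[strcspn(ans, "\n")] = '\0';` strips only a newline that is actually present and is safe on an empty string. This is pre-existing context rather than part of the strdup conversion, but both hunks here and the one in the sibling tool starting `@ -486,12 +486,11` sit right on it; main() continues outside the hunks.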


@ -117,12 +117,11 @@ int insert_id(const char *id, int push)
char *newid = 0;
int error;
newid = (char *)malloc(strlen(id) + 1);
newid = strdup(id);
if (!newid) {
yyerror("out of memory");
return -1;
}
strcpy(newid, id);
if (push)
error = queue_push(id_queue, (queue_element_t) newid);
else
@ -1417,7 +1416,7 @@ static int define_typebounds_helper(char *bounds_id, char *type_id)
if (!type->bounds)
type->bounds = bounds->s.value;
else if (type->bounds != bounds->s.value) {
yyerror2("type %s has inconsistent master {%s,%s}",
yyerror2("type %s has inconsistent bounds %s/%s",
type_id,
policydbp->p_type_val_to_name[type->bounds - 1],
policydbp->p_type_val_to_name[bounds->s.value - 1]);
@ -2209,7 +2208,7 @@ static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
xperms = calloc(1, sizeof(av_extended_perms_t));
if (!xperms) {
yyerror("out of memory");
return - 1;
return -1;
}
r = rangelist;
@ -2246,7 +2245,7 @@ static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
xperms = calloc(1, sizeof(av_extended_perms_t));
if (!xperms) {
yyerror("out of memory");
return - 1;
return -1;
}
r = rangelist;
@ -2290,7 +2289,7 @@ static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
xperms = calloc(1, sizeof(av_extended_perms_t));
if (!xperms) {
yyerror("out of memory");
return - 1;
return -1;
}
r = rangelist;
@ -2353,11 +2352,11 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
dest->flags = src->flags;
if (type_set_cpy(&dest->stypes, &src->stypes)) {
yyerror("out of memory");
return - 1;
return -1;
}
if (type_set_cpy(&dest->ttypes, &src->ttypes)) {
yyerror("out of memory");
return - 1;
return -1;
}
dest->line = src->line;
dest->source_filename = strdup(source_file);
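Review bot: In insert_id the declaration `char *newid = 0;` is now overwritten two lines later by `newid = strdup(id);`, leaving a dead initializer that also spells the null pointer as `0`; fold the two into `char *newid = strdup(id);`. The remaining hunks in this file (`return - 1` to `return -1`, the yyerror2 wording) are cosmetic and look fine. insert_id continues past the hunk, so the `else` branch of the queue call is not visible here.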


@ -486,12 +486,11 @@ int main(int argc, char **argv)
}
ans[strlen(ans) - 1] = 0;
name = malloc((strlen(ans) + 1) * sizeof(char));
name = strdup(ans);
if (name == NULL) {
fprintf(stderr, "couldn't malloc string.\n");
fprintf(stderr, "couldn't strdup string.\n");
break;
}
strcpy(name, ans);
printf("state? ");
if (fgets(ans, sizeof(ans), stdin) == NULL) {


@ -1 +1 @@
3.4
3.5-rc2


@ -1 +1 @@
3.4
3.5-rc2


@ -481,7 +481,7 @@ class childWindow:
my_policy = sepolicy.generate.policy(self.get_name(), self.get_type())
iter = self.boolean_store.get_iter_first()
while(iter):
while iter:
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1))
iter = self.boolean_store.iter_next(iter)
@ -527,7 +527,7 @@ class childWindow:
my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text())
iter = self.store.get_iter_first()
while(iter):
while iter:
if self.store.get_value(iter, 1) == FILE:
my_policy.add_file(self.store.get_value(iter, 0))
else:


@ -1 +1 @@
3.4
3.5-rc2


@ -187,7 +187,7 @@ install: all
ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
install-pywrap: pywrap
$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
$(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
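Review bot: In the new install-pywrap recipe `--ignore-installed --no-deps` are inside the backtick expression, so they are only passed when DESTDIR is non-empty; with an empty DESTDIR pip resolves dependencies against the package index instead of installing just this tree. If that is intended, a comment saying so would help; otherwise move the two flags after the closing backtick so they apply in both cases. Consider `--no-build-isolation` as well: recent pip otherwise builds in an isolated environment and downloads setuptools and wheel from the index even though the README hunk in this commit lists them as system build dependencies, which surprises offline or reproducible builds.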


@ -191,7 +191,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
static int __policy_init(const char *init_path)
{
FILE *fp;
FILE *fp = NULL;
const char *curpolicy;
char errormsg[PATH_MAX+1024+20];
struct sepol_policy_file *pf = NULL;
@ -235,18 +235,17 @@ static int __policy_init(const char *init_path)
snprintf(errormsg, sizeof(errormsg),
"policydb_init failed: %m\n");
PyErr_SetString( PyExc_RuntimeError, errormsg);
fclose(fp);
return 1;
goto err;
}
sepol_policy_file_set_fp(pf, fp);
if (sepol_policydb_read(avc->policydb, pf)) {
snprintf(errormsg, sizeof(errormsg),
"invalid binary policy %s\n", curpolicy);
PyErr_SetString( PyExc_ValueError, errormsg);
fclose(fp);
return 1;
goto err;
}
fclose(fp);
fp = NULL;
sepol_set_policydb(&avc->policydb->p);
avc->handle = sepol_handle_create();
/* Turn off messages */
@ -256,13 +255,13 @@ static int __policy_init(const char *init_path)
avc->policydb, &cnt);
if (rc < 0) {
PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n");
return 1;
goto err;
}
boollist = calloc(cnt, sizeof(*boollist));
if (!boollist) {
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
return 1;
goto err;
}
sepol_bool_iterate(avc->handle, avc->policydb,
@ -273,11 +272,26 @@ static int __policy_init(const char *init_path)
rc = sepol_sidtab_init(&sidtab);
if (rc < 0) {
PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n");
free(boollist);
return 1;
goto err;
}
sepol_set_sidtab(&sidtab);
return 0;
err:
if (boollist)
free(boollist);
if (avc){
if (avc->handle)
sepol_handle_destroy(avc->handle);
if (avc->policydb)
sepol_policydb_free(avc->policydb);
free(avc);
}
if (pf)
sepol_policy_file_free(pf);
if (fp)
fclose(fp);
return 1;
}
static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
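Review bot: The new `err:` path frees `avc->policydb` and `avc`, but when it is reached from the bool-count, calloc or sidtab failures, `sepol_set_policydb(&avc->policydb->p)` has already registered that policydb with libsepol, so the library-level pointer refers to freed memory afterwards; either register only after the last fallible step, or clear the registration before freeing if libsepol accepts `sepol_set_policydb(NULL)`. `avc` and `boollist` are not declared in the hunk; if they are file-scope, as the `if (boollist) free(boollist);` test written as though it could already be set suggests, add `avc = NULL; boollist = NULL;` after freeing them so a retried `init` does not see stale pointers. `free(NULL)` is a no-op, so the `if (boollist)` guard itself can be dropped.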


@ -51,7 +51,6 @@ char avc_prefix[AVC_PREFIX_SIZE] = "uavc";
int avc_running = 0;
int avc_enforcing = 1;
int avc_setenforce = 0;
int avc_netlink_trouble = 0;
/* process setenforce events for netlink and sestatus */
int avc_process_setenforce(int enforcing)
@ -295,7 +294,6 @@ void avc_netlink_loop(void)
close(fd);
fd = -1;
avc_netlink_trouble = 1;
avc_log(SELINUX_ERROR,
"%s: netlink thread: errors encountered, terminating\n",
avc_prefix);


@ -180,7 +180,4 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
security_class_t tclass, access_vector_t perms,
uint32_t seqno, uint32_t enable) ;
/* netlink kernel message code */
extern int avc_netlink_trouble ;
#endif /* _SELINUX_AVC_INTERNAL_H_ */


@ -7,7 +7,6 @@
#ifndef DISABLE_BOOL
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
@ -132,7 +131,8 @@ char *selinux_boolean_sub(const char *name)
ptr++;
*ptr = '\0';
sub = strdup(dst);
if (!strchr(dst, '/'))
sub = strdup(dst);
break;
}
@ -147,12 +147,12 @@ out:
static int bool_open(const char *name, int flag) {
char *fname = NULL;
char *alt_name = NULL;
int len;
size_t len;
int fd = -1;
int ret;
char *ptr;
if (!name) {
if (!name || strchr(name, '/')) {
errno = EINVAL;
return -1;
}
@ -164,9 +164,8 @@ static int bool_open(const char *name, int flag) {
return -1;
ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
if (ret < 0)
if (ret < 0 || (size_t)ret >= len)
goto out;
assert(ret < len);
fd = open(fname, flag);
if (fd >= 0 || errno != ENOENT)
@ -184,9 +183,8 @@ static int bool_open(const char *name, int flag) {
fname = ptr;
ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, alt_name);
if (ret < 0)
if (ret < 0 || (size_t)ret >= len)
goto out;
assert(ret < len);
fd = open(fname, flag);
out:
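Review bot: The new `strchr(name, '/')` check in bool_open keeps the name inside `SELINUX_BOOL_DIR`, but `.` and `..` still pass it, so `<mnt>/booleans/..` is what gets opened for those names; rejecting them alongside the slash keeps the name to a single real component: `if (!name || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, "..")) {`. The same applies to the check added to security_get_initial_context_raw in this commit (hunk `@ -23,8 +23,17`). In selinux_boolean_sub, `if (!strchr(dst, '/')) sub = strdup(dst);` silently leaves `sub` NULL for a mapping whose target contains a slash; a one-line comment there saying such an entry is ignored as malformed would help, since the fallback behaviour is outside the hunk.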


@ -68,11 +68,9 @@ context_t context_new(const char *str)
for (p = tok; *p; p++) { /* empty */
}
}
n->component[i] = (char *)malloc(p - tok + 1);
n->component[i] = strndup(tok, p - tok);
if (n->component[i] == 0)
goto err;
strncpy(n->component[i], tok, p - tok);
n->component[i][p - tok] = '\0';
tok = *p ? p + 1 : p;
}
return result;
@ -149,19 +147,18 @@ static int set_comp(context_private_t * n, int idx, const char *str)
char *t = NULL;
const char *p;
if (str) {
t = (char *)malloc(strlen(str) + 1);
if (!t) {
return -1;
}
for (p = str; *p; p++) {
if (*p == '\t' || *p == '\n' || *p == '\r' ||
((*p == ':' || *p == ' ') && idx != COMP_RANGE)) {
free(t);
errno = EINVAL;
return -1;
}
}
strcpy(t, str);
t = strdup(str);
if (!t) {
return -1;
}
}
conditional_free(&n->component[idx]);
n->component[idx] = t;


@ -62,10 +62,9 @@ static int find_default_type(FILE * fp, const char *role, char **type)
return -1;
}
t = malloc(strlen(buf) - len);
t = strndup(ptr, strlen(buf) - len - 1);
if (!t)
return -1;
strcpy(t, ptr);
*type = t;
return 0;
}
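Review bot: `strndup(ptr, strlen(buf) - len - 1)` depends on `strlen(buf) > len`; otherwise the unsigned subtraction wraps and strndup simply copies up to the terminator, the same invariant the old `malloc(strlen(buf) - len)` relied on. The guard that establishes it is above the hunk, so this is only a request to make the invariant visible at the call: a comment stating what `len` counts and why one trailing byte is dropped (presumably a trailing newline, confirm against the code above), e.g. `/* copy the type without its trailing newline; len bytes of prefix precede ptr */`. find_default_type starts outside the hunk.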


@ -23,8 +23,17 @@ int security_get_initial_context_raw(const char * name, char ** con)
return -1;
}
snprintf(path, sizeof path, "%s%s%s",
selinux_mnt, SELINUX_INITCON_DIR, name);
if (strchr(name, '/')) {
errno = EINVAL;
return -1;
}
ret = snprintf(path, sizeof path, "%s%s%s", selinux_mnt, SELINUX_INITCON_DIR, name);
if (ret < 0 || (size_t)ret >= sizeof path) {
errno = EOVERFLOW;
return -1;
}
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd < 0)
return -1;


@ -31,7 +31,7 @@
* For example:
* ----------------------------------------
* #
* # It is an example specfile for database obejcts
* # It is an example specfile for database objects
* #
* db_database template1 system_u:object_r:sepgsql_db_t:s0
*
@ -293,6 +293,11 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
return NULL;
}
rec->spec_file = strdup(path);
if (!rec->spec_file) {
free(catalog);
fclose(filp);
return NULL;
}
/*
* Parse for each lines
@ -322,18 +327,19 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
if (process_line(path, line_buf, ++line_num, catalog) < 0)
goto out_error;
}
free(line_buf);
if (digest_add_specfile(rec->digest, filp, NULL, sb.st_size, path) < 0)
goto out_error;
digest_gen_hash(rec->digest);
free(line_buf);
fclose(filp);
return catalog;
out_error:
free(line_buf);
for (i = 0; i < catalog->nspec; i++) {
spec_t *spec = &catalog->specs[i];
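Review bot: The new `if (!rec->spec_file)` branch hand-rolls its cleanup (`free(catalog); fclose(filp); return NULL;`) while the function already has an `out_error` label that frees `line_buf`, walks the catalog specs and presumably releases the catalog and file; a `goto out_error` would keep a single cleanup path, provided `line_buf` is initialised to NULL before this point (its declaration is outside the hunk). Moving `free(line_buf)` after `digest_gen_hash` and adding it at `out_error` looks right: every exit now frees it exactly once. db_init continues past the hunk.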


@ -215,10 +215,9 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
if (ret < 0 || sb.st_ino != ino) {
fl->specind = specind;
free(fl->file);
fl->file = malloc(strlen(file) + 1);
fl->file = strdup(file);
if (!fl->file)
goto oom;
strcpy(fl->file, file);
return fl->specind;
}
@ -232,10 +231,9 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
__FUNCTION__, file, fl->file,
con_array[fl->specind]);
free(fl->file);
fl->file = malloc(strlen(file) + 1);
fl->file = strdup(file);
if (!fl->file)
goto oom;
strcpy(fl->file, file);
return fl->specind;
}
@ -248,10 +246,9 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
goto oom;
fl->ino = ino;
fl->specind = specind;
fl->file = malloc(strlen(file) + 1);
fl->file = strdup(file);
if (!fl->file)
goto oom_freefl;
strcpy(fl->file, file);
fl->next = prevfl->next;
prevfl->next = fl;
return fl->specind;


@ -60,11 +60,13 @@ char const *regex_arch_string(void)
struct regex_data {
pcre2_code *regex; /* compiled regular expression */
#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
/*
* match data block required for the compiled
* pattern in pcre2
*/
pcre2_match_data *match_data;
#endif
pthread_mutex_t match_mutex;
};
@ -84,11 +86,13 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
goto err;
}
#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
(*regex)->match_data =
pcre2_match_data_create_from_pattern((*regex)->regex, NULL);
if (!(*regex)->match_data) {
goto err;
}
#endif
return 0;
err:
@ -138,10 +142,12 @@ int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex,
if (rc != 1)
goto err;
#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
(*regex)->match_data =
pcre2_match_data_create_from_pattern((*regex)->regex, NULL);
if (!(*regex)->match_data)
goto err;
#endif
*regex_compiled = true;
}
@ -167,7 +173,7 @@ int regex_writef(struct regex_data *regex, FILE *fp, int do_write_precompregex)
PCRE2_UCHAR *bytes = NULL;
if (do_write_precompregex) {
/* encode the patter for serialization */
/* encode the pattern for serialization */
rc = pcre2_serialize_encode((const pcre2_code **)&regex->regex,
1, &bytes, &serialized_size, NULL);
if (rc != 1) {
@ -203,8 +209,12 @@ void regex_data_free(struct regex_data *regex)
if (regex) {
if (regex->regex)
pcre2_code_free(regex->regex);
#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
if (regex->match_data)
pcre2_match_data_free(regex->match_data);
#endif
__pthread_mutex_destroy(&regex->match_mutex);
free(regex);
}
@ -213,10 +223,30 @@ void regex_data_free(struct regex_data *regex)
int regex_match(struct regex_data *regex, char const *subject, int partial)
{
int rc;
pcre2_match_data *match_data;
__pthread_mutex_lock(&regex->match_mutex);
#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
match_data = pcre2_match_data_create_from_pattern(
regex->regex, NULL);
if (match_data == NULL) {
__pthread_mutex_unlock(&regex->match_mutex);
return REGEX_ERROR;
}
#else
match_data = regex->match_data;
#endif
rc = pcre2_match(
regex->regex, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0,
partial ? PCRE2_PARTIAL_SOFT : 0, regex->match_data, NULL);
partial ? PCRE2_PARTIAL_SOFT : 0, match_data, NULL);
#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
// pcre2_match allocates heap and it won't be freed until
// pcre2_match_data_free, resulting in heap overhead.
pcre2_match_data_free(match_data);
#endif
__pthread_mutex_unlock(&regex->match_mutex);
if (rc > 0)
return REGEX_MATCH;
@ -257,6 +287,9 @@ struct regex_data *regex_data_create(void)
{
struct regex_data *regex_data =
(struct regex_data *)calloc(1, sizeof(struct regex_data));
if (!regex_data)
return NULL;
__pthread_mutex_init(&regex_data->match_mutex, NULL);
return regex_data;
}
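Review bot: `AGGRESSIVE_FREE_AFTER_REGEX_MATCH` is introduced throughout this file without any documentation of what it is or what it trades off; the `#ifndef` on the struct field is the natural place for a comment such as `/* AGGRESSIVE_FREE_AFTER_REGEX_MATCH: match data is created per regex_match() call and freed immediately, trading allocator work for a smaller resident heap; otherwise one block is kept per compiled pattern. */`. The rationale comment added in regex_match uses `//` while the rest of the file uses `/* */` (see the comments in the first hunk and in regex_writef); match the file's style. In the per-call build regex_match still takes `match_mutex` around pcre2_match although the only shared state there is the compiled pattern; if the mutex exists solely to serialise the shared match_data, it could be skipped in that configuration, but that is inferred intent and the extra lock is harmless.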


@ -343,7 +343,6 @@ error:
if (avc_using_threads)
{
fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
avc_netlink_trouble = 0;
}
fallback_sequence = 0;


@ -4,7 +4,7 @@ from setuptools import Extension, setup
setup(
name="selinux",
version="3.4",
version="3.5-rc2",
description="SELinux python 3 bindings",
author="SELinux Project",
author_email="selinux@vger.kernel.org",


@ -11,7 +11,7 @@
// Modified to:
// - stop symbols being exported for libselinux shared library - October 2015
// Richard Haines <richard_c_haines@btinternet.com>
// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues.
// Fixes:
// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
// CHAR64LONG16* block = (CHAR64LONG16*) workspace;


@ -82,7 +82,10 @@ static struct discover_class_node * discover_class(const char *s)
goto err2;
/* load up class index */
snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s);
ret = snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s);
if (ret < 0 || (size_t)ret >= sizeof path)
goto err3;
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd < 0)
goto err3;
@ -97,7 +100,10 @@ static struct discover_class_node * discover_class(const char *s)
goto err3;
/* load up permission indices */
snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s);
ret = snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s);
if (ret < 0 || (size_t)ret >= sizeof path)
goto err3;
dir = opendir(path);
if (dir == NULL)
goto err3;
@ -107,7 +113,10 @@ static struct discover_class_node * discover_class(const char *s)
unsigned int value;
struct stat m;
snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
ret = snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
if (ret < 0 || (size_t)ret >= sizeof path)
goto err4;
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd < 0)
goto err4;
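Review bot: The three new truncation checks jump to `err3`/`err4` without setting errno, whereas the matching check added to security_get_initial_context_raw in this commit sets `errno = EOVERFLOW` first; unless the err labels (outside the hunk) set it, a caller sees whatever errno the last successful call left. Set it at each new check, e.g. `if (ret < 0 || (size_t)ret >= sizeof path) { errno = EOVERFLOW; goto err3; }`. Unlike bool_open and the initial-context lookup, the class name `s` is not rejected when it contains `/` before being spliced into `%s/class/%s/...`; if `s` can originate outside the loaded policy, the same `strchr(s, '/')` check would be consistent. discover_class starts and ends outside the hunks.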


@ -30,7 +30,7 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
exit(1);
}
static mode_t string_to_mode(char *s)
static mode_t string_to_mode(const char *s)
{
switch (s[0]) {
case 'b':
@ -53,7 +53,7 @@ static mode_t string_to_mode(char *s)
int main(int argc, char **argv)
{
int raw = 0, mode = 0, rc, opt, i, num_links, string_len;
int raw = 0, mode = 0, rc, opt, i, num_links;
char *validate = NULL, *path = NULL, *context = NULL, *file = NULL;
char **links = NULL;
@ -101,13 +101,11 @@ int main(int argc, char **argv)
}
for (i = optind, num_links = 0; i < argc; i++, num_links++) {
string_len = strlen(argv[i]) + 1;
links[num_links] = malloc(string_len);
links[num_links] = strdup(argv[i]);
if (!links[num_links]) {
fprintf(stderr, "ERROR: malloc failed.\n");
fprintf(stderr, "ERROR: strdup failed.\n");
exit(1);
}
strcpy(links[num_links], argv[i]);
}
}


@ -1 +1 @@
3.4
3.5-rc2


@ -2400,7 +2400,7 @@ static semanage_file_context_node_t
/* Sorts file contexts from least specific to most specific.
* A bucket linked list is passed in. Upon completion,
* there is only one bucket (pointed to by master) that
* there is only one bucket (pointed to by "main") that
* contains a linked list of all the file contexts in sorted order.
* Explanation of the algorithm:
* This is a stable implementation of an iterative merge sort.
@ -2411,15 +2411,15 @@ static semanage_file_context_node_t
* Buckets are merged until there is only one bucket left,
* containing the list of file contexts, sorted.
*/
static void semanage_fc_merge_sort(semanage_file_context_bucket_t * master)
static void semanage_fc_merge_sort(semanage_file_context_bucket_t * main)
{
semanage_file_context_bucket_t *current;
semanage_file_context_bucket_t *temp;
/* Loop until master is the only bucket left.
* When we stop master contains the sorted list. */
while (master->next) {
current = master;
/* Loop until "main" is the only bucket left.
* When we stop "main" contains the sorted list. */
while (main->next) {
current = main;
/* Merge buckets two-by-two.
* If there is an odd number of buckets, the last
@ -2547,7 +2547,7 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
semanage_file_context_node_t *temp;
semanage_file_context_node_t *head;
semanage_file_context_node_t *current;
semanage_file_context_bucket_t *master;
semanage_file_context_bucket_t *main;
semanage_file_context_bucket_t *bcurrent;
i = 0;
@ -2746,9 +2746,9 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
/* Create the bucket linked list from the node linked list. */
current = head->next;
bcurrent = master = (semanage_file_context_bucket_t *)
bcurrent = main = (semanage_file_context_bucket_t *)
calloc(1, sizeof(semanage_file_context_bucket_t));
if (!master) {
if (!main) {
ERR(sh, "Failure allocating memory.");
semanage_fc_node_list_destroy(head);
return -1;
@ -2772,7 +2772,7 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
calloc(1, sizeof(semanage_file_context_bucket_t));
if (!(bcurrent->next)) {
ERR(sh, "Failure allocating memory.");
semanage_fc_bucket_list_destroy(master);
semanage_fc_bucket_list_destroy(main);
return -1;
}
@ -2781,14 +2781,14 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
}
/* Sort the bucket list. */
semanage_fc_merge_sort(master);
semanage_fc_merge_sort(main);
/* First, calculate how much space we'll need for
* the newly sorted block of data. (We don't just
* use buf_len for this because we have extracted
* comments and whitespace.) */
i = 0;
current = master->data;
current = main->data;
while (current) {
i += current->path_len + 1; /* +1 for a tab */
if (current->file_type) {
@ -2803,14 +2803,14 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
*sorted_buf = calloc(i, sizeof(char));
if (!*sorted_buf) {
ERR(sh, "Failure allocating memory.");
semanage_fc_bucket_list_destroy(master);
semanage_fc_bucket_list_destroy(main);
return -1;
}
*sorted_buf_len = i;
/* Output the sorted semanage_file_context linked list to the char buffer. */
sorted_buf_pos = *sorted_buf;
current = master->data;
current = main->data;
while (current) {
/* Output the path. */
i = current->path_len + 1; /* +1 for tab */
@ -2834,7 +2834,7 @@ int semanage_fc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
}
/* Clean up. */
semanage_fc_bucket_list_destroy(master);
semanage_fc_bucket_list_destroy(main);
/* Sanity check. */
sorted_buf_pos++;


@ -1 +1 @@
3.4
3.5-rc2


@ -1193,7 +1193,7 @@ static int __cil_cat_expr_range_to_bitmap_helper(struct cil_list_item *i1, struc
struct cil_cat *c2 = (struct cil_cat *)d2;
if (n1->flavor == CIL_CATSET || n2->flavor == CIL_CATSET) {
cil_log(CIL_ERR, "Category sets cannont be used in a category range\n");
cil_log(CIL_ERR, "Category sets cannot be used in a category range\n");
goto exit;
}


@ -778,7 +778,7 @@ int cil_resolve_classcommon(struct cil_tree_node *current, void *extra_args)
class = (struct cil_class *)class_datum;
common = (struct cil_class *)common_datum;
if (class->common != NULL) {
cil_log(CIL_ERR, "class cannot be associeated with more than one common\n");
cil_log(CIL_ERR, "class cannot be associated with more than one common\n");
rc = SEPOL_ERR;
goto exit;
}


@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
class = pdb->class_val_to_struct[i];
if (!class) continue;
name = pdb->p_class_val_to_name[i];
sepol_printf(out, "class %s", name);
if (class->comkey) {
sepol_printf(out, " inherits %s", class->comkey);
}
perms = class_or_common_perms_to_str(&class->permissions);
if (perms) {
sepol_printf(out, " { %s }", perms);
free(perms);
/* Do not write empty classes, their declaration was alreedy
* printed in write_class_decl_rules_to_conf() */
if (perms || class->comkey) {
sepol_printf(out, "class %s", name);
if (class->comkey) {
sepol_printf(out, " inherits %s", class->comkey);
}
if (perms) {
sepol_printf(out, " { %s }", perms);
free(perms);
}
sepol_printf(out, "\n");
}
sepol_printf(out, "\n");
}
exit:
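Review bot: The comment added above the new `if (perms || class->comkey)` guard misspells "already" as `alreedy`; suggested text: `/* Do not write empty classes, their declaration was already printed in write_class_decl_rules_to_conf() */`. The guard itself and moving `sepol_printf(out, "\n")` inside it look right: nothing is emitted for a class with neither permissions nor a common, and `perms` is still freed on the path that allocated it. The enclosing function continues past the hunk.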


@ -2330,7 +2330,7 @@ static int user_to_cil(int indent, struct policydb *pdb, struct avrule_block *bl
}
if (block->flags & AVRULE_OPTIONAL) {
// sensitivites in user statements in optionals do not have the
// sensitivities in user statements in optionals do not have the
// standard -1 offset
sens_offset = 0;
}


@ -776,12 +776,11 @@ static int roles_init(policydb_t * p)
rc = -ENOMEM;
goto out;
}
key = malloc(strlen(OBJECT_R) + 1);
key = strdup(OBJECT_R);
if (!key) {
rc = -ENOMEM;
goto out_free_role;
}
strcpy(key, OBJECT_R);
rc = symtab_insert(p, SYM_ROLES, key, role,
(p->policy_type ==
POLICY_MOD ? SCOPE_REQ : SCOPE_DECL), 1,


@ -770,12 +770,20 @@ bad:
* Functions to validate a kernel policydb
*/
static int validate_avtab_key(const avtab_key_t *key, int conditional, validate_t flavors[])
static int validate_avtab_key(const avtab_key_t *key, int conditional, const policydb_t *p, validate_t flavors[])
{
if (validate_value(key->source_type, &flavors[SYM_TYPES]))
goto bad;
if (validate_value(key->target_type, &flavors[SYM_TYPES]))
goto bad;
if (p->policy_type == POLICY_KERN && key->specified & AVTAB_TYPE) {
if (validate_simpletype(key->source_type, p, flavors))
goto bad;
if (validate_simpletype(key->target_type, p, flavors))
goto bad;
} else {
if (validate_value(key->source_type, &flavors[SYM_TYPES]))
goto bad;
if (validate_value(key->target_type, &flavors[SYM_TYPES]))
goto bad;
}
if (validate_value(key->target_class, &flavors[SYM_CLASSES]))
goto bad;
switch (0xFFF & key->specified) {
@ -821,7 +829,7 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
{
map_arg_t *margs = args;
if (validate_avtab_key(k, 0, margs->flavors))
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
@ -845,13 +853,13 @@ static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, const po
return 0;
}
static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, validate_t flavors[])
static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, const policydb_t *p, validate_t flavors[])
{
const struct avtab_node *avtab_ptr;
for (; cond_av; cond_av = cond_av->next) {
for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
if (validate_avtab_key(&avtab_ptr->key, 1, flavors)) {
if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) {
ERR(handle, "Invalid cond av list");
return -1;
}
@ -996,9 +1004,9 @@ static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, c
for (; cond; cond = cond->next) {
if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
goto bad;
if (validate_cond_av_list(handle, cond->true_list, flavors))
if (validate_cond_av_list(handle, cond->true_list, p, flavors))
goto bad;
if (validate_cond_av_list(handle, cond->false_list, flavors))
if (validate_cond_av_list(handle, cond->false_list, p, flavors))
goto bad;
if (validate_avrules(handle, cond->avtrue_list, 1, p, flavors))
goto bad;
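Review bot: In validate_avtab_key the new condition `p->policy_type == POLICY_KERN && key->specified & AVTAB_TYPE` relies on `&` binding tighter than `&&`; it is correct, but the existing call site further down writes the same test as `(k->specified & AVTAB_TYPE)`, so parenthesising it — `if (p->policy_type == POLICY_KERN && (key->specified & AVTAB_TYPE)) {` — reads consistently and saves the next reader a second look. A one-line comment on the new branch stating why kernel-policy type rules validate source and target with validate_simpletype rather than validate_value would also help, if the reason is that those keys must name plain types in a kernel policy — confirm before writing it. validate_avtab_key continues past the hunk.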


@ -1,9 +1,24 @@
ENV ?= env
M4 ?= m4
M4 ?= m4 -E -E
MKDIR ?= mkdir
EXE ?= libsepol-tests
CFLAGS += -g3 -gdwarf-2 -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter -Werror
CFLAGS += -g3 -gdwarf-2 -O0 \
-Werror -Wall -Wextra \
-Wfloat-equal \
-Wformat=2 \
-Winit-self \
-Wmissing-format-attribute \
-Wmissing-noreturn \
-Wmissing-prototypes \
-Wnull-dereference \
-Wpointer-arith \
-Wshadow \
-Wstrict-prototypes \
-Wundef \
-Wunused \
-Wwrite-strings \
-fno-common
# Statically link libsepol on the assumption that we are going to
# be testing internal functions.


@ -24,6 +24,7 @@
#include "test-expander.h"
#include "test-deps.h"
#include "test-downgrade.h"
#include "test-neverallow.h"
#include <CUnit/Basic.h>
#include <CUnit/Console.h>
@ -71,6 +72,7 @@ static bool do_tests(int interactive, int verbose)
DECLARE_SUITE(expander);
DECLARE_SUITE(deps);
DECLARE_SUITE(downgrade);
DECLARE_SUITE(neverallow);
if (verbose)
CU_basic_set_mode(CU_BRM_VERBOSE);


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class msg
class msgq
class shm


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -33,7 +33,7 @@ class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
# sysv-ipc-related classes
class sem
class msg
class msgq


@ -0,0 +1,298 @@
class process
class blk_file
class chr_file
class dir
class fifo_file
class file
class lnk_file
class sock_file
sid kernel
sid security
sid unlabeled
sid file
sid port
sid netif
sid netmsg
sid node
sid devnull
class process { dyntransition transition }
class file { getattr ioctl open read write }
ifdef(`enable_mls',`
sensitivity s0;
dominance { s0 }
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;
level s0:c0.c23;
mlsconstrain file { write } ( h1 dom h2 );
')
########################################
#
# Test start
#
########################################
## Test 1 (basic)
type test1_t;
allow test1_t test1_t : file { read write };
neverallow test1_t test1_t : file read;
## Test 2 (wildcard permission)
type test2_t;
allow test2_t test2_t : file { read write };
neverallow test2_t test2_t : file *;
## Test 3 (complement permission)
type test3_t;
allow test3_t test3_t : file { read write };
neverallow test3_t test3_t : file ~{ write };
## Test 4 (wildcard source)
type test4_t;
allow test4_t test4_t : file { read write };
neverallow * test4_t : file read;
## Test 5 (wildcard target)
type test5_t;
allow test5_t test5_t : file { read write };
neverallow test5_t * : file read;
## Test 6 (complement source)
type test6_1_t;
type test6_2_t;
allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : file { read write };
neverallow ~{ test6_2_t } test6_1_t : file read;
## Test 7 (complement target)
type test7_1_t;
type test7_2_t;
allow { test7_1_t test7_2_t } { test7_1_t test7_2_t } : file { read write };
neverallow test7_1_t ~{ test7_2_t } : file read;
## Test 8 (source attribute)
attribute test8_a;
type test8_t, test8_a;
allow test8_a test8_a : file read;
allow test8_t test8_t : file write;
neverallow test8_a test8_t : file { read write };
## Test 9 (target attribute)
attribute test9_a;
type test9_t, test9_a;
allow test9_a test9_a : file read;
allow test9_t test9_t : file write;
neverallow test9_t test9_a : file { read write };
## Test 10 (self)
attribute test10_a;
type test10_1_t, test10_a;
type test10_2_t;
allow { test10_1_t test10_2_t } { test10_1_t test10_2_t } : file read;
neverallow test10_a self : file *;
## Test 11 (wildcard)
type test11_t;
allow test11_t self : process *;
neverallow * * : process *;
## Test 12 (complement attributes)
attribute test12_1_a;
attribute test12_2_a;
attribute test12_3_a;
type test12_1_t, test12_1_a;
type test12_2_t, test12_2_a;
type test12_3_t, test12_3_a;
allow { test12_1_a test12_2_a test12_3_a } { test12_1_a test12_2_a test12_3_a } : file *;
neverallow ~{ test12_1_a test12_2_t } ~{ test12_3_a } : file getattr;
neverallow ~{ test12_1_a } ~{ test12_2_a test12_3_t } : file open;
## Test 13 (excludes)
attribute test13_1_a;
attribute test13_2_a;
attribute test13_3_a;
type test13_1_t, test13_1_a;
type test13_2_t, test13_2_a;
type test13_3_t, test13_3_a;
allow { test13_1_a test13_2_a test13_3_a } { test13_1_a test13_2_a test13_3_a } : file { read write };
neverallow { test13_1_a test13_2_a test13_3_a -test13_2_a -test13_3_t } { test13_1_a test13_2_a test13_3_a -test13_2_t -test13_3_a } : file read;
## Test 14 (misc avrules)
type test14_t;
auditallow test14_t test14_t : file read;
dontaudit test14_t test14_t : file write;
neverallow test14_t test14_t : file { read write };
type_transition test14_t test14_t : file test14_t;
type_transition test14_t test14_t : file test14_t "objname";
neverallow test14_t test14_t : file *; # nofail
## Test 15 (extended permissions - standard allow)
type test15_t;
allow test15_t self : file ioctl;
neverallowxperm test15_t self : file ioctl 0x1111;
## Test 16 (extended permissions - allowxperm)
type test16_t;
allow test16_t self : file ioctl;
allowxperm test16_t self : file ioctl 0x1111;
neverallowxperm test16_t self : file ioctl 0x1111;
## Test 17 (extended permissions - allowxperm mismatch)
type test17_t;
allow test17_t self : file ioctl;
allowxperm test17_t self : file ioctl 0x1111;
neverallowxperm test17_t self : file ioctl 0x2222; # nofail
## Test 18 (extended permissions - allowxperm range I)
type test18_t;
allow test18_t self : file ioctl;
allowxperm test18_t self : file ioctl { 0x1100-0x1300 };
neverallowxperm test18_t self : file ioctl 0x1111;
## Test 19 (extended permissions - allowxperm range II)
type test19_t;
allow test19_t self : file ioctl;
allowxperm test19_t self : file ioctl 0x1111;
neverallowxperm test19_t self : file ioctl { 0x1100-0x1300 };
## Test 20 (extended permissions - misc targets I)
attribute test20_a;
type test20_t, test20_a;
allow test20_a test20_a : file ioctl;
allowxperm test20_a test20_a : file ioctl 0x1111;
neverallowxperm test20_a self : file ioctl 0x1111;
## Test 21 (extended permissions - misc targets II)
attribute test21_1_a;
attribute test21_2_a;
type test21_t, test21_1_a, test21_2_a;
allow test21_1_a test21_1_a : file ioctl;
allowxperm test21_1_a test21_2_a : file ioctl 0x1111;
neverallowxperm test21_1_a self : file ioctl 0x1111;
## Test 22 (extended permissions - misc targets III)
attribute test22_a;
type test22_t, test22_a;
allow test22_a test22_a : file ioctl;
allowxperm test22_t self : file ioctl 0x1111;
neverallowxperm test22_a self : file ioctl 0x1111;
## Test 23 (extended permissions - misc targets IV)
attribute test23_a;
type test23_t, test23_a;
allow test23_a test23_a : file ioctl;
allowxperm test23_t test23_t : file ioctl 0x1111;
neverallowxperm test23_a self : file ioctl 0x1111;
## Test 24 (extended permissions - misc targets V)
attribute test24_a;
type test24_t, test24_a;
allow test24_a test24_a : file ioctl;
allowxperm test24_t test24_a : file ioctl 0x1111;
neverallowxperm test24_a self : file ioctl 0x1111;
## Test 25 (extended permissions - misc targets VI)
attribute test25_a;
type test25_t, test25_a;
allow test25_a test25_a : file ioctl;
allowxperm test25_a self : file ioctl 0x1111;
neverallowxperm test25_a self : file ioctl 0x1111;
## Test 26 (extended permissions - assert twice)
attribute test26_a;
type test26_1_t, test26_a;
type test26_2_t, test26_a;
allow test26_a test26_a : file ioctl;
allowxperm test26_a test26_a : file ioctl 0x1111;
neverallowxperm test26_1_t test26_a : file ioctl 0x1111;
########################################
#
# Test End
#
########################################
type sys_isid;
role sys_role;
role sys_role types sys_isid;
gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
sid security gen_context(sys_user:sys_role:sys_isid, s0)
sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
sid file gen_context(sys_user:sys_role:sys_isid, s0)
sid port gen_context(sys_user:sys_role:sys_isid, s0)
sid netif gen_context(sys_user:sys_role:sys_isid, s0)
sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
sid node gen_context(sys_user:sys_role:sys_isid, s0)
sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);


@ -53,7 +53,7 @@
/* this simply tests whether the passed in role only has its own
* value in its dominates ebitmap */
static void only_dominates_self(policydb_t * p, role_datum_t * role)
static void only_dominates_self(policydb_t * p __attribute__ ((unused)), role_datum_t * role)
{
ebitmap_node_t *tnode;
unsigned int i;


@ -0,0 +1,172 @@
#define _GNU_SOURCE /* vasprintf(3) */
#include "test-neverallow.h"
#include "helpers.h"
#include "test-common.h"
#include <sepol/debug.h>
#include <sepol/policydb/link.h>
#include <sepol/policydb/expand.h>
#include <stdio.h>
#include <stdarg.h>
extern int mls;
int neverallow_test_init(void)
{
return 0;
}
int neverallow_test_cleanup(void)
{
return 0;
}
static struct msg_list {
char *msg;
struct msg_list *next;
} *messages;
static void messages_clean(void)
{
while (messages) {
struct msg_list *n = messages->next;
free(messages->msg);
free(messages);
messages = n;
}
}
static void messages_check(unsigned count, const char *const expected[count])
{
unsigned i;
const struct msg_list *m = messages;
for (i = 0; i < count; i++, m = m->next) {
if (!m) {
CU_FAIL("less messages than expected");
fprintf(stderr, "\n<expected %u, got %u>\n", count, i);
return;
}
if (strcmp(expected[i], m->msg) != 0) {
CU_FAIL("messages differ from expected");
fprintf(stderr, "\n<expected: '''%s''', got: '''%s'''>\n", expected[i], m->msg);
}
}
if (m) {
CU_FAIL("more messages than expected");
fprintf(stderr, "\n<expected %u; next message: '''%s'''>\n", count, m->msg);
}
}
__attribute__ ((format(printf, 3, 4)))
static void msg_handler(void *varg __attribute__ ((unused)),
sepol_handle_t * handle __attribute__ ((unused)),
const char *fmt, ...)
{
char *msg;
va_list ap;
int r;
va_start(ap, fmt);
r = vasprintf(&msg, fmt, ap);
if (r < 0)
CU_FAIL_FATAL("oom");
va_end(ap);
struct msg_list *new = malloc(sizeof(*new));
if (!new)
CU_FAIL_FATAL("oom");
new->msg = msg;
new->next = messages;
messages = new;
}
#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*a))
static void test_neverallow_basic(void)
{
policydb_t basemod, base_expanded;
sepol_handle_t *handle;
static const char *const expected_messages[] = {
"30 neverallow failures occurred",
"neverallow on line 53 of policies/test-neverallow/policy.conf.std (or line 53 of policies/test-neverallow/policy.conf.std) violated by allow test1_t test1_t:file { read };",
"neverallow on line 60 of policies/test-neverallow/policy.conf.std (or line 60 of policies/test-neverallow/policy.conf.std) violated by allow test2_t test2_t:file { read write };",
"neverallow on line 67 of policies/test-neverallow/policy.conf.std (or line 67 of policies/test-neverallow/policy.conf.std) violated by allow test3_t test3_t:file { read };",
"neverallow on line 74 of policies/test-neverallow/policy.conf.std (or line 74 of policies/test-neverallow/policy.conf.std) violated by allow test4_t test4_t:file { read };",
"neverallow on line 81 of policies/test-neverallow/policy.conf.std (or line 81 of policies/test-neverallow/policy.conf.std) violated by allow test5_t test5_t:file { read };",
"neverallow on line 89 of policies/test-neverallow/policy.conf.std (or line 89 of policies/test-neverallow/policy.conf.std) violated by allow test6_1_t test6_1_t:file { read };",
"neverallow on line 97 of policies/test-neverallow/policy.conf.std (or line 97 of policies/test-neverallow/policy.conf.std) violated by allow test7_1_t test7_1_t:file { read };",
"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { write };",
"neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { read };",
"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { read };",
"neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { write };",
"neverallow on line 124 of policies/test-neverallow/policy.conf.std (or line 124 of policies/test-neverallow/policy.conf.std) violated by allow test10_1_t test10_1_t:file { read };",
"neverallow on line 131 of policies/test-neverallow/policy.conf.std (or line 131 of policies/test-neverallow/policy.conf.std) violated by allow test11_t test11_t:process { dyntransition transition };",
"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { getattr };",
"neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_2_t:file { getattr };",
"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { open };",
"neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_2_t test12_1_t:file { open };",
"neverallow on line 156 of policies/test-neverallow/policy.conf.std (or line 156 of policies/test-neverallow/policy.conf.std) violated by allow test13_1_t test13_1_t:file { read };",
"neverallowxperm on line 174 of policies/test-neverallow/policy.conf.std (or line 174 of policies/test-neverallow/policy.conf.std) violated by\nallow test15_t test15_t:file { ioctl };",
"neverallowxperm on line 182 of policies/test-neverallow/policy.conf.std (or line 182 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test16_t test16_t:file ioctl { 0x1111 };",
"neverallowxperm on line 198 of policies/test-neverallow/policy.conf.std (or line 198 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test18_t test18_t:file ioctl { 0x1111 };",
"neverallowxperm on line 206 of policies/test-neverallow/policy.conf.std (or line 206 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test19_t test19_t:file ioctl { 0x1111 };",
"neverallowxperm on line 216 of policies/test-neverallow/policy.conf.std (or line 216 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test20_a test20_a:file ioctl { 0x1111 };",
"neverallowxperm on line 227 of policies/test-neverallow/policy.conf.std (or line 227 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test21_1_a test21_2_a:file ioctl { 0x1111 };",
"neverallowxperm on line 237 of policies/test-neverallow/policy.conf.std (or line 237 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test22_t test22_t:file ioctl { 0x1111 };",
"neverallowxperm on line 247 of policies/test-neverallow/policy.conf.std (or line 247 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test23_t test23_t:file ioctl { 0x1111 };",
"neverallowxperm on line 257 of policies/test-neverallow/policy.conf.std (or line 257 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test24_t test24_a:file ioctl { 0x1111 };",
"neverallowxperm on line 267 of policies/test-neverallow/policy.conf.std (or line 267 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test25_t test25_t:file ioctl { 0x1111 };",
"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
"neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };",
};
if (policydb_init(&base_expanded))
CU_FAIL_FATAL("Failed to initialize policy");
if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy.conf"))
CU_FAIL_FATAL("Failed to load policy");
if (link_modules(NULL, &basemod, NULL, 0, 0))
CU_FAIL_FATAL("Failed to link base module");
if (expand_module(NULL, &basemod, &base_expanded, 0, 0))
CU_FAIL_FATAL("Failed to expand policy");
if ((handle = sepol_handle_create()) == NULL)
CU_FAIL_FATAL("Failed to initialize handle");
sepol_msg_set_callback(handle, msg_handler, NULL);
if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1)
CU_FAIL("Assertions did not trigger");
messages_check(ARRAY_SIZE(expected_messages), expected_messages);
sepol_handle_destroy(handle);
messages_clean();
policydb_destroy(&basemod);
policydb_destroy(&base_expanded);
}
int neverallow_add_tests(CU_pSuite suite)
{
/*
* neverallow rules operate only on types and are unaffected by MLS
* (avoid adjusting the messages for std and mls)
*/
if (mls)
return 0;
if (NULL == CU_add_test(suite, "neverallow_basic", test_neverallow_basic)) {
CU_cleanup_registry();
return CU_get_error();
}
return 0;
}
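Review bot: `msg_handler` links each new message at the head of `messages` (`new->next = messages; messages = new;`), so `expected_messages` in `test_neverallow_basic` is necessarily written in reverse emission order, which is presumably why the "30 neverallow failures occurred" summary sits first; nothing in the file says so, and the next person to append an expected line will likely put it at the wrong end. I would add above the `messages` declaration: `/* most-recent-first: msg_handler pushes at the head, so expected message lists are in reverse emission order */`. Separately, `ARRAY_SIZE` expands its argument unparenthesised as `sizeof(*a)`; `#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))` is the safe form. `strcmp`, `malloc` and `free` are used but `<string.h>` and `<stdlib.h>` are not among the includes shown, so the file presumably gets them through `helpers.h` or `test-common.h`; including them directly would make the unit self-contained.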


@ -0,0 +1,10 @@
#ifndef TEST_NEVERALLOW_H__
#define TEST_NEVERALLOW_H__
#include <CUnit/Basic.h>
int neverallow_test_init(void);
int neverallow_test_cleanup(void);
int neverallow_add_tests(CU_pSuite suite);
#endif /* TEST_NEVERALLOW_H__ */


@ -1 +1 @@
3.4
3.5-rc2


@ -1 +1 @@
3.4
3.5-rc2


@ -1289,7 +1289,7 @@ int main(int argc, char *argv[])
/*
* Step 5: Execute a new shell with the new context in `new_context'.
*
* Establish context, namesapce and any options for the new shell
* Establish context, namespace and any options for the new shell
*/
if (optind < 1)
optind = 1;


@ -207,6 +207,25 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
# unmount tmp bind mount before exit
umount_TMP_MOUNT() {
if [ -n "$TMP_MOUNT" ]; then
umount "${TMP_MOUNT}${m}" || exit 130
rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
fi
exit 130
}
fix_labels_on_mountpoint() {
test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
mkdir -p "${TMP_MOUNT}${m}" || exit 1
mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
umount "${TMP_MOUNT}${m}" || exit 1
rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
}
export -f fix_labels_on_mountpoint
#
# restore
# if called with -n will only check file context
@ -252,14 +271,15 @@ case "$RESTORE_MODE" in
# we bind mount so we can fix the labels of files that have already been
# mounted over
for m in `echo $FILESYSTEMSRW`; do
TMP_MOUNT="$(mktemp -d)"
test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
mkdir -p "${TMP_MOUNT}${m}" || exit 1
mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
umount "${TMP_MOUNT}${m}" || exit 1
rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
TMP_MOUNT="$(mktemp -p /run -d fixfiles.XXXXXXXXXX)"
export SETFILES VERBOSE EXCLUDEDIRS FORCEFLAG THREADS FC TMP_MOUNT m
if type unshare &> /dev/null; then
unshare -m bash -c "fix_labels_on_mountpoint $*" || exit $?
else
trap umount_TMP_MOUNT EXIT
fix_labels_on_mountpoint $*
trap EXIT
fi
done;
fi
else
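Review bot: In the `unshare` branch, `unshare -m bash -c "fix_labels_on_mountpoint $*"` expands the script's arguments into a string that the child bash re-parses, so any argument containing whitespace, quotes or glob characters is re-split or re-evaluated before it reaches `setfiles`; the fallback call `fix_labels_on_mountpoint $*` and the `$*` inside `fix_labels_on_mountpoint` have the same unquoted expansion. These arguments come from fixfiles' own command line, so this is a robustness rather than a trust-boundary problem, but a path with a space silently becomes two paths for a tool that relabels whole filesystems. The safe forms are `unshare -m bash -c 'fix_labels_on_mountpoint "$@"' fixfiles "$@" || exit $?`, `fix_labels_on_mountpoint "$@"`, and `"$@"` in place of `$*` inside the function. The `case` body edited by the second hunk starts outside the hunk.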


@ -140,6 +140,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
pc[*npc] =
(char *)malloc((buf_len) *
sizeof(char));
if (!pc[*npc])
break;
memcpy(pc[*npc], bufp, buf_len);
(*npc)++;
bufp = NULL;
@ -150,6 +152,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
fc[*nfc] =
(char *)malloc((buf_len) *
sizeof(char));
if (!fc[*nfc])
break;
memcpy(fc[*nfc], bufp, buf_len);
(*nfc)++;
bufp = NULL;
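Review bot: Both new `break`s in `load_checks` leave the read loop silently on allocation failure, so the caller receives a shorter check list with no indication that the configuration was only partly read, and `bufp` is neither copied nor reset on that path (whether it is freed afterwards is not visible here). Printing a diagnostic before leaving, e.g. `fprintf(stderr, "%s: out of memory\n", __func__);` ahead of each `break`, keeps the failure visible to whoever runs the tool; the second hunk needs the same line. `load_checks` starts and ends outside both hunks.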


@ -1 +1 @@
3.4
3.5-rc2


@ -151,7 +151,7 @@ policy_module(local, 1.0)
gen_require(`
type myapp_t;
type etc_t;
};
\[aq])
files_read_etc_files(myapp_t)
<review local.te and customize as desired>


@ -130,7 +130,7 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
# define dictionary for seobject OBEJCTS
# define dictionary for seobject OBJECTS
object_dict = {
'login': seobject.loginRecords,
'user': seobject.seluserRecords,


@ -1 +1 @@
3.4
3.5-rc2


@ -324,9 +324,9 @@ def call_interface(interface, av):
ifcall.args.append(av.obj_class)
else:
print(params[i].type)
assert(0)
assert 0
assert(len(ifcall.args) > 0)
assert len(ifcall.args) > 0
return ifcall


@ -27,7 +27,7 @@ test:
@$(PYTHON) test_sepolicy.py -v
install:
$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
$(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
(cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
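Review bot: In the new `install` recipe, `--ignore-installed --no-deps` sit inside the backticked `test -n "$(DESTDIR)"` expression, so they are only passed when `DESTDIR` is set; a plain `make install` lets pip resolve dependencies and, because the target is the source tree (`.`), build in an isolated environment that may fetch `setuptools`/`wheel` from an index, which is not what a packaging build expects. Moving `--no-deps` out of the conditional and adding `--no-build-isolation` beside it, i.e. `$(PYTHON) -m pip install --no-deps --no-build-isolation --prefix=$(PREFIX)` followed by the existing backtick expression with only `--root $(DESTDIR) --ignore-installed` inside, keeps the install offline and deterministic regardless of `DESTDIR`. The remainder of the `install` target continues past the hunk.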


@ -332,9 +332,10 @@ def manpage_work(domain, path, root, source_files, web):
from sepolicy.manpage import ManPage
m = ManPage(domain, path, root, source_files, web)
print(m.get_man_page_path())
return (m.manpage_domains, m.manpage_roles)
def manpage(args):
from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains
from sepolicy.manpage import HTMLManPages, gen_domains
path = args.path
if not args.policy and args.root != "/":
@ -347,9 +348,17 @@ def manpage(args):
else:
test_domains = args.domain
manpage_domains = set()
manpage_roles = set()
p = Pool()
async_results = []
for domain in test_domains:
p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])
async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]))
for result in async_results:
domains, roles = result.get()
manpage_domains.update(domains)
manpage_roles.update(roles)
p.close()
p.join()


@ -335,7 +335,12 @@ def _setools_rule_to_dict(rule):
pass
try:
d['boolean'] = [(str(rule.conditional), enabled)]
d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans]
except AttributeError:
pass
try:
d['conditional'] = str(rule.conditional)
except AttributeError:
pass
@ -440,29 +445,29 @@ def get_conditionals(src, dest, tclass, perm):
x['source'] in src_list and
x['target'] in dest_list and
set(perm).issubset(x[PERMS]) and
'boolean' in x,
'conditional' in x,
get_all_allow_rules()))
try:
for i in allows:
tdict.update({'source': i['source'], 'boolean': i['boolean']})
tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])})
if tdict not in tlist:
tlist.append(tdict)
tdict = {}
except KeyError:
return(tlist)
return tlist
return (tlist)
return tlist
def get_conditionals_format_text(cond):
enabled = False
for x in cond:
if x['boolean'][0][1]:
if x['conditional'][1]:
enabled = True
break
return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond))))
def get_types_from_attribute(attribute):
@ -716,9 +721,9 @@ def get_boolean_rules(setype, boolean):
boollist = []
permlist = search([ALLOW], {'source': setype})
for p in permlist:
if "boolean" in p:
if "booleans" in p:
try:
for b in p["boolean"]:
for b in p["booleans"]:
if boolean in b:
boollist.append(p)
except:
@ -1141,7 +1146,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())):
for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
for b in i:
if not isinstance(b, tuple):
continue
@ -1222,31 +1227,18 @@ def boolean_desc(boolean):
return _(booleans_dict[boolean][2])
else:
desc = boolean.split("_")
return "Allow %s to %s" % (desc[0], " ".join(desc[1:]))
return _("Allow {subject} to {rest}").format(subject=desc[0], rest=" ".join(desc[1:]))
def get_os_version():
os_version = ""
pkg_name = "selinux-policy"
system_release = ""
try:
try:
from commands import getstatusoutput
except ImportError:
from subprocess import getstatusoutput
rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
if rc == 0:
os_version = output.split(".")[-2]
except:
os_version = ""
import distro
system_release = distro.name(pretty=True)
except IOError:
system_release = "Misc"
if os_version[0:2] == "fc":
os_version = "Fedora" + os_version[2:]
elif os_version[0:2] == "el":
os_version = "RHEL" + os_version[2:]
else:
os_version = ""
return os_version
return system_release
def reinit():
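Review bot: In `get_os_version`, the `try` around `import distro` catches only `IOError`, so on a system without the `distro` package the function now raises `ImportError` where the removed code returned a fallback; `except (ImportError, IOError):` keeps the `"Misc"` fallback for the case the catch was presumably written for. Separately, `get_bools` now draws from `search([ALLOW, DONTAUDIT])`, so booleans that only toggle dontaudit rules are listed alongside those that gate access; if callers beyond this hunk present the list as what a boolean permits, that is a change in meaning worth a comment on that line, e.g. `# includes booleans that only gate dontaudit rules`. Both functions continue outside the hunks that edit them.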


@ -1346,9 +1346,9 @@ allow %s_t %s_t:%s_socket name_%s;
if len(temp_dirs) != 0:
for i in temp_dirs:
if i in self.dirs.keys():
del(self.dirs[i])
del self.dirs[i]
elif i in self.files.keys():
del(self.files[i])
del self.files[i]
else:
continue


@ -130,14 +130,13 @@ class SELinuxGui():
self.application = app
self.filter_txt = ""
builder = Gtk.Builder() # BUILDER OBJ
self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
self.code_path = sysconfig.get_path('purelib', vars={'base': "/usr"}) + "/sepolicy/"
glade_file = self.code_path + "sepolicy.glade"
builder.add_from_file(glade_file)
self.outer_notebook = builder.get_object("outer_notebook")
self.window = builder.get_object("SELinux_window")
self.main_selection_window = builder.get_object("Main_selection_menu")
self.main_selection_popover = builder.get_object("Main_selection_menu")
self.main_advanced_label = builder.get_object("main_advanced_label")
self.popup = 0
self.applications_selection_button = builder.get_object("applications_selection_button")
self.revert_button = builder.get_object("Revert_button")
self.busy_cursor = Gdk.Cursor(Gdk.CursorType.WATCH)
@ -531,7 +530,6 @@ class SELinuxGui():
dic = {
"on_combo_button_clicked": self.open_combo_menu,
"on_disable_ptrace_toggled": self.on_disable_ptrace,
"on_SELinux_window_configure_event": self.hide_combo_menu,
"on_entrycompletion_obj_match_selected": self.set_application_label,
"on_filter_changed": self.get_filter_data,
"on_save_changes_file_equiv_clicked": self.update_to_file_equiv,
@ -635,7 +633,7 @@ class SELinuxGui():
for k in self.cur_dict:
for j in self.cur_dict[k]:
if i == ctr:
del(self.cur_dict[k][j])
del self.cur_dict[k][j]
return
i += 1
@ -808,18 +806,8 @@ class SELinuxGui():
return self.help_show_page()
def open_combo_menu(self, *args):
if self.popup == 0:
self.popup = 1
location = self.window.get_position()
self.main_selection_window.move(location[0] + 2, location[1] + 65)
self.main_selection_window.show()
else:
self.main_selection_window.hide()
self.popup = 0
def hide_combo_menu(self, *args):
self.main_selection_window.hide()
self.popup = 0
self.main_selection_popover.set_relative_to(self.applications_selection_button)
self.main_selection_popover.popup()
def set_application_label(self, *args):
self.set_application_label = True
@ -860,7 +848,7 @@ class SELinuxGui():
if val is True or val is False or val is None:
continue
# Returns true if filter_txt exists within the val
if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1):
if val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1:
return True
except (AttributeError, TypeError):
pass
@ -2174,7 +2162,7 @@ class SELinuxGui():
model.set_value(iter, 0, not model.get_value(iter, 0))
active = model.get_value(iter, 0)
if name in self.cur_dict["boolean"]:
del(self.cur_dict["boolean"][name])
del self.cur_dict["boolean"][name]
else:
self.cur_dict["boolean"][name] = {"active": active}
self.new_updates()
@ -2335,7 +2323,7 @@ class SELinuxGui():
self.active_button = self.network_radio_button
def clearbuttons(self, clear=True):
self.main_selection_window.hide()
self.main_selection_popover.hide()
self.boolean_radio_button.set_visible(False)
self.files_radio_button.set_visible(False)
self.network_radio_button.set_visible(False)
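Review bot: `sysconfig.get_path('purelib', vars={'base': "/usr"})` pins the lookup to a `/usr` base, so an install under any other prefix (the Makefile's `--prefix=$(PREFIX)`) resolves `sepolicy.glade` to a path that does not exist and `builder.add_from_file` fails at startup, whereas the removed `get_python_lib` call followed the interpreter's own prefix. If `gui.py` is installed next to `sepolicy.glade`, locating the file relative to the module is more robust: `self.code_path = os.path.dirname(os.path.abspath(__file__)) + "/"`, assuming `os` is imported in this module. `self.popup = 0` also remains in `__init__` although `open_combo_menu` no longer reads it after the switch to `GtkPopover`, so it is now dead state. `__init__` begins before the hunk.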


@ -21,7 +21,7 @@
# 02111-1307 USA
#
#
__all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains']
__all__ = ['ManPage', 'HTMLManPages', 'gen_domains']
import string
import selinux
@ -147,13 +147,6 @@ def _gen_types():
def prettyprint(f, trim):
return " ".join(f[:-len(trim)].split("_"))
# for HTML man pages
manpage_domains = []
manpage_roles = []
fedora_releases = ["Fedora17", "Fedora18"]
rhel_releases = ["RHEL6", "RHEL7"]
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
@ -184,7 +177,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
Generate a HHTML Manpages on an given SELinux domains
Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@ -192,18 +185,12 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
self.new_path = self.old_path + self.os_version + "/"
if self.os_version in fedora_releases or self.os_version in rhel_releases:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
exit(1)
self.new_path = self.old_path
self.__gen_html_manpages()
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@ -221,67 +208,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
index = self.old_path + "index.html"
fd = open(index, 'w')
fd.write("""
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
<title>SELinux man pages online</title>
</head>
<body>
<h1>SELinux man pages</h1>
<br></br>
Fedora or Red Hat Enterprise Linux Man Pages.</h2>
<br></br>
<hr>
<h3>Fedora</h3>
<table><tr>
<td valign="middle">
</td>
</tr></table>
<pre>
""")
for f in fedora_releases:
fd.write("""
<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
fd.write("""
</pre>
<hr>
<h3>RHEL</h3>
<table><tr>
<td valign="middle">
</td>
</tr></table>
<pre>
""")
for r in rhel_releases:
fd.write("""
<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
fd.write("""
</pre>
""")
fd.close()
print("%s has been created" % index)
def _gen_body(self):
html = self.new_path + self.os_version + ".html"
html = self.new_path + "index.html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
<link rel=stylesheet type="text/css" href="../style.css" title="style">
<title>Linux man-pages online for Fedora18</title>
<link rel=stylesheet type="text/css" href="style.css" title="style">
<title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for Fedora18</h1>
<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
""")
""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
@ -408,6 +349,8 @@ class ManPage:
"""
modules_dict = None
enabled_str = ["Disabled", "Enabled"]
manpage_domains = []
manpage_roles = []
def __init__(self, domainname, path="/tmp", root="/", source_files=False, html=False):
self.html = html
@ -433,8 +376,7 @@ class ManPage:
self.fcdict = sepolicy.get_fcdict(self.fcpath)
if not os.path.exists(path):
os.makedirs(path)
os.makedirs(path, exist_ok=True)
self.path = path
@ -453,10 +395,10 @@ class ManPage:
if self.domainname + "_r" in self.all_roles:
self.__gen_user_man_page()
if self.html:
manpage_roles.append(self.man_page_path)
self.manpage_roles.append(self.man_page_path)
else:
if self.html:
manpage_domains.append(self.man_page_path)
self.manpage_domains.append(self.man_page_path)
self.__gen_man_page()
self.fd.close()
@ -797,7 +739,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
.br
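Review bot: `manpage_domains = []` and `manpage_roles = []` on `ManPage` are class-level lists that `self.manpage_roles.append(...)` and `self.manpage_domains.append(...)` mutate, so every `ManPage` built in the same process accumulates into the same two lists and the caller receives the running total rather than only this domain's entry; the caller's sets absorb the duplicates, but the intent is invisible at the declaration. A comment there would stop the next reader from "fixing" it into an instance attribute: `# class-level accumulators: shared by every ManPage in this process; the caller de-duplicates`. The `__init__` these lists are consumed by begins outside the hunk.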


@ -10,11 +10,8 @@
<column type="gchararray"/>
</columns>
</object>
<object class="GtkWindow" id="Main_selection_menu">
<object class="GtkPopover" id="Main_selection_menu">
<property name="can_focus">False</property>
<property name="default_width">265</property>
<property name="default_height">100</property>
<property name="decorated">False</property>
<child>
<object class="GtkBox" id="vbox2">
<property name="visible">True</property>
@ -53,7 +50,6 @@
<property name="primary_icon_stock">gtk-find</property>
<property name="primary_icon_activatable">False</property>
<property name="secondary_icon_activatable">False</property>
<signal name="activate" handler="on_SELinux_window_configure_event" swapped="no"/>
<signal name="changed" handler="on_completion_entry_changed" swapped="no"/>
</object>
<packing>
@ -306,7 +302,6 @@
</columns>
</object>
<object class="GtkEntryCompletion" id="entrycompletion_obj">
<signal name="match-selected" handler="on_SELinux_window_configure_event" swapped="no"/>
<signal name="match-selected" handler="on_completion_entry_changed" swapped="no"/>
<signal name="match-selected" handler="on_entrycompletion_obj_match_selected" swapped="no"/>
</object>
@ -1707,9 +1702,7 @@
<property name="window_position">center-always</property>
<property name="default_width">650</property>
<property name="default_height">420</property>
<signal name="configure-event" handler="on_SELinux_window_configure_event" swapped="no"/>
<signal name="delete-event" handler="on_confirmation_close" swapped="no"/>
<signal name="focus-in-event" handler="on_SELinux_window_configure_event" swapped="no"/>
<child>
<object class="GtkBox" id="vbox1">
<property name="visible">True</property>


@ -75,7 +75,7 @@ rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_buil
"""
manpage="""\
# Generate a man page off the installed module
# Generate a man page of the installed module
sepolicy manpage -p . -d DOMAINTYPE_t
"""


@ -6,7 +6,7 @@ from setuptools import setup
setup(
name="sepolicy",
version="3.4",
version="3.5-rc2",
description="Python SELinux Policy Analyses bindings",
author="Daniel Walsh",
author_email="dwalsh@redhat.com",


@ -1 +1 @@
3.4
3.5-rc2


@ -1 +1 @@
3.4
3.5-rc2


@ -111,7 +111,7 @@ def copyfile(file, srcdir, dest):
def savefile(new, orig, X_ind):
copy = False
if(X_ind):
if X_ind:
import gi
gi.require_version('Gtk', '3.0')
from gi.repository import Gtk
@ -131,9 +131,9 @@ def savefile(new, orig, X_ind):
except NameError:
pass
ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
if(re.match(_("[yY]"), ans)):
if re.match(_("[yY]"), ans):
copy = True
if(copy):
if copy:
shutil.copy2(new, orig)


@ -1 +1 @@
3.4
3.5-rc2


@ -1 +1 @@
3.4
3.5-rc2