util.py starts by importing "locale" and "sys", so there is no need to
import these modules again in the functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:
File "./python/semanage/seobject.py", line 143
except OSError, ImportError:
^
SyntaxError: invalid syntax
The correct syntax consists in using parentheses.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Test if audit module is enabled so that logger class is defined
correctly.
Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.
AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.
Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.
With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In access module, in AccessVector.__init__() method, when init_list is
not None, the access vector is initialized by from_list() method.
However, this method does not assign attributes self.audit_msgs,
self.type, and self.data. Fix this by assigning these attributes in
__init__() method.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In refpolicy module, in AVRule.__rule_type_str() method, self.rule_type
was not checked for value self.NEVERALLOW so that string "neverallow"
was never returned. Fix this by checking all four possible values and
returning correct strings.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
self.store is always a string (actual store name or "") because of
semanageRecords.__init__. Fix check for not defined store.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This allows sepolgen to generate policy from AVC messages that contain
contexts translated by mcstrans.
Fixes:
\# echo "type=USER_AVC msg=audit(1468415802.940:2199604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:SystemLow-SystemHigh tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'" | audit2allow
libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:system_r:systemd_logind_t:SystemLow-SystemHigh to sid
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
in class policy, ports is usually initialized with the result of
get_all_ports(), which is a dict. If this function failed, the error was
not fatal but ports was left initialized as a list, which would trigger
other errors when accessing it.
Initialize ports as an empty dict in order to fix this issue.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When using sepolgen GUI on a system with a non-MLS policy,
sepolicy.info(sepolicy.PORT) does not define "range" attributes (since
commit 908340e8e7 ("sepolicy: support non-MLS policy in manpage")).
Replace them with None in get_all_ports() result.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When a translated string takes parameters with %, the % and the
parameters need to be after the call to the underline function in order
to work properly.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
It was removed from Python 3
Fixes:
File "polgengui.py", line 390, in forward
self.generate_policy()
File "polgengui.py", line 491, in generate_policy
my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1)
File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py", line 468, in set_use_syslog
if not isinstance(val, types.BooleanType):
AttributeError: module 'types' has no attribute 'BooleanType'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
map() returns an iterator in python3, list in python2
Fixes:
File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users
users.remove("system_u")
AttributeError: 'map' object has no attribute 'remove'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
moduleRecords.modify() calls nonexistent function
semanage_module_update_file (maybe it should have been
semanage_module_upgrade_file which is now obsolete and calls
semanage_module_install_file) and the job of updating a module is done
by moduleRecords.add().
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Commit 985753f changed behavior of seobject class constructors. While
semanage itself was fixed, there are other tools like
system-config-selinux and chcat which depend on the original behavior.
This change make the constructors backward compatible.
Fixes: $ system-config-selinux
Traceback (most recent call last):
File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in <module>
app = childWindow()
File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__
self.add_page(booleansPage.booleansPage(xml))
File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__
self.load(self.filter)
File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load
self.booleans = seobject.booleanRecords()
TypeError: __init__() missing 1 required positional argument: 'args'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Arguments generate and gui was mixed together and information didn't make sense. This fix split gui and generate sections.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
Update Infiniband "port" and "key" listing and export to work on
python3.
{}.keys() does not support .sort() operation on Py3.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Replace nonexistent switch "-x" by "-z" (entry name).
Fix invalid index (the dictionary key is a 2-tuple).
Add MLS/MCS range (present in all entries).
Fixes:
#semanage ibendport -E
File "/usr/sbin/semanage", line 1049, in <module>
do_parser()
File "/usr/sbin/semanage", line 1028, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 605, in handleIbendport
for i in OBJECT.customized():
File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 1806, in customized
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
IndexError: tuple index out of range
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
We want to call semanage_set_reload() only if -N option is used.
Fixes:
$ sudo umount /sys/fs/selinux
$ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
In order to do that we need to propagate args into seobject objects and
use args.store to get a store name.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"
"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Several "sepolic gui" tabs raise exceptions when using a policy without
MLS because some dictionaries describing users and logins lack level and
range properties. Use conditions and get() where appropriate in order
to make "sepolicy gui" usable again with a non-MLS policy.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In refpolicy, file_contexts.subs_dist begins with comments:
# This file can is used to configure base path aliases as in:
#
# /aliased_path /original_path_as_configured_in_file_contexts
#
The first line gets parsed in read_file_equiv even though it is not a
valid path substitution and the second line triggers an exception when
accessing f[1]:
IndexError: list index out of range
Parse substitutions only for lines which are not comment.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On a system without any file context customizations, "sepolicy gui"
fails to load because it tries to read a non-existing file:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
Once this issue is fixed, another one is triggered:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
Use try/except to catch these exceptions and use OSError/errno.ENOENT to
keep the code compatible with Python 2.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The space after "sepolicy(8)" breaks the formatting of section SEE ALSO
in man pages generated with sepolicy:
SEE ALSO
selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) , setsebool(8),
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This prevents the following exception to occur when using "sepolicy
manpage":
Traceback (most recent call last):
File "/bin/sepolicy", line 699, in <module>
args.func(args)
File "/bin/sepolicy", line 359, in manpage
m = ManPage(domain, path, args.root, args.source_files, args.web)
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 459, in __init__
self.__gen_man_page()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 548, in __gen_man_page
self._mcs_types()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 978, in _mcs_types
mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
StopIteration
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"sepolicy manpage" fails when the system does not use MLS because
using x.context.range_ raises an exception. Avoid using range and levels
when _pol.mls is False.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When "sepolicy manpage" generates descriptions for file type, it uses a
mispelled _ra_content_t suffix for prettyprinting, which results in an
unwanted double-space on the line.
For example sepolicy manpage -d httpd_t produces:
.EX
.P
.B httpd_apcupsd_cgi_ra_content_t
.EE
- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you
want to treat the files as httpd apcupsd cgi read/append content.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running "sepolicy manpage" on a system without file_contexts.local,
the command fails with:
FileNotFoundError: [Errno 2] No such file or directory:
'//etc/selinux/refpolicy/contexts/files/file_contexts.local'
Verify that the file exists before using it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Commit c624c4abaa ("sepolicy: Fix syntax errors in 'manpage -w'")
missed an occurence of print statement. While at it, fix self.os_version
test.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
SETools4 and Python 3 versions of map() and filter() uses iterators to
generates query results and these iterators can't be imply re-used. It
makes manpage and transitions operations really slow as they do lot of queries.
This patch changes it in the way that it caches results in lists for all
types, allow rules and transitions first and use cached results to
filter them using Python's filter() function.
Before:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m53.486s
user 0m53.171s
sys 0m0.054s
After:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m10.532s
user 0m10.368s
sys 0m0.114s
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
File "python/sepolicy/sepolicy/manpage.py", line 373, in _gen_css
print("%s has been created") % style_css
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
