chcat_add() defines variable cmd twice before calling
subprocess.check_call(cmd, ...). Remove the first definition.
This bug was found using lgtm.com analyzer:
eac5e661ca/files/python/chcat/chcat (L118)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched python3
- Users with python 2 only can still use:
$ make PYTHON=/usr/bin/python ....
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Previous code traceback-ed when one of the mentioned option was used without
any argument as this state was not handled by the argument parser.
action='store' stores arguments as a list while the original
action='store_const' used str therefore it's needed to convert list to str
before it's sent to moduleRecords class.
Fixes:
^_^ semanage module -a
Traceback (most recent call last):
File "/usr/sbin/semanage", line 963, in <module>
do_parser()
File "/usr/sbin/semanage", line 942, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 608, in handleModule
OBJECT.add(args.module_name, args.priority)
File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add
if not os.path.exists(file):
File "/usr/lib64/python3.7/genericpath.py", line 19, in exists
os.stat(path)
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
seobject.py is not supposed to be used as entrypoint therefore the shebang is
unnecessary. It also doesn't need execute bits.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
setools 4.2.0 dropped support for Python 2. On systems where
/usr/bin/python is Python 2, several tools are now broken because of
this. Update the shebang of these tools to /usr/bin/python3.
For future reference, as semanage/seobject.py, sepolicy and sepolgen
import setools, every program that uses one of these modules need to be
run with Python 3. The following programs do not use any of these
modules so their shebangs have not been modified:
dbus/selinux_server.py
libsemanage/utils/semanage_migrate_store
mcstrans/share/util/mlscolor-test
mcstrans/share/util/mlstrans-test
sandbox/start
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The files in sepolicy's module directory are not supposed to used as
executable files. The shebang line is therefore not needed.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This method prints a usage message including the message to the standard error
and terminates the program with a status code of 2.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).
Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).
Fixes:
# dnf install selinux-policy-mls
# cat > mypolicy.cil
(boolean xyz false)
# semodule -i mypolicy.cil -s mls
# semanage boolean -l -S mls
...
irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans.
OSError: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
modify_button_clicked() used variable "type" in a comparison instead of
"ftype". This is a bug, which has been found with flake8 3.7.0. This
linter reported:
python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type'
{0} referenced before assignment
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Flake8 3.7.0 added a new fatal error message when parsing Python files:
python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
...
python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals
Fix all these warnings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Flake8 3.7.0 warns about lines that are over-indented, i.e. lines that
are indented with more than 4 spaces:
python/sepolgen/src/sepolgen/refparser.py:1047:26: E117 over-indented
python/sepolgen/src/sepolgen/yacc.py:2569:21: E117 over-indented
python/sepolicy/sepolicy/interface.py:196:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:198:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:215:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:217:13: E117 over-indented
python/sepolicy/sepolicy/manpage.py:172:13: E117 over-indented
python/sepolicy/sepolicy/manpage.py:174:13: E117 over-indented
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using "sepolicy gui" sometimes leads to an exception when entering the
Files tab:
Traceback (most recent call last):
File "python/sepolicy/sepolicy/gui.py", line 1345, in tab_change
self.show_mislabeled_files_only.set_visible(self.mislabeled_files)
AttributeError: 'SELinuxGui' object has no attribute 'mislabeled_files'
Indeed, when application_selected() calls show_applications_page(), this
function calls tab_change(), which can use mislabeled_files in this
line:
self.show_mislabeled_files_only.set_visible(self.mislabeled_files)
Make sure that mislabeled_files is initialized by defining it in
__init__(), in order to fix this error. Its value will be properly set
later, by calling several initializers, which is why the original
assignment to False is kept in:
self.mislabeled_files = False
self.executable_files_initialize(app)
self.network_initialize(app)
self.writable_files_initialize(app)
self.transitions_into_initialize(app)
self.transitions_from_initialize(app)
self.application_files_initialize(app)
self.transitions_files_initialize(app)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running "make install-headers" on refpolicy,
/usr/share/selinux/refpolicy/Makefile does not exist but
/usr/share/selinux/refpolicy/include/Makefile does. Use it when
available.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Introduce option --attr-helper to sepolgen-ifgen to make it possible to
override /usr/bin/sepolgen-ifgen-attr-helper and use it in the testuite
in order to test the helper which has been compiled from the project
instead of the one installed on the system.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
audit2allow testsuite requires a system which uses SELinux with a MLS
policy. This is a lot to ask for a continuous integretation system.
Thankfully this can be worked around by using option -p to run the tools
with a specific configuration. Doing this, the testsuite can even be run
on a system without SELinux.
This approach requires building a custom policy for parsing test.log.
Add a minimal policy written in CIL for this need.
While at it:
* Do not invoke "sudo sepolgen-ifgen" but produce a file in a writable
directory (instead of /var/lib/sepolgen/interface_info)
* Use sys.executable instead of 'python', in order to really test
python3 and python2 when calling the test script with one of these
interpreters.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Importing modules inside functions is quite uncommon in Python. This is
nevertheless required with sepolicy because it loads the current SELinux
policy when it is imported (and raises ValueError when this fails).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Importing sepolicy as non-root on a system with SELinux causes the
following exception to be raised:
ValueError: No SELinux Policy installed
Ignore this when using audit2why, which allows using it with option
--policy as a non-root user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:
.../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
<_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
encoding='UTF-8'>
Fix this by properly closing the file in PathChooser.__init__().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The sorting order seems to be fragile because '100' < '99', so the policy
filename needs to be parsed in order to extract the version as an integer and
sort according to it.
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.
With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.
Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Fixes:
$ sudo semanage
Traceback (most recent call last):
File "/usr/sbin/semanage", line 28, in <module>
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
class portRecords(semanageRecords):
File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
return ({
File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'
https://github.com/SELinuxProject/selinux/issues/81
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
PLY (Python Lex-Yacc) 3.11 has been released in February 2018:
- http://www.dabeaz.com/ply/index.html
- https://github.com/dabeaz/ply/releases/tag/3.11
Copy lex.py and yacc.py from this new release.
This fixes the following warning from "make test":
python run-tests.py
../src/./sepolgen/lex.py:634: DeprecationWarning: Using or importing
the ABCs from 'collections' instead of from 'collections.abc' is
deprecated, and in 3.8 it will stop working
if isinstance(t, collections.Callable):
(Python 3.3 moved collections.Callable to collections.abc.Callable)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2
Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When MLS is disabled, "semanage export" shows records such as:
login -a -s sysadm_u -r 'None' me
Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
vagrant unconfined_u s0-s0:c0.c1023 *
Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:
vagrant unconfined_u s0-s0:c0.c1023,c42 *
This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.
Fix this issue by splitting the list of categories before calling
expandCats().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
flake8 reports many warnings for chcat:
chcat:7:1: E265 block comment should start with '# '
chcat:29:1: F401 'string' imported but unused
chcat:44:1: E722 do not use bare 'except'
chcat:104:9: F841 local variable 'e' is assigned to but never used
chcat:144:9: F841 local variable 'e' is assigned to but never used
chcat:186:9: F841 local variable 'e' is assigned to but never used
chcat:234:9: F841 local variable 'e' is assigned to but never used
chcat:262:9: F841 local variable 'e' is assigned to but never used
chcat:281:5: F841 local variable 'e' is assigned to but never used
chcat:385:9: E722 do not use bare 'except'
chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
chcat:436:5: F841 local variable 'e' is assigned to but never used
Fix all of them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.
Fixes e.g.:
\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 458, in transition
mytrans = setrans(args.source, args.target)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
self._process(self.source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
trans = _get_trans(source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
Resolves:
\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined
\# seinfo -tsvirt_sandbox_file_t -x
TypeName container_file_t
Aliases
svirt_sandbox_file_t
svirt_lxc_file_t
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
