Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"
"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Several "sepolic gui" tabs raise exceptions when using a policy without
MLS because some dictionaries describing users and logins lack level and
range properties. Use conditions and get() where appropriate in order
to make "sepolicy gui" usable again with a non-MLS policy.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In refpolicy, file_contexts.subs_dist begins with comments:
# This file can is used to configure base path aliases as in:
#
# /aliased_path /original_path_as_configured_in_file_contexts
#
The first line gets parsed in read_file_equiv even though it is not a
valid path substitution and the second line triggers an exception when
accessing f[1]:
IndexError: list index out of range
Parse substitutions only for lines which are not comment.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On a system without any file context customizations, "sepolicy gui"
fails to load because it tries to read a non-existing file:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
Once this issue is fixed, another one is triggered:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
Use try/except to catch these exceptions and use OSError/errno.ENOENT to
keep the code compatible with Python 2.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The space after "sepolicy(8)" breaks the formatting of section SEE ALSO
in man pages generated with sepolicy:
SEE ALSO
selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) , setsebool(8),
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This prevents the following exception to occur when using "sepolicy
manpage":
Traceback (most recent call last):
File "/bin/sepolicy", line 699, in <module>
args.func(args)
File "/bin/sepolicy", line 359, in manpage
m = ManPage(domain, path, args.root, args.source_files, args.web)
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 459, in __init__
self.__gen_man_page()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 548, in __gen_man_page
self._mcs_types()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 978, in _mcs_types
mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
StopIteration
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"sepolicy manpage" fails when the system does not use MLS because
using x.context.range_ raises an exception. Avoid using range and levels
when _pol.mls is False.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When "sepolicy manpage" generates descriptions for file type, it uses a
mispelled _ra_content_t suffix for prettyprinting, which results in an
unwanted double-space on the line.
For example sepolicy manpage -d httpd_t produces:
.EX
.P
.B httpd_apcupsd_cgi_ra_content_t
.EE
- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you
want to treat the files as httpd apcupsd cgi read/append content.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running "sepolicy manpage" on a system without file_contexts.local,
the command fails with:
FileNotFoundError: [Errno 2] No such file or directory:
'//etc/selinux/refpolicy/contexts/files/file_contexts.local'
Verify that the file exists before using it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Commit c624c4abaa ("sepolicy: Fix syntax errors in 'manpage -w'")
missed an occurence of print statement. While at it, fix self.os_version
test.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
SETools4 and Python 3 versions of map() and filter() uses iterators to
generates query results and these iterators can't be imply re-used. It
makes manpage and transitions operations really slow as they do lot of queries.
This patch changes it in the way that it caches results in lists for all
types, allow rules and transitions first and use cached results to
filter them using Python's filter() function.
Before:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m53.486s
user 0m53.171s
sys 0m0.054s
After:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m10.532s
user 0m10.368s
sys 0m0.114s
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
File "python/sepolicy/sepolicy/manpage.py", line 373, in _gen_css
print("%s has been created") % style_css
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
PYTHONLIBDIR is currently also used in sepolgen but has a different
behaviour regarding DESTDIR. Let's try to make this consistant.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.
Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin
After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fixes:
$ sepolicy network -d httpd_t
httpd_t: tcp name_connect
Traceback (most recent call last):
File /usr/bin/sepolicy, line 699, in <module>
args.func(args)
File /usr/bin/sepolicy, line 319, in network
_print_net(d, tcp, name_connect)
File /usr/bin/sepolicy, line 276, in _print_net
port_strings.sort(numcmp)
TypeError: must use keyword argument for key function
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
File "/usr/bin/sepolicy", line 699, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 508, in interface
print_interfaces(args.interfaces, args)
File "/usr/bin/sepolicy", line 492, in print_interfaces
interface_compile_test(i)
File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 226, in interface_compile_test
fd.write(generate_compile_te(interface, idict))
File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 184, in generate_compile_te
from templates import test_module
ModuleNotFoundError: No module named 'templates'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces
in indentation what makes python3.6 unhappy.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Fixes:
$ sepolicy manpage -a
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 699, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 359, in manpage
m = ManPage(domain, path, args.root, args.source_files, args.web)
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
self.__gen_man_page()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 495, in __gen_man_page
self._entrypoints()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 903, in _entrypoints
if len(entrypoints) > 1:
TypeError: object of type 'map' has no len()
$ sepolicy manpage -a
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 699, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 359, in manpage
m = ManPage(domain, path, args.root, args.source_files, args.web)
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
self.__gen_man_page()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 497, in __gen_man_page
self._mcs_types()
File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 927, in _mcs_types
attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
TypeError: 'generator' object is not subscriptable
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This fixes a problem introduced in 18410c86 where ruletype is specified
as a string not a list.
Fixes:
>>> sepolicy.get_all_role_allows()
Traceback (most recent call last):
File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup
return cls(value)
File "/usr/lib64/python3.6/enum.py", line 291, in __call__
return cls.__new__(cls, value)
File "/usr/lib64/python3.6/enum.py", line 533, in __new__
return cls._missing_(value)
File "/usr/lib64/python3.6/enum.py", line 546, in _missing_
raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 'a' is not a valid RBACRuletype
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort
return cmp(val1, val2)
NameError: name 'cmp' is not defined
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes python3 problem:
>>> print("Failed to retrieve rpm info for %s") % package
Failed to retrieve rpm info for %s
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
map() and filter() changed their return values from list to iterators in
Python 3. This change drops filter() and map() from gui.py to make it
work on Python 2 and 3
Fixes:
Traceback (most recent call last):
File "/bin/sepolicy", line 700, in <module>
args.func(args)
File "/bin/sepolicy", line 326, in gui_run
sepolicy.gui.SELinuxGui(args.domain, args.test)
File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 238, in __init__
if self.populate_system_policy() < 2:
File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 835, in populate_system_policy
types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
TypeError: 'map' object is not subscriptable
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
semodule in policycoreutils-2.4 changed the list format. With this
patch, org.selinux.semodule_list uses 'semodule --list=full' and the
code using this was adapted to the new format.
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309
Fixes:
File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 670, in lockdown_init
self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
KeyError: 'unconfined'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
(sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
A backslash-character pair that is not a valid escape sequence now
generates a DeprecationWarning. Although this will eventually become a
SyntaxError, that will not be for several Python releases.
The problem appears when you use '-W error':
$ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")'
File "<string>", line 1
SyntaxError: invalid escape sequence \-
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
[ Edited commit message as per suggestion from Petr Lautrbach ]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
HTMLManPages got domain name by splitting name of selinux manpage
on "_selinux" which doesn't work properly when domain name contains
"_selinux".
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Strip the following characters
\x1c File Separator
\x1d Group Separator
\x1e Record Separator
\x85 Next Line (C1 Control Code)
from audit message fields to make sure they are not evaluated
as part of some identifier (eg. ausearch used insert \x1d into
--raw output resulting in "unrecognized class" error messages).
This is done as part of str.split() in python3.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1406328
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.
While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
selinux.security_getenforce() triggers an exception when running tests
on systems without SELinux. In order to skip tests which need SELinux in
enforcing mode, test selinux.is_selinux_enabled() too, like commit
945bc8853b ("sandbox: make test not fail on systems without SELinux").
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Fix missing and surplus commas. Fix the following formatting errors:
.BR selinux(8)
renders the the "(8)" in bold as well as the "selinux". This is wrong.
.B selinux
(8)
renders with a space between "selinux" and "(8)", this is wrong.
.B selinux (8)
commits both of the above mistakes.
.BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
.BR selinux (8),
.BR apparmor (8)
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.
Speed up gui loading.
Some minor bug fixes.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
sepolicy.get_init_entrypoint() now returns list of Type objects
instead of single string, which caused sepolicy gui to crash.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
To resolve the error, handle the OSError exception, but retain the
previous query operation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427
Signed-off-by: Kyle Walker <kwalker@redhat.com>
Missing argument checks for "fcontext" and "boolean" were performed
outside of "argparse", resulting in shortened help message (without
argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other
semanage options.
Some "required argument" check were performed outside of "handle_opts"
obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the
checks from handle{Fcontext Boolean}.
Remove unpaired parentheses from "semanage fcontext" usage message.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Python code is not platform specific and resides always in
lib (as opposed to lib64 on x64 architectures).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Teach audit2why to recognize type bounds failures. This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.
This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel. However, it
is unclear if this is needed. It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).
Before:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
After:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Typebounds violation.
Add an allow rule for the parent type.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Radiobutton was always set to "Permissive" and couldn't be switched.
Update radiobutton together with status text in bottom left corner.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
