If the user is root, tmpdir is already wiped out.
Fixes:
# sandbox -T /root/tmp -- id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
self.export_config(filename)
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Commit bc26ddc59c ("libsepol/cil: Limit the amount of reporting for
context rule conflicts") reworked the processing of context rule
conflicts to limit the number of written conflicting statements to
increase readability of the printed error message. It forgot to set the
return value, signaling a context conflict, in the case the logging
level is higher than warning (e.g. in semodule(8), which defaults to
error).
Reported-by: Milos Malik <mmalik@redhat.com> [1]
Fixes: bc26ddc59c ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Support passing an optional object name to compute_create for name
based type transitions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
This change will allow a user to set the location of their
sysconfdir, defaulted to /etc, if they are installing into
nonstandard locations.
Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Some time ago pandoc started shipping a default css file for html, while
that is nice, it limits the max-width of the body element to 36em. We
have a lot of tables, code examples, etc... in the manual that are too
big for that, requiring constant scrolling.
See https://github.com/jgm/pandoc/blob/master/data/templates/styles.html
for the default used.
While some styling, perhaps even dark/light mode support in the CSS
would be nice, I didn't manage to find a simple way to achieve this, so
for now just disable the CSS.
Expand the arguments for pandoc in the Makefile for better readability.
Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
It appears that a recent version of pandoc (or the library it uses)
changed where the lists are found in the XML or became more strict.
Move the lists to the right location in the document.
Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
Function `class_perm_node_init()` is called with `dest_perms` before it
is checked that its allocation succeeded. If the allocation fails, then
a NULL pointer is passed to `memset()` inside the
`class_perm_node_init()` function.
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
CIL Reference Guide defines typetransition rule with double quotes
around object name, but those are not present in the format string.
This patch fixes this issue, so the CIL output produced by
sepol_kernel_policydb_to_cil() is in the correct format.
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang 15 starts to complain about non strict function definitions:
user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int start() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang 15 starts to complain about non strict function definitions:
policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int define_devicetree_context()
^
void
policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int define_ipv4_node_context()
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
Refactor the ebitmap conversions in link.c into its own function.
Do not log an OOM message twice on type_set_or_convert() failure.
Drop the now unused state parameter from type_set_or_convert() and
type_set_convert().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Validate that
- each constraint has at least one expression
- classes reference a valid common class identifier
- the role flavor is either ROLE or ATTRIB
- types reference a valid primary identifier
- types refer to a raw type, not an attribute, as bounds
- extended permissions in avtabs have a valid specifier
- type av rules refer to a raw type (e.g. type_transition)
- conditionals have at least one expression
- the state and flags of conditionals are valid
- filename transitions have at least one datum
- low ports are not bigger than high ones in port ocontexts
- genfs declarations refer to a valid class identifier
- genfs declarations contains a filesystem name
- filename transitions refer to a raw type
- permissive types are raw ones
- the range transition hashmap is valid
- the type-attribute-maps are valid
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Do not use `bool` as a parameter name, for future C version support.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The actual policy should not be modified during validation, thus use
const pointers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.
Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Most global functions operating on a policy database use policydb as
prefix.
Since this function is not exported there should not be any external
use.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The three members of struct ebitmap_node are all unconditionally
initialized. Hinder compilers to optimize malloc() and memset() into
calloc(), which might be slightly slower. Especially affects
ebitmap_or().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Especially in the case of __cil_permissionx_expr_range_to_bitmap_helper()
it substitutes hundreds of thousand of calls to ebitmap_set_bit() during
semodule(8) on a policy widely using extended permissions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Preparation for several ebitmap related optimizations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Include policydb header file required for typedef policydb_t.
This is for example helpful when working with an IDE, which needs to
resolve those symbols.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.
Also drop the unnecessary forward declaration of `struct policydb`.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When the O_PATH emulation fails due to getxattr(2)/setxattr(2) failing
with ENOENT, e.g. because no procfs being available, override the errno
value to EBADF. This avoids confusion to the caller as it would suggest
the target of the operation does not exist, which is not the case:
setfiles: Could not set context for /: No such file or directory
Fixes: a782abf2 ("libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Do not modify the in memory default_range value of a class datum while
writing a policy.
While on it fix indentation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
A request is denied with SEPOL_COMPUTEAV_RBAC if the source role is not
allowed to transition to the target role, granted via a
allow source_role target_role;
statement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Runners on https://circleci.com/ use a custom version of Python without
Debian-specific patches which added option --install-layout=deb. This
leads to the following error:
error: option --install-layout not recognized
Fix this by creating a new environment variable dedicated to detect
CircleCI platform.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
clang's static analyzer reports that s[0] can be uninitialized when used
in:
sprintf(tmp_buf, "%s %s\n",
xcontext ? "Validatetrans" : "Constraint",
s[0] ? "GRANTED" : "DENIED");
Silence this false-positive issue by making s always initialized.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
The parameter `reason` of `context_struct_compute_av()` is optional and
can be passed in as NULL, like from `type_attribute_bounds_av()`.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The variable `curcon` is NULL in case the file has no current security
context. Most C standard libraries handle it fine, avoid it nonetheless
for standard conformance.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.
Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).
Fixes:
# LANG is set to any "unsupported" language, e.g. en_US.UTF-8
$ chcat --help
Traceback (most recent call last):
File "/usr/bin/chcat", line 39, in <module>
t = gettext.translation(PROGNAME,
File "/usr/lib64/python3.9/gettext.py", line 592, in translation
raise FileNotFoundError(ENOENT,
FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
