Also change audit2why to look at the loaded policy rather then searching on disk for
the policy file. It is more likely that you are examining the running policy.
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.
See also http://marc.info/?l=selinux&m=136518126930710&w=2
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When calling "sepolicy transition", a KeyError exception occurred:
~# sepolicy transition -s sysadm_t -t portage_t
Traceback (most recent call last):
File "/usr/bin/sepolicy-2.7", line 465, in <module>
args.func(args)
File "/usr/bin/sepolicy-2.7", line 309, in transition
mytrans.output()
File "/usr/lib64/python2.7/site-packages/sepolicy/transition.py", line 76, in output
print self.out(self.source)
File "/usr/lib64/python2.7/site-packages/sepolicy/transition.py", line 72, in out
buf+= self.out(x, seen, "%s%s ... " % (header, name))
File "/usr/lib64/python2.7/site-packages/sepolicy/transition.py", line 67, in out
for t in self.sdict[name]["map"]:
KeyError: 'map'
By updating the code to first check if the "map" key is known to the dictionary
(and only then executing the mentioned code) this error is no longer prevalent:
~# sepolicy transition -s sysadm_t -t portage_t
sysadm_t @ portage_exec_t --> portage_t
sysadm_t ... dhcpc_t ... initrc_t ... puppet_t @ portage_exec_t --> portage_t
sysadm_t ... dhcpc_t ... initrc_t ... puppet_t ... portage_fetch_t @ portage_exec_t --> portage_t
sysadm_t ... dhcpc_t ... initrc_t ... crond_t @ portage_exec_t --> portage_t
sysadm_t ... dhcpc_t ... initrc_t ... crond_t ... system_cronjob_t @ portage_exec_t --> portage_t
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The code did:
len = strlen(string);
new_string = malloc(len);
strncpy(new_string, string, len - 1)
Which is perfectly legal, but it pissed off coverity because 99/100
times if you do new_string = malloc(strlen(string)) you are doing it
wrong (you didn't leave room for the nul). I rewrote that area to just
use strdup and then to blank out the last character with a nul. It's
clear what's going on and nothing looks 'tricky'. It does cost us 1
byte of heap allocation. I think we can live with that to have safer
looking string handling code.
Signed-off-by: Eric Paris <eparis@redhat.com>
setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Turn verbose on for full relabel
Add check to see if / has a label, if not then force a full relabel.
Add ability to record OPTIONS into the the /.autorelabel file.
fixfiles -F onboot
writes out /.autorelabel with -F
fixfiles -B onboot
writes on /autorelaebl with -N BOOTDATE recorded.
The goal is to allow boot up sequence that sees /.autorelabel to hand any
options store in it, to fixfiles restore
OPTIONS=`cat /.autorelabel`
fixfiles $OPTIONS restore
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
data file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
/etc/mtab points to /proc/mounts in modern systems. Remove the entry to
try to update its label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds support for displaying SELinux context information in
colors defined by mcstrans(8)/secolor.conf(5). The new behavior is
enabled through the use of the "-C/--color" option and requires the
"-P" option also be specified.
The reason for this addition is that in some situations, notably MLS,
users find it helpful to add SELinux context information to their prompt:
# example taken from the RHEL6 CC certification bash scripts
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lP 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
With the added functionality provided by this patch we can also display
the associated color information (note the addition of the "C" option):
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lPC 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
Note that in the example above only the MLS range is colored, but the
patch does provide support for all of the color information provided
by mcstransd/secolor.conf (user,role,type,range).
Finally, one quick word on the colors themselves; the secolor.conf
configuration file allows 32-bit colors but the ANSI color coding only
allows 8-bit colors so the colors displayed by secon using the "-C"
option will be a bit lossy.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should be able to make changed to /etc/selinux/config without using lokkit
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We only need the sepolgen python module if we are setting up permissive
types. As this has been removed from the core code in Fedora/RHEL we
include a better user error message pointing them how to find the
required module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If there are entries in /etc/selinux/[POLICY]/logins they should be
included in the semange login -l output. So do so!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If a user requested a label be reset but no default label is specified,
give a useful error message. Do not print the message if this is a
recursive restore, and that is very common.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The man page shows --role as an option, but the real option is --roles.
Fix the man page.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a new sandbox option to run /usr/bin/shred on all files in the temp
directories before they are deleted.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since /tmp and /var/tmp get mounted over each other in sandbox we should
take the data from both.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should check that a type is a valid before assigning it with
semanage. Aka we should just that a type is a port type before assigning it
to a port, or a valid user type before assigning it to a user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
update-po is a mechanism for sucking the latest english translations
out of the source code, but it ALWAYS updates all of the po files with things
like the last time the update-po was run even if there are no changes. This
results in having to do git checkins any time you run make at the top level.
Since so few people interact with the Translators I believe this should
be done on demand when they think it is time to get new translations.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch started with work from John Reiser patch to estimate the
percent progress for restorecon/setfiles.
It has a lot of changes since then, to make it only happen on full
relabel, overwrite itself, shows 10ths of %, and does a lot better and
more useful job of estimation. We get all of the inodes on all mounted
FS. Since the number of inodes is not fixed and only an estimate I added
5% to the inode number, and forced the number to never go over 100.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
selinux.tbl is a Fedora translation file that doesn't make sense in
policycoreutils. Until we figure out how to deal with it, I'm not going
to push it. But I accidentally included it in the update-po make
target. Remove it from the make target.
Signed-off-by: Eric Paris <eparis@redhat.com>
It dynamically creates the policycoreutils "genhomedircon"
script during the build process in order not to hard-code
the full path to the semodule executable, as in general the
latter could reside in non-standard SBINDIR/USRSBINDIR
locations.
It might not be very stylish or it might appear cumbersome,
but at least the script should not break as easily as the
current static one.
The patch also edits the Makefile for the scripts so that
LOCALEDIR correctly uses $(PREFIX) rather than an absolute
path.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Ship a restorecond.conf file that relabels all mount runtime files under /etc and
not just /etc/mtab.
Mount also uses /etc/mtab~[0-9]{0,20} lock files (the number corresponds to the
PID) and the /etc/mtab.tmp temporary file.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
A patch is also available for the reference policy to fix this issue.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Fix fcontextRecords() in policycoreutils/semanage/seobject.py so
that semanage does not produce an error in fcontext mode when
the file_contexts.subs_dist file contains comments (prefixed by #).
Properly skip blank lines.
Treat both white space and tab as valid separators for the above
mentioned policy configuration file (v2). Minimum number of
changes (v2bis).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Eric Paris <eparis@redhat.com>
If one were to use multiple options such as both -P and -N we would have
problems. The issue is that for some reason instead of looking at
optind (the first non-option) we were looking at argc-optind. These
happen to be the same if there are 0 or 1 options, but doesn't work with
more than 1 option.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Just cosmetic. Make them all line up the same way in case anyone ever
looks at the code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This makes semodule consistent with other commands to no reload the
policy into the kernel after the given change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix setsebool to use -N to not reload policy into the kernel optional on
permanant changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
add some definition to the standard types available for sandboxes so
users have a way to know about them and what they are intended to be
used for.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add -N, --noreload option to semanage to prevent reloading policy into
the kernel after a change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fcontext customized was not returning the customized equivalency records. This
patches fixes this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Future systems will not support html in a pygtk window as webkit is
going away. I decided to add the full set of gui tools and then remove
the one I don't want to support just in case someone wants to resurrect
this at some point.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We added new gui programs, but not Makefiles to build/install them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
These are the python files that make up the system-config-selinux gui, used to implement
most of the functionality of the semanage command line plus some configuration.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
A number of packages have a systemd subpackage. Look for those when
doing the file list of a package to generate its policy.
Signed-off-by: Eric Paris <eparis@redhat.com>
These are the tools that the Fedora team uses to build new policy. sepolgen is a
console app that will take an executable and generate policy based on the RPM
specification and using nm -D to analyze the application.
We have found it very useful for generating quick policy to get the policy writer
working quickly.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Stop printing stuff on stderr when building the po translations. (I'd
leave it alone if I knew how to put it on stdout)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The Fedora community has been working to translate a number of messages.
Commit those to the tree so all SELinux users can enjoy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
.tx is the transifex configuration directory which is used to pull the
latest translations from the transifex web site.
Signed-off-by: Eric Paris <eparis@redhat.com>
Fix --enable and --disable for modules to only work under -m options.
Without this patch you couldn't do -m and --enable. We want that to
work.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
process_one_realpath returns 1 if it changed the context of the file but
process_glob treats all non-zero values as errors. This results in
setfiles exiting with non-zero status even though it was successful.
Fix process_glob to only treat negative return values of
process_one_realpath as errors.
cf. http://bugs.debian.org/662990
Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
restorecon should return 0 when a file has changed context with no
error. With the last version it's returning 1.
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662990
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
file_name trans should be good enough to handle this now, so why launch
it for every user?
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically this change stops sysloging if the change did not actually
happen.
By default we do not modify a label if the type of the SELinug context
was unchanged, but we were sending a syslog message as if something had
changed.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fixfiles restore is called by auditrelabel, and was happening early in
the boot process, before the syslog system was up and running. A bug
in systemd was causing relabels to take forever, while it waited for
the syslog's to complete. This was fixed, but I still see no reason
to write thousands/millions of lines to syslog on a badly mislabled
machine and wanted this featured turned off.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch allows us to use restorecon on MCS Separated File Systems or MLS
Environments, Basically allows a user to check his type enforcement.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you run newrole as root and it drops capabilities, the next shell
script does not have any capabilities and can not function.
newrole -L TopSecret
Would end up with a root shell and no capabilities.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Sometimes using open_init_pty isn't possible. So just call exec() if
that is the case. We no longer ship open_init_pty in Fedora or RHEL6
since it was causing more problems then it was worth. This fix makes
it optional to use the open_init_pty.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
- improves the manual page for both setfiles and restorecon (formatting
including alphabetical re-ordering of options, undocumented options,
references and a few cosmetic changes);
- de-hardcodes a couple of constants in the source files and makes a
dynamic use of them to create the manual pages after the compilation
and prior to the installation: more specifically the constants are the
number of errors for the setfiles' validation process abort condition
and the sensitivity of the progress meter for both programs (uses
external programs grep and awk);
- improves the usage message for both programs and introduces a -h
(aliased with currently existing -?) option where not already
available;
- print out the usage message for restorecon when it is called without
arguments;
- white-space/tab conversion to get proper indentation towards the end
of the main source file.
[eparis add .gitignore]
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
The following patch aims to improve the manual page (section 8) for the
"genhomedircon" script (policycoreutils).
- remove probably redundant GNU licence notice;
- try to further clarify the functionality made available by the
"genhomedircon" script as well as all the configurable options that
control its execution and affect its behavior;
- extend the references section (SEE ALSO).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
We still want to be able to use sepolgen even if setools isn't
installed. Degrade functionality, but still work if it can't be found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
The locallist option was specified as --locallist= but it does not take
an option. We also had --localist (notice the 'l' is missing) which
wasn't doing anything, so drop those.
Signed-off-by: Eric Paris <eparis@redhat.com>
The OBJECT was not being set early enough and thus would miss the checks
for things like deleteall and extract. Move the setting of OBJECT where
it happens for everything else.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage fcontext -e man page update to make it easier to understand
what it does.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The range and level user options default to s0. State that in the man
page.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add an -f option to run mcstransd in the foreground. This will allow better
integration into systemd.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We open and take a flock on the .restorecond file. But we could leak
this file across exec. Open O_CLOEXEC.
Signed-off-by: Eric Paris <eparis@redhat.com>
Instead of all calls to the usage output resulting in a 0 return code we
should show the usage menu when something is wrong but we should return
non-zero.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With the switch in Fedora to unify /bin to /usr/bin the link file
created for load_policy points back at itself. This patch causes make
to continue even if the link fails.
Signed-off-by: Eric Paris <eparis@redhat.com>
update policycoreutils po files. This should hopefully make the debian
build system a little happier.
Requested-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Only run setfiles if we have a R/W filesystem
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We are now building our packages with -Werror=format-security enabled.
The attached patch fix the FTBFS. More patch related to this could
follow.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor. The kernel has been fixed to not reuse watch descriptors.
However as some kernels do reuse them, and its possible they may again,
this patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This means you can still run setuid programs, but don't need special
perms to run seunshare.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The previous time upstream was released, there were changes to
MCSTrans, but the version was never updated, In order for us to
release these fixes to Fedora we needed to bump the version.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Also if the user specifies a store that is not the current store, we should not be sending audit messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage command was not reporting proper audit messages for the LSPP
certification. Needed to report additional information such as prior
roles before and after update. Many other changes, were reviewed by
Steve Grubb to make sure were were doing proper auditing.
Should be reporting AUDIT_ROLE_ASSIGN instead of AUDIT_USER_ROLE_CHANGE.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix the handling of namespaces in seunshare/sandbox.
Currently mounting of directories within sandbox is propogating to the
parent namesspace. This fix will basically isolate any mounting that
happens after the unshare from the parent namespace.
Signed-off-by: Eric Paris <eparis@redhat.com
Acked-by: Dan Walsh <dwalsh@redhat.com>
Include -W
Set LDLIBS consistently (include -L$(LIBDIR))
Don't explicitly call $(CC) let make do it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order to handle properly the display on boot the sandbox init
script has to source the functions file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Added new man page selinux_config(5) detailing the SELinux config file
format to new man/man5 directory plus Makefile.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
sestatus has been modified to present additional information: SELinux root
directory, MLS flag and the deny_unknow flag. The man page has been updated
to reflect these changes and an sestatus.conf(5) man page has also been added.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
No real code change. Just to make it clear what a src and dst means.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Check for conflict on equivalence when adding a file context.
If a user adds a file context that begins with an equivalence string, we
throw an exception.
/usr/sbin/semanage: File spec /usr/lib64/dan conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/dan' instead
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Print out the list of local and distribution file context equivalencies
rather than just local rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If sandbox init script is run multiple times to start it should still
return 0 rather than an error. Things should still be set up.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of force an arbitrary 100 category requirement, only bomb if
there is a problem. Error out if there are 0 categories or if we cannot
find a free category in a reasonable number of attempts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We calculate the number of available legit category sets for a given
user and then try to find one that many times. If we don't find one,
bail out.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
100 is very high, but at least we know the chances of finding a valid
combination is high.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since this file lives in /etc/sysconfig/ it does not include a .conf
extention. Thus the man page should not include a .conf in the
filename.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There are code paths where ret can be returned without being initialized
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When testing for mount points to exclude we read /proc/mounts. Close
this file when we are finished reading it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of coding the exact same thing and calling it symlink_realpath
use the function exported by libselinux.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix sandbox Makefile so that make DESTDIR=~/out install works again.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semodule_unpackage was not being removed on clean. Simple Makefile fix.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Make restorecond -u watch the terminal io channel for and exit indicator
and then exit itself if it is not being run from dbus. If being run
from dbus, dbus takes care of the session cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not assume it is always a success and error gracefully when it isn't.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically this patch makes restorecond a dbus session service that can
be run in the users session to watch the creation of files in the
homedir. Most of the changes are just to get it to run as a dbus
session and then to allow it to read its own config.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I think I was trying to allow an admin to set a bunch of booleans
from a file, but I later added -i and -o options, which would seem to
be a better way to handle many changes at once.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically we want to trigger a modify of booleans record if the user
specifies --on or --off on a boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If someone modifies the boolean settings using semanage, we would
expect them to be reflected on the local system. This change would
change the active settings IFF you are changing the currently running
system.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch removes /root from the excluded dirs.
This also adds /var/lib/BackupPC to list of directories to ignore
labeling. Mainly because this directory tends to be Huge and causes a
huge spike in the amount of time it takes to relabel. Especially if
there is a relabel caused by a policy update.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When running an app within a sandbox, the application currently
switches to no LANG. This patch will cause the sandboxed app to use
the users LANG.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patches moves some ebitmap functions (and, xor, not, etc.) from
mcstrans into libsepol, where they really belong and could be used by
other applications (e.g. CIL)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some versions of python are reporting an indentation error when trying
to use this file. Fix the whitespace messup.
Signed-off-by: Eric Paris <eparis@redhat.com>
Change sandbox init script to not load functions any longer, we don't use them
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Exit cleanly instead of python getting angry when SELinux is disabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
module names must begin with a letter, optionally followed by letters,
numbers, "-", "_", "."\n' some of these were being denied.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
If you tell semanage to list the contents of an object and the list is
empty, we should not print the header.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
By default only the effective branch of a tunable conditional would be
expanded and written to raw policy, while all needless unused branches
would be discarded.
Add a new option '-P' or "--preserve_tunables" to the semodule program.
By default it is 0, if set to 1 then the above preserve_tunables flag
in the sepol_handle_t would be set to 1 accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
add kill option to seunshare to kill all processes that are still running
with the execcon MCS label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
pam_namespace and sandbox both do the bind mounts internally now. No
reason to force this on everyone. Hopefully the sandbox init script
will be disappearing with systemd doing this by default.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seunshare now creates a runtime temporary directory owned by root and
with the sticky bit set properly. Files from the user-specified directory
are copied to the runtime directory and the changes synced back (using rsync)
at the end of the seunshare run.
This is hoped to address CVE-2011-1011
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Russell Coker pointed out most displays are no 80 chars so we should just
put out * and let the terminal wrap itself.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
If fts_read() fails for any reason ftsent will be NULL. Previously we
would have reported the error and then continued processing. Now we
report the error and stop using the NULL pointer.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When we converted from nftw to fts we had to remove the automatic large
file support had to be removed. Thus we switch from stat to stat64 on
all archs.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds support to actually use the new sepolgen-ifgen attr
helper. We included the helper which generates attribute information
but this patch makes use of it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a --policy option to audit2allow to make it use an
alternate use specified policy instead of the running
policy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This program is used by sepolgen-ifgen to get the access for all of the
attributes in the policy so that it can resolve the typeattribute statements
in the interfaces.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Rather than error when a glob does not match return success as this is
not a problem.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Introduce a helper which will spawn children and wait for them to exit
so we don't have to keep writing that code over and over.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
These are just simple new helpers which make it easy to check uid, gid,
if two stat results are the same and things like that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Some sandbox might want to be able to run a suid app. Add the -C option
to allow capabilities to stay in the bounding set, and thus be allowed
inside the sandbox.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Split drop_capabilities into drop_privs, which does the same thing, and
drop_caps, which only drops caps but doesn't affect the uid.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Little things like better error messages, usage text, code duplication
and the like.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seunshare can be used on non-selinux systems. It can also be used
without transition to a new context. Thus we should not require that a
context be set.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
we have man pages which aren't being instelled with make install. We
also do not include -Werror -Wall -Wextra in the build like we do with
other packages, so include those.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This allows users to create sandbox windows of a specified size on the
command line.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When launching a sandbox x environment we should check up front to make
sure that the seunshare and sandboxsh files exist and bail politely if
they do not exist.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
