Unify behaviour for all module actions.
The same behaviour is already present for -i/-u/-r/-e switches.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1545218
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Unify the way parameters are described in man pages and --help message.
Explain special syntax allowing the user to specify multiple modules when using
-i/u/r/E mods.
Point out that priority has to be specified in order to remove module at
different priority than 400 and that "-d" disables all instances of
given module across priorities.
Resolves: rhbz#1320565, rhbz#1337192
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Making stdin/stdout non-blocking causes open_init_pty to hang if
they are closed, ala
./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; '
and per
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10
This reverts commit fb081eb64b.
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.
Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin
After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Files in /tmp, /var/tmp, /var/run and /var/lib/debug labeled as
unlabeled_t or undefined_t are relabeled to match corresponding
directory label. Stop dereferencing link files in these folders
in order not to accidentally change label of other files in the
system.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1458831
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.
See https://reproducible-builds.org/ for why this matters.
* `fixfiles -B relabel` or `fixfiles -C previouscontext relabel` would
skip the code that handles e.g. `/var/tmp`, which would be run by
`fixfiles relabel`. It would still remove all files in /tmp (subject to
user confirmation). This is confusing, undocumented, and unlikely to
be intentional.
* `fixfiles relabel path1 path2` is the same, except it would only relabel
the first path.
* `fixfiles -R ... relabel` was equivalent to `fixfiles -R ... restore`,
again contradicting the man page.
Also `fixfiles onboot` would ignore paths, -C, or -R.
fixfiles is mostly for users, where it should be acceptable to remove these
non-sensical combinations.
`fixfiles -C` is used in selinux-policy rpm install scripts. However I
believe the rpms used `fixfiles -C previouscontext restore`, and did not
either require user interaction or blow away /tmp without prompting. So
they should still work fine.
With these combinations removed, we can remove the `exit` calls which were
seen in some of the (non-error) code paths in `restore()`.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
`fixfiles -R -a` is much less useful than it was made to sound, because -R
now works recursively. Therefore `fixfiles -R -a` relabels every file on
the system, multiple times. On my system it took over 5 times as long as
plain `fixfiles` (which takes about a minute).
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
This commit allows the use of `set -u` to detect reads of unset variables.
But what I really liked was making the code more explicit about these
modes. I hope that this is easier for a new reader to reason about.
`fixfiles restore` has accumulated five different modes it can run in.
Now use a single variable to indicate the mode, out-of-band of the
variables used for the individual modes.
Apparently `set -u` / `set -o nounset` doesn't work correctly with arrays.
If we ever need bash arrays, we can simply remove `set -u`. The `set -u`
dialect is a strict subset. See http://mywiki.wooledge.org/BashFAQ/112
Extra notes:
RESTORE_MODE was created because I couldn't bring myself to use an empty
FILEPATH, as a special case to indicate the default mode. Arguments
to the script (paths) could be empty already, so it would mean I had to
work out how we behaved in that case and decide whether it was reasonable.
It turns out the `-B | -N time` mode is distinct and does not respect
paths. So we can tell the user we're not going to do anything with the
paths they passed. Make sure this distinction is shown in the usage error
message.
We already rejected the combination of `-R rpmpackage,... dir/file...`.
Being aware of the different modes just causes more bogus combinations
to be rejected.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
New users may try something like `fixfiles restore -v /dir/file` -
not realizing they are required to use `fixfiles -v restore /dir/file`.
Detect that `restorecon` aborts due to being run on the non-existent file
`-v`, and stop immediately. This will show the error much more clearly,
instead of continuing to restore `/dir/file` *without* verbose messages.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
The idea is to print a usage error, then terminate with EXIT_FAILURE.
Don't print the usage error twice when run with no command.
Don't try to check for bogus extra arguments _after_
performing a long-running operation... particularly
if that operation terminates the script with EXIT_SUCCESS first.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
$ shellcheck fixfiles
...
In fixfiles line 94:
[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
^-- SC2076: Don't quote rhs of =~, it'll match
literally rather than as a regex.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
DIRS was suspicious because you can't store file names in a normal variable,
and it's not that common to use arrays in bash. It's not actually used.
While we're here, there's another variable which is never used
and should just be removed. (Pointed out by `shellcheck`.
It makes a couple of other points too, but I have more specific
patches I want to put those in).
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Make sure usage() in fixfiles shows all the current options.
It's printed when there's a user error, so it needs to be
helpful! (Excluding the deprecated option - see below).
manpage:
Remove the deprecated option `-l logfile`.
Add missing space in `restore|[-f] relabel`.
It's not clear why `-R rpmpackagename` was considered optional in the
second invocation. (If the user omits it, they are just performing the
first invocation). It desn't match usage() in fixfiles either.
Clean up bolding for `fixfiles onboot`.
Disable justification (troff "adjustment") in the synopsis. We want the
common options in the different invocations to line up consistently.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
...and write log messages to standard output.
Some versions of fixfiles in 2004 created a logfile by default.
Apparently they also used `tee` to log to standard output at the same time.
We're also told that the logfile was implemented because there was too
much output generated for use on a tty, and it scrolled out of reach.
https://bugzilla.redhat.com/show_bug.cgi?id=131707
In the current version, none of these original reasons for `-l` remain.
The logfile is not created by default. If no log file is specified,
messages are written to stdin [sic]... if and only stdin is a tty. If
stdin is not a tty, the log defaults to /dev/null.
When a user runs fixfiles on a tty and finds there is too much output, she
is likely to try redirecting standard output and/or standard error using
the shell. She will find this doesn't help, because fixfiles is writing
the verbose log messages to standard input.
I tried to fix the problem non-intrusively, by changing the default log
file to `/dev/stdout`. Sadly, this breaks down where you have
`echo >>$LOGFILE "Log message"` inside a specific function, which is run
with output redirected in order to "return" a string value (captured
into a variable). exclude_dirs_from_relabelling() was such a function.
I was trying to abstract over writing to both normal files and stdout, but
my abstraction "leaks" in a non-obvious way.
There is a simple solution. We can write the log messages to standard
output. When we are passed `-l` by a legacy script, we can redirect
standard output to the logfile.
This removes any distinctions between the logfile and "non-log" messages.
Some calls to restorecon were missing redirections to the log file.
"Cleaning out /tmp" was written to the log file, but "Cleaning out labels
on /tmp" was not. There were no comments to explain these distinctions.
Move call to logit() outside a function which has its output redirected.
See next commit for explanation.
The logit calls are moved into a new function LogExcluded(), similar to
LogReadOnly(). I don't see a pretty way to resolve this, so I just went
for the most explicit approach I could think of.
Behaviour change: diff_filecontext will now log *all* excluded paths.
I think that approach is an improvement, because e.g. the fact that `-C`
mode excludes `/home` was not previouslly documented anywhere.
The LogReadOnly() call which warns the user about R/O filesystems, applies
to the `-B` mode (newer() function), and the `fixfiles check` mode
(no paths).
Make sure to print it for these modes, and these modes only.
The usage of exclude_dirs() is non-obvious.
It turns out it is only used by the `-C` mode of fixfiles. The other four
modes use the narrower list generated by exclude_dirs_from_relabelling().
Let's make this distinction more obvious.
(The purpose of the extra exclusions is not clear. E.g. there's an
exclusion for /dev. Whereas the `fixfiles check` mode explicitly tells you
that it's going to relabel /dev, without causing any problem. Maybe that
part is out of date? But without some explanation of the list, I don't
want to change anything!)
setfiles is now run with $exclude_dirs.
We shouldn't need to patch the file contexts as well.
This is fortunate, since the file context patching code was broken
(by the same commit which introduced the redundancy). It takes the
list of directories to exclude from $tempdirs, but $tempdirs is
never set.
Also messages about skipping directories were printed twice. Firstly when
exclude_dirs is generated, and secondly in the file context patching code.
Also TEMPFCFILE was only removed in one path out of several.
This reverts commit ac7899fc3a,
which is not yet part of an officially tagged release
(or release candidate).
`LOGFILE=/proc/self/fd/1` was wrong.
`LOGFILE=$(tty)` was being relied on in one case (exclude_dirs),
to log messages from a function run specifically with stdout redirected
(captured into a variable).
Having `logit "message"` break inside redirected functions
is a nasty leaky abstraction.
This caused e.g. `fixfiles restore` to terminate early with the error
skipping: No such file or directory
if the user had configured any excluded paths in
/etc/selinux/fixfiles_exclude_dirs
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
If the user has the $LINGUAS environment variable set, only translations
for those languages should be installed to the system.
The gettext manual [1] says:
"Internationalized packages have usually many ll.po files. Unless
translations are disabled, all those available are installed together
with the package. However, the environment variable LINGUAS may be set,
prior to configuration, to limit the installed set. LINGUAS should then
contain a space separated list of two-letter codes, stating which
languages are allowed."
[1]: https://www.gnu.org/software/gettext/manual/html_node/Installers.html#Installers
Signed-off-by: Jason Zaman <jason@perfinion.com>
In extract_pw_data(), if "getpwuid(uid)" fails, the function returns an
error value without initializing main's pw.pw_name. This leads main() to
call "free(pw.pw_name)" on an uninitialized value.
Use memset() to initialize structure pw in main().
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In main(), if "extract_pw_data(&pw)" returns a failed value, it has
already freed pw.pw_name, pw.pw_dir and pw.pw_shell. These fields are
freed a second time in main's err_free label, which is incorrect. Work
around this by setting them to NULL after they are freed.
This issue has been found using clang's static analyzer.
While at it, make extract_pw_data() static.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This check is a remnant of the libselinux <2.5 era, back when
is_selinux_enabled() checked whether a policy had been loaded. Nowadays
it only checks whether selinuxfs is mounted, and "load_policy -i"
therefore incorrectly refuses operation when selinuxfs is mounted, but
no policy has been loaded yet.
While it doesn't make much sense to call selinux_init_load_policy()
twice, there's no harm in doing so either, so let's just drop this
safeguard instead of fixing it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't force output through a pipe - let them access the TTY.
When run interactively, this acts as a workaround for
"Output of fixfiles gets garbled?"
https://bugzilla.redhat.com/show_bug.cgi?id=1435894
E.g. it would also be useful if restorecon ever decides it doesn't want to
output backspace characters on non-TTY outputs.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
I suggested that if you run a command for its informational output (by
passing `-v`), you don't expect it to be prefixed with the program name.
Prefixing is used for error messages, so you can tell where your shell
script blew up :). If a script is running a command for its informational
output, it's usually the script's responsibility to make sure it's in
context, e.g. providing headers if there are multiple sections of output.
Removing the program name from setfiles/restorecon output is particularly
useful because it generates very long lines. But also, it actually helps
highlight where there are error messages - the prefix will make them
stand out visually.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
I accidently ran `fixfiles "a b"` during testing. Let's fix this too.
Before:
/sbin/fixfiles: line 394: [: a: binary operator expected
Usage: ...
After:
Usage: ...
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
E.g. `fixfiles restore -v /usr` - before:
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Progress and Verbose mutually exclusive
usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
229k
after:
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon: lstat(-v) failed: No such file or directory
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
229k
This matches the usage shown in the manual page. While we're in there,
we should handle spaces as well e.g `fixfiles restore "a b"`. Before:
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon: lstat(b) failed: No such file or directory
After:
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon: lstat(a b) failed: No such file or directory
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Nicolass Iooss reports that when building with "clang -Wwrite-strings",
the compiler complains about initializing the char* array
genhomedirconargv with literal strings.
Make genhomedirconargv an array of pointers to const char and cast it
as non-const when assigning it to argv.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.
The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%
Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.
The documentation has also been updated to reflect these changes.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Define a logging callback for libselinux so that any informational
or error messages generated by libselinux functions are properly
prefixed with the program name and routed to the proper output stream.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fixfiles was redirecting log output to `tty`. This overrides user intent
e.g. when shell redirection is used.
Redirect it to stdout, using /proc. `tty` equally depended on /proc.
We do not depend on /dev/stdout: it might not be present, if a rescue
system is booted with devtmpfs (no udev daemon).
By default, log messages were redirected into the void when not run from a
tty. We consider this a bug, which is now fixed.
1. If calling scripts happen to require the old behaviour, they can easily
write the same code themselves.
2. When fixfiles is run from Fedora's selinux-autorelabel.service,
the calling script is specifically run from a tty.
Also Fedora's calling script chooses to redirect stdout and stderr to
/dev/null. This redirection will now suceed, improving the transparency
of the code. The previous behaviour may be obtained by choosing not
to redirect the progress messages of this long-running process to
/dev/null. A patch has been submitted to Fedora to suggest this novel
approach: https://bugzilla.redhat.com/show_bug.cgi?id=1415674
Complete disclosure:
* Remove unused variable LOGGER.
* Fix logfiles containing spaces.
Disclaimer:
1. "Log" output may contain escape sequences (backspace?) e.g. in
`fixfiles -l log.txt restore`. This is not the usual understanding
of a log file.
2. For some reason, not all informative messages are sent to `-l` e.g.
the list of filesystems, and "cleaning up labels on /tmp".
3. `function logit` is retained, but the logfile is also written to
outside this function. Implementing support for the system log
would require another function which accepts piped input.
Also see point 1.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Policy module structure created by libsepol out of base module
contains NULL in module name, which results in segfault in "pp"
compiler. Add NULL check.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1350806
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".
Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fixfiles links to restorecon. However if you start with restorecon
"restore file(s) default SELinux security contexts", you can easily
miss the fixfiles script. fixfiles is more generally useful than
`restorecon -R`. For example `restorecon -R /` is not as good as
`fixfiles restore`, because the restorecon command will try to relabel
`/sys` and fail noisily.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Fix missing and surplus commas. Fix the following formatting errors:
.BR selinux(8)
renders the the "(8)" in bold as well as the "selinux". This is wrong.
.B selinux
(8)
renders with a space between "selinux" and "(8)", this is wrong.
.B selinux (8)
commits both of the above mistakes.
.BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
.BR selinux (8),
.BR apparmor (8)
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
This removes the following warning when running sepolicy gui command:
/usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
When running sepolgen tests on a Linux 4.7 kernel, one test fails with
the following message:
/usr/bin/semodule_package: Failed to mmap
tmp/module_compile_test.mod.fc: Invalid argument
The .fc file is empty, which is why it cannot be used with mmap().
Anyway the current code supports empty files (with if() conditions in
main()) so do not try to mmap an empty file in file_to_data().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Ubuntu some header files are located in /usr/lib/x86_64-linux-gnu/,
not /usr/lib64/:
$ pkg-config --cflags dbus-glib-1
-I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
Use pkg-config instead of hard-coded paths to find glib and dbus-glib
headers and libraries.
This is needed in order to use environments provided for example by
https://travis-ci.org/.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Return column definitions to portsPage (gui fails to load otherwise).
fcontextPage:
"ftype" dropdown was filled from 2 sources (system-config-selinux.glade
and fcontextPage - from seobject module) which resulted in duplicate
and invalid options. When given to "semanage fcontext -f", ftype has to be
converted to 1 letter argument mode.
TreeView.get_selection().get_selected() can return "None" if no item is selected
(the list can be empty). Test if correct iterator was acquired.
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1344842
Signed-off-by: vmojzis <vmojzis@redhat.com>
Reverse the sense of the -D option, from disabling setting/use of
security.restorecon_last to enabling it, making disabled the default state.
Rationale:
1) Users often use restorecon to fix labels on files whose labels are
wrong even through nothing has changed in file_contexts, e.g. after
copying/moving files to a different location. They won't expect
restorecon to suddenly stop relabeling by default because the hash of
file_contexts hasn't changed.
2) Only processes running with CAP_SYS_ADMIN can set
security.restorecon_last, so this will fail for non-root users anyway.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit f1352e7399 ("policycoreutils: setfiles - Utility to find
security.restorecon_last entries") introduced restorecon_xattr binary
without adding it to .gitignore.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
This patch adds restorecon_xattr(8) to find and/or remove
security.restorecon_last entries added by setfiles(8) or
restorecon(8). Uses the services of selinux_restorecon_xattr(3).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add -D option to setfiles and restorecon - Do not set or update
directory SHA1 digests when relabeling files. This will allow
users the option of not using the "security.restorecon_last"
extended attribute feature.
Also review and update the man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When a user installs a module, the filename is used as the module name.
This change was introduced with CIL language where a module name is not
stored in the module itself. It means that when a pp module has
different filename and stored module name, the filename is used instead
of the stored module name. It brings problems with compatibility for
scripts and modules which were built and used on older system and were
migrated to the new userspace.
This patch changes the behavior of semanage_direct_install_file() which
is used by 'semodule -i' so that when a module with pp language
extension is installed, it tries to get and use a stored module name
instead of a filename. A warning message is provided.
The warning message in policycoreutils/hll/pp is updated to reflect this
change:
$ semodule -X 400 -i /root/testfile.pp
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
$ /usr/libexec/selinux/hll/pp /root/testfile.pp testfile.cil
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:
$ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
clang -Wl,-as-needed,-no-undefined -I/usr/include
-DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -c -o
seunshare.o seunshare.c
clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
unused
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The next patch will update info() and search() to use the setools4 api.
setools4 makes heavy use of generators so info() and search() will as
well. Pre-emptively update users to cast to a list where required.
Signed-off-by: Jason Zaman <jason@perfinion.com>
search() is an overly complex wrapper around setools, several users are
simplified by just directly using setools.
Signed-off-by: Jason Zaman <jason@perfinion.com>
sandbox tried to copy all affected files to the new home
or tmp even though -M or -X was not specified and there was no new
directory.
Fixes:
$ sandbox ls ~
/usr/bin/sandbox: [Errno 17] File exists: '/root'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems be important enough in order not
to left running the server when the last client connection is closed.
This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.
As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.
Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.
Signed-off-by: Janis Danisevskis <jdanis@google.com>
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.
With this change, homedir and tmpdir is recursively relabeled with the
expected sandbox labels after all items are in their place.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline
Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
testMethod()
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Commit b43991f913 broke audit2why because
boolean_desc was imported indirectly via seobject. Use it directly from
sepolicy instead.
$ cd policycoreutils/audit2allow
$ make test
test_audit2why (__main__.Audit2allowTests)
Verify audit2why works ... Traceback (most recent call last):
File "/bin/audit2why", line 365, in <module>
app.main()
File "/bin/audit2why", line 353, in main
self.__output()
File "/bin/audit2why", line 295, in __output
return self.__output_audit2why()
File "/bin/audit2why", line 263, in __output_audit2why
print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
AttributeError: 'module' object has no attribute 'boolean_desc'
FAIL
Signed-off-by: Jason Zaman <jason@perfinion.com>
audit2why is supposed to be a symlink to audit2allow. There are instead
2 files in the repo so the makefile has not been replacing audit2why.
Signed-off-by: Jason Zaman <jason@perfinion.com>
commit 4c5b8a9568 ("semanage: add
auditing of changes in records") broke semanage fcontext -D.
Fix it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
For modify action actually audit the selinux type, i.e. use setype
variable.
For deleting equal fcontext rules do not audit ftype, as the ftype value
for equal rules makes little sense.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
In case serange is empty, but the record is beeing modified
(setype was supplied), use default "s0" range. With the original
code the audit event would be printed with no range (i.e.
"system_u:object_r:ssh_port_t:")
Note that default "s0" is currently used in other places
of seobject.py.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
This patch removes proto_to_audit dictionary and uses
standard socket.getprotobyname(protocol) to resolve
protocol number from given protocol name.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
Modify restorecond to make use of the libselinux selinux_restorecon*
set of functions. Also removed obsolete matchpathcon* functions.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Modify setfiles and restorecon to make use of the libselinux
selinux_restorecon* set of functions.
The output from these commands should be much the same as before
with some minor wording changes, the only exceptions being that for
setfiles(8) and restorecon(8) the following options have been added:
1) -I to ignore checking the directory digests.
2) -m to ignore reading /proc/mounts.
These additional options are described in the updated man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The modify actions of security context mappings for
interface and node actully called add action.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
The tcp/udp protocol numbers were accidentaly swapped in
the original patch 'semanage: add auditing of changes in records'.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
-n was not being passed down to restorecon properly in the code path
for -C and -N
Patch-by: Dan Callaghan <dcallagh@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
get_rpm_nvr_list can fail to get the version of selinux-policy rpm
package, which leads to error during spec file creation (attempt to
invoke __getitem__ of "None" object).
This patch sets the policy number to "0.0.0" in case rpm failed to
get it. This change should be safe because it affects only an example
of spec file.
Variable "POLICYCOREUTILSVER" was removed (unused).
fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1321499
Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
File "/bin/selinux-polgengui", line 360, in forward
self.generate_policy()
File "/bin/selinux-polgengui", line 506, in generate_policy
self.info(my_policy.generate(outputdir))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1382, in generate
out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1228, in write_spec
fd.write(self.generate_spec())
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1190, in generate_spec
selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
TypeError: 'NoneType' object has no attribute '__getitem__'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
The commit 7574a50f tried to improve compatibility with Python 3. It changed
the code to use subprocess.getstatusoutput() instead of
commands.getstatusoutput(). Unfortunately subprocess.getstatusoutput() is not
available in Python 2. This patch changes how getstatusoutput() is imported so
the code works on Python 2 and Python 3.
Fixes:
$ chcat -d something
Traceback (most recent call last):
File "/usr/bin/chcat", line 432, in <module>
sys.exit(chcat_replace(["s0"], cmds, login_ind))
File "/usr/bin/chcat", line 271, in chcat_replace
rc = subprocess.getstatusoutput(cmd)
AttributeError: 'module' object has no attribute 'getstatusoutput'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
Use assertNotEqual() and assertEqual() instead of assert_().
Convert print statements to print functions.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
https://bugs.python.org/issue16308
Traceback (most recent call last):
File "semanage", line 932, in <module>
do_parser()
File "semanage", line 911, in do_parser
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
