flake8 warns about using has_key():
python/sepolgen/src/sepolgen/refparser.py:315:15: W601 .has_key() is
deprecated, use 'in'
However "spt.has_key(id)" uses function SupportMacros.has_key(), which
is not the same as the "in" operator. Silence this warning by using "#
noqa".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
p_permissive() uses an undefined variable t, which is buggy. In order to
ignore permissive statements, the function only needs to "pass".
flake8 reported the following error:
python/sepolgen/src/sepolgen/refparser.py:789:5: F821 undefined name 't'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
SELinuxGui.files_initial_data_insert() uses both "seLinux_label" and
"selinux_label", which leads to using an undefined variable, as reported
by flake8:
python/sepolicy/sepolicy/gui.py:1191:42: F821 undefined name 'selinux_label'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
CheckPolicyType class is not used in sepolicy and has been written from
an buggy copy-paste: "newval.append(v)" does not make any sense in
CheckPolicyType.__call__, as reported by flake8:
python/sepolicy/sepolicy.py:190:13: F821 undefined name 'newval'
python/sepolicy/sepolicy.py:190:27: F821 undefined name 'v'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
sepolgen uses "return NotImplemented" (in access.py and matching.py) in
order to make Python's sorting function use an other call to compare
objects. For this to work, "NotImplemented" needs to be returned, not
raised like _compare's default implementation does.
This issue has been found using flake8. This Python linter reported:
python/sepolgen/src/sepolgen/util.py:128:9: F901 'raise
NotImplemented' should be 'raise NotImplementedError'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
util.py starts by importing "locale" and "sys", so there is no need to
import these modules again in the functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
flake8, a Python linter, complains:
libselinux/src/selinux.py💯1: F401 'errno' imported but unused
libselinux/src/selinux.py💯1: F401 'stat' imported but unused
libselinux/src/selinux.py💯14: E401 multiple imports on one line
libselinux/src/selinux.py:130:16: E111 indentation is not a multiple of four
libselinux/src/selinux.py:130:45: E231 missing whitespace after ','
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:
File "./python/semanage/seobject.py", line 143
except OSError, ImportError:
^
SyntaxError: invalid syntax
The correct syntax consists in using parentheses.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Test if audit module is enabled so that logger class is defined
correctly.
Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
There are many memory leaks in mcstrans. Clean them up in order to
reduce the noise in clang's static analyzer report. Some are remaining,
because they are more complex to fix.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
refpolicy moved from github.com/TresysTechnology to
github.com/SELinuxProject. It is still used in sepolgen tests (they
build modules using Makefile.devel and build.conf) so update the
location of the repository.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
write_pid_file() leaks a file descriptor to /var/run/restorecond.pid if
it fails to write the PID to it. Close the file before returning.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.
AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.
Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.
With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In access module, in AccessVector.__init__() method, when init_list is
not None, the access vector is initialized by from_list() method.
However, this method does not assign attributes self.audit_msgs,
self.type, and self.data. Fix this by assigning these attributes in
__init__() method.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In refpolicy module, in AVRule.__rule_type_str() method, self.rule_type
was not checked for value self.NEVERALLOW so that string "neverallow"
was never returned. Fix this by checking all four possible values and
returning correct strings.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Using clang's static analyzer is as simple as running "scan-build make",
but in order to obtain clean and reproducible results, the build
environment has to be cleaned beforehand ("make clean distclean").
Moreover the project requires running "make install" before "make test"
in order to install the dependencies needed for the tests, and running
these tests with the newly-built libraries requires a specific
LD_LIBRARY_PATH. This new script takes care of setting up everything
which is needed.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When write_binary_policy() fails to open the binary policy, it calls
sepol_handle_destroy(f.handle) but structure f has not been initialized
at this point. Use variable handle instead.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
f.handle is never set in read_binary_policy() so there is no need to
call sepol_handle_destroy() on it. Moreover clang's static analyzer
warns about an uninitialized argument value in the first call.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
va_copy()'s manpage [1] states:
Each invocation of va_copy() must be matched by a corresponding
invocation of va_end() in the same function.
create_str_helper() is using va_copy() without va_end(). Add the missing
call.
[1] https://linux.die.net/man/3/va_copy
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
require_class() allocate memory for its variable "class_datum_t *datum"
and calls symtab_init(&datum->permissions, PERM_SYMTAB_SIZE). If this
second call fails, datum is not freed.
Fix this memory leak.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
sepol_ppfile_to_module_package() does not use its variable "FILE *f =
NULL;" but to fclose() it. This variable has been unneeded since the
introduction of function ppfile_to_module_package() in commit
893851c0a1 ("policycoreutils: add a HLL compiler to convert policy
packages (.pp) to CIL").
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang's static analyzer reports that ebitmap_to_names() can call
malloc(0) when the bitmap is empty. If malloc() returns NULL, this
triggers a misleading "Out of memory" error.
Work around this by treating empty bitmaps as appropriate.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang's static analyzer warns about dead assignments to local variables.
In module_to_cil.c, there are some which are quite straightforward to
review. Remove them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When list_prepend() returns an error, it always means it failed to
allocate some memory and does not hold any reference to its argument
data. This argument needs to be freed by the caller in order to prevent
a memory leak.
While reviewing list_prepend() callers, I spend quite some time
understanding why typealiases_gather_map() does not need to strdup(key)
or free(key) when calling list_prepend(..., key) even though "key" comes
from pdb->p_types.table: because typealias_list_destroy() does not free
the inserted items. Add a comment to make this clearer in the code.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In cil_tree_print_expr(), "rc < 0" is equivalent to "rc != 0" but
clang's static analyzer does not know about this. Help it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Ruby 2.5 is not installed by default, force reinstall with rvm
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
from getpwnam_r(3): "The call sysconf(_SC_GETPW_R_SIZE_MAX) returns
either -1, without changing errno, or an initial suggested size for buf.
(If this size is too small, the call fails with ERANGE, in which case
the caller can retry with a larger buffer.)"
The same can happen for _SC_GETGR_R_SIZE_MAX. 1024 appears to be a good
fallback but may need revisiting in the future.
This triggered an error on musl libc but could happen other places too.
Signed-off-by: Jason Zaman <jason@perfinion.com>
musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use
them there. This affects restorecond -u but braces are not used in the
example configs. GLOB_TILDE is on the roadmap[1] for musl 1.1.21 so
restorecond -u should be fine soon.
[1]: https://wiki.musl-libc.org/roadmap.html
Signed-off-by: Jason Zaman <jason@perfinion.com>
musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use
them there. This only affects "setfiles -f", which I don't expect many
people use, and it's undocumented anyway that it expands globs.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason Zaman <jason@perfinion.com>
Musl libc does not include the fts(3) functions so need to link to the
musl-fts library
https://github.com/pullmoll/musl-fts
Signed-off-by: Jason Zaman <jason@perfinion.com>
Fix the following ambiguous output (from booting with init=/bin/sh):
# /usr/sbin/fixfiles onboot
/usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system
/usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system
System will relabel on next boot
System will not relabel on next boot if we couldn't create ./autorelabel
(In case anyone reading this description is still confused: To run
`fixfiles onboot` after booting with init=/bin/sh, you must first run
`mount / -oremount,rw`).
Verify that the final path does not exceed the size of the
buffer before copying. This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>