Commit graph

248 commits

Author SHA1 Message Date
James Carter
c08cf24f39 python: Remove dependency on the Python module distutils
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-11-09 07:51:36 -05:00
James Carter
7238ad32a3 python: Do not query the local database if the fcontext is non-local
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.

He gives the following example:
  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
  libsemanage.dbase_llist_query: could not query record value (No such file or directory).

When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.

The error is from querying the local database when the fcontext is in
the non-local database.

Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-10-24 08:26:28 -04:00
Petr Lautrbach
bba6225abc gui: Fix export file chooser dialog
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.

Fixes:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
    self.export_config(filename)
  File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
    fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-10-24 08:26:18 -04:00
Paul Moore
a0a216ff7d docs: provide a top level LICENSE file
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses.  Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.

This is to help meet the OpenSSF Best Practices requirements.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-10-05 08:20:38 -04:00
Vit Mojzis
5b5056b1b4 Update translations
Source: https://translate.fedoraproject.org/projects/selinux/

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-10-05 08:13:26 -04:00
Christian Göttsche
c2d58b378b Ignore egg-info directories and clean them
Test .gitignore and make clean distclean
    error: missing .gitignore entry for libselinux/src/selinux.egg-info/
    error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
    Error: Process completed with exit code 1.

    error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
    error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
    error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
    error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
    error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
    error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
    error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
    error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
    Error: Process completed with exit code 1.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-15 08:51:01 -04:00
Elijah Conners
ebb4a170c0 python: remove IOError in certain cases
In certain cases, IOError caused the much more general exception OSError
to be unreachable.

Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-07-19 11:10:08 +02:00
Vit Mojzis
344463076b gettext: handle unsupported languages properly
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).

Fixes:
  # LANG is set to any "unsupported" language, e.g. en_US.UTF-8
  $ chcat --help
  Traceback (most recent call last):
  File "/usr/bin/chcat", line 39, in <module>
    t = gettext.translation(PROGNAME,
  File "/usr/lib64/python3.9/gettext.py", line 592, in translation
    raise FileNotFoundError(ENOENT,
  FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-06-29 15:51:07 +02:00
Christian Göttsche
c14a86af9a python/audit2allow: close file stream on error
sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
      196 |                 fprintf(stderr, "Out of memory!\n");
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:54 -04:00
Vit Mojzis
abaf812c38 python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.

Fixes:
  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
  # semanage export | semanage import
  ValueError: Port tcp/3024 already defined

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-06 16:16:27 -04:00
Petr Lautrbach
0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Vit Mojzis
b14d5de5b4 gettext: set _ on module level instead of builtins namespace
Some calls to "_" where unsuccessful because the function was
initialized with a different translation domain than the string.
e.g. selinux-polgengui calls functions from sepolicy.generate, which end
up printing untranslated strings because polgengui uses selinux-gui
domain while sepolicy uses selinux-python

- Set "_" in module namespace instead of "builtins"
- Set the whole "sepolicy.generate()" confirmation as translatable
- Drop "codeset" parameter since it is deprecated

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:29:54 -04:00
Petr Lautrbach
9df28c241a
Update VERSIONs to 3.4-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-04 19:20:37 +02:00
Petr Lautrbach
2a167d1156
Update VERSIONs to 3.4-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-20 21:48:57 +02:00
Christian Göttsche
fd67b2f4b1 Correct misc typos
Found by typos[1].

[1]: https://github.com/crate-ci/typos

Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-12 13:09:52 -04:00
Petr Lautrbach
73562de8fc
Update VERSIONs to 3.4-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-06 19:53:39 +02:00
Petr Lautrbach
8aca100c5b Update translations from translate.fedoraproject.org
Source https://translate.fedoraproject.org/projects/selinux/

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-06 10:53:37 +02:00
Petr Lautrbach
2d668b6214 Split po/ translation files into the relevant sub-directories
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.

This commit splits original policycoreutils translations to
policycoreutils, selinux-python, selinux-gui, and selinux-sandbox.

See original Fedora issue https://github.com/fedora-selinux/selinux/issues/43

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:52:41 +02:00
Petr Lautrbach
bf5d3d2da9 semanage-fcontext.8: Drop extra )s after FILE_SPEC
Fixes: https://github.com/SELinuxProject/selinux/issues/340

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-03-03 12:13:47 -05:00
Christian Göttsche
b8159f32f0 python/sepolgen: accept square brackets in FILENAME token
When parsing Reference Policy style files accept square brackets in file
names.  The FILENAME token is used in the TYPE_TRANSITION grammar rule
for the optional name based argument.  This name can contain square
brackets, e.g. for anonymous inodes like "[io_uring]".

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:06:30 -05:00
Christian Göttsche
c09d63852e python: mark local functions static
sepolgen-ifgen-attr-helper.c:59:5: warning: no previous prototype for ‘render_access_mask’ [-Wmissing-prototypes]
       59 | int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
          |     ^~~~~~~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:114:5: warning: no previous prototype for ‘output_avrule’ [-Wmissing-prototypes]
      114 | int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
          |     ^~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:220:6: warning: no previous prototype for ‘usage’ [-Wmissing-prototypes]
      220 | void usage(char *progname)
          |      ^~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Petr Lautrbach
7f600c40bc
Update VERSIONs to 3.3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-21 16:31:23 +02:00
Petr Lautrbach
5319c49d8a
Update VERSIONs to 3.3-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-06 13:28:15 +02:00
Christian Göttsche
b1a3c2030c Correct some typos
Found by codespell

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-30 15:42:11 -04:00
Petr Lautrbach
0b833973bf
Update VERSIONs to 3.3-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-22 17:14:25 +02:00
Petr Lautrbach
38cb18e931 Update VERSIONs and Python bindings version to 3.3-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-08 09:49:46 +02:00
Michał Górny
ba23ba0683 python: Import specific modules from setools for less deps
Import the setools classes needed for Python bindings from specific
setools modules in order to reduce the dependency footprint
of the Python bindings.  Importing the top-level module causes all
setools modules to be loaded which includes the modules that require
networkx.

SELinux packages belong to the group of core system packages on Gentoo
Linux.  It is desirable to keep the system set as small as possible,
and the dependency between setools and networkx seems to be the easiest
link to break without major loss of functionality.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
2021-09-02 10:47:19 -04:00
Petr Lautrbach
e8b98f67f6 python/sepolicy: Fix COPY_PASTE_ERROR (CWE-398)
Fixes:
    Error: COPY_PASTE_ERROR (CWE-398): [#def3]
    selinux/python/sepolicy/sepolicy/__init__.py:1032: original: ""_key_t"" looks like the original copy.
    selinux/python/sepolicy/sepolicy/__init__.py:1035: copy_paste_error: ""_key_t"" looks like a copy-paste error.
    selinux/python/sepolicy/sepolicy/__init__.py:1035: remediation: Should it say ""_secret_t"" instead?
    # 1033|
    # 1034|       if f.endswith("_secret_t"):
    # 1035|->         return txt + "treat the files as %s secret data." % prettyprint(f, "_key_t")
    # 1036|
    # 1037|       if f.endswith("_ra_t"):

    Error: COPY_PASTE_ERROR (CWE-398): [#def4]
    selinux/python/sepolicy/sepolicy/__init__.py:1065: original: ""_tmp_t"" looks like the original copy.
    selinux/python/sepolicy/sepolicy/__init__.py:1067: copy_paste_error: ""_tmp_t"" looks like a copy-paste error.
    selinux/python/sepolicy/sepolicy/__init__.py:1067: remediation: Should it say ""_etc_t"" instead?
    # 1065|           return txt + "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
    # 1066|       if f.endswith("_etc_t"):
    # 1067|->         return txt + "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
    # 1068|       if f.endswith("_home_t"):
    # 1069|           return txt + "store %s files in the users home directory." % prettyprint(f, "_home_t")

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-07-30 09:55:33 -04:00
Petr Lautrbach
3f9ff90f9e Do not use Python slip
Python slip is not actively maintained anymore and it was used just as
a polkit proxy. It looks like polkit dbus interface is quite simple to
be used directly via python dbus module.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-07-28 15:01:47 -04:00
Petr Lautrbach
cf853c1a0c
Update VERSIONs to 3.2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-03-04 16:42:59 +01:00
Petr Lautrbach
be065c4b44
sepolicy: Do not try to load policy on import
When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.

Fixes:
    >>> import seobject
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
        _pol = setools.SELinuxPolicy(policy_file)
      File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
      File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
    PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
        import sepolicy
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
        raise e
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
        policy(policy_file)
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
        raise ValueError(_("Failed to read %s policy file") % policy_file)
    ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-27 21:38:24 +01:00
Petr Lautrbach
d4d1f4ba7e
Update VERSIONs to 3.2-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-24 15:49:59 +01:00
Vit Mojzis
8f0f0a28aa selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.

Explain how local file context modifications are processed.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-19 15:18:05 +01:00
Petr Lautrbach
2c7c4a84c3
Update VERSIONs to 3.2-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-03 11:26:28 +01:00
Vit Mojzis
e12f71e82f python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.

Fixes:
        $ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
        interface(`apache_manage_pid_files',`
                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
        ')
')

        #sepolgen-ifgen --interface=i.if
        i.if: Syntax error on line 2 interface [type=INTERFACE]
        i.if: Syntax error on line 4 ' [type=SQUOTE]

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-01-27 17:02:45 +01:00
Petr Lautrbach
c534d4e2ce
Update VERSIONs and Python bindings version to 3.2-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-01-20 12:40:14 +01:00
Vit Mojzis
b15dff0feb python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-01-13 23:48:24 +01:00
Vit Mojzis
92e01969d0 python/semanage: empty stdout before exiting on BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe

Fixes:
   #semanage fcontext -l | egrep -q -e '^/home'
   BrokenPipeError: [Errno 32] Broken pipe
   Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
   BrokenPipeError: [Errno 32] Broken pipe

Note that the error above only appears occasionally (usually only the
first line is printed).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-01-13 23:46:57 +01:00
Bernhard M. Wiedemann
fadcc8396c python/sepolicy: allow to override manpage date
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.

This patch was done while working on reproducible builds for openSUSE.

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
2020-11-13 10:53:59 +01:00
Christian Göttsche
2a60de8eca sepolgen: sort extended rules like normal ones
Currently:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

Changed:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Christian Göttsche
9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
W. Michael Petullo
ccd973f721
python/audit2allow: add #include <limits.h> to sepolgen-ifgen-attr-helper.c
I found that building on OpenWrt/musl failed with:

  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...

Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-07-21 08:14:43 +02:00
Petr Lautrbach
7df27b78e9 Update VERSIONs and Python bindings version to 3.1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-07-10 17:17:15 +02:00
Topi Miettinen
da3bbc31a8 semanage: handle getprotobyname() failure case
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-25 13:28:42 -04:00
Petr Lautrbach
b3d8b99f0c Update VERSIONs to 3.1-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-06-19 13:02:31 +02:00
Christian Göttsche
4613038d8e sepolgen-ifgen: refactor default policy path retrieval
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.

Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument.  If not given try the current loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).

This changes the helper command line interface from:
    sepolgen-ifgen-attr-helper policy_file out_file
to
    sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:32:07 +02:00
Christian Göttsche
c40c4e4428 refparser: add missing newline after error message
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:51 +02:00
Christian Göttsche
5adc269f95 sepolgen: parse gen_tunable as bool
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:

    Missing interface definition for gen_tunable

Add grammar for gen_tunable statements in the refparser

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:29 +02:00
Petr Lautrbach
f5ac1209f9 python/sepolicy: Use xml.etree.ElementTree.Element.iter()
xml.etree.ElementTree.Element.getiterator() was deprecated since Python 3.2 and
dropped in Python 3.9

Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args = parser.parse_args(args=parser_args)
  File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
    args, argv = self.parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
    positionals_end_index = consume_positionals(start_index)
  File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
    take_action(action, args)
  File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
    subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
  File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/bin/sepolicy", line 216, in __call__
    interface_dict = get_interface_dict()
  File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
    for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:29:21 +02:00
Topi Miettinen
f3a1614291 semanage-node.8: describe netmask
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-09 15:44:14 -04:00