Email: dwalsh@redhat.com
Subject: Several fixes to restorecond
Date: Tue, 17 Feb 2009 11:40:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Init script should be 755
libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.
restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.
So if a file has > 1 link and is an exact match complain, otherwise do not.
Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
The boundry format mapped the primary field to a boolean in the
properties bitmap. This is appropriate for the kernel policy, but in
modular policy the primary field may be an integer that indicates the
primary type that is being aliased. In this case, the primary value cannot
be assumed to be boolean.
This patch creates a new module format that writes out the primary value
as was done before the boundry format.
Signed-off-by: Caleb Case <ccase@tresys.com>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Make removing of a module a warning rather then an error.
Date: Tue, 13 Jan 2009 08:57:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This way if I say a command line
semodule -r mypol -i newmypol
and mypol was not there the semodule command does not error out.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklsnb0ACgkQrlYvE4MpobNwFACfTqc17wREKC2aAhLOIkfbqgeg
GxgAn2/ZBz5ljtyK1aiVkqoCBj98y9Ey
=I4uX
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add restorecon and install methods for libselinux python bindings.
Date: Tue, 06 Jan 2009 10:31:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>> Luke Macken wrote restorecon and install functions used in Fedora
>> Infrastructure which can be used to install files with the proper
>> context and to fix the labels of files/directories without having to
>> exec restorecon.
>
>> diff --exclude-from=exclude -N -u -r
>> nsalibselinux/src/selinuxswig_python.i
>> libselinux-2.0.75/src/selinuxswig_python.i
>> --- nsalibselinux/src/selinuxswig_python.i 2008-08-28
>> 09:34:24.000000000 -0400
>> +++ libselinux-2.0.75/src/selinuxswig_python.i 2008-11-14
>> 17:09:50.000000000 -0500
>> @@ -6,6 +6,32 @@
>> #include "selinux/selinux.h"
>> %}
>
>> +%pythoncode %{
>> +
>> +import shutil, os
>> +
>> +def restorecon(path, recursive=False):
>> + """ Restore SELinux context on a given path """
>> + mode = os.stat(path)[stat.ST_MODE]
>
>> stat doesn't exist here, perhaps he meant mode?
>
>> + status, context = matchpathcon(path, mode)
>> + if status == 0:
>> + lsetfilecon(path, context)
>> + if recursive:
>> + os.path.walk(path, lambda arg, dirname, fnames:
>> + map(restorecon, [os.path.join(dirname, fname)
>> + s for fname in fnames]),
>> None)
>
>> typo, the s causes a syntax error
>
>> +
>> +def copytree(src, dest):
>> + """ An SELinux-friendly shutil.copytree method """
>> + shutil.copytree(src, dest)
>> + restorecon(dest, recursive=True)
>> +
>> +def install(src, dest):
>> + """ An SELinux-friendly shutil.move method """
>> + shutil.move(src, dest)
>> + restorecon(dest, recursive=True)
>> +%}
>> +
>> /* security_get_boolean_names() typemap */
>> %typemap(argout) (char ***names, int *len) {
>> PyObject* list = PyList_New(*$2);
>
>> This patch doesn't appear correct, I'll fix the things above, have you
>> been testing this at all?
>
> Must have sent you a bad patch.
>
>
> This is what the current patch looks like.
>
And this is still broken.
One more fix.
+ mode = os.stat(path)[stat.ST_MODE]
should be
+ mode = os.lstat(path)[stat.ST_MODE]
Modified to remove copytree and install functions
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Problem in sepolgen
Date: Mon, 01 Dec 2008 11:51:19 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
self.roles does not exist, need to return length of dictionary.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk0FgYACgkQrlYvE4MpobP5HwCeNgjPTSPoqBQTXa14ZA9Jc0ww
yycAoNWJhg78BXm4L5Vg9cNAdNa7ggfD
=Uz8t
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Change semanage/seobject to use semanage_mls_enabled() rather than
is_selinux_mls_enabled(). I dropped the mls enabled tests altogether
from the semanage front-end script since setting up a handle is done by
seobject.py; if those checks are actually important, we could move them
inside of the seobject methods, but I'm not clear on the real benefit of
those checks. In seobject.py, I moved the setting of the is_mls_enabled
variable inside of get_handle(store) after the connect. I also dropped
the is_mls_enabled test from setransRecords since no handle/connection
exists there (since translations are not managed via libsemanage), and
again I'm not clear that the check there was overly important/useful.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a semanage_mls_enabled() interface to libsemanage so that
semanage/seobject can be rewritten to use it to test whether MLS is
enabled for a given policy store rather than checking the runtime MLS
enabled status, which can be misleading when using semanage on a
SELinux-disabled host or when using semanage on a store other than the
active one. Sample usage:
from semanage import *
handle = semanage_handle_create()
rc = semanage_connect(handle)
rc = semanage_mls_enabled(handle)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The current libsemanage code does not correctly add lines which include
USER in them into the homedir_template, for example:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
This line was included in the past since it has ROLE. However, with the
switch to UBAC separations, the line has changed to:
/tmp/gconfd-USER -d system_u:object_r:user_tmp_t
and is no longer included. The follwing patch fixes.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Latest policycoreutils package has a minor problem
Date: Mon, 10 Nov 2008 09:04:39 -0500
Checking _local twice.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: seobject_fcontext patch allows you to modify a preexisting file context.
Date: Fri, 07 Nov 2008 09:46:36 -0500
Currently semanage is not allowed to change a file context mapping if it
matches exactly, this patch allows you to modify the file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
NOTE: original patch modified to remove unused list in fcontext get_all()
Email: dwalsh@redhat.com
Subject: policycoreutils patch
Date: Thu, 23 Oct 2008 13:15:11 -0400
Change semange fcontext -a to check for local customizations rather then
global, so you can modify a file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: policycoreutils audit2allow patch
Date: Fri, 07 Nov 2008 09:36:44 -0500
audit2why can throw a runtime exception and typo in man page.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Currently, the message types are defined but not used.
This will allow better separation of messages when logging to facilities
such as libaudit.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
> I have checked policy_parse.y. It has following rule for genfscon:
>
> genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> | GENFSCON identifier path security_context_def
> {if (define_genfs_context(0)) return -1;}
>
> The rule for path definition (in policy_scan.l) has already included '-' (dash):
>
> "/"({alnum}|[_.-/])* { return(PATH); }
>
> In my understanding (maybe wrong), path is parsed first (and path might include '-') and only then separate '-' is parsed.
> But it still produces an error if path definition is correct and includes '-'.
>
> Any ideas/patches how to fix grammar rules are welcomed.
This looks like a bug in policy_scan.l - we are not escaping (via
backslash) special characters in the pattern and thus the "-" (dash) is
being interpreted rather than taken literally. The same would seemingly
apply for "." (dot), and would seem relevant not only to PATH but also
for IDENTIFIER. The patch below seems to fix this issue for me:
Email: dwalsh@redhat.com
Subject: matchpathcon -V does not always work as expected.
Date: Tue, 30 Sep 2008 08:54:18 -0400
matchpathcon -V should be passing the mode when checking whether the
file context on a file is correct.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.6)
Date: Tue, 07 Oct 2008 15:39:45 +0900
>> Hmm....
>> It seems to me what you pointed out is a bug of my patch. It prevents to deliver
>> actual number of type/attribute symbols to policy file, but it is unclear why does
>> it makes libsepol ignore the policyvers.
>> (I guess it may be a separated matter.)
>>
>>> Rather than trying to calculate the length without attributes I just removed
>>> the attribute check. This causes attributes to be written for all versions,
>>> but this should not cause any problems at all.
>> The reason why I injected such an ad-hoc code is that we cannot decide the policy
>> version written when type_attr_remove() is invoked.
>> Is it impossible to move it to policydb_write()?
>> It is invoked after the policyvers is fixed by caller.
>
> It isn't impossible. You are going to have to make it walk to type
> symbol table to calculate the length without attributes, then write
> that length instead of the total symtab length.
The attached patch enables to fixup the number of type/attribute entries
to be written. The type_attr_uncount() decrements the number of attribute
entries skipped at type_write().
At first, I had a plan to invoke type_attr_remove() with
hashtab_map_remove_on_error(), but it means the given policydb structure
is modified at policydb_write() and implicit changes to external interface.
Differences from the previous version are here:
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: method@manicmethod.com
Subject: BUGREPORT: A type alias of invisible primary one
Date: Mon, 22 Sep 2008 16:43:04 -0400
KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> I found a strange type_datum_t object which has 0 for its s.value
>>> during development of new type hierarchy checks.
>>>
>>> The strange one is "xguest_javaplugin_default_xproperty_t" which
>>> is an alias type of "xguest_javaplugin_xproperty_t".
>>>
>>> I doubted my patch at first, but it can be reproduced on the normal
>>> libsepol. It seems to me an original matter which is not exposed yet,
>>> and I am innocence. :-)
>>>
>>> During tracing the matter, I noticed the primary type is invisible
>>> at expand_module(), but the aliased one is visible. It can make the
>>> strange type_datum_t object.
>>>
>>> * at the expand_module()
>>> 1. The expand_state_t which includes typemap is initialized.
>>>
>>> 2. The type_copy_callback is invoked for any types via hashtab_map.
>>> It only copies primary and visible types into newer hashtab,
>>> and set up typemap to translate between old and new s.value.
>>> Thus, the given primary type is invisible, its slot of typemap
>>> is kept to zero.
>>> (*) is_id_enabled() for "xguest_javaplugin_xproperty_t" returned false.
>>>
>>> 3. The alias_copy_callback is invoked for any types via hashtab_map.
>>> It only copies alias and visible types into newer hashtab.
>>> Here is no check whether the primary side is visible, or not.
>>> A copied type_datum_t object for the given alias has new s.value
>>> which is picked up from state->typemap.
>>>
>>> 4. However, the target slot of state->typemap was zero, because
>>> its primary one is invisible. The aliased type has a strange
>>> s.value.
>>>
>>> 5. Type hierarchy checks got a segmentation fault, due to
>>> "p->type_val_to_name[datum->s.value - 1]".
>>> ^^^^^^^^^^^^^^^^^^ == -1
>>> Yes, we can identify cause of the matter.
>> Do you have a policy that can be used to reproduce this?
>
> Yes, the following policy can reproduce the matter.
> - - - - [ cut here ] - - - -
> policy_module(baz, 1.0)
>
> optional_policy(`
> gen_require(`
> type invisible_primary_t;
> ')
> typealias invisible_primary_t alias visible_alias_t;
> ')
> - - - - - - - - - - - - - - -
>
> The attached patch can inject some of printf()'s.
> You can see that invisible_primary_t is skipped at type_copy_callback()
> and an incorrect s.value is assigned at alias_copy_callback().
>
> Thanks,
>
This should fix it. I tested with and without your patchset on a few policies. Let me know if it doesn't work for you:
