When write_contexts() frees variables context and new_context_str after
a line has been successfully emitted, these variables are not reset to
NULL. This leads the function to free them again if an error occurs when
processing the next line. Fix this by always resetting these variables
at the beginning of the loop.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
If "names = calloc(num_modinfos, sizeof(*names))" fails in
semanage_get_cil_paths(), the function tries to frees items in array
"names" even though it is NULL. Avoid this by returning directly.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When pipe() fails in semanage_pipe_data(), this function closes all file
descriptors in variables output_fd, err_fd and input_fd even when they
have not been initialized. Fix this by initializing the file descriptors
to -1.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building and running tests on a system without SELinux with a
command similar to "make DESTDIR=/tmp/destdir install test", libsemanage
tests fail to build with the following error:
In file included from utilities.h:20:0,
from utilities.c:24:
../src/handle.h:29:26: fatal error: sepol/handle.h: No such file or
directory
#include <sepol/handle.h>
^
Fix this by adding the newly-installed directory under $DESTDIR (using
variable $PREFIX) in the search paths of the compiler.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang's static analyzer reports "Argument with 'nonnull' attribute
passed null" in append_str(), because argument t may be NULL but is used
in a call to memcpy().
Make append_str() do nothing when called with t=NULL.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).
Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).
In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.
Moreover update Travis-Ci configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building with "clang -Wwrite-strings", the compiler reports the
following warnings:
direct_api.c:1030:46: error: passing 'const char [4]' to parameter
of type 'char *' discards qualifiers
[-Werror,-Wincompatible-pointer-types-discards-qualifiers]
status = semanage_direct_write_langext(sh, "cil", modinfo);
^~~~~
direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
here
char *lang_ext,
^
direct_api.c:1030:46: error: passing 'const char [4]' to parameter
of type 'char *' discards qualifiers
[-Werror,-Wincompatible-pointer-types-discards-qualifiers]
status = semanage_direct_write_langext(sh, "cil", modinfo);
^~~~~
direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
here
char *lang_ext,
^
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When generating file_contexts.homedirs, libsemanage enumerates the users
on the system and tries to find misconfiguration issues by comparing
their home directories with file contexts defined in the policy. The
comparison is done by fcontext_matches().
Currently this function only operates on file contexts with type ALL,
but it makes sense to also operate on the DIR ones, as a comment states
in the function.
For example on a system with the following entry in /etc/passwd:
mytestservice❌2000💯:/var/lib/mytestservice/dir:/bin/bash
and with the following file context definition:
/var/lib/mytestservice/.* -d gen_context(system_u:object_r:var_lib_t,s0)
"semodule -B" now shows the following warning:
libsemanage.get_home_dirs: mytestservice homedir
/var/lib/mytestservice/dir or its parent directory conflicts with a
file context already specified in the policy. This usually
indicates an incorrectly defined system account. If it is a system
account please make sure its uid is less than 1000 or greater than
60000 or its login shell is /sbin/nologin.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Fix unitialized variable compiler warnings when using the
"-O -Werror" flags on gcc6 by initializing the variables in
question. It was possible for err_data_len to be used without
initialization, but not cil_data_len.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
ustr library uses old (pre-C99) "extern inline" semantic. This makes it
incompatible with recent versions of gcc and clang, which default to
C99 standard. Distributions have shipped patched versions of this
library to fix issues (e.g. Gentoo package uses this patch:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/ustr/files/ustr-1.0.4-gcc_5-check.patch?id=7dea6f8820f36bf389e6315044bea7507553bed0
) but there is no upstream solution to make ustr compatible with C99
standard.
The git tree of ustr (http://www.and.org/ustr/ustr.git) has not been
updated since 2008 and the developer of this project did not reply to
emails.
Therefore update genhomedircon implementation in order to no longer
rely on ustr library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use string functions from C standard library instead of ustr. This makes
the code simpler and make utilities.c no longer depend on ustr library.
This changes how semanage_split() behaves when delim is not empty (NULL
or "") and the input string contains several successive delimiters:
semanage_split("foo::::bar", ":") returned "bar" and now returns ":bar".
This would not have any impact in the current code as semanage_split()
is only called with delim="=" (through semanage_findval(), in
libsemanage/src/genhomedircon.c), in order to split a "key=value"
statement.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Before modifying semanage_split_on_space() and semanage_split(), test in
test_utilities.c how these functions behave for example when several
delimiter tokens are concatenated in the input string.
While at it, fix the memory leaks which were present in libsemanage
tests.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In order to run libsemanage tests, libsepol and libselinux source
directories need to exist next to libsemanage source directory. This
prevents tests to be run when using the released package.
As libsemanage tests only use public API of libselinux and libsepol,
link with the shared objects which are likely to be installed on the
system (or at least present in $DESTDIR).
While at it, drop TESTSRC variable as it was used to find libsemanage
internal headers but not the tested library (libsemanage.a). Moreover
add ../src/libsemanage.a to the target dependencies of the test
executable in order to rebuild it after libsemanage.a has been updated.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When modifications to libsemanage functions break the test cases tested
with the CUnit framework, "make test" currently succeeds, even though it
prints an output similar to:
Suite: semanage_store
Test: semanage_store_access_check ...passed
Test: semanage_get_lock ...passed
Test: semanage_nc_sort ...passed
Suite: semanage_utilities
Test: semanage_is_prefix ...passed
Test: semanage_split_on_space ...FAILED
1. test_utilities.c:150 - CU_ASSERT_STRING_EQUAL(temp,"baz")
Test: semanage_split ...passed
Test: semanage_list ...passed
Test: semanage_str_count ...passed
Test: semanage_rtrim ...passed
Test: semanage_str_replace ...passed
Test: semanage_findval ...passed
Test: slurp_file_filter ...passed
Like commit 2489b50a91 ("libsepol: make "make test" fails when a CUnit
test fails") did for libsepol tests, modify the logic of function
do_tests() to return an error value when there has been at least one
failure. This makes "make test" fail as expected.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Tools like lcov (for code coverage) does not like files named
"<stdout>". For example it reports errors like:
genhtml: ERROR: cannot read
/usr/src/selinux/libsemanage/src/<stdout>
When using flex -o option, the output file name gets written in the
generated C code, which solves this issue.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Makefiles currently install the Python wrapper libraries using .so
suffix (_selinux.so, audit2why.so and _semanage.so). Even though this
works well with CPython 2 and 3, PyPy fails to find these files because
it is looking for files with a specific version token in the suffix (eg.
_selinux.pypy-41.so).
This suffix is advertised by the imp module. Here is the result of
'import imp;print([s for s, m, t in imp.get_suffixes() if t ==
imp.C_EXTENSION])' for several Python versions:
Python 2.7.12: ['.so', 'module.so']
Python 3.5.2: ['.cpython-35m-x86_64-linux-gnu.so', '.abi3.so', '.so']
PyPy 5.4.1 (Python 2.7.10): ['.pypy-41.so']
PyPy3 5.5.0-alpha0 (Python 3.3.5): ['.pypy3-55.so', '.pypy3-55.so']
Define the name of the installed Python-C extension using the first
extension of these lists, in order to make the Python extensions
compatible with pypy.
When building the Python wrappers for PyPy and PyPy3 on Linux, the
following environment variables need to be set (PyPy does not provide a
pkg-config file nor a platform-agnostic way to build the string
"-lpypy-c"):
PYTHON=pypy (or PYTHON=pypy3)
PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include
PYLIBS=-lpypy-c (or PYLIBS= if LDFLAGS does not have
-Wl,-no-undefined)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using SWIG_fail in the Python SWIG wrappers makes the wrapping function
destroy/free the memory which could have been dynamically allocated
before calling the wrapped function. This thus prevents possible memory
leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(),
etc.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang does not support -aux-info option. When exception.sh is run with
CC=clang, use gcc to build selinuxswig_python_exception.i and
semanageswig_python_exception.i.
This does not solve the issue of building libselinux and libsemanage
Python wrappers on a system without gcc. However parsing the result of
"gcc -aux-info" is easier than parsing the header files so stay with
this command at least for now.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Python wrapper module needs to be
linked with the right libpython.so. This library is found using
pkg-config in a new PYLIBS variable.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use the python interpreter to find the install directory, like commit
8162f10e67 ("libselinux: query for python site-packages dir directly")
did for libselinux.
While at it, do not install semanage.py (generated by SWIG) with
executable permission bits.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Ruby wrapper module needs to be linked
with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS
variable to find this library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This makes building libselinux and libsemanage more robust on systems
with several versions of Ruby installed: when building, only RUBY needs
to be set, without wondering about PKG_CONFIG_PATH or other environment
variables.
Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but
since previous Ruby versions are retired since 2015-02-23 this should
not have any impact
(https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/).
While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to
install the Ruby extension, like commit 1cd80faa53 ("libselinux:
versioned ruby pkg-config and query vendorarchdir properly") did for
libselinux.
My main motivation with this patch is to make the build configuration
easier to define on Travis-CI or other continuous integration platforms.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When removing a login using semanage with Python 3 the following error
occurs:
# semanage login -l | grep my_user
my_user user_u
# semanage login --delete my_user
ValueError: Login mapping for my_user is not defined
This is due to a use-after-free in the swig-generated code for python3
bindings.
Copy the user name in semanage_seuser_key_create() and free it in
semanage_seuser_key_free(), like commit eac6f1f1b5 ("libsepol:
sepol_{bool|iface|user}_key_create: copy name") did.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:
bash exception.sh > selinuxswig_python_exception.i
clang-3.9: error: no such file or directory: 'temp.aux'
awk: fatal: cannot open file `temp.aux' for reading (No such file or
directory)
This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.
In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.
As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.
By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python wrapper is already removed in the clean target (with
$(SWIGSO)) so remove the Ruby wrapper too.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Building with CC=clang, we get the following errors:
semanage_store.c:2177:20: error: implicit conversion from enumeration type 'enum semanage_final_defs' to different enumeration type 'enum semanage_store_defs' [-Werror,-Wenum-conversion]
semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~
semanage_store.c:2177:40: error: implicit conversion from enumeration type 'enum semanage_final_path_defs' to different enumeration type 'enum semanage_sandbox_defs' [-Werror,-Wenum-conversion]
semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~
This is an actual bug; semanage_verify_kernel() was never updated to
use semanage_final_path() when the rest were converted. Fix it.
This pathname is only used if a kernel policy verifier is specified
in semanage.conf, so this is not used by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a non-MLS policy was used with genhomedircon context_from_record()
in sepol would report an error because an MLS level was present when MLS
is disabled. Based on a patch by Gary Tierney, amended to use
sepol_policydb_mls_enabled rather than semanage_mls_enabled because
we are testing the temporary working policy, not the active policy.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As reported by Gary Tierney, genhomedircon suppresses logging from
libsepol when validating contexts. This can result in an
empty file_contexts.homedirs file without any warning to the user
if policy has been incorrectly configured. Remove the code that
was suppressing the logging so that errors are reported to the user.
Reported-by: Gary Tierney <gary.tierney@gmx.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Treat a users prefix like a mapping to the role for file context
specifications in users homedirs. This behavior is only applicable when
the users prefix is the identifier of a role which is valid for the
given user. If the prefix is not a valid role, then genhomedircon will
write contexts out as normal.
Additionally, this commit enables configuring RBACSEP in policy:
(tunableif enable_rbacsep
(true
(userprefix user_u user_r)
(false
(userprefix user_u object_r))))
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
The local: * entry should only be in the base entry, not in each of them.
This is part of resolving gold linker build failures reported by
Jason Zaman.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit 7a728e46 changed module installation so that a module pp would
be installed using its module name instead of its filename and a warning
would be printed if they were different. With this change, base modules
could no longer be installed because of the way error handling was done.
This change fixes the error handling, so that when a base module is
installed it will be installed using its filename (since it does not
have a module name).
Based on bug report by Jason Zaman
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
A mispelling in the Makefile in the root directory prevented "make
distclean" to go into subdirectories.
In libsemanage/src/, semanageswig_python_exception.i was not cleaned by
"make distclean" because the target did not use $(GENERATED) and this
variable was being redefined in the Makefile.
Fix these two bugs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
7a728e46 commit supposed to add a warning when a module name is
different than a filename, but this warning is printed always. This
commit fixes it.
Fixes:
$ semodule -X 400 -i testmod.pp
Warning: SELinux userspace will refer to the module from testmod.pp as
testmod rather than testmod
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
When a user installs a module, the filename is used as the module name.
This change was introduced with CIL language where a module name is not
stored in the module itself. It means that when a pp module has
different filename and stored module name, the filename is used instead
of the stored module name. It brings problems with compatibility for
scripts and modules which were built and used on older system and were
migrated to the new userspace.
This patch changes the behavior of semanage_direct_install_file() which
is used by 'semodule -i' so that when a module with pp language
extension is installed, it tries to get and use a stored module name
instead of a filename. A warning message is provided.
The warning message in policycoreutils/hll/pp is updated to reflect this
change:
$ semodule -X 400 -i /root/testfile.pp
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
$ /usr/libexec/selinux/hll/pp /root/testfile.pp testfile.cil
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Allow using other compilers such as clang. Without this, the build fails
when $(CFLAGS) contains clang-specific flags:
gcc: error: unrecognized command line option '-Weverything'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.
This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
libsemanage presently runs setfiles -c to validate the file_contexts
files and sefcontext_compile to compile them to file_contexts.bin
after installing the final files under /etc/selinux. As a result,
any error that occurs during this processing may leave invalid files
in /etc/selinux. Move this processing before installing the files
to their final location, and then copy the .bin files that were
generated.
This prevents an error like:
semanage fcontext -a -t httpd_exec_t "/foo["
from reaching the /etc/selinux directory at all, e.g.
$ sudo semanage fcontext -a -t httpd_exec_t "/foo["
[sudo] password for sds:
/var/lib/selinux/final/targeted/contexts/files/file_contexts.local: line 4 has invalid regex /foo[: missing terminating ] for character class
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
OSError: Error
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch is part of the Debian effort to make the build reproducible
Thank to Reiner Herrmann <reiner@reiner-h.de> for the patches
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
Compilation tools respects certain environment variables, like CC.
However, in libselinux and libsemanage, they are not respected
everywhere. This command fixes respect for those variables, falling back
to the previous hardcoded values if not specified.
Originally the fallback regex for the username was either ".*" or
"[^/]*". The second is more correct but still can match nothing.
changing the * to + means that it must match at least one character.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The fallback user is used in all the write functions, making all the
functions take the struct directly allows us to have everything
consistent between normal and fallback users.
Signed-off-by: Jason Zaman <jason@perfinion.com>
All the write_*_contexts() methods use exactly the same code.
This splits it off into a common helper function.
Signed-off-by: Jason Zaman <jason@perfinion.com>
libsemanage/tests/Makefile currently overwrites CFLAGS and LDFLAGS
contents. This makes building with custom flags (e.g. with address
sanitizer) harder. Append flags to these variables instead.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In semanage_direct_set_module_info() and semanage_direct_list_all()
functions, when modinfo_tmp variable gets initialized, a branch to
"cleanup" label may have already been taken. This leads to this
variable being possibly used uninitialized in these functions.
This is reported by clang:
direct_api.c:2491:41: error: variable 'modinfo_tmp' may be
uninitialized when used here [-Werror,-Wconditional-uninitialized]
ret = semanage_module_info_destroy(sh, modinfo_tmp);
^~~~~~~~~~~
direct_api.c:2334:2: note: variable 'modinfo_tmp' is declared here
semanage_module_info_t *modinfo_tmp = NULL;
^
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In semanage_direct_commit() error path, bools_modified can be used in a
if statement without being initialized (when a "goto cleanup" is taken
early). clang warns about this bug:
direct_api.c:1441:18: error: variable 'bools_modified' may be
uninitialized when used here [-Werror,-Wconditional-uninitialized]
if (modified || bools_modified) {
^~~~~~~~~~~~~~
direct_api.c:1087:48: note: initialize the variable 'bools_modified'
to silence this warning
preserve_tunables_modified, bools_modified,
^
= 0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
users_extra is needed by genhomedircon and when listing seusers, so it
must be kept in the policy store. Also move the FC_TMPL unlink() closer
to where the FC_TMPL is created; not a functional change, but eaiser to
follow.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
We don't currently store homedir_template in the policy store, which
means genhomedircon only has a template file to use if the
homedir_template was generated from the file contexts in the same
transaction. But homedir_template isn't always generated, as in the
case with setsebool -P. In this and other cases, genhomedircon will not
have a template file resulting in an empty file_contexts.homedir file.
This commit changes this so that homedir_template is always stored in
the policy store so it can be used by genhomedircon regardless of how
policy was built. Also add the homedir_template file to the migration
script.
Signed-off by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
If modkey is NULL, semanage_module_key_destroy() would still try to
initialize a modkey after freeing it.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Add semanage_module_extract() to extract a module as CIL or HLL. The
function takes a module name and whether to extract as CIL or HLL.
If a CIL file is requested, but does not exist, semanage_module_extract()
will compile the HLL to CIL and cache the CIL in the store as well as
extract the module. A module that was installed from a CIL file will export
as CIL when the HLL version of the file is requested.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This patch writes file_contexts and seusers to the policy store as well as
/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
store rather than the final directory which was the old behavior. This allows
all policy related files to be kept in the policy store.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
This patch writes policy.kern and file_contexts.local to the policy store as
well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
are now parsed from the store rather than the final directory which was
the old behavior. This allows all policy related files to be kept in the
policy store.
This patch also renames /var/lib/selinux/tmp to 'final' and changes
policy.kern in the store to longer be a symlink.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
When a compressed module doesn't have two extensions with lang and
compression, 'semodule -i <module>.<lang>' fails. This changes the
language detection to allow to use modules only with .<lang>
extension.
Fixes:
libsemanage.semanage_direct_install_file: Module does not have a valid
extension. (No such file or directory).
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
The modules from the old store were previously copied to the new one
using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
about the new policy location[1], copying the contexts is redundant.
More importantly, the setcreatefscon caused a constraint violation[2]
which made the migration fail. In python3, shutil.copy2() copies xattrs
as well which again causes problems. shutil.copy() is enough for our
needs here as it will copy the file and permissions in both py2 and 3.
We do not need the extra things that copy2() does (mtime, xattr, etc).
[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
[2]
type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
allow semanage_t semanage_store_t:dir create;
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Changes from v1:
- Changed some methods to not take a src param anymore.
Unconditionally check the magic number before BZ2_bzReadOpen()
instead of only when bzip_blocksize=0, since it falls through.
That way if the file is not compressed it will return immediately
and map_file can mmap it. If the file is compressed then it will
go through the BZ2 functions and any errors will be reported correctly.
This fixes 0afd5de5c1 so that a bz2 error
isn't reported when a uncompressed pp is installed successfully.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
There's no guaranty that last item in "char fname[]" will be a null character.
Fixes segfault on some systems:
Test: semanage_nc_sort ...passedtest_semanage_findval: : Invalid argument
libsemanage-tests: TestRun.c:160: CU_assertImplementation: Assertion `((void *)0) != f_pCurTest' failed.
make[1]: *** [test] Aborted (core dumped)
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Do not pass in the policydb where not necessary
- Tell CIL what policy version and target platform to use when building
the policydb
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
- Free args as they are parsed and strdup args when neccessary. Memory used for
lex initialization is now freed using yylex_destroy().
- Add noyywrap option to flex. This is the correct way to make the scanner
not call yywrap upon an end of file. Before, we were overriding the
function and returning 1.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
This adds a 'remove-hll' option to semanage.conf. If set to 'true', all
HLL files will be removed from the SELinux store after successfully
buildling the SELinux modules. The default for this option is 'false'.
In order to delete already compiled HLL files, the modules need to be
recompiled with the ignore-module-cache option.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Fixes segfault on systems with less than 256K stack size.
After change, I was able to run semodule -l with a 32K stack size.
Additionally, fix potential memory leak on realloc failure.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
All files in /var/lib/selinux/ are now labeled the same as those in
/etc/selinux/<store>/modules/active, which in refpolicy is semanage_store_t.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Stops leaking of file descriptors to things like load_policy and
setfiles.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Mainly used the 2to3 conversion tool. Also added in a __future__
import so that the script continues to work on Python 2.
Tested on 2.7, 3.3, 3.4. Should work on 2.6 too but untested.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
The libsemanage Makefile currently installs libsemanage.so.1 into
SHLIBDIR, but links libsemanage.so to libsemanage.so.1 in LIBDIR. This
means things will only work if SHLIBDIR and LIBDIR are the same.
Fortunately, by default, they are the same because the default of
SHLIBDIR is set to PREFIX/lib (same as LIBDIR default) instead of the
standard DESTDIR/lib. Unfortunately, if a user overrides SHLIBDIR, by
doing something like the following:
make DESTDIR=~/tmp/ LIBDIR=~/tmp/usr/lib SHLIBDIR=~/tmp/lib install
then a broken symlink is created. Note that in some cases this may still
work even when SHLIBDIR and LIBDIR are not the same, e.g.:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install
But this only works because, in systems like Fedora, /lib is a symlink
to /usr/lib, so SHLIBDIR and LIBDIR are the same even though it doesn't
immediately look like it.
This patch changes the libsemanage Makefile to set the default value of
SHLIBDIR to the standard DESTDIR/lib to prevent confusion, and installs
libsemanage to LIBDIR and completely ignores SHLIBDIR.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes a warning from "gcc -Wwrite-strings", when
semanage_module_install_hll is called with "pp" as last parameter.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" fails to compile seusers_local.c:
seusers_local.c: In function 'semanage_seuser_modify_local':
seusers_local.c:122:6: error: 'rc' may be used uninitialized in this
function [-Werror=maybe-uninitialized]
It seems rc is not initialized when the call to semanage_seuser_clone
fails in semanage_seuser_modify_local.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Allow an alternative selinux store root path to be used. The option
can be set in semanage.conf as store_root. If no option is provided, the
default path for the store_root is "/var/lib/selinux".
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
An HLL to CIL compiler must exist in the compiler_directory path which
is configubrable in semanage.conf. By default, this path is
/usr/libexec/selinux/hll/. The compiler name needs to match the HLL
language extension. For example, for pp files,
/usr/libexec/selinux/hll/pp must exist.
The HLL infrastructure uncompresses the HLL module and pipes the data to
the appropriate CIL compiler. The output CIL from the compiler is read
from another pipe, compressed, and saved to the module store as a cached
CIL file. This file will be used on all subsequent policy builds, unless
a new module is installed with the same name at the same priority, at
which point the cache is deleted and is subsequently rebuilt and cached.
A new option is added to semanage.conf, ignore_cache, which if set to
true will cause the cached CIL files to be ignored and all HLL files to
be recompiled and the resulting CIL to be recached.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
We created a migration script to ease the burden of transition from the
old libsemanage store layout to the new. The script will detect all the
stores in /etc/selinux using the old layout and convert them to the new
layout in /var/lib/selinux. It also allows you to specify the default
priority to use with -p and store to operate on with -s. After migration
the script by default will leave the old store unchanged, but can be
told to remove the old modules directory with -c. Reloading policy post
migration can be disabled with the -n option.
Examples:
semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
semanage_migrate_store -s targeted
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
semanage_migrate_store -p 150
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
Signed-off-by: Chad Sellers <csellers@tresys.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
With CIL, the filename and language extension are no longer stored in
the modules themselves like with pp files. So parse this information
from the filename when given a file to install, and require the
information be passed when just data. Symbolic versioning is used to
maintain ABI compatability with the old install functions. API
compatability is not maintained.
Also, remove version from the module info struct and the
semanage_module_info_{get,set}_version functions. These functions have
not been part of an official release, so removing them without providing
ABI/API compatability should not break anything.
Because versioning is removed, semanage_module_upgrade can no longer
perform the necessary checks to ensure an old module is not overriding
a newer module. So, this just remove the upgrade functions from the API.
Functions are added to maintain ABI compatability, which call the
install functions.
Also, CIL has no concept of a base module, so remove the notion of a
base module, including the API functions semanage_module_base_install
and related functions. To maintain ABI compatability, functions are
added which call the new install functions, thus treating base modules
as if they are normal modules.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
The target platform used to come from the base module. However, CIL has
no concept of a base module or a target platform. This adds an option to
semanage.conf (target-platform) to control how policies should be built.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Rather than getting the list of pp modules and parsing their headers to get
the name, use the new source policy functions to get the necessary
information from the module store.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Removed in commits:
- Revert "libsemanage: introduce semanage_set_root and friends"
- Revert "libsemanage: Alternate path for semanage.conf"
- Revert "libsemanage: Use default semanage.conf as a fallback"
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This uses symbolic versioning to maintain ABI compatability with the old
versions of semanage_module_get_enabled. Also to maintain ABI, the functions
semanage_module_{enable,disable} are added back and modified to call the
new semanage_module_set_enabled function.
Removed in commits:
- Revert "Last attempt at upstreaming semodule_disable patch."
- Revert "fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4"
- Revert "libsemanage: change module disabled from rename to symlink"
- Revert "libsemanage: Cleanup/fix enable/disable/remove module."
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
include/semanage/handle.h
* Exports the handle get/set default priority functions.
include/semanage/module.h
* Exports the module info management functions.
* Exports the get/set enabled status functions.
* Exports the module key management functions.
* Exports the module install, upgrade, remove info/key functions.
include/semanage/semanage.h
This patch includes the modifications to the map file for exporting the
necessary functions.
Examples:
/* changing the default priority for a distro install */
semanage_set_default_priority(sh, 100);
/* creating module meta data */
semanage_module_info_t *modinfo = NULL;
semanage_module_info_create(sh, &modinfo);
/* filling in that data */
semanage_module_info_set_priority(
sh,
modinfo,
semanage_get_default_priority(sh));
semanage_module_info_set_name(
sh,
modinfo,
"mymodule");
semanage_module_info_set_version(
sh,
modinfo,
"0.1.2");
semanage_module_info_set_lang_ext(
sh,
modinfo,
"pp");
semanage_module_info_set_enabled(
sh,
modinfo,
-1); /* Sets enabled to default:
* If the module was already enabled/disabled
* then it will remain so after install.
* If it wasn't, then it will be enabled.
*/
/* install the module */
semanage_module_install_info(sh, modinfo, data, data_len);
/* cleanup modinfo */
semanage_module_info_destroy(sh, modinfo);
/* create a key for retrieving a module's meta data */
semanage_module_key_t *modkey = NULL;
semanage_module_key_create(sh, &modkey);
/* Only set the module name, this will find the highest
* priority module of that name.
*/
semanage_module_key_set_name(sh, modkey, "mymodule");
/* get the newly installed module */
semanage_module_get_module_info(sh, modkey, &modinfo);
/* get the priority of the module found */
uint16_t priority = 0;
semanage_module_info_get_priority(sh, modinfo, &priority);
/* set the priority in the key to the one found */
semanage_module_key_set_priority(sh, modkey, priority);
/* remove the highest priority module with the name "mymodule" */
semanage_module_remove_key(sh, modkey);
/* print all the modules installed */
semanage_module_info_t *modinfos = NULL;
int modinfos_len = 0;
semanage_module_list_all(sh, &modinfos, &modinfos_len);
char *name = NULL;
int i = 0;
for (i = 0; i < modinfos_len; i++) {
semanage_module_info_get_priority(
sh,
semanage_module_list_nth(modinfos, i),
&priority);
semanage_module_info_get_name(
sh,
semanage_module_list_nth(modinfos, i),
&name);
printf("%d\t%s\n", priority, name);
}
Signed-off-by: Chad Sellers <csellers@tresys.com>
These functions install/remove modules based on the module
info/key. The motivation for these interfaces is to provide the
additional information about a module (version, language, and enabled
status) at install time and also to separate the meta-data in
preparation for supporting source policies.
This patch combines the implementations of all the
install/remove functions to use the
semanage_direct_install_info and semanage_direct_remove_key functions.
The motivation here is to reduce the amount of duplicate installation code
(for example, semanage_direct_install and semanage_direct_install_file have
separate but similar implementations).
With this patch the transition from the old store layout to the new one
is finished. This is accomplished mostly through the modification of
install functions and semanage_get_modules_names.
Signed-off-by: Chad Sellers <csellers@tresys.com>
