Import the setools classes needed for Python bindings from specific
setools modules in order to reduce the dependency footprint
of the Python bindings. Importing the top-level module causes all
setools modules to be loaded which includes the modules that require
networkx.
SELinux packages belong to the group of core system packages on Gentoo
Linux. It is desirable to keep the system set as small as possible,
and the dependency between setools and networkx seems to be the easiest
link to break without major loss of functionality.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html
seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
While using Ansible's Selinux module to manage ports, I discovered
that numerical ports caused an unhandled exception in 'seobject.py'.
This appears to be a bug, and I am proposing a fix which checks the
type of the argument before operating on it. This maintains the
original functionality in the case of a string, and acts in the same
fashion if you supply an integer.
I did not find any open bug report against the SELinux project. The
downstream bug report is here:
https://github.com/ansible/ansible/issues/60968
Signed-off-by: Joshua Schmidlkofer <joshua@joshuainnovates.us>
Fixes:
# semanage port -a -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
# semanage port -d -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Return value of "customized" has to be iterable.
Fixes:
"semanage export" with no modules in the system (eg. monolithic policy)
crashes:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 970, in <module>
do_parser()
File "/usr/sbin/semanage", line 949, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 771, in handleExport
for c in OBJECT.customized():
TypeError: 'NoneType' object is not iterable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
seobject.py is not supposed to be used as entrypoint therefore the shebang is
unnecessary. It also doesn't need execute bits.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).
Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).
Fixes:
# dnf install selinux-policy-mls
# cat > mypolicy.cil
(boolean xyz false)
# semodule -i mypolicy.cil -s mls
# semanage boolean -l -S mls
...
irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans.
OSError: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.
With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.
Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Fixes:
$ sudo semanage
Traceback (most recent call last):
File "/usr/sbin/semanage", line 28, in <module>
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
class portRecords(semanageRecords):
File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
return ({
File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'
https://github.com/SELinuxProject/selinux/issues/81
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When MLS is disabled, "semanage export" shows records such as:
login -a -s sysadm_u -r 'None' me
Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.
Fixes e.g.:
\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 458, in transition
mytrans = setrans(args.source, args.target)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
self._process(self.source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
trans = _get_trans(source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
Resolves:
\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined
\# seinfo -tsvirt_sandbox_file_t -x
TypeName container_file_t
Aliases
svirt_sandbox_file_t
svirt_lxc_file_t
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:
File "./python/semanage/seobject.py", line 143
except OSError, ImportError:
^
SyntaxError: invalid syntax
The correct syntax consists in using parentheses.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Test if audit module is enabled so that logger class is defined
correctly.
Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
self.store is always a string (actual store name or "") because of
semanageRecords.__init__. Fix check for not defined store.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
moduleRecords.modify() calls nonexistent function
semanage_module_update_file (maybe it should have been
semanage_module_upgrade_file which is now obsolete and calls
semanage_module_install_file) and the job of updating a module is done
by moduleRecords.add().
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Commit 985753f changed behavior of seobject class constructors. While
semanage itself was fixed, there are other tools like
system-config-selinux and chcat which depend on the original behavior.
This change make the constructors backward compatible.
Fixes: $ system-config-selinux
Traceback (most recent call last):
File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in <module>
app = childWindow()
File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__
self.add_page(booleansPage.booleansPage(xml))
File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__
self.load(self.filter)
File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load
self.booleans = seobject.booleanRecords()
TypeError: __init__() missing 1 required positional argument: 'args'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Update Infiniband "port" and "key" listing and export to work on
python3.
{}.keys() does not support .sort() operation on Py3.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Replace nonexistent switch "-x" by "-z" (entry name).
Fix invalid index (the dictionary key is a 2-tuple).
Add MLS/MCS range (present in all entries).
Fixes:
#semanage ibendport -E
File "/usr/sbin/semanage", line 1049, in <module>
do_parser()
File "/usr/sbin/semanage", line 1028, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 605, in handleIbendport
for i in OBJECT.customized():
File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 1806, in customized
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
IndexError: tuple index out of range
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
We want to call semanage_set_reload() only if -N option is used.
Fixes:
$ sudo umount /sys/fs/selinux
$ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
In order to do that we need to propagate args into seobject objects and
use args.store to get a store name.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"
"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces
in indentation what makes python3.6 unhappy.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
A backslash-character pair that is not a valid escape sequence now
generates a DeprecationWarning. Although this will eventually become a
SyntaxError, that will not be for several Python releases.
The problem appears when you use '-W error':
$ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")'
File "<string>", line 1
SyntaxError: invalid escape sequence \-
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
[ Edited commit message as per suggestion from Petr Lautrbach ]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
To resolve the error, handle the OSError exception, but retain the
previous query operation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427
Signed-off-by: Kyle Walker <kwalker@redhat.com>
