Policy module structure created by libsepol out of base module
contains NULL in module name, which results in segfault in "pp"
compiler. Add NULL check.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1350806
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".
Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fixfiles links to restorecon. However if you start with restorecon
"restore file(s) default SELinux security contexts", you can easily
miss the fixfiles script. fixfiles is more generally useful than
`restorecon -R`. For example `restorecon -R /` is not as good as
`fixfiles restore`, because the restorecon command will try to relabel
`/sys` and fail noisily.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Fix missing and surplus commas. Fix the following formatting errors:
.BR selinux(8)
renders the the "(8)" in bold as well as the "selinux". This is wrong.
.B selinux
(8)
renders with a space between "selinux" and "(8)", this is wrong.
.B selinux (8)
commits both of the above mistakes.
.BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
.BR selinux (8),
.BR apparmor (8)
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
This removes the following warning when running sepolicy gui command:
/usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
When running sepolgen tests on a Linux 4.7 kernel, one test fails with
the following message:
/usr/bin/semodule_package: Failed to mmap
tmp/module_compile_test.mod.fc: Invalid argument
The .fc file is empty, which is why it cannot be used with mmap().
Anyway the current code supports empty files (with if() conditions in
main()) so do not try to mmap an empty file in file_to_data().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Ubuntu some header files are located in /usr/lib/x86_64-linux-gnu/,
not /usr/lib64/:
$ pkg-config --cflags dbus-glib-1
-I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
Use pkg-config instead of hard-coded paths to find glib and dbus-glib
headers and libraries.
This is needed in order to use environments provided for example by
https://travis-ci.org/.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Return column definitions to portsPage (gui fails to load otherwise).
fcontextPage:
"ftype" dropdown was filled from 2 sources (system-config-selinux.glade
and fcontextPage - from seobject module) which resulted in duplicate
and invalid options. When given to "semanage fcontext -f", ftype has to be
converted to 1 letter argument mode.
TreeView.get_selection().get_selected() can return "None" if no item is selected
(the list can be empty). Test if correct iterator was acquired.
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1344842
Signed-off-by: vmojzis <vmojzis@redhat.com>
Reverse the sense of the -D option, from disabling setting/use of
security.restorecon_last to enabling it, making disabled the default state.
Rationale:
1) Users often use restorecon to fix labels on files whose labels are
wrong even through nothing has changed in file_contexts, e.g. after
copying/moving files to a different location. They won't expect
restorecon to suddenly stop relabeling by default because the hash of
file_contexts hasn't changed.
2) Only processes running with CAP_SYS_ADMIN can set
security.restorecon_last, so this will fail for non-root users anyway.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit f1352e7399 ("policycoreutils: setfiles - Utility to find
security.restorecon_last entries") introduced restorecon_xattr binary
without adding it to .gitignore.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
This patch adds restorecon_xattr(8) to find and/or remove
security.restorecon_last entries added by setfiles(8) or
restorecon(8). Uses the services of selinux_restorecon_xattr(3).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add -D option to setfiles and restorecon - Do not set or update
directory SHA1 digests when relabeling files. This will allow
users the option of not using the "security.restorecon_last"
extended attribute feature.
Also review and update the man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When a user installs a module, the filename is used as the module name.
This change was introduced with CIL language where a module name is not
stored in the module itself. It means that when a pp module has
different filename and stored module name, the filename is used instead
of the stored module name. It brings problems with compatibility for
scripts and modules which were built and used on older system and were
migrated to the new userspace.
This patch changes the behavior of semanage_direct_install_file() which
is used by 'semodule -i' so that when a module with pp language
extension is installed, it tries to get and use a stored module name
instead of a filename. A warning message is provided.
The warning message in policycoreutils/hll/pp is updated to reflect this
change:
$ semodule -X 400 -i /root/testfile.pp
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
$ /usr/libexec/selinux/hll/pp /root/testfile.pp testfile.cil
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:
$ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
clang -Wl,-as-needed,-no-undefined -I/usr/include
-DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -c -o
seunshare.o seunshare.c
clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
unused
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
