audit2allow testsuite requires a system which uses SELinux with a MLS
policy. This is a lot to ask for a continuous integretation system.
Thankfully this can be worked around by using option -p to run the tools
with a specific configuration. Doing this, the testsuite can even be run
on a system without SELinux.
This approach requires building a custom policy for parsing test.log.
Add a minimal policy written in CIL for this need.
While at it:
* Do not invoke "sudo sepolgen-ifgen" but produce a file in a writable
directory (instead of /var/lib/sepolgen/interface_info)
* Use sys.executable instead of 'python', in order to really test
python3 and python2 when calling the test script with one of these
interpreters.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Importing modules inside functions is quite uncommon in Python. This is
nevertheless required with sepolicy because it loads the current SELinux
policy when it is imported (and raises ValueError when this fails).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Importing sepolicy as non-root on a system with SELinux causes the
following exception to be raised:
ValueError: No SELinux Policy installed
Ignore this when using audit2why, which allows using it with option
--policy as a non-root user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:
.../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
<_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
encoding='UTF-8'>
Fix this by properly closing the file in PathChooser.__init__().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The sorting order seems to be fragile because '100' < '99', so the policy
filename needs to be parsed in order to extract the version as an integer and
sort according to it.
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.
With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.
Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Fixes:
$ sudo semanage
Traceback (most recent call last):
File "/usr/sbin/semanage", line 28, in <module>
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
class portRecords(semanageRecords):
File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
return ({
File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'
https://github.com/SELinuxProject/selinux/issues/81
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
PLY (Python Lex-Yacc) 3.11 has been released in February 2018:
- http://www.dabeaz.com/ply/index.html
- https://github.com/dabeaz/ply/releases/tag/3.11
Copy lex.py and yacc.py from this new release.
This fixes the following warning from "make test":
python run-tests.py
../src/./sepolgen/lex.py:634: DeprecationWarning: Using or importing
the ABCs from 'collections' instead of from 'collections.abc' is
deprecated, and in 3.8 it will stop working
if isinstance(t, collections.Callable):
(Python 3.3 moved collections.Callable to collections.abc.Callable)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2
Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When MLS is disabled, "semanage export" shows records such as:
login -a -s sysadm_u -r 'None' me
Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
vagrant unconfined_u s0-s0:c0.c1023 *
Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:
vagrant unconfined_u s0-s0:c0.c1023,c42 *
This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.
Fix this issue by splitting the list of categories before calling
expandCats().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
flake8 reports many warnings for chcat:
chcat:7:1: E265 block comment should start with '# '
chcat:29:1: F401 'string' imported but unused
chcat:44:1: E722 do not use bare 'except'
chcat:104:9: F841 local variable 'e' is assigned to but never used
chcat:144:9: F841 local variable 'e' is assigned to but never used
chcat:186:9: F841 local variable 'e' is assigned to but never used
chcat:234:9: F841 local variable 'e' is assigned to but never used
chcat:262:9: F841 local variable 'e' is assigned to but never used
chcat:281:5: F841 local variable 'e' is assigned to but never used
chcat:385:9: E722 do not use bare 'except'
chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
chcat:436:5: F841 local variable 'e' is assigned to but never used
Fix all of them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.
Fixes e.g.:
\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 458, in transition
mytrans = setrans(args.source, args.target)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
self._process(self.source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
trans = _get_trans(source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
Resolves:
\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined
\# seinfo -tsvirt_sandbox_file_t -x
TypeName container_file_t
Aliases
svirt_sandbox_file_t
svirt_lxc_file_t
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Change in internal setools API causes sepolicy to crash when processing
AVRules.
File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
if isinstance(rule, setools.policyrep.terule.AVRule):
AttributeError: module 'setools.policyrep' has no attribute 'terule'
See https://github.com/SELinuxProject/setools/issues/8 for more details.
Stop using internal setools API:
- use AttributeError instead of setools specific exceptions
- evaluate conditional expressions using conditional.evaluate() instead
of qpol_symbol.is_enabled()
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Currently, in:
# semanage ibendport --help
usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE
-z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE(
port ) | --deleteall | --extract | --list -C | --modify -t TYPE -z
IBDEV_NAME -r RANGE ( port ) ]
... a space is missing between "RANGE" and "( port )" in the usage of
--delete. Add it by splitting the string correctly in the usage line
definition.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Both "semanage user --help" and "man 8 semanage-user" state that
"semanage user" accepts option -s, but this is incorrect: -s is not
needed to specify the SELinux user on the command line, contrary to
"semanage login" for example. Fix the documention.
While at it, remove many spaces from the helptext of option --roles. I
do not know where they came from, but they were reduced to a single
space when displayed anyway.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Python does not need to end a statement with a semicolon. Doing this
gets reported by linters such as flake8 ("E703 statement ends with a
semicolon").
Remove such semicolons in the code and enable this warning in
scripts/run-flake8.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This module is not used and its name conflicts with variable "types".
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/generate.py:657:5: F811 redefinition of
unused 'types' from line 31
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy.py:582:5: F811 redefinition of unused
'DAEMON' from line 582
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Some function used variables which were not defined when populating
self.cur_dict with an operation. Fix this, even though the old values do
not seem to be used.
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2020:101: F821 undefined name 'oldsetype'
python/sepolicy/sepolicy/gui.py:2020:122: F821 undefined name 'oldmls'
python/sepolicy/sepolicy/gui.py:2020:142: F821 undefined name 'oldclass'
python/sepolicy/sepolicy/gui.py:2050:133: F821 undefined name 'oldmls'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
procotol -> protocol
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This silences the following flake8 errors:
python/sepolgen/src/sepolgen/refpolicy.py:758:25: F821 undefined name 'XATTR'
python/sepolgen/src/sepolgen/refpolicy.py:760:27: F821 undefined name 'TRANS'
python/sepolgen/src/sepolgen/refpolicy.py:762:27: F821 undefined name 'TASK'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
av_extract_params() may call __param_insert() with only 2 parameters
instead of 4, which has no chance to work fine. Moreover it uses "PERM",
which is undefined. As nobody complained about this code, it seems to be
dead, so remove it.
This issue has been found using flake8. This Python linter reported:
python/sepolgen/src/sepolgen/interfaces.py:158:37: F821 undefined
name 'PERM'
While at it, fix a typo in a comment.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
flake8 warns about using has_key():
python/sepolgen/src/sepolgen/refparser.py:315:15: W601 .has_key() is
deprecated, use 'in'
However "spt.has_key(id)" uses function SupportMacros.has_key(), which
is not the same as the "in" operator. Silence this warning by using "#
noqa".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
p_permissive() uses an undefined variable t, which is buggy. In order to
ignore permissive statements, the function only needs to "pass".
flake8 reported the following error:
python/sepolgen/src/sepolgen/refparser.py:789:5: F821 undefined name 't'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
SELinuxGui.files_initial_data_insert() uses both "seLinux_label" and
"selinux_label", which leads to using an undefined variable, as reported
by flake8:
python/sepolicy/sepolicy/gui.py:1191:42: F821 undefined name 'selinux_label'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
CheckPolicyType class is not used in sepolicy and has been written from
an buggy copy-paste: "newval.append(v)" does not make any sense in
CheckPolicyType.__call__, as reported by flake8:
python/sepolicy/sepolicy.py:190:13: F821 undefined name 'newval'
python/sepolicy/sepolicy.py:190:27: F821 undefined name 'v'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
sepolgen uses "return NotImplemented" (in access.py and matching.py) in
order to make Python's sorting function use an other call to compare
objects. For this to work, "NotImplemented" needs to be returned, not
raised like _compare's default implementation does.
This issue has been found using flake8. This Python linter reported:
python/sepolgen/src/sepolgen/util.py:128:9: F901 'raise
NotImplemented' should be 'raise NotImplementedError'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
util.py starts by importing "locale" and "sys", so there is no need to
import these modules again in the functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:
File "./python/semanage/seobject.py", line 143
except OSError, ImportError:
^
SyntaxError: invalid syntax
The correct syntax consists in using parentheses.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Test if audit module is enabled so that logger class is defined
correctly.
Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.
AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.
Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.
PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.
With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In access module, in AccessVector.__init__() method, when init_list is
not None, the access vector is initialized by from_list() method.
However, this method does not assign attributes self.audit_msgs,
self.type, and self.data. Fix this by assigning these attributes in
__init__() method.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
In refpolicy module, in AVRule.__rule_type_str() method, self.rule_type
was not checked for value self.NEVERALLOW so that string "neverallow"
was never returned. Fix this by checking all four possible values and
returning correct strings.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
