get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).
e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
like httpd_dontaudit_search_dirs
Note: get_bools uses security_get_boolean_active to get the boolean
value, but the value is later used to represent the default.
Not ideal, but I'm not aware of a way to get the actual defaults.
Fixes:
"sepolicy manpage" generates man pages that are missing booleans
which are included in non trivial conditional expressions
e.g. httpd_selinux(8) does not include httpd_can_check_spam,
httpd_tmp_exec, httpd_unified, or httpd_use_gpg
This fix, however, also adds some not strictly related booleans
to some man pages. e.g. use_nfs_home_dirs and
use_samba_home_dirs are added to httpd_selinux(8)
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Found by codespell(1) and typos[1].
[1]: https://github.com/crate-ci/typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When installing to a destdir with pip install --prefix= --root=, pip tries to
uninstall the existing root-owned package and fails
Fixes:
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/python/sepolicy
Preparing metadata (setup.py) ... done
Building wheels for collected packages: sepolicy
Building wheel for sepolicy (setup.py) ... done
Created wheel for sepolicy: filename=sepolicy-3.4-py3-none-any.whl size=1663564 sha256=229546db123e7d84613d190d49c192291b1a4f7f2a037657b39283b04ac391a4
Stored in directory: /tmp/pip-ephem-wheel-cache-50r2x4cn/wheels/b2/9e/63/6a6212a84d65a709923228719d065ed34e66a90c7fed01e8cf
Successfully built sepolicy
Installing collected packages: sepolicy
Attempting uninstall: sepolicy
Found existing installation: sepolicy 3.4
Uninstalling sepolicy-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: 'generate.py'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since commit 7494bb1298 ("sepolicy: generate man pages in parallel")
man pages are generated in parallel and there's a race between
os.path.exists() and os.makedirs().
The check os.path.exists() is not necessary when os.makedirs() is called
with exist_ok=True.
Fixes:
/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit c08cf24f39 ("python: Remove dependency on the Python module
distutils") replace usage of distutils.sysconfig by sysconfig but it was
forgotten on the fact that the later provide a different api.
Fixes:
self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'sysconfig' has no attribute 'get_python_lib'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
distro module uses /etc/os-release file which contains operating system
identification data, see os-release(5). Given that the mechanism doesn't
use `rpm` it should be possible to generate man pages on other
distributions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 7494bb1298 ("sepolicy: generate man pages in parallel")
improved sepolicy performance but broke `sepolicy manpage -w ...` as it
didn't collect data about domains and roles from ManPage() and so
HTMLManPages() generated only empty page. This is fixed now, domains
and roles are being collected and used for HTML pages.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
self.export_config(filename)
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).
Fixes:
# LANG is set to any "unsupported" language, e.g. en_US.UTF-8
$ chcat --help
Traceback (most recent call last):
File "/usr/bin/chcat", line 39, in <module>
t = gettext.translation(PROGNAME,
File "/usr/lib64/python3.9/gettext.py", line 592, in translation
raise FileNotFoundError(ENOENT,
FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Some calls to "_" where unsuccessful because the function was
initialized with a different translation domain than the string.
e.g. selinux-polgengui calls functions from sepolicy.generate, which end
up printing untranslated strings because polgengui uses selinux-gui
domain while sepolicy uses selinux-python
- Set "_" in module namespace instead of "builtins"
- Set the whole "sepolicy.generate()" confirmation as translatable
- Drop "codeset" parameter since it is deprecated
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Found by typos[1].
[1]: https://github.com/crate-ci/typos
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit splits original policycoreutils translations to
policycoreutils, selinux-python, selinux-gui, and selinux-sandbox.
See original Fedora issue https://github.com/fedora-selinux/selinux/issues/43
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
When parsing Reference Policy style files accept square brackets in file
names. The FILENAME token is used in the TYPE_TRANSITION grammar rule
for the optional name based argument. This name can contain square
brackets, e.g. for anonymous inodes like "[io_uring]".
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Followed the following steps:
# aosp mirror does not have the upstream tags. Manually mark the
# 3.3 release. See
# https://github.com/SELinuxProject/selinux/releases/tag/3.3
git tag 3.3 7f600c40bc
repo start update_3_3 .
git merge 3.3 --no-ff # No merge conflicts were found.
lunch && m
repo upload .
Bug: 37755687
Test: Build aosp_bramble-userdebug and manually compare the generated
/{system,vendor,product}/etc/selinux* files with their previous
versions. All are identical.
Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
