In the past we wrote audit into the semanage tool chain. But if a tool like useradd
called dirreclty into libsemanage we did not get auditing. Now useradd calls directly,
so we need this patch.
Another fix in this patch is to default the login mappings MLS to the selected SELinux User.
If a caller just specified the name staff_u, then the code will look up the range of staff_u
and apply it to the mapping.
We were asked not to link to libpthread but to use gcc internals.
We were not handling properly the fact that a cache was UNSET, and this
patch fixes this.
Also change audit2why to look at the loaded policy rather then searching on disk for
the policy file. It is more likely that you are examining the running policy.
In the past pam_selinux would return a bogus login context if the login program
was running with the wrong context. If you ran sshd as unconfined_t
you might get the login user loggin in as pam_oddjob_mkhomedir_t or some other bogus
type. This change fixes the code to return an error if it can not return a good
match.
We want to allow users to setup their substitions to run fist and then run
the distro subs second. This fixes the problem where a user defines
a sub like /usr/local/foobar and we ignore it. We need this for
software collections which is setting up local subs of /opt/src/foobar/root /
Tools like cp -A try to maintain the context of a program and call *setfilecon,
currently if the file system does not support XAttrs we return ENOSUPP. We have
been requested to check if the context that is being set is the same to not return this
error. So if I try to set the label on an nfs share to system_u:object_r:nfs_t:s0 and I get
ENOSUPP, it will not return an error.
I wanted to separate this directory out in order for a new patch to mcstransd to watch
this directory for newly created files, which it could then translate.
The idea is libvirt would write to /var/run/setrans/c0:c1,c2 with the contents of vm1, then
setrans could translate the processes to show system_u:system_r:svirt_t:vm1
This allows us to specify under which the compiled policy file and context configuration
files exist. We can use this with matchpathcon to check the labels under alternate policies,
and we can use it for sepolicy manpage to build manpages during policy build.
In the patch to fix a minor memory leak, I introduced a garuanteed
segfault. The point to the stack variable will never be NULL, whereas
the value on the stack will be.
Signed-off-by: Eric Paris <eparis@redhat.com>
We open the file which is to be used to write the binary format of file
contexts. If we hit an error actually writing things out, we return,
but never close the fd. Do not leak.
Signed-off-by: Eric Paris <eparis@redhat.com>
Every time matchmediacon is called we open the
selinux_media_context_path(). But we never close the file. Close the
file when we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were opening the path, but if the fstat failed or it was not a
regular file we would return without closing the fd. Fix my using the
common error exit path rather than just returning.
Signed-off-by: Eric Paris <eparis@redhat.com>
The code did:
len = strlen(string);
new_string = malloc(len);
strncpy(new_string, string, len - 1)
Which is perfectly legal, but it pissed off coverity because 99/100
times if you do new_string = malloc(strlen(string)) you are doing it
wrong (you didn't leave room for the nul). I rewrote that area to just
use strdup and then to blank out the last character with a nul. It's
clear what's going on and nothing looks 'tricky'. It does cost us 1
byte of heap allocation. I think we can live with that to have safer
looking string handling code.
Signed-off-by: Eric Paris <eparis@redhat.com>
If vork() failed we would leak the arguments created in split_args().
Reorder the function so it will hopefully be easy to read and will not
leak memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have minuid_set = 0 at the top of the function and then do a test
like:
if (!minuid_set || something)
But since minuid_set is always 0, we always call this code. Get rid of
the pointless conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right before the call to semanage_list_sort() we do some cleanup.
Including endpwent(); free(rbuf); semanage_list_destroy(&shells); If
the call to the list sort fails we will go to fail: and will do those
cleanups a second time. Whoops. Do the list sort before the generic
cleanups so the failure code isn't run after the default cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
If the strdup failed, we would return without freeing tmp_key. This is
obviously a memory leak. So free that if we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate a list of users, but we do not free that list on error.
Just keep popping and freeing them on error.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use creat to create the lock file needed later. But we never close
that fd, so it just sits around until the program exits. After we
create the file we don't need to hold onto the fd. close it.
Signed-off-by: Eric Paris <eparis@redhat.com>
If get_home_dirs() was called without usepasswd we would generate the
entire shell list, but would never use that list. We would then not
free that list when we returned the homedir_list. Instead, do not
create the list of shells until after we know it will be used.
Signed-off-by: Eric Paris <eparis@redhat.com>
Inside split_args we do a = realloc(b) and strdup. If the realloc
succeeds and then the strdup fails, we return NULL to the caller. The
caller will then jump to an error code which will do a free(b). This is
fine if the realloc failed, but is a big problem if realloc worked. If
it worked b is now meaningless and a needs to be freed.
I change the function interface to return an error and to update "b"
from the caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
We did a bunch of:
if ((blah = function(a0, a1, a2)) == NULL) {
goto err;
} else {
something = blah;
}
Which takes 5 lines and is a pain to read. Instead:
blah = function(a0, a1, a2);
if (blah == NULL)
goto err;
something = blah;
Which takes 4 lines and is easier to read!
Winning!
Signed-off-by: Eric Paris <eparis@redhat.com>
setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Turn verbose on for full relabel
Add check to see if / has a label, if not then force a full relabel.
Add ability to record OPTIONS into the the /.autorelabel file.
fixfiles -F onboot
writes out /.autorelabel with -F
fixfiles -B onboot
writes on /autorelaebl with -N BOOTDATE recorded.
The goal is to allow boot up sequence that sees /.autorelabel to hand any
options store in it, to fixfiles restore
OPTIONS=`cat /.autorelabel`
fixfiles $OPTIONS restore
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
data file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use strdup to store the intended context when we have an mmap'd
file backend. We, however, skipped freeing those contexts.
Signed-off-by: Eric Paris <eparis@redhat.com>
