Currently neverallowxperm rules will be resolved correctly when
building policy, however they are not detectable when using tools
such as an updated version of setools. This patch will allow
these to be viewed in the same way as neverallow rules are in a
text based kernel policy file (e.g. policy.conf).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
If "level" option is used to start sandbox commands, this level is not propagated
to specified homedir and tmpdir directories. See rhbz #1279006.
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
Fixes: python ./semanage permissive -d
Traceback (most recent call last):
File "./semanage", line 925, in <module>
do_parser()
File "./semanage", line 904, in do_parser
args.func(args)
File "./semanage", line 708, in handlePermissive
OBJECT.delete(args.type)
File "/selinux.git/policycoreutils/semanage/seobject.py", line 479, in delete
for n in name.split():
AttributeError: 'NoneType' object has no attribute 'split'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Previously, when sepolicy was run without any argument, the usage message
with the error "too few arguments" was shown. Using Python 3 it threw a traceback.
This patch unifies behavior on Py2 and Py3 so that sepolicy shows the help
message in this case.
Fixes:
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 647, in <module>
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
In Py3.0, the cmp parameter in sort() function was removed and key keyword is
available since Py2.4.
Fixes: # cat avc.log | audit2allow -R
Traceback (most recent call last):
File "/usr/bin/audit2allow", line 363, in <module>
app.main()
File "/usr/bin/audit2allow", line 351, in main
self.__output()
File "/usr/bin/audit2allow", line 308, in __output
g.set_gen_refpol(ifs, perm_maps)
File "/usr/lib64/python3.4/site-packages/sepolgen/policygen.py", line 101, in set_gen_refpol
self.ifgen = InterfaceGenerator(if_set, perm_maps)
File "/usr/lib64/python3.4/site-packages/sepolgen/policygen.py", line 353, in __init__
self.hack_check_ifs(ifs)
File "/usr/lib64/python3.4/site-packages/sepolgen/policygen.py", line 365, in hack_check_ifs
params.sort(param_comp)
TypeError: must use keyword argument for key function
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Resolves https://github.com/SELinuxProject/cil/issues/3
An 'unordered' keyword provides the ability to append classes to the current
list of ordered classes. This allows users to not need knowledge of existing
classes when creating a class and fixes dependencies on classes when removing a
module. This enables userspace object managers with custom objects to be
modularized.
If a class is declared in both an unordered and ordered statement, then the
ordered statement will supercede the unordered declaration.
Example usage:
; Appends new_class to the existing list of classes
(class new_class ())
(classorder (unordered new_class))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Some error's were reported by valgrind (below) fix them. The test
cases on which these leaks were detected:
1. properly formed file_contexts file.
2. malformed file_contexts file, unknown type.
3. malformed file_contexts file, type that fails on validate callback.
4. malformed file_contexts file, invalid regex.
5. malformed file_contexts file, invalid mode.
==3819== Conditional jump or move depends on uninitialised value(s)
==3819== at 0x12A682: closef (label_file.c:577)
==3819== by 0x12A196: selabel_close (label.c:163)
==3819== by 0x10A2FD: cleanup (checkfc.c:218)
==3819== by 0x5089258: __run_exit_handlers (exit.c:82)
==3819== by 0x50892A4: exit (exit.c:104)
==3819== by 0x10A231: main (checkfc.c:361)
==3819== Uninitialised value was created by a heap allocation
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x4C2CF1F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x12BB31: process_file (label_file.h:273)
==3819== by 0x12A2BA: selabel_file_init (label_file.c:522)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==3819==
==3819== HEAP SUMMARY:
==3819== in use at exit: 729 bytes in 19 blocks
==3819== total heap usage: 21,126 allocs, 21,107 frees, 923,854 bytes allocated
==3819==
==3819== 81 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x50D5839: strdup (strdup.c:42)
==3819== by 0x12A2A6: selabel_file_init (label_file.c:517)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==4238== 40 bytes in 1 blocks are definitely lost in loss record 1 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12A1D2: selabel_file_init (label_file.c:886)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 81 bytes in 1 blocks are definitely lost in loss record 2 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5839: strdup (strdup.c:42)
==4238== by 0x12A2A6: selabel_file_init (label_file.c:517)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 386 bytes in 24 blocks are definitely lost in loss record 3 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5889: strndup (strndup.c:45)
==4238== by 0x12CDDF: read_spec_entries (label_support.c:37)
==4238== by 0x12B72D: process_file (label_file.h:392)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 648 bytes in 18 blocks are definitely lost in loss record 4 of 6
==4238== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x117C9B: avtab_insert_node (avtab.c:105)
==4238== by 0x117C10: avtab_insert (avtab.c:163)
==4238== by 0x11880A: avtab_read_item (avtab.c:566)
==4238== by 0x118BD3: avtab_read (avtab.c:600)
==4238== by 0x125BDD: policydb_read (policydb.c:3854)
==4238== by 0x109F87: main (checkfc.c:273)
==4238==
==4238== 1,095 bytes in 12 blocks are definitely lost in loss record 5 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12D8D1: pcre_compile2 (pcre_compile.c:9217)
==4238== by 0x12B239: compile_regex (label_file.h:357)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 1,296 bytes in 12 blocks are definitely lost in loss record 6 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x13EBE5: pcre_study (pcre_study.c:1565)
==4238== by 0x12B25D: compile_regex (label_file.h:366)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When running sepolgen-ifgen on refpolicy (git master branch), the
following messages show up:
/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
on line 3369 gen_context [type=GEN_CONTEXT]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 188379 ' [type=SQUOTE]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 188385 ' [type=SQUOTE]
The line numbers are incorrect because the lineno member of the lexer
object is not resetted after each file has been processed. After fixing
this, the messages are nicer:
/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
on line 43 gen_context [type=GEN_CONTEXT]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 1416 ' [type=SQUOTE]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 1422 ' [type=SQUOTE]
As line 43 of kernel/selinux.if contains a genfscon statement with a
gen_context component, the reported line numbers are now correct.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This replaces the openssl library with SHA1 hash functions
extracted from [1] as this is a public domain implementation.
util/selabel_digest -v option still compares the result with
the openssl command "openssl dgst -sha1 -hex .." for validation.
[1] https://github.com/WaterJuice/CryptLib
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If selabel_open is called with no request for a digest it will fail
with ENOENT. This fixes all the labeling routines to resolve this
problem. The utils/selabel_digest example has also been updated
to allow calling selabel_open with and without digest requests to
aid testing.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during
selabel_open(3) will return an SHA1 digest of the spec files, plus
a list of the specfiles used to calculate the digest. There is a
test utility supplied that will demonstrate the functionality.
The use case for selabel_digest(3) is to implement an selinux_restorecon
function based on the Android version that writes a hash of the
file_contexts files to an extended attribute to enhance performance
(see external/libselinux/src/android.c selinux_android_restorecon()).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Commit 966855d9a1 added selinux.py as a requirement for pywrap.
This file is generated during the swig step but there is no explicit
rule in the Makefile so parallel build fails. This adds another rule
so the ordering is correct.
jason@meriadoc ~/code/gentoo/selinux/libselinux $ make -j3 pywrap
.... SNIP ....
sed -e 's/@VERSION@/2.4/; s:@prefix@:/usr:; s:@libdir@:lib:; s:@includedir@:/usr/include:' < libselinux.pc.in > libselinux.pc
bash exception.sh > selinuxswig_python_exception.i
make[1]: *** No rule to make target 'selinux.py', needed by 'pywrap'. Stop.
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/home/jason/code/gentoo/selinux/libselinux/src'
Makefile:36: recipe for target 'pywrap' failed
make: *** [pywrap] Error 2
Signed-off-by: Jason Zaman <jason@perfinion.com>
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.
See also http://marc.info/?l=selinux&m=136518126930710&w=2
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This improves the robustness of programs using selinux_check_access()
in the face of policy updates that alter the values of the class or
permissions that they are checking. Otherwise, a policy update can
trigger false permission denials, as in
https://bugzilla.redhat.com/show_bug.cgi?id=1264051
Changes to the userspace class/permission definitions should still be
handled with care, as not all userspace object managers have been converted
to use selinux_check_access() and even those that do use it are still not
entirely safe against an interleaving of a policy reload and a call to
selinux_check_access(). The change does however address the issue in
the above bug and avoids the need to restart systemd.
This change restores the flush_class_cache() function that was removed in
commit 435fae64a9 ("libselinux: Remove unused flush_class_cache method")
because it had no users at the time, but makes it hidden to avoid exposing
it as part of the libselinux ABI.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a path has no context, for example, when the file was created when
selinux was disabled, selinux.restorecon(path) will fail:
>>> selinux.restorecon('/etc/multipath.conf.new')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 88,
in restorecon
status, oldcontext = lgetfilecon(path)
OSError: [Errno 61] No data available
This failure does not seems to be useful, as we can successfully match
the context for this path using selinux.matchpathcon(), and set it
successfully using selinux.chcon(). The failure is caused by trying to
avoid the lsetfilecon() call if the current context is does not need
update.
This patch handles this specific error from lgetfilecon(), preventing
this failure.
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
set the test will pass if the ioctl permission is not granted.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Add support for detecting recursive blockinherits, and print a trace of
the detected loop. Output will look something like this upon detection:
Recursive blockinherit found:
test.cil:42: block a
test.cil:43: blockinherit b
test.cil:36: block b
test.cil:37: blockinherit c
test.cil:39: block c
test.cil:40: blockinherit a
Additionally, improve support for detecting recursive macros/calls. Due
to the way calls are copied, the existing code only detected recursion
with call depth of three or more. Smaller depths, like
(macro m ()
(call m))
were not detected and caused a segfault. The callstack that was used for
this was not sufficient, so that is removed and replaced with a method
similar to the block recursion detection. A similar trace is also
displayed for recursive macros/calls.
Also, cleanup sidorder, classorder, catorder, sensorder, and in lists at
the end of resolve, fixing a potential memory leak if errors occur
during resolve.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Ensure the mmap start address and length are not modified so the memory
used can be released when selabel_close(3) is called.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
On older versions of gcc, an error is incorrectly given about
uninitialized variables. This will initialize the culprits.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Fixes https://github.com/SELinuxProject/cil/issues/7.
This fixes a bug where cil_verify_classperms was executed on NULL
classperms lists. A check is now performed when verifying
classpermissions and classmap to ensure the classperms lists are not
empty.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.
Also, disallow roleattributes where roles are accepted in contexts.
Specify a userattribute
(userattribute foo)
Add users to the set foo
(userattributeset foo (u1 u2))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When we copy a blockinherit statement, we perform actions that assume
the blockinherit statement was already resolved. However, this isn't the
case if the statement was copied from a tunableif or an in-statement,
since those are resolve before blockinherits and blocks. So when
copying a blockinherit that hasn't been resolved, ignore the code that
associates blocks with the blockinherit; that will all be handled when
the copied blockinherit is actually resolved later.
Additionally, restrict block, blockabstract, and blockinherit statements
from appearing in macros. These statements are all resolved before
macros due to ordering issues, so they must not appear inside macros.
Note that in addition to doing the checks in build_ast, they are also
done in resolve_ast. This is because an in-statement could copy a block
statement into a macro, which we would not know about until after the
in-statement was resolved.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When copying classpermission or classpermissionset statements, we did
not properly initialize the new structs. This would cause a segfault
when one used either of these statements inside a tunableif block, e.g.
(tunableif foo
(true
(classpermissionset cps (cls (perm1 perm2))))
(false
(classpermissionset cps (cls (perm1)))))
Reported-by: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
