CU_FAIL() does not stop the execution flow.
This issue has been found using Infer static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Several static analyzers (clang's one, Facebook Infer, etc.) warn about
NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL()
in the test code written using CUnit framework. This is because this
CUnit macro is too complex for them to understand that the pointer
cannot be NULL: it is translated to a call to CU_assertImplementation()
with an argument as TRUE in order to mean that the call is fatal if the
asserted condition failed (cf.
http://cunit.sourceforge.net/doxdocs/group__Framework.html).
A possible solution could consist in replacing the
CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers
know about assert(). Nevertheless this seems to go against CUnit's API.
An alternative solution consists in overriding CU_ASSERT_..._FATAL()
macros in order to expand to assert() after a call to the matching
CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove
many false-positive warnings from various static analyzers.
As this substitution should only occur when using a static analyzer, put
it under #ifdef __CHECKER__, which is the macro used by sparse when
analyzing the Linux kernel.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Other python scripts already use python3 by default. Both files don't have exec
bits so they have to be run using the python interpreter on the command line anyway:
$ python3 ./setup.py ...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When functions from libsemanage call other functions that are exported,
these functions need to be "wrapped" using hidden_proto() macro. This is
done in headers such as "user_internal.h". Several functions in
genhomedircon.c are not doing this, which makes building with -flto
fail with errors such as:
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `user_sort_func':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758:
undefined reference to `semanage_user_get_name'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758:
undefined reference to `semanage_user_get_name'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `fcontext_matches':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:240:
undefined reference to `semanage_fcontext_get_expr'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:248:
undefined reference to `semanage_fcontext_get_type'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `add_user.isra.0':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:992:
undefined reference to `semanage_user_get_mlslevel'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `write_context_file':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:892:
undefined reference to `semanage_user_key_create'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:764:
undefined reference to `semanage_user_get_name'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:897:
undefined reference to `semanage_user_query'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:905:
undefined reference to `semanage_user_get_mlslevel'
Include the missing headers.
Fixes: https://github.com/SELinuxProject/selinux/issues/169
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building binary policy, optionally run it through
sepol_policydb_optimize() just before writing it out.
Add an optimize-policy variable to semanage.conf(5) that controls
whether optimization will be applied during libsemanage operations.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add new test suite for semanage_user_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_port_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_node_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_ibendport_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_iface_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_fcontext_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_bool_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_handle_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses a custom
semanage store and policy written in CIL; it does not require running on an
SELinux-enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Add functions for creating and destroying test semanage store.
- Add functions for writing SELinux policy to the test store.
- Add functions for creating semanage handle, connecting to the store and for
beginning a transaction.
- Update Makefile to compile test policies from CIL source.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched to python3
- Users with python 2 only can still use:
$ make PYTHON=/usr/bin/python ....
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
getgrnam_r() uses a preallocated buffer to store a structure containing
the broken-out fields of the record in the group database. The size of
this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
not enough for groups with a large number of users. In these cases,
getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
retry with a larger buffer.
Fixes:
$ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
OSError: Numerical result out of range
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B
tries to use /etc/selinux/targeted/booleans.subs_dist. This is because
it invokes the libselinux selinux_boolean_sub() interface, which uses
the active/installed policy files rather than the libsemanage ones.
Switch the selinux policy root around the selinux_boolean_sub() call
to incorporate the semanage root as a prefix and to use the specified
policy store as a suffix so that the correct booleans.subs_dist file
(if any) is used.
The underlying bug is that booleans.subs_dist is not itself managed
via libsemanage. If it was managed and therefore lived within the
policy store, then libsemanage could access the appropriate
booleans.subs_dist file without using the libselinux interface at all,
and thus would not need to modify the selinux policy root. Moving
booleans.subs_dist to a managed file is deferred to a future change.
Test:
dnf install selinux-policy-minimum selinux-policy-targeted
cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -)
strace semodule -p ~/policy-root -s minimum -n -B
Before:
openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5
After:
openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5
Fixes https://github.com/SELinuxProject/selinux/issues/109
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The manpage explicitly states that:
The getpwent() function returns a pointer to a passwd structure, or
NULL if there are no more entries or an error occurred. If an error
occurs, errno is set appropriately. If one wants to check errno after
the call, it should be set to zero before the call.
Without this, genhomedircon can wrongly return the following:
libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
https://github.com/SELinuxProject/selinux/issues/121
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
The script used both tabs and spaces to indent the code, using a tab
length of 8 (in calls to parser.add_option(...)). Make the code more
readable by using spaces for indentation everywhere.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
flake8 reports many warnings on script semanage_migrate_store:
E225 missing whitespace around operator
E302 expected 2 blank lines, found 1
E701 multiple statements on one line (colon)
E703 statement ends with a semicolon
E722 do not use bare 'except'
...
Fix some of them in order to reduce the noise.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The selinux/semanage python module import error in semanage_migrate_store
was misleading. Before, it would report that the selinux/semanage modules
were not installed even though they were on the system.
Now the import failure is only reported if the modules are not installed.
Otherwise, a stack trace is printed for all other errors in the selinux/semanage
python modules.
Signed-off-by: Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
I missed this bug in commit 9ec0ea143ab5 ("libsemanage: use previous
seuser when getting the previous name").
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use "previous" user name when no new user is available in
semanage_seuser_audit. Otherwise "id=0" is logged instead of
"acct=user_name" ("id=0" is hard coded value).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1622045
Restrictive umask may cause creating directories with unintended
access mode. Reset umask before creating directories to avoid this
issue.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186422
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
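The effect described in the umask commit above, as an added example that is not libsemanage code: the same mkdir() request ends up with different permissions depending on the inherited umask unless the mask is set to a known value first. The function name created_dir_mode(), the value STORE_UMASK (0022) and the /tmp scratch path are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define STORE_UMASK 0022   /* assumed known-good mask, not taken from the commit */

/* Simulate a caller running with `inherited` as its umask, create a
 * directory requested as 0755, and return the permission bits it ended up
 * with ((mode_t)-1 on failure). With reset_first set, the umask is forced
 * to STORE_UMASK around mkdir() and restored afterwards. */
mode_t created_dir_mode(mode_t inherited, int reset_first)
{
    char base[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[sizeof(base) + sizeof("/store")];
    struct stat st;
    mode_t result = (mode_t)-1, caller, prev = 0;

    caller = umask(inherited);                /* pretend we inherited this mask */
    if (mkdtemp(base) != NULL) {
        snprintf(path, sizeof(path), "%s/store", base);
        if (reset_first)
            prev = umask(STORE_UMASK);
        if (mkdir(path, 0755) == 0 && stat(path, &st) == 0)
            result = st.st_mode & 0777;
        if (reset_first)
            umask(prev);                      /* put the caller's mask back */
        rmdir(path);
        rmdir(base);
    }
    umask(caller);
    return result;
}

int main(void)
{
    printf("umask 077, no reset: %04o\n", (unsigned)created_dir_mode(0077, 0));
    printf("umask 077, reset:    %04o\n", (unsigned)created_dir_mode(0077, 1));
    return 0;
}
```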
This program can be useful in order to test the Python API of
libsemanage. Make it usable in Python 3 using 2to3 and some tweaks.
While at it, fix warnings reported by flake8 linter.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Only use spaces to indent Python code. This reduces the number of
warnings reported by Python linters.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
from getpwnam_r(3): "The call sysconf(_SC_GETPW_R_SIZE_MAX) returns
either -1, without changing errno, or an initial suggested size for buf.
(If this size is too small, the call fails with ERANGE, in which case
the caller can retry with a larger buffer.)"
The same can happen for _SC_GETGR_R_SIZE_MAX. 1024 appears to be a good
fallback but may need revisiting in the future.
This triggered an error on musl libc but could happen in other places too.
Signed-off-by: Jason Zaman <jason@perfinion.com>
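The ERANGE retry from the getgrnam_r() commit further up and the sysconf() fallback from the commit just above, combined in one added example (not libsemanage's own code). The names lookup_gid() and initial_group_buflen() and the 1 MiB cap MAX_BUFLEN are assumptions made here.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define FALLBACK_BUFLEN 1024        /* used when sysconf() returns -1 */
#define MAX_BUFLEN (1024 * 1024)    /* assumed cap so growth cannot run away */

/* sysconf() may return -1 without touching errno; fall back to 1024. */
static size_t initial_group_buflen(void)
{
    long n = sysconf(_SC_GETGR_R_SIZE_MAX);
    return n > 0 ? (size_t)n : FALLBACK_BUFLEN;
}

/* Returns the gid of `name`, -1 if no such group, -2 on error (0 = default size). */
long lookup_gid(const char *name, size_t buflen)
{
    struct group grp, *result = NULL;
    char *buf = NULL, *nbuf;
    long ret = -2;
    int rc;

    if (buflen == 0)
        buflen = initial_group_buflen();
    while (buflen <= MAX_BUFLEN && (nbuf = realloc(buf, buflen)) != NULL) {
        buf = nbuf;
        errno = 0;
        rc = getgrnam_r(name, &grp, buf, buflen, &result);
        /* Accept both conventions: error number returned, or -1 plus errno. */
        if (rc == ERANGE || (rc == -1 && errno == ERANGE)) {
            buflen *= 2;            /* record did not fit: retry with more room */
            continue;
        }
        if (result != NULL)
            ret = (long)grp.gr_gid;
        else if (rc == 0 || rc == ENOENT || rc == ESRCH)
            ret = -1;               /* lookup worked, group does not exist */
        break;
    }
    free(buf);
    return ret;
}

int main(void)
{
    printf("root -> %ld\n", lookup_gid("root", 1)); /* 1 byte forces ERANGE */
    return 0;
}
```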
Verify that the final path does not exceed the size of the
buffer before copying. This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When split_args() calls append_arg(), the returned value needs to be
checked in order to detect memory allocation failure. Checks were
missing in two places, which are spotted by clang's static analyzer:
semanage_store.c:1352:7: warning: Value stored to 'rc' is never
read
rc = append_arg(&argv, &num_args, arg);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
semanage_store.c:1368:3: warning: Value stored to 'rc' is never read
rc = append_arg(&argv, &num_args, arg);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Fix sizeof calculation in array iteration introduced by commit
6bb8282c4c
"libsemanage: replace access() checks to make setuid programs work"
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been open for more than 5 years.
On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.
As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
access() uses the real UID instead of the effective UID, which causes false
negative checks in setuid programs.
Replace access() calls (mostly tests for file existence) by stat().
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
F_OK access checks only work properly as long as all directories along
the path are accessible to the real user running the program.
Replace F_OK access checks by testing return value of open, write, etc.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>