There was no way to print all of the role transition rules in dispol.
Add that support.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libsemanage/src/semanage.py and libselinux/src/semanageswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libselinux/src/selinux.py and libselinux/src/selinuxswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor.
This patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Note: it is not clear to me why it is necessary to remove and readd the
watch in the first place.
Note for testing: you need to log in (to cause a change in utmp) after
starting restorecond to trigger the bug. In fact you need to log in twice
before the kernel reuses a watch descriptor.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The formatting of dismod/dispol display of filename trans rules didn't
make a lot of sense. Make them more like the original rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The kernel policy parsing logic was incorrectly believing the list of
filename transition rules was always empty because we never updated the
tail pointer when we added to the list. This patch updates the pointer
to the last entry when a new entry is added.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
When the link process is completed, the types type_set_t and roles
ebitmap in a role attribute are settled, then we could go on to scan
all role attributes in the base->p_roles.table checking if any non-zero
bit in its roles ebitmap is indeed another role attribute.
If this is the case, then we need to escalate the roles ebitmap of
the sub role attribute into that of the parent, and remove the sub role
attribute from parent's roles ebitmap.
Since sub-attribute's roles ebitmap may further contain other role
attributes, we need to re-scan the updated parent's roles ebitmap.
Also if a loop dependency is detected, no escalation of sub-attribute's
roles ebitmap is needed.
Note, although in the link stage all role identifiers defined in any
block/decl of any module would be copied into the base->p_roles.table,
the role-attribute relationships could still be recorded in the decl's
local symtab[SYM_ROLES] table(see get_local_role()), so before all above
escalation of sub role attribute's roles ebitmap into that of parent ever
happens, all decl in the base->global list except the global block would
have to be traversed so as to populate potential role-attribute
relationships from decl up to the base module.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When the rolemap and pointer to the base module are available, if
a non-zero bit in role_set_t.roles is a role attribute, expand it
before remap.
Note, during module compile the rolemap may not be available, the
potential duplicates of a regular role and the role attribute that
the regular role belongs to could be properly handled by
copy_role_allow() and copy_role_trans() during module expansion.
Take advantage of the role_val_to_struct[] of the base module, since
when role_set_expand() is invoked, the role_val_to_struct[] of the
out module may have not been established yet.
Also cleanup the error handling of role_set_expand().
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Copy the flavor flag into its counterpart in the out module;
2. Fix all role attributes in the base module:
2.1 remap the roles ebitmap and merge into its counterpart in the
out module;
2.2 escalate the types.types ebitmap of its counterpart in the out
module, to the counterparts for all the regular roles that belongs
to the current role attribute.
The role_fix_callback() must be called after role_copy_callback()
so that state->rolemap[] is available.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Make the flavor flag and the roles ebitmap in role_datum_t structure
properly handled during module link process:
1. the flavor flag is copied into the base module;
2. if both the current module and the base module have defined or
required the same role, check if there is a discrepency in flavor;
3. remap the roles ebitmap and merge into its counterpart in the
base module;
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add support to read/write the flavor flag and roles ebitmap in the
role_datum_t structure from/to policy module, if its version is no less
than MOD_POLICYDB_VERSION_ROLEATTRIB.
Since the role ebitmap would be expanded and won't be written into
policy.X, neither is the flavor flag, kernel SELinux security server
needs no change, the maximum version number for policy.X needs no bump.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;
2. Add a new "attribute_role" statement and its handler to declare
a role attribute;
3. Modify declare_role() to setup role_datum_t.flavor according
to the isattr argument;
4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;
5. Modify the syntax for the role-types rule only to define the
role-type associations;
6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;
7. Check if the new_role used in role-transition rule is a regular role;
8. Support to require a role attribute;
9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share a same name with another regular role.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter. A new token type for filesystem names is
created since these names having nothing to do with SELinux.
This patch is needed because some filesystem names (such as 9p) start
with a digit.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This wraps the filename token in quotes to make parsing easier and more
clear. The quotes are stripped off before being passed to checkpolicy.
The quote wrapping is only used by filename transitions. This changes
the filename transition syntax to the following:
type_transition source target : object default_type "filename";
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
currently policy will not build if I define a module as 1
policy_module(dan,1) Fails
policy_module(dan,1.0) works
The attached patch makes the first one work.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When writing the roletrans rules, rules are dropped when not supported,
but the number of rules is not decreased. This sets the number of
elements to the actual number of rules that will be written.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Although the role trans code had support to handle the kernel policy
when the version was less that roletrans such support was not in the
module read/write code. This patch adds proper support for role trans
in modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds libsepol support for filename_trans rules. These rules
allow one to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add man pages for selinux_raw_context_to_color(5), selinux_colors_path(3) and secolors.conf(5).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
mcstransd: Now selects the range color for a matching 'range' entry in secolor.conf file, and not the first range to pass the dominance check.
The second patch has the man pages to support the colour functions that match how mcstransd manages colour selection.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The idea is to allow distributions to ship a subs file as well as let
the user modify subs.
In F16 we are looking at shipping a
file_contexts.subs_dist file like this
cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib
The we will remove all (64)? from policy.
This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6
QT0An0ihA60di9CRsEqEdVbSaHOwtte5
=LXgd
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.
systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.
The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called. This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add class support to various functions to handle role_trans_rule_t
structures.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add the class support to various functions that handle role_trans
structure.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Handle the class field in the role_transition rule. If no class is
specified, then it would be set to the "process" class by default.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class("process") or the
class that the newly created object belongs to.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This prevents the key destructors, intented to free per-thread
heap storage, from being called after libselinux has been unloaded.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
