Add additional information about the log callback message types. Indicate
which types could be audited and the relevant audit record types for them.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
9e4480b921 ("Remove trailing slash on selabel_file lookups.") introduced
a bug which turns the root directory lookup "/" into an empty string.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
If not initialized to the current policyload count, an enforcing change
will trigger policyload-callbacks in selinux_status_updated().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Access the shared nenory safe in regard to consistent view of the SELinux
kernel status page - not in regard to thread-safety.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Having a trailing slash on a file lookup, e.g. "/some/path/", can
cause a different result, for example, when file contexts are written to have
the directory have a different label than the contents. This is inconsistent
with normal Linux behaviors where trailing slashes are ignored.
Many callers already strip the trailing slash before the lookup or users
revise the file contexts to work around this. This fixes it comprehensively.
v2: fix length issues
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
The argument for security_check_context(_raw) is defined as `const char *`.
Say so in the man page.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
We need to install the include files before we try to build the source.
Otherwise, make DESTDIR=~/obj install can fail if there are older
headers under /usr/include.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Commit bc2a8f418e ("libselinux: add selinux_status_* interfaces for
/selinux/status") introduced the sestatus mechanism, which allows for
mmap()'ing of the kernel status page as a replacement for avc_netlink.
The mechanism was initially intended for userspace object managers that
were calculating access decisions within their application and did not
rely on the libselinux AVC implementation. In order to properly make use
of sestatus within avc_has_perm(), the status mechanism needs to
properly set avc internals during status events; else, avc_enforcing is
never updated upon sestatus changes.
This commit gets rid of the default avc_netlink_open() in
avc_init_internal(), replacing it with selinux_status_open(). In the
event that the kernel status page cannot be mapped, the netlink fallback
will be used. By default, avc_has_perm_noaudit() and
selinux_check_access() will now attempt to read the kernel status page,
which removes a system call from two critical code paths.
Since the AVC thread create/stop callbacks were intended to avoid a
system call in the critical code path, they no longer need to be created
by default. In the event that the kernel status page is successfully
mapped, threads will not be created. Threads will still be
created/stopped for the sestatus fallback codepaths.
Userspace object managers that still need a netlink socket can call
avc_netlink_acquire_fd() to open and/or obtain one.
Update the manpage to reflect the new avc_netlink_acquire_fd()
functionality.
Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
error occur when selinux_restorecon_default_handle return NULL in
restorecon_init.
fixes: https://github.com/SELinuxProject/selinux/issues/249
Signed-off-by: Ji Qin <jiqin.ji@huawei.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
As reported in https://github.com/SELinuxProject/selinux/issues/248,
setfiles -r (rootpath) fails when the alternate root contains a symlink
that is correct relative to the alternate root but not in the current root.
This is a regression introduced by commit e016502c0a ("libselinux: Save
digest of all partial matches for directory"). Do not call statfs(2) here
if acting on a symbolic link. Unfortunately there is no lstatfs() call.
Ensure that we initialize the statfs buffer always. If the supplied
file is a symlink, then we don't need to worry about the later tests of
filesystem type because we wouldn't be setting the digest anyway and
we are not performing a full sysfs relabel. While here, fix the earlier
test for a directory to use the correct test.
Reproducer:
$ mkdir /root/my-chroot && echo foo > /root/my-chroot/link-target && ln -s /link-target /root/my-chroot/symlink
$ echo "/root/my-chroot/symlink" | setfiles -vFi -r /root/my-chroot -f - /etc/selinux/targeted/contexts/files/file_contexts
Before:
setfiles: statfs(/root/my-chroot/symlink) failed: No such file or directory
After:
Relabeled /root/my-chroot/symlink from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:default_t:s0
Fixes: https://github.com/SELinuxProject/selinux/issues/248
Fixes: e016502c0a ("libselinux: Save digest of all partial matches for directory")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Tested-by: Jonathan Lebon <jlebon@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version)
But `setuptools` affecting setup.py is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default, rather than a
command line argument `--install-layout deb` is added
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Errno is not set to ENOENT when lookup_all() doesn't find any match.
fixes: https://src.fedoraproject.org/tests/selinux/issue/51
Signed-off-by: Richard Filo <rfilo@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.
Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Follow-up of: 9eb9c93275 ("Get rid of security_context_t and fix const declarations.")
Acked-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Utility matchpathcon uses the matchpathcon interface which has been
deprectaed. However, this tool will continue to live on, so allow it to
use the deprecated interface.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Update the one internal tree caller in the same file to
call selinux_check_passwd_access_internal.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that matchpathcon_fini is marked deprecated, create an
matchpathcon_fini_internal interface for internal users. We create
a new header file for matchpathcon_internal interfaces.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that avc_init is marked deprecated, create an avc_init_internal interface
for internal users.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
In libselinux, most functions set errno and return -1 when an error
occurs. But some functions return 1 instead, such as context_type_set(),
context_role_set(), etc. This increases the difficulty of writing Python
bindings of these functions without much benefit.
Return -1 instead (errno was already set).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The function comment of selinux_status_open() states:
It returns 0 on success, or -1 on error.
However the implementation of this function can also return 1. This is
documented in its manpage (libselinux/man/man3/selinux_status_open.3) as
intended. Copy the reason near the function definition in order to make
the code more auditable.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python bindings for libselinux expose functions such as
avc_has_perm(), get_ordered_context_list(), etc. When these functions
encounter an error, they set errno accordingly and return a negative
value. In order to get the value of errno from Python code, it needs to
be "forwarded" in a way. This is achieved by glue code in
selinuxswig_python_exception.i, which implement raising an OSError
exception from the value of errno.
selinuxswig_python_exception.i was only generating glue code from
functions declared in selinux.h and not in other headers. Add other
headers.
selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
the fact that exception.sh is a Bash script by adding a shebang. This
makes "shellcheck" not warn about the Bash array which is used to list
header files.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
Replace
python3 -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])'
<string>:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
.cpython-38-x86_64-linux-gnu.so
with
python3 -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])'
.cpython-38-x86_64-linux-gnu.so
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Currently, the src/Makefile provides the FTS_LDLIBS when building against musl
or uClibc. However, this is missing from utils/Makefile, which causes linking
to fail.
Add the FTS_LDLIBS variable to the LDLIBS variable in utils/Makefile to fix
compiling against uClibc and musl.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Previously, libselinux was exporting the following symbols:
- dir_xattr_list;
- map_class;
- map_decision;
- map_perm;
- myprintf_compat;
- unmap_class;
- unmap_perm;
However, these appear to be unused and can safely be dropped.
This is done as a seperate commit to so it can easily be reverted
seperately for any reasons.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Add a linker script that exports only what was previosly exported by
libselinux.
This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
And diffing them:
diff old.map new.map
Fixes: #179
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructures protections to insure internal callers
of exported symbols call into libselinux and not something laoding first
in the library list.
Clang has this enabled by default.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
commit 1f89c4e787 ("libselinux: Eliminate
use of security_compute_user()") eliminated the use of
security_compute_user() by get_ordered_context_list(). Deprecate
all use of security_compute_user() by updating the headers and man
pages and logging a warning message on any calls to it. Remove
the example utility that called the interface. While here, also
fix the documentation of correct usage of the user argument to these
interfaces.
Fixes: https://github.com/SELinuxProject/selinux/issues/70
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
