Commit graph

450 commits

Author SHA1 Message Date
Harry Ciao
80f26c5ee8 checkpolicy: Separate tunable from boolean during compile.
Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional we can not know if the
tunable identifier is indeed a tunable(for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion when all
booleans/tunables copied during link.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:01 -04:00
Harry Ciao
f87ae53825 libsepol: Indicate when boolean is indeed a tunable.
Add flags to cond_bool_datum_t and cond_node_t structures to differentiate
the tunables' identifiers and conditionals from those of booleans.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:01 -04:00
Dan Walsh
ab1195dcfe sepolgen: look for booleans that might solve problems
This patch allows audit2allow to do analysis on the AVC's to see if a
boolean would have solved the problem or if the AVC is caused by a
constraint.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Dan Walsh
eecf746aa8 sepolgen: Change perm-map and add open to try to get better results on matches
This patch adds open to sepolgen checks and resets the priorities to
get better matches on AVCs

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Dan Walsh
216f456401 policycoreutils: sandbox: cntrl-c should kill entire process control group
Change the signal handler to handle ctrl-C and exit properly

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Dan Walsh
e8575bf497 policycoreutils: sandbox: add level based kill option
add kill option to seunshare to kill all processes that are still running
with the execcon MCS label.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Eric Paris
f37a6a71cb policycoreutils: sandbox: do not bind mount so much
pam_namespace and sandbox both do the bind mounts internally now.  No
reason to force this on everyone.  Hopefully the sandbox init script
will be disappearing with systemd doing this by default.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Eric Paris
31edb319af policycoreutils: sandbox: rewrite /tmp handling
seunshare now creates a runtime temporary directory owned by root and
with the sticky bit set properly.  Files from the user-specified directory
are copied to the runtime directory and the changes synced back (using rsync)
at the end of the seunshare run.

This is hoped to address CVE-2011-1011

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:53:46 -04:00
Eric Paris
4347a5c01d policycoreutils: sandbox: add sandbox cgroup support
Add cgroup support

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-09-15 19:20:44 -04:00
Eric Paris
3e532cffac policycoreutils: sandbox: add -Wall and -Werror to makefile
Just like everything else we should be erroring out on warnings.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 19:20:43 -04:00
Dan Walsh
1d54976d73 policycoreutils: setfiles: do not wrap * output at 80 characters
Russell Coker pointed out most displays are no 80 chars so we should just
put out * and let the terminal wrap itself.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
2011-09-15 19:20:43 -04:00
Dan Walsh
f23e078018 policycoreutils: setfiles: Fix potential crash using dereferenced ftsent
If fts_read() fails for any reason ftsent will be NULL.  Previously we
would have reported the error and then continued processing.  Now we
report the error and stop using the NULL pointer.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 19:20:43 -04:00
Eric Paris
a2db3f2df8 policycoreutils: setfiles: switch from stat to stat64
When we converted from nftw to fts we had to remove the automatic large
file support had to be removed.  Thus we switch from stat to stat64 on
all archs.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 19:20:42 -04:00
Eric Paris
f14912ee6e policycoreutils: audit2allow: sepolgen-ifgen use the attr helper
This patch adds support to actually use the new sepolgen-ifgen attr
helper.  We included the helper which generates attribute information
but this patch makes use of it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 19:20:42 -04:00
Dan Walsh
037285e936 sepolgen: src: sepolgen: add attribute storing infrastructure
add attribute handling to sepolgen so it can take into account the attributes
within an interface

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-09-15 19:19:58 -04:00
Eric Paris
f4ecef50b2 policycoreutils: audit2allow: use alternate policy file
Add a --policy option to audit2allow to make it use an
alternate use specified policy instead of the running
policy.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 17:19:20 -04:00
Eric Paris
5a2173519c policycoreutils: sepolgen-ifgen: new attr-helper does something
This program is used by sepolgen-ifgen to get the access for all of the
attributes in the policy so that it can resolve the typeattribute statements
in the interfaces.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 17:19:20 -04:00
Harry Ciao
0299119625 libsepol: Skip writing role attributes for policy.X and downgraded pp.
Role attributes are redundant for policy.X, their destiny has been
fulfilled in the expand phase when their types.types ebitmap have
been populated to that of their sub regular roles.

When pp is downgraded, role_datum_t's the flavor flag and roles
ebitmap would be discarded, resulting in role attributes useless
at all. So for such case they should also be skipped.

Deduct the number of role attributes from p_roles.table->nel when
they are skipped.

Last, uncount attributes number before converting endianness.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 17:19:20 -04:00
Eric Paris
60c780ffb6 libsemanage: change module disabled from rename to symlink
Change the way libsemanage handles disabled modules.  In the current
method libsemanage renames the FOO.pp file to FOO.pp.disabled and then
the rebuild process ignores *.disabled modules.

Since we want to start shipping

/etc/selinux/targeted/modules/active/modules/*.pp within the payload of
the rpm.  If we continued this method, a policy update would re-enable a
module.

The new mechanism will just create a symbolic link between FOO.pp and
FOO.pp.disabled.  Then the library will check all modules, and if a
module has a link, it will not be compiled into the policy.  This solves
the rpm update problem. and actually gives us an easier update
capability since if FOO.pp.disabled already exists using the old method,
it will continue to work with the new method.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-15 17:17:48 -04:00
Eric Paris
1f8cf403be update changelog and versions for 2011-08-26 2011-08-26 15:11:58 -04:00
Eric Paris
3f1446944e sepolgen: refparser: include open among valid permissions
The perser doesn't recognize 'open'.  Make it so.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:46:02 -04:00
Eric Paris
de311acdc9 sepolgen: refparser: add support for filename_trans rules
The parser cannot handle the new format of filename_trans rules.  Nor
can it handle the " now used.  Add support for both.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:44:33 -04:00
Dan Walsh
ddc5063c16 policycoreutils: setfiles: Fix process_glob to handle error situations properly
Rather than error when a glob does not match return success as this is
not a problem.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
2011-08-26 14:31:57 -04:00
Dan Walsh
a0e2e16878 policycoreutils: sandbox: Allow seunshare to run as root
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:31:56 -04:00
Dan Walsh
37644bfa93 policycoreutils: sandbox: trap sigterm to make sure sandbox exits with the proper exit code
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:31:55 -04:00
Dan Walsh
83e6416bca policycoreutils: sandbox: pass DPI from the desktop
Fix sandbox to pass DPI from the desktop to the sandbox program.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:31:54 -04:00
Eric Paris
f6558d9cec policycoreutils: sandbox: seunshare: introduce helper spawn_command
Introduce a helper which will spawn children and wait for them to exit
so we don't have to keep writing that code over and over.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:31:50 -04:00
Eric Paris
bf22cff3ea policycoreutils: sandbox: seunshare: introduce new filesystem helpers
These are just simple new helpers which make it easy to check uid, gid,
if two stat results are the same and things like that.

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-08-26 14:28:25 -04:00
Dan Walsh
149afc688a policycoreutils: sandbox: add -C option to not drop all capabilities
Some sandbox might want to be able to run a suid app.  Add the -C option
to allow capabilities to stay in the bounding set, and thus be allowed
inside the sandbox.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:23 -04:00
Eric Paris
d6c09608cd policycoreutils: sandbox: split seunshare caps dropping
Split drop_capabilities into drop_privs, which does the same thing, and
drop_caps, which only drops caps but doesn't affect the uid.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:22 -04:00
Eric Paris
64b7a309c5 policycoreutils: sandbox: use dbus-launch
Instead of directly calling, use dbus-launch.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:19 -04:00
Eric Paris
26ff83cf87 policycoreutils: sandbox: numerous simple updates to sandbox
Little things like better error messages, usage text, code duplication
and the like.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:18 -04:00
Eric Paris
da7ae7951c policycoreutils: sandbox: do not require selinux context
seunshare can be used on non-selinux systems.  It can also be used
without transition to a new context.  Thus we should not require that a
context be set.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:16 -04:00
Eric Paris
3c5abbc341 policycoreutils: sandbox: Makefile: new man pages
we have man pages which aren't being instelled with make install.  We
also do not include -Werror -Wall -Wextra in the build like we do with
other packages, so include those.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:14 -04:00
Eric Paris
baf4d59407 policycoreutils: sandbox: rename dir to srcdir
Just a simple variable rename to make it clear what it does.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:12 -04:00
Eric Paris
d725841239 policycoreutils: sandbox: allow users specify sandbox window size
This allows users to create sandbox windows of a specified size on the
command line.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:11 -04:00
Eric Paris
74bb5c01d6 policycoreutils: sandbox: check for paths up front
When launching a sandbox x environment we should check up front to make
sure that the seunshare and sandboxsh files exist and bail politely if
they do not exist.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:09 -04:00
Eric Paris
1701e786ea policycoreutils: sandbox: use defined values for paths rather than open coding
Rather than putting pathnames all throughout the file define them as
variables and reuse these variables where needed.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:07 -04:00
Eric Paris
406ae12e31 policycoreutils: sandbox: move seunshare globals to the top
Just coding style, globals go at the top of .c files, not randomly
throughout.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:05 -04:00
Eric Paris
89e3dd6c30 policycoreutils: sandbox: whitespace fix
couple of whitespace at the end of the line.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:03 -04:00
Dan Walsh
8fb9a4571d policycoreutils: semodule_package: Add semodule_unpackage executable
Much like semodule_package this utility will unpack!

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:02 -04:00
Eric Paris
242a98cd21 policycoreutils: setfiles: get rid of some stupid globals
We have some useless globals in setfiles that don't need to be.  Stop
it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:28:00 -04:00
Eric Paris
5ffa296798 policycoreutils: setfiles: move exclude_non_seclabel_mounts to a generic location
move exclude_non_seclabel_mounts from setfiles.c to restore.c so it can
be used by other functions later.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:59 -04:00
Eric Paris
142209161f global: Makefile: create global 'all' target
This does 2 things.  It does a little cleanup by de-duplicating code.
It also adds a new target 'all' as the default target.  Previous the
default target was 'install'.  There was no 'all' target.  This patch
should allow one to build all of the tree as a non-root user.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:57 -04:00
Eric Paris
e759841c08 checkpolicy: fix spacing in output message
The output formatting had two items crammed together without a space.
Add a space.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:56 -04:00
Dan Walsh
acb4ecaa01 libsemanage: python wrapper makefile changes
Allow Change libsemanage Makefile to be able to build by default and to build
if you change the version of Python

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:54 -04:00
Richard Haines
bc1a8e2a4a libselinux: selinux_file_context_verify function returns wrong value.
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.

The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.

I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.

[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:51 -04:00
Eric Paris
7df397d3d9 libselinux: move realpath helper to matchpathcon library
Instead of only doing path simplification and symlink following for the
matchpathcon helper instead do it in the library potion.  This was an
issue when in python some called selinux.matchpatchcon("//lib64", 0) and
got the wrong answer (because the // wasn't being dealt with)

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:37 -04:00
Dan Walsh
57c6012f86 libselinux: python wrapper makefile changes
Allow Change libselinux Makefile to be able to build by default and to build
if you change the version of Python

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:34 -04:00
Eric Paris
6b6b475dcf update changelog and VERSION for latest changes 2011-08-17 11:17:28 -04:00