Instead of running the array two times, sorting the 'hasMeta' the first
time and the !hasMeta the second, run the array once putting hasMeta in
the front and !hasMeta in the back. Then ONLY run the !hasMeta section
a second time reversing its order so its sorted as it should be.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right now find_stem_from_spec does a number of things:
- calculate the length of th stem
- look for that stem
- duplicate the stem
- add the stem to the array
break those things up a bit because the mmap version isn't going to need
to do some of those things.
Signed-off-by: Eric Paris <eparis@redhat.com>
We currently duplicate code 3 times for the main file, the homedirs, and
the local file. Just put that stuff in its own function so we don't
have to deal with it multiple times.
Signed-off-by: Eric Paris <eparis@redhat.com>
We currectly run all of the regex files 2 times. The first time counts
the lines and does the simple validatation. We then allocate an array
of exactly the right size to hold the entries and run them a second time
doing stronger validation, regex compile, etc.
This is dumb. Just run them one time and use realloc to grow the size
of the array as needed. At the end the array will get sized perfectly
to fit by the sorting function, so even if we accidentally allocated
entra memory we'll get it back.
Signed-off-by: Eric Paris <eparis@redhat.com>
When we use an mmap backed version of data we need to declare the pcre
extra data since we are only given a point to the data->buffer. Since
sometimes the spec will hold a pointer to the extra data and sometimes
we want to declare it on the stack I introduce and use an accessor for
the extra data instead of using it directly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to do the same thing in the compiler and as we do in in the code
which reads regexes in from the text file. Move that sorting into the header.
Signed-off-by: Eric Paris <eparis@redhat.com>
An illegal regex may end with a single \ followed by nul. This could
cause us to search past the end of the character array. The loop
formation looks like so:
c = regex_str;
len = strlen(c);
end = c + len;
while (c != end) {
switch (*c) {
...
case '\\': /* skip the next character */
c++;
break;
...
}
c++;
}
If the \ is the last character then we will increment c and break from
the switch. The while loop will then increment c. So now c == end+1.
This means we will keep running into infinity and beyond! Easy fix.
Make the loop check (c < end). Thus even if we jump past end, we still
exit the loop.
Signed-off-by: Eric Paris <eparis@redhat.com>
So we can use it in the new compile utility, move the
spec_hasMetaChars() function, which looks for things like .*?+^$ in
regular expressions into the internal header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
The libselinux label_file backend counted the number of regexes which
had been compiled. We didn't use it and it wasn't useful information.
Stop doing it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to be able to find the stem and the spec from our new utility.
So move those functions to the header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
If we want to use these functions in utilities we shouldn't call such
libselinux internal functions. Move the error reporting up to the
caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
So the string to mode_t conversion in a helper function so it can be
used later by a regex compilation program.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to use some label_file internals in a utility to compile
fcontext files into binary data for fast use. So start pushing
structures and such into a header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
The coveriety scanner is too stupid to realize that the strtok_r()
function initializes the saveptr variable. Since we are passing a
variable location without initializing it coveriety gets angry. Just
shut up the scanner, but nothing was wrong to start with.
Signed-off-by: Eric Paris <eparis@redhat.com>
If we have a malformed seusers entry we may not find the : proceeding
the level and would thus get a NULL. This can blow up. Check for this
error and bail gracefully. Found by coverity
Signed-off-by: Eric Paris <eparis@redhat.com>
We may want to force matchpathcon to respond if the path is question is
a dir, sockfile, chr, blk, etc. Add an option so you can force it to
hit the right rule types.
Signed-off-by: Eric Paris <eparis@redhat.com>
Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially used within libsemanage.
Signed-off-by: Eric Paris <eparis@redhat.com>
Use selinux_boolean_sub to translate the boolean name handed in by the user.
Report back the correct name of the boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We generate pkg-config --libs and use that to build the libselinux
python so file. We do not use it to build the libsemanage versions. We
also never use the ruby equivalent. So stop calling pkg-config
uselessly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We explicitly set the soname of the python and ruby files. We don't
need this. We are using the -o name as the soname, so just let the
toolchain do its thing. It just makes the Makefile nicer to read.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a -s option to getdefaultcon which allows one to specify the
service in question. This exposes all of the abilities of getseuser
instead of only the abilities of getseuserbyname.
Signed-off-by: Eric Paris <eparis@redhat.com>
In order for lxc to look up its process and file labels we add new
libselinux support. This is what we do for everything else, like
libvirt, seposgresql, etc.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux ruby bindings didn't build from the top level
the swig generated .c file wasn't gitignored
use pkg-config for ruby info like we do for python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is already in the android repo. This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
getseuser() would unconditionally check strlen on the service variable
even though it could be NULL. Whoops. If service is NULL we should
only match on *: entries.
Signed-off-by: Eric Paris <eparis@redhat.com>
The realpath_not_final() function did not properly handle symlinks in
the / directory. The reason is because when it determined the symlink
was in the root directory it would set the resolved portion of the path
to /, it would then add a / to the end of the resolved portion, and then
append the symlink name. The fix is to instead set the resolved portion
to "". Thus when the '/' at the end of the resolved portion is added it
will be correct.
While I am at it, strip extraneous leading / so that //tmp returns /tmp.
Signed-off-by: Eric Paris <eparis@redhat.com>
swig creates C files with warnings. Turn off the warnings so the build
is clean. We can't help the code it produces anyway...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The init functions are non-static but did not have a prototype
declaration. They are called magically from python, so just declare the
prototype to silence the warning.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
should continue to poll if it receinves an EINTR rather then exiting with an error.
This was a major bug within dbus that was causing dbus to crash it was
discussed at the time whether this is a dbus bug or an libselinux bug,
it was decided that we should fix it within libselinux.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Description: Hide unnecessarily-exported library destructors
This change was extracted from the old monolithic Debian patch.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not link python module with libpython, the interpreter is already linked against it.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects. Allow
userspace to use the filename_trans rules added to policy.
Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
selinux_check_access() should not error on bad class or perms if the
security_deny_unkown() function return false. If policy tells us to
allow unknown classes and perms we should respect that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
To simplify finding why programs don't work, assert that avc_init() was
called any time avc functions are called. This means we won't get
'random' segfaults and will instead be able to hopefully quickly
determine what we did wrong as application developers.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
It's not special and doesn't need its own Makefile lines. Just make it
a normal target.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The earlier patch to avc.c put the struct member annotation at
the end of the line, which works fine for GCC, but upsets SWIG.
Equivalent code in selinux.h demonstrates how to place the
annotation without upsetting SWIG.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
XXX: -Wno-redundant-decls really shouldn't be set, if some way
can be found to deal with warnings generated by dso.h
XXX: the maximum stack size should be much lower, but there
are too many functions using PATH_MAX which need to be rewritten
to use the heap instead.
XXX: probe for whether the user's GCC supports a flag ?
Signed-off-by: Eric Paris <eparis@redhat.com>
Annotating the die method as taking printf format exposes
a bug in error reporting
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The public avc.h file must use a printf annotation in the struct
callback members, otherwise application code will get compiler
warnings that the method should have an annotation set.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take
a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add 'void' parameter to all functions which take no arguments
* selinux_config.c: s/()/(void)/
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seusers.c: In function ‘getseuser’:
seusers.c:273:3: error: jump skips variable initialization [-Werror=jump-misses-init]
seusers.c:317:2: note: label ‘err’ defined here
seusers.c:274:8: note: ‘fp’ declared here
* seusers.c: Declare FILE *fp at start of getseuser() method
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The getcon man page already includes setcon() and other non-"get"
entries. Why send people somewhere else just for freecon? Put it here.
Signed-off-by: Eric Paris <eparis@redhat.com>
Do not talk about disabling selinux in the setenforce man page. Point
people in the right direction instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add service_seusers(5) - those in the ./logins directory, seusers(5),
user_contexts(5) - those in the ./contexts/users directory,
virtual_domain_context(5) and virtual_image_context(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add failsafe_context(5), local.users(5), removable_contexts(5) and
securetty_types(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add booleans(5), customizable_types(5), default_contexts(5) and
default_type(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Updated selabel_x(5) with X-Windows context configuration file format and
added x_contexts(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_media(5) with media context configuration file format and
added media(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_db(5) with RDBMS context configuration file format and added sepgsql_contexts(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_file(5) with file context configuration file format and
added file_contexts(5) man page that links to it. selabel_file(5) also
describes the .local, .homedirs, .subs and .subs_dist configuration file
formats.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
For get_default_context_with_role(3) and get_default_context_with_rolelevel(3),
return errno = EINVAL if invalid role.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
get_default_type(3) now returns with errno set to EINVAL if the entry does not
exist.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If selinux_set_mapping(3) is used to map classes, and an invalid class is used
to compute a decision (tclass = 0), the result did not obey the status of the
deny_unknown flag.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Remove assert in security_get_boolean_names(3) if the len invalid and stop seg
fault if names is null. Set EINVAL instead and return error.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a check to restorecon, to not change a context if the context on disk matches
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Sometimes sticking to 80 characters sucks a lot. I don't care. Buy a
wider monitor so I can read the code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
symlink_realpath is used by both libselinux and policycoreutils.
Instead of coding it twice, export the libselinux version under a new
name that makes it sound more generic.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Potential file descriptor leak on this code path, need to close file
descriptor if out of memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If a user was in too many groups the check_group function might not pass
a large enough buffer to getgrnam_r to handle things. This could return
ERANGE which we then aborted. Instead we should make the buffer larger and
try again.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some programs, like passwd, need to do simeple one time access checks.
Rather than set up a full avc cache and use that infrastructure they
were directly using security_compute_av. A problem with this approach
is the lack of audit on denials. This patch creates a new interface
that is simple to use and which will still listen to things like
permissive and output audit messages on denials.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Return early to save an indent. Clean up all memory on ENOMEM
conditions. Use '\0' instead of 0 for nul terminiator. Style changes
to make Eric happy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile which generated the package config files did not have the
VERSION file as a dependancy. Thus if you updated a tree you have
previously build the .pc file wouldn't be rebuilt and the old version
would be reinstalled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist. We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV. The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all. If it doesn't exist, that's equivalent to
ENODEV.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Commit 874bac80bb incorrectly changed the default install location
of libselinux.so.1 from /lib to /usr/lib. This patch fixes that problem
by reverting that portion of the change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We declare rc both for a function and inside a stanze. We only need it in the
stanze so remove the declaration for the whole function.
Signed-off-by: Eric Paris <eparis@redhat.com>
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.
The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.
I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.
[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of only doing path simplification and symlink following for the
matchpathcon helper instead do it in the library potion. This was an
issue when in python some called selinux.matchpatchcon("//lib64", 0) and
got the wrong answer (because the // wasn't being dealt with)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Allow Change libselinux Makefile to be able to build by default and to build
if you change the version of Python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Please find another libselinux patch. I've tested quite extensively with the compute_av and string functions with and without mapping and seems okay.
The patch covers:
When selinux_set_mapping(3) is used to set the class and permissions allowed by an object manager, then an invalid class and/or permissions are selected (e.g. using security_class_to_string), then mapping.c in libselinux forces an assert. This patch removes the asserts and allows the functions to return a class/perm of 0 (unknown) with errno set to EINVAL. A minor patch to set EINVAL in security_av_perm_to_string_compat is also included. All the functions to convert perms & classes to strings and back should now return the correct errno with or without mapping enabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
A at least one broken python headers didn't define SIZEOF_SOCKET_T.
Define it if we happen upon one of those.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
matchpathcon cannot handle ./ or ../ in pathnames and doesn't do well
with symlinks. This patch uses the glibc function realpath() to try to
determine a real path with resolved symlinks and dot directories. For
example before this pach we would see:
$ matchpathcon /tmp/../eric
/tmp/../eric <<none>>
$ matchpathcon /eric
/eric system_u:object_r:default_t:s0
Whereas after the path we get the same results. The one quirk with the
patch is that we need special code to make sure that realpath() does not
follow a symlink if it is the final component. aka if we have a symlink
from /eric to /tmp/eric we do not want to resolv to /tmp/eric. We want
to just resolv to the actual symlink /eric.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I believe this is just to stop flooding the screen with libsepol
statistics every time you run audit2allow or any other libsepol command.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch just makes python bindings for restorecon work on relative
paths.
$ cd /etc
$ python
> import selinux
> selinux.restorecon("resolv.conf")
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is a missing error check in audit2why.c. Check for error and
return NULL if we can't initialize instead of just pretending it worked.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
python3 does not have PyString_FromString use PyBytes_FromString
instead. The same for PyString_Check->PyBytes_Check and for
PyString_AsString->PyBytes_AsString
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Tools like restorecon or systemd, which load the fcontext database to
make labeling decisions do not need to check for duplicate rules. Only
the first rule will be used. Instead we should only check for
duplicates when new rules are added to the database. And fail the
transaction if we find one.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Allow the specification of python3 in the swig creation
This patch adds the new option PYPREFIX which causes the swig created
libraries to have a prefix. This allows one to build both the python2
and python3 libraries in the same source tree. The install will then
later strip this prefix back off when it drops the files into the python
approriate site package directory.
This patch also needs to update the PYINC definition as newer python
patckages on fedora exist in /usr/include/python3.2mu instead of
/usr/include/python3.2 as the other method of detemrining PYINC would
have found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is a .gitignore at the head of the directory but only contains
entries for the utils directory. Move to the utils directory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This utility will tell what context a new task will have after exec
based on the pathname and the context of the launching task.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libselinux selabel_open function always processed the substitution files (if
installed) from the active policy contexts/files/file_contexts.subs and
subs_dist irrespective of the backend type or SELABEL_OPT_PATH setting. This
patch now processes the correct subs files when selabel_open is called with
SELABEL_CTX_FILE. The other backends could also process their own substitution
files if needed in their own areas.
[move the init declaration to label_internal.h - eparis]
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The Fedora Distribution is looking to standardize kernel subsystem file
systems to be mounted under /sys/fs. They would like us to move /selinux
to /sys/fs/selinux. This patch changes libselinux in the following
ways:
1. load_policy will first check if /sys/fs/selinux exists and mount the
selinuxfs at this location, if it does not exists it will fall back to
mounting the file system at /selinux (if it exists).
2. The init functions of selinux will now check if /sys/fs/selinux is
mounted, if it is and has an SELinuxfs mounted on it, the code will then
check if the selinuxfs is mounted rw, if it is, libselinux will set the
mountpoint, if it is readonly, libselinux will return no mountpoint. If
/sys/fs/selinux does not exists, the same check will be done for
/selinux and finally for an entry in /proc/mounts.
NOTE: We added the check for RO, to allow tools like mock to be able to
tell a chroot that SELinux is disabled while enforcing it outside the
chroot.
$ getenforce
Enabled
$ mount --bind /selinux /var/chroot/selinux
$ mount -o remount,ro /var/chroot/selinux
$ chroot /var/chroot
$ getenforce
Disabled
3. In order to make this work, I needed to stop enabled from checking if
/proc/filesystem for entries if selinux_mnt did not exist. Now enabeled
checks if selinux_mnt has been discovered otherwise it will report
selinux disabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile does:
SRCS= $(filter-out $A, $(filter-out $B, *))
When it can just do:
SRCS= $(filter-out $A $B, *)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libselinux/src/selinux.py and libselinux/src/selinuxswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add man pages for selinux_raw_context_to_color(5), selinux_colors_path(3) and secolors.conf(5).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The idea is to allow distributions to ship a subs file as well as let
the user modify subs.
In F16 we are looking at shipping a
file_contexts.subs_dist file like this
cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib
The we will remove all (64)? from policy.
This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6
QT0An0ihA60di9CRsEqEdVbSaHOwtte5
=LXgd
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.
systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.
The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called. This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This prevents the key destructors, intented to free per-thread
heap storage, from being called after libselinux has been unloaded.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.
selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.
Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().
It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Email: dwalsh@redhat.com
Subject: I think it is time to turn off default user handling in libselinux
Date: Mon, 13 Dec 2010 13:28:01 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch will turn this handling off. Meaning you will not end up
with some bizarro context and fail to login if the login program can not
figure how to log you in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0GZbEACgkQrlYvE4MpobOF7QCgsD1XYuNC6B5MyIezCZvN9mYL
UX4AoOe9GsP3bhuvMBPea9LXeV/7tCPS
=B9Pk
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Description of problem:
Use of __thread variables is great for creating a thread-safe variable, but
only insofar as the contents of that variable can safely be abandoned on
pthread_exit(). The moment you store malloc()d data into a __thread void*
variable, you have leaked memory when the thread exits, since there is no way
to associate a destructor with __thread variables.
The _only_ safe way to use thread-local caching of malloc()d data is to use
pthread_key_create, and associate a destructor that will call free() on the
resulting data when the thread exits.
libselinux is guilty of abusing __thread variables to store malloc()d data as a
form of a cache, to minimize computation by reusing earlier results from the
same thread. As a result of this memory leak, repeated starting and stopping
of domains via libvirt can result in the OOM killer triggering, since libvirt
fires up a thread per domain, and each thread uses selinux calls such as
fgetfilecon.
Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libvirt-0.8.1-27.el6.x86_64
How reproducible:
100%
Steps to Reproduce:
0. These steps are run as root, assuming hardware kvm support and existence of
a VM named fedora (adjust the steps below as appropriate); if desired, I can
reduce this to a simpler test case that does not rely on libvirt, by using a
single .c file that links against libselinux and repeatedly spawns threads.
1. service libvirtd stop
2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
3. virsh start fedora
4. kill $pid
Actual results:
The biggest leak reported is due to libselinux' abuse of __thread:
==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are
definitely lost in loss record 500 of 500
==26696== at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==26696== by 0x3022E0D48C: selabel_open (label.c:165)
==26696== by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==26696== by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==26696== by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
==26696== by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
==26696== by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
==26696== by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
==26696== by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
==26696== by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
==26696== by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
==26696== by 0x3033E75412: virDomainCreate (libvirt.c:4881)
==26696==
Basically, libvirt created a thread that used matchpathcon during 'virsh start
fedora', and matchpathcon stuffed over 800k of malloc'd data into:
static __thread char **con_array;
which are then inaccessible when libvirt exits the thread as part of shutting
down on SIGTERM.
Expected results:
valgrind should not report any memory leaks related to libselinux.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reported-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Email: kaigai@ak.jp.nec.com
Subject: libselinux APIs should take "const" qualifier?
Date: Tue, 23 Mar 2010 11:56:36 +0900
(2010/03/19 22:32), Stephen Smalley wrote:
> On Fri, 2010-03-19 at 16:52 +0900, KaiGai Kohei wrote:
>> Right now, security_context_t is an alias of char *, declared in selinux.h.
>>
>> Various kind of libselinux API takes security_context_t arguments,
>> however, it is inconvenience in several situations.
>>
>> For example, the following query is parsed, then delivered to access
>> control subsystem with the security context as "const char *" cstring.
>>
>> ALTER TABLE my_tbl SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:SystemHigh';
>> const char *<---- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> In this case, we want to call selinux_trans_to_raw_context() to translate
>> the given security context into raw format. But it takes security_context_t
>> argument for the source context, although this pointer is read-only.
>> In the result, compiler raises warnings because we gave "const char *" pointer
>> into functions which take security_context_t (= char *).
>>
>> Any comments?
>>
>> It seems to me the following functions' prototype should be qualified by
>> "const".
>
> That seems reasonable and should have no impact on library ABI.
> On the other hand, others have pointed out that security_context_t is
> not a properly encapsulated data type at all, and perhaps should be
> deprecated and replaced with direct use of char*/const char* throughout.
>
> There are other library API issues as well that have come up in the
> past, such as lack of adequate namespacing (with approaches put forth),
> but we don't ever seem to get a round tuit.
At first, I tried to add const qualifiers read-only security_context_t
pointers, but didn't replace them by char */const char * yet, right now.
BTW, I could find out the following code:
int security_compute_create(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon)
{
int ret;
security_context_t rscon = scon;
security_context_t rtcon = tcon;
security_context_t rnewcon;
if (selinux_trans_to_raw_context(scon, &rscon))
return -1;
if (selinux_trans_to_raw_context(tcon, &rtcon)) {
freecon(rscon);
return -1;
}
:
In this case, scon and tcon can be qualified by const, and the first
argument of selinux_trans_to_raw_context() can take const pointer.
But it tries to initialize rscon and tscon by const pointer, although
these are used to store raw security contexts.
The selinux_trans_to_raw_context() always set dynamically allocated
text string on the second argument, so we don't need to initialize it
anyway. I also removed these initializations in this patch.
Does the older mcstrans code could return without allocation of raw
format when the given scon is already raw format? I don't know why
these are initialized in this manner.
Thanks.
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: slawrence@tresys.com
Subject: Add chcon method to libselinux python bindings
Date: Mon, 7 Jun 2010 17:40:05 -0400
Adds a chcon method to the libselinux python bindings to change the
context of a file/directory tree.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch simply removes duplicate slashes (meaning "//") from
pathnames passed into selabel_lookup. It does not do a full
realpath() calculation (e.g. following symlinks, etc.), as the
client should really do that before calling into libselinux.
Signed-off-by: Chad Sellers <csellers@tresys.com>
