Commit graph

1660 commits

Author SHA1 Message Date
Stephen Smalley
8e776b074c libselinux: regex_writef: Mark unused argument with __attribute__((unused)).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:31 -04:00
Janis Danisevskis
50f0910cf0 libselinux: add support for pcre2
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile built with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r" flag. This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.

Signed-off-by: Janis Danisevskis <jdanis@google.com>
2016-09-15 13:49:14 -04:00
Stephen Smalley
4f29266623 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:00 -04:00
Petr Lautrbach
964bf69a65 sandbox: fix file labels on copied files
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.

With this change, homedir and tmpdir are recursively relabeled with the
expected sandbox labels after all items are in their place.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
6fcef9a09c sandbox: tests - close stdout of p1
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline

Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
  testMethod()

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
3aedecefc7 sandbox: tests - use sandbox from cwd
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Stephen Smalley
d10c8b81d4 sepolgen: fix make test
make test in sepolgen was broken because checkmodule now requires
the module name to match the file name.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-12 09:42:38 -04:00
Stephen Smalley
429041bfab Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:26:45 -04:00
Stephen Smalley
0a0e5afbb4 libselinux: fix coding style problems with the prior commit
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:25:06 -04:00
William Roberts
5e15a52aaa libselinux: clean up process file
The current process_file() code will open the file
twice in the case of a binary file, correct this.

The general flow through process_file() was a bit
difficult to read, streamline the routine to be
more readable.

Detailed statistics of before and after:

Source lines of code reported by cloc on modified files:
before: 735
after: 742

Object size difference:
before: 195530 bytes
after:  195485 bytes

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-09 14:08:55 -04:00
James Carter
c1d873e971 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-06 13:48:20 -04:00
Guido Trentalancia
e7fbb8b401 Produce more meaningful error messages when conflicting type rules are found by libsepol.
Fixes Debian bug #832331 (https://bugs.debian.org/832331).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-06 13:46:32 -04:00
Stephen Smalley
542b528703 Updated checkpolicy and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-06 11:14:09 -04:00
Nicolas Iooss
2489b50a91 libsepol: make "make test" fail when a CUnit test fails
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
3666bd9a99 libsepol: tests: fix g_b_role_2 test
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exist in the
scope of the base policy.

This fixes the following failure of "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
    FAILED
        1. test-common.c:43  - scope->decl_ids_len == len
        2. test-common.c:52  - found == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1274   1274   1272      2      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
112f86d489 checkpolicy: add types associated to a role in the current scope when parsing
This fixes most of the errors reported in "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...
    role o1_b_role_1 has 0 types, 1 expected
    role o1_b_role_1 has 0 types, 1 expected
    role o1_m1_role_1 has 0 types, 1 expected
    sym g_b_role_2 has 1 decls, 2 expected
    Role o1_b_role_2 had type o1_b_type_1 not in types array
    role o1_b_role_2 has 0 types, 1 expected
    Role g_b_role_4 had type g_m1_type_2 not in types array
    role g_b_role_4 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o4_b_role_1 has 0 types, 1 expected
    Role o4_b_role_1 had type g_m1_type_1 not in types array

    FAILED
        1. test-common.c:216  - found == len
        2. test-common.c:216  - found == len
        3. test-common.c:216  - found == len
        4. test-common.c:43  - scope->decl_ids_len == len
        5. test-common.c:52  - found == 1
        6. test-common.c:213  - new == 1
        7. test-common.c:216  - found == len
        8. test-common.c:213  - new == 1
        9. test-common.c:216  - found == len
        10. test-common.c:216  - found == len
        11. test-common.c:216  - found == len
        12. test-common.c:216  - found == len
        13. test-common.c:213  - new == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1269   1269   1256     13      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Stephen Smalley
36a21c38d1 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-23 15:57:33 -04:00
Gary Tierney
67b328a91c genhomedircon: add support for %group syntax
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:54:45 -04:00
Gary Tierney
83ab9e258f genhomedircon: generate contexts for logins mapped to the default user
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:51:06 -04:00
James Carter
0dce00d72e Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:14:41 -04:00
James Carter
f9927d9370 libsepol: Change which attributes CIL keeps in the binary policy
The removal of attributes that are only used in neverallow rules is
hindering AOSP adoption of the CIL compiler. This is because AOSP
extracts neverallow rules from its policy.conf for use in the Android
compatibility test suite. These neverallow rules are applied against
the binary policy being tested to check for a violation. Any neverallow
rules with an attribute that has been removed cannot be checked.

Now attributes are kept unless they are not used in any allow rule and
they are auto-generated or named "cil_gen_require" or do not have any
types associated with them.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:13:32 -04:00
James Carter
a0f05b307b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 14:09:50 -04:00
William Roberts
fbf77104c3 libsepol: port str_read from kernel
Rather than duplicating the following sequence:
1. Read len from file
2. alloc up space based on 1
3. read the contents into the buffer from 2
4. null terminate the buffer from 2

Use the str_read() function that is in the kernel, which
collapses steps 2 and 4. This not only reduces redundant
code, but also has the side effect of providing a central
check on zero_or_saturated lengths from step 1 when
generating string values.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:18:02 -04:00
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similar
to role_val_to_struct usages. Calloc these up to prevent
any uninitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
Stephen Smalley
a1d76acf04 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-19 10:41:03 -04:00
Jason Zaman
b5002d54d7 audit2allow: tests should use local copy not system
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
0a150ca94d audit2allow: fix audit2why import from seobject.
Commit b43991f913 broke audit2why because
boolean_desc was imported indirectly via seobject. Use it directly from
sepolicy instead.

$ cd policycoreutils/audit2allow
$ make test
test_audit2why (__main__.Audit2allowTests)
Verify audit2why works ... Traceback (most recent call last):
  File "/bin/audit2why", line 365, in <module>
    app.main()
  File "/bin/audit2why", line 353, in main
    self.__output()
  File "/bin/audit2why", line 295, in __output
    return self.__output_audit2why()
  File "/bin/audit2why", line 263, in __output_audit2why
    print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
AttributeError: 'module' object has no attribute 'boolean_desc'
FAIL

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
229214bc80 audit2allow: remove audit2why so it gets symlinked
audit2why is supposed to be a symlink to audit2allow. There are instead
2 files in the repo so the makefile has not been replacing audit2why.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Stephen Smalley
5a62da59ed Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:24:22 -04:00
Stephen Smalley
d92470623c Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:22:28 -04:00
Miroslav Vadkerti
846c87f506 semanage: fix error message for fcontext -m
The type must be a file or device type, not a port type.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-18 15:21:37 -04:00
stephensmalley
0864aa96aa Merge pull request #22 from wakeful/fix-incorrect-import-message
fixing incorrect help message
2016-08-18 14:36:25 -04:00
AJ
f8185ee7f4 fixing incorrect message in semanage.8 man page.
2016-08-18 19:29:10 +01:00
Stephen Smalley
a3811713ee Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:41:39 -04:00
Stephen Smalley
b9ebab6528 semanage: Fix semanage fcontext -D
commit 4c5b8a9568 ("semanage: add
auditing of changes in records") broke semanage fcontext -D.
Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:36:30 -04:00
Stephen Smalley
b0a9b464ae Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:44:38 -04:00
Stephen Smalley
a7334eb0de libsemanage: validate and compile file contexts before installing
libsemanage presently runs setfiles -c to validate the file_contexts
files and sefcontext_compile to compile them to file_contexts.bin
after installing the final files under /etc/selinux.  As a result,
any error that occurs during this processing may leave invalid files
in /etc/selinux.  Move this processing before installing the files
to their final location, and then copy the .bin files that were
generated.

This prevents an error like:
semanage fcontext -a -t httpd_exec_t "/foo["
from reaching the /etc/selinux directory at all, e.g.

$ sudo semanage fcontext -a -t httpd_exec_t "/foo["
[sudo] password for sds:
/var/lib/selinux/final/targeted/contexts/files/file_contexts.local:  line 4 has invalid regex /foo[:  missing terminating ] for character class
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
OSError: Error

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:36:59 -04:00
AJ
ffd07e72fd fixing incorrect help message
2016-08-17 20:59:09 +01:00
Stephen Smalley
80dc3ef239 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:17:10 -04:00
Stephen Smalley
6e2bdb770f libselinux, sefcontext_compile: handle NULL pcre study data
pcre_study() can return a NULL result if no additional information
could be determined for the pattern.  Thus, sefcontext_compile
needs to correctly handle the case where the study data is NULL
when generating file_contexts.bin, and libselinux needs to correctly
handle it when loading file_contexts.bin.  Fix them both.

This change enables:
semanage fcontext -a -t httpd_exec_t "(/.*)?"
to succeed, since the regex itself is valid but there is no
additional information produced by pcre_study().

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:05:48 -04:00
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter,
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix uninitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00
William Roberts
d13bff623b libsepol: bound attr_type_map access by nprim
Correct an invalid memory access when attr_type_map array
indexing is outside of bounds.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:25 -04:00
William Roberts
305986f58c genfs_read: fix use heap-use-after-free
The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt is made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:12 -04:00
William Roberts
33de30a284 ebitmap: detect invalid bitmap
When count is 0 and the highbit is not zero, the ebitmap is not
valid and the internal node is not allocated. This causes issues
when routines, like mls_context_isvalid() attempt to use the
ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume
a highbit > 0 will have a node allocated.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:57 -04:00
William Roberts
b612314bf3 libsepol: ensure key is valid before doing search
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:44 -04:00
William Roberts
8b4ad4fde5 libsepol: fix invalid access of NULL on type_val_to_struct
In type_set_expand:
When nprim, the table index counter, is greater than the value of initialized
entries in the type_val_to_struct[] array, detect this as invalid
and return an error.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:31 -04:00
James Carter
58e0c3207f Updated policycoreutils ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-15 14:22:39 -04:00
Miroslav Vadkerti
cc5b484c2b semanage: correct fcontext auditing
For modify action actually audit the selinux type, i.e. use setype
variable.

For deleting equal fcontext rules do not audit ftype, as the ftype value
for equal rules makes little sense.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-15 12:29:06 -04:00