Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:
$ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
clang -Wl,-as-needed,-no-undefined -I/usr/include
-DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -c -o
seunshare.o seunshare.c
clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
unused
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The next patch will update info() and search() to use the setools4 api.
setools4 makes heavy use of generators so info() and search() will as
well. Pre-emptively update users to cast to a list where required.
Signed-off-by: Jason Zaman <jason@perfinion.com>
search() is an overly complex wrapper around setools, several users are
simplified by just directly using setools.
Signed-off-by: Jason Zaman <jason@perfinion.com>
sandbox tried to copy all affected files to the new home
or tmp even though -M or -X was not specified and there was no new
directory.
Fixes:
$ sandbox ls ~
/usr/bin/sandbox: [Errno 17] File exists: '/root'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems be important enough in order not
to left running the server when the last client connection is closed.
This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.
As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.
Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.
Signed-off-by: Janis Danisevskis <jdanis@google.com>
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.
With this change, homedir and tmpdir is recursively relabeled with the
expected sandbox labels after all items are in their place.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline
Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
testMethod()
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Commit b43991f913 broke audit2why because
boolean_desc was imported indirectly via seobject. Use it directly from
sepolicy instead.
$ cd policycoreutils/audit2allow
$ make test
test_audit2why (__main__.Audit2allowTests)
Verify audit2why works ... Traceback (most recent call last):
File "/bin/audit2why", line 365, in <module>
app.main()
File "/bin/audit2why", line 353, in main
self.__output()
File "/bin/audit2why", line 295, in __output
return self.__output_audit2why()
File "/bin/audit2why", line 263, in __output_audit2why
print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
AttributeError: 'module' object has no attribute 'boolean_desc'
FAIL
Signed-off-by: Jason Zaman <jason@perfinion.com>
audit2why is supposed to be a symlink to audit2allow. There are instead
2 files in the repo so the makefile has not been replacing audit2why.
Signed-off-by: Jason Zaman <jason@perfinion.com>
commit 4c5b8a9568 ("semanage: add
auditing of changes in records") broke semanage fcontext -D.
Fix it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
For modify action actually audit the selinux type, i.e. use setype
variable.
For deleting equal fcontext rules do not audit ftype, as the ftype value
for equal rules makes little sense.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
In case serange is empty, but the record is beeing modified
(setype was supplied), use default "s0" range. With the original
code the audit event would be printed with no range (i.e.
"system_u:object_r:ssh_port_t:")
Note that default "s0" is currently used in other places
of seobject.py.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
This patch removes proto_to_audit dictionary and uses
standard socket.getprotobyname(protocol) to resolve
protocol number from given protocol name.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
Modify restorecond to make use of the libselinux selinux_restorecon*
set of functions. Also removed obsolete matchpathcon* functions.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Modify setfiles and restorecon to make use of the libselinux
selinux_restorecon* set of functions.
The output from these commands should be much the same as before
with some minor wording changes, the only exceptions being that for
setfiles(8) and restorecon(8) the following options have been added:
1) -I to ignore checking the directory digests.
2) -m to ignore reading /proc/mounts.
These additional options are described in the updated man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The modify actions of security context mappings for
interface and node actully called add action.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
The tcp/udp protocol numbers were accidentaly swapped in
the original patch 'semanage: add auditing of changes in records'.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
-n was not being passed down to restorecon properly in the code path
for -C and -N
Patch-by: Dan Callaghan <dcallagh@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
get_rpm_nvr_list can fail to get the version of selinux-policy rpm
package, which leads to error during spec file creation (attempt to
invoke __getitem__ of "None" object).
This patch sets the policy number to "0.0.0" in case rpm failed to
get it. This change should be safe because it affects only an example
of spec file.
Variable "POLICYCOREUTILSVER" was removed (unused).
fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1321499
Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
File "/bin/selinux-polgengui", line 360, in forward
self.generate_policy()
File "/bin/selinux-polgengui", line 506, in generate_policy
self.info(my_policy.generate(outputdir))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1382, in generate
out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1228, in write_spec
fd.write(self.generate_spec())
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1190, in generate_spec
selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
TypeError: 'NoneType' object has no attribute '__getitem__'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
The commit 7574a50f tried to improve compatibility with Python 3. It changed
the code to use subprocess.getstatusoutput() instead of
commands.getstatusoutput(). Unfortunately subprocess.getstatusoutput() is not
available in Python 2. This patch changes how getstatusoutput() is imported so
the code works on Python 2 and Python 3.
Fixes:
$ chcat -d something
Traceback (most recent call last):
File "/usr/bin/chcat", line 432, in <module>
sys.exit(chcat_replace(["s0"], cmds, login_ind))
File "/usr/bin/chcat", line 271, in chcat_replace
rc = subprocess.getstatusoutput(cmd)
AttributeError: 'module' object has no attribute 'getstatusoutput'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
Use assertNotEqual() and assertEqual() instead of assert_().
Convert print statements to print functions.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
https://bugs.python.org/issue16308
Traceback (most recent call last):
File "semanage", line 932, in <module>
do_parser()
File "semanage", line 911, in do_parser
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Install gettext the same way everywhere and have fallbacks to use
str/unicode depending on python version.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
instead of from sepolicy import foo. Makes it easier to grep for
consumers that still need to be fixed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2to3 wanted to wrap all the .keys() calls in list() but doing sorted()
directly is better.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
map and filter were turned into list comprehensions.
This was done using python's 2to3 utility.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Users are confused that this option is not documented or that
'semodule -q' doesn't show:
semodule: invalid option -- 'q'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
policycoreutils carries many duplicate, empty translation files.
They are a remnant of broken Transifex's system for managing
translation codes. This commit removes them.
Signed-off-by: Piotr Drąg <piotrdrag@gmail.com>
There is a signal handler so that the select returns EINTR when the
child exits. EINTR is used to then clean up and flush the remaining
buffers. It should not error.
Signed-off-by: Jason Zaman <jason@perfinion.com>
It wasn't clear how to use -l option with full/standard KIND and the
example in semodule.8 man page was wrong.
Based on a patch by Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The man page's example suggested to use -g instead of -E and used --cil
and --hll options on the wrong positions.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Handling of cgroups was remove in de0795a12e but
-c option was still documented in sandbox.8
- Minor formatting fix
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is not the same as its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.
Because of this, provide a warning message when converting a policy
package to CIL and the output filename is different than the module
name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
sepolicy Makefile overwrites CFLAGS value, which prevents compiling its
Python module with custom compilation flags. Modify it to append flags
to CFLAGS instead, like other policycoreutils programs do.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Variable policy is both a global variable and a parameter to some
functions in policycoreutils/sepolicy/search.c. This makes the building
fail when using -Wshadow -Werror compilation flags.
Fix this by renaming the global variable global_policy. This does not
change the API of the Python module.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building newrole with gcc 5.3.0 and some warning flags, the
compiler reports:
newrole.c:77:33: error: "NAMESPACE_PRIV" is not defined [-Werror=undef]
#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
^
Indeed, "defined" is missing here. This nevertheless worked so far
because when NAMESPACE_PRIV was selected in the Makefile, newrole.c was
compiled with "-DNAMESPACE_PRIV", which defined NAMESPACE_PRIV to 1.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
reserver_port_t was omitted in 'semanage port -l'. There seems to be no
reason for that nowadays therefore we can list it.
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1225806
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Some teminal emulators (like the latest version of gnome-terminal) are
not setting entries in the utmp file, this leads getlogin() to return an
empty string.
Fallback to the name of the user running the chcat process.
Fixes Python 3 error:
AttributeError: module 'string' has no attribute 'join'
Based on a patch by Tomas Radej <tradej@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This reverts the commit 97d06737 which introduced a regression on '-l'
which started to require at least one argument and fixes the original
problem other way. A args.parser value is set now and handlePermissive
function uses it to print an usage message when args.type is not set.
Fixes: semanage permissive -l
usage: semanage permissive [-h] (-a | -d | -l) [-n] [-N] [-S STORE]
type [type ...]
semanage permissive: error: the following arguments are required: type
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
If "level" option is used to start sandbox commands, this level is not propagated
to specified homedir and tmpdir directories. See rhbz #1279006.
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
Fixes: python ./semanage permissive -d
Traceback (most recent call last):
File "./semanage", line 925, in <module>
do_parser()
File "./semanage", line 904, in do_parser
args.func(args)
File "./semanage", line 708, in handlePermissive
OBJECT.delete(args.type)
File "/selinux.git/policycoreutils/semanage/seobject.py", line 479, in delete
for n in name.split():
AttributeError: 'NoneType' object has no attribute 'split'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Previously, when sepolicy was run without any argument, the usage message
with the error "too few arguments" was shown. Using Python 3 it threw a traceback.
This patch unifies behavior on Py2 and Py3 so that sepolicy shows the help
message in this case.
Fixes:
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 647, in <module>
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.
See also http://marc.info/?l=selinux&m=136518126930710&w=2
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a user has invalid locales set, audit2allow and audit2why fail with
a traceback. This could be safely ignored as it will stay with 'C'
locale.
Fixes:
Traceback (most recent call last):
File "policycoreutils/audit2allow/audit2allow", line 35, in <module>
locale.setlocale(locale.LC_ALL, '')
File "/usr/lib64/python2.7/locale.py", line 579, in setlocale
return _setlocale(category, locale)
locale.Error: unsupported locale setting
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Constraint rules in output need to be commented in order to make a policy
compilable.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1155974
Patch-by: Miroslav Grepl <mgrepl@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When trying to get policycoreutils working in python3, I kept running
into TabErrors:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
import seobject
File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
context = "%s%s" % (filler, raw)
^
TabError: inconsistent use of tabs and spaces in indentation
Python3 is a lot stricter than python2 regarding whitespace and looks like
previous commits mixed the two. When fixing this, I took the chance to fix
other PEP8 style issues at the same time.
This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)
The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.
Signed-off-by: Jason Zaman <jason@perfinion.com>
commit 2ff279e21e ("policycoreutils:
semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
- migrate from commands to subprocess
- fix formatting
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes "unicode" keyword argument in Python 2
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes optional "unicode" keyword argument in
Python 2, and its default value is "False". This keyword argument
doesn't exist in Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- raw_input() has been renamed to input() in Python 3
- specify octal literals in form compatible with both Python 2 and 3
- migrate from commands to subprocess
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
When calling "sepolgen generate" to automatically generate a SELinux
policy template, the command fails when it cannot invoke RPM related
commands on Linux distributions that do not support RPM by default:
Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
File "/usr/lib/python-exec/python2.7/sepolicy", line 643, in <module>
args.func(args)
File "/usr/lib/python-exec/python2.7/sepolicy", line 517, in generate
print mypolicy.generate(args.path)
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1370, in generate
out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1219, in write_spec
fd.write(self.generate_spec())
File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1181, in generate_spec
selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
TypeError: 'NoneType' object has no attribute '__getitem__'
As the RPM related steps are only needed on RPM-enabled distributions,
we should ignore these steps on other Linux distribution platforms.
In this patch, we use the Python platform module to get the Linux
distribution, and only start the RPM-related activities on Linux
distributions that use RPM as their native package manager.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
libselinux provides a proper getpeercon() implementation that uses
getsockopt with SO_PEERSEC to reliably obtain the peer's security
context from the kernel. mcstransd for reasons unknown rolled its
own get_peer_con() function that uses getsockopt SO_PEERCRED
to obtain the peer PID and then calls getpidcon_raw(). That's
less efficient and less secure (subject to races; peer context
may have changed since connect). Don't do that.
The peer context doesn't appear to be used for anything currently,
although there is a comment suggesting adding a permission check to
see if the requester dominates the label to be translated to control
what labels can be translated by what peers. Could likely dispense
with it altogether.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
A spec file was incorrectly stored as rootpath when -r option was used
Fixes:
/sbin/setfiles: /tmp/install_root is not located in /etc/selinux/targeted/contexts/files/file_contexts
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.
Convert pp to use the renamed functions in libsepol.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
open_init_pty uses select() to handle all the file descriptors. There is
a very high CPU usage due to select() always returning immediately with
the fd is available for write. This uses a ring buffer and only calls
select on the read/write fds that have data that needs to be
read/written which eliminates the high CPU usage.
This also correctly returns the exit code from the child process.
This was originally from debian where they have been carrying it as a
patch for a long time. Then we got a bug report in gentoo which this
also happens to fix. The original debian patch had the ring buffer
written in C++ so I modified the class into a struct and some static
methods so it is C-only at the request of Steve Lawrence.
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=532616
Signed-off-by: Jason Zaman <jason@perfinion.com>
Tested-by: Laurent Bigonville <bigon@bigon.be>
If /usr/sbin/open_init_pty is not found or is not executable,
access("/usr/sbin/open_init_pty", X_OK) returns -1, not zero.
Use "!= 0" like in other places in SELinux userland libraries and tools.
This expands IOMEMCON device context entries to 64 bits. This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space. The policy version number change
is shared with the next patch.
While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Fixes two types of errors which appear when building with gcc-5.0.0
- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Add "RuntimeDirectory=setrans" to the mcstrans.service, this will make
systemd automatically create the /run/setrans directory before starting
the service.
This directory contains the ".setrans-unix" socket created by the
daemon.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:
require {
type foo_t;
}
type bar_t;
role staff_r types foo_t, bar_t;
only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>
Previously, type aliases were converted to CIL in the global namespace,
regardless of which scope they were actually defined in. So essentially
type aliases could never be in optionals. For the most part this worked,
however, in some small number of cases, a type alias could reference a
type defined inside an optional. If that optional was disabled, the type
would be disabled and so the type alias would fail to resolve, causing
policy to fail to build.
Unfortunately, type alises are stored in pp modules different than other
symbols (e.g. types/roles/etc) so they must be added to scopes
differently. So this patch gathers up all type aliases in a list and
keeps track of which scope each type alias is defined in. When we enter
a new scope, use that list to determine which type alias are defined
there and print the appropriate CIL statements.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.
To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.
Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.
Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.
This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
- Create role declarations no matter if the declaration is in base or
a module. Since CIL does not permit role re-declarations, this change
will break existing policies that have the same role declared in multiple
modules. To fix this, the policies will need to change the role to be
defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
decl. The full stack is needed to determine if identifiers are in
scope
- Only create roletype statements for a role and a type in two cases:
1) The role is declared/required and the type is declared/required in
the same scope or an ancestor scope of the role
2) The type is declared/required and the role is declared/required in
an ancestor scope of the type
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes the build with "make PYTHON=python2" on systems where python
is python3.
For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4. For each of them, these commands print the expected result:
python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
python -c "from distutils.sysconfig import *;print(get_python_lib(1))"
Acked-by: Steve Lawrence <slawrence@tresys.com>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
log_err, cil_printf and cil_println use printf formats to process their
arguments. Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.
This detected this issue several times on a x86_64 system:
format '%lx' expects argument of type 'long unsigned int', but
argument has type 'uint32_t'
Fix this by introducing an explicit cast to unsigned long.
While at it, constify the format string argument of each function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fail with the following error:
semodule_unpackage.c: In function 'usage':
semodule_unpackage.c:17:25: error: declaration of 'progname' shadows a global declaration [-Werror=shadow]
static void usage(char *progname)
^
semodule_unpackage.c:14:7: error: shadowed declaration is here [-Werror=shadow]
char *progname = NULL;
^
Fix this error by no longer passing a global variable as a parameter to
usage function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fails with the following error:
cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
-I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-W -c -o seunshare.o seunshare.c
seunshare.c: In function 'spawn_command':
seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
int child;
^
seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
static int child = 0;
^
Fix this error by renaming the "child" variable in spawn_command.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.
Acked-by: Steve Lawrence <slawrence@tresys.com>
mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
a permission access vector. However, av_permissions.h was deprecated, so
it does not have access to the constant. This updates mcstrans to use
string_to_av_perm() to get the value for context contains.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a new -S option to semodule. This option overrides store_root
in semanage.conf and sets the SELinux store's root path. If neither -S,
nor store_root are specified in semanage.conf, then the default
location is used.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Providing --ignore-module-cache will cause the recompilating of all HLL
modules, and recaching of the resulting CIL files.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reads in a policy package file via stdin or via filename, and writes out
the equivilent CIL to stdout or to an output file, depending on the
parameters passed in.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
- Remove version references
- Use new methods for enabling/disabling modules
- Add support to set priority when adding/removing modules
- Modify module --list output to include priority and language extension
- Update permissiveRecords call to support cil policy
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Jason Dana <jdana@tresys.com>
Providing --upgrade or --base will now just call --install, and display
a deprecation message to the user. Additionally, because CIL has no
concept of version numbers, this removes the version output from --list.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
semanage currently uses /var/lib/selinux/tmp to create permissive
modules. However, with the move to /var, the same tmp directory is used
for building policy binaries, causing a conflict. This patch creates a
random temporary directory in /tmp and moves permissive module creation
to that directory, avoiding the directory conflict.
This patch also imports shutil for rmtree to easily delete all created
temporary files.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.
This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector). Ho hum. I already fixed this in Android but forgot it
here.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Currently, the selevel/serange values (which are often set on a default
's0' value) are used for ports, users, contexts and logins. This breaks
non-MLS setups.
This patch will only call the necessary mls functions if mls is actually
enabled.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Sandbox policy is huge do to macro expansion. We do not install this by default
but sandbox command can fail without it installed. This patch prints a message to the
user to install the package.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Use Type=forking and pass PIDFile option, this allows better tracking of
the livecycle of the daemon.
Only attempt to start the daemon if selinux is enabled.
Drop After=syslog.target, syslog is socket activated anyway
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The default encoding patch, was never upstreamed. default_encoding module
switched python2 to always use unicode. Potentially in some languages
semanage will blow up when errors are reported.
The need for this patch is going away in python3, which should be the default
in Fedora 21/22.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlJ5DT4ACgkQrlYvE4MpobMvrgCfcEvZY4q7F17q9dbYJrHJXpae
Ut8AoM2TP99Ca0/lJAjoMTGsqr50P35/
=BHTe
-----END PGP SIGNATURE-----
The restorecon is unable to resolve paths using braced expressions like this: /sbin/
./restorecon: lstat(/sbin/ip{6,}tables*) failed: No such file or directory
The problem is that restorecon calls glob function without GLOB_BRACE flag, which en
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version. Switching to 2-component versions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>