Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).
Fixes:
# LANG is set to any "unsupported" language, e.g. en_US.UTF-8
$ chcat --help
Traceback (most recent call last):
File "/usr/bin/chcat", line 39, in <module>
t = gettext.translation(PROGNAME,
File "/usr/lib64/python3.9/gettext.py", line 592, in translation
raise FileNotFoundError(ENOENT,
FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Some calls to "_" where unsuccessful because the function was
initialized with a different translation domain than the string.
e.g. selinux-polgengui calls functions from sepolicy.generate, which end
up printing untranslated strings because polgengui uses selinux-gui
domain while sepolicy uses selinux-python
- Set "_" in module namespace instead of "builtins"
- Set the whole "sepolicy.generate()" confirmation as translatable
- Drop "codeset" parameter since it is deprecated
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Found by typos[1].
[1]: https://github.com/crate-ci/typos
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit splits original policycoreutils translations to
policycoreutils, selinux-python, selinux-gui, and selinux-sandbox.
See original Fedora issue https://github.com/fedora-selinux/selinux/issues/43
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
When parsing Reference Policy style files accept square brackets in file
names. The FILENAME token is used in the TYPE_TRANSITION grammar rule
for the optional name based argument. This name can contain square
brackets, e.g. for anonymous inodes like "[io_uring]".
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Import the setools classes needed for Python bindings from specific
setools modules in order to reduce the dependency footprint
of the Python bindings. Importing the top-level module causes all
setools modules to be loaded which includes the modules that require
networkx.
SELinux packages belong to the group of core system packages on Gentoo
Linux. It is desirable to keep the system set as small as possible,
and the dependency between setools and networkx seems to be the easiest
link to break without major loss of functionality.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Fixes:
Error: COPY_PASTE_ERROR (CWE-398): [#def3]
selinux/python/sepolicy/sepolicy/__init__.py:1032: original: ""_key_t"" looks like the original copy.
selinux/python/sepolicy/sepolicy/__init__.py:1035: copy_paste_error: ""_key_t"" looks like a copy-paste error.
selinux/python/sepolicy/sepolicy/__init__.py:1035: remediation: Should it say ""_secret_t"" instead?
# 1033|
# 1034| if f.endswith("_secret_t"):
# 1035|-> return txt + "treat the files as %s secret data." % prettyprint(f, "_key_t")
# 1036|
# 1037| if f.endswith("_ra_t"):
Error: COPY_PASTE_ERROR (CWE-398): [#def4]
selinux/python/sepolicy/sepolicy/__init__.py:1065: original: ""_tmp_t"" looks like the original copy.
selinux/python/sepolicy/sepolicy/__init__.py:1067: copy_paste_error: ""_tmp_t"" looks like a copy-paste error.
selinux/python/sepolicy/sepolicy/__init__.py:1067: remediation: Should it say ""_etc_t"" instead?
# 1065| return txt + "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
# 1066| if f.endswith("_etc_t"):
# 1067|-> return txt + "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
# 1068| if f.endswith("_home_t"):
# 1069| return txt + "store %s files in the users home directory." % prettyprint(f, "_home_t")
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Python slip is not actively maintained anymore and it was used just as
a polkit proxy. It looks like polkit dbus interface is quite simple to
be used directly via python dbus module.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.
Fixes:
>>> import seobject
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
_pol = setools.SELinuxPolicy(policy_file)
File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
import sepolicy
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
raise e
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
policy(policy_file)
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
raise ValueError(_("Failed to read %s policy file") % policy_file)
ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.
Fixes:
$ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
interface(`apache_manage_pid_files',`
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
#sepolgen-ifgen --interface=i.if
i.if: Syntax error on line 2 interface [type=INTERFACE]
i.if: Syntax error on line 4 ' [type=SQUOTE]
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
I found that building on OpenWrt/musl failed with:
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.
Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument. If not given try the current loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).
This changes the helper command line interface from:
sepolgen-ifgen-attr-helper policy_file out_file
to
sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:
Missing interface definition for gen_tunable
Add grammar for gen_tunable statements in the refparser
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
xml.etree.ElementTree.Element.getiterator() was deprecated since Python 3.2 and
dropped in Python 3.9
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args = parser.parse_args(args=parser_args)
File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
args, argv = self.parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
positionals_end_index = consume_positionals(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
take_action(action, args)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
start_index = consume_optional(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
take_action(action, args, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/bin/sepolicy", line 216, in __call__
interface_dict = get_interface_dict()
File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
List modules for bash completion of `semanage module`.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:
python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
unused named argument(s): type
python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
unused named argument(s): user
Remove the unused arguments in order to silence these warnings.
This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
