Commit graph

1754 commits

Author SHA1 Message Date
Petr Lautrbach
a9604c30a5 libselinux: Change the location of _selinux.so
There was a change in swig-3.10 to use importlib instead of imp. While
the implementation with imp looked for _selinux.so also into the same directory
as __init__.py is, a new module with importlib searchs only standard paths.
It means that we need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
to $(PYLIBDIR)/site-packages/.

Fixes:
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in <module>
    _selinux = swig_import_helper()
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in swig_import_helper
    return importlib.import_module('_selinux')
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
ImportError: No module named _selinux

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-01 12:54:12 -04:00
Stephen Smalley
e55b86e7c6 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 13:00:16 -04:00
David King
d6413cdbd2 libselinux: man: Clarify is_selinux_mls_enabled() description
Improve the description by mentioning that if is_selinux_mls_enabled(),
it simply means that the kernel has MLS support and the policy contains
MLS features. To check whether MLS support is enabled on the running
system, use selinux_getpolicytype().

Signed-off-by: David King <dking@redhat.com>
2016-06-23 12:58:15 -04:00
David King
984fd069e2 libselinux: man: Explain how to free policy type from selinux_getpolicytype()
Additionally, fix a typo.

Signed-off-by: David King <dking@redhat.com>
2016-06-23 12:58:03 -04:00
Stephen Smalley
7dd0afc9a1 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:57:50 -04:00
Petr Lautrbach
7c1a5e3b03 libselinux: compare absolute pathname in matchpathcon -V
filepath needs to be resolved first in order to be correctly found by
selabel_lookup_raw()

Fixes:
$ matchpathcon -V passwd
passwd has context system_u:object_r:passwd_file_t:s0, should be
system_u:object_r:passwd_file_t:s0

$ echo $?
1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:56:06 -04:00
Stephen Smalley
ff65937851 Updated checkpolicy ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:52:58 -04:00
Petr Lautrbach
286df12fd9 checkpolicy: Fix typos in test/dispol
Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:52:36 -04:00
Stephen Smalley
5f512c4e93 Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:52:15 -04:00
Petr Lautrbach
b2c1b0baaf libselinux: add selinux_snapperd_contexts_path()
Snapper needs a way how to set a proper selinux context on btrfs
subvolumes originating in snapshot create command. Fs can't handle it on
its own so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts file:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:51:23 -04:00
Stephen Smalley
1814207f68 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:45:52 -04:00
stephensmalley
bbde996ae5 Merge pull request #18 from mikedlr/master
Update sandbox types in  manual to match actual usage
2016-06-22 14:03:24 -04:00
Stephen Smalley
28e92c5325 libsepol: rewrite sepol_string_to_security_class to use hashtab_search
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:28:45 -04:00
Stephen Smalley
69da2076e5 Updated libselinux and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:24:35 -04:00
Joshua Brindle
94df3f7d24 Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:32 -04:00
Joshua Brindle
dae5c271fc Modify audit2why analyze function to use loaded policy
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces

Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:18 -04:00
Michael De La Rue
4134b61630 Update sandbox types in sandbox manual to match actual usage as I understand it (based on Fedora 23) 2016-06-17 18:24:35 +01:00
James Carter
999747aa57 Updated libselinux, libsemanage, libsepol, and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-06-06 13:08:17 -04:00
Laurent Bigonville
fb85e5cc95 Sort object files for deterministic linking order
This patch is part of the Debian effort to make the build reproducible

Thank to Reiner Herrmann <reiner@reiner-h.de> for the patches

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-06-06 12:52:55 -04:00
Philipp Gesang
c187f0ba43 policycoreutils: fix typos in semanage manpages
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
2016-06-06 12:52:46 -04:00
Petr Lautrbach
9676142888 policycoreutils/semodule: Fix the documentation of -l,--list
It wasn't clear how to use -l option with full/standard KIND and the
example in semodule.8 man page was wrong.

Based on a patch by Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-06 12:52:36 -04:00
Stephen Smalley
3749315847 Updated ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-19 14:22:55 -04:00
Jeff Vander Stoep
44c359aa05 Fix neverallowxperm checking on attributes
The following test incorrectly asserts a neverallowxperm failure.

	attribute test1_attr1;
	attribute test1_attr2;
	type test1_type1, test1_attr1, test1_attr2;

	allow test1_type1 test1_attr1:socket ioctl;
	allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
	neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }

To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-05-19 14:22:07 -04:00
Laurent Bigonville
7f12c32039 policycoreutils: Minor fix in a French translation 2016-05-19 14:16:21 -04:00
Julien Pivotto
e9603092fb checkpolicy: set flex as default lexer
This makes the checkpolicy Makefile consistent with the Makefile present
in libsemanage and libsepol.
2016-05-19 14:16:04 -04:00
Stephen Smalley
44e92a6959 Updated ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-16 16:44:05 -04:00
Petr Lautrbach
b5f9debdb2 checkpolicy: Fix checkmodule output message
Originally checkmodule stated that it wrote to the input file instead of
to the output file.

Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-05-16 16:33:29 -04:00
Julien Pivotto
3fcda02a93 libsemanage: Support overriding Makefile RANLIB 2016-05-16 16:32:41 -04:00
Petr Lautrbach
15beaf8dac policycoreutils: fix the extract example in semodule.8
The man page's example suggested to use -g instead of -E and used --cil
and --hll options on the wrong positions.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-05-16 16:30:37 -04:00
Petr Lautrbach
4f2b362ff7 policycoreutils: update sandbox.8 man page
- Handling of cgroups was remove in de0795a12e but
  -c option was still documented in sandbox.8

- Minor formatting fix

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-05-16 16:30:24 -04:00
Petr Lautrbach
44d8b89a08 policycoreutils: remove typos from chcat --help
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-05-16 16:30:01 -04:00
Julien Pivotto
b13c44c367 libselinux, libsemanage: respect CC and PKG_CONFIG environment variable
Compilation tools respects certain environment variables, like CC.
However, in libselinux and libsemanage, they are not respected
everywhere. This command fixes respect for those variables, falling back
to the previous hardcoded values if not specified.
2016-05-16 16:29:07 -04:00
Stephen Smalley
b56c16a6e5 Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-13 12:32:16 -04:00
Stephen Smalley
32773a99b1 Avoid mounting /proc outside of selinux_init_load_policy().
Temporarily mounting /proc within selinuxfs_exists() can cause
problems since it can be called by a libselinux constructor and
therefore may be invoked by every program linked with libselinux.
Since this was only motivated originally by a situation where
selinuxfs_exists() was called from selinux_init_load_policy()
before /proc was mounted, fix it in selinux_init_load_policy() instead.

This reverts commit 5a8d8c499b
("libselinux: only mount /proc if necessary") and
commit 9df4988846
("libselinux: Mount procfs before checking /proc/filesystems").

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-13 12:05:04 -04:00
Stephen Smalley
77475b2228 Updated libsepol and sepolgen ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-09 08:19:30 -04:00
Nicolas Iooss
2c2c81dcdc libsepol: remove libsepol.map when cleaning
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:16:05 -04:00
Nicolas Iooss
18a74d7885 sepolgen: remove additional files when cleaning
Remove the files created by Python 3 and refpolicy building process.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:15:41 -04:00
Nicolas Iooss
8e30f76c6d Update .gitignore files
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:14:54 -04:00
James Carter
65bf9ae14a Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-06 09:43:42 -04:00
James Carter
175aba387b libsepol: When generating CIL use HLL line mark for neverallows
When converting pp files to CIL or generating CIL using checkpolicy
or checkmodule use CIL's HLL line mark annotations to record the
original file and line numbers for neverallow rules so that CIL can
produce more informative error messages. (Unfortunately, the original
line number information is not saved in pp files, so there is no benefit
for policy modules.)

This is only done for neverallow rules currently.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:33:29 -04:00
James Carter
67560cc7ac libsepol/cil: Remove path field from cil_tree_node struct
Remove path field from cil_tree_node struct and all references
to it in CIL. This will reduce memory usage by 5%.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:32:07 -04:00
James Carter
46b3a55598 libsepol/cil: Replace cil_log() calls with cil_tree_log()
Replace all calls to cil_log() that print path information with a
call to cil_tree_log() which will also print information about any
high-level sources.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:23:36 -04:00
James Carter
73aac8fc1e libsepol/cil: Add cil_tree_log() and supporting functions
Provide more detailed log messages containing all relevant CIL and
high-level language source file information through cil_tree_log().

cil_tree_log() uses two new functions: cil_tree_get_next_path() and
cil_tree_get_cil_path().

cil_tree_get_next_path() traverses up the parse tree or AST until
it finds the next CIL or high-level language source information nodes.
It will return the path and whether or not the path is for a CIL file.

cil_tree_get_cil_path() uses cil_tree_get_next_path() to return
the CIL path.

Example cil_tree_log() message:
    Problem at policy.cil:21 from foo.hll:11 from bar.hll:2

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:19:45 -04:00
James Carter
681341f2f4 libsepol/cil: Store CIL filename in parse tree and AST
Use some of the functionality recently added to support high-level
language line marking to track the CIL filename.

The goal is to eventually remove the path field from the tree node
struct and offset the addtion of the hll_line field.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:15:23 -04:00
James Carter
875a6bcbe8 libsepol/cil: Add high-level language line marking support
Adds support for tracking original file and line numbers for
better error reporting when a high-level language is translated
into CIL.

This adds a field called "hll_line" to struct cil_tree_node which
increases memory usage by 5%.

Syntax:

;;* lm(s|x) LINENO FILENAME
(CIL STATEMENTS)
;;* lme

lms is used when each of the following CIL statements corresponds
to a line in the original file.

lmx is used when the following CIL statements are all expanded
from a single high-level language line.

lme ends a line mark block.

Example:

;;* lms 1 foo.hll
(CIL-1)
(CIL-2)
;;* lme
;;* lmx 10 bar.hll
(CIL-3)
(CIL-4)
;;* lms 100 baz.hll
(CIL-5)
(CIL-6)
;;* lme
(CIL-7)
;;* lme

CIL-1 is from line   1 of foo.hll
CIL-2 is from line   2 of foo.hll
CIL-3 is from line  10 of bar.hll
CIL-4 is from line  10 of bar.hll
CIL-5 is from line 100 of baz.hll
CIL-6 is from line 101 of baz.hll
CIL-7 is from line  10 of bar.hll

Based on work originally done by Yuli Khodorkovskiy of Tresys.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:13:49 -04:00
Stephen Smalley
ed4c898691 Add redhat-rpm-config as a build dependency on Fedora.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-04 15:54:27 -04:00
James Carter
aff78ca3da Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-04 13:32:03 -04:00
James Carter
5cd5ffcc50 libsepol: Change logic of bounds checking
Change logic of bounds checking to match kernel's bound checking.

The following explanation is taken from Stephen Smalley's kernel
patch.

Under the new logic, if the source type and target types are both
bounded, then the parent of the source type must be allowed the same
permissions to the parent of the target type.  If only the source
type is bounded, then the parent of the source type must be allowed
the same permissions to the target type.

Examples of the new logic and comparisons with the old logic:
1. If we have:
	typebounds A B;
then:
	allow B self:process <permissions>;
will satisfy the bounds constraint iff:
	allow A self:process <permissions>;
is also allowed in policy.

Under the old logic, the allow rule on B satisfies the
bounds constraint if any of the following three are allowed:
	allow A B:process <permissions>; or
	allow B A:process <permissions>; or
	allow A self:process <permissions>;
However, either of the first two ultimately require the third to satisfy
the bounds constraint under the old logic, and therefore this degenerates
to the same result (but is more efficient - we only need to perform
one compute_av call).

2. If we have:
	typebounds A B;
	typebounds A_exec B_exec;
then:
	allow B B_exec:file <permissions>;
will satisfy the bounds constraint iff:
	allow A A_exec:file <permissions>;
is also allowed in policy.

This is essentially the same as #1; it is merely included as
an example of dealing with object types related to a bounded domain
in a manner that satisfies the bounds relationship.  Note that
this approach is preferable to leaving B_exec unbounded and having:
	allow A B_exec:file <permissions>;
in policy because that would allow B's entrypoints to be used to
enter A.  Similarly for _tmp or other related types.

3. If we have:
	typebounds A B;
and an unbounded type T, then:
	allow B T:file <permissions>;
will satisfy the bounds constraint iff:
	allow A T:file <permissions>;
is allowed in policy.

The old logic would have been identical for this example.

4. If we have:
	typebounds A B;
and an unbounded domain D, then:
	allow D B:unix_stream_socket <permissions>;
is not subject to any bounds constraints under the new logic
because D is not bounded.  This is desirable so that we can
allow a domain to e.g. connectto a child domain without having
to allow it to do the same to its parent.

The old logic would have required:
	allow D A:unix_stream_socket <permissions>;
to also be allowed in policy.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-04 13:29:56 -04:00
Stephen Smalley
f3085990a2 Add xmlto as a build dependency (for cil).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-04 13:12:00 -04:00
Stephen Smalley
bedef7d124 libsepol,checkpolicy,secilc: Replace #ifdef DARWIN with __APPLE__.
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-03 11:54:20 -04:00