If /sys is not present, the attempt to mount selinuxfs will of course
fail. So we try to mount /sys first (and only if that fails fall back to
the /selinux mount point) and then try to mount selinuxfs.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
We were asked not to link to libpthread but to use gcc internals.
We were not handling properly the fact that a cache was UNSET, and this
patch fixes this.
Also change audit2why to look at the loaded policy rather then searching on disk for
the policy file. It is more likely that you are examining the running policy.
In the past pam_selinux would return a bogus login context if the login program
was running with the wrong context. If you ran sshd as unconfined_t
you might get the login user loggin in as pam_oddjob_mkhomedir_t or some other bogus
type. This change fixes the code to return an error if it can not return a good
match.
We want to allow users to setup their substitions to run fist and then run
the distro subs second. This fixes the problem where a user defines
a sub like /usr/local/foobar and we ignore it. We need this for
software collections which is setting up local subs of /opt/src/foobar/root /
Tools like cp -A try to maintain the context of a program and call *setfilecon,
currently if the file system does not support XAttrs we return ENOSUPP. We have
been requested to check if the context that is being set is the same to not return this
error. So if I try to set the label on an nfs share to system_u:object_r:nfs_t:s0 and I get
ENOSUPP, it will not return an error.
I wanted to separate this directory out in order for a new patch to mcstransd to watch
this directory for newly created files, which it could then translate.
The idea is libvirt would write to /var/run/setrans/c0:c1,c2 with the contents of vm1, then
setrans could translate the processes to show system_u:system_r:svirt_t:vm1
This allows us to specify under which the compiled policy file and context configuration
files exist. We can use this with matchpathcon to check the labels under alternate policies,
and we can use it for sepolicy manpage to build manpages during policy build.
label_file.c: In function ‘load_mmap’:
label_file.c:238:81: error: declaration of ‘stat’ shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
Signed-off-by: Joe MacDonald <joe@deserted.net>
Versions of PCRE prior to 8.20 did not have pcre_free_study(). In its
absence, use pcre_free() instead.
Signed-off-by: Joe MacDonald <joe@deserted.net>
If the RANLIB variable is defined by the user, use that value instead of
the /usr/bin/ranlib binary.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If /sys is not present, the attempt to mount selinuxfs will of course
fail. So we try to mount /sys first (and only if that fails fall back to
the /selinux mount point) and then try to mount selinuxfs.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
We open the file which is to be used to write the binary format of file
contexts. If we hit an error actually writing things out, we return,
but never close the fd. Do not leak.
Signed-off-by: Eric Paris <eparis@redhat.com>
Every time matchmediacon is called we open the
selinux_media_context_path(). But we never close the file. Close the
file when we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were opening the path, but if the fstat failed or it was not a
regular file we would return without closing the fd. Fix my using the
common error exit path rather than just returning.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use strdup to store the intended context when we have an mmap'd
file backend. We, however, skipped freeing those contexts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Set*con now caches the security context and only re-sets it if it changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Currently we ship other subs files with the _dist to indicate they come with
the distribution as opposed to being modified by the user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We didn't handle sysconf(_SC_PAGESIZE) returning an error. It should be
very rare, obviously, be we should handle it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
EOPNOTSUPP means "operation not supoorted on socket", and ENOTSUP means
"not supported", although per POSIX they can be alised to the same
value and on Linux they do, ENOTSUP seems the more correct error code.
In addition these function are documented as returning ENOTSUP, and
given that they are implemented in means of getxattr(2) which does
return ENOTSUP too, this just consolidates their behaviour.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
- Add man page sections '(N)' to external references, and '()' on
functions described in the same man page.
- Escape minus signs when those are expected to be used on the command
line or files.
- Mark files and variables in italic; Note headings, function names,
constants, program options and man page references in bold.
- Do not justify and hyphenate SEE ALSO section, and avoid hyphenation
on symbol names by prepending them with \%.
- Remove trailing dot from NAME section description.
- Split sections with a no-op command '.', to visually distinguish them
but to avoid introducing spurious vertical space in the formatted
output.
- Add explicit .sp commands in the SYNOPSIS section between function
prototypes, and fix space placement in function protoypes.
- Split header includes with .br (instead of the explicit or implicit
.sp) so that they are vertically contiguous.
- Add missing {} around SELINUXTYPE and POLICYTYPE variable text in
paths.
- Remove unneeded formatting commands.
- Remove spurious blank lines.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix typos, or wrong function prototypes.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
coreutils needs to be able to take a statbuf and ask permissions
questions. This gives us the interface to translate that statbuf mode_t
into a security class which can be used.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If init() was already called then avc will be set. If avc is set just
return.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If audit2why.finish is called more than once the global avc variable
will be NULL, and thus dereferencing it will obviously cause problems.
Thus just bail if avc is NULL and we know cleanup is done.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We were listing a number of service man pages (like httpd_selinux) in
the see also section of selinux.8. As that number of pages explodes it
does not make sense to try to list them all. Instead tell people to use
man -k selinux to find them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
On failure, common if .bin is older than the text version, we will leak
the mmapfd. Don't do that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When loading the filecontext database, check to see if there is a newer
binary version. If so, mmap that file, is used to populate the regex db
instead of reading from the text representation and compiling regex's as
needed. If the text file is newer it will use the text version and
ignore the binary version.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is a new 'compiler' which tranforms the file context database into
a binary format. This binary format may be mmap'd in later removing the
need to compile the regular expression at run time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We use strncpy which could leave a non-nul terminated string if the
source is longer than PATH_MAX. Add that nul.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Manual page improvements for the file_contexts and related policy
configuration files (section 5):
- create links to selabel_file.5 not only for file_contexts.5 but
also for the other optional policy configuration files (including
the so-called file contexts "substitution" files);
- clarify the above mentioned manual page(s), in particular relatively
to the action performed by the so-called file contexts "substitution"
policy configuration files (aliasing/equivalence versus substitution);
- improve the explanation of the form that the "substitution" files
shall have.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Instead of running the array two times, sorting the 'hasMeta' the first
time and the !hasMeta the second, run the array once putting hasMeta in
the front and !hasMeta in the back. Then ONLY run the !hasMeta section
a second time reversing its order so its sorted as it should be.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right now find_stem_from_spec does a number of things:
- calculate the length of th stem
- look for that stem
- duplicate the stem
- add the stem to the array
break those things up a bit because the mmap version isn't going to need
to do some of those things.
Signed-off-by: Eric Paris <eparis@redhat.com>
We currently duplicate code 3 times for the main file, the homedirs, and
the local file. Just put that stuff in its own function so we don't
have to deal with it multiple times.
Signed-off-by: Eric Paris <eparis@redhat.com>
We currectly run all of the regex files 2 times. The first time counts
the lines and does the simple validatation. We then allocate an array
of exactly the right size to hold the entries and run them a second time
doing stronger validation, regex compile, etc.
This is dumb. Just run them one time and use realloc to grow the size
of the array as needed. At the end the array will get sized perfectly
to fit by the sorting function, so even if we accidentally allocated
entra memory we'll get it back.
Signed-off-by: Eric Paris <eparis@redhat.com>
When we use an mmap backed version of data we need to declare the pcre
extra data since we are only given a point to the data->buffer. Since
sometimes the spec will hold a pointer to the extra data and sometimes
we want to declare it on the stack I introduce and use an accessor for
the extra data instead of using it directly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to do the same thing in the compiler and as we do in in the code
which reads regexes in from the text file. Move that sorting into the header.
Signed-off-by: Eric Paris <eparis@redhat.com>
An illegal regex may end with a single \ followed by nul. This could
cause us to search past the end of the character array. The loop
formation looks like so:
c = regex_str;
len = strlen(c);
end = c + len;
while (c != end) {
switch (*c) {
...
case '\\': /* skip the next character */
c++;
break;
...
}
c++;
}
If the \ is the last character then we will increment c and break from
the switch. The while loop will then increment c. So now c == end+1.
This means we will keep running into infinity and beyond! Easy fix.
Make the loop check (c < end). Thus even if we jump past end, we still
exit the loop.
Signed-off-by: Eric Paris <eparis@redhat.com>
So we can use it in the new compile utility, move the
spec_hasMetaChars() function, which looks for things like .*?+^$ in
regular expressions into the internal header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
The libselinux label_file backend counted the number of regexes which
had been compiled. We didn't use it and it wasn't useful information.
Stop doing it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to be able to find the stem and the spec from our new utility.
So move those functions to the header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
If we want to use these functions in utilities we shouldn't call such
libselinux internal functions. Move the error reporting up to the
caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
So the string to mode_t conversion in a helper function so it can be
used later by a regex compilation program.
Signed-off-by: Eric Paris <eparis@redhat.com>
We want to use some label_file internals in a utility to compile
fcontext files into binary data for fast use. So start pushing
structures and such into a header file.
Signed-off-by: Eric Paris <eparis@redhat.com>
The coveriety scanner is too stupid to realize that the strtok_r()
function initializes the saveptr variable. Since we are passing a
variable location without initializing it coveriety gets angry. Just
shut up the scanner, but nothing was wrong to start with.
Signed-off-by: Eric Paris <eparis@redhat.com>
If we have a malformed seusers entry we may not find the : proceeding
the level and would thus get a NULL. This can blow up. Check for this
error and bail gracefully. Found by coverity
Signed-off-by: Eric Paris <eparis@redhat.com>
We may want to force matchpathcon to respond if the path is question is
a dir, sockfile, chr, blk, etc. Add an option so you can force it to
hit the right rule types.
Signed-off-by: Eric Paris <eparis@redhat.com>
Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially used within libsemanage.
Signed-off-by: Eric Paris <eparis@redhat.com>
Use selinux_boolean_sub to translate the boolean name handed in by the user.
Report back the correct name of the boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We generate pkg-config --libs and use that to build the libselinux
python so file. We do not use it to build the libsemanage versions. We
also never use the ruby equivalent. So stop calling pkg-config
uselessly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We explicitly set the soname of the python and ruby files. We don't
need this. We are using the -o name as the soname, so just let the
toolchain do its thing. It just makes the Makefile nicer to read.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a -s option to getdefaultcon which allows one to specify the
service in question. This exposes all of the abilities of getseuser
instead of only the abilities of getseuserbyname.
Signed-off-by: Eric Paris <eparis@redhat.com>
In order for lxc to look up its process and file labels we add new
libselinux support. This is what we do for everything else, like
libvirt, seposgresql, etc.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux ruby bindings didn't build from the top level
the swig generated .c file wasn't gitignored
use pkg-config for ruby info like we do for python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is already in the android repo. This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
getseuser() would unconditionally check strlen on the service variable
even though it could be NULL. Whoops. If service is NULL we should
only match on *: entries.
Signed-off-by: Eric Paris <eparis@redhat.com>
The realpath_not_final() function did not properly handle symlinks in
the / directory. The reason is because when it determined the symlink
was in the root directory it would set the resolved portion of the path
to /, it would then add a / to the end of the resolved portion, and then
append the symlink name. The fix is to instead set the resolved portion
to "". Thus when the '/' at the end of the resolved portion is added it
will be correct.
While I am at it, strip extraneous leading / so that //tmp returns /tmp.
Signed-off-by: Eric Paris <eparis@redhat.com>
swig creates C files with warnings. Turn off the warnings so the build
is clean. We can't help the code it produces anyway...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The init functions are non-static but did not have a prototype
declaration. They are called magically from python, so just declare the
prototype to silence the warning.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
should continue to poll if it receinves an EINTR rather then exiting with an error.
This was a major bug within dbus that was causing dbus to crash it was
discussed at the time whether this is a dbus bug or an libselinux bug,
it was decided that we should fix it within libselinux.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
