Commit graph

1983 commits

Author SHA1 Message Date
Nicolas Iooss
baee7238b8 semanage, sepolicy: make tests not fail on systems without SELinux
selinux.security_getenforce() triggers an exception when running tests
on systems without SELinux. In order to skip tests which need SELinux in
enforcing mode, test selinux.is_selinux_enabled() too, like commit
945bc8853b ("sandbox: make test not fail on systems without SELinux").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-17 16:48:46 -05:00
Nicolas Iooss
5b0ad2f00e libsemanage: genhomedircon: consider SEMANAGE_FCONTEXT_DIR in fcontext_matches()
When generating file_contexts.homedirs, libsemanage enumerates the users
on the system and tries to find misconfiguration issues by comparing
their home directories with file contexts defined in the policy. The
comparison is done by fcontext_matches().

Currently this function only operates on file contexts with type ALL,
but it makes sense to also operate on the DIR ones, as a comment states
in the function.

For example on a system with the following entry in /etc/passwd:

    mytestservice2000💯:/var/lib/mytestservice/dir:/bin/bash

and with the following file context definition:

    /var/lib/mytestservice/.* -d gen_context(system_u:object_r:var_lib_t,s0)

"semodule -B" now shows the following warning:

    libsemanage.get_home_dirs: mytestservice homedir
    /var/lib/mytestservice/dir or its parent directory conflicts with a
    file context already specified in the policy.  This usually
    indicates an incorrectly defined system account.  If it is a system
    account please make sure its uid is less than 1000 or greater than
    60000 or its login shell is /sbin/nologin.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-17 16:30:27 -05:00
Stephen Smalley
1cd972fc81 libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname
$ touch /tmp/foo
$ chcon -t etc_t /tmp/foo
$ restorecon /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-13 15:28:51 -05:00
Nick Kralevich
908898846a policy_define.c: don't free memory returned from queue_head()
Unlike queue_remove(), queue_head() does not modify the queue, but
rather, returns a pointer to an element within the queue. Freeing the
memory associated with a value returned from that function corrupts
subsequent users of the queue, who may try to reference this
now-deallocated memory.

This causes the following policy generation errors on Android:

  FAILED:
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  /bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
  system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions
  are supported' at token ';' on line 6784:
  #line 241
  } };
  checkpolicy:  error(s) encountered while parsing configuration

because the value of "id" in:

  id = queue_remove(id_queue);
  if (strcmp(id,"ioctl") == 0) {
    ...
  } else {
    yyerror("only ioctl extended permissions are supported");
    ...
  }

is now garbage.

This is a partial revert of the following commit:

  c1ba8311 checkpolicy: free id where it was leaked

Signed-off-by: Nick Kralevich <nnk@google.com>
2017-01-13 14:43:38 -05:00
Sandeep Patil
6a2e352de7 libselinux: replace all malloc + memset by calloc in android label backend.
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-13 10:46:29 -05:00
Stephen Smalley
d66c54e2e2 libselinux: selinux_restorecon: only log no default label warning if recursive
In commit 36f1ccbb57 ("policycoreutils: setfiles: print error if
no default label found"), a warning message was added to setfiles/restorecon
if the user explicitly does a restorecon /path/to/foo and
/path/to/foo does not have any matching label in file_contexts; in the
case of a restorecon -R or setfiles, the warning isn't supposed to be
logged.  The check on the recursive flag got dropped when this logic was
taken into selinux_restorecon(3) in libselinux.  Restore this check so
that we do not generate noisy log messages on restorecon -R or setfiles.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-13 09:57:46 -05:00
Alan Jenkins
0e67689d52 restorecon manpage: link back to fixfiles
fixfiles links to restorecon.  However if you start with restorecon
"restore file(s) default SELinux security contexts", you can easily
miss the fixfiles script.  fixfiles is more generally useful than
`restorecon -R`.   For example `restorecon -R /` is not as good as
`fixfiles restore`, because the restorecon command will try to relabel
`/sys` and fail noisily.

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:36 -05:00
Alan Jenkins
62f058980e policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
Fix missing and surplus commas.  Fix the following formatting errors:

    .BR selinux(8)

renders the the "(8)" in bold as well as the "selinux".  This is wrong.

    .B selinux
    (8)

renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)

commits both of the above mistakes.

    .BR selinux (8), apparmor (8)

omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:31 -05:00
Nicolas Iooss
c667b33a04 mcstransd: fix and reorder includes
- Sort included header files by their number of path components then
  alphabetically.
- Include unistd.h and sys/types.h only once.
- Include sys/uio.h to get readv() and writev() declarations when
  compiling with musl libc.
- Include poll.h instead of sys/poll.h as building with musl results in
  the following message:

    /usr/lib/musl/include/sys/poll.h:1:2: error: #warning redirecting
    incorrect #include <sys/poll.h> to <poll.h> [-Werror=cpp]
     #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
     ^~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:28 -05:00
Nicolas Iooss
61f760b78d checkpolicy: always include ctypes.h
The prototype of isdigit() is provided by ctypes.h header. Without
including this file, gcc fails to build checkpolicy using musl libc:

    checkpolicy.c: In function ‘main’:
    checkpolicy.c:705:8: error: implicit declaration of function
    ‘isdigit’ [-Werror=implicit-function-declaration]
        if (isdigit(ans[0])) {
            ^~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:25 -05:00
Nicolas Iooss
3c85f9f1a0 libselinux: include errno.h instead of sys/errno.h
Building with musl libc leads to some build errors:

    setrans_client.c: In function ‘receive_response’:
    setrans_client.c:147:19: error: implicit declaration of function
    ‘readv’ [-Werror=implicit-function-declaration]
      while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ;
                       ^~~~~

and:

    In file included from matchpathcon.c:10:0:
    /usr/include/sys/errno.h:1:2: error: #warning redirecting incorrect
    #include <sys/errno.h> to <errno.h> [-Werror=cpp]
     #warning redirecting incorrect #include <sys/errno.h> to <errno.h>
      ^

Fix the first one by including <sys/uio.h> and the second one by using
<errno.h> instead of <sys/errno.h>.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:22 -05:00
Nicolas Iooss
d4923b49b4 libsepol: make capability index an unsigned int
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.

For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:

    Program received signal SIGSEGV, Segmentation fault.
    sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
    34      return polcap_names[capnum];
    => 0x00007ffff7a8da07 <sepol_polcap_getname+135>:   48 8b 04 f8 mov
    (%rax,%rdi,8),%rax

    (gdb) bt
    #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at
    polcaps.c:34
    #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
    module_to_cil.c:2492
    #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4039
    #3  0x00007ffff7a7e695 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4087
    #4  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:14 -05:00
Nicolas Iooss
d7b0941eed checkpolicy: fix memory usage in define_bool_tunable()
In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.

Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 15:01:33 -05:00
Petr Lautrbach
14f07097c3 libselinux: Rewrite restorecon() python method
When the restorecon method was added to the libselinux swig python
bindings, there was no libselinux restorecon implementation and it
he had to call matchpathcon() which is deprecated in favor of
selabel_lookup().

The new restorecon method uses selinux_restorecon method from libselinux
and which is exported by the previous commit.

https://github.com/SELinuxProject/selinux/issues/29

Fixes:
>>> selinux.restorecon('/var/lib', recursive=True)
Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
    status, context = matchpathcon(path, mode)
FileNotFoundError: [Errno 2] No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-01-09 13:23:20 -05:00
Petr Lautrbach
0399ec6438 libselinux: Generate SWIG wrappers for selinux_restorecon()
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-01-09 13:23:20 -05:00
Nicolas Iooss
1004a3b3f1 libsemanage: increment the right index variable in for loop
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 14:08:26 -05:00
Nicolas Iooss
58fb53bc2b libsemanage: genhomedircon: remove duplicated test condition
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 14:07:38 -05:00
Vit Mojzis
aa115d00ff policycoreutils/restorecond: Decrease loglevel of termination message
Decrease loglevel of termination message
(eg. "restorecond[709]: terminated") to LOG_INFO because it is printed
upon normal shutdown of the daemon.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1264505

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-01-06 14:06:40 -05:00
Nicolas Iooss
c1ba831122 checkpolicy: free id where it was leaked
Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.

The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:43:21 -05:00
Nicolas Iooss
47f61b0ee9 checkpolicy: do not leak queue elements in queue_destroy()
Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:33:15 -05:00
Nicolas Iooss
6ef96094d3 checkpolicy: fix memory leaks in genfscon statements parsing
When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.

Fix these leaks by calling free() appropriately.

These leaks have been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:28:23 -05:00
Nicolas Iooss
da00246827 checkpolicy: free id in define_port_context()
Variable id is almost never freed in define_port_context().

This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-01-06 13:22:38 -05:00
Nicolas Iooss
c39289c9b7 libsepol/tests: fix some memory leaks
When running "make test" with the Address Sanitizer (by adding
-fsanitize=address to compiler flags), a lot of memory leaks are
reported from checkpolicy. Anyway some leaks come from the tests and it
seems cleaner to start fixing these ones.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:04:09 -05:00
Nicolas Iooss
c3b8d4aa61 libsepol/tests: fix -Wsometimes-uninitialized clang warnings
When compiling libsepol tests, clang complains about some uninitialized
variables:

    test-common.c:171:14: error: variable 'my_primary' is used
    uninitialized whenever 'if' condition is false
    [-Werror,-Wsometimes-uninitialized]
                    } else if (my_flavor == TYPE_ALIAS) {
                               ^~~~~~~~~~~~~~~~~~~~~~~
    test-common.c:179:30: note: uninitialized use occurs here
                    CU_ASSERT(type->primary == my_primary);
                                               ^~~~~~~~~~
    /usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
    'CU_ASSERT'
      { CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
                                 ^
    test-common.c:171:10: note: remove the 'if' if its condition is
    always true
                    } else if (my_flavor == TYPE_ALIAS) {
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    test-common.c:153:25: note: initialize the variable 'my_primary' to
    silence this warning
            unsigned int my_primary, my_flavor, my_value;
                                   ^
                                    = 0
    test-common.c:171:14: error: variable 'my_value' is used
    uninitialized whenever 'if' condition is false
    [-Werror,-Wsometimes-uninitialized]
                    } else if (my_flavor == TYPE_ALIAS) {
                               ^~~~~~~~~~~~~~~~~~~~~~~
    test-common.c:181:30: note: uninitialized use occurs here
                    CU_ASSERT(type->s.value == my_value);
                                               ^~~~~~~~
    /usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
    'CU_ASSERT'
      { CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
                                 ^
    test-common.c:171:10: note: remove the 'if' if its condition is
    always true
                    } else if (my_flavor == TYPE_ALIAS) {
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    test-common.c:153:46: note: initialize the variable 'my_value' to
    silence this warning
            unsigned int my_primary, my_flavor, my_value;
                                                        ^
                                                         = 0

This is because the call to CU_FAIL("not an alias") is not fatal in
test_alias_datum(), and variables my_primary and my_value are indeed
used uninitialized in a CU_ASSERT statement later.

Silent the warning by moving the elseif condition to a CU_ASSERT
statement which replaces the CU_FAIL.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 12:59:01 -05:00
Guido Trentalancia
0abc25a3e6 libsemanage: Fix unitialized variable compiler warnings
Fix unitialized variable compiler warnings when using the
"-O -Werror" flags on gcc6 by initializing the variables in
question. It was possible for err_data_len to be used without
initialization, but not cil_data_len.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-01-06 12:15:23 -05:00
Guido Trentalancia
5db4537f64 libselinux: Fix unitialized variable compiler warnings
Fix unitialized variable compiler warnings when using the
"-O3 -Werror" flags on gcc6 by initializing the variables in
question. The variables were never used before being initialized.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-01-06 12:15:12 -05:00
Nicolas Iooss
055d14a99a libselinux/utils: do not create an empty /sbin directory
When building libselinux package, "make install" creates /sbin directory
without putting anything in it. Remove this from the Makefile.

While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it
refers to /usr/sbin.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 16:20:47 -05:00
Nicolas Iooss
920ee9ee18 libsemanage: remove ustr library from Makefiles, README and pkg-config
This library is no longer used by libsemanage.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
300b8ad423 libsemanage: genhomedircon: drop ustr dependency
ustr library uses old (pre-C99) "extern inline" semantic. This makes it
incompatible with recent versions of gcc and clang, which default to
C99 standard. Distributions have shipped patched versions of this
library to fix issues (e.g. Gentoo package uses this patch:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/ustr/files/ustr-1.0.4-gcc_5-check.patch?id=7dea6f8820f36bf389e6315044bea7507553bed0
) but there is no upstream solution to make ustr compatible with C99
standard.

The git tree of ustr (http://www.and.org/ustr/ustr.git) has not been
updated since 2008 and the developer of this project did not reply to
emails.

Therefore update genhomedircon implementation in order to no longer
rely on ustr library.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
57a3b1b4b0 libsemanage: add semanage_str_replace() utility function
This function will be used in the next commit.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
a228bb3736 libsemanage: simplify string utilities functions
Use string functions from C standard library instead of ustr. This makes
the code simpler and make utilities.c no longer depend on ustr library.

This changes how semanage_split() behaves when delim is not empty (NULL
or "") and the input string contains several successive delimiters:
semanage_split("foo::::bar", ":") returned "bar" and now returns ":bar".
This would not have any impact in the current code as semanage_split()
is only called with delim="=" (through semanage_findval(), in
libsemanage/src/genhomedircon.c), in order to split a "key=value"
statement.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
fd6bc593b8 libsemanage/tests: test more cases of semanage_split*()
Before modifying semanage_split_on_space() and semanage_split(), test in
test_utilities.c how these functions behave for example when several
delimiter tokens are concatenated in the input string.

While at it, fix the memory leaks which were present in libsemanage
tests.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
9e0cf6ec8a libsemanage/tests: make tests standalone
In order to run libsemanage tests, libsepol and libselinux source
directories need to exist next to libsemanage source directory. This
prevents tests to be run when using the released package.

As libsemanage tests only use public API of libselinux and libsepol,
link with the shared objects which are likely to be installed on the
system (or at least present in $DESTDIR).

While at it, drop TESTSRC variable as it was used to find libsemanage
internal headers but not the tested library (libsemanage.a). Moreover
add ../src/libsemanage.a to the target dependencies of the test
executable in order to rebuild it after libsemanage.a has been updated.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
e51b233831 libsemanage/tests: make "make test" fail when a CUnit test fails
When modifications to libsemanage functions break the test cases tested
with the CUnit framework, "make test" currently succeeds, even though it
prints an output similar to:

    Suite: semanage_store
      Test: semanage_store_access_check ...passed
      Test: semanage_get_lock ...passed
      Test: semanage_nc_sort ...passed
    Suite: semanage_utilities
      Test: semanage_is_prefix ...passed
      Test: semanage_split_on_space ...FAILED
        1. test_utilities.c:150  - CU_ASSERT_STRING_EQUAL(temp,"baz")
      Test: semanage_split ...passed
      Test: semanage_list ...passed
      Test: semanage_str_count ...passed
      Test: semanage_rtrim ...passed
      Test: semanage_str_replace ...passed
      Test: semanage_findval ...passed
      Test: slurp_file_filter ...passed

Like commit 2489b50a91 ("libsepol: make "make test" fails when a CUnit
test fails") did for libsepol tests, modify the logic of function
do_tests() to return an error value when there has been at least one
failure. This makes "make test" fail as expected.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Vit Mojzis
bec41c4ff6 policycoreutils/setfiles: Mention customizable types in restorecon man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-21 09:36:22 -05:00
Gary Tierney
af18b86e0b libsepol/cil: remove avrules with no affected types
Adds a check for avrules with type attributes that have a bitmap cardinality
of 0 (i.e., no types in their set) before adding them to the libsepol policy in
__cil_avrule_to_avtab().  Also adds an exception for neverallow rules to
prevent breaking anything from AOSP mentioned in
f9927d9370.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-12-13 10:56:59 -05:00
Mike Frysinger
7179fd8738 man: standardize spacing with pointers in prototypes
The majority of prototypes don't put a space between the "*" and the
parameter name.  i.e. this style is incorrect:
	char * foo;
Instead, we want:
	char *foo;

Fix a bunch of references that use this uncommon style.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2016-12-12 14:44:26 -05:00
Mike Frysinger
fc3d8ceafc selinux(8): fix display of man page references
The section number shouldn't be bolded.  Fix a few references in
selinux(8) to match all the other man pages.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2016-12-12 14:44:22 -05:00
Vit Mojzis
8fe1b0ca27 python/sepolicy/sepolicy: optimise sepolicy gui loading
Significantly speed up sepolicy gui loading by aggregating setools
queries.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
ef387e88bd python/sepolicy/sepolicy: Cleanup of gui code
Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.
Speed up gui loading.
Some minor bug fixes.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Stephen Smalley
d479baa82d libsepol: Define extended_socket_class policy capability
Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 09:17:17 -05:00
Vit Mojzis
31fcd66d39 python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui
sepolicy.get_init_entrypoint() now returns list of Type objects
instead of single string, which caused sepolicy gui to crash.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-06 12:31:37 -05:00
Vit Mojzis
4791a99d67 python: Fix some typos
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-05 15:11:08 -05:00
Kyle Walker
468a0dbac8 seobject: Handle python error returns correctly
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.

    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory

To resolve the error, handle the OSError exception, but retain the
previous query operation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427

Signed-off-by: Kyle Walker <kwalker@redhat.com>
2016-11-30 11:00:51 -05:00
James Carter
9e81e611c7 libsepol: Fix neverallow checking to also check the other types when
self is included in a target type set.

When neverallow checking was refactored in commit 9e6840e, self
was not handled correctly. The assumption was made that self only
appeared by itself as a target type, when it may appear in a list of
types. Because of this, if self appears in a target type set of a
neverallow, the other types in the type set are not checked.

Example:

allow TYPE1 TYPE2:CLASS1 { PERM1 };
neverallow TYPE1 {TYPE2 self}:CLASS1 { PERM1 };

The old assertion checking would not find a violation in the rules
above because the target type TYPE2 would be ignored.

This fix will cause all of the types in a target list that includes
self to be checked.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:19:02 -05:00
James Carter
93e677d830 secilc: Add secil2conf which creates a policy.conf from CIL policy
The program secil2conf uses the libsepol function
cil_write_policy_conf() to create a policy.conf file from CIL policy.

By default a file called "policy.conf" will be created, but the "-o"
option can be used to write to a different file. The "-M" option can
be used to override the mls statement in CIL. The "-P" option will
cause tunables to be treated as booleans.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:18:19 -05:00
James Carter
3fe4499f7d libsepol/cil: Add ability to write policy.conf file from CIL AST
The ability to create a policy.conf file from the CIL AST has been
a desire from the beginning to assist in debugging and for general
flexibility. Some work towards this end was started early in CIL's
history, but cil_policy.c has not been remotely functional in a long
time. Until now.

The function cil_write_policy_conf() will write a policy.conf file
from a CIL AST after cil_build_ast(), cil_resolve_ast(),
cil_fqn_qualify(), and cil_post_process() have been called.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:18:12 -05:00
Vit Mojzis
86e568c27b python/semanage/semanage: Unify argument handling
Missing argument checks for "fcontext" and "boolean" were performed
outside of "argparse", resulting in shortened help message (without
argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other
semanage options.

Some "required argument" check were performed outside of "handle_opts"
obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the
checks from handle{Fcontext Boolean}.

Remove unpaired parentheses from "semanage fcontext" usage message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 09:33:58 -05:00
Vit Mojzis
041e00106f python/sepolicy/sepolicy/gui: Fix getting python lib path
Python code is not platform specific and resides always in
lib (as opposed to lib64 on x64 architectures).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 08:49:26 -05:00
Stephen Smalley
7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00