update .gitignore to include files that are normally created when
working and building inside the git repo
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor.
This patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Note: it is not clear to me why it is necessary to remove and readd the
watch in the first place.
Note for testing: you need to log in (to cause a change in utmp) after
starting restorecond to trigger the bug. In fact you need to log in twice
before the kernel reuses a watch descriptor.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
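The filter this commit message describes, as an added example (not restorecond's own code): it walks a buffer in the format read(2) returns from an inotify descriptor and counts the events a watcher would treat as a change to utmp, with and without skipping events whose mask is exactly IN_IGNORED. The names `count_changes`, `put_event` and `demo` are hypothetical, and the event records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>

/* Count events in a read(2) buffer that would make the watcher treat the
 * watched file (wd == utmp_wd) as changed. With skip_ignored set, events
 * whose mask is exactly IN_IGNORED are dropped, as the commit describes. */
static int count_changes(const char *buf, size_t len, int utmp_wd, int skip_ignored)
{
    size_t off = 0;
    int hits = 0;
    while (len - off >= sizeof(struct inotify_event)) {
        struct inotify_event ev;
        memcpy(&ev, buf + off, sizeof(ev));      /* buffer may be unaligned */
        if (ev.len > len - off - sizeof(ev))
            break;                               /* truncated record */
        off += sizeof(ev) + ev.len;
        if (skip_ignored && ev.mask == IN_IGNORED)
            continue;                            /* stale notice for a removed watch */
        if (ev.wd == utmp_wd)
            hits++;
    }
    return hits;
}

/* Constructed sample: append one name-less event record to buf. */
static size_t put_event(char *buf, size_t off, int wd, unsigned int mask)
{
    struct inotify_event ev;
    memset(&ev, 0, sizeof(ev));
    ev.wd = wd;
    ev.mask = mask;
    memcpy(buf + off, &ev, sizeof(ev));
    return off + sizeof(ev);
}

/* Constructed scenario: the old utmp watch (wd 1) was removed and the new
 * watch was handed wd 1 again, so the IN_IGNORED notice carries a live wd. */
static int demo(int skip_ignored, int with_real_change)
{
    char buf[4 * sizeof(struct inotify_event)];
    size_t n = put_event(buf, 0, 1, IN_IGNORED);
    if (with_real_change)
        n = put_event(buf, n, 1, IN_MODIFY);
    return count_changes(buf, n, 1, skip_ignored);
}

int main(void)
{
    printf("without filter: %d, with filter: %d\n", demo(0, 0), demo(1, 0));
    return 0;
}
```

Without the filter, the lone IN_IGNORED record is counted as a change on the reused descriptor, which is the trigger for the remove/re-add loop; with it, only the genuine IN_MODIFY is counted.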
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
mcstransd: Now selects the range color for a matching 'range' entry in secolor.conf file, and not the first range to pass the dominance check.
The second patch has the man pages to support the colour functions that match how mcstransd manages colour selection.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The majority of the patch is just handling the case of memory
allocation failures and making sure things get cleaned up correctly in
those cases.
This also moves duplicate code in parse_ebitmap() and parse_raw() into
parse_category(), and also updates the parse function to ensure the
config files are in the correct format.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
SELinux Project contribution of mcstrans. mcstrans is a userland package
specific to SELinux which allows system administrators to define
sensitivity levels and categories and provides a daemon for their
translation into human readable form. This version is a merge of Joe
Nall's git tree (http://github.com/joenall/mcstrans) and patches
supplied by Dan Walsh and others at RedHat.
Ted
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Email: slawrence@tresys.com
Subject: Updated sandbox patch.
Date: Mon, 07 Jun 2010 17:53:41 -0400
On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/26/2010 04:06 PM, Steve Lawrence wrote:
> > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote:
> > Fixed patch that handles Spaces in homedir.
>
> > The following patch makes a few updates to the sandbox patch, though I
> > have a question:
>
> > Is the sandbox.init script needed anymore? It looks like seunshare was
> > changed to now bind mount and make private the necessary directories.
> > The only thing that seems missing is making root rshared. Also, if the
> > init script is obsolete, do the mounts also need the MS_REC flag for
> > recursive bind/private like they are mounted in the init script? e.g.
>
> The init script is needed for the xguest package/more specifically
> pam_namespace, but also needed for
> mount --make-rshared /
>
> Whether the init script belongs in policycoreutils is questionable though.
>
>
> > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL)
> > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL)
>
> We probably should add these. Although it is not likely.
>
> > Changes the following patch makes:
>
> > sandbox.py
> > - Removes unused 'import commands'
> > - Fixes the chcon function, and replaces the deprecated os.path.walk
> > with os.walk. I think this way is a bit easier to read too.
>
> I think chcon should be added to libselinux python bindings and then
> leave the recursive flag. (restorecon is currently in python bindings.)
>
> > - Removes the 'yum install seunshare' message. This tool is not specific
> > to RPM based distros.
>
> People are using seunshare without X now that I have added the -M flag.
> So I will move it from the -gui package to the base package with
> sandbox and then this should not be necessary.
> > - Remove try/except around -I include to be consistent with the -i
> > option. If we can't include a file, then this should bail, no matter
> > if it's being included via -i or -I.
>
> Ok, I was thinking you could list a whole bunch of files in the -I case
> and if one does not exist, allow it to continue. But I don't really care.
> > - Fix homedir/tmpdir typo in chcon call
>
> > sandbox.init (maybe obsoleted?)
> > - Fix restart so it stops and starts
> > - unmount the bind mounts when stopped
> I doubt this will work. Too many locks in /tmp /home
> > - Abort with failure if any mounts fail
>
> > seunshare.c
> > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only
> > defined in the latest glibc but has been in the kernel since 2005.
> > - Simplify an if-statement. Also, I'm not sure the purpose of the
> > strncmp in that conditional, so maybe I've oversimplified.
> This is wrong. The problem comes about when you mount within the same
> directory.
>
> seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home ...
>
> seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home
>
> If you do not have the check one of the above will fail.
>
> In the first example if Homedir is mounted first,
> /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to
> mount it on /tmp.
>
> Similarly, if /tmp is mounted first in the second example.
> /tmp/sandbox/home will no longer exist.
>
> You have to check to make sure one of the directories is not included in
> the other.
>
> It seems
> > like maybe an error should be thrown if tmpdir_s == pw_dir or
> > homedir_s == "/tmp", but maybe I'm missing something.
>
> See above.
>
> I was blowing up because I use
>
> ~/sandbox/tmp and ~/sandbox/home for my mountpoints.
<snip>
Below is an updated patch that makes a few changes to the latest
Sandbox Patch [1]. This requires the chcon patch [2].
Changes this patch makes:
sandbox.py
- Remove unused 'import commands'
- Uses new chcon method in libselinux [2]
- Removes the 'yum install seunshare' message
- Converts an IOError to a string for printing a warning if a file
listed in -I does not exist
sandbox.init
- Print the standard Starting/Stopping messages with the appropriate
OK/FAIL
- Abort with failure if any mounts fail
seunshare.c
- Add the MS_REC flag during mounts to perform recursive mounts
- Define the mount flags MS_PRIVATE and MS_REC if they aren't already.
The flags are only defined in the latest glibc but have been in the
kernel since 2005.
- Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are
used, it wouldn't correctly detect that tmpdir is inside homedir and
change the mount order. This fixes that.
[1] http://marc.info/?l=selinux&m=127429948731841&w=2
[2] http://marc.info/?l=selinux&m=127594712200878&w=2
Signed-off-by: Chad Sellers <csellers@tresys.com>
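The mount-order check discussed in this thread, as an added example (not seunshare's code): both sources and both mount targets are canonicalised with realpath(3) before testing whether one bind mount would hide the other's source. It goes slightly beyond the message by comparing on path-component boundaries and by reporting the case where no order works; `pick_order`, `is_within`, `demo` and the temporary directory tree are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { ORDER_ERROR = -1, HOME_FIRST = 0, TMP_FIRST = 1 };

/* 1 if canonical path p is dir itself or lies below it ("/a/bc" is not in "/a/b"). */
static int is_within(const char *p, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 0 || strncmp(p, dir, n) != 0) return 0;
    return p[n] == '\0' || p[n] == '/' || dir[n - 1] == '/';
}

/* Hypothetical helper: tmpdir_s will be bind-mounted on tmp_target and
 * homedir_s on home_target; pick the order that keeps both sources visible. */
static int pick_order(const char *tmpdir_s, const char *homedir_s,
                      const char *home_target, const char *tmp_target)
{
    char t[PATH_MAX], h[PATH_MAX], ht[PATH_MAX], tt[PATH_MAX];
    if (!realpath(tmpdir_s, t) || !realpath(homedir_s, h) ||
        !realpath(home_target, ht) || !realpath(tmp_target, tt))
        return ORDER_ERROR;
    int tmp_src_hidden = is_within(t, ht);   /* mounting home first hides tmpdir_s */
    int home_src_hidden = is_within(h, tt);  /* mounting tmp first hides homedir_s */
    if (tmp_src_hidden && home_src_hidden) return ORDER_ERROR; /* no order works */
    return tmp_src_hidden ? TMP_FIRST : HOME_FIRST;
}

/* Constructed sample tree in a fresh temp dir; which selects the scenario. */
static int demo(int which)
{
    char base[] = "/tmp/mount-order-XXXXXX";
    const char *dirs[] = { "home", "home/u", "home/u/sandbox", "home/u/sandbox/tmp",
        "home/u/sandbox/home", "tmp", "tmp/sandbox", "tmp/sandbox/tmp", "tmp/sandbox/home" };
    if (!mkdtemp(base) || chdir(base) != 0) return ORDER_ERROR;
    for (size_t i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++)
        if (mkdir(dirs[i], 0700) != 0) return ORDER_ERROR;
    if (which == 1)   /* relative sources under home, resolved from inside home */
        return chdir("home/u") ? ORDER_ERROR
             : pick_order("sandbox/tmp", "sandbox/home", ".", "../../tmp");
    if (which == 2)   /* both sources under tmp */
        return pick_order("tmp/sandbox/tmp", "tmp/sandbox/home", "home/u", "tmp");
    return pick_order("home/u/sandbox/tmp", "tmp/sandbox/home", "home/u", "tmp");
}
int main(void) { return demo(1) == TMP_FIRST ? 0 : 1; }
```

Scenario 1 passes relative paths, which a plain string comparison against the absolute home directory would not match; canonicalising first is what makes the containment test reliable.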
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>
Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.
No passing of args.
Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
Apparently I failed to split out the whitespace changes from a
previous patchset, and a bit of the equivalence patch of the
day snuck in. This causes a stack trace when you execute
semanage fcontext -l. This patch reverts the accidentally
included code.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch fixes a bug that causes semanage node -a to not work
(failing with a python traceback). You can test the bug with any
semanage node -a command, such as:
semanage node -a -t node_t -p ipv4 -M 255.255.255.0 192.168.1.0
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Add modules support to semanage
Date: Thu, 12 Nov 2009 11:23:15 -0500
On 11/11/2009 01:52 PM, Chad Sellers wrote:
> On 9/30/09 2:33 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
>
>> Includes enable and disable.
>>
> I presume I should hold off on this patch until you have a chance to
> resubmit the libsemanage support that it relies on. Let me know if that's
> not the case.
>
> Thanks,
> Chad
>
Let's do this patch.
Moves load_policy from /usr/sbin to /sbin
Removed cruft.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Remove setrans management from semanage
Date: Wed, 30 Sep 2009 14:07:49 -0400
This will not work correctly using the current mcstrans code base. I believe an admin has to edit this code directly and probably should have never been added to semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: tliu@redhat.com
Subject: policycoreutils: share setfiles restore function with restorecond
Date: Wed, 19 Aug 2009 15:51:44 -0400
This is the first of two patches.
This patch splits all of the restore functionality in setfiles
into another two files, restore.c and restore.h.
The reason for this is shown in the next patch, which patches
restorecond to share this code.
To use it, instantiate a restore_opts struct with the proper options
and then pass a pointer to it into restore_init, and call restore_destroy
later.
Signed-off-by: Thomas Liu <tliu@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
I've rebased this so that it will apply to current trunk.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Setfiles now checks the capabilities on the mounted file systems for
'seclabel' (see setfiles/setfiles.c:723:exclude_non_seclabel_mounts) on
newer kernels (>=2.6.30 see setfiles.c:734). However the 'seclabel'
feature is not available if selinux is not enabled. The result is that
setfiles silently fails to relabel any filesystems.
The patch below removes the check for seclabel if selinux is disabled.
As an alternative maybe seclabel should be available even if selinux is
disabled? It seems that whether a fs supports security labels is
independent of selinux being enabled.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: srivasta@golden-gryphon.com
Subject: policycoreutils: The error message on forkpty() failure is not clear or useful.
Date: Sun, 23 Aug 2009 09:40:58 -0500
Hi,
This has been reported against the Debian BTS.
The current error message when forkpty() fails is not clear or
useful. (Arguably, the error message in the child branch could also be
improved.) The following patch makes it indicate what went wrong. Probably
something better than this could be devised, but this is still a lot
better than the current code.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Basically it makes semodule -u file.pp install file.pp if it does not exist. This matches the rpm syntax, and allows us to update/install many packages with a transaction without knowing whether the package is updated or installed.
Currently we can only do a -i which could hammer a newer version.
commit 3a5ed0fdf42200d0efd6cb1064eab91d2eb5ca52
Author: Dan Walsh <dwalsh@redhat.com>
Date: Mon Aug 24 11:36:41 2009 -0400
i Upgrade patch
Redone to match man page and remove reload_policy.
Chad Sellers: This patch adds the dontaudit directive to semanage to enable/disable dontaudit rules in policy.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Patch to semanage
Chad Sellers: I pulled this patch out of the larger patch. This patch fixes 2 small bugs in seobject.py. The first left the setrans file with the wrong permissions. The second returned a malformed dictionary from portRecords get_all method.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Some white space fixing in seobject.py
Chad Sellers: I pulled the whitespace patch out of the larger patch as a separate commit to make the patch more manageable.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Based on a patch by Martin Orr.
Restore the code to compute the realpath of all but the last component
of a symlink, and relabel both the symlink and (if it exists) the target
of the symlink when a symlink is specified to restorecon.
Thus, restorecon -R /etc/init.d will restore both the /etc/init.d symlink
context and the directory tree starting from /etc/rc.d/init.d.
This fixes the restorecon /dev/stdin performed by the Debian udev init
script that was broken by policycoreutils 2.0.70.
[sds: switched use of _realpath suffix for process_one, and dropped warning
on non-existent target]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On Tue, 2009-08-11 at 08:12 -0400, Daniel J Walsh wrote:
> On 08/10/2009 04:12 PM, Stephen Smalley wrote:
> > On Mon, 2009-08-10 at 16:03 -0400, Stephen Smalley wrote:
> >> On Mon, 2009-08-10 at 11:13 -0400, Daniel J Walsh wrote:
> >>> Currently in F12 if you have file systems that root can not read
> >>>
> >>> # restorecon -R -v /var/lib/libvirt/
> >>> Can't stat directory "/home/dwalsh/.gvfs", Permission denied.
> >>> Can't stat directory "/home/dwalsh/redhat", Permission denied.
> >>>
> >>> After patch
> >>>
> >>> # ./restorecon -R -v /var/lib/libvirt/
> >>
> >> But if you were to run
> >> ./restorecon -R /home/dwalsh
> >> that would try to descend into .gvfs and redhat, right?
> >>
> >> I think you want instead to ignore the lstat error if the error was
> >> permission denied and add the entry to the exclude list so that
> >> restorecon will not try to descend into it. It is ok to exclude a
> >> directory to which you lack permission. Try this:
> >
> > Also, why limit -e to only directories? Why not let the user exclude
> > individual files if they choose to do so? In which case we could drop
> > the mode test altogether, and possibly drop the lstat() call altogether?
> > Or if you truly want to warn the user about non-existent paths, then
> > take the lstat() and warning to the 'e' option processing in main()
> > instead of doing it inside of add_exclude().
> >
> I agree, let's remove the directory check and warn on non-existing files.
Does this handle it correctly for you?
Remove the directory check for the -e option and only apply the
existence test to user-specified entries. Also ignore permission denied
errors as it is ok to exclude a directory or file to which the caller
lacks permission.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>