The target platform used to come from the base module. However, CIL has
no concept of a base module or a target platform. This adds an option to
semanage.conf (target-platform) to control how policies should be built.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
With pp modules, the target platform information comes form the base
module. However, CIL modules have no concept of target platform. So it
must come from somewhere else. This adds an API function that allows
setting the target platform.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Rather than getting the list of pp modules and parsing their headers to get
the name, use the new source policy functions to get the necessary
information from the module store.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Removed in commits:
- Revert "libsemanage: introduce semanage_set_root and friends"
- Revert "libsemanage: Alternate path for semanage.conf"
- Revert "libsemanage: Use default semanage.conf as a fallback"
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This uses symbolic versioning to maintain ABI compatability with the old
versions of semanage_module_get_enabled. Also to maintain ABI, the functions
semanage_module_{enable,disable} are added back and modified to call the
new semanage_module_set_enabled function.
Removed in commits:
- Revert "Last attempt at upstreaming semodule_disable patch."
- Revert "fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4"
- Revert "libsemanage: change module disabled from rename to symlink"
- Revert "libsemanage: Cleanup/fix enable/disable/remove module."
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
include/semanage/handle.h
* Exports the handle get/set default priority functions.
include/semanage/module.h
* Exports the module info management functions.
* Exports the get/set enabled status functions.
* Exports the module key management functions.
* Exports the module install, upgrade, remove info/key functions.
include/semanage/semanage.h
This patch includes the modifications to the map file for exporting the
necessary functions.
Examples:
/* changing the default priority for a distro install */
semanage_set_default_priority(sh, 100);
/* creating module meta data */
semanage_module_info_t *modinfo = NULL;
semanage_module_info_create(sh, &modinfo);
/* filling in that data */
semanage_module_info_set_priority(
sh,
modinfo,
semanage_get_default_priority(sh));
semanage_module_info_set_name(
sh,
modinfo,
"mymodule");
semanage_module_info_set_version(
sh,
modinfo,
"0.1.2");
semanage_module_info_set_lang_ext(
sh,
modinfo,
"pp");
semanage_module_info_set_enabled(
sh,
modinfo,
-1); /* Sets enabled to default:
* If the module was already enabled/disabled
* then it will remain so after install.
* If it wasn't, then it will be enabled.
*/
/* install the module */
semanage_module_install_info(sh, modinfo, data, data_len);
/* cleanup modinfo */
semanage_module_info_destroy(sh, modinfo);
/* create a key for retrieving a module's meta data */
semanage_module_key_t *modkey = NULL;
semanage_module_key_create(sh, &modkey);
/* Only set the module name, this will find the highest
* priority module of that name.
*/
semanage_module_key_set_name(sh, modkey, "mymodule");
/* get the newly installed module */
semanage_module_get_module_info(sh, modkey, &modinfo);
/* get the priority of the module found */
uint16_t priority = 0;
semanage_module_info_get_priority(sh, modinfo, &priority);
/* set the priority in the key to the one found */
semanage_module_key_set_priority(sh, modkey, priority);
/* remove the highest priority module with the name "mymodule" */
semanage_module_remove_key(sh, modkey);
/* print all the modules installed */
semanage_module_info_t *modinfos = NULL;
int modinfos_len = 0;
semanage_module_list_all(sh, &modinfos, &modinfos_len);
char *name = NULL;
int i = 0;
for (i = 0; i < modinfos_len; i++) {
semanage_module_info_get_priority(
sh,
semanage_module_list_nth(modinfos, i),
&priority);
semanage_module_info_get_name(
sh,
semanage_module_list_nth(modinfos, i),
&name);
printf("%d\t%s\n", priority, name);
}
Signed-off-by: Chad Sellers <csellers@tresys.com>
These functions install/remove modules based on the module
info/key. The motivation for these interfaces is to provide the
additional information about a module (version, language, and enabled
status) at install time and also to separate the meta-data in
preparation for supporting source policies.
This patch combines the implementations of all the
install/remove functions to use the
semanage_direct_install_info and semanage_direct_remove_key functions.
The motivation here is to reduce the amount of duplicate installation code
(for example, semanage_direct_install and semanage_direct_install_file have
separate but similar implementations).
With this patch the transition from the old store layout to the new one
is finished. This is accomplished mostly through the modification of
install functions and semanage_get_modules_names.
Signed-off-by: Chad Sellers <csellers@tresys.com>
The base module is being moved in with the other modules so that it can
benefit from the priority framework. This patch provides a utility
function for getting the highest priority base module path.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This provides the functions for enabling/disabling modules via a
semanage_module_key_t and getting/setting module info.
Enabled/disabled status is indicated by the presence of an empty file in
the disabled directory:
/var/lib/selinux/<policy type>/disabled/<module name>
The presence of a file there indicates that the module is disabled at
all priorities. Enable/disabling of modules is done across all
priorities simultaneously to avoid confusion that would likely arise
from per priority settings.
semanage_module_get_module_info gathers up the on disk information about
a module indicated by the module key and puts the information into
module info. In order to facilitate an easy mechanism for getting the
highest priority module of a given name, the key's priority value may
be 0 and the highest priority module with the given name will be located.
semanage_direct_set_module_info is a helper function that writes module
info to disk. The unused attribute is used to suppress warnings for
compilation and is removed in the module install patch later in the
series.
semanage_module_list_all behaves similar to semanage_module_list except
it returns all modules at all priorities. semanage_module_list will only
include the highest priority, enabled, non-base modules (this is its
current behavior). See the module install patch later in the series for
the modified semanage_module_list.
Adds a helper function for creating a directory if it doesn't already
exist (used to automatically create the disabled, priority, and module
dirs).
Signed-off-by: Chad Sellers <csellers@tresys.com>
Adds priority, language ext, and enabled fields to
semanage_module_info_t.
Adds get/set functions for all semanage_module_info_t/key_t fields. This
is necessary so that semanage_module_info_t/key_t can be used in the
specifing meta data on source policies.
Adds create, destroy, and init functions for semanage_module_info_t and
semanage_module_key_t. Create initializes and allocates, destroy
deallocates fields (but not struct), and init initializes fields.
Provide several utility functions for converting a string priority to a
uint16_t and validating fields.
Adds semanage_module_get_path for getting module specific file paths.
Signed-off-by: Chad Sellers <csellers@tresys.com>
For backwards compatiblity purposes we need to provide a default
priority that the current set of module install/upgrade/remove functions
can use.
The default priority is 400.
Adds semanage_module_validate_priority so that it can be used to verify
the given priority. See next patch for other validation functions.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch moves the final files from inside
/var/lib/selinux/<store>/[active|previous|tmp] to
/var/lib/selinux/tmp/<store>. The move is done to facilitate using
source control management on the /var/lib/selinux/<store> directory. If
these files remain in /var/lib/selinux/<store> they will pose a size
problem if an SCM like git is used as we'd be storing lots of binary
diffs. We are suggesting making this change now, rather than later when
source policy, SCM, and CIL[1] support are available, to ease the
migration burden.
These are the files that have been moved:
/var/lib/selinux/<store>/active/... /var/lib/selinux/tmp/<store>/...
file_contexts contexts/files/file_contexts
file_contexts.homedirs contexts/files/file_contexts.homedirs
file_contexts.local contexts/files/file_contexts.local
netfilter_contexts contexts/netfilter_contexts
policy.kern policy/policy.<policyversion>
seusers.final seusers
The layout of these files in /var/lib/selinux/tmp/<store> is designed to
mirror their locations in /etc/selinux/<store>. This should help clarify
the relationship between these final files and the files installed in
etc.
One consequence of this move is that reverting to the previous policy
version requires a policy rebuild. Currently you can revert without
rebuilding.
[1] CIL RFC: http://marc.info/?l=selinux&m=124759244409438&w=2
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch moves the module store from /etc/selinux/<store>/modules to
/var/lib/selinux/<store>.
This move will allow for the use of a read-only /etc/selinux. Currently
that is not possible with semanage because of the lock files.
A consequence of this move is that packagers of libsemanage should
create the /var/lib/selinux directory.
Signed-off-by: Chad Sellers <csellers@tresys.com>
semanage currently uses /var/lib/selinux/tmp to create permissive
modules. However, with the move to /var, the same tmp directory is used
for building policy binaries, causing a conflict. This patch creates a
random temporary directory in /tmp and moves permissive module creation
to that directory, avoiding the directory conflict.
This patch also imports shutil for rmtree to easily delete all created
temporary files.
Signed-off-by: Chad Sellers <csellers@tresys.com>
It is not a requirement that all file context files exists (e.g.
file_contexts.local is not mandatory). However, sefcontext_compile is
executed for all file contexts files regardless of existance, which
results in an error when they do not exist and causes policy load to
fail. This modifies libsemanage so that sefcontext_compile is only
executed on file contexts that do exist.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The addition of this rule caused interface vectors to be less accurate.
The grammar looks correct without the rule, so remove it.
Reverted hunk from commit 17cc87e56b
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Currently the compiled file context files can end up with different
permissions then the original. This can lead to non priv users
not being able to read the compiled versions.
The %name-prefix="foo" syntax was deprecated in bison 2.3b [1], which
was released in 2006. This patches fixes the syntax to use the newer
syntax. This breaks support for older versions of bison.
[1] http://lists.gnu.org/archive/html/help-bison/2009-10/msg00018.html
Reported-by: Ilya Frolov <ilya.a.frolov@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Since booleans are only set, not added/removed, we do not need to re-link
modules when setting them. We can instead just take the existing binary
policy and mutate it for the new values.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.
This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector). Ho hum. I already fixed this in Android but forgot it
here.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Hi,
in https://github.com/TresysTechnology/refpolicy/pull/1 db_exception
and db_datatype were added to reference policy. This small patch
extends ability of label_db backend to work with these objects.
Regards.
Running "libsemanage/src/pywrap-test.py -v -F" gives following error:
Traceback (most recent call last):
File "pywrap-test.py", line 1139, in <module>
sys.exit(main())
File "pywrap-test.py", line 1121, in main
tests.run(sh)
File "pywrap-test.py", line 107, in run
self.test_writefcontext(handle)
File "pywrap-test.py", line 622, in test_writefcontext
if self.verbose: print "SEFContext type set: ", semanage.semanage_fcontext_get_type_str(fcon)
TypeError: in method 'semanage_fcontext_get_type_str', argument 1 of type 'int'
The argument of semanage_fcontext_get_type_str is the type recorded in
fcon and not fcon itself. This type can be retrieved with
semanage_fcontext_get_type.
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
If you run selinux_init_load_policy() after a chroot/switch-root, it's
possible that your *previous* root loaded policy, but your *new* root
wants SELinux disabled.
We can't disable SELinux in this case, but we *do* need to make sure
it's permissive. Otherwise we may continue to enforce the old policy.
So, if seconfig = -1, but security_disable() fails, we set *enforce=0,
and then let the existing code handle the security_{get,set}enforce
stuff.
Once that's handled, exit with failure via "goto noload", as before.
Quote the component name.
Reorder the arguments to more closely align with the rule syntax.
Use a more descriptive text that will more clearly correspond to the original rule.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This change was incorrect and can yield duplicate file name transition rules.
Revert it and look at converting the filename_trans list to a hashtab
as has already been done in the kernel in the future.
This reverts commit a29f6820c5.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is a program for displaying the contents of a binary policy file.
Change-Id: Iba94d6b13ac1abbc084da5631dc2bf4107e548d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
