Check to see if the file whose path is passed to selabel_open() starts
with the file_contexts.bin magic number, and if so, automatically
treat it as a file_contexts.bin file. This allows one to open
file_contexts.bin formatted files without necessarily having a .bin
file suffix. This removes the need for the previously added
.bin file suffix test.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a selabel_cmp() interface for comparing two label configurations,
and implement it for the file backend (i.e. for file_contexts). This
allows comparing two file_contexts configurations to see if the first
is a subset of, equal/identical to, a superset of, or incomparable to
the second. The motivating use case is to allow comparing two
file_contexts.bin files in Android CTS to confirm that a device
file_contexts.bin file contains all of the entries in the AOSP
general file_contexts.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
If modkey is NULL, semanage_module_key_destroy() would still try to
initialize a modkey after freeing it.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Add semanage_module_extract() to extract a module as CIL or HLL. The
function takes a module name and whether to extract as CIL or HLL.
If a CIL file is requested, but does not exist, semanage_module_extract()
will compile the HLL to CIL and cache the CIL in the store as well as
extract the module. A module that was installed from a CIL file will export
as CIL when the HLL version of the file is requested.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
In python3 it is needed to pass compare function as a key argument
instead of directly passing compare function to sort function
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python3 output from Popen communicate function
returns bytes, to handle output as a string it is needed
to properly decode it.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
At present, the label_file backend expects to be provided the path
to the text file_contexts file and always appends the .bin suffix
when checking for the binary file_contexts.bin file. If one
attempts to directly specify the path to a file_contexts.bin file
to selabel_open(), it will fail as the code will append a second
.bin suffix to it. Check to see if the file path already has a .bin
suffix and do not append it in that case.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change the label_file backend in libselinux to support systems
that only have file_contexts.bin files installed and do not ship
a file_contexts file at all. Only fail if neither file can be
loaded.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Some platforms do not have %ms support in sscanf. This adds a tokenize()
function to be used instead of sscanf. tokenize() has the ability to split on any
delimiter. All whitespace delimiters will be squashed.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Constraint rules in output need to be commented in order to make a policy
compilable.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1155974
Patch-by: Miroslav Grepl <mgrepl@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
checkpolicy was directly assigning type sets rather than using
type_set_cpy() and therefore creating pointer aliases to the
same type set from multiple filename-based type transition rules
if they specified multiple classes. This would then yield a double
free when destroying the rules afterward and a segmentation fault.
Fix it to use type_set_cpy().
Reported-by: William C Roberts <william.c.roberts@intel.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When trying to get policycoreutils working in python3, I kept running
into TabErrors:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
import seobject
File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
context = "%s%s" % (filler, raw)
^
TabError: inconsistent use of tabs and spaces in indentation
Python3 is a lot stricter than python2 regarding whitespace and looks like
previous commits mixed the two. When fixing this, I took the chance to fix
other PEP8 style issues at the same time.
This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)
The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.
Signed-off-by: Jason Zaman <jason@perfinion.com>
In some cases, if a statement failed to resolve inside an optional, we
would still log a failed to resolve error message, even though the
optional was disabled and everything successfully compiled. This was
confusing. Additionally, if a resolution failure occurred outside of an
optional, the error message did not include the actual name that could
not be resolved--it only logged the statement type (e.g. allow,
booleanif, etc.) and file/line number.
This patch removes resolution error messages which should not always be
printed, as well as improves the resolution failure message to also
print the last name that was attempted to be resolved. Also makes some
less important error messages INFO rather than WARN, which tended to
just clutter things and hide actual error messages.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
commit 2ff279e21e ("policycoreutils:
semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch writes file_contexts and seusers to the policy store as well as
/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
store rather than the final directory which was the old behavior. This allows
all policy related files to be kept in the policy store.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
- migrate from commands to subprocess
- fix formatting
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes "unicode" keyword argument in Python 2
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes optional "unicode" keyword argument in
Python 2, and its default value is "False". This keyword argument
doesn't exist in Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- raw_input() has been renamed to input() in Python 3
- specify octal literals in form compatible with both Python 2 and 3
- migrate from commands to subprocess
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
https://github.com/systemd/systemd/issues/475 identified a problem
in libselinux with using getpid(3) rather than getpid(2) due to direct
use of the clone() system call by systemd. We could change libselinux
to use getpid(2) instead, but this would impose a getpid(2) system call
overhead on each get*con() or set*con() call. Rather than do this,
we can instead simplify the procattr cache and get rid of the
caching of the pid and tid entirely, along with the atfork handler.
With commit 3430519109 ("use
/proc/thread-self when available"), we only need the tid when
on Linux < 3.17, so we can just always call gettid() in that case (as
done prior to the procattr cache) and drop the cached tid. The cached
pid and atfork handlers were only needed to reset the cached tid, so
those can also be dropped. The rest of the cached attributes are not
reset by the kernel on fork, only on exec, so we do not need to
flush them upon fork/clone.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
By default in Python3 hash uses random seed as salt, this leads to
different order in output from functions which rely on hash as are
dicts and sets. Tests in sepolgen relied on the frozen order.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Replace usage of print statement with print function.
Use `in` instead of `has_key` when checking for key in dict.
When using `raise` add text (if any) as parameter of exception function.
Add Python3 imports of moved modules.
Replace `map` with list comprehension.
Use reserved word `as` in try-except when catching exception.
Replace `ifilter` function with `filter`.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
xrange function is gone in Python3 and instead range is
xrange by default. Also it doesnt seem to be important
to have xrange used in tests on Python2.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python3 all strings are by default Unicode and both Unicode and String
types are removed from types module. We introduce separate
variables `bytes_type` and `string_type` to reflect Python3 understanding
of strings, on Python2 `bytes_type` refers to <str> and `string_type` to
<unicode>, on Python3 `bytes_type` are <bytes> and `string_type` <str>.
As all strings are Unicodes by default on Python3 we encode them to
bytes when needed as late as possible.
Also other attributes were replaced with their equivalents from
builtins which are available for both Python3 and Python2.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python3 the __cmp__ function is removed, and rich
comparison should be used instead.
Also the cmp function is gone in Python3 therefore it is
reimplemented in util.py and used if running on Python3.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
sha256 hash operates with bytes and in Python3 all strings are unicode
by default, we must encode the data before hashing to ensure they
are bytes in Python3
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Since Python 2.4 .sort() as well as the new sorted() function
take a key parameter which should be a function that returns
a sorting key.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python 3, special function attributes have been
renamed for consistency with other attributes.
__code__ attribute is also present in py2.7 and py2.6
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Python 3 changes the syntax for imports from within a package,
requiring you to use the relative import syntax,
saying from . import mymodule instead of the just import mymodule.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
