With CIL, the filename and language extension are no longer stored in
the modules themselves like with pp files. So parse this information
from the filename when given a file to install, and require the
information be passed when just data. Symbolic versioning is used to
maintain ABI compatability with the old install functions. API
compatability is not maintained.
Also, remove version from the module info struct and the
semanage_module_info_{get,set}_version functions. These functions have
not been part of an official release, so removing them without providing
ABI/API compatability should not break anything.
Because versioning is removed, semanage_module_upgrade can no longer
perform the necessary checks to ensure an old module is not overriding
a newer module. So, this just remove the upgrade functions from the API.
Functions are added to maintain ABI compatability, which call the
install functions.
Also, CIL has no concept of a base module, so remove the notion of a
base module, including the API functions semanage_module_base_install
and related functions. To maintain ABI compatability, functions are
added which call the new install functions, thus treating base modules
as if they are normal modules.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
The target platform used to come from the base module. However, CIL has
no concept of a base module or a target platform. This adds an option to
semanage.conf (target-platform) to control how policies should be built.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Rather than getting the list of pp modules and parsing their headers to get
the name, use the new source policy functions to get the necessary
information from the module store.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Removed in commits:
- Revert "libsemanage: introduce semanage_set_root and friends"
- Revert "libsemanage: Alternate path for semanage.conf"
- Revert "libsemanage: Use default semanage.conf as a fallback"
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This uses symbolic versioning to maintain ABI compatability with the old
versions of semanage_module_get_enabled. Also to maintain ABI, the functions
semanage_module_{enable,disable} are added back and modified to call the
new semanage_module_set_enabled function.
Removed in commits:
- Revert "Last attempt at upstreaming semodule_disable patch."
- Revert "fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4"
- Revert "libsemanage: change module disabled from rename to symlink"
- Revert "libsemanage: Cleanup/fix enable/disable/remove module."
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
include/semanage/handle.h
* Exports the handle get/set default priority functions.
include/semanage/module.h
* Exports the module info management functions.
* Exports the get/set enabled status functions.
* Exports the module key management functions.
* Exports the module install, upgrade, remove info/key functions.
include/semanage/semanage.h
This patch includes the modifications to the map file for exporting the
necessary functions.
Examples:
/* changing the default priority for a distro install */
semanage_set_default_priority(sh, 100);
/* creating module meta data */
semanage_module_info_t *modinfo = NULL;
semanage_module_info_create(sh, &modinfo);
/* filling in that data */
semanage_module_info_set_priority(
sh,
modinfo,
semanage_get_default_priority(sh));
semanage_module_info_set_name(
sh,
modinfo,
"mymodule");
semanage_module_info_set_version(
sh,
modinfo,
"0.1.2");
semanage_module_info_set_lang_ext(
sh,
modinfo,
"pp");
semanage_module_info_set_enabled(
sh,
modinfo,
-1); /* Sets enabled to default:
* If the module was already enabled/disabled
* then it will remain so after install.
* If it wasn't, then it will be enabled.
*/
/* install the module */
semanage_module_install_info(sh, modinfo, data, data_len);
/* cleanup modinfo */
semanage_module_info_destroy(sh, modinfo);
/* create a key for retrieving a module's meta data */
semanage_module_key_t *modkey = NULL;
semanage_module_key_create(sh, &modkey);
/* Only set the module name, this will find the highest
* priority module of that name.
*/
semanage_module_key_set_name(sh, modkey, "mymodule");
/* get the newly installed module */
semanage_module_get_module_info(sh, modkey, &modinfo);
/* get the priority of the module found */
uint16_t priority = 0;
semanage_module_info_get_priority(sh, modinfo, &priority);
/* set the priority in the key to the one found */
semanage_module_key_set_priority(sh, modkey, priority);
/* remove the highest priority module with the name "mymodule" */
semanage_module_remove_key(sh, modkey);
/* print all the modules installed */
semanage_module_info_t *modinfos = NULL;
int modinfos_len = 0;
semanage_module_list_all(sh, &modinfos, &modinfos_len);
char *name = NULL;
int i = 0;
for (i = 0; i < modinfos_len; i++) {
semanage_module_info_get_priority(
sh,
semanage_module_list_nth(modinfos, i),
&priority);
semanage_module_info_get_name(
sh,
semanage_module_list_nth(modinfos, i),
&name);
printf("%d\t%s\n", priority, name);
}
Signed-off-by: Chad Sellers <csellers@tresys.com>
These functions install/remove modules based on the module
info/key. The motivation for these interfaces is to provide the
additional information about a module (version, language, and enabled
status) at install time and also to separate the meta-data in
preparation for supporting source policies.
This patch combines the implementations of all the
install/remove functions to use the
semanage_direct_install_info and semanage_direct_remove_key functions.
The motivation here is to reduce the amount of duplicate installation code
(for example, semanage_direct_install and semanage_direct_install_file have
separate but similar implementations).
With this patch the transition from the old store layout to the new one
is finished. This is accomplished mostly through the modification of
install functions and semanage_get_modules_names.
Signed-off-by: Chad Sellers <csellers@tresys.com>
The base module is being moved in with the other modules so that it can
benefit from the priority framework. This patch provides a utility
function for getting the highest priority base module path.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This provides the functions for enabling/disabling modules via a
semanage_module_key_t and getting/setting module info.
Enabled/disabled status is indicated by the presence of an empty file in
the disabled directory:
/var/lib/selinux/<policy type>/disabled/<module name>
The presence of a file there indicates that the module is disabled at
all priorities. Enable/disabling of modules is done across all
priorities simultaneously to avoid confusion that would likely arise
from per priority settings.
semanage_module_get_module_info gathers up the on disk information about
a module indicated by the module key and puts the information into
module info. In order to facilitate an easy mechanism for getting the
highest priority module of a given name, the key's priority value may
be 0 and the highest priority module with the given name will be located.
semanage_direct_set_module_info is a helper function that writes module
info to disk. The unused attribute is used to suppress warnings for
compilation and is removed in the module install patch later in the
series.
semanage_module_list_all behaves similar to semanage_module_list except
it returns all modules at all priorities. semanage_module_list will only
include the highest priority, enabled, non-base modules (this is its
current behavior). See the module install patch later in the series for
the modified semanage_module_list.
Adds a helper function for creating a directory if it doesn't already
exist (used to automatically create the disabled, priority, and module
dirs).
Signed-off-by: Chad Sellers <csellers@tresys.com>
Adds priority, language ext, and enabled fields to
semanage_module_info_t.
Adds get/set functions for all semanage_module_info_t/key_t fields. This
is necessary so that semanage_module_info_t/key_t can be used in the
specifing meta data on source policies.
Adds create, destroy, and init functions for semanage_module_info_t and
semanage_module_key_t. Create initializes and allocates, destroy
deallocates fields (but not struct), and init initializes fields.
Provide several utility functions for converting a string priority to a
uint16_t and validating fields.
Adds semanage_module_get_path for getting module specific file paths.
Signed-off-by: Chad Sellers <csellers@tresys.com>
For backwards compatiblity purposes we need to provide a default
priority that the current set of module install/upgrade/remove functions
can use.
The default priority is 400.
Adds semanage_module_validate_priority so that it can be used to verify
the given priority. See next patch for other validation functions.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch moves the final files from inside
/var/lib/selinux/<store>/[active|previous|tmp] to
/var/lib/selinux/tmp/<store>. The move is done to facilitate using
source control management on the /var/lib/selinux/<store> directory. If
these files remain in /var/lib/selinux/<store> they will pose a size
problem if an SCM like git is used as we'd be storing lots of binary
diffs. We are suggesting making this change now, rather than later when
source policy, SCM, and CIL[1] support are available, to ease the
migration burden.
These are the files that have been moved:
/var/lib/selinux/<store>/active/... /var/lib/selinux/tmp/<store>/...
file_contexts contexts/files/file_contexts
file_contexts.homedirs contexts/files/file_contexts.homedirs
file_contexts.local contexts/files/file_contexts.local
netfilter_contexts contexts/netfilter_contexts
policy.kern policy/policy.<policyversion>
seusers.final seusers
The layout of these files in /var/lib/selinux/tmp/<store> is designed to
mirror their locations in /etc/selinux/<store>. This should help clarify
the relationship between these final files and the files installed in
etc.
One consequence of this move is that reverting to the previous policy
version requires a policy rebuild. Currently you can revert without
rebuilding.
[1] CIL RFC: http://marc.info/?l=selinux&m=124759244409438&w=2
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch moves the module store from /etc/selinux/<store>/modules to
/var/lib/selinux/<store>.
This move will allow for the use of a read-only /etc/selinux. Currently
that is not possible with semanage because of the lock files.
A consequence of this move is that packagers of libsemanage should
create the /var/lib/selinux directory.
Signed-off-by: Chad Sellers <csellers@tresys.com>
It is not a requirement that all file context files exists (e.g.
file_contexts.local is not mandatory). However, sefcontext_compile is
executed for all file contexts files regardless of existance, which
results in an error when they do not exist and causes policy load to
fail. This modifies libsemanage so that sefcontext_compile is only
executed on file contexts that do exist.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The %name-prefix="foo" syntax was deprecated in bison 2.3b [1], which
was released in 2006. This patches fixes the syntax to use the newer
syntax. This breaks support for older versions of bison.
[1] http://lists.gnu.org/archive/html/help-bison/2009-10/msg00018.html
Reported-by: Ilya Frolov <ilya.a.frolov@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Since booleans are only set, not added/removed, we do not need to re-link
modules when setting them. We can instead just take the existing binary
policy and mutate it for the new values.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Running "libsemanage/src/pywrap-test.py -v -F" gives following error:
Traceback (most recent call last):
File "pywrap-test.py", line 1139, in <module>
sys.exit(main())
File "pywrap-test.py", line 1121, in main
tests.run(sh)
File "pywrap-test.py", line 107, in run
self.test_writefcontext(handle)
File "pywrap-test.py", line 622, in test_writefcontext
if self.verbose: print "SEFContext type set: ", semanage.semanage_fcontext_get_type_str(fcon)
TypeError: in method 'semanage_fcontext_get_type_str', argument 1 of type 'int'
The argument of semanage_fcontext_get_type_str is the type recorded in
fcon and not fcon itself. This type can be retrieved with
semanage_fcontext_get_type.
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version. Switching to 2-component versions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In the past we wrote audit into the semanage tool chain. But if a tool like useradd
called dirreclty into libsemanage we did not get auditing. Now useradd calls directly,
so we need this patch.
Another fix in this patch is to default the login mappings MLS to the selected SELinux User.
If a caller just specified the name staff_u, then the code will look up the range of staff_u
and apply it to the mapping.
In the patch to fix a minor memory leak, I introduced a garuanteed
segfault. The point to the stack variable will never be NULL, whereas
the value on the stack will be.
Signed-off-by: Eric Paris <eparis@redhat.com>
If vork() failed we would leak the arguments created in split_args().
Reorder the function so it will hopefully be easy to read and will not
leak memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have minuid_set = 0 at the top of the function and then do a test
like:
if (!minuid_set || something)
But since minuid_set is always 0, we always call this code. Get rid of
the pointless conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right before the call to semanage_list_sort() we do some cleanup.
Including endpwent(); free(rbuf); semanage_list_destroy(&shells); If
the call to the list sort fails we will go to fail: and will do those
cleanups a second time. Whoops. Do the list sort before the generic
cleanups so the failure code isn't run after the default cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
If the strdup failed, we would return without freeing tmp_key. This is
obviously a memory leak. So free that if we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate a list of users, but we do not free that list on error.
Just keep popping and freeing them on error.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use creat to create the lock file needed later. But we never close
that fd, so it just sits around until the program exits. After we
create the file we don't need to hold onto the fd. close it.
Signed-off-by: Eric Paris <eparis@redhat.com>
If get_home_dirs() was called without usepasswd we would generate the
entire shell list, but would never use that list. We would then not
free that list when we returned the homedir_list. Instead, do not
create the list of shells until after we know it will be used.
Signed-off-by: Eric Paris <eparis@redhat.com>
