The secure_mode_policyload Boolean labeling statement was lost moving the
statement to the proper place in the policy.conf/base.conf.
Fix this for all other labeling statements too.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Also do not supply the policy path, it is ignored since at least 2008
(13cd4c8960).
/usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).
Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.
Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.
Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This will allow user definitions in modules to work for monolithic policies
and base module.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
During normal m4 parsing, m4 outputs a blank line for each define() call. This results in the first roughly 500 lines of the .tmp files for each module being largely blank lines. Adding divert() calls to the m4 generation for generated_definitions redirects this output, so the beginning of the actual policy appears near the top of the .tmp files.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Allow class sets , e.g. defined in policy/support/obj_perm_sets.spt, to
be used in default_* statements in the file policy/context_defaults
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
fc_sort is the only/last build tool that requires a C compiler
Re-implement it in python, so that gcc dependencies can be dropped
The output of the C and the python version differ slightly in the order of equally specific file contexts
old:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/opt/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
/usr/.* system_u:object_r:usr_t
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/run/.* <<none>>
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
new:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
/opt/.* system_u:object_r:usr_t
/run/.* <<none>>
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Before this commit, "make -j2" would execute twice at the same time the rules
written to build tmp/all_post.conf because these rules were applied every time
tmp/all_post.conf, tmp/all_attrs_types.conf and tmp/only_te_rules.conf needed
to be built. However, executing twice in parallel such line is buggy:
$(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> \
tmpdir)/all_post.conf
This is why "make" reports following error for parallel builds:
Compiling refpolicy-patched base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te":710:ERROR 'syntax error' at token
'fs_use_trans' on line 26520:
fs_use_trans devtmpfs system_u:object_r:device_t:s0;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
This commit fixes this bug by splitting the rules in 3 different targets, in
both monolithic and modular builds.
Chris PeBenito
Christian Göttsche
Richard Haines
Chris PeBenito
Topi Miettinen
Daniel Burgener
Daniel Jurgens
Chris PeBenito
Nicolas Iooss