Commit Graph

79 Commits

Author SHA1 Message Date
Christian Göttsche 3bb507efa6 Fix several misspellings
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito d41607c714 Move user definitions to the right place during compilation.
This will allow user definitions in modules to work for monolithic policies
and base module.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-16 10:52:39 -04:00
Christian Göttsche cdfd85c35b Correct some misspellings
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-05 15:38:43 +02:00
Chris PeBenito a229fb0e39 genhomedircon: Drop Python 2 compatibility code.
Python 2 is end-of-life.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-05-13 16:12:53 -04:00
Topi Miettinen 4e1979a66b
gennetfilter: add rules for ICMP/ICMPv6 packets
Generate rules for SECMARKing ICMP and ICMPv6 packets as
icmp_packet_t.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-22 17:03:28 +03:00
Chris PeBenito 1311c7e3b7
Merge pull request #229 from topimiettinen/gennetfilter-nft
gennetfilter: generate nft tables with --nft
2020-04-16 17:19:13 -04:00
Topi Miettinen 758d626ef8 gennetfilter: handle port ranges
Don't ignore port ranges. For example:
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
can be used to generate:
base -A selinux_new_input -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_input -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_output -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0
base -A selinux_new_output -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 17:06:08 -04:00
Topi Miettinen 25f29bcfa4
gennetfilter: generate nft tables with --nft
Optionally generate Netfilter NFT tables. Sample output:

```#!/usr/sbin/nft -f
flush ruleset
table inet security {
        secmark default_input_packet {
                "system_u:object_r:server_packet_t:s0"
        }
        secmark default_output_packet {
                "system_u:object_r:client_packet_t:s0"
        }
        secmark afs_bos_input {
                "system_u:object_r:afs_bos_server_packet_t:s0"
        }
        secmark afs_bos_output {
                "system_u:object_r:afs_bos_client_packet_t:s0"
        }
...
        chain INPUT {
                type filter hook input priority 0; policy accept;
                ct state new meta secmark set "default_input_packet"
                ct state new udp dport 7007 meta secmark set "afs_bos_input"
...
                ct state new ct secmark set meta secmark
                ct state established,related meta secmark set ct secmark
        }
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
                ct state new meta secmark set "default_output_packet"
                ct state new udp dport 7007 meta secmark set "afs_bos_output"
...
                ct state new ct secmark set meta secmark
                ct state established,related meta secmark set ct secmark
        }
}
```

The labels are applied to TCP and/or UDP as needed. MCS and MLS are
not really handled.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 23:46:02 +03:00
Topi Miettinen fb120dd8df
Python string fix
Use raw string constants to avoid errors from python3.8:
    NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
                         ^
SyntaxError: invalid escape sequence \(

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 13:04:30 +03:00
Nicolas Iooss 73f9c0c4ef Vagrant: allow VirtualBox provisionning to use dhclient and ip
When provisioning a Debian test virtual machine with VirtualBox (using
the main Vagrantfile), vagrant runs commands dhclient and ip from a ssh
session because of this directive:

    debian.vm.network "private_network", type: "dhcp"

This triggers:

    type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for
    pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:dhcpc_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749426.820:68):
    proctitle=2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D
    7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661
    722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D
    49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468
    31

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
    pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
    pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749427.868:69):
    proctitle=6970002D34006164647200666C757368006465760065746831006C61
    62656C0065746831

Handle this by adding attribute vagrant_provisioning_cmd_type to the
relevant domains, in the policy module specific to the Vagrant test
environments.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:45:18 +01:00
Nicolas Iooss 7317bd64c0
Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:17:36 +01:00
Chris PeBenito 0bfd1387ac Remove incorrect usages of "is" operator from Python scripts.
Closes #128

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:12:53 -05:00
Chris PeBenito dffe3df251 fc_sort.py: Use "==" for comparing integers.
"is" is for testing two references are the same object.  The fact that this
worked is specific to the Python implementation.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-08 15:45:27 -04:00
Christian Göttsche 16af31d5a1 re-implement fc_sort in python
fc_sort is the only/last build tool that requires a C compiler

Re-implement it in python, so that gcc dependencies can be dropped

The output of the C and the python version differ slightly in the order of equally specific file contexts

old:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /opt/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
    /usr/.*		system_u:object_r:usr_t
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /run/.*		<<none>>
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t

new:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t
    /opt/.*		system_u:object_r:usr_t
    /run/.*		<<none>>
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /usr/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
2019-10-06 00:11:30 +02:00
Christian Göttsche 67a27c2738 segenxml.py: fix format usage in warning message 2019-10-01 20:38:58 +02:00
Ondrej Mosnacek cd77bbc1ed Fix find commands in Makefiles
Without this fix, building a custom module in a directory that contains
a file with special characters in its name (e.g. '(') triggers a syntax
error:

$ cat >foo.te <<EOF
module foo 1.0;
require {
	class file entrypoint;
	type shell_exec_t;
	type vmtools_unconfined_t;
}
allow vmtools_unconfined_t shell_exec_t : file entrypoint;
EOF
$ touch "my broken (file)"
$ make -f /usr/share/selinux/devel/Makefile foo.pp
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `find anaconda-ks.cfg my broken (file) vncserver.strace systemd.strace rhel-server-7.6-x86_64-boot.iso rt_minimal.c vnc.cil foo.te rsyslog tmp virt-install.log evil_banner.sh livemedia.log program.log foo.if rhel7-minimal.ks TestZip.java TestZip.class foo.fc sudoloop foo.pp strace.log -maxdepth 0 -type d'

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1692676
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-22 09:00:23 +02:00
Chris PeBenito 0af99256c6 genhomedircon.py: Fix top-level exception handling.
Fixes errors like this:

Traceback (most recent call last):
  File "support/genhomedircon.py", line 490, in <module>
    errorExit("Options Error " + error)
TypeError: Can't convert 'GetoptError' object to str implicitly

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-15 09:41:49 -04:00
David Sugar 8e18a55457 Update CUSTOM_BUILDOPT
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Sven Vermeulen 744482a3e6 Update segenxml to include support for templated booleans and tunables
The segenxml tool is used to generate documentation regarding the policy
definitions. Its output is an XML file that contains the in-line
comments associated with boolean generation as well as interface
definitions.

With booleans also generated inside templates, this information was
(until now) ignored. Templates such as apache's apache_content_template
which created new booleans were not properly documented, as the
in-template comments were ignored.

In this patch, we will go over module code first and seek template
calls. When a template call is matched, the module code is updated
(expanded) with the template content (while substituting the arguments
to get a proper code listing). Only after all templates have been
expanded we seek the necessary boolean definitions.

Changes since v2:
- Fix BOOLEAN statements to match backtick (`) and tick (') usages as
  well
- Fix match for arguments to also include multiple entries ( { ... } )

Changes since v1:
- Also apply the regexp on BOOLEAN to allow generating templated
  boolean/tunable documentation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Sven Vermeulen 9d8bb4eb93 Add gentemplates.sh to extract template content
Some of the templates in the reference policy generate new booleans and
tunables, based on the $1, $2, ... parameters passed on. To allow
segenxml, which generates the necessary documentation on booleans, to
keep track of template-generated booleans as well, we need to allow it
to substitute template calls with the actual template content.

The gentemplates.sh script is a helper script that will extract template
code and store it as files (one file per template). These files are then
later on used by the segenxml tool.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Chris PeBenito ef6e79a082 Switch all remaining Python references to the Python 3 interpreter. 2018-05-31 17:41:59 -04:00
William Roberts 65620e0f94 fc_sort: use calloc instead of malloc
Rather than using malloc to allocated nodes and setting all the fields,
just use calloc.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-10-18 19:26:36 -07:00
Adam Duskett 6c9cc47e6c fix regex escape sequence error.
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py.  This patch fixes these errors by turning the string
in the into a raw string.
2017-10-10 18:00:30 -04:00
Guido Trentalancia 5490639ac9 fc_sort: memory leakages
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).

Some NULL pointer checks with or without associated error
reporting.

Some white space and comment formatting fixes.

Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).

Reverts 7821eb6f37 as such
trick is no longer needed, given that all memory leakages
have now been fixed.

This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.

For reference, the original issue reported by the Cland
static analyzer is as follows:

support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
            malloc(sizeof(file_context_bucket_t));

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
2017-10-04 19:29:47 -04:00
Luis A. Lozano cd20f0ba9f Avoid memory leak warning.
Using the LLVM static analyzer, we get a warning about leaked memory
pointed by bcurrent. Since the warning happens within "main" and we
don't care about deallocating the memory and just call "exit" which
gets rid of the warning.
2017-09-05 16:20:44 -07:00
David Sugar f8a4b8e28b Strip spaces from NAME
Strip trailing space(s) from 'NAME' being read from /etc/selinux/config as a trailing space in that name will cause a weird error during the make process for modules built out of tree.  This is seen on current RedHat machines which have space in the 'SELINUXTYPE' variable.
2017-08-31 21:19:32 -04:00
Guido Trentalancia 89b53fafa9 fc_sort: avoid compiler warning/error
Fix a "-Werror=implicit-fallthrough" compiler warning/error on
the switch statement.

This third version (v3) fixes a bug introduced in the first
version and improves the style over the second version.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
2017-06-07 19:13:28 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Nicolas Iooss 82e7e4e638
Use raw strings in regular expressions
Python 3.6 complains about the strings which are used as regular
expression in the support scripts:

    File "support/segenxml.py", line 37
        INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
                              ^
    SyntaxError: invalid escape sequence \s
2017-04-08 12:29:07 +02:00
cgzones 33fd9ae139 fix travis and genhomedircon 2017-03-18 18:38:20 +01:00
cgzones 3b3e6f75d3 travis: run make xml, html and install(-.*)? targets 2017-03-18 15:35:15 +01:00
cgzones 82b0a6d4d5 convert build scripts to python3 2017-03-15 02:09:20 +01:00
cgzones d3462090d5 m4 errprint: add __program__ info 2017-03-08 17:16:27 +01:00
Chris PeBenito 4c16ca2d66 Only display the WERROR notice if there actually are errors. 2017-02-18 13:59:33 -05:00
Chris PeBenito dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
cgzones d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Chris PeBenito 2035047958 Merge pull request #43 from williamcroberts/google-patch
fc_sort: cleanup warnings caught by clang tidy / static analyzer.
2016-10-19 18:37:25 -04:00
Rahul Chaudhry 0412d1ace4 fc_sort: cleanup warnings caught by clang tidy / static analyzer.
Value stored to 'i' is never read.
Variable 'j' is never used.
2016-10-19 13:29:20 -07:00
Sean Placchetti 71f96eb3c4 Update specfile
Minor tweaks to specfile
2016-10-17 07:37:51 -04:00
Sean Placchetti 502463589e Update to refpolicy spec file
Missing forwardslash
2016-10-11 15:35:07 -04:00
William Roberts cb4491c19e fc_sort: strip whitespace errors
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 08:41:32 -08:00
Chris PeBenito bf0cfe940a Add systemd build option. 2015-10-20 15:01:23 -04:00
Nicolas Iooss ad2d828797 Create tmp directory when compiling a .mod.fc file in a modular way
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.

Add the missing command to create tmp/ when running tmp/%.mod.fc target.

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
2014-12-02 09:26:54 -05:00
Chris PeBenito 5b2a2998b8 Need the __future__ import for python2 if using print(). 2014-05-13 09:39:00 -04:00
Nicolas Iooss 1c8c76c927 Make support/policyvers.py compatible with Python 3
Add parenthesis around print statement, like in other Python scripts.
2014-05-13 08:18:46 -04:00
Nicolas Iooss aa3fa6d2fd fc_sort: make outfile argument optional
When working on fc_sort to try to understand why using /usr/s?bin/... file
contexts has been reported not to work properly [1], I found it frustrating not
to be able to do "tmp/fc_sort my_filecontexts.fc" and see the result printed on
the screen.  This patch implements this behavior by making optional the second
argument of fc_sort.

[1] commit 36e2216f8 of contrib repository,
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f82192660d063012e69281f27ba20864b
2014-04-04 15:50:57 -04:00
Nicolas Iooss 572c617c91 fc_sort: initialize allocated memory to fix execution on an empty file
When running fc_sort on an empty context file, this program uses uninitialized
pointers when accessing to the elements of a list.  On my system, it goes in a
very long loop (maybe infinite) because uninitialized fields in malloc'ed
structures happen to contain valid pointers in the heap.

This patch fixes this bug by initializing ->next and ->data fields before they
may be read.
2014-04-04 15:47:36 -04:00
Nicolas Iooss eedc944a54 fc_sort: fix typos in comments 2014-04-04 15:47:36 -04:00
Chris PeBenito 0656a81019 Fix support/policyvers.py not to error if building policy on a SELinux-disabled system. 2013-09-23 14:26:32 -04:00
Chris PeBenito 3bf7fd504c Use python libselinux bindings to determine policy version.
This eliminates the hardcoded /selinux in Rules.monolithic, which
broke when the filesystem mount was moved to /sys/fs/selinux.
2013-06-06 09:27:40 -04:00