Currently the packet class in SELinux is not checked if there are no
SECMARK rules in the security or mangle netfilter tables. Similarly, the
peer class is not checked if there is no NetLabel or labeled IPSEC. Some
systems prefer that these classes are always checked, for example, to
protect the system should the netfilter rules fail to load or if the
nefilter rules were maliciously flushed.
Add the always_check_network policy capability which, when enabled, treats
these mechanisms as enabled, even if there are no labeling rules.
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
If an initial SID is missing a labeling statement, the compiler will
segfault when trying to copy the context during expand. Check for this
situation to handle it gracefully.
This fixes ocontext_copy_selinux() and ocontext_copy_xen().
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
If an initial SID is missing a labeling statement, the compiler will
segfault on the context_copy(). Move the context copy after the
switch block so that the existance of the initial SID label can be checked
before trying to copy the context.
This fixes both ocontext_copy_selinux() and ocontext_copy_xen().
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
The coveriety scanner is too stupid to realize that the strtok_r()
function initializes the saveptr variable. Since we are passing a
variable location without initializing it coveriety gets angry. Just
shut up the scanner, but nothing was wrong to start with.
Signed-off-by: Eric Paris <eparis@redhat.com>
If we have a malformed seusers entry we may not find the : proceeding
the level and would thus get a NULL. This can blow up. Check for this
error and bail gracefully. Found by coverity
Signed-off-by: Eric Paris <eparis@redhat.com>
We may want to force matchpathcon to respond if the path is question is
a dir, sockfile, chr, blk, etc. Add an option so you can force it to
hit the right rule types.
Signed-off-by: Eric Paris <eparis@redhat.com>
Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially used within libsemanage.
Signed-off-by: Eric Paris <eparis@redhat.com>
Use selinux_boolean_sub to translate the boolean name handed in by the user.
Report back the correct name of the boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Return low quality matches as well as high quality matches. Sometimes
we just want the crap with the sugar.
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate pkg-config --libs and use that to build the libselinux
python so file. We do not use it to build the libsemanage versions. We
also never use the ruby equivalent. So stop calling pkg-config
uselessly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We explicitly set the soname of the python and ruby files. We don't
need this. We are using the -o name as the soname, so just let the
toolchain do its thing. It just makes the Makefile nicer to read.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a -s option to getdefaultcon which allows one to specify the
service in question. This exposes all of the abilities of getseuser
instead of only the abilities of getseuserbyname.
Signed-off-by: Eric Paris <eparis@redhat.com>
If one were to use multiple options such as both -P and -N we would have
problems. The issue is that for some reason instead of looking at
optind (the first non-option) we were looking at argc-optind. These
happen to be the same if there are 0 or 1 options, but doesn't work with
more than 1 option.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Just cosmetic. Make them all line up the same way in case anyone ever
looks at the code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This makes semodule consistent with other commands to no reload the
policy into the kernel after the given change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix setsebool to use -N to not reload policy into the kernel optional on
permanant changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
add some definition to the standard types available for sandboxes so
users have a way to know about them and what they are intended to be
used for.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add -N, --noreload option to semanage to prevent reloading policy into
the kernel after a change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fcontext customized was not returning the customized equivalency records. This
patches fixes this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Future systems will not support html in a pygtk window as webkit is
going away. I decided to add the full set of gui tools and then remove
the one I don't want to support just in case someone wants to resurrect
this at some point.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We added new gui programs, but not Makefiles to build/install them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
These are the python files that make up the system-config-selinux gui, used to implement
most of the functionality of the semanage command line plus some configuration.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
A number of packages have a systemd subpackage. Look for those when
doing the file list of a package to generate its policy.
Signed-off-by: Eric Paris <eparis@redhat.com>
These are the tools that the Fedora team uses to build new policy. sepolgen is a
console app that will take an executable and generate policy based on the RPM
specification and using nm -D to analyze the application.
We have found it very useful for generating quick policy to get the policy writer
working quickly.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order for lxc to look up its process and file labels we add new
libselinux support. This is what we do for everything else, like
libvirt, seposgresql, etc.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Stop printing stuff on stderr when building the po translations. (I'd
leave it alone if I knew how to put it on stdout)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The Fedora community has been working to translate a number of messages.
Commit those to the tree so all SELinux users can enjoy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
.tx is the transifex configuration directory which is used to pull the
latest translations from the transifex web site.
Signed-off-by: Eric Paris <eparis@redhat.com>
Fix --enable and --disable for modules to only work under -m options.
Without this patch you couldn't do -m and --enable. We want that to
work.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
process_one_realpath returns 1 if it changed the context of the file but
process_glob treats all non-zero values as errors. This results in
setfiles exiting with non-zero status even though it was successful.
Fix process_glob to only treat negative return values of
process_one_realpath as errors.
cf. http://bugs.debian.org/662990
Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
restorecon should return 0 when a file has changed context with no
error. With the last version it's returning 1.
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662990
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
file_name trans should be good enough to handle this now, so why launch
it for every user?
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically this change stops sysloging if the change did not actually
happen.
By default we do not modify a label if the type of the SELinug context
was unchanged, but we were sending a syslog message as if something had
changed.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fixfiles restore is called by auditrelabel, and was happening early in
the boot process, before the syslog system was up and running. A bug
in systemd was causing relabels to take forever, while it waited for
the syslog's to complete. This was fixed, but I still see no reason
to write thousands/millions of lines to syslog on a badly mislabled
machine and wanted this featured turned off.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch allows us to use restorecon on MCS Separated File Systems or MLS
Environments, Basically allows a user to check his type enforcement.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you run newrole as root and it drops capabilities, the next shell
script does not have any capabilities and can not function.
newrole -L TopSecret
Would end up with a root shell and no capabilities.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Sometimes using open_init_pty isn't possible. So just call exec() if
that is the case. We no longer ship open_init_pty in Fedora or RHEL6
since it was causing more problems then it was worth. This fix makes
it optional to use the open_init_pty.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
