Commit Graph

180 Commits

Author SHA1 Message Date
Eamon Walsh
0857e3e478 Add subdirectory .gitignore files.
These take care of executables and generated source files.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-20 21:25:55 -04:00
Eamon Walsh
c6fdb52eb7 Add top-level .gitignore file.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-20 17:25:59 -04:00
Joshua Brindle
f3c3bbd16a bump checkpolicy to 2.0.20, libsepol to 2.0.39, sepolgen to 1.0.18 2009-10-14 15:54:16 -04:00
Joshua Brindle
f830d96a48 Author: Joshua Brindle
Email: method@manicmethod.com
Subject: libsepol: Add support for multiple target OSes
Date: Tue, 13 Oct 2009 15:56:39 -0400

Paul Nuzzi wrote:
> On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote:
>> I'd rather have separate ocontext structs for each system. That way it
>> is very easy to understand which ones apply to which system and you
>> don't get a crazy out of context ocontext struct.
>>
>
> I looked into having separate ocontext structs but that would involve
> changing a lot of files making the patch much larger and more intrusive.
>
>>>    	} u;
>>>    	union {
>>>    		uint32_t sclass;	/* security class for genfs */
>>> @@ -313,6 +323,17 @@ typedef struct genfs {
>>>    #define OCON_NODE6 6		/* IPv6 nodes */
>>>    #define OCON_NUM   7
>>>
>>> +/* object context array indices for Xen */
>>> +#define OCON_ISID    0    /* initial SIDs */
>>> +#define OCON_PIRQ    1    /* physical irqs */
>>> +#define OCON_IOPORT  2    /* io ports */
>>> +#define OCON_IOMEM   3    /* io memory */
>>> +#define OCON_DEVICE  4    /* pci devices */
>>> +#define OCON_DUMMY1  5    /* reserved */
>>> +#define OCON_DUMMY2  6    /* reserved */
>>> +#define OCON_NUM     7
>>> +
>>> +
>>>
>> Should these be namespaced? What if <random other system> has io port
>> objects? You'd have to align them with each other and you have a mess of
>> keeping the numbers the same (you already do this with OCON_ISID)
>
> Variables have been namespaced and there is no more overlap with
> OCON_ISID.
>
>> Also we are relying on having the same number of OCON's which isn't good
>> I don't think. As much as I hate the policydb_compat_info (read: a lot)
>> why aren't we using that to say how many ocons a xen policy really has?
>
> OCON_NUM is now dynamically read through policydb_compat_info.
>
>
>> This is messy, why not an ocontext_selinux_free() and
>> ocontext_xen_free() (note: I realize the xen_free() one won't do
>> anything except free the ocontext_t)
>>
>
> done.
>
>>>    	len = buf[1];
>>> -	if (len != strlen(target_str)&&
>>> -	    (!alt_target_str || len != strlen(alt_target_str))) {
>>> -		ERR(fp->handle, "policydb string length %zu does not match "
>>> -		    "expected length %zu", len, strlen(target_str));
>>> +	if (len>   32) {
>>>
>> magic number 32?
>
> #defined.
>
> Thanks for your input.  Below is the updated patch for libsepol.
>

Acked-by: Joshua Brindle <method@manicmethod.com>

for the entire patchset with the following diff on top:

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 76d8ed3..e76bb1a 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -100,8 +100,8 @@ unsigned int policyvers = POLICYDB_VERSION_MAX;
 void usage(char *progname)
 {
 	printf
-	    ("usage:  %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M]"
-	     "[-c policyvers (%d-%d)] [-o output_file] [-t platform]"
+	    ("usage:  %s [-b] [-d] [-U handle_unknown (allow,deny,reject)] [-M]"
+	     "[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]"
 	     "[input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
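Review bot: the concatenated literals in the `+` lines still run options together in the printed usage: `[-M]"` is followed directly by `"[-c policyvers` and `(selinux,xen)]"` by `"[input_file]`, so the user sees `[-M][-c policyvers ...` and `...(selinux,xen)][input_file]`. Start the second and third fragments with a space (e.g. `" [-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]"`). The restored `]` after `(allow,deny,reject)` and the documented `(selinux,xen)` values are the right fix for the text itself.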

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:49:25 -04:00
pjnuzzi
6341f6a492 sepolgen: Add support for multiple target OSes
Add support to sepolgen for new Xen ocontext identifiers.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:14 -04:00
Paul Nuzzi
79d10a8f98 checkpolicy: Add support for multiple target OSes
Updated patch of checkpolicy based on input.

On Tue, 2009-09-15 at 12:37 -0400, pjnuzzi wrote:
> Add support for multiple target OSes by adding the -t target option to
> checkpolicy.  Implemented the new Xen ocontext identifiers pirqcon,
> pcidevicecon, iomemcon and ioportcon.
>
> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
>
> ---

 checkpolicy/checkpolicy.c   |   20 ++-
 checkpolicy/policy_define.c |  272 ++++++++++++++++++++++++++++++++++++++++++++
 checkpolicy/policy_define.h |    4
 checkpolicy/policy_parse.y  |   29 ++++
 checkpolicy/policy_scan.l   |   10 +
 5 files changed, 330 insertions(+), 5 deletions(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:09 -04:00
Paul Nuzzi
505c75aad7 libsepol: Add support for multiple target OSes
On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote:
> I'd rather have separate ocontext structs for each system. That way it
> is very easy to understand which ones apply to which system and you
> don't get a crazy out of context ocontext struct.
>

I looked into having separate ocontext structs but that would involve
changing a lot of files making the patch much larger and more intrusive.

> >   	} u;
> >   	union {
> >   		uint32_t sclass;	/* security class for genfs */
> > @@ -313,6 +323,17 @@ typedef struct genfs {
> >   #define OCON_NODE6 6		/* IPv6 nodes */
> >   #define OCON_NUM   7
> >
> > +/* object context array indices for Xen */
> > +#define OCON_ISID    0    /* initial SIDs */
> > +#define OCON_PIRQ    1    /* physical irqs */
> > +#define OCON_IOPORT  2    /* io ports */
> > +#define OCON_IOMEM   3    /* io memory */
> > +#define OCON_DEVICE  4    /* pci devices */
> > +#define OCON_DUMMY1  5    /* reserved */
> > +#define OCON_DUMMY2  6    /* reserved */
> > +#define OCON_NUM     7
> > +
> > +
> >
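Review bot: `+#define OCON_NUM     7` re-defines the `OCON_NUM   7` visible in the unchanged context a few lines above, and nothing in the hunk keeps the two blocks mutually exclusive, so the Xen indices silently alias the SELinux ones in the same header. Give the Xen set its own prefix (or guard the two blocks) so code built for one target cannot index the other's ocontext array; the `OCON_DUMMY1`/`OCON_DUMMY2` padding entries also suggest the array size is being forced to match rather than taken from the target's own count.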
> Should these be namespaced? What if <random other system> has io port
> objects? You'd have to align them with each other and you have a mess of
> keeping the numbers the same (you already do this with OCON_ISID)

Variables have been namespaced and there is no more overlap with
OCON_ISID.

> Also we are relying on having the same number of OCON's which isn't good
> I don't think. As much as I hate the policydb_compat_info (read: a lot)
> why aren't we using that to say how many ocons a xen policy really has?

OCON_NUM is now dynamically read through policydb_compat_info.

> This is messy, why not an ocontext_selinux_free() and
> ocontext_xen_free() (note: I realize the xen_free() one won't do
> anything except free the ocontext_t)
>

done.

> >
> >   	len = buf[1];
> > -	if (len != strlen(target_str)&&
> > -	    (!alt_target_str || len != strlen(alt_target_str))) {
> > -		ERR(fp->handle, "policydb string length %zu does not match "
> > -		    "expected length %zu", len, strlen(target_str));
> > +	if (len>  32) {
> >
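Review bot: besides the magic number raised below, the new `+	if (len>  32) {` only bounds the length from above, whereas the removed lines also rejected a length that did not match `strlen(target_str)` or `strlen(alt_target_str)`; the quoted context does not show where the string read from the file is compared with the expected target, so confirm that a short but mismatched target string is still reported, not only an over-long one. The spacing around `>` should also follow the surrounding style.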
>
> magic number 32?

#defined.

Thanks for your input.  Below is the updated patch for libsepol.

----

 libsepol/include/sepol/policydb/policydb.h |   28 ++
 libsepol/src/expand.c                      |   85 +++++++-
 libsepol/src/policydb.c                    |  295 +++++++++++++++++++++++------
 libsepol/src/policydb_internal.h           |    1
 libsepol/src/private.h                     |    4
 libsepol/src/write.c                       |   93 ++++++++-
 6 files changed, 443 insertions(+), 63 deletions(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:45:46 -04:00
Joshua Brindle
0e421afd55 bump libselinux to 2.0.87 and libsemanage to 2.0.39 2009-09-28 16:17:30 -04:00
Daniel J Walsh
00f0d550d5 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: refpolicy: nsalibselinux_utils_matchpathcon.c changes
Date: Tue, 07 Jul 2009 12:30:52 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-28 16:17:23 -04:00
Joshua Brindle
94c51ba3b1 make swigify 2009-09-28 16:17:11 -04:00
Joshua Brindle
8569b09417 This updates commit 66d0760007
This seems to work better on my system (aux-info on temp.c didn't do anything)

Also it fixes the noted Makefile issues
2009-09-28 16:17:04 -04:00
Joshua Brindle
95d8143b35 This updates commit 66d0760007
This seems to work better on my system (aux-info on temp.c didn't do anything)
2009-09-24 13:46:12 -04:00
Daniel J Walsh
66d0760007 This patch fixes the exception handling in libselinux-python bindings
On 09/16/2009 03:35 PM, Joshua Brindle wrote:
>
>
> Joshua Brindle wrote:
>>
>>
>> Daniel J Walsh wrote:
>>> What do you think of this one. Removed excess swig cruft,
>>>
>>> You need to run
>>>
>>> make swigify to generate those changes.
>>>
>>
>> Ok, looking at this now. I don't completely get how it works. I'm trying
>> to reproduce what you are doing by hand but nothing comes out of gcc:
>>
>> [root@localhost src]# echo '#include "../include/selinux/selinux.h"' >
>> temp.c
>> [root@localhost src]# gcc -c temp.c -aux-info temp.aux
>> [root@localhost src]# ls temp.*
>> temp.c temp.o
>>
>>
>> What is the purpose of the aux-info thing, and why doesn't it work on my
>> F11 machine?
>>
>> also, I'm not sure if the best place for selinuxswig_exception.i is
>> swigify or pywrap. In the swigify case it shouldn't be in the clean
>> target because if you check out the repo and do make clean; make pywrap
>> you'll get an error. (I can make these fixes, I'm just trying to figure
>> out how it all works first).
>>
>
> Oh, one more thing, should this be python specific? (E.g, should it be
> named selinuxswig_python_exception.i ?)
Changed name to selinux_python_exception.i

Works for me on F11 and F12

dwalsh@localhost$ echo '#include "../include/selinux/selinux.h"' > temp.c
dwalsh@localhost$ gcc -c temp.c -aux-info temp.aux
dwalsh@localhost$ ls temp.*
temp.aux  temp.c  temp.o

cat temp.aux
/* compiled from: . */
/* /usr/include/sys/select.h:109:NC */ extern int select (int, fd_set *, fd_set *, fd_set *, struct timeval *);
/* /usr/include/sys/select.h:121:NC */ extern int pselect (int, fd_set *, fd_set *, fd_set *, const struct timespec *, const __sigset_t *);
/* /usr/include/sys/sysmacros.h:31:NC */ extern unsigned int gnu_dev_major (long long unsigned int);
/* /usr/include/sys/sysmacros.h:34:NC */ extern unsigned int gnu_dev_minor (long long unsigned int);
/* /usr/include/sys/sysmacros.h:37:NC */ extern long long unsigned int gnu_dev_makedev (unsigned int, unsigned int);
/* ../include/selinux/selinux.h:12:NC */ extern int is_selinux_enabled (void);
/* ../include/selinux/selinux.h:14:NC */ extern int is_selinux_mls_enabled (void);
/* ../include/selinux/selinux.h:19:NC */ extern void freecon (security_context_t);
/* ../include/selinux/selinux.h:22:NC */ extern void freeconary (security_context_t *);
...

commit 38d98bd958f42ea18c9376e624d733795665ee22
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Wed Sep 16 16:51:14 2009 -0400

    Add exception code
2009-09-24 13:34:42 -04:00
Joshua Brindle
6e7e247f6c bump libsemanage to 2.0.38 and policycoreutils to 2.0.74 2009-09-16 16:59:13 -04:00
Daniel J Walsh
faff0a77c6 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: libsemanage patch
Date: Wed, 16 Sep 2009 13:27:25 -0400

Updated patch.  Need check in two places.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-16 16:56:54 -04:00
Caleb Case
71178d5669 setfiles fails to relabel if selinux not enabled
Setfiles now checks the capabilities on the mounted file systems for
'seclabel' (see setfiles/setfiles.c:723:exclude_non_seclabel_mounts) on
newer kernels (>=2.6.30 see setfiles.c:734). However the 'seclabel'
feature is not available if selinux is not enabled. The result is that
setfiles silently fails to relabel any filesystems.

The patch below removes the check for seclabel if selinux is disabled.

As an alternative maybe seclabel should be available even if selinux is
disabled? It seems that whether a fs supports security labels is
independent of selinux being enabled.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-16 11:18:18 -04:00
Manoj Srivastava
96f592422a Author: Manoj Srivastava
Email: srivasta@golden-gryphon.com
Subject: policycoreutils: The error message on forkpty() failure is not clear or useful.
Date: Sun, 23 Aug 2009 09:40:58 -0500

Hi,

        This has been reported against the Debian BTS.

        The current error message when forkpty() fails is not clear or
useful. (Arguably, the error message in the child branch could also be
improved.)  The following patch makes it indicate what went wrong.  Probably
something better than this could be devised, but this is still a lot
better than the current code.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-09-16 11:16:19 -04:00
Daniel J Walsh
c282c4024d I think I sent this patch before, it is the upgrade patch.
Basically it makes semodule -u file.pp install file.pp if it does not exist.  This matches the rpm syntax, and allows us to update/install many packages with a transaction without knowing whether the package is updated or installed.

Currently we can only do a -i which could hammer a newer version.

commit 3a5ed0fdf42200d0efd6cb1064eab91d2eb5ca52
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Mon Aug 24 11:36:41 2009 -0400

    Upgrade patch
2009-09-16 10:50:10 -04:00
Joshua Brindle
eaaafe2151 bump policycoreutils to 2.0.73 and libsemanage to 2.0.37 2009-09-04 13:26:37 -04:00
Daniel J Walsh
5aa2efb8f9 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Patch to semanage
Date: Thu, 27 Aug 2009 17:39:27 -0400

Redone to match man page and remove reload_policy.

Chad Sellers: This patch adds the dontaudit directive to semanage to enable/disable dontaudit rules in policy.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-09-04 13:20:32 -04:00
Chad Sellers
f3d9262568 Fix semanage_direct_commit() to notice disable_dontaudit
Add code to semanage_direct_commit() to notice that the disable_dontaudit
flag has been changed and rebuild the policy if so.

Currently, libsemanage doesn't notice that the disable_dontaudit flag is
set so it does not rebuild the policy. semodule got around this by calling
semanage_set_rebuild() explicitly, but libsemanage should really notice
that this has changed and rebuild appropriately.
2009-09-04 13:20:01 -04:00
Daniel J Walsh
1f60e9b7a3 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Patch to semanage
Date: Fri, 17 Jul 2009 06:10:37 -0400

Patch to semanage

Chad Sellers: I pulled this patch out of the larger patch. This patch fixes 2 small bugs in seobject.py. The first left the setrans file with the wrong permissions. The second returned a malformed dictionary from portRecords get_all method.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-09-04 13:19:31 -04:00
Daniel J Walsh
8ad29a2725 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Patch to semanage
Date: Fri, 17 Jul 2009 06:10:37 -0400

Some white space fixing in seobject.py

Chad Sellers: I pulled the whitespace patch out of the larger patch as a separate commit to make the patch more manageable.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-09-04 13:18:44 -04:00
Stephen Smalley
b07d7f45a6 policycoreutils 2.0.72 2009-09-03 11:00:42 -04:00
Stephen Smalley
cc45b9a237 restorecon and symbolic links
Based on a patch by Martin Orr.

Restore the code to compute the realpath of all but the last component
of a symlink, and relabel both the symlink and (if it exists) the target
of the symlink when a symlink is specified to restorecon.

Thus, restorecon -R /etc/init.d will restore both the /etc/init.d symlink
context and the directory tree starting from /etc/rc.d/init.d.

This fixes the restorecon /dev/stdin performed by the Debian udev init
script that was broken by policycoreutils 2.0.70.

[sds: switched use of _realpath suffix for process_one, and dropped warning
on non-existent target]

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-09-03 10:02:56 -04:00
Eamon Walsh
206e2dfe7a libselinux 2.0.86 2009-09-02 20:36:42 -04:00
Eamon Walsh
09cd8160d9 Documentation updates for the removal of refcounted SID's.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-09-02 20:36:42 -04:00
Eamon Walsh
58866dd566 The userspace AVC currently has refcounted SID's. This patch strips out
the refcounting under the following justifications:

1.  Managing the refcounts by calling sidput() and sidget() as
appropriate is a difficult and bug-prone task for users of the library.

2.  The userspace AVC doesn't currently make use of the refcounts to
reclaim unused SID's unless avc_cleanup() is explicitly called.

3.  The kernel itself no longer uses refcounting for its own SID's.

The implication of this change is that SID's (basically malloc'ed copies
of security contexts) will persist in the AVC's SID table until the next
call to avc_destroy().  This presents the potential for increased memory
usage, but in practice I don't believe this will be an issue.  ABI
compatibility is preserved: the avc_cleanup(), sidput(), and sidget()
calls are changed to no-ops.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
2009-09-02 20:36:42 -04:00
Stephen Smalley
acc3a04145 libsepol 2.0.38 2009-09-01 10:03:46 -04:00
Stephen Smalley
a0440a66c3 Unchecked input leads to integer underflow
On Mon, 2009-08-31 at 08:55 -0500, Manoj Srivastava wrote:
> On Mon, Aug 31 2009, Stephen Smalley wrote:
>
> > On Sun, 2009-08-30 at 10:19 -0500, Manoj Srivastava wrote:
> >> Hi,
> >>
> >>         This bug was discovered, and the analysis done, by Max
> >>  Kellermann. I have never been able to replicate the problem, so I can't
> >>  help debug this error.
> >>
> >>  Strace:
> >> --8<---------------cut here---------------start------------->8---
> >> brk(0x3233000)                          = 0x3233000
> >> mmap(NULL, 18446744073703178240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
> >> mmap(NULL, 18446744073703313408, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
> >> mmap(NULL, 134217728, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7fdfda316000
> >> --8<---------------cut here---------------end--------------->8---
> >>
> >> > 0xffffffffff9ec000 == 18446744073703178240 (the size of the first
> >> > large allocation).  It's also equal to -6373376.  This just looks like
> >> > an integer underflow, doesn't it?
> >>
> >> --8<---------------cut here---------------start------------->8---
> >>  Breakpoint 4, 0x00007f9bc4c05400 in mmap64 () from /lib/libc.so.6
> >>  (gdb) p $rsi
> >>  $25 = -6373376
> >>  (gdb) bt
> >>  #0  0x00007f9bc4c05400 in mmap64 () from /lib/libc.so.6
> >>  #1  0x00007f9bc4baf6bb in _int_malloc () from /lib/libc.so.6
> >>  #2  0x00007f9bc4bb0a78 in malloc () from /lib/libc.so.6
> >>  #3  0x00007f9bc5301a8e in sepol_module_package_read (mod=0xb1d170, spf=0xb202e0, verbose=0) at module.c:533
> >>  #4  0x00007f9bc4ea7838 in ?? () from /lib/libsemanage.so.1
> >>
> >>  (gdb) frame 3
> >>  #3  0x00007f9bc5301a8e in sepol_module_package_read (mod=0xb1d170, spf=0xb202e0, verbose=0) at module.c:533
> >>  533     module.c: No such file or directory.
> >>          in module.c
> >>  (gdb) p len
> >>  $26 = 18446744073703176358
> >>  (gdb) p i
> >>  $27 = 3
> >>  (gdb) p nsec
> >>  $30 = 4
> >>  (gdb) p offsets[i+1]
> >>  $28 = 8192
> >>  (gdb) p offsets[i]
> >>  $29 = 6383450
> >> --8<---------------cut here---------------end--------------->8---
> >>
> >> > line 456:
> >> > len = offsets[i + 1] - offsets[i];
> >>
> >> > Voila, integer underflow.  The function module_package_read_offsets()
> >> > reads the offsets from the input file, but does not verify them.
> >> >         off[nsec] = policy_file_length(file);
> >> > Here, the check is missing.
> >>
> >>         We should probably have:
> >> --8<---------------cut here---------------start------------->8---
> >> 	off[nsec] = policy_file_length(file);
> >>         if (off[nsec] < off[nsec-1]) {
> >> 		ERR(file->handle, "file size smaller than previous offset (at %u, "
> >> 		    "offset %zu -> %zu", nsec, off[nsec - 1],
> >> 		    off[nsec]);
> >> 		return -1;
> >> 	}
> >> --8<---------------cut here---------------end--------------->8---
> >
> > Perhaps I am missing something, but module_package_read_offsets()
> > already checks that the offsets are increasing and aborts if not.
>
>         Well, almost. It does check for most of the offsets:
> --8<---------------cut here---------------start------------->8---
>
> 406	for (i = 0; i < nsec; i++) {
> 407		off[i] = le32_to_cpu(buf[i]);
> 408		if (i && off[i] < off[i - 1]) {
> 409			ERR(file->handle, "offsets are not increasing (at %u, "
> 410			    "offset %zu -> %zu", i, off[i - 1],
> 411			    off[i]);
> 412			return -1;
> 413		}
> 414	}
> --8<---------------cut here---------------end--------------->8---
>         So far, so good.
> --8<---------------cut here---------------start------------->8---
> 415
> 416	free(buf);
> 417	off[nsec] = policy_file_length(file);
> 418	*offsets = off;
> 419	return 0;
> --8<---------------cut here---------------end--------------->8---
>
>         The problem is line 417, where there is no check; and in the
>  case reported, the file length was less than the previous offset, and
>  this resulted in a negative number passed to the memory allocator,
>  which resulted in a huge allocation request.
>
>         Above, I just propose adding a check after line 417.

Check the last offset against the file size, and ensure that we free the
buffer and offset array in the error cases.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-09-01 09:46:19 -04:00
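The offsets check the thread arrives at, as an added example in C that is not libsepol's code: a stand-alone read_offsets() models the offsets table as nsec little-endian 32-bit values, applies the existing non-decreasing check and the added file-length check, and computes a section length only after both pass. The helper functions, the four-section table and the 8192/6400000-byte file lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Read nsec little-endian 32-bit section offsets from buf and validate
 * them against file_len, the size of the whole module file.  On success
 * *offsets receives nsec + 1 entries whose last element is file_len, so
 * offsets[i + 1] - offsets[i] is a well-defined length for every section.
 * Returns 0 on success and -1 on any inconsistency (nothing allocated). */
static int read_offsets(const uint8_t *buf, size_t file_len, uint32_t nsec,
                        size_t **offsets)
{
    size_t *off;
    uint32_t i;

    /* The offsets table itself must fit inside the file. */
    if (nsec == 0 || (size_t)nsec * 4 > file_len)
        return -1;

    off = calloc((size_t)nsec + 1, sizeof(*off));
    if (!off)
        return -1;

    for (i = 0; i < nsec; i++) {
        const uint8_t *p = buf + 4 * (size_t)i;
        off[i] = (size_t)p[0] | (size_t)p[1] << 8 |
                 (size_t)p[2] << 16 | (size_t)p[3] << 24;
        /* The check the original loop already had: non-decreasing. */
        if (i && off[i] < off[i - 1]) {
            fprintf(stderr, "offsets are not increasing (at %u, "
                    "offset %zu -> %zu)\n", i, off[i - 1], off[i]);
            free(off);
            return -1;
        }
    }

    /* The check the fix adds: the sentinel (file length) must not be
     * smaller than the last real offset, or the final section length
     * underflows to a huge size_t that ends up in malloc(). */
    off[nsec] = file_len;
    if (off[nsec] < off[nsec - 1]) {
        fprintf(stderr, "file size smaller than previous offset (at %u, "
                "offset %zu -> %zu)\n", nsec, off[nsec - 1], off[nsec]);
        free(off);
        return -1;
    }

    *offsets = off;
    return 0;
}

/* Only meaningful after read_offsets() returned 0. */
static size_t section_len(const size_t *offsets, uint32_t i)
{
    return offsets[i + 1] - offsets[i];
}

/* Encode a constructed offsets table (little-endian) into out[4 * nsec]. */
static void build_table(const uint32_t *offs, uint32_t nsec, uint8_t *out)
{
    for (uint32_t i = 0; i < nsec; i++) {
        out[4 * i]     = (uint8_t)(offs[i] & 0xff);
        out[4 * i + 1] = (uint8_t)((offs[i] >> 8) & 0xff);
        out[4 * i + 2] = (uint8_t)((offs[i] >> 16) & 0xff);
        out[4 * i + 3] = (uint8_t)((offs[i] >> 24) & 0xff);
    }
}

/* Run read_offsets() on a constructed four-section table whose last
 * offset is 6383450 (the value from the gdb session above) against a
 * file of the given length.  Returns the last section's length, or -1
 * if the table was rejected.  With file_len 8192, as in the report, the
 * table is rejected instead of yielding len = 8192 - 6383450. */
long last_section_len(size_t file_len)
{
    static const uint32_t offs[4] = { 16, 1024, 4096, 6383450 };
    uint8_t table[16];
    size_t *offsets = NULL;
    long len;

    build_table(offs, 4, table);
    if (read_offsets(table, file_len, 4, &offsets) != 0)
        return -1;
    len = (long)section_len(offsets, 3);
    free(offsets);
    return len;
}

/* A table whose offsets go backwards is caught by the first check. */
int decreasing_offsets_rejected(void)
{
    static const uint32_t offs[3] = { 12, 4096, 1024 };
    uint8_t table[12];
    size_t *offsets = NULL;

    build_table(offs, 3, table);
    return read_offsets(table, 8192, 3, &offsets) == -1;
}
```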
Stephen Smalley
e376f725fc libsemanage 2.0.36 2009-08-24 15:28:42 -04:00
Stephen Smalley
c3c7ef9c65 libsemanage issue with bzip-blocksize=0 and compressed modules in store
On Mon, 2009-08-24 at 10:57 -0400, Chris PeBenito wrote:
> On Mon, 2009-08-24 at 10:04 -0400, Stephen Smalley wrote:
> > On Mon, 2009-08-24 at 09:54 -0400, Chris PeBenito wrote:
> > > I took the current release of libsemanage and added the patch to add a
> > > bzip blocksize option[1].  The modules in my store were already
> > > compressed with the stock release.  I put bzip-blocksize=0 in my
> > > semanage.conf and I do semodule -B and get:
> > >
> > > libsepol.module_package_read_offsets: wrong magic number for module
> > > package:  expected 0xf97cff8f, got 0x39685a42 (No such file or
> > > directory).
> > > libsemanage.semanage_load_module: Error while reading from module
> > > file /etc/selinux/strict/modules/tmp/modules/apm.pp. (No such file or
> > > directory).
> > > semodule:  Failed!
> > >
> > > If I do semodule -l, it will also get the magic number error.  If I
> > > remove the blocksize option, it works again.  I was able to reinsert all
> > > of the modules to get it working again with the blocksize 0 option.
> > >
> > > [1] http://userspace.selinuxproject.org/trac/changeset/ee9827000137fed2d3300124115fc1572acafe2f
> >
> > Yes, that's what I would expect.  The expectation is that either one
> > would set that option before installing the policy for the first time,
> > or that one completely re-installs the policy after setting that option.
>
> Can we have a little better handling of this case?  I don't mind
> reinstalling the policy, but the error messages aren't helpful.  In
> addition, with semodule -l being broken, I have to look into the module
> store to see what modules are installed or guess.

Seems like it is just as easy to just support pre-existing compressed
modules, see below.

Explicitly probe for the bzip2 magic string prefix and fall through to
BZ2_bzReadOpen() if the module is bzipped even if bzip-blocksize=0.
Thus bzip-blocksize=0 will prevent any further compression of
subsequently installed/updated modules, but will continue to function
with existing compressed modules.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
2009-08-24 15:26:48 -04:00
Stephen Smalley
33c961d35e policycoreutils 2.0.71 2009-08-11 10:24:16 -04:00
Stephen Smalley
b0c1077c34 Patch setfiles to only warn if add_remove fails to lstat on user initiated excludes.
On Tue, 2009-08-11 at 08:12 -0400, Daniel J Walsh wrote:
> On 08/10/2009 04:12 PM, Stephen Smalley wrote:
> > On Mon, 2009-08-10 at 16:03 -0400, Stephen Smalley wrote:
> >> On Mon, 2009-08-10 at 11:13 -0400, Daniel J Walsh wrote:
> >>> Currently in F12 if you have file systems that root can not read
> >>>
> >>> # restorecon -R -v /var/lib/libvirt/
> >>> Can't stat directory "/home/dwalsh/.gvfs", Permission denied.
> >>> Can't stat directory "/home/dwalsh/redhat", Permission denied.
> >>>
> >>> After patch
> >>>
> >>> # ./restorecon -R -v /var/lib/libvirt/
> >>
> >> But if you were to run
> >> ./restorecon -R /home/dwalsh
> >> that would try to descend into .gvfs and redhat, right?
> >>
> >> I think you want instead to ignore the lstat error if the error was
> >> permission denied and add the entry to the exclude list so that
> >> restorecon will not try to descend into it.  It is ok to exclude a
> >> directory to which you lack permission.  Try this:
> >
> > Also, why limit -e to only directories?  Why not let the user exclude
> > individual files if they choose to do so?  In which case we could drop
> > the mode test altogether, and possibly drop the lstat() call altogether?
> > Or if you truly want to warn the user about non-existent paths, then
> > take the lstat() and warning to the 'e' option processing in main()
> > instead of doing it inside of add_exclude().
> >
> I agree, let's remove the directory check and warn on non-existing files.

Does this handle it correctly for you?

Remove the directory check for the -e option and only apply the
existence test to user-specified entries.  Also ignore permission denied
errors as it is ok to exclude a directory or file to which the caller
lacks permission.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-08-11 10:19:46 -04:00
Stephen Smalley
0fb9c99a4d libsemanage 2.0.35 2009-08-05 14:13:27 -04:00
Stephen Smalley
8edc3f9730 libsemanage: do not hard link files
Remove the support for hard linking files in semanage_copy_file, as it
is unsafe and can leave the active store corrupted if something goes
wrong during the transaction.  It also can leave the installed policy
files with incorrect file modes or security contexts.

To do this safely, we would need to change all functions that write to
the sandbox files to first unlink the destination file.  This was done
in the original patch for the write_file helper but not for other cases.
It would need to be done for all functions that open.*O_CREAT or
fopen.*w on a file in the sandbox.

We also don't want this applied to the installed policy files, as they
need to be created with appropriate file modes and security contexts
that may differ from the sandbox files.  At present, the hard link
support will only affect the installed policy files when they are first
created; afterward the link() call will always fail with EEXIST since
they are not unlinked prior to installation (nor would that be safe as
it could leave the system without a policy - rename would make more
sense in that situation).  If we were to re-introduce hard link support,
we ought to use different helpers or flags for installing the policy
files than for copying the active store to the temporary sandbox to
avoid affecting both.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
2009-08-05 14:09:43 -04:00
Stephen Smalley
76412ffad6 libsemanage 2.0.34 2009-08-05 08:40:36 -04:00
Stephen Smalley
ee98270001 libsemanage: Enable configuration of bzip behavior
Allow the administrator to customize the bzip block size and "small"
flag via semanage.conf.  After applying you can add entries like these
to your /etc/selinux/semanage.conf to trade off memory vs disk space
(block size) and to trade off memory vs runtime (small):

bzip-blocksize=4
bzip-small=true

You can also disable bzip compression altogether for your module store
via:
bzip-blocksize=0

The semanage.conf entries are now validated against legal value ranges
at handle creation time.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
2009-08-05 08:33:34 -04:00
Stephen Smalley
4445704ed1 policycoreutils 2.0.70 2009-08-04 15:59:52 -04:00
Stephen Smalley
37c5c30998 setfiles: only call realpath() on user-supplied pathnames
Change setfiles/restorecon to only call realpath() on the user-supplied
pathnames prior to invoking fts_open().  This ensures that commands such
as restorecon -R /etc/init.d and (cd /etc && restorecon shadow gshadow)
will work as expected while avoiding the overhead of calling realpath()
on each file during a file tree walk.

Since we are now only acting on user-supplied pathnames, drop the
special case handling of symlinks (when a user invokes restorecon
-R /etc/init.d he truly wants it to descend /etc/rc.d/init.d).  We can
also defer allocation of the pathname buffer to libc by passing NULL
(freeing on the out path) and we can drop the redundant exclude() check
as it will now get handled on the normal path.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-08-04 15:58:38 -04:00
Joshua Brindle
1e5fdf6140 bump policycoreutils to 2.0.69 2009-07-30 22:14:16 -04:00
Daniel J Walsh
73a1f3a8f3 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Fixfiles has a bug when looking at btrfs file systems.
Date: Thu, 09 Jul 2009 16:06:58 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-07-30 21:52:30 -04:00
Stephen Smalley
6be2be0a07 policycoreutils: get setfiles to skip mounts without seclabel
On Fri, 2009-07-24 at 16:12 -0400, Stephen Smalley wrote:
> On Fri, 2009-07-17 at 10:48 -0400, Thomas Liu wrote:
> > Get setfiles to check paths for seclabel and skip them
> > if it is not supported.
> >
> > Parse /proc/mounts and add paths that do not have seclabel
> > to the exclude list.  If another path shows up that does
> > have seclabel, remove it from the exclude list, since setfiles
> > will try and when it fails it will skip it.
> >
> > Also made one of the error messages in add_exclude more
> > descriptive.
> >
> > Signed-off-by: Thomas Liu <tliu@redhat.com>
> > Signed-off-by: Dan Walsh <dwalsh@redhat.com>
> > ---
>
> Thanks, merged in policycoreutils 2.0.68.

Applied this patch on top to free the buffer allocated by getline() and
to free any removed entries from the excludeArray.  valgrind
--leak-check=full then shows no leakage.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-27 09:22:15 -04:00
Stephen Smalley
709a754bfc policycoreutils 2.0.68 2009-07-24 16:10:18 -04:00
Thomas Liu
a6a29764a6 policycoreutils: get setfiles to skip mounts without seclabel
Get setfiles to check paths for seclabel and skip them
if it is not supported.

Parse /proc/mounts and add paths that do not have seclabel
to the exclude list.  If another path shows up that does
have seclabel, remove it from the exclude list, since setfiles
will try and when it fails it will skip it.

Also made one of the error messages in add_exclude more
descriptive.

Signed-off-by: Thomas Liu <tliu@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-24 16:08:44 -04:00
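The exclusion rule from this commit, together with the SELinux-disabled caveat from Caleb Case's follow-up (71178d5669 above), as an added example in C that is not setfiles' own code: it parses constructed /proc/mounts lines, excludes mountpoints whose options lack a seclabel token, un-excludes a mountpoint when a later line for it carries seclabel, and skips the test entirely when SELinux is disabled. struct exclude_list, the function names and the sample lines are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXCLUDES 64

struct exclude_list {
    char *paths[MAX_EXCLUDES];
    size_t count;
};

/* Constructed /proc/mounts sample, not captured from a real system.  The
 * rootfs line without seclabel is followed by the real root mount with
 * it, so "/" must end up not excluded. */
static const char *const SAMPLE_MOUNTS[] = {
    "rootfs / rootfs rw 0 0",
    "/dev/sda1 / ext4 rw,relatime,seclabel 0 0",
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0",
    "selinuxfs /selinux selinuxfs rw,relatime 0 0",
    "tmpfs /dev/shm tmpfs rw,nosuid,nodev,seclabel 0 0",
    "gvfs-fuse-daemon /home/dwalsh/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user_id=500 0 0",
};

/* True if "seclabel" appears as a whole token in the comma-separated options. */
static int has_seclabel(const char *opts)
{
    while (*opts) {
        const char *end = strchr(opts, ',');
        size_t n = end ? (size_t)(end - opts) : strlen(opts);
        if (n == 8 && memcmp(opts, "seclabel", 8) == 0)
            return 1;
        if (!end)
            break;
        opts = end + 1;
    }
    return 0;
}

/* Index of path in the exclude list, or -1 if it is not excluded. */
int find_exclude(const struct exclude_list *ex, const char *path)
{
    for (size_t i = 0; i < ex->count; i++)
        if (strcmp(ex->paths[i], path) == 0)
            return (int)i;
    return -1;
}

static int add_exclude(struct exclude_list *ex, const char *path)
{
    size_t len = strlen(path) + 1;

    if (find_exclude(ex, path) >= 0)
        return 0;
    if (ex->count == MAX_EXCLUDES || !(ex->paths[ex->count] = malloc(len)))
        return -1;
    memcpy(ex->paths[ex->count++], path, len);
    return 0;
}

static void remove_exclude(struct exclude_list *ex, int idx)
{
    free(ex->paths[idx]);
    ex->paths[idx] = ex->paths[--ex->count];  /* order does not matter */
}

/* Apply one "device mountpoint fstype options dump pass" line: a mount
 * without seclabel is excluded, a later one with seclabel for the same
 * mountpoint un-excludes it.  With SELinux disabled the kernel never
 * reports seclabel, so the test is skipped rather than excluding
 * everything.  Octal escapes (\040) in paths are not decoded here.
 * Returns 0, or -1 on a malformed line or a full list. */
static int process_mount_line(struct exclude_list *ex, const char *line,
                              int selinux_enabled)
{
    char mnt[256], opts[512];
    int idx;

    if (!selinux_enabled)
        return 0;
    if (sscanf(line, "%*s %255s %*s %511s", mnt, opts) != 2)
        return -1;
    if (!has_seclabel(opts))
        return add_exclude(ex, mnt);
    idx = find_exclude(ex, mnt);
    if (idx >= 0)
        remove_exclude(ex, idx);
    return 0;
}

/* Build the exclude list from all lines; returns its size, or -1 on error. */
int build_excludes(struct exclude_list *ex, const char *const *lines,
                   size_t n, int selinux_enabled)
{
    ex->count = 0;
    for (size_t i = 0; i < n; i++)
        if (process_mount_line(ex, lines[i], selinux_enabled) != 0)
            return -1;
    return (int)ex->count;
}
```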
Stephen Smalley
919c989847 libselinux 2.0.85 2009-07-14 11:00:37 -04:00
Stephen Smalley
8c372f665d libselinux: lazy init
Revive Steve Grubb's patch for libselinux lazy init and extend it to
address not only the reading of /etc/selinux/config but also probing
for /selinux/class and reading of /selinux/mls.  This should reduce the
need for dontaudit rules for programs that link with libselinux and it
should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions
that use selinux_mnt are not localized, and it only requires stat'ing
of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as
the existence of /selinux/class will only change across a reboot with
different kernel versions.  fini_context_translations() already had a
comment saying that it was unnecessary as well.

Before:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY)  = 3
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY)  = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by:  Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
2009-07-14 10:55:34 -04:00
Stephen Smalley
1ac1ff6382 Revert Tomas Mraz's fix for freeing thread local storage in libselinux.
This reverts commit a842c9dae8.
2009-07-14 10:42:48 -04:00
Joshua Brindle
3ba84a9f7f Merge branch 'master' of jbrindle@oss.tresys.com:/home/git/selinux 2009-07-07 16:22:10 -04:00
Daniel J Walsh
834253d13a Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: libsemanage direct_api can return errors < 0.
Date: Mon, 08 Jun 2009 15:07:59 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-07-07 16:22:00 -04:00