Commit Graph

73 Commits

Author SHA1 Message Date
Vit Mojzis b15dff0feb python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-01-13 23:48:24 +01:00
Vit Mojzis 92e01969d0 python/semanage: empty stdout before exiting on BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe

Fixes:
   #semanage fcontext -l | egrep -q -e '^/home'
   BrokenPipeError: [Errno 32] Broken pipe
   Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
   BrokenPipeError: [Errno 32] Broken pipe

Note that the error above only appears occasionally (usually only the
first line is printed).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-01-13 23:46:57 +01:00
Topi Miettinen da3bbc31a8 semanage: handle getprotobyname() failure case
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-25 13:28:42 -04:00
Topi Miettinen f3a1614291 semanage-node.8: describe netmask
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-09 15:44:14 -04:00
Topi Miettinen dd744247de semanage bash completion: handle semanage module
List modules for bash completion of `semanage module`.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-09 15:44:07 -04:00
Petr Lautrbach 6c6f4f7687 semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.

Fixes:
    $ make test
    ...
    Ran 10 tests in 110.854s
    FAILED (failures=4)
    $ echo $?
    0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-05-13 11:11:23 +02:00
Petr Lautrbach 79f69a3ca1
python/semanage: Use ipaddress module instead of IPy
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html

seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-01 09:21:21 +02:00
Nicolas Iooss 75182f81f4 python/semanage: check rc after getting it
This issue has been found using lgtm.com:
4946f674a6/files/python/semanage/seobject.py?sort=name&dir=ASC&mode=heatmap#x5c052fffe98aee02:1

Fixes: 49706ad9f8 ("Revised Patch for local nodecon support in
semanage (was: Adding local nodecon's through semanage)")
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-22 16:40:34 -05:00
Joshua Schmidlkofer 5bbe32a7e5 python/semanage: check variable type of port before trying to split
While using Ansible's Selinux module to manage ports, I discovered
that numerical ports caused an unhandled exception in 'seobject.py'.
This appears to be a bug, and I am proposing a fix which checks the
type of the argument before operating on it.  This maintains the
original functionality in the case of a string, and acts in the same
fashion if you supply an integer.

I did not find any open bug report against the SELinux project. The
downstream bug report is here:
https://github.com/ansible/ansible/issues/60968

Signed-off-by: Joshua Schmidlkofer <joshua@joshuainnovates.us>
2019-12-10 15:21:16 -05:00
Vit Mojzis 95bcd6af03 python/semanage: Document DCCP and SCTP support
Add DCCP and SCTP protocols in semanage port man page and --help
message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-10-23 10:24:38 -04:00
Vit Mojzis 711fe60723 python/semanage: Add support for DCCP and SCTP protocols
Fixes:
   # semanage port -a -p sctp -t port_t 1234
   ValueError: Protocol udp or tcp is required
   # semanage port -d -p sctp -t port_t 1234
   ValueError: Protocol udp or tcp is required

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-10-09 09:39:04 -04:00
Vit Mojzis adcc353f6e python/semanage: fix moduleRecords.customized()
Return value of "customized" has to be iterable.

Fixes:
   "semanage export" with no modules in the system (eg. monolithic policy)
   crashes:

   Traceback (most recent call last):
     File "/usr/sbin/semanage", line 970, in <module>
       do_parser()
     File "/usr/sbin/semanage", line 949, in do_parser
       args.func(args)
     File "/usr/sbin/semanage", line 771, in handleExport
       for c in OBJECT.customized():
   TypeError: 'NoneType' object is not iterable

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-10-01 14:04:03 -04:00
Vit Mojzis 3a9b4505bf python/semanage: Improve handling of "permissive" statements
- Add "customized" method to permissiveRecords which is than used for
  "semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
  "semanage export"
- Update "semanage permissive" man page

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-10-01 14:03:55 -04:00
Petr Lautrbach 68fbb6b0a0 python/semanage: Do not use default s0 range in "semanage login -a"
Using the "s0" default means that new login mappings are always added with "s0"
range instead of the range of SELinux user.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-09-26 08:32:10 -04:00
Nicolas Iooss b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Aleksei Nikiforov 26462e101f Update man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-05-28 07:50:34 -04:00
Petr Lautrbach f46b64fccb semanage/semanage-boolean.8: Fix a minor typo
boolan -> boolean

Reported-by: Bogdan BOTEZ <bmbogdan@gmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-04-30 17:49:00 +02:00
Petr Lautrbach 1952be65dc Switch to python3 by default
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched python3
- Users with python 2 only can still use:

$ make PYTHON=/usr/bin/python ....

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Petr Lautrbach 3b868abd2e Always use /usr/bin/python3 in Python scripts
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Petr Lautrbach 60a9285786
python/semanage module: Fix handling of -a/-e/-d/-r options
Previous code traceback-ed when one of the mentioned option was used without
any argument as this state was not handled by the argument parser.

action='store' stores arguments as a list while the original
action='store_const' used str therefore it's needed to convert list to str
before it's sent to moduleRecords class.

Fixes:
^_^ semanage module -a
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 963, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 942, in do_parser
    args.func(args)
  File "/usr/sbin/semanage", line 608, in handleModule
    OBJECT.add(args.module_name, args.priority)
  File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add
    if not os.path.exists(file):
  File "/usr/lib64/python3.7/genericpath.py", line 19, in exists
    os.stat(path)
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:15 +01:00
Petr Lautrbach f9ba759d15
python/semanage: Update semanage to use python3
semanage uses seobject which uses setools which is python 3 only.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:15 +01:00
Petr Lautrbach f9dbd6e83c
python/semanage: Drop python shebang from seobject.py
seobject.py is not supposed to be used as entrypoint therefore the shebang is
unnecessary. It also doesn't need execute bits.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:14 +01:00
Petr Lautrbach 9b848852a7
python/semanage: Use standard argparse.error() method in handlePermissive
This method prints a usage message including the message to the standard error
and terminates the program with a status code of 2.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-10 17:06:09 +01:00
Vit Mojzis 259ab083fa
python/semanage/seobject: Fix listing boolean values
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).

Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).

Fixes:
    # dnf install selinux-policy-mls
    # cat > mypolicy.cil
    (boolean xyz false)

    # semodule -i mypolicy.cil -s mls

    # semanage boolean -l -S mls
    ...
    irssi_use_full_network         (off  ,  off)  Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
    mozilla_plugin_use_bluejeans   (off  ,  off)  Allow mozilla plugin to use Bluejeans.
    OSError: No such file or directory

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-06 21:20:12 +01:00
Dan Walsh 6ded76aa06
python/semanage: Examples are no longer in the main semanage man page
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-04 22:11:26 +01:00
Nicolas Iooss f906ae66a4
python: use == or != when comparing a variable with a string or a integer
Flake8 3.7.0 added a new fatal error message when parsing Python files:

    python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
    python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
    ...
    python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals

Fix all these warnings.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-31 20:57:23 +01:00
Aleksei Nikiforov 0445e65d83 Allow installing translated man pages
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Aleksei Nikiforov e3e3873de7 Add man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Nicolas Iooss fbc7248ffa python/semanage: explain why sepolicy is imported in a function
Importing modules inside functions is quite uncommon in Python. This is
nevertheless required with sepolicy because it loads the current SELinux
policy when it is imported (and raises ValueError when this fails).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Petr Lautrbach 2d825c616d
python/semanage: Load a store policy and set the store SELinux policy root
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.

With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.

Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:49:46 +01:00
Petr Lautrbach e718c2ab77
python/semanage: import sepolicy only when it's needed
Related:
https://github.com/SELinuxProject/selinux/issues/81

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:48:18 +01:00
Petr Lautrbach a73b0bba1a
python/semanage: move valid_types initialisations to class constructors
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>

Fixes:
$ sudo semanage
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 28, in <module>
    import seobject
  File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
    valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
    return ({
  File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
    for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'

https://github.com/SELinuxProject/selinux/issues/81

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:47:49 +01:00
Nicolas Iooss 16e3953a76
python/semanage: do not show "None" levels when using a non-MLS policy
When MLS is disabled, "semanage export" shows records such as:

    login -a -s sysadm_u -r 'None' me

Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-15 10:02:46 +01:00
Vit Mojzis 9cb9b18b17
python/semanage: Start exporting "ibendport" and "ibpkey" entries
Include "ibendport" and "ibpkey" entries in "semanage export".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:09:08 +01:00
Vit Mojzis 73135989de
python/semanage: Include MCS/MLS range when exporting local customizations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:08:53 +01:00
Vit Mojzis a3be73bea4
python: replace aliases with corresponding type names
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.

Fixes e.g.:

\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */

Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 458, in transition
    mytrans = setrans(args.source, args.target)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
    self._process(self.source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
    trans = _get_trans(source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
    src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
2018-11-10 17:26:13 +01:00
Vit Mojzis 48aeea9ce6
python/semanage: Stop rejecting aliases in semanage commands
Resolves:

\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined

\# seinfo -tsvirt_sandbox_file_t -x
   TypeName container_file_t
   Aliases
      svirt_sandbox_file_t
      svirt_lxc_file_t

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:55 +02:00
Nicolas Iooss c5389c7c45
semanage: add a missing space in ibendport help
Currently, in:

    # semanage ibendport --help
    usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE
    -z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE(
    port ) | --deleteall  | --extract  | --list -C | --modify -t TYPE -z
    IBDEV_NAME -r RANGE ( port ) ]

... a space is missing between "RANGE" and "( port )" in the usage of
--delete. Add it by splitting the string correctly in the usage line
definition.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:51 +02:00
Nicolas Iooss 7dd66ea49a
semanage: "semanage user" does not use -s, fix documentation
Both "semanage user --help" and "man 8 semanage-user" state that
"semanage user" accepts option -s, but this is incorrect: -s is not
needed to specify the SELinux user on the command line, contrary to
"semanage login" for example. Fix the documention.

While at it, remove many spaces from the helptext of option --roles. I
do not know where they came from, but they were reduced to a single
space when displayed anyway.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:44 +02:00
Nicolas Iooss f6e7613bd3
python/semanage: fix Python syntax of catching several exceptions
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:

      File "./python/semanage/seobject.py", line 143
        except OSError, ImportError:
                      ^
    SyntaxError: invalid syntax

The correct syntax consists in using parentheses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-06 22:06:48 +02:00
Vit Mojzis b12e246739 python/semanage: Replace bare except with specific one
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-07-14 18:00:25 +02:00
Vit Mojzis cf8eed5431 python/semanage: Fix logger class definition
Test if audit module is enabled so that logger class is defined
correctly.

Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-07-14 17:59:56 +02:00
Yuri Chornoivan f032946cf9 Fix minor typos
Signed-off-by: Yuri Chornoivan <yurchor@ukr.net>
2018-06-30 20:28:25 +02:00
Vit Mojzis 5e33a44c66 python/semanage: Stop logging loginRecords changes
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-06-26 09:53:16 -04:00
Vit Mojzis 9a9b0e9d61 python/semanage/seobject.py: Fix undefined store check
self.store is always a string (actual store name or "") because of
semanageRecords.__init__. Fix check for not defined store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-05-08 08:13:24 -04:00
Lee Stubbs e4348941ee Minor update for bash completion. Bash completion for ports is missing '-' for type. Based on documentation, it should be --type, not -type. 2018-02-26 09:33:19 -05:00
Marcus Folkesson 88a6216ddb python: build: move modules from platform-specific to platform-shared
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson 11aaf180ef python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Vit Mojzis 2f26c1db5d python/semanage: Remove redundant and broken moduleRecords.modify()
moduleRecords.modify() calls nonexistent function
semanage_module_update_file (maybe it should have been
semanage_module_upgrade_file which is now obsolete and calls
semanage_module_install_file) and the job of updating a module is done
by moduleRecords.add().

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-01-16 09:23:40 -05:00
Petr Lautrbach 653b393f42 python/semanage: bring semanageRecords.set_reload back
It's used by third parties, e.g. Ansible modules

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-01-16 09:07:05 -05:00