Commit Graph

279 Commits

Author SHA1 Message Date
Daniel J Walsh
1629d2f89a This patch cleans up a couple of crashes caused by libselinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.

systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.

The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called.  This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-08 10:22:17 -04:00
Daniel J Walsh
5c6729b4d2 Resend: This patch causes the mount points created in load_policy to have a proper name
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/06/2011 05:10 PM, Daniel J Walsh wrote:
> "proc" and "selinuxfs"
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c14AACgkQrlYvE4MpobMC7gCglauBYIKMfBRUcQPaMGKTzYZV
udUAn3X/rgUgJ55401IVwyCHC051bGQA
=47TI
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 15:47:50 -04:00
Harry Ciao
f89d4aca9c Userspace: display the class in role_transition rule
Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Harry Ciao
6db9b74210 Userspace: handle the class in role_trans_rule
Add class support to various functions to handle role_trans_rule_t
structures.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Harry Ciao
93417dfa28 Userspace: handle the class field in role_trans struct
Add the class support to various functions that handle role_trans
structure.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Harry Ciao
e95f358e3b Userspace: role_transition parser to handle class field
Handle the class field in the role_transition rule. If no class is
specified, then it would be set to the "process" class by default.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Harry Ciao
45b2e6ec23 Userspace: add class to role_trans & role_trans_rule
Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class("process") or the
class that the newly created object belongs to.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-07 12:12:58 -04:00
Stephen Smalley
acd3b7f9f1 Bump libselinux to 2.0.101 2011-03-23 08:56:16 -04:00
KaiGai Kohei
c4737c2e32 add db_language support on label_db.c
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-03-23 08:53:13 -04:00
Eamon Walsh
44d8ff2b0f bump libselinux to 2.0.100
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2011-03-09 11:51:06 -05:00
Eamon Walsh
f0b3127ca3 Use library destructors to destroy per-thread keys.
This prevents the key destructors, intented to free per-thread
heap storage, from being called after libselinux has been unloaded.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2011-03-09 11:43:33 -05:00
Steve Lawrence
fdab2ec279 bump libselinux to 2.0.99
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-01 11:52:56 -05:00
Daniel J Walsh
6caa4cbe32 selinux man page fixes
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-01 11:50:42 -05:00
KaiGai Kohei
bc2a8f418e libselinux: add selinux_status_* interfaces for /selinux/status
The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.

selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.

Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().

It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-01 11:21:19 -05:00
Steve Lawrence
b676c84dbd bump policycoreutils to 2.0.85
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-12-20 15:13:33 -05:00
Steve Lawrence
cba027c249 Exit newrole if capabilities can't be dropped
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-12-20 15:13:33 -05:00
Daniel J Walsh
16d1c1cbe5 Move newrole to use libcap-ng
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-12-20 15:13:28 -05:00
Chad Sellers
d17ed0d90d bump checkpolicy to 2.0.23
bump libselinux to 2.0.98
bump libsepol to 2.0.42
bump libsemanage to 2.0.46

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-12-16 14:11:57 -05:00
Daniel J Walsh
7bc4ffb5df Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: I think it is time to turn off default user handling in libselinux
Date: Mon, 13 Dec 2010 13:28:01 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This patch will turn this handling off.  Meaning you will not end up
with some bizarro context and fail to login if the login program can not
figure how to log you in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0GZbEACgkQrlYvE4MpobOF7QCgsD1XYuNC6B5MyIezCZvN9mYL
UX4AoOe9GsP3bhuvMBPea9LXeV/7tCPS
=B9Pk
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-12-14 15:45:10 -05:00
Justin P. Mattock
f7dd4ca760 Author: "Justin P. Mattock"
Email: justinmattock@gmail.com
Subject: libsemanage Fix warning: parameter 'key' set but not used(and others)
Date: Tue, 6 Jul 2010 15:23:30 -0700

libsemanage produced no errors with the warnings, Im just noticing
big hunks of sections with warning messages:

database_llist.c: In function 'dbase_llist_add':
database_llist.c:150:28: warning: parameter 'key' set but not used
database_llist.c: In function 'dbase_llist_count':
database_llist.c:221:50: warning: parameter 'handle' set but not used
database_llist.c: In function 'dbase_llist_del':
database_llist.c:278:41: warning: parameter 'handle' set but not used
(and so on...)
so add the GCC attribute to quiet these warnings since most go to
NULL;

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-12-08 18:16:42 -05:00
Justin P. Mattock
033959726b Author: "Justin P. Mattock"
Email: justinmattock@gmail.com
Subject: libsepol
Date: Tue, 6 Jul 2010 15:23:29 -0700

Going through these warning messages Im getting:
(example 1 of many)
booleans.c: In function 'sepol_bool_count':
booleans.c:106:39: error: parameter 'handle' set but not used
cc1: all warnings being treated as errors

seems most of these go to NULL; Which tells me that these are here for
future use and/or need to be there for some other reason.
The biggest problem I have is Im getting errors out of these as opposed
to just a warning(-Werror) so marking the variable with a GCC
__attribute__ ((unused)) gets things going.

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-12-08 18:13:46 -05:00
Justin P. Mattock
f997295da3 Author: "Justin P. Mattock"
Email: justinmattock@gmail.com
Subject: checkpolicy Fix error: variable 'newattr' set but not used(and others as well)
Date: Tue, 6 Jul 2010 15:23:28 -0700

The below patch fixes some warning messages Im receiving
with GCC:(in this case some are erros due to -Werror)
policy_define.c: In function 'define_type':
policy_define.c:1216:6: error: variable 'newattr' set but not used
cc1: all warnings being treated as errors

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-12-08 17:55:59 -05:00
Eamon Walsh
705071c6b1 bump libselinux to 2.0.97
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-12-02 20:08:22 -05:00
Eamon Walsh
569ce54985 matchpathcon: Close selabel handle in thread destructor.
This is necessary because the handle is thread-local.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-12-02 19:30:06 -05:00
Eamon Walsh
a00fd94a46 selabel: Store substitution data in the handle instead of globally.
This is for thread safety.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-12-02 19:21:10 -05:00
Eamon Walsh
a29ff33baf Implement destructors for thread-local heap data.
Description of problem:
Use of __thread variables is great for creating a thread-safe variable, but
only insofar as the contents of that variable can safely be abandoned on
pthread_exit().  The moment you store malloc()d data into a __thread void*
variable, you have leaked memory when the thread exits, since there is no way
to associate a destructor with __thread variables.

The _only_ safe way to use thread-local caching of malloc()d data is to use
pthread_key_create, and associate a destructor that will call free() on the
resulting data when the thread exits.

libselinux is guilty of abusing __thread variables to store malloc()d data as a
form of a cache, to minimize computation by reusing earlier results from the
same thread.  As a result of this memory leak, repeated starting and stopping
of domains via libvirt can result in the OOM killer triggering, since libvirt
fires up a thread per domain, and each thread uses selinux calls such as
fgetfilecon.

Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libvirt-0.8.1-27.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
0. These steps are run as root, assuming hardware kvm support and existence of
a VM named fedora (adjust the steps below as appropriate); if desired, I can
reduce this to a simpler test case that does not rely on libvirt, by using a
single .c file that links against libselinux and repeatedly spawns threads.
1. service libvirtd stop
2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
3. virsh start fedora
4. kill $pid

Actual results:
The biggest leak reported is due to libselinux' abuse of __thread:

==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are
definitely lost in loss record 500 of 500
==26696==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==26696==    by 0x3022E0D48C: selabel_open (label.c:165)
==26696==    by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==26696==    by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==26696==    by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
==26696==    by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
==26696==    by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
==26696==    by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
==26696==    by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
==26696==    by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
==26696==    by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
==26696==    by 0x3033E75412: virDomainCreate (libvirt.c:4881)
==26696==

Basically, libvirt created a thread that used matchpathcon during 'virsh start
fedora', and matchpathcon stuffed over 800k of malloc'd data into:

static __thread char **con_array;

which are then inaccessible when libvirt exits the thread as part of shutting
down on SIGTERM.

Expected results:
valgrind should not report any memory leaks related to libselinux.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reported-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
2010-12-02 19:15:40 -05:00
Steve Lawrence
7bb6003219 bump policycoreutils to 2.0.84
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-11-16 11:23:01 -05:00
Steve Lawrence
7e0f012474 Cleanup/minor fixes to mcstrans
The majority of the patch is just handling the case of memory
allocation failures and making sure things get cleaned up correctly in
those cases.

This also moves duplicate code in parse_ebitmap() and parse_raw() into
parse_category(), and also updates the parse function to ensure the
config files are in the correct format.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-10-27 16:50:00 -04:00
Xavier Toth
c89625db93 Add mcstrans to policycoreutils
SELinux Project contribution of mcstrans. mcstrans is a userland package
specific to SELinux which allows system administrators to define
sensitivity levels and categories and provides a daemon for their
translation into human readable form. This version is a merge of Joe
Nalls git tree ( http://github.com/joenall/mcstrans) and patches
supplied by Dan Walsh and others at RedHat.

Ted

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-07-21 15:40:00 -04:00
Chad Sellers
fe19c7a6ac bump libselinux to 2.0.96 and checkpolicy to 2.0.22
Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 16:33:29 -04:00
KaiGai Kohei
6a17cfaafc Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: libselinux APIs should take "const" qualifier?
Date: Tue, 23 Mar 2010 11:56:36 +0900

(2010/03/19 22:32), Stephen Smalley wrote:
> On Fri, 2010-03-19 at 16:52 +0900, KaiGai Kohei wrote:
>> Right now, security_context_t is an alias of char *, declared in selinux.h.
>>
>> Various kind of libselinux API takes security_context_t arguments,
>> however, it is inconvenience in several situations.
>>
>> For example, the following query is parsed, then delivered to access
>> control subsystem with the security context as "const char *" cstring.
>>
>>    ALTER TABLE my_tbl SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:SystemHigh';
>>                  const char *<----    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> In this case, we want to call selinux_trans_to_raw_context() to translate
>> the given security context into raw format. But it takes security_context_t
>> argument for the source context, although this pointer is read-only.
>> In the result, compiler raises warnings because we gave "const char *" pointer
>> into functions which take security_context_t (= char *).
>>
>> Any comments?
>>
>> It seems to me the following functions' prototype should be qualified by
>> "const".
>
> That seems reasonable and should have no impact on library ABI.
> On the other hand, others have pointed out that security_context_t is
> not a properly encapsulated data type at all, and perhaps should be
> deprecated and replaced with direct use of char*/const char* throughout.
>
> There are other library API issues as well that have come up in the
> past, such as lack of adequate namespacing (with approaches put forth),
> but we don't ever seem to get a round tuit.

At first, I tried to add const qualifiers read-only security_context_t
pointers, but didn't replace them by char */const char * yet, right now.

BTW, I could find out the following code:

  int security_compute_create(security_context_t scon,
                              security_context_t tcon,
                              security_class_t tclass,
                              security_context_t * newcon)
  {
          int ret;
          security_context_t rscon = scon;
          security_context_t rtcon = tcon;
          security_context_t rnewcon;

          if (selinux_trans_to_raw_context(scon, &rscon))
                  return -1;
          if (selinux_trans_to_raw_context(tcon, &rtcon)) {
                  freecon(rscon);
                  return -1;
          }
      :

In this case, scon and tcon can be qualified by const, and the first
argument of selinux_trans_to_raw_context() can take const pointer.
But it tries to initialize rscon and tscon by const pointer, although
these are used to store raw security contexts.
The selinux_trans_to_raw_context() always set dynamically allocated
text string on the second argument, so we don't need to initialize it
anyway. I also removed these initializations in this patch.

Does the older mcstrans code could return without allocation of raw
format when the given scon is already raw format? I don't know why
these are initialized in this manner.

Thanks.
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 15:21:51 -04:00
Steve Lawrence
8867e1694f Author: Steve Lawrence
Email: slawrence@tresys.com
Subject: Minor fixup of checkmodule man page.
Date: Fri, 11 Jun 2010 15:25:58 -0400

On Mon, 2010-05-03 at 13:45 -0400, Daniel J Walsh wrote:
> Quality Engineering is going through all commands on the system looking
> for mismatches between man page/usage and actual code.
>
> It found that checkmodule had a -d option that is unused and undocumented -h

Reviewed-by: Steve Lawrence <slawrence@tresys.com>

I'd just add the long --help option to the man page for completeness:

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 14:45:46 -04:00
Daniel J Walsh
36fe4c35ee Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Minor fixup of checkmodule man page.
Date: Mon, 03 May 2010 13:45:30 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quality Engineering is going through all commands on the system looking
for mismatches between man page/usage and actual code.

It found that checkmodule had a -d option that is unused and undocumented -h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvfC7oACgkQrlYvE4MpobNPrACg0uP02CWYPs9YcdU87jts9YqT
hMAAn2QA1UWZpGLvvU4yxStmhUU1Kg1+
=topF
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 14:44:44 -04:00
Chad Sellers
02fd1f3308 bump policycoreutils to 2.0.83 2010-06-10 16:58:04 -04:00
Chad Sellers
0750eb5114 bump libselinux to 2.0.95 2010-06-10 16:57:28 -04:00
Steve Lawrence
582fd00c7b Author: Steve Lawrence
Email: slawrence@tresys.com
Subject: Updated sandbox patch.
Date: Mon, 07 Jun 2010 17:53:41 -0400

On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/26/2010 04:06 PM, Steve Lawrence wrote:
> > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote:
> > Fixed patch that handles Spaces in homedir.
>
> > The following patch makes a few updates the the sandbox patch, though I
> > have a question:
>
> > Is the sandbox.init script needed anymore? It looks like seunshare was
> > changed to now bind mount and make private the necessary directories.
> > The only thing that seems missing is making root rshared. Also, if the
> > init script is obsolete, do the mounts also need the MS_REC flag for
> > recursive bind/private like they are mounted in the init script? e.g.
>
> The init script is needed for the xguest package/more specifically
> pam_namespace, but also needed for
> mount --make-rshared /
>
> Whether the init script belongs in policycoreutils is questionable though.
>
>
> > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL)
> > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL)
>
> We probably should add these.  Although it is not likely.
>
> > Changes the following patch makes:
>
> > sandbox.py
> > - Removes unused 'import commands'
> > - Fixes the chcon function, and replaces the deprecated os.path.walk
> >   with os.walk. I think this way is a bit easier to read too.
>
> I think chcon should be added to libselinux python bindings and then
> leave the recursive flag.  (restorecon is currently in python bindings._
>
> > - Removes the 'yum install seunshare' message. This tool is not specific
> >   to RPM based distros.
>
> People are using seunshare without X now that I have added the -M flag.
>  So I will move it from the -gui package to the base package with
> sandbox and then this should not be necessary.
> > - Remove try/except around -I include to be consistent with the -i
> >   option. If we can't include a file, then this should bail, no matter
> >   if it's being included via -i or -I.
>
> Ok, I was thinking you could list a whole bunch of files in the -I case
> and if one does not exist, allow it to continue.  But I don't really care.
> > - Fix homedir/tmpdir typo in chcon call
>
> > sandbox.init (maybe obsoleted?)
> > - Fix restart so it stops and starts
> > - unmount the bind mounts when stopped
> I doubt this will work.  Two many locks in /tmp /home
> > - Abort with failure if any mounts fail
>
> > seunshare.c
> > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only
> >   defined in the latest glibc but has been in the kernel since 2005.
> > - Simplify an if-statment. Also, I'm not sure the purpose of the
> >   strncmmp in that conditional, so maybe I've oversimplified.
> This is wrong.  The problem comes about when you mount within the same
> directory.
>
> seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home   ...
>
> seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home
>
> If you do not have the check one of the above will fail.
>
> In the first example if Homedir is mounted first,
> /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to
> mount it on /tmp.
>
> Similarly, if /tmp is mounted first in the second example.
> /tmp/sandbox/home will no longer exist.
>
> You have to check to make sure one of the directories is not included in
> the other.
>
> It seems
> >   like maybe an error should be thrown if tmpdir_s == pw_dir or
> >   homedir_s == "/tmp", but maybe I'm missing something.
>
> See above.
>
> I was blowing up because I use
>
> ~/sandbox/tmp and ~/sandbox/home for my mountpoints.

<snip>

Below is an updated patch that makes a few changes the the latest
Sandbox Patch [1]. This requires the chcon patch [2].

Changes this patch makes:

sandbox.py
- Remove unused 'import commands'
- Uses new chcon method in libselinux [2]
- Removes the 'yum install seunshare' message
- Converts an IOError to a string for printing a warning if a file
  listed in -I does not exist

sandbox.init
- Print the standard Starting/Stoping messages with the appropriate
  OK/FAIL
- Abort with failure if any mounts fail

seunshare.c
- Add the MS_REC flag during mounts to perform recursive mounts
- Define the mount flags MS_PRIVATE and MS_REC if they aren't already.
  The flags are only defined in the latest glibc but have been in the
  kernel since 2005.
- Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are
  used, it wouldn't correctly detect that tmpdir is inside homedir and
  change the mount order. This fixes that.

[1] http://marc.info/?l=selinux&m=127429948731841&w=2
[2] http://marc.info/?l=selinux&m=127594712200878&w=2

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 16:37:59 -04:00
Daniel J Walsh
d6848ea77d Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Updated sandbox patch.
Date: Wed, 19 May 2010 15:59:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fixed patch that handles Spaces in homedir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv0QyAACgkQrlYvE4MpobNBXQCgmUu92HsN5PiksOTZoGxSp0W+
1noAoKoCujFPLHduJ9BP3hrveeXvGKXO
=iqC+
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 16:35:55 -04:00
Steve Lawrence
537721089a Author: Steve Lawrence
Email: slawrence@tresys.com
Subject: Add chcon method to libselinux python bindings
Date: Mon, 7 Jun 2010 17:40:05 -0400

Adds a chcon method to the libselinux python bindings to change the
context of a file/directory tree.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 13:56:57 -04:00
Chad Sellers
8f007923dd [PATCH] Remove duplicate slashes in paths in selabel_lookup
This patch simply removes duplicate slashes (meaning "//") from
pathnames passed into selabel_lookup. It does not do a full
realpath() calculation (e.g. following symlinks, etc.), as the
client should really do that before calling into libselinux.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-02 14:47:45 -04:00
Joshua Brindle
edf1df5429 bump sepolgen to 2.0.82 2010-03-24 15:40:05 -04:00
Joshua Brindle
734f7621b8 bump libselinux to 2.0.94 2010-03-24 14:28:39 -04:00
Daniel J Walsh
7dcf27a791 Patch to context_new to set errno to EINVAL on bad values
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-24 14:15:40 -04:00
Joshua Brindle
d57ea2c2c0 reactivate attribute mapping unit test
This test must have been disabled a very long time ago, before attributes were present in the kernel policy. Since the attributes are now present this unit test should be turned back on, unless I'm missing something pretty major (it looks reasonable and is successful when run).

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-24 13:55:23 -04:00
Joshua Brindle
4bbaeeb7bb bump sepolgen to 1.0.23 2010-03-24 13:47:39 -04:00
Daniel J Walsh
6e35202e20 sepolgen unit tests fail
Patch to fix unit test.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-24 13:43:53 -04:00
Karl MacMillan
bc256454b7 Bump sepolgen to 1.0.22 2010-03-23 09:11:24 -04:00
Karl MacMillan
52f9d9f2ad Sepolgen: improve parser error recovery
Sepolgen has long not recovered from parsing errors, leading to
a blacklist of none bad modules in the source. I finally tracked
down the problem (lexer state) and this patch fixes the problem
by causing the lexer to be rebuilt on error.

Acked-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-23 09:10:20 -04:00
Eamon Walsh
386ab8df8e Typo fix in ChangeLog.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-18 18:27:07 -04:00
Joshua Brindle
e796cee3f5 bump sepolgen to 1.0.21 2010-03-18 16:52:16 -04:00
Joshua Brindle
e53b2cebf2 Merge branch 'master' of oss.tresys.com:/home/git/selinux 2010-03-18 16:38:45 -04:00