The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter. A new token type for filesystem names is
created since these names having nothing to do with SELinux.
This patch is needed because some filesystem names (such as 9p) start
with a digit.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This wraps the filename token in quotes to make parsing easier and more
clear. The quotes are stripped off before being passed to checkpolicy.
The quote wrapping is only used by filename transitions. This changes
the filename transition syntax to the following:
type_transition source target : object default_type "filename";
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
currently policy will not build if I define a module as 1
policy_module(dan,1) Fails
policy_module(dan,1.0) works
The attached patch makes the first one work.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When writing the roletrans rules, rules are dropped when not supported,
but the number of rules is not decreased. This sets the number of
elements to the actual number of rules that will be written.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Although the role trans code had support to handle the kernel policy
when the version was less that roletrans such support was not in the
module read/write code. This patch adds proper support for role trans
in modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds libsepol support for filename_trans rules. These rules
allow one to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add man pages for selinux_raw_context_to_color(5), selinux_colors_path(3) and secolors.conf(5).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
mcstransd: Now selects the range color for a matching 'range' entry in secolor.conf file, and not the first range to pass the dominance check.
The second patch has the man pages to support the colour functions that match how mcstransd manages colour selection.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The idea is to allow distributions to ship a subs file as well as let
the user modify subs.
In F16 we are looking at shipping a
file_contexts.subs_dist file like this
cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib
The we will remove all (64)? from policy.
This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6
QT0An0ihA60di9CRsEqEdVbSaHOwtte5
=LXgd
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.
systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.
The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called. This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add class support to various functions to handle role_trans_rule_t
structures.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add the class support to various functions that handle role_trans
structure.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Handle the class field in the role_transition rule. If no class is
specified, then it would be set to the "process" class by default.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class("process") or the
class that the newly created object belongs to.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This prevents the key destructors, intented to free per-thread
heap storage, from being called after libselinux has been unloaded.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.
selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.
Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().
It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Email: dwalsh@redhat.com
Subject: I think it is time to turn off default user handling in libselinux
Date: Mon, 13 Dec 2010 13:28:01 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch will turn this handling off. Meaning you will not end up
with some bizarro context and fail to login if the login program can not
figure how to log you in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0GZbEACgkQrlYvE4MpobOF7QCgsD1XYuNC6B5MyIezCZvN9mYL
UX4AoOe9GsP3bhuvMBPea9LXeV/7tCPS
=B9Pk
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: justinmattock@gmail.com
Subject: libsemanage Fix warning: parameter 'key' set but not used(and others)
Date: Tue, 6 Jul 2010 15:23:30 -0700
libsemanage produced no errors with the warnings, Im just noticing
big hunks of sections with warning messages:
database_llist.c: In function 'dbase_llist_add':
database_llist.c:150:28: warning: parameter 'key' set but not used
database_llist.c: In function 'dbase_llist_count':
database_llist.c:221:50: warning: parameter 'handle' set but not used
database_llist.c: In function 'dbase_llist_del':
database_llist.c:278:41: warning: parameter 'handle' set but not used
(and so on...)
so add the GCC attribute to quiet these warnings since most go to
NULL;
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: justinmattock@gmail.com
Subject: libsepol
Date: Tue, 6 Jul 2010 15:23:29 -0700
Going through these warning messages Im getting:
(example 1 of many)
booleans.c: In function 'sepol_bool_count':
booleans.c:106:39: error: parameter 'handle' set but not used
cc1: all warnings being treated as errors
seems most of these go to NULL; Which tells me that these are here for
future use and/or need to be there for some other reason.
The biggest problem I have is Im getting errors out of these as opposed
to just a warning(-Werror) so marking the variable with a GCC
__attribute__ ((unused)) gets things going.
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: justinmattock@gmail.com
Subject: checkpolicy Fix error: variable 'newattr' set but not used(and others as well)
Date: Tue, 6 Jul 2010 15:23:28 -0700
The below patch fixes some warning messages Im receiving
with GCC:(in this case some are erros due to -Werror)
policy_define.c: In function 'define_type':
policy_define.c:1216:6: error: variable 'newattr' set but not used
cc1: all warnings being treated as errors
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Description of problem:
Use of __thread variables is great for creating a thread-safe variable, but
only insofar as the contents of that variable can safely be abandoned on
pthread_exit(). The moment you store malloc()d data into a __thread void*
variable, you have leaked memory when the thread exits, since there is no way
to associate a destructor with __thread variables.
The _only_ safe way to use thread-local caching of malloc()d data is to use
pthread_key_create, and associate a destructor that will call free() on the
resulting data when the thread exits.
libselinux is guilty of abusing __thread variables to store malloc()d data as a
form of a cache, to minimize computation by reusing earlier results from the
same thread. As a result of this memory leak, repeated starting and stopping
of domains via libvirt can result in the OOM killer triggering, since libvirt
fires up a thread per domain, and each thread uses selinux calls such as
fgetfilecon.
Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libvirt-0.8.1-27.el6.x86_64
How reproducible:
100%
Steps to Reproduce:
0. These steps are run as root, assuming hardware kvm support and existence of
a VM named fedora (adjust the steps below as appropriate); if desired, I can
reduce this to a simpler test case that does not rely on libvirt, by using a
single .c file that links against libselinux and repeatedly spawns threads.
1. service libvirtd stop
2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
3. virsh start fedora
4. kill $pid
Actual results:
The biggest leak reported is due to libselinux' abuse of __thread:
==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are
definitely lost in loss record 500 of 500
==26696== at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==26696== by 0x3022E0D48C: selabel_open (label.c:165)
==26696== by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==26696== by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==26696== by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
==26696== by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
==26696== by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
==26696== by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
==26696== by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
==26696== by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
==26696== by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
==26696== by 0x3033E75412: virDomainCreate (libvirt.c:4881)
==26696==
Basically, libvirt created a thread that used matchpathcon during 'virsh start
fedora', and matchpathcon stuffed over 800k of malloc'd data into:
static __thread char **con_array;
which are then inaccessible when libvirt exits the thread as part of shutting
down on SIGTERM.
Expected results:
valgrind should not report any memory leaks related to libselinux.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reported-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
The majority of the patch is just handling the case of memory
allocation failures and making sure things get cleaned up correctly in
those cases.
This also moves duplicate code in parse_ebitmap() and parse_raw() into
parse_category(), and also updates the parse function to ensure the
config files are in the correct format.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
SELinux Project contribution of mcstrans. mcstrans is a userland package
specific to SELinux which allows system administrators to define
sensitivity levels and categories and provides a daemon for their
translation into human readable form. This version is a merge of Joe
Nalls git tree ( http://github.com/joenall/mcstrans) and patches
supplied by Dan Walsh and others at RedHat.
Ted
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Email: kaigai@ak.jp.nec.com
Subject: libselinux APIs should take "const" qualifier?
Date: Tue, 23 Mar 2010 11:56:36 +0900
(2010/03/19 22:32), Stephen Smalley wrote:
> On Fri, 2010-03-19 at 16:52 +0900, KaiGai Kohei wrote:
>> Right now, security_context_t is an alias of char *, declared in selinux.h.
>>
>> Various kind of libselinux API takes security_context_t arguments,
>> however, it is inconvenience in several situations.
>>
>> For example, the following query is parsed, then delivered to access
>> control subsystem with the security context as "const char *" cstring.
>>
>> ALTER TABLE my_tbl SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:SystemHigh';
>> const char *<---- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> In this case, we want to call selinux_trans_to_raw_context() to translate
>> the given security context into raw format. But it takes security_context_t
>> argument for the source context, although this pointer is read-only.
>> In the result, compiler raises warnings because we gave "const char *" pointer
>> into functions which take security_context_t (= char *).
>>
>> Any comments?
>>
>> It seems to me the following functions' prototype should be qualified by
>> "const".
>
> That seems reasonable and should have no impact on library ABI.
> On the other hand, others have pointed out that security_context_t is
> not a properly encapsulated data type at all, and perhaps should be
> deprecated and replaced with direct use of char*/const char* throughout.
>
> There are other library API issues as well that have come up in the
> past, such as lack of adequate namespacing (with approaches put forth),
> but we don't ever seem to get a round tuit.
At first, I tried to add const qualifiers read-only security_context_t
pointers, but didn't replace them by char */const char * yet, right now.
BTW, I could find out the following code:
int security_compute_create(security_context_t scon,
security_context_t tcon,
security_class_t tclass,
security_context_t * newcon)
{
int ret;
security_context_t rscon = scon;
security_context_t rtcon = tcon;
security_context_t rnewcon;
if (selinux_trans_to_raw_context(scon, &rscon))
return -1;
if (selinux_trans_to_raw_context(tcon, &rtcon)) {
freecon(rscon);
return -1;
}
:
In this case, scon and tcon can be qualified by const, and the first
argument of selinux_trans_to_raw_context() can take const pointer.
But it tries to initialize rscon and tscon by const pointer, although
these are used to store raw security contexts.
The selinux_trans_to_raw_context() always set dynamically allocated
text string on the second argument, so we don't need to initialize it
anyway. I also removed these initializations in this patch.
Does the older mcstrans code could return without allocation of raw
format when the given scon is already raw format? I don't know why
these are initialized in this manner.
Thanks.
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: slawrence@tresys.com
Subject: Minor fixup of checkmodule man page.
Date: Fri, 11 Jun 2010 15:25:58 -0400
On Mon, 2010-05-03 at 13:45 -0400, Daniel J Walsh wrote:
> Quality Engineering is going through all commands on the system looking
> for mismatches between man page/usage and actual code.
>
> It found that checkmodule had a -d option that is unused and undocumented -h
Reviewed-by: Steve Lawrence <slawrence@tresys.com>
I'd just add the long --help option to the man page for completeness:
Signed-off-by: Chad Sellers <csellers@tresys.com>
