Commit Graph

297 Commits

Author SHA1 Message Date
Daniel J Walsh
36fe4c35ee Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Minor fixup of checkmodule man page.
Date: Mon, 03 May 2010 13:45:30 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quality Engineering is going through all commands on the system looking
for mismatches between man page/usage and actual code.

It found that checkmodule had a -d option that is unused and undocumented -h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvfC7oACgkQrlYvE4MpobNPrACg0uP02CWYPs9YcdU87jts9YqT
hMAAn2QA1UWZpGLvvU4yxStmhUU1Kg1+
=topF
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 14:44:44 -04:00
Chad Sellers
02fd1f3308 bump policycoreutils to 2.0.83 2010-06-10 16:58:04 -04:00
Chad Sellers
0750eb5114 bump libselinux to 2.0.95 2010-06-10 16:57:28 -04:00
Steve Lawrence
582fd00c7b Author: Steve Lawrence
Email: slawrence@tresys.com
Subject: Updated sandbox patch.
Date: Mon, 07 Jun 2010 17:53:41 -0400

On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/26/2010 04:06 PM, Steve Lawrence wrote:
> > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote:
> > Fixed patch that handles Spaces in homedir.
>
> > The following patch makes a few updates the the sandbox patch, though I
> > have a question:
>
> > Is the sandbox.init script needed anymore? It looks like seunshare was
> > changed to now bind mount and make private the necessary directories.
> > The only thing that seems missing is making root rshared. Also, if the
> > init script is obsolete, do the mounts also need the MS_REC flag for
> > recursive bind/private like they are mounted in the init script? e.g.
>
> The init script is needed for the xguest package/more specifically
> pam_namespace, but also needed for
> mount --make-rshared /
>
> Whether the init script belongs in policycoreutils is questionable though.
>
>
> > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL)
> > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL)
>
> We probably should add these.  Although it is not likely.
>
> > Changes the following patch makes:
>
> > sandbox.py
> > - Removes unused 'import commands'
> > - Fixes the chcon function, and replaces the deprecated os.path.walk
> >   with os.walk. I think this way is a bit easier to read too.
>
> I think chcon should be added to libselinux python bindings and then
> leave the recursive flag.  (restorecon is currently in python bindings._
>
> > - Removes the 'yum install seunshare' message. This tool is not specific
> >   to RPM based distros.
>
> People are using seunshare without X now that I have added the -M flag.
>  So I will move it from the -gui package to the base package with
> sandbox and then this should not be necessary.
> > - Remove try/except around -I include to be consistent with the -i
> >   option. If we can't include a file, then this should bail, no matter
> >   if it's being included via -i or -I.
>
> Ok, I was thinking you could list a whole bunch of files in the -I case
> and if one does not exist, allow it to continue.  But I don't really care.
> > - Fix homedir/tmpdir typo in chcon call
>
> > sandbox.init (maybe obsoleted?)
> > - Fix restart so it stops and starts
> > - unmount the bind mounts when stopped
> I doubt this will work.  Two many locks in /tmp /home
> > - Abort with failure if any mounts fail
>
> > seunshare.c
> > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only
> >   defined in the latest glibc but has been in the kernel since 2005.
> > - Simplify an if-statment. Also, I'm not sure the purpose of the
> >   strncmmp in that conditional, so maybe I've oversimplified.
> This is wrong.  The problem comes about when you mount within the same
> directory.
>
> seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home   ...
>
> seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home
>
> If you do not have the check one of the above will fail.
>
> In the first example if Homedir is mounted first,
> /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to
> mount it on /tmp.
>
> Similarly, if /tmp is mounted first in the second example.
> /tmp/sandbox/home will no longer exist.
>
> You have to check to make sure one of the directories is not included in
> the other.
>
> It seems
> >   like maybe an error should be thrown if tmpdir_s == pw_dir or
> >   homedir_s == "/tmp", but maybe I'm missing something.
>
> See above.
>
> I was blowing up because I use
>
> ~/sandbox/tmp and ~/sandbox/home for my mountpoints.

<snip>

Below is an updated patch that makes a few changes the the latest
Sandbox Patch [1]. This requires the chcon patch [2].

Changes this patch makes:

sandbox.py
- Remove unused 'import commands'
- Uses new chcon method in libselinux [2]
- Removes the 'yum install seunshare' message
- Converts an IOError to a string for printing a warning if a file
  listed in -I does not exist

sandbox.init
- Print the standard Starting/Stoping messages with the appropriate
  OK/FAIL
- Abort with failure if any mounts fail

seunshare.c
- Add the MS_REC flag during mounts to perform recursive mounts
- Define the mount flags MS_PRIVATE and MS_REC if they aren't already.
  The flags are only defined in the latest glibc but have been in the
  kernel since 2005.
- Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are
  used, it wouldn't correctly detect that tmpdir is inside homedir and
  change the mount order. This fixes that.

[1] http://marc.info/?l=selinux&m=127429948731841&w=2
[2] http://marc.info/?l=selinux&m=127594712200878&w=2

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 16:37:59 -04:00
Daniel J Walsh
d6848ea77d Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Updated sandbox patch.
Date: Wed, 19 May 2010 15:59:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fixed patch that handles Spaces in homedir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv0QyAACgkQrlYvE4MpobNBXQCgmUu92HsN5PiksOTZoGxSp0W+
1noAoKoCujFPLHduJ9BP3hrveeXvGKXO
=iqC+
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 16:35:55 -04:00
Steve Lawrence
537721089a Author: Steve Lawrence
Email: slawrence@tresys.com
Subject: Add chcon method to libselinux python bindings
Date: Mon, 7 Jun 2010 17:40:05 -0400

Adds a chcon method to the libselinux python bindings to change the
context of a file/directory tree.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 13:56:57 -04:00
Chad Sellers
8f007923dd [PATCH] Remove duplicate slashes in paths in selabel_lookup
This patch simply removes duplicate slashes (meaning "//") from
pathnames passed into selabel_lookup. It does not do a full
realpath() calculation (e.g. following symlinks, etc.), as the
client should really do that before calling into libselinux.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-02 14:47:45 -04:00
Joshua Brindle
edf1df5429 bump sepolgen to 2.0.82 2010-03-24 15:40:05 -04:00
Joshua Brindle
734f7621b8 bump libselinux to 2.0.94 2010-03-24 14:28:39 -04:00
Daniel J Walsh
7dcf27a791 Patch to context_new to set errno to EINVAL on bad values
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-24 14:15:40 -04:00
Joshua Brindle
d57ea2c2c0 reactivate attribute mapping unit test
This test must have been disabled a very long time ago, before attributes were present in the kernel policy. Since the attributes are now present this unit test should be turned back on, unless I'm missing something pretty major (it looks reasonable and is successful when run).

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-24 13:55:23 -04:00
Joshua Brindle
4bbaeeb7bb bump sepolgen to 1.0.23 2010-03-24 13:47:39 -04:00
Daniel J Walsh
6e35202e20 sepolgen unit tests fail
Patch to fix unit test.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-24 13:43:53 -04:00
Karl MacMillan
bc256454b7 Bump sepolgen to 1.0.22 2010-03-23 09:11:24 -04:00
Karl MacMillan
52f9d9f2ad Sepolgen: improve parser error recovery
Sepolgen has long not recovered from parsing errors, leading to
a blacklist of none bad modules in the source. I finally tracked
down the problem (lexer state) and this patch fixes the problem
by causing the lexer to be rebuilt on error.

Acked-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-23 09:10:20 -04:00
Eamon Walsh
386ab8df8e Typo fix in ChangeLog.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-18 18:27:07 -04:00
Joshua Brindle
e796cee3f5 bump sepolgen to 1.0.21 2010-03-18 16:52:16 -04:00
Joshua Brindle
e53b2cebf2 Merge branch 'master' of oss.tresys.com:/home/git/selinux 2010-03-18 16:38:45 -04:00
Daniel J Walsh
5af0827097 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Small patch to fix is_selinux_enabled man page.
Date: Tue, 16 Mar 2010 12:35:22 -0400
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-18 16:38:17 -04:00
Daniel J Walsh
03cd8c2d47 This patch allows audit2allow to look at all avc's since the last time the machine booted.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:36:22 -04:00
Daniel J Walsh
6688e96767 This simple patch fixes the output of sepolgen to match what Chris expects for upstream policy.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:35:27 -04:00
Eamon Walsh
0b2e0bd5d0 Bump libselinux to 2.0.93 2010-03-15 19:01:31 -04:00
Eamon Walsh
dbbd0ab903 Show strerror for security_getenforce().
Patch by Colin Waters.

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2010-03-15 19:01:31 -04:00
Eamon Walsh
70aeeb918a This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:
  ------------------------
  #
  # The specfile for database objects
  # (for SE-PostgreSQL)
  #
  # <object class> <object name> <security context>
  #
  db_database     *               system_u:object_r:sepgsql_db_t:s0

  db_schema       *.pg_catalog    system_u:obejct_r:sepgsql_sys_schema_t:s0
  db_schema       *.*             system_u:object_r:sepgsql_schema_t:s0

  db_table        *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
  db_table        *.*.*           system_u:object_r:sepgsql_table_t:s0
  ------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first match security context.

Note that hierarchy of the namespace of database objects depends on RDBMS.
So, author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we lookup an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

In the default, it tries to read a specfile which maps database objects and security
context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-15 19:01:30 -04:00
Joshua Brindle
78bc1a58bc Merge branch 'master' of oss.tresys.com:/home/git/selinux 2010-03-12 08:33:37 -05:00
Joshua Brindle
b5b2c2c2fe bump policycoreutils to 2.0.81 and sepolgen to 1.0.20 2010-03-12 08:32:38 -05:00
Daniel J Walsh
f509e1e8b9 Audit2allow generating dontaudit rules.
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>  wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>

Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.

No passing of args.

Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
2010-03-12 08:30:04 -05:00
Eamon Walsh
61d005b739 libselinux: fix avc_netlink_loop() error caused by nonblocking mode.
avc_open() creates the netlink socket in nonblocking mode.  If the
application later takes control of the netlink socket with
avc_netlink_acquire_fd() and then calls avc_netlink_loop(), it
will fail with EWOULDBLOCK.

To remedy this, remove the O_NONBLOCK flag from the netlink socket
at the start of avc_netlink_loop().  Also, with this fix, there is
no need for avc_open() to ever create a blocking socket, so change
that and update the man page.

-v2: use poll() in avc_netlink_check_nb().  This makes both
avc_netlink_loop() and avc_netlink_check_nb() independent of the
O_NONBLOCK flag.

-v3: move poll() to avc_receive() internal function; patch by
KaiGai Kohei <kaigai@kaigai.gr.jp>

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-08 18:15:53 -05:00
Joshua Brindle
a73f32c3e3 bump policycoreutils to 2.0.80 2010-03-07 10:04:24 -05:00
Joshua Brindle
e6bfff4372 bump libsemanage to 2.0.45 and libselinux to 2.0.92 2010-03-06 18:10:51 -05:00
Daniel J Walsh
7420787817 updated libselinux pkgconfig does not work correctly on lib64 machines.
On 02/24/2010 02:24 PM, Daniel J Walsh wrote:
>
Ignore the first patch it was missing pc.in files.

Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-06 18:06:43 -05:00
Joshua Brindle
d03b941136 regenerate swig wrappers 2010-03-06 17:56:25 -05:00
Joshua Brindle
c1323f22c7 fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4
- implicit declaration of semanage_module_enabled()
- added nicer error messages when disabling or enabling modules already disabled or enabled
- fix comment

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-06 17:56:25 -05:00
Daniel J Walsh
654dcb897e Last attempt at upstreaming semodule_disable patch.
This patch allows you to disable/Enable policy modules.

It never seems to get upstreamed.  :^(

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-06 17:56:24 -05:00
Daniel J Walsh
660f70f4c4 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Fix memory leak on disabled selinux machines.
Date: Wed, 24 Feb 2010 14:15:31 -0500

I think this patch originally came from Eric Paris and was updated by
others but has not been adopted yet.  Not sure why.

Always free buf on exit.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-06 17:56:24 -05:00
Daniel J Walsh
c8d100bb03 Patch to run genhomedircon without looking at /etc/passwd
I want to change the default of libsemanage to not look for home
directories in getpwent.  This patch allows you to set the flag
usepasswd=false in the semanage.conf file. and genhomedircon will only
setup the labeling of /home, /export/home and any confined users homedirs.

If this patch is not acceptable because libsemanage is being rewritten,
I would like the functionality to be added to the new libsemanage.
2010-03-06 17:56:23 -05:00
Stephen Smalley
955f8d8e28 libselinux 2.0.91 2010-02-22 15:35:02 -05:00
Stephen Smalley
070505f16f label_file.c:434: error: implicit declaration of function 'fstat'
On Mon, 2010-02-15 at 14:19 -0800, Justin Mattock wrote:
> this is new:
>
>
> make[2]: Leaving directory `/home/kernel/selinux/libselinux/include'
> make -C src install
> make[2]: Entering directory `/home/kernel/selinux/libselinux/src'
> cc -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn
> -Wmissing-format-attribute -I../include -I/usr/include -D_GNU_SOURCE
> -D_FILE_OFFSET_BITS=64   -c -o label_file.o label_file.c
> cc1: warnings being treated as errors
> label_file.c: In function 'init':
> label_file.c:434: error: implicit declaration of function 'fstat'
> label_file.c:436: error: implicit declaration of function 'S_ISREG'
> make[2]: *** [label_file.o] Error 1
> make[2]: Leaving directory `/home/kernel/selinux/libselinux/src'
> make[1]: *** [install] Error 2
> make[1]: Leaving directory `/home/kernel/selinux/libselinux'
> make: *** [install] Error 1
>
> three areas where this could of been created
> update glibc
> updated kernel
> update userspace(altohugh there was not vary many commits in the pull).

Newer glibc headers expose a failure to #include the required headers
for stat(2).  Also exposes a conflict in redefining close() in that
file.  Patch below should fix.
2010-02-22 15:32:20 -05:00
Stephen Smalley
0fc6c7762c libselinux: Only audit permissions specified by the policy
Only audit the permissions specified by the policy, excluding any
permissions specified via dontaudit or not specified via auditallow.
This only shows up when a single avc_has_perm() call is made with
multiple permissions where some of those permissions are dontaudit'd or
auditallow'd while others are not.  The corresponding kernel patch has
already been applied, see:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=b6cac5a30b325e14cda425670bb3568d3cad0aa8

Signed-off-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
2010-02-22 15:32:05 -05:00
Stephen Smalley
9a1814832b libsemanage 2.0.44 2010-02-02 15:34:16 -05:00
Stephen Smalley
0b2f9ef8f3 bzip support in libsemanage and out of memory (userspace ticket 7)
On Sun, 2010-01-24 at 21:29 +0100, Guido Trentalancia wrote:
> Hi !
>
> Has anybody had any time to look at this ticket:
> http://userspace.selinuxproject.org/trac/ticket/7 ?
>
> I have experienced the same issue and verified that the problem is actually triggered by the bzip support (as pointed out by Stephen Smalley back in August). In fact, if I use bzip-blocksize=0 in semanage.conf then the problem disappears...
>
> Otherwise with a default semanage.conf and bzip enabled, I get:
>
> libsepol.module_package_read_offsets: offset greater than file size (at 4, offset 200478 -> 8192 (No such file or directory).
> libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/base.pp. (No such file or directory).
> semodule:  Failed!
>
> I am using libsepol-2.0.41 and libsemanage-2.0.42.

Looking into this more closely, I believe this is another manifestation
of:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543915#17

which was ultimately traced down to two issues:
1) A missing offset check in libsepol (fixed in libsepol 2.0.38), and
2) A bug / lack of binary mode support in the fmemopen implementation in
glibc that was later fixed, see:
http://sourceware.org/bugzilla/show_bug.cgi?id=6544

Maybe you have the older glibc still?

Looking at the libsemanage code though, I think we could in fact avoid
any dependency on fmemopen by using the native libsepol support for
operating on a memory region via sepol_policy_file_set_mem(), ala:

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2010-02-02 15:31:28 -05:00
Chad Sellers
aafcaeb751 bump policycoreutils to 2.0.79 2010-01-26 16:56:04 -05:00
Chad Sellers
3084b9a1f9 Fix double free in newrole when it fails to exec.
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-30 16:59:48 -05:00
Joshua Brindle
32cf5d539b bump checkpolicy to 2.0.21, libselinux to 2.0.90 and sepolgen to 1.0.19 2009-11-27 15:03:02 -05:00
Manoj Srivastava
a69fb97edd exception.sh contains bashisms
Hi folks,

   The script, src/exception.sh, contains so called bashisms
 (constructs not supported by POSIX, but present as bash
 extensions). This means when trying to build on systems where /bin/sh
 is not bash, the build fails with an error. This patch uses bash to
 run exception.sh. This bug affects a significant subset of Debian and
 Debian derivative machines.

	manoj

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 14:57:44 -05:00
Joshua Brindle
48412c3930 Author: Guido Trentalancia
Email: guido@trentalancia.com
Subject: Contributed manual pages for libselinux
Date: Sat, 21 Nov 2009 20:51:17 +0100

Hello Eamon !

On Fri, 2009-11-20 at 21:42 -0500, Eamon Walsh wrote:

> Hi, thanks for doing this.  Some quick review below.

You are welcome, I suppose it was a boring task for many...

Thanks very much for reviewing the changes. And please accept my
apologies for not placing "[PATCH]" in the subject of the original post.
I had just subscribed to the list.

I left you cc address intact here...

> There is too much in matchpathcon(3) now.  It's going to need to be
> split up into different pages, perhaps the init/fini/teardown stuff in
> one page, the lookup calls in another, and the non-matchpathcon prefixed
> calls in a third page.
>
> Also, .so manpage links are needed for all the calls here.

Yes, matchpathcon is a mess. Following your guidelines, I have now
splitted the huge and messy page in several different man pages. It's
easier to consult and easier to maintain.

The first part (page) is strictly related to _init, its variant
_init_index, _fini, matchpathcon and its variant matchpathcon_index.
Nice and concise. References are provided in the "SEE ALSO" section to
the rest.

The second page describes the auxiliary lookup calls
(matchpathcon_checkmatches) and the inode associations functions
(matchpathcon_filespec_{add,destroy,eval}). The reference section points
to the main matchpathcon page.

A third page has been created for the functions that are used to set the
flags (set_matchpathcon_flags) or to configure the behaviour of the main
matchpathcon functions (set_matchpathcon_invalidcon and
set_matchpathcon_printf).

A fourth and fifth page is devoted to functions that should never had
ended up in matchpathcon (selinux_file_context_cmp and
selinux_file_context_verify in one page and selinux_lsetfilecon_default
in another one): we do not really need to save electrons needed for new
pages...

>
>
> > * print_access_vector
> >
>
> Looks good.

No modifications.

> > * security_disable
> >
>
> See the selinux.h comments for this.  It needs to be documented that
> this function can only be called at startup time.

Ok. I have stressed that now and also mentioned that after the policy
has been loaded at startup, then only "setenforce" can be used to alter
(not disable) the mode of the SELinux kernel code (for example by
placing it into "permissive" mode).

> > * security_set_boolean_list
> >
>
> a RETURN VALUE section is needed in this page, documenting at least this
> call if not the others in that page.

I have now added a "RETURN VALUE" section.

Also, to avoid confusion, I have rephrased the word "returns" in
"provides" when not strictly referring the to the return value of the
function (take for example security_get_boolean_names(), strictly
speaking the function returns an integer representing 0=success or
-1=failure, although from a conceptual point of view it also returns a
list trough modification of one of its parameters passed by reference).

Usually when an application developer looks at the "RETURN VALUE"
section it is because he/she has already planned/coded the call to the
function (and thus also the handling to parameters passed by reference)
and only needs to check for the function exit status so that it can be
handled properly at the call point.

> > * selinux_check_passwd_access
> >
>
> This is a replacement for the inconsistently named "checkPasswdAccess"
> function.  So, the existing description of checkPasswdAccess should be
> moved to this function, and checkPasswdAccess should be changed to "this
> is a deprecated alias for selinux_check_passwd_access".

Yes, I have now mentioned that checkPasswdAccess is deprecated. We are
referring to file security_compute_av.3 as the description of these two
functions lives there...

By the way, it has been pointed out that this function should not
hard-code a string. I also agree with him, there is a generic constant
for such "passwd" object class, it is defined in flask.h could be used
instead of the string, thus avoiding hard-coding and also allowing to
save a few cycles and be theoretically future-proof (if ever the name
would change, say to "password", "auth-token" or anything else).

libselinux/src/checkAccess.c.orig   2009-11-21 20:07:21.000000000
libselinux/src/checkAccess.c        2009-11-21 20:08:36.000000000
@@ -13,17 +13,12 @@ int selinux_check_passwd_access(access_v
        if (is_selinux_enabled() == 0)
                return 0;
        if (getprevcon_raw(&user_context) == 0) {
-               security_class_t passwd_class;
                struct av_decision avd;
                int retval;

-               passwd_class = string_to_security_class("passwd");
-               if (passwd_class == 0)
-                       return 0;
-
                retval = security_compute_av_raw(user_context,
                                                     user_context,
-                                                    passwd_class,
+                                                    SECCLASS_PASSWD,
                                                     requested,
                                                     &avd);

Note that the above code, should really live in the application and not
in the selinux library. It used to be like that, then for some reason it
has been introduced. Redhat's passwd and cronie are calling the library
function and thus at the moment they rely on it. But for example,
util-linux-ng has the code in it and does not call this function, as I
believe it should be. A very minor issue anyway...

> > * selinux_init_load_policy
> >
>
> A paragraph break is needed in the DESCRIPTION section before this function.

Done. I have also added a note to the already mentioned fact that after
initial policy load, SELinux cannot be anymore disabled using calls to
security_disable(3).

> > * selinux_lsetfilecon_default
> >
>
> See notes above about the matchpathcon manpage.

Yes, separate man page now.

> > * selinux_mkload_policy
> >
>
> Looks good.

No modifications.

> > * set_selinuxmnt
> >
>
> This manpage includes two static functions that are not part of the
> libselinux API (at least, not anymore) and should be removed.
>
> Also, I'm not comfortable with the description given.  Instead, use the
> comments in selinux.h, which are more accurate and verbose.
>

Please let me know if things are any better now.

I did also provide on the same day a patch for beautifying and improving
the command-line option parsing of a few utilities (a ticket had been
created by somebody). That patch provides those improvement according to
GNU-style parsing of "help" and "version" options (including long-option
variants). I think it also fixes a couple of typos here and there. Feel
free to include that patch too if you like it, so that the ticket can be
closed ! I will attach it again in another separate message: it has been
slightly modified in order to apply cleanly to the latest git snapshot.

More important, I was also thinking about fingerprinting (and
subsequently checking) the libraries with some cryptographic hash
function such as the NIST-recommended SHA2. It is beginning to be done
for security-related projects like OpenSSL, so I believe it is even more
essential for SELinux. Ever thought about anything like that ?

Best regards,

Guido

Signed-off-By: Joshua Brindle <method@manicmethod.com>
2009-11-27 14:44:41 -05:00
Guido Trentalancia
bf57d2349e Patch for Ticket #1 [1672486] (checkpolicy/checkmodule)
This patch is proposed to solve Ticket #1 [1672486] (command line
binaries should support --version and --help).

It adds handling of -h, -V and the long formats --help and --version to
all binaries (checkpolicy/checkmodule).

It also adds handling of long options for some of the available options.

Manual pages have also been updated accordingly (and a few undocumented
options have been documented).

Guido Trentalancia

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 13:39:03 -05:00
Stephen Smalley
a3ccf607a2 policycoreutils: audit2allow -l doesn't work with dmesg pipe
On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
> On Mon, 24 Aug 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
> > >>
> > >> audit2allow -l is looking for the load_policy message which does not go
> > >> to the dmesg, /var/log/messages.  Therefore the tool has no idea when
> > >> policy was last loaded.
> > >
> > > That would be a kernel bug then.
> >
> > Well I believe the messages that are intercepted by the audit.log do not go
> > into dmesg, by design. Although Steve, James or Eric could probably say for
> > sure.
>
> When auditd is not running on a Debian system with CentOS kernel
> 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
> goes to the kernel message log which is interpreted by audit2allow as a
> candidate for the "-l" functionality.
>
> It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
> gives no output.  But if all AVC messages other than the load_policy message
> go to the kernel message log then it's a bug.

Originally audit2allow used the avc: allowed message generated by
auditallow statement for load_policy to identify policy reloads.  Later
it was switched to use the MAC_POLICY_LOAD events generated by the audit
framework.  Those events should still get logged via printk if auditd is
not running, but it appears that the code (audit_printk_skb) will then
log the type= field as an integer rather than a string, and
audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.

So I suspect that this would be resolved by modifying sepolgen/audit.py
to also match on type=1403 for load messages.  Try this:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 13:33:52 -05:00
Joshua Brindle
7b9904bef3 bump libsemanage to 2.0.43 and policycoreutils to 2.0.78 2009-11-27 13:02:43 -05:00
Manoj Srivastava
a6700ba05f libsemanage: Fix the format of the NAME lines
Each manual page should start with a "NAME" section, which lists the
name and a brief description of the page separated by "\-". These
sections are parsed by "mandb" and stored in a database for the use of
"apropos" and "whatis", so they must be in a certain format. These
manual pages apparently use the wrong format and cannot be parsed by
"mandb". This commit fixes that.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 12:51:57 -05:00