getpwnam_r(3) might return ERANGE in case the supplied buffer was too
short for the passwd entry. Retry with a bigger buffer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch adds CPPFLAGS to all of the Makefiles as suggested.
Signed-off-by: Cameron Williams <ckwilliams.work@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
`gcc-14` added a new `-Walloc-size` warning that makes sure that size of
an individual element matches size of a pointed type:
https://gcc.gnu.org/PR71219
`libsemanage` triggers it on `calloc()` calls where member size is used
as `1` (instead of member count):
genhomedircon.c: In function 'ignore_setup':
genhomedircon.c:152:21:
error: allocation of insufficient size '1' for type 'ignoredir_t'
{aka 'struct IgnoreDir'} with size '16' [-Werror=alloc-size]
152 | ptr = calloc(sizeof(ignoredir_t),1);
| ^
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since they are being removed, there will be nothing to install.
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The Russian translations have not been maintained and are out of
date, so remove them.
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
utilities.c:39:22: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int create_test_store() {
^
void
utilities.c:171:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int destroy_test_store() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The check_ext_changes option currently assumes that as long as the
module content is unchanged, it is safe to assume that the policy.linked
file doesn't need to be rebuilt. However, there are some additional
parameters that can affect the content of this policy file, namely:
* the disable_dontaudit and preserve_tunables flags
* the target_platform and policyvers configuration values
Include these in the checksum so that the option works correctly when
only some of these input values are changed versus the current state.
Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the sysconfig module instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
This change will allow a user to set the location of their
sysconfdir, defaulted to /etc, if they are installing into
nonstandard locations.
Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.
Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The code generated by swig triggers the following warning:
semanageswig_wrap.c:2759:24: warning: no previous prototype for ‘PyInit__semanage’ [-Wmissing-prototypes]
2759 | # define SWIG_init PyInit__semanage
| ^~~~~~~~~~~~~~~~
semanageswig_wrap.c:17772:1: note: in expansion of macro ‘SWIG_init’
17772 | SWIG_init(void) {
| ^~~~~~~~~
Ignore -Wmissing-prototypes for swig generated source files.
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The functions helper_port_validate_local_proto(), get_type(), and
get_fcontext_new() are not used, so remove them.
Signed-off-by: James Carter <jwcart2@gmail.com>
Found by typos[1].
[1]: https://github.com/crate-ci/typos
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The cleanup goto block in `semanage_direct_set_enabled()` closes the
file stream pointer fp if not NULL. Set the stream to NULL after a
manual fclose(3), even on failure.
direct_api.c: In function ‘semanage_direct_set_enabled’:
direct_api.c:2130:25: error: pointer ‘fp’ may be used after ‘fclose’ [-Werror=use-after-free]
2130 | if (fp != NULL) fclose(fp);
| ^~~~~~~~~~
direct_api.c:2092:29: note: call to ‘fclose’ here
2092 | if (fclose(fp) != 0) {
| ^~~~~~~~~~
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>From fclose(3):
Upon successful completion, 0 is returned. Otherwise, EOF is returned
and errno is set to indicate the error. In either case, any further
access (including another call to fclose()) to the stream results in
undefined behavior.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
In some circumstances, like semanage-store being on overlayfs, rename()
could fail with EXDEV - Invalid cross-device link. This is due to the
fact that overlays doesn't support rename() if source and target are not
on the same layer, e.g. in containers built from several layers. Even
though it's not atomic operation, it's better to try to copy files from
src to dst on our own in this case. Next rebuild will probably not fail
as the new directories will be on the same layer.
Fixes: https://github.com/SELinuxProject/selinux/issues/343
Reproducer:
$ cd selinux1
$ cat Dockerfile
FROM fedora:35
RUN dnf install -y selinux-policy selinux-policy-targeted
$ podman build -t localhost/selinux . --no-cache
$ cd ../selinux2
$ cat Dockerfile
FROM localhost/selinux
RUN semodule -B
$ podman build -t localhost/selinux2 . --no-cache
STEP 2/2: RUN semodule -B
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link).
semodule: Failed!
Error: error building at STEP "RUN semodule -B": error while running runtime: exit status 1
With the fix:
$ podman build -t localhost/selinux2 . --no-cache
STEP 2/2: RUN semodule -B
libsemanage.semanage_rename: Warning: rename(/var/lib/selinux/targeted/active, /var/lib/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags()
COMMIT localhost/selinux2
--> d2cfcebc1a1
Successfully tagged localhost/selinux2:latest
d2cfcebc1a1b34f1c2cd661ac18292b0612c3e5fa71d6fa1441be244da91b1af
Reported-by: Joseph Marrero Corchado <jmarrero@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
"semanage login -a" accepts whitespaces in user/group name
(e.g. users/groups from Active Directory), which may lead to issues down
the line since libsemanage doesn't expect whitespaces in
/var/lib/selinux/targeted/active/seusers and other config files.
Fixes:
Artificial but simple reproducer
# groupadd server_admins
# sed -i "s/^server_admins/server admins/" /etc/group
# semanage login -a -s staff_u %server\ admins
# semanage login -l (or "semodule -B")
libsemanage.parse_assert_ch: expected character ':', but found 'a' (/var/lib/selinux/targeted/active/seusers: 6):
%server admins:staff_u:s0-s0:c0.c1023 (No such file or directory).
libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
libsemanage.enter_ro: could not enter read-only section (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
In Fedora/RHEL's selinux-policy package we ship a pre-built SELinux
policy store in the RPMs. When updating the main policy RPM, care must
be taken to rebuild the policy using `semodule -B` if there are any
other SELinux modules installed (whether shipped via another RPM or
manually installed locally).
However, this way of shipping/managing the policy creates complications
on systems, where system files are managed by rpm-ostree (such as Fedora
CoreOS or Red Hat CoreOS), where the "package update" process is more
sophisticated.
(Disclaimer: The following is written according to my current limited
understanding of rpm-ostree and may not be entirely accurate, but the
gist of it should match the reality.)
Basically, one can think of rpm-ostree as a kind of Git for system
files. The package content is provided on a "branch", where each
"commit" represents a set of package updates layered on top of the
previous commit (i.e. it is a rolling release with some defined
package content snapshots). The user can then maintain their own branch
with additional package updates/installations/... and "rebase" it on top
of the main branch as needed. On top of that, the user can also have
additional configuration files (or modifications to existing files) in
/etc, which represent an additional layer on top of the package content.
When updating the system (i.e. rebasing on a new "commit" of the "main
branch"), the files on the running system are not touched and the new
system state is prepared under a new root directory, which is chrooted
into on the next reboot.
When an rpm-ostree system is updated, there are three moments when the
SELinux module store needs to be rebuilt to ensure that all modules are
included in the binary policy:
1. When the local RPM installations are applied on top of the base
system snapshot.
2. When local user configuartion is applied on top of that.
3. On system shutdown, to ensure that any changes in local configuration
performed since (2.) are reflected in the final new system image.
Forcing a full rebuild at each step is not optimal and in many cases is
not necessary, as the user may not have any custom modules installed.
Thus, this patch extends libsemanage to compute a checksum of the
content of all enabled modules, which is stored in the store, and adds a
flag to the libsemanage handle that instructs it to check the module
content checksum against the one from the last successful transaction
and force a full policy rebuild if they don't match.
This will allow rpm-ostree systems to potentially reduce delays when
reconciling the module store when applying updates.
I wasn't able to measure any noticeable overhead of the hash
computation, which is now added for every transaction (both before and
after this change a full policy rebuild took about 7 seconds on my test
x86 VM). With the new option check_ext_changes enabled, rebuilding a
policy store with unchanged modules took only about 0.96 seconds.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
In order to reduce exisiting and future code duplication and to avoid
some unnecessary allocations and copying, factor the compressed file
utility functions out into a separate C/header file and refactor their
interface.
Note that this change effectively removes the __fsetlocking(3) call from
semanage_load_files() - I haven't been able to figure out what purpose
it serves, but it seems pointless...
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The main goal of this move is to have the SHA-256 implementation under
libsemanage, since upcoming patches will make use of SHA-256 for a
different (but similar) purpose in libsemanage. Having the hashing code
in libsemanage will reduce code duplication and allow for easier hash
algorithm upgrade in the future.
Note that libselinux currently also contains a hash function
implementation (for yet another different purpose). This patch doesn't
make any effort to address that duplicity yet.
This patch also changes the format of the hash string printed by
semodule to include the name of the hash. The intent is to avoid
ambiguity and potential collisions when the algorithm is potentially
changed in the future.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
See: RFC 2606
foo.com seems to be privately owned.
Signed-off-by: Markus Linnala <Markus.Linnala@knowit.fi>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Do not sort empty records to avoid calling qsort(3) with a NULL pointer.
qsort(3) might be annotated with the function attribute nonnull and
UBSan then complains:
database_join.c:80:2: runtime error: null pointer passed as argument 1, which is declared to never be null
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Petr Lautrbach
Christian Göttsche
Cameron Williams
Sergei Trofimovich
James Carter
Ondrej Mosnacek
Jason Zaman
Vit Mojzis
Paul Moore
Matt Sheets
Petr Lautrbach
Markus Linnala