Commit Graph

824 Commits

Author SHA1 Message Date
Sven Vermeulen
c4f415c244 libsemanage: use after free in python bindings
In python 3.2 we hit a problem where the fconext was garbage.  We didn't
see this in python 2.7.  The reason is because python3.2 would free and
reuse the memory and python 2.7 just happened to leave it alone.
Instead of using memory that python might use for something else, use
strdup() to get a local copy which we can free when we are finished with
it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 13:29:23 -04:00
Dan Walsh
4120df1c6e libsemanage: Use default semanage.conf as a fallback
If the private semanage.conf file is unreadable for some reason (usually
ENOENT) fallback to the default file.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 13:29:23 -04:00
Eric Paris
fade75f1e2 libsemanage: semanage_store: fix snprintf length argument by using asprintf
We calculated a length, allocated a space for the string, then used
snprintf to fill the array giving it a different length.  Rather than
doing all that math ourselves, just use asprintf and let libraries get
it right.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 13:29:15 -04:00
Eric Paris
a6c9140cbb libsemanage: ignore 80 column limit for readability
80 columns just suck.  Ignore it when we are only a little bit over.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
824df4b60b libselinux: additional makefile support for rubywrap
SELinux ruby bindings didn't build from the top level
the swig generated .c file wasn't gitignored
use pkg-config for ruby info like we do for python

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
30900902b1 libselinux: label_android_property whitespace cleanups
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
rpcraig
cfc492cf11 libselinux: New Android property labeling backend
This is already in the android repo.  This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.

Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
5e3171f658 libselinux: seusers: getseuser: gracefully handle NULL service
getseuser() would unconditionally check strlen on the service variable
even though it could be NULL.  Whoops.  If service is NULL we should
only match on *: entries.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
5b344c112a libselinux: seusers: remove unused lineno
The lineno variable was being incremented, but nothing was being done
with it.  Remove it.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
12e2a0f9fc libselinux: matchpathcon: bad handling of symlinks in /
The realpath_not_final() function did not properly handle symlinks in
the / directory.  The reason is because when it determined the symlink
was in the root directory it would set the resolved portion of the path
to /, it would then add a / to the end of the resolved portion, and then
append the symlink name.  The fix is to instead set the resolved portion
to "".  Thus when the '/' at the end of the resolved portion is added it
will be correct.

While I am at it, strip extraneous leading / so that //tmp returns /tmp.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
5d19b70723 libselinux: libsemanage: remove build warning when build swig c files
swig creates C files with warnings.  Turn off the warnings so the build
is clean.  We can't help the code it produces anyway...

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Eric Paris
9b3055ada5 libselinux: audit2why: silence -Wmissing-prototypes warning
The init functions are non-static but did not have a prototype
declaration.  They are called magically from python, so just declare the
prototype to silence the warning.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Dan Walsh
378dfe4d6a libselinux: avc_netlink_recieve handle EINTR
should continue to poll if it receinves an EINTR rather then exiting with an error.

This was a major bug within dbus that was causing dbus to crash it was
discussed at the time whether this is a dbus bug or an libselinux bug,
it was decided that we should fix it within libselinux.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Dan Walsh
2ca19f3f67 libselinux: asprintf return code must be checked
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Dan Walsh
ac6ab3afc0 libselinux: Fortify source now requires all code to be compiled with -O flag
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Stephen Smalley
84f6ac246f libsepol: Android/MacOS X build support
Android/MacOS X build support for libsepol.
Create a Android.mk file for Android build integration.
Introduce DARWIN ifdefs for building on MacOS X.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:15 -04:00
Adam Tkac
d21ec5a560 libsepol: prepend instead of append to filename_trans list
Currently expand_filename_trans() function use much CPU time to find
end of the state->out->filename_trans list. This is not needed because
data can be prepended instead of appended to the list.

This ends with 10% speed-up of various se* commands (semodule, setsebool).

Signed-off-by: Adam Tkac <atkac@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:15 -04:00
Eric Paris
c43f5b1d34 libsepol: cosmetic changes to make the source easier to read
strict adherense to 80 characters means that we split stuff in stupid
places.  Screw 80 characters.  Buy a bigger monitor.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:15 -04:00
Eric Paris
7a1e3e1fef libsepol: reserve policycapability for redhat testing of ptrace child
Red Hat is testing ptrace_child in the wild.  reserve this policy
capability so we don't have conflicts.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-06-28 11:21:15 -04:00
Eric Paris
f508a29446 update version of libsepol 2012-04-23 16:58:01 -04:00
Eric Paris
8720c8e576 libsepol: allocate enough space to hold filename in trans rules
There is an off by one bug in which the filename length stored with
filename_trans_rules is stored as strlen (aka, no nul) however the
code to allocate space and read the name back in from policy only
allocates len, and not the len + 1 needed to hold the nul.  Allocate
enough space for the nul.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-04-23 16:57:52 -04:00
Eric Paris
7a86fe1a3d bump version and changelog for upstream push 2012-03-28 15:44:05 -04:00
Eric Paris
aa34f19543 policycoreutils: do not fail to install if unable to make load_policy lnk file
With the switch in Fedora to unify /bin to /usr/bin the link file
created for load_policy points back at itself.  This patch causes make
to continue even if the link fails.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-03-28 15:08:52 -04:00
Eric Paris
cb9a5c40af policycoreutils: remove empty po files
et, gl, and id .po files contained no translations.  This can cause
build errors.  Delete those puppies.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-03-28 14:54:50 -04:00
Eric Paris
54a83e18e2 policycoreutils: update .po files
update policycoreutils po files.  This should hopefully make the debian
build system a little happier.

Requested-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Laurent Bigonville
a4f84109b5 libselinux: Hide unnecessarily-exported library destructors
Description: Hide unnecessarily-exported library destructors
This change was extracted from the old monolithic Debian patch.

Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Laurent Bigonville
f7a75f1761 libselinux: Do not link against python library, this is considered bad practice in debian
Do not link python module with libpython, the interpreter is already linked against it.

Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Manoj Srivastava
c124df61ae policycoreutils: Only run setfiles if we found read-write filesystems to run it on
Only run setfiles if we have a R/W filesystem

Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Laurent Bigonville
2ad5471bd3 policycoreutils: fix ftbfs with hardening flags
We are now building our packages with -Werror=format-security enabled.
The attached patch fix the FTBFS. More patch related to this could
follow.

Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Kohei KaiGai
2b5a0530e7 libselinux: security_compute_create_name(3)
I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects.  Allow
userspace to use the filename_trans rules added to policy.

Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-03-28 14:52:14 -04:00
Martin Orr
72ea5dec7c policycoreutils: Fix infinite loop with inotify on 2.6.31 kernels
With kernel 2.6.31, restorecond uses 99% of my CPU.

This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor.  If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.

With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors.  So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored.  But kernel 2.6.31 reuses the same watch
descriptor.  The kernel has been fixed to not reuse watch descriptors.
However as some kernels do reuse them, and its possible they may again,
this patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.

Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Russell Coker
38e93bad1f libsemanage: fallback-user-level
Having magic numbers in the code is a bad idea, using a macro is better.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Laurent Bigonville
e55a295b1d libsemanage: Allow to build for several ruby version
This allow to build the ruby module for both ruby 1.8 and 1.9.1 (the
way it's done for the python module)

Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:14 -04:00
Laurent Bigonville
a8a766ac9f libsemanage: do not link against libpython, this is considered bad in Debian
Do not link against libpython, the interpreter is already linked to it.
In Debian this is usually considered bad practice.

Signed-off-by: Author: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Manoj Srivastava
98455c5524 sepolgen: fix detection of policy loads
I am running into an issue with sepolgen. Debian ships more
than one version of the refpolicy, a default one, and a MLS enabled
one. So, the include files live in either
/usr/share/selinux/{default,mls}/include sepolgen (in
src/sepolgen/defaults.py) sets refpolicy_devel() to a single
location -- and thus, only one version of the security policy may be
supported. So, sepolgen-ifgen from policycoreutils can only work
with one policy, which may not be the one installed on the target
machine. Could this be made configurable, somehow? As far as I can
see, sepolgen's python library does not offer any way to set the
value. This change fixes that. Now you may set the path to look for
development headers in /etc/selinux/sepolgen.conf, in the variable
SELINUX_DEVEL_PATH. The builtin default will have it work on Debian
and fedora machines out of the box.

Signed-off-by: Laurent Bigonville bigon@debian.org
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
40b0cea919 policycoreutils: newrole: Use correct capng calls in newrole
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
c7d749efe2 libselinux: take security_deny_unknown into account
selinux_check_access() should not error on bad class or perms if the
security_deny_unkown() function return false.  If policy tells us to
allow unknown classes and perms we should respect that.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
e5a81c715f policycoreutils: Add bash-completion scripts for setsebool and semanage
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
ed5dc69dad libselinux: assert if avc_init() not called
To simplify finding why programs don't work, assert that avc_init() was
called any time avc functions are called.  This means we won't get
'random' segfaults and will instead be able to hopefully quickly
determine what we did wrong as application developers.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
1f0b5bd920 policycoreutils: seunshare: Only drop caps not the Bounding Set from seunshare
This means you can still run setuid programs, but don't need special
perms to run seunshare.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
5766295bb2 libselinux: build with either ruby 1.9 or ruby 1.8
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
dc21b09c25 libselinux: pkg-config to figure out where ruby include files are located
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
ae04ac5055 policycoreutils: mcstrans: Version should have been bumped on last check in
The previous time upstream was released, there were changes to
MCSTrans, but the version was never updated, In order for us to
release these fixes to Fedora we needed to bump the version.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
8f3207eda0 sepolgen: do not use md5 when calculating hash signatures
FIPS does not allow md5 as a valid algorithm.  Although we don't really
care about cryptographic strength since the algorithm isn't allowed to
be used at all use something strong, like sha256.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
9b796ead1a libselinux: utils: Stop separating out matchpathcon as something special
It's not special and doesn't need its own Makefile lines.  Just make it
a normal target.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
a56e91742f policycoreutils: scripts: Update Makefiles to handle /usrmove
Move everything into /usr/* and just put links from /*.  The whole /usr
thing hasn't really worked in all situations for a long long time.  Just
accept that fact and move along.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
46d294f645 libselinux: Update Makefiles to handle /usrmove
Move everything into /usr/* and just put links from /*.  The whole /usr
thing hasn't really worked in all situations for a long long time.  Just
accept that fact and move along.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
bc6a56ce20 policycoreutils: semanage: audit message to show what record(s) and item(s) have chaged
Also if the user specifies a store that is not the current store, we should not be sending audit messages.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
a0e538c208 policycoreutils: semanage: proper auditting of user changes for LSPP
semanage command was not reporting proper audit messages for the LSPP
certification.  Needed to report additional information such as prior
roles before and after update. Many other changes, were reviewed by
Steve Grubb to make sure were were doing proper auditing.

Should be reporting AUDIT_ROLE_ASSIGN instead of AUDIT_USER_ROLE_CHANGE.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Daniel P. Berrange
c9a8ff9bae libselinux: Ensure there is a prototype for 'matchpathcon_lib_destructor'
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00