In python 3.2 we hit a problem where the fconext was garbage. We didn't
see this in python 2.7. The reason is because python3.2 would free and
reuse the memory and python 2.7 just happened to leave it alone.
Instead of using memory that python might use for something else, use
strdup() to get a local copy which we can free when we are finished with
it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If the private semanage.conf file is unreadable for some reason (usually
ENOENT) fallback to the default file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We calculated a length, allocated a space for the string, then used
snprintf to fill the array giving it a different length. Rather than
doing all that math ourselves, just use asprintf and let libraries get
it right.
Signed-off-by: Eric Paris <eparis@redhat.com>
SELinux ruby bindings didn't build from the top level
the swig generated .c file wasn't gitignored
use pkg-config for ruby info like we do for python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is already in the android repo. This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
getseuser() would unconditionally check strlen on the service variable
even though it could be NULL. Whoops. If service is NULL we should
only match on *: entries.
Signed-off-by: Eric Paris <eparis@redhat.com>
The realpath_not_final() function did not properly handle symlinks in
the / directory. The reason is because when it determined the symlink
was in the root directory it would set the resolved portion of the path
to /, it would then add a / to the end of the resolved portion, and then
append the symlink name. The fix is to instead set the resolved portion
to "". Thus when the '/' at the end of the resolved portion is added it
will be correct.
While I am at it, strip extraneous leading / so that //tmp returns /tmp.
Signed-off-by: Eric Paris <eparis@redhat.com>
swig creates C files with warnings. Turn off the warnings so the build
is clean. We can't help the code it produces anyway...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The init functions are non-static but did not have a prototype
declaration. They are called magically from python, so just declare the
prototype to silence the warning.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
should continue to poll if it receinves an EINTR rather then exiting with an error.
This was a major bug within dbus that was causing dbus to crash it was
discussed at the time whether this is a dbus bug or an libselinux bug,
it was decided that we should fix it within libselinux.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Android/MacOS X build support for libsepol.
Create a Android.mk file for Android build integration.
Introduce DARWIN ifdefs for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Currently expand_filename_trans() function use much CPU time to find
end of the state->out->filename_trans list. This is not needed because
data can be prepended instead of appended to the list.
This ends with 10% speed-up of various se* commands (semodule, setsebool).
Signed-off-by: Adam Tkac <atkac@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
strict adherense to 80 characters means that we split stuff in stupid
places. Screw 80 characters. Buy a bigger monitor.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is an off by one bug in which the filename length stored with
filename_trans_rules is stored as strlen (aka, no nul) however the
code to allocate space and read the name back in from policy only
allocates len, and not the len + 1 needed to hold the nul. Allocate
enough space for the nul.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With the switch in Fedora to unify /bin to /usr/bin the link file
created for load_policy points back at itself. This patch causes make
to continue even if the link fails.
Signed-off-by: Eric Paris <eparis@redhat.com>
update policycoreutils po files. This should hopefully make the debian
build system a little happier.
Requested-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Description: Hide unnecessarily-exported library destructors
This change was extracted from the old monolithic Debian patch.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not link python module with libpython, the interpreter is already linked against it.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Only run setfiles if we have a R/W filesystem
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We are now building our packages with -Werror=format-security enabled.
The attached patch fix the FTBFS. More patch related to this could
follow.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects. Allow
userspace to use the filename_trans rules added to policy.
Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor. The kernel has been fixed to not reuse watch descriptors.
However as some kernels do reuse them, and its possible they may again,
this patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Having magic numbers in the code is a bad idea, using a macro is better.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This allow to build the ruby module for both ruby 1.8 and 1.9.1 (the
way it's done for the python module)
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not link against libpython, the interpreter is already linked to it.
In Debian this is usually considered bad practice.
Signed-off-by: Author: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I am running into an issue with sepolgen. Debian ships more
than one version of the refpolicy, a default one, and a MLS enabled
one. So, the include files live in either
/usr/share/selinux/{default,mls}/include sepolgen (in
src/sepolgen/defaults.py) sets refpolicy_devel() to a single
location -- and thus, only one version of the security policy may be
supported. So, sepolgen-ifgen from policycoreutils can only work
with one policy, which may not be the one installed on the target
machine. Could this be made configurable, somehow? As far as I can
see, sepolgen's python library does not offer any way to set the
value. This change fixes that. Now you may set the path to look for
development headers in /etc/selinux/sepolgen.conf, in the variable
SELINUX_DEVEL_PATH. The builtin default will have it work on Debian
and fedora machines out of the box.
Signed-off-by: Laurent Bigonville bigon@debian.org
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
selinux_check_access() should not error on bad class or perms if the
security_deny_unkown() function return false. If policy tells us to
allow unknown classes and perms we should respect that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
To simplify finding why programs don't work, assert that avc_init() was
called any time avc functions are called. This means we won't get
'random' segfaults and will instead be able to hopefully quickly
determine what we did wrong as application developers.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This means you can still run setuid programs, but don't need special
perms to run seunshare.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The previous time upstream was released, there were changes to
MCSTrans, but the version was never updated, In order for us to
release these fixes to Fedora we needed to bump the version.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
FIPS does not allow md5 as a valid algorithm. Although we don't really
care about cryptographic strength since the algorithm isn't allowed to
be used at all use something strong, like sha256.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
It's not special and doesn't need its own Makefile lines. Just make it
a normal target.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Also if the user specifies a store that is not the current store, we should not be sending audit messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage command was not reporting proper audit messages for the LSPP
certification. Needed to report additional information such as prior
roles before and after update. Many other changes, were reviewed by
Steve Grubb to make sure were were doing proper auditing.
Should be reporting AUDIT_ROLE_ASSIGN instead of AUDIT_USER_ROLE_CHANGE.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>