Commit Graph

333 Commits

Author SHA1 Message Date
Stephen Smalley 20c9b4971e Update VERSION files to 2.8-rc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-10 11:08:22 -04:00
Stephen Smalley 84b19ae72e libsemanage: prevent string overflow on final paths
Verify that the final path does not exceed the size of the
buffer before copying.  This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 10:24:00 -04:00
Stephen Smalley dc03bae194 Update VERSION files to 2.8-rc2.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-26 13:20:40 -04:00
Nicolas Iooss 531fc3d8a7 libsemanage: always check append_arg return value
When split_args() calls append_arg(), the returned value needs to be
checked in order to detect memory allocation failure. Checks were
missing in two places, which are spotted by clang's static analyzer:

    semanage_store.c:1352:7: warning: Value stored to 'rc' is never
    read
            rc = append_arg(&argv, &num_args, arg);
            ^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    semanage_store.c:1368:3: warning: Value stored to 'rc' is never read
            rc = append_arg(&argv, &num_args, arg);
            ^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-25 10:09:13 -07:00
Stephen Smalley f04d64012a Update VERSION files to 2.8-rc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-19 10:40:16 -04:00
Vit Mojzis 10bb459add libsemanage: do not change file mode of seusers and users_extra
Commit 8702a865e0 causes file mode of
seusers and users_extra to change based on the value defined in config
file whenever direct_commit is called and policy is not rebuilt.
(e.g. when setting a boolean).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1512639

$ ll /var/lib/selinux/targeted/active/users_extra
-rw-------. 1 root root 101 11. dub 17.31 /var/lib/selinux/targeted/active/users_extra
$ ll /var/lib/selinux/targeted/active/seusers
-rw-------. 1 root root 73 11. dub 17.31 /var/lib/selinux/targeted/active/seusers
$ semanage boolean -m --on httpd_can_network_connect
$ ll /var/lib/selinux/targeted/active/seusers
-rw-r--r--. 1 root root 73 23. bře 16.59 /var/lib/selinux/targeted/active/seusers
$ ll /var/lib/selinux/targeted/active/users_extra
-rw-r--r--. 1 root root 101 23. bře 16.59 /var/lib/selinux/targeted/active/users_extra
$ rpm -Vq selinux-policy-targeted
.M.....T.    /var/lib/selinux/targeted/active/seusers
.M.....T.    /var/lib/selinux/targeted/active/users_extra

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-04-13 16:21:26 -04:00
Vit Mojzis 721ccb3318 libsemanage/direct_api.c: Fix iterating over array
Fix sizeof calculation in array iteration introduced by commit
6bb8282c4c
"libsemanage: replace access() checks to make setuid programs work"

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-19 09:18:28 -07:00
Nicolas Iooss 07629c0a9f
libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been opened for more than 5 years.

On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.

As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2018-03-17 09:03:33 +01:00
Vit Mojzis 6bb8282c4c libsemanage: replace access() checks to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs.
Replace access() calls (mostly tests for file existence) by stat().

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-13 10:57:04 +00:00
Vit Mojzis 4efa673bc0 libsemanage: remove access() check to make setuid programs work
F_OK access checks only work properly as long as all directories along
the path are accessible to real user running the program.
Replace F_OK access checks by testing return value of open, write, etc.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-08 14:48:11 -05:00
Vit Mojzis 88f4710617 libsemanage: remove access() check to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs. Remove redundant access() checks

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-08 14:48:07 -05:00
Nicolas Iooss 2784addb14 libsemanage: silence clang static analyzer report
clang's static analyzer reports an out-of-bound array access in
semanage_user_roles() when num_roles is zero, with the following
statement:

    strcpy(roles,roles_arr[0]);

When num_roles is zero, roles_arr[0] is not uninitialized and roles is
the result of malloc(0) so this strcpy is dangerous. Make
semanage_user_roles() return an empty string instead.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-03-08 14:43:50 -05:00
Vit Mojzis 8caec179c3 libsemanage: Improve warning for installing disabled module
Resolves: rhbz#1337199

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-02-28 11:37:31 -08:00
Marcus Folkesson e15f61e5d2 libsemanage: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:37 +01:00
Richard Haines f281fc5219 libsemanage: Allow tmp files to be kept if a compile fails
Allow the tmp build files to be kept for debugging when a policy
build fails.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-25 12:27:47 -08:00
Richard Haines f47c291cf8 libsemanage: Return commit number if save-previous false
Stop overwriting the commit number for the default save-previous flag
setting (false) in semanage.conf.

Allows semodule -v -i <policy> to show the correct commit number.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-25 10:00:52 -05:00
Petr Lautrbach eee003f810 libsemanage: Use umask(0077) for fopen() write operations
When a calling process uses umask(0) some files in the SELinux module
store can be created to be world writeable. With this patch, libsemanage
sets umask(0077) before fopen() operations and restores the original
umask value when it's done.

Fixes:
drwx------. /var/lib/selinux/targeted/active
-rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local
-rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked
-rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local

drwx------. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext
drwx------. /var/lib/selinux/targeted/active/modules/disabled
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-12-01 08:56:10 -05:00
Jan Zarsky d80556d885 libsemanage: properly check return value of iterate function
Function dbase_llist_iterate iterates over records and checks return
value of iterate function. According to a manpage semanage_iterate(3),
handler can return value 1 for early exit. dbase_llist_iterate
currently checks for return value > 1, which does not include
expected value 1. This affects most of the semanage_*_iterate
and semanage_*_local functions.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-11-27 11:09:16 -08:00
Jan Zarsky c15f495a65 libsemanage: free genhomedircon fallback user
Function semanage_genhomedircon() adds fallback user and function
setup_fallback_user() may add another one. But only one fallback
user is freed. Make sure to free all fallback users in
semanage_genhomedircon().

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-11-08 14:55:31 +08:00
Vit Mojzis bc161a9e94 libsemanage: Add support for listing fcontext.homedirs file
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-10-04 14:18:58 -04:00
Vit Mojzis 5007687feb libsemanage: Keep copy of file_contexts.homedirs in policy store
This will allow listing the correct file_contexts.homedirs
using libsemanage regardless of selected policy store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-10-04 14:18:58 -04:00
Stephen Smalley 1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Stephen Smalley 9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley 83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Stephen Smalley 2d1a6c63c6 libselinux,libsemanage: fix RUBYLIBS definition
The RUBYLIBS definition introduced by commit f5b9bc2a06
("libselinux,libsemanage: link Ruby wrappers with -lruby") did
not work on Debian.  Fix it based on a patch by Nicolas Iooss.

Reported-by: Laurent Bigonville <bigon@debian.org>
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-28 09:35:57 -04:00
Stephen Smalley 6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Patrick Steinhardt 2c651e0a28 genhomedircon: avoid use of non-standard `getpwent_r`
The `getpwent_r` function is a non-standard but reentrant version of the
POSIX-defined `getpwent` function. While it should provide the benefit
of being safe to use in multi-threaded environments, it disallows us
from compiling with libc implementations which stick to the POSIX
standard more closely.

As libsemanage may be used in a multi-threaded environment, being
reentrant may in fact be quite important to us. As such, simply
switching out `getpwent_r` against its non-reentrant function can prove
quite dangerous. But interestingly enough, the glibc implementation of
`getpwent_r` does not even guarantee being reentrant. Quoting from
getpwent_r(7):

    NOTES

    The function getpwent_r() is not really reentrant since it shares
    the reading position in the stream with all other threads.

As such, it is non-reentrant in the same sense as its simple `getpwent`
brother and can simply be switched out without losing any guarantees
here.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-22 16:44:07 -04:00
Nicolas Iooss cdd3b1d728 libsemanage/tests: fix linking
When -lbz2 is written before libsemanage.a in the linker command line,
the linker may fail to find all needed symbols. This occurs for example
when building on Ubuntu 14.04 without the gold linker (cf. Travis build
result https://travis-ci.org/fishilico/selinux/builds/245072498):

    gcc libsemanage-tests.o test_semanage_store.o test_utilities.o utilities.o
    -L/home/travis/build/fishilico/selinux/installdir/usr/lib -o libsemanage-tests
    -lcunit -lbz2 -laudit ../src/libsemanage.a -lselinux -lsepol
    ../src/libsemanage.a(direct_api.o): In function `bzip':
    direct_api.c:(.text+0xee6): undefined reference to `BZ2_bzWriteOpen'
    direct_api.c:(.text+0xf11): undefined reference to `BZ2_bzWriteClose'
    direct_api.c:(.text+0xf79): undefined reference to `BZ2_bzWrite'
    direct_api.c:(.text+0xfa1): undefined reference to `BZ2_bzWriteClose'
    direct_api.c:(.text+0xfe0): undefined reference to `BZ2_bzWriteClose'
    ../src/libsemanage.a(direct_api.o): In function `bunzip':
    direct_api.c:(.text+0x114e): undefined reference to `BZ2_bzReadOpen'
    direct_api.c:(.text+0x1249): undefined reference to `BZ2_bzRead'
    direct_api.c:(.text+0x13b4): undefined reference to `BZ2_bzReadClose'
    ../src/libsemanage.a(seusers_local.o): In function `semanage_seuser_audit':
    seusers_local.c:(.text+0x4c5): undefined reference to `audit_open'
    seusers_local.c:(.text+0x5b6): undefined reference to `audit_log_semanage_message'
    seusers_local.c:(.text+0x5cd): undefined reference to `audit_close'

As ../src/libsemanage.a is a dependency of $(EXECUTABLE) in the
Makefile, use $^ to include it in the command line. While at it, put $^
after $(LDFLAGS) as other Makefiles do.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-21 10:31:36 -04:00
Jason Zaman 15f2740733 Makefiles: override *FLAGS and *LIBS
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-20 12:15:04 -04:00
Stephen Smalley 08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
Stephen Smalley 2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
Bernhard M. Wiedemann c18ea1df62 sort input files
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.

See https://reproducible-builds.org/ for why this matters.
2017-06-01 14:00:30 -04:00
Stephen Smalley f60244365c libsemanage: Fix snprintf warnings from gcc 7
Fixes the following warning from gcc7 by increasing the
buffer size to PATH_MAX.

semanage_store.c: In function ‘semanage_remove_directory’:
semanage_store.c:819:30: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 254 [-Wformat-truncation=]
   snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
                              ^~
semanage_store.c:819:3: note: ‘snprintf’ output 2 or more bytes (assuming 257) into a destination of size 255
   snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:35:56 -04:00
Stephen Smalley e41ae676c2 libsepol,libsemanage,libselinux: Fix fallthrough warnings from gcc 7
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/

Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older compilers.

../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
    tok.value = tok.value+1;
    ~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
   case SYMBOL:
   ^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (tok.type != END_OF_FILE) {
       ^
../cil/src/cil_parser.c:279:3: note: here
   case END_OF_FILE:
   ^~~~

../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
    c++;
    ~^~
../cil/src/cil_post.c:105:3: note: here
   default:
   ^~~~~~~

regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~

modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "hll";
       ^
modules.c:603:3: note: here
   case SEMANAGE_MODULE_PATH_CIL:
   ^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "cil";
       ^
modules.c:605:3: note: here
   case SEMANAGE_MODULE_PATH_LANG_EXT:
   ^~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:35:45 -04:00
Petr Lautrbach 5b61d8fba8 Fix recently introduced TabError's
Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces
in indentation what makes python3.6 unhappy.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-26 10:19:10 -04:00
Daniel Jurgens 9a3d2c7a9b semanage: Update semanage to allow runtime labeling of ibendports
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens 6a7a5aafe5 semanage: Update semanage to allow runtime labeling of Infiniband Pkeys
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Jason Zaman fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
Stephen Smalley 8702a865e0 libsemanage: Save linked policy, skip re-link when possible
In commit b61922f727 ("libsemanage: revert
"Skip policy module re-link when only setting booleans"), we reverted
an optimization for setting booleans since it produced incorrect behavior.
This incorrect behavior was due to operating on the policy with local
changes already merged. However, reverting this change leaves us with
undesirable overhead for setsebool -P.  We also have long wanted
to support the same optimization for making other changes that do
not truly require module re-compilation/re-linking.

If we save the linked policy prior to merging local changes, we
can skip re-linking the policy modules in most cases, thereby
significantly improvement the performance and memory overhead of
semanage and setsebool -P commands.  Save the linked policy in the
policy sandbox and use it when we are not making a change that requires
recompilation of the CIL modules.  With this change, a re-link
is not performed when setting booleans or when adding, deleting, or
modifying port, node, interface, user, login (seusers) or fcontext
mappings.  We save linked versions of the kernel policy, seusers,
and users_extra produced from the CIL modules before any local
changes are merged.  This has an associated storage cost, primarily
storing an extra copy of the kernel policy file.

Before:
$ time setsebool -P zebra_write_config=1
real	0m8.714s
user	0m7.937s
sys	0m0.748s

After:
$ time setsebool -P zebra_write_config=1
real	0m1.070s
user	0m0.343s
sys	0m0.703s

Resolves: https://github.com/SELinuxProject/selinux/issues/50
Reported-by: Carlos Rodrigues <cefrodrigues@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-04-12 14:56:29 -04:00
Nicolas Iooss 86e6ae67fd libsemanage: drop checks on semanage_module_info_destroy() value
semanage_module_info_destroy() always returns 0. Nevertheless
semanage_direct_list_all() uses its return value in a surprising way:

    cleanup:
        if (priorities != NULL) {
            /* ... */
            free(priorities);
        }
        /* ... */
        ret = semanage_module_info_destroy(sh, modinfo_tmp);
        if (ret != 0) {
            status = -1;
            goto cleanup;
        }

The last "goto cleanup;" leads clang's static analyzer to believe a
double free is possible. Even though this is a false positive, the
body of condition "if (ret != 0)" contains dead code. Remove it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:22:59 -04:00
Stephen Smalley b61922f727 libsemanage: revert "Skip policy module re-link when only setting booleans."
commit e5aaa01f81 ("Skip policy module
re-link when only setting booleans.") can lead to duplicate entries
(e.g. portcon entries) being added into the kernel policy because the
existing linked policy already includes the local customizations.
Revert this commit until we can come up with an approach that handles
this properly.  This means that setsebool -P triggers a full policy
rebuild.

From the original bug report:
I've noticed a strange interaction with custom ports and booleans.
After setting a boolean, the list of ports for a particular type
(which has been customized) shows duplicate entries.

Example:

    $ semanage port -a -t http_port_t -p tcp 12345
    $ semanage port -l | grep http_port_t
    http_port_t                    tcp      12345, 80, 81, ...
    $ setsebool -P zebra_write_config false
    $ semanage port -l | grep http_port_t
    http_port_t                    tcp      12345, 12345, 80, 81, ...
    $ setsebool -P zebra_write_config false
    $ semanage port -l | grep http_port_t
    http_port_t                    tcp      12345, 12345, 12345, 80, 81, ...

As can be seen, each time a boolean is set persistently (it doesn't
matter which boolean or which state), the custom port 12345 is
duplicated. Running "semodule -B" clears the duplicates.

However, if only the local customizations are listed, the port is
always listed only once:

    $ semanage port -l -C
    SELinux Port Type              Proto    Port Number
    http_port_t                    tcp      12345

Resolves: https://github.com/SELinuxProject/selinux/issues/50
Reported-by: Carlos Rodrigues <cefrodrigues@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-04-10 11:04:39 -04:00
Nicolas Iooss 03298a22f7 libsemanage: genhomedircon: fix possible double-free
When write_contexts() frees variables context and new_context_str after
a line has been successfully emitted, these variables are not reset to
NULL. This leads the function to free them again if an error occurs when
processing the next line. Fix this by always resetting these variables
at the beginning of the loop.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:59 -04:00
Nicolas Iooss 85da6194ea libsemanage: do not dereference a NULL pointer when calloc() fails
If "names = calloc(num_modinfos, sizeof(*names))" fails in
semanage_get_cil_paths(), the function tries to frees items in array
"names" even though it is NULL. Avoid this by returning directly.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:55 -04:00
Nicolas Iooss 0438d5c421 libsemanage: do not close uninitialized file descriptors
When pipe() fails in semanage_pipe_data(), this function closes all file
descriptors in variables output_fd, err_fd and input_fd even when they
have not been initialized. Fix this by initializing the file descriptors
to -1.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:50 -04:00
Nicolas Iooss ccfbd9aa17 libsemanage/tests: include libsepol headers from $DESTDIR
When building and running tests on a system without SELinux with a
command similar to "make DESTDIR=/tmp/destdir install test", libsemanage
tests fail to build with the following error:

    In file included from utilities.h:20:0,
                     from utilities.c:24:
    ../src/handle.h:29:26: fatal error: sepol/handle.h: No such file or
    directory
     #include <sepol/handle.h>
                              ^

Fix this by adding the newly-installed directory under $DESTDIR (using
variable $PREFIX) in the search paths of the compiler.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:34 -05:00
Nicolas Iooss 4176a29235 libsemanage: never call memcpy with a NULL value
clang's static analyzer reports "Argument with 'nonnull' attribute
passed null" in append_str(), because argument t may be NULL but is used
in a call to memcpy().

Make append_str() do nothing when called with t=NULL.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:28 -05:00
Nicolas Iooss 1cd3e1a40a libselinux, libsemanage: make PYPREFIX computation more robust
On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).

Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).

In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.

Moreover update Travis-Ci configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:42:52 -05:00
Nicolas Iooss 68a4203f87 libsemanage/tests: fix -Wwrite-strings warnings
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:06:10 -05:00
Nicolas Iooss a51b30ae23 libsemanage: make lang_ext parameter const in semanage_direct_write_langext()
When building with "clang -Wwrite-strings", the compiler reports the
following warnings:

    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^
    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:38 -05:00