Commit Graph

642 Commits

Author SHA1 Message Date
Marcus Folkesson
b24980ec07 libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generate odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Richard Haines
8bcee84421 libselinux: Correct manpages regarding removable_context
The selabel_media(5) man page incorrectly stated that the
removable_context(5) would be read if an selabel_lookup(3)
failed. Correct the man pages that fixes [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-13 10:49:13 -08:00
Petr Lautrbach
80d6927b69 libselinux: Add support for pcre2 to pkgconfig definition
When libselinux is built using USE_PCRE2 libselinux.pc needs to require
libpcre2-8 instead of libpcre.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1487521

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-10-13 15:24:23 -04:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley
1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley
dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Tom Cherry
00548bd9b6 libselinux: fix thread safety issues with lookup_common()
There are two problems with lookup_common() and therefore
selabel_lookup() and related functions that this patch fixes:

1) A race with the lazy compilation of regexes.  Since the struct
regex_data is allocated and assigned immediately to the parent struct
spec, it's possible for a second thread to see that this pointer is
non-NULL before the regex compilation has finished.  This typically
results in a -1 return from selabel_lookup() with ENOENT as errno.

This is fixed by adding synchronization in compile_regex().

2) A race with PCRE2 regex_match().  A struct pcre2_match_data is
created once and used for all regex matches for a given regex.  This
is problematic if two threads are attempting to evaluate the same
regex simultaneously.  This typically results in a successful return
from selabel_lookup() but with an erroneous selabel.

This is fixed by adding a pthread_mutex within regex_match() for
PCRE2.  Note, on my system, creating new matchdata takes roughly an
order of magnitude more time than locking a non-contended
pthread_mutex.  I don't believe programs will have enough contention
on this lock to justify that cost.

Bug: 63861738
Test: ueventd unit tests
Change-Id: I13bf782d81d0a0b896d444e396f307ad0dbacb6a
2017-07-26 16:23:04 -04:00
Stephen Smalley
9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley
83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Stephen Smalley
2d1a6c63c6 libselinux,libsemanage: fix RUBYLIBS definition
The RUBYLIBS definition introduced by commit f5b9bc2a06
("libselinux,libsemanage: link Ruby wrappers with -lruby") did
not work on Debian.  Fix it based on a patch by Nicolas Iooss.

Reported-by: Laurent Bigonville <bigon@debian.org>
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-28 09:35:57 -04:00
Stephen Smalley
6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Patrick Steinhardt
ca07a2ad46 libselinux: avoid redefining _FORTIFY_SOURCE
Two makefiles of ours pass `-D_FORTIFY_SOURCE=2` directly to the
preprocessor. While this does not pose any problems when the value has
not been previously set, it can break the build if it is part of the
standard build flags.

The issue can easily be fixed by instead defining `_FORTIFY_SOURCE`
without specifying a concrete value. In this case, gcc will not error
out and simply keep using the previously defined value. On the other
hand, if no value has been defined, we will now compile with
`_FORTIFY_SOURCE=1`. From feature_test_macros(7):

    If _FORTIFY_SOURCE is set to 1, with compiler optimization level 1
    (gcc -O1) and above, checks that shouldn't change the behavior of
    conforming programs are performed.  With _FORTIFY_SOURCE set to 2,
    some more checking is added, but some conforming programs might
    fail.

While this leaves us with less checks for buffer overflows, it will only
enable checks that should not change behaviour of conforming programs.
With _FORTIFY_SOURCE=2, the compiler may even unintentionally change
behaviour of conforming programs. So in fact, one could even argue that
we should only be setting the value to 1 anyway to avoid surprising side
effects.

So this patch changes our CFLAGS to only pass `-D_FORTIFY_SOURCE`
without any concrete value, fixing the build issue.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-22 16:44:07 -04:00
Stephen Smalley
7b5699bfd7 Fix BINDIR/SBINDIR/... variables in Makefiles
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.

Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin

After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin

This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-20 12:18:26 -04:00
Jason Zaman
297877ab88 libselinux utils: override LD{FLAGS, LIBS} for libselinux.so in Makefile
The utils dir links to libselinux.so which was just built; if LDFLAGS or
LDLIBS were specified on the make command line then the search path is
not appended. Add the override directive to fix this.

Gentoo-Bug: https://bugs.gentoo.org/621762

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-19 11:23:06 -04:00
Stephen Smalley
08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
Stephen Smalley
2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
Stephen Smalley
d1769a9b83 libselinux: always unmount selinuxfs for SELINUX=disabled
As reported in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864479
using a kernel configuration with CONFIG_SECURITY_SELINUX_DISABLE=n
and a /etc/selinux/config with SELINUX=disabled leads to a boot
failure.

Fix this by always unmounting selinuxfs if /etc/selinux/config has
SELINUX=disabled even if unable to successfully disable SELinux.
This will ensure that subsequent is_selinux_enabled() tests will
return 0 (disabled) and userspace will therefore skip any SELinux
processing.

Reported-by: Christian Göttsche <cgzones@googlemail.com>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:31:48 -04:00
Stephen Smalley
31f532aacb libselinux: fix selabel_lookup*() double slash bug
As originally reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
, "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the
wrong security context.  This turned out to be a result of systemd-hwdb
calling selabel_lookup_raw() with a path with a leading double slash
(//lib/udev/hwdb.bin). While the selabel file backend already removes
duplicate slashes, this was occurring after any substitution matching
and replacement had occurred in the generic selabel frontend, and thus
the double slash was still preventing the /lib -> /usr/lib substitution
specified by file_contexts.subs_dist from occurring.  As a consequence,
the final path (/lib/udev/hwdb.bin) used to look up did not match the
/usr/lib/udev/[^/]* entry in file_contexts.

There were two options for resolving:
1) move the double slash removal to the selabel frontend code before
substitutions, or
2) move the substitution processing to the selabel file backend code
after double slash removal.

Since substitutions are currently only supported for the file backend,
and since the slash character may have no particular meaning in the
keys for other backends, it seems more correct to do the latter.
This has the advantage of taking all of the substitution data
structures and code private to the selabel file backend.

Test case:
Compare the output of:
	selabel_lookup -r -b file -k //lib/udev/hwdb.bin
versus:
	selabel_lookup -r -b file -k /lib/udev/hwdb.bin

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker <russell@coker.com.au>
Reported-by: Michael Biebl <biebl@debian.org>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 15:26:53 -04:00
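The ordering problem described in commit 31f532aacb, as an added example (a simplified model written for this page, not libselinux code). The helper names and the single hard-coded `/lib` -> `/usr/lib` substitution are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed substitution, modelled on the /lib -> /usr/lib entry the
 * commit message cites from file_contexts.subs_dist. */
static const char SUB_SRC[] = "/lib";
static const char SUB_DST[] = "/usr/lib";

/* Collapse runs of '/' in place: "//lib///udev" becomes "/lib/udev". */
static void collapse_slashes(char *path)
{
    char *dst = path;
    const char *src;

    for (src = path; *src; src++) {
        if (*src == '/' && dst > path && dst[-1] == '/')
            continue;
        *dst++ = *src;
    }
    *dst = '\0';
}

/* Apply the substitution when path equals SUB_SRC or starts with
 * SUB_SRC followed by '/'. Returns 0 on success, -1 if out is too small. */
static int apply_sub(const char *path, char *out, size_t outlen)
{
    size_t n = strlen(SUB_SRC);
    int r;

    if (strncmp(path, SUB_SRC, n) == 0 && (path[n] == '/' || path[n] == '\0'))
        r = snprintf(out, outlen, "%s%s", SUB_DST, path + n);
    else
        r = snprintf(out, outlen, "%s", path);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

/* Order before the fix: substitution first, slash removal afterwards. */
static int resolve_sub_then_collapse(const char *key, char *out, size_t outlen)
{
    if (apply_sub(key, out, outlen) < 0)
        return -1;
    collapse_slashes(out);
    return 0;
}

/* Order after the fix: slash removal first, then substitution. */
static int resolve_collapse_then_sub(const char *key, char *out, size_t outlen)
{
    char tmp[4096];

    if (strlen(key) >= sizeof(tmp))
        return -1;
    strcpy(tmp, key);
    collapse_slashes(tmp);
    return apply_sub(tmp, out, outlen);
}

int main(void)
{
    const char *key = "//lib/udev/hwdb.bin"; /* key from the commit's test case */
    char before[4096], after[4096];

    resolve_sub_then_collapse(key, before, sizeof(before));
    resolve_collapse_then_sub(key, after, sizeof(after));
    printf("substitute, then collapse: %s\n", before);
    printf("collapse, then substitute: %s\n", after);
    return 0;
}
```

Only the second ordering produces a path that a `/usr/lib/udev/[^/]*` entry can match.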
Bernhard M. Wiedemann
c18ea1df62 sort input files
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.

See https://reproducible-builds.org/ for why this matters.
2017-06-01 14:00:30 -04:00
Stephen Smalley
e41ae676c2 libsepol,libsemanage,libselinux: Fix fallthrough warnings from gcc 7
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/

Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older compilers.

../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
    tok.value = tok.value+1;
    ~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
   case SYMBOL:
   ^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (tok.type != END_OF_FILE) {
       ^
../cil/src/cil_parser.c:279:3: note: here
   case END_OF_FILE:
   ^~~~

../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
    c++;
    ~^~
../cil/src/cil_post.c:105:3: note: here
   default:
   ^~~~~~~

regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~

modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "hll";
       ^
modules.c:603:3: note: here
   case SEMANAGE_MODULE_PATH_CIL:
   ^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "cil";
       ^
modules.c:605:3: note: here
   case SEMANAGE_MODULE_PATH_LANG_EXT:
   ^~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:35:45 -04:00
Nicolas Iooss
5c84f24a17 libselinux: propagate selabel_subs_init() errors
Memory allocation failures in selabel_subs_init() should be fatal,
contrary to failures which come from the non-existence of the
substitution files (subs or subs_dist).

Modify selabel_subs_init()'s prototype in order to return the error
state. This forces the pointer to the created substitution list to be
moved to an output function argument.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-18 08:47:21 -04:00
Nicolas Iooss
55fe40ac77 libselinux: rework selabel_subs_init() to avoid use-after-free
In selabel_subs_init(), when digest_add_specfile() fails, the returned
value is a pointer to data which has been freed (because label "err"
frees variable "sub" which is equal to the returned variable, "list").

Moreover since commit fd56c5230c ("Separate out the calling of
local subs and dist subs in selabel_sub"), argument "list" of
selabel_subs_init() has always been NULL (rec->subs and rec->dist_subs
are both initialized to NULL in selabel_open() before
selabel_file_init() is called).

Drop selabel_file_init()'s "list" argument and free all the list items
which have been allocated in this function, when the code encounters an
error.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-18 08:42:26 -04:00
Nicolas Iooss
d819de173d libselinux: close the subs file if fstat failed
selabel_subs_init() returned without closing cfg when a call to fstat()
failed. Fix this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-15 16:36:54 -04:00
Tom Cherry
9cc62ce35d procattr.c: Use __BIONIC__ instead of __ANDROID__
This check is not specific to Android devices. If libselinux were used
with Bionic on a normal Linux system this check would still be needed.

Signed-off-by: Tom Cherry <tomcherry@google.com>
2017-05-12 08:54:04 -04:00
Stephen Smalley
63aa7fc036 libselinux: Fix CFLAGS definition
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") split up warning flags in
CFLAGS based on compiler support in a manner that could lead to
including a subset that is invalid, e.g. upon
make DESTDIR=/path/to/dest install.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-09 10:47:39 -04:00
Christian Göttsche
d1ff68ffee libselinux: add security_get_checkreqprot
Add security_get_checkreqprot() function, returning the current active
checkreqprot value
2017-05-08 12:44:07 -04:00
Nicolas Iooss
232ff757d4 libselinux/utils: add noreturn attribute to selinux_check_access's usage
When building libselinux, clang reports the following warning:

    selinux_check_access.c:8:1: error: function 'usage' could be
    declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

While at it, make progname const.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-05 13:07:04 -04:00
Richard Haines
ef95c6ddf9 libselinux: Remove util/selinux_restorecon.c
Remove util/selinux_restorecon.c and tidy up. This is removed as
the functionality is now in policycoreutils/setfiles.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-05-02 11:03:06 -04:00
Richard Haines
a63858b52f libselinux: Add selinux_check_access utility
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-05-02 10:58:22 -04:00
Richard Haines
9cba8f6151 libselinux: Add permissive= entry to avc audit log
Add audit log entry to specify whether the decision was made in
permissive mode/permissive domain or enforcing mode.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-04-28 09:42:37 -04:00
Colin Walters
f3a264c2e1 config: Don't finalize mount state in selinux_set_policy_root()
This breaks every further call to e.g. `is_selinux_enabled()` after a policy
root has been set.  This tripped up some code landed in libostree:
https://github.com/ostreedev/ostree/pull/797
Since in some cases we initialize a policy twice in process, and we'd
call `is_selinux_enabled()` each time.

More info in: http://marc.info/?l=selinux&m=149323809332417&w=2

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-04-27 08:38:58 -04:00
Jason Zaman
fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place.

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
Jason Zaman
b5fe48da20 libselinux: PCRE_LDFLAGS is actually LDLIBS
From Make's manual:

LDFLAGS
Extra flags to give to compilers when they are supposed to invoke the
linker, ‘ld’, such as -L. Libraries (-lfoo) should be added to the
LDLIBS variable instead.

LDLIBS
Library flags or names given to compilers when they are supposed to
invoke the linker, ‘ld’. Non-library linker flags, such as -L, should go
in the LDFLAGS variable.

https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:23:45 -04:00
Jason Zaman
3eebfc2873 libselinux: get pcre CFLAGS/LDFLAGS from pkg-config
Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:21:50 -04:00
Nick Kralevich
64afa1aff1 libselinux: add O_CLOEXEC
Makes libselinux safer and less likely to leak file descriptors when
used as part of a multithreaded program.

Signed-off-by: Nick Kralevich <nnk@google.com>
2017-04-12 14:51:41 -04:00
Nicolas Iooss
bb3f428c08 libselinux: getsebool: always free names
When getsebool's main() fails to allocate memory for the boolean names,
it returns without freeing variables first, even though other errors do
this (with label "out").

This silences a warning reported by clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:46:02 -04:00
Nicolas Iooss
a9094fae2c libselinux: avoid calling strcmp() on a NULL pointer
When curcon is NULL, calling strcmp(curcon, newcon) produces an undefined
behavior. Avoid this by checking whether curcon is NULL beforehand.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:44:55 -04:00
Nicolas Iooss
9d3091a6d3 libselinux: ensure that 4 columns are read from /proc/mounts
If exclude_non_seclabel_mounts() ever gets run on a kernel where
/proc/mounts only contains three columns, mount_info[3] will be used
without being initialized in "strtok(mount_info[3], ",")" because
variable index would be 3 at the end of this loop:

    index = 0;
    item = strtok(buf, " ");
    while (item != NULL) {
        mount_info[index] = item;
        if (index == 3)
            break;
        index++;
        item = strtok(NULL, " ");
    }

Swap the condition on index and its increment so that it gets to 4 only
when there are at least four columns.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:32:16 -04:00
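The column-count ambiguity described in commit 9d3091a6d3, as an added example (not libselinux code). `split_before_fix()` reproduces the loop quoted in the commit message; `split_after_fix()`, `mount_has_option()`, `index_after_split()` and the sample mount lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NCOLS 4

/* Loop as quoted in the commit message: the index test precedes the
 * increment, so index ends at 3 for three columns and for four. */
static int split_before_fix(char *buf, char *mount_info[NCOLS])
{
    int index = 0;
    char *item = strtok(buf, " ");

    while (item != NULL) {
        mount_info[index] = item;
        if (index == 3)
            break;
        index++;
        item = strtok(NULL, " ");
    }
    return index;
}

/* Increment first, then test: index reaches 4 only when four columns
 * were actually stored. */
static int split_after_fix(char *buf, char *mount_info[NCOLS])
{
    int index = 0;
    char *item = strtok(buf, " ");

    while (item != NULL) {
        mount_info[index] = item;
        index++;
        if (index == 4)
            break;
        item = strtok(NULL, " ");
    }
    return index;
}

/* Final index for a line, using either loop (test helper). */
static int index_after_split(const char *line, int use_fix)
{
    char buf[256];
    char *mount_info[NCOLS] = { NULL, NULL, NULL, NULL };

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    return use_fix ? split_after_fix(buf, mount_info)
                   : split_before_fix(buf, mount_info);
}

/* Returns 1 if the options column contains opt, 0 if it does not, and
 * -1 if the line is too long or has fewer than four columns. */
static int mount_has_option(const char *line, const char *opt)
{
    char buf[256];
    char *mount_info[NCOLS] = { NULL, NULL, NULL, NULL };
    char *item;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    if (split_after_fix(buf, mount_info) != NCOLS)
        return -1; /* never touch mount_info[3] on a short line */
    for (item = strtok(mount_info[3], ","); item; item = strtok(NULL, ","))
        if (strcmp(item, opt) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines in /proc/mounts layout. */
    const char *lines[] = {
        "/dev/sda1 / ext4 rw,seclabel,relatime 0 0",
        "proc /proc proc rw,nosuid 0 0",
        "tmpfs /tmp tmpfs", /* three columns only */
    };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("before=%d after=%d seclabel=%d  %s\n",
               index_after_split(lines[i], 0), index_after_split(lines[i], 1),
               mount_has_option(lines[i], "seclabel"), lines[i]);
    return 0;
}
```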
Nicolas Iooss
c09fb32384 libselinux: make process_boolean() fail on invalid lines
When security_load_booleans() calls process_boolean() to parse a boolean
definition, process_boolean() returns a successful value when it fails
to use strtok_r() (e.g. when there is no "=" in the parsed line). This
leads security_load_booleans() to use uninitialized name and/or val when
setting the boolean into the policy.

This issue has been found using clang's static analyzer and is similar
to the one which has been fixed in libsepol with commit 76f8c04c19
("libsepol: make process_boolean() fail on invalid lines"). Fix it in
the same way.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:27:01 -04:00
Nicolas Iooss
55b5b7a646 libselinux: do not dereference a NULL pointer when calloc() fails
selabel_is_digest_set() contains the following code:

        digest = calloc(1, sizeof(*digest));
        if (!digest)
            goto err;

    /* ... */

    err:
        free(digest->digest);

If calloc() failed, digest is NULL but is dereferenced when the
execution jumps to label err.

Check that digest is not NULL before freeing its fields.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:19:52 -04:00
Nicolas Iooss
b6579d262e libsepol: constify sepol_genbools()'s boolpath parameter
This allows removing an unnecessary cast to (char *) in libselinux.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-29 10:26:44 -04:00
Nicolas Iooss
ded385d377 libselinux: initialize temp value in SWIG wrapper to prevent freeing garbage
Currently this Python program triggers a segmentation fault in
libselinux SWIG wrapper:

    import selinux
    selinux.get_ordered_context_list()

gdb shows that the segmentation fault occurs when freeing some memory:

    Reading symbols from python...(no debugging symbols found)...done.
    Starting program: /usr/bin/python -c import\
    selinux\;selinux.get_ordered_context_list\(\)
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/usr/lib/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    (gdb) bt
    #0  0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    #1  0x00007ffff6011499 in freeconary (con=0x7ffff6ac5d00) at
    freeconary.c:14
    #2  0x00007ffff6296899 in _wrap_get_ordered_context_list
    (self=<optimized out>, args=<optimized out>) at
    selinuxswig_wrap.c:6185
    #3  0x00007ffff741891f in _PyCFunction_FastCallDict () from
    /usr/lib/libpython3.6m.so.1.0
    ...

SWIG generated the following code for _wrap_get_ordered_context_list():

    char ***arg3 = (char ***) 0 ;
    char **temp3 ;
    arg3 = &temp3;
    if (!PyArg_ParseTuple(args, "OO:get_ordered_context_list",&obj0,&obj1))
        SWIG_fail;
    /* ... */
  fail:
    if (*arg3) freeconary(*arg3);

If PyArg_ParseTuple fails, freeconary() is called on the value of
"temp3", which has not been initialized. Fix this by initializing temp
to NULL in the SWIG template.

A similar issue exists with security_get_boolean_names(). Fix it too.

This issue has been found using clang's static analyzer, on a system
which uses SWIG 3.0.12.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:45 -05:00
Nicolas Iooss
1cd3e1a40a libselinux, libsemanage: make PYPREFIX computation more robust
On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).

Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).

In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.

Moreover update Travis-Ci configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:42:52 -05:00
Richard Haines
454768f56d setfiles: Fix setfiles progress indicator
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.

The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%

Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.

The documentation has also been updated to reflect these changes.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-01-27 09:39:22 -05:00
Lokesh Mandvekar
b9213c7f1a libselinux: selinux_restorecon.3 man page typo fix
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-25 15:51:45 -05:00
Thomas Petazzoni
05abcb1d13 libselinux/src/regex.c: support old compilers for the endian check
libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__
to determine the system endianness. Unfortunately, this definition
provided directly by the compiler doesn't exist in older gcc versions
such as gcc 4.4.

In order to address this, this commit extends the logic to use
<endian.h> definitions if __BYTE_ORDER__ is not provided by the
compiler. This allows libselinux to build properly with gcc 4.4.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-01-25 09:18:16 -05:00
Stephen Smalley
b88c4a4707 libselinux: disable filespec hash table stats on non-debug builds
Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-24 14:45:24 -05:00
Nicolas Iooss
6c853f3fb9 libselinux: fix argument order in get_default_context_with_rolelevel() doc
libselinux/src/get_context_list.c defines

    get_default_context_with_rolelevel(user, role, level...

libselinux/utils/getdefaultcon.c uses

    get_default_context_with_rolelevel(seuser, role, level...

but libselinux/include/selinux/get_context_list.h declares

    get_default_context_with_rolelevel(user, level, role...

and libselinux/man/man3/get_ordered_context_list.3 follows this
declaration.

Fix the header and the man page.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 11:52:41 -05:00
Nicolas Iooss
6351fed560 libselinux: always free catalog in db_init()
This variable may be leaked in some error paths.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:48:49 -05:00
Nicolas Iooss
dcd135cc06 Re-link programs after libsepol.a is updated
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.

While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-18 16:41:34 -05:00