Commit Graph

378 Commits

Author SHA1 Message Date
Eric Paris
35f4e6a870 policycoreutils: fixfiles: stop trying to be smart about filesystems
The type of a filesystem (ext*, btrfs, etc) really doesn't matter when
it comes to the ability to set labels.  Stop trying to be smart and just
call restorecon.  It will either work or it won't and out heuristic
isn't helping.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
1da72eea26 policycoreutils: fixfiles: use new kernel seclabel option
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supposed security labeling.  Use that instead of
having to update some hard coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs)

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:20 -04:00
Eric Paris
e2769ff670 policycoreutils: fixfiles: pipe everything to cat before sending to LOGFILE
We do this so we can eliminate foolish avcs about restorecon trying to
write to a random directory.  We allow apps to communicate with fds
globably.  So this allows the access no AVC's I am happy

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
275560b2a3 policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a
list of directories which should not be relabeled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
5e096d9ceb policycoreutils: semodule: support for alternative root paths
Add a -p option to semodule which will allow it to operate on the
specified semanaged root instead of the default.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Dan Walsh
4b00b5c6a4 libsemanage: print error debug info for buggy fc files
Currently if you have a bug in a fc file, the store only reports that you have
a problem but not the name of the module, or any hint of what is wrong. This
patch will print out as much as been collected in the file_spec at the time
of the error.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
9cd587f553 libsemanage: introduce semanage_set_root and friends
Allow applications to specify an alternate root for selinux stores.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
9406ace82b libsemanage: throw exceptions in python rather than return NULL
Python doesn't really work on the basis of negative error code.  It
throws exceptions.  This patch automatically generates little stub
functions which will catch negative error codes and will throw
exceptions in their place.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Daniel J Walsh
78d58d73b4 libsemanage: python3 support.
Dave Malcolm has been working on adding python3 support to libsemanage
(and libselinux).

Change to Makefile to:

Support building the Python bindings multiple times, against various Python
runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
targets with "PYPREFIX":

Should build python2 version by default, without the user doing any changes.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Russell Coker
d784fd71b5 libsemanage: patch for MCS/MLS in user files
The attached patch makes the
/etc/selinux/default/contexts/files/file_contexts.homedirs generation process
include the MCS/MLS level.

This means that if you have a user with a MCS/MLS level that isn't SystemLow
then their home directory will be labeled such that they can have read/write
access to it by default.

Unless anyone has any better ideas for how to solve this problem I will upload
this to Debian shortly.

What do the MLS users do in this situation?  Just relabel home directories
manually?

Finally it seems that when you run "semanage user -m" the
file_contexts.homedirs doesn't get updated, it's only when you run
"semanage login -m" that it takes affect.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Russell Coker <russell@coker.com.au>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Richard Haines
34d9c258da libselinux: mapping fix for invalid class/perms after selinux_set_mapping call
Please find another libselinux patch. I've tested quite extensively with the compute_av and string functions with and without mapping and seems okay.

The patch covers:
When selinux_set_mapping(3) is used to set the class and permissions allowed by an object manager, then an invalid class and/or permissions are selected (e.g. using security_class_to_string), then mapping.c in libselinux forces an assert. This patch removes the asserts and allows the functions to return a class/perm of 0 (unknown) with errno set to EINVAL. A minor patch to set EINVAL in security_av_perm_to_string_compat is also included. All the functions to convert perms & classes to strings and back should now return the correct errno with or without mapping enabled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
8faf23de0b libselinux: audit2why: work around python bug not defining SIZEOF_SOCKET_T
A at least one broken python headers didn't define SIZEOF_SOCKET_T.
Define it if we happen upon one of those.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
4ad1896954 libselinux: resolv symlinks and dot directories before matching paths
matchpathcon cannot handle ./ or ../ in pathnames and doesn't do well
with symlinks.  This patch uses the glibc function realpath() to try to
determine a real path with resolved symlinks and dot directories.  For
example before this pach we would see:

$ matchpathcon /tmp/../eric
/tmp/../eric	<<none>>
$ matchpathcon /eric
/eric	system_u:object_r:default_t:s0

Whereas after the path we get the same results.  The one quirk with the
patch is that we need special code to make sure that realpath() does not
follow a symlink if it is the final component.  aka if we have a symlink
from /eric to /tmp/eric we do not want to resolv to /tmp/eric.  We want
to just resolv to the actual symlink /eric.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:48 -04:00
Dan Walsh
5619635063 checkpolicy: add missing ; to attribute_role_def
The commit to add role attributes forgot a ; in policy_parse.y for
attribute_role_def. Add the missing ;

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 13:21:44 -04:00
Dan Walsh
d72a9ec825 checkpolicy: Redo filename/filesystem syntax to support filename trans rules
In order to support filenames, which might start with "." or filesystems
that start with a number we need to rework the matching rules a little
bit.  Since the new filename rule is so permissive it must be moved to
the bottom of the matching list to not cover other definitions.

Signed-of-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 13:21:28 -04:00
Eric Paris
4749940426 update repo for 2011-08-03 with version and changelog updates 2011-08-03 18:09:02 -04:00
Eric Paris
2ac99a505e policycoreutils: semanage: fix indention
Part of the if clause used tabs, part spaces.  Be consistent.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Harry Ciao
dbc9a61819 libsepol: Only call role_fix_callback for base.p_roles during expansion.
expand_role_attributes() would merge the sub role attribute's roles
ebitmap into that of the parent, then clear it off from the parent's
roles ebitmap. This supports the assertion in role_fix_callback() that
any role attribute's roles ebitmap contains just regular roles.

expand_role_attribute() works on base.p_roles table but not any
block/decl's p_roles table, so the above assertion in role_fix_callback
could fail when it is called for block/decl and some role attribute is
added into another.

Since the effect of get_local_role() would have been complemented by
the populate_roleattributes() at the end of the link phase, there is
no needs(and wrong) to call role_fix_callback() for block/decl in the
expand phase.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
e1ae7b43f1 policycoreutils: semodule_package: fix man page typo
Just drop an extra bit of cruft from the man page.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
c52ff76180 policycoreutils: semodule_expand: update man page with -a
Update the man page to include -a.  Passing -a causes semodule_expand to
not check assertions.  Include this in the man info.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
f2a74f4f87 policycoreutils: semanage: handle os errors
Rather than traceback, handle os errors and exit cleanly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
b5c0a182ef policycoreutils: semanage: fix traceback with bad options
$ semanage fcontext add delete
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 565, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 396, in process_args
    raise ValueError(_("%s bad option") % o)
UnboundLocalError: local variable 'o' referenced before assignment

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
b1820fcca6 policycoreutils: semanage: show usage on -h or --help
Raise a more sensicle useage rather than value error on help request
from user.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
72a83a110d policycoreutils: semanage: introduce more deleteall options
Some semanage objects have a deleteall function, some don't.  This adds
them to login seluser node and interface.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
849e7d5be7 policycoreutils: semanage: verify ports < 65536
We could currently create a rule with a port number of one million.
This doesn't make sense.  Bounds test it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
c3226ebac9 policycoreutils: transaction into semanageRecords
In order to allow semanage to perform a transaction on several seobjects
at the same time, the transaction lock has to be at the class level
versus being in each object.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
3fd3a927e2 policycoreutils: make get_handle a method of semanageRecords
Right now it is needlessly global.  Make it a method of semanageRecords.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
7e00948bdb policycoreutils: remove a needless blank line
Yeah, that's really it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
5763e720d8 policycoreutils: make process_one error if not initialized correctly
Rather than blow up in horible ways, error out if we detect
initialization wasn't done properly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2b4d32dc4b policycoreutils: fixfiles: correct usage for r_opts.rootpath
The error usable displays r_opts.rootpath, but r_opts is supposed to be
an internal code thing, not something users care about.  When printing
the error message just call it 'rootpath'

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
89ca0c2e29 policycoreutils: put -p in help for restorecon and fixfiles
restorecon and fixfiles both have the -p option to display a * every
10000 files.  Put it in the usage and man pages.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2d0c192355 policycoreutils: fixfiles: do not try to only label known filesystems
In the old fixfiles we had to make sure we only attempted to relabel
files that were on file systems that supported extended attributes.
With the new restorecon, we no longer need this.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
593154505a policycoreutils: fixfiles clean up /var/run and /var/lib/debug
clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2bd5fd1642 policycoreutils: fixfiles delete tmp sockets and pipes rather than relabel then
We cannot reasonably relabel pipes and sockets in /tmp to tmp_t so just
delete them instead of trying to put and unuable label.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
6084f72aaf policycoreutils: fixfile use find -delete instead of pipe to rm
fixfiles uses a find command then than pipes that to rm -f.  Just use
the find delete predicate instead of causing all of those extra calls to
rm.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
da484b88d5 policycoreutils: chcat man page typo
Fix the page to point to the the seusers file, not the seuser file.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
6a1c070ea6 policycoreutils: add man page for genhomedircon
Nothing special, just a man page to say what it's about.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
a57385c578 policycoreutils: setfiles fix typo
Apparently we cannot spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
4c63498a4c policycoreutils: setsebool should inform users they need to be root
Add a different error message when setsebool is unable to run because
the user is not root.  This just helps people who try to change booleans
based on setroubleshoot output and don't know what went wrong.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
98dcd24976 policycoreutils: setsebool typos
Apparently we can't spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
10374e5e89 policycoreutils: open_init_tty man page typos
Apparently we can't spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
0b8af757b6 policycoreutils: Don't add user site directory to sys.path
SELinux pythons applications should not allow the user to change the
sys.path

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
e3ffa8c31f policycoreutils: newrole retain CAP_SETPCAP
We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
802369fbe2 audit2allow: do not print statistics
I believe this is just to stop flooding the screen with libsepol
statistics every time you run audit2allow or any other libsepol command.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:32 -04:00
Eric Paris
c7ed95f449 libselinux: make python bindings for restorecon work on relative path
This patch just makes python bindings for restorecon work on relative
paths.

$ cd /etc
$ python
> import selinux
> selinux.restorecon("resolv.conf")

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:28 -04:00
Eric Paris
2ea80c28a5 libselinux: fix python audit2why binding error
There is a missing error check in audit2why.c.  Check for error and
return NULL if we can't initialize instead of just pretending it worked.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:19 -04:00
Eric Paris
63df0f7ef1 libselinux: support new python3 functions
python3 does not have PyString_FromString use PyBytes_FromString
instead. The same for PyString_Check->PyBytes_Check and for
PyString_AsString->PyBytes_AsString

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:14 -04:00
Eric Paris
4f621a1686 libselinux: do not check fcontext duplicates on use
Tools like restorecon or systemd, which load the fcontext database to
make labeling decisions do not need to check for duplicate rules.  Only
the first rule will be used.  Instead we should only check for
duplicates when new rules are added to the database.  And fail the
transaction if we find one.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:07 -04:00
Daniel J Walsh
874bac80bb Patch for python3 for libselinux
Allow the specification of python3 in the swig creation

This patch adds the new option PYPREFIX which causes the swig created
libraries to have a prefix.  This allows one to build both the python2
and python3 libraries in the same source tree.  The install will then
later strip this prefix back off when it drops the files into the python
approriate site package directory.

This patch also needs to update the PYINC definition as newer python
patckages on fedora exist in /usr/include/python3.2mu instead of
/usr/include/python3.2 as the other method of detemrining PYINC would
have found.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:01:58 -04:00
Eric Paris
1867652e54 libsepol: use mapped role number instead of module role number
When expanding a module which includes role transitions we were
comparing the numeric value of the base policy role with the numberic
value of the unmapped role in the module.  Comparisions between
role values need to both be in terms of the mapped role in the base
module.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Harry Ciao <qingtao.cao@windriver.com>
2011-08-03 18:01:54 -04:00