CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.
To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.
Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The current build system assumes SHLIBDIR is ../../ relative to LIBDIR.
However, this isn't always the case. For example, Arch Linux sets both
LIBDIR and SHLIBDIR to /usr/lib, which results in broken symlinks.
Instead of making that assumption, create .so symlinks using ln
--relative so that the correct relative paths are used. Note that this
adds a dependency for the build system to use coretuils-8.16 or later.
Fixes#2
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The libsemanage Makefile currently installs libsemanage.so.1 into
SHLIBDIR, but links libsemanage.so to libsemanage.so.1 in LIBDIR. This
means things will only work if SHLIBDIR and LIBDIR are the same.
Fortunately, by default, they are the same because the default of
SHLIBDIR is set to PREFIX/lib (same as LIBDIR default) instead of the
standard DESTDIR/lib. Unfortunately, if a user overrides SHLIBDIR, by
doing something like the following:
make DESTDIR=~/tmp/ LIBDIR=~/tmp/usr/lib SHLIBDIR=~/tmp/lib install
then a broken symlink is created. Note that in some cases this may still
work even when SHLIBDIR and LIBDIR are not the same, e.g.:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install
But this only works because, in systems like Fedora, /lib is a symlink
to /usr/lib, so SHLIBDIR and LIBDIR are the same even though it doesn't
immediately look like it.
This patch changes the libsemanage Makefile to set the default value of
SHLIBDIR to the standard DESTDIR/lib to prevent confusion, and installs
libsemanage to LIBDIR and completely ignores SHLIBDIR.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
15b955e Fix typos in error strings
fe5a24e Disable declarations inside an optional even if in the first call pass
git-subtree-dir: libsepol/cil
git-subtree-split: 15b955ea49c86549661b6520a85291735ce5496c
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.
Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.
This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
- Create role declarations no matter if the declaration is in base or
a module. Since CIL does not permit role re-declarations, this change
will break existing policies that have the same role declared in multiple
modules. To fix this, the policies will need to change the role to be
defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
decl. The full stack is needed to determine if identifiers are in
scope
- Only create roletype statements for a role and a type in two cases:
1) The role is declared/required and the type is declared/required in
the same scope or an ancestor scope of the role
2) The type is declared/required and the role is declared/required in
an ancestor scope of the type
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes the build with "make PYTHON=python2" on systems where python
is python3.
For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4. For each of them, these commands print the expected result:
python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
python -c "from distutils.sysconfig import *;print(get_python_lib(1))"
Acked-by: Steve Lawrence <slawrence@tresys.com>
test-linker-roles.c: In function 'module_role_tests':
test-linker-roles.c:147:7: error: array subscript is above array bounds
[-Werror=array-bounds]
decls[2] = (test_find_decl_by_sym(base, SYM_TYPES,"tag_g_m2"))->decl_id;
^
Acked-by: Steve Lawrence <slawrence@tresys.com>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes a warning from "gcc -Wwrite-strings", when
semanage_module_install_hll is called with "pp" as last parameter.
Acked-by: Steve Lawrence <slawrence@tresys.com>
gcc puts literal strings lie in read-only memory. On x86_64, trying to
write to them triggers a segmentation fault.
To detect such issues at build time, variables holding a pointer to such
strings should be "const char*". "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.
Remove gcc warnings by adding const to local variables and argumens of
internal functions.
This does *not* fix this warning:
policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
^
In file included from ../include/sepol/policydb/symtab.h:16:0,
from ../include/sepol/policydb/policydb.h:60,
from policydb_public.c:4:
../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
^
Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".
Acked-by: Steve Lawrence <slawrence@tresys.com>
Once __attribute__ ((format(printf, 1, 2))) is added to yyerror2,
"gcc -Wformat -Wformat-security" shows some issues. Fix them.
Acked-by: Steve Lawrence <slawrence@tresys.com>
log_err, cil_printf and cil_println use printf formats to process their
arguments. Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.
This detected this issue several times on a x86_64 system:
format '%lx' expects argument of type 'long unsigned int', but
argument has type 'uint32_t'
Fix this by introducing an explicit cast to unsigned long.
While at it, constify the format string argument of each function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fail with the following error:
semodule_unpackage.c: In function 'usage':
semodule_unpackage.c:17:25: error: declaration of 'progname' shadows a global declaration [-Werror=shadow]
static void usage(char *progname)
^
semodule_unpackage.c:14:7: error: shadowed declaration is here [-Werror=shadow]
char *progname = NULL;
^
Fix this error by no longer passing a global variable as a parameter to
usage function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fails with the following error:
cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
-I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-W -c -o seunshare.o seunshare.c
seunshare.c: In function 'spawn_command':
seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
int child;
^
seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
static int child = 0;
^
Fix this error by renaming the "child" variable in spawn_command.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" fails to compile seusers_local.c:
seusers_local.c: In function 'semanage_seuser_modify_local':
seusers_local.c:122:6: error: 'rc' may be used uninitialized in this
function [-Werror=maybe-uninitialized]
It seems rc is not initialized when the call to semanage_seuser_clone
fails in semanage_seuser_modify_local.
Acked-by: Steve Lawrence <slawrence@tresys.com>
When using "gcc -O2 -Wall -Werror" to compile libsepol, the following
error happens:
services.c: In function 'constraint_expr_eval_reason':
services.c:820:2: error: 'answer_list' may be used uninitialized in this
function [-Werror=maybe-uninitialized]
free(answer_list);
^
Indeed, because of a goto statement in constraint_expr_eval_reason
function, "free(answer_list)" can be called before answer_list has been
initialized.
Fix this error by moving the definition of answer_list to the beginning
of constraint_expr_eval_reason.
Acked-by: Steve Lawrence <slawrence@tresys.com>
mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
a permission access vector. However, av_permissions.h was deprecated, so
it does not have access to the constant. This updates mcstrans to use
string_to_av_perm() to get the value for context contains.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a new -S option to semodule. This option overrides store_root
in semanage.conf and sets the SELinux store's root path. If neither -S,
nor store_root are specified in semanage.conf, then the default
location is used.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Allow an alternative selinux store root path to be used. The option
can be set in semanage.conf as store_root. If no option is provided, the
default path for the store_root is "/var/lib/selinux".
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Providing --ignore-module-cache will cause the recompilating of all HLL
modules, and recaching of the resulting CIL files.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
An HLL to CIL compiler must exist in the compiler_directory path which
is configubrable in semanage.conf. By default, this path is
/usr/libexec/selinux/hll/. The compiler name needs to match the HLL
language extension. For example, for pp files,
/usr/libexec/selinux/hll/pp must exist.
The HLL infrastructure uncompresses the HLL module and pipes the data to
the appropriate CIL compiler. The output CIL from the compiler is read
from another pipe, compressed, and saved to the module store as a cached
CIL file. This file will be used on all subsequent policy builds, unless
a new module is installed with the same name at the same priority, at
which point the cache is deleted and is subsequently rebuilt and cached.
A new option is added to semanage.conf, ignore_cache, which if set to
true will cause the cached CIL files to be ignored and all HLL files to
be recompiled and the resulting CIL to be recached.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reads in a policy package file via stdin or via filename, and writes out
the equivilent CIL to stdout or to an output file, depending on the
parameters passed in.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
- Remove version references
- Use new methods for enabling/disabling modules
- Add support to set priority when adding/removing modules
- Modify module --list output to include priority and language extension
- Update permissiveRecords call to support cil policy
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Jason Dana <jdana@tresys.com>
We created a migration script to ease the burden of transition from the
old libsemanage store layout to the new. The script will detect all the
stores in /etc/selinux using the old layout and convert them to the new
layout in /var/lib/selinux. It also allows you to specify the default
priority to use with -p and store to operate on with -s. After migration
the script by default will leave the old store unchanged, but can be
told to remove the old modules directory with -c. Reloading policy post
migration can be disabled with the -n option.
Examples:
semanage_migrate_store
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
semanage_migrate_store -s targeted
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
semanage_migrate_store -p 150
Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
Attempting to rebuild policy from /var/lib/selinux
Signed-off-by: Chad Sellers <csellers@tresys.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
