Commit Graph

3655 Commits

Author SHA1 Message Date
wanghuizhao
d95bc8b755 libselinux: migrating hashtab from policycoreutils
To use hashtab in libselinux, migrate the existing hashtab template
from policycoreutils/newrole to libselinux.

Signed-off-by: wanghuizhao <wanghuizhao1@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-06-05 15:15:19 -04:00
Vit Mojzis
820f019ed9 python/audit2allow: Remove unused "debug" option
The option is not referenced anywhere in the code and I couldn't figure
out its purpose from the description.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-05-11 09:22:41 +02:00
Vit Mojzis
97ec1f70eb python/semanage: Improve man pages
- Add missing options
- Add more examples
- Note special cases

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-05-11 09:22:40 +02:00
Vit Mojzis
e563837a90 python/audit2allow: Add missing options to man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-05-11 09:22:40 +02:00
Vit Mojzis
18232cd4db python/chcat: Improve man pages
- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-05-11 09:22:39 +02:00
Christian Göttsche
c9b3cbb654 libselinux: set CFLAGS for pip installation
Explicitly set CFLAGS for the pip install command, similar to calling
setup.py, to ignore known compiler warnings treated as errors, e.g.:

    selinuxswig_python_wrap.c:3593:19: error: 'sidget' is deprecated [-Werror,-Wdeprecated-declarations]
                result = (int)sidget(arg1);
                              ^
    selinuxswig_python_wrap.c:15024:1: error: no previous prototype for function 'PyInit__selinux' [-Werror,-Wmissing-prototypes]
            SWIG_init(void) {
            ^

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-05-03 09:15:41 -04:00
Christian Göttsche
b7b32cf40b checkpolicy/dispol: add output functions
Add the ability to show booleans, classes, roles, types and type
attributes of policies.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:37 -04:00
Christian Göttsche
3be312e0cf libsemanage: fix memory leak in semanage_user_roles
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names.  Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.

Example leak report from useradd(8):

    Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
    #1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
2023-05-03 09:15:34 -04:00
Christian Göttsche
b5dffcd9a1 libsemanage/tests: rename bool identifiers
Avoid using the identifier `bool` to improve support with future C
standards.  C23 is about to make `bool` a predefined macro (see N2654).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:26 -04:00
Christian Göttsche
ae5a5d0ae4 libsepol: rename bool identifiers
Avoid using the identifier `bool` to improve support with future C
standards.  C23 is about to make `bool` a predefined macro (see N2654).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:24 -04:00
Christian Göttsche
d213d80f56 checkpolicy: rename bool identifiers
Avoid using the identifier `bool` to improve support with future C
standards.  C23 is about to make `bool` a predefined macro (see N2654).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:22 -04:00
Christian Göttsche
893b50c6ce libsepol/tests: rename bool indentifiers
Avoid using the identifier `bool` to improve support with future C
standards.  C23 is about to make `bool` a predefined macro (see N2654).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:20 -04:00
Christian Göttsche
513fc1570c checkpolicy: update cond_expr_t struct member name
The previous commit changed the member `bool` to `boolean` of the
libsepol type `cond_expr_t` for C23 compatibility.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:18 -04:00
Christian Göttsche
61f2138500 libsepol: rename struct member
Avoid using the identifier `bool` to improve support with future C
standards.  C23 is about to make `bool` a predefined macro (see N2654).

Since the type `cond_expr_t` is part of the public API it will break
client applications.  A quick search of the code in Debian shows only
usages in checkpolicy and setools.

Define a new macro signaling the renaming to simplify support of client
applications for new and older versions of libsepol.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-05-03 09:15:16 -04:00
Christian Göttsche
e9072e7d45 libsepol/tests: add tests for minus self neverallow rules
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-03-30 15:08:58 -04:00
Christian Göttsche
4a43831f88 libsepol/tests: add tests for not self neverallow rules
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-03-30 15:08:49 -04:00
Christian Göttsche
6f7b0ee6c4 checkpolicy: add not-self neverallow support
Add support for using negated or complemented self in the target type of
neverallow rules.

Some Refpolicy examples:

    neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
    neverallow domain { domain -self -dockerc_t }:dir create;
    # no violations

    neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
    libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

    neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };

    libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
    libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };

Using negated self in a complement, `~{ domain -self }`, is not
supported.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-03-30 15:08:42 -04:00
Christian Göttsche
ec78788c29 libsepol: Add not self support for neverallow rules
Add not self support for neverallow rules.

Example 1
  allow TYPE1 TYPE1 : CLASS1 PERM1; # Rule 1
  allow TYPE1 TYPE2 : CLASS1 PERM1; # Rule 2
  neverallow TYPE1 ~self : CLASS1 PERM1;

Rule 1 is not a violation of the neverallow. Rule 2 is.

Example 2
  allow TYPE1 TYPE1 : CLASS2 PERM2; # Rule 1
  allow TYPE1 TYPE2 : CLASS2 PERM2; # Rule 2
  allow TYPE1 TYPE3 : CLASS2 PERM2; # Rule 3
  neverallow ATTR1 { ATTR2 -self } : CLASS2 PERM2;

Assuming TYPE1 has attribute ATTR1 and TYPE1 and TYPE2 have
attribute ATTR2, then rule 1 and 3 are not violations of the
neverallow while rule 2 is. Rule 3 is not a violation because
TYPE3 does not have attribute ATTR2.

Adopted improvements from James Carter <jwcart2@gmail.com>

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-03-30 15:08:37 -04:00
Ondrej Mosnacek
86b49aa7a3
scripts/ci: install rdma-core-devel for selinux-testsuite
It is required to build it as of commit 4b4922e115e2
("tests/infiniband*: simplify test activation").

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2023-03-20 14:44:05 +01:00
Ondrej Mosnacek
a171ba62bb
libsemanage: include more parameters in the module checksum
The check_ext_changes option currently assumes that as long as the
module content is unchanged, it is safe to assume that the policy.linked
file doesn't need to be rebuilt. However, there are some additional
parameters that can affect the content of this policy file, namely:
* the disable_dontaudit and preserve_tunables flags
* the target_platform and policyvers configuration values

Include these in the checksum so that the option works correctly when
only some of these input values are changed versus the current state.

Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2023-03-20 10:44:08 +01:00
Jason Zaman
d6e96c5929
Update VERSIONs to 3.5 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-23 05:16:11 -08:00
Jason Zaman
83e56c8a8b
Update VERSIONs to 3.5-rc3 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:32:13 -08:00
Christian Göttsche
49e65b85d6 libselinux: getcon.3: add note about PID races
Add a note that querying a foreign process via its PID is inherently
racy.

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:23:17 -08:00
Christian Göttsche
494eb683f3 libselinux: add getpidprevcon
Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:23:11 -08:00
Christian Göttsche
1609b9fdfd libselinux: restore: use fixed sized integer for hash index
The hash mask is set to 2^16 - 1, which does not fit into a signed 16
bit integer.  Use uint32_t to be on the safe side.  Also use size_t for
counting in debug function.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:19:00 -08:00
Christian Göttsche
06512c4373 libselinux: restore: misc tweaks
Add const qualifier to read-only state struct.

Minimize scope of function local variables, to reduce complexity.

Pass only the file type related file flags to selabel_lookup(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:18:53 -08:00
Christian Göttsche
f9df9487ad libselinux: drop obsolete optimization flag
The optimization flag -funit-at-a-time is enabled by default in GCC[1]
and not supported by Clang:

    clang: error: optimization flag '-funit-at-a-time' is not supported [-Werror,-Wignored-optimization-argument]

[1]: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-02-10 22:18:46 -08:00
Vit Mojzis
d8eb8b309f python/sepolicy: Cache conditional rule queries
Commit 7506771e4b
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.

Before commit 7506771e:
 #time sepolicy manpage -a
 real	1m43.153s
 # time sepolicy manpage -d httpd_t
 real	0m4.493s

After commit 7506771e:
 #time sepolicy manpage -a
 real   1h56m43.153s
 # time sepolicy manpage -d httpd_t
 real	0m8.352s

After this commit:
 #time sepolicy manpage -a
 real	1m41.074s
 # time sepolicy manpage -d httpd_t
 real	0m7.358s

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-02-06 15:38:58 +01:00
Petr Lautrbach
62d6d13f70 Update translations
Source: https://translate.fedoraproject.org/projects/selinux/

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-02-06 15:34:01 +01:00
Jason Zaman
b5f01626fe ci: bump to python 3.11 in GitHub Actions
- Also drop py3.5, py3.6 since they are no longer supported in the
  github 22.04 runners

Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-02-01 16:48:21 +01:00
Christian Göttsche
4622ac0064 mcstrans: preserve runtime directory
Do not remove the runtime directory /run/setrans/, which is the parent
for the security context translation socket .setrans-unix, when the
service is stopped, so the path can not be taken over by a foreign
program, which could lead to a compromise of the context translation of
libselinux.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-02-01 15:58:41 +01:00
Jason Zaman
3ccea01c69
Update VERSIONs to 3.5-rc2 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2023-01-15 15:40:55 -08:00
lujiev
27e1c7c8e9 checkpolicy: delete invalid spaces
Closes: https://github.com/SELinuxProject/selinux/pull/372
Signed-off-by: lujiev <572084868@qq.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-01-15 14:52:25 -08:00
Inseob Kim
30b3e9d25f libselinux: Workaround for heap overhead of pcre
pcre's behavior is changed so that pcre2_match always allocates heap for
match_data, rather than stack, regardless of size. The heap isn't freed
until explicitly calling pcre2_match_data_free. This new behavior may
result in heap overhead, which may increase the peak memory usage about
a few megabytes. It's because regex_match is first called for regex_data
objects, and then regex_data objects are freed at once.

To workaround it, free match_data as soon as we call regex_match. It's
fine because libselinux currently doesn't use match_data, but use only
the return value.

Signed-off-by: Inseob Kim <inseob@google.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-01-15 14:17:15 -08:00
Vit Mojzis
7506771e4b python/sepolicy: add missing booleans to man pages
get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).

e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]

- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
  it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
  get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
  like httpd_dontaudit_search_dirs

Note: get_bools uses security_get_boolean_active to get the boolean
      value, but the value is later used to represent the default.
      Not ideal, but I'm not aware of a way to get the actual defaults.

Fixes:
        "sepolicy manpage" generates man pages that are missing booleans
        which are included in non trivial conditional expressions
        e.g. httpd_selinux(8) does not include httpd_can_check_spam,
        httpd_tmp_exec, httpd_unified, or httpd_use_gpg

        This fix, however, also adds some not strictly related booleans
        to some man pages. e.g. use_nfs_home_dirs and
        use_samba_home_dirs are added to httpd_selinux(8)

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
2023-01-15 14:12:34 -08:00
Christian Göttsche
986a3fe27e libsepol: do not write empty class definitions
Do not write class definitions for classes without any permission and
any inherited common class.  The classes are already declared in
write_class_decl_rules_to_conf().  Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.

This will enable simple round-trip tests with checkpolicy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:48:19 -05:00
Christian Göttsche
b32e85cf67 Correct misc typos
Found by codespell(1) and typos[1].

[1]: https://github.com/crate-ci/typos

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:45:08 -05:00
Petr Lautrbach
d0b3d89c11 sepolicy: Make generated boolean descriptions translatable
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:43:54 -05:00
Christian Göttsche
fa936a0a30 libsepol: reject attributes in type av rules for kernel policies
The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1].  Such rules
should have been expanded[2].

[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:43:09 -05:00
kkz
60a0d7285d sepolicy: fix a spelling mistake
Signed-off-by: zhaoshuang <zhaoshuang@uniontech.com>
Signed-off-by: zhaoshuang <izhaoshuang@163.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:42:11 -05:00
Jie Lu
1fe82e5cf5 policycoreutils: fix potential NULL reference in load_checks
In load_checks(), add return check for malloc() to avoid NULL reference.

Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-01-11 08:40:33 -05:00
Jason Zaman
013ecfd7fa Update VERSIONs to 3.5-rc1 for release.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2022-12-22 13:10:26 -08:00
Jason Zaman
d1e3170556 python: Ignore installed when installing to DESTDIR
When installing to a destdir with pip install --prefix= --root=, pip tries to
uninstall the existing root-owned package and fails

Fixes:
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master`  .
Processing /tmp/selinux-release/selinux-master/python/sepolicy
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: sepolicy
  Building wheel for sepolicy (setup.py) ... done
  Created wheel for sepolicy: filename=sepolicy-3.4-py3-none-any.whl size=1663564 sha256=229546db123e7d84613d190d49c192291b1a4f7f2a037657b39283b04ac391a4
  Stored in directory: /tmp/pip-ephem-wheel-cache-50r2x4cn/wheels/b2/9e/63/6a6212a84d65a709923228719d065ed34e66a90c7fed01e8cf
Successfully built sepolicy
Installing collected packages: sepolicy
  Attempting uninstall: sepolicy
    Found existing installation: sepolicy 3.4
    Uninstalling sepolicy-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: 'generate.py'
Consider using the `--user` option or check the permissions.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2022-12-22 08:59:05 -08:00
Jason Zaman
daf687247a libselinux: Ignore installed when installing python bindings to DESTDIR
When the python bindings are installed to a destdir with pip install
--prefix= --root=, pip tries to uninstall the existing root-owned
package and fails

Fixes:
running build_ext
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master`  .
Processing /tmp/selinux-release/selinux-master/libselinux/src
  Preparing metadata (setup.py) ... done
Building wheels for collected packages: selinux
  Building wheel for selinux (setup.py) ... done
  Created wheel for selinux: filename=selinux-3.4-cp310-cp310-linux_x86_64.whl size=725511 sha256=b35e9cdb2a6efce389eeece45446826b4ac6b41f81fdc128893f947036f27e8e
  Stored in directory: /tmp/pip-ephem-wheel-cache-kemjh99e/wheels/ca/2d/1e/d1ab52426d9add92931471cfa0d2558bcbeed89084af2388c9
Successfully built selinux
Installing collected packages: selinux
  Attempting uninstall: selinux
    Found existing installation: selinux 3.4
    Uninstalling selinux-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '__init__.cpython-310.pyc'
Consider using the `--user` option or check the permissions.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2022-12-22 08:58:30 -08:00
Petr Lautrbach
4f9e836f98 Use pip install instead of setup.py install
Fixes:
    /usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 17:09:27 -05:00
James Carter
2a91411d7f Revert "Use pip install instead of setup.py install"
This reverts commit 2c3b818f5d.

An earlier version of the patch was commited by mistake.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-12-16 17:08:58 -05:00
Petr Lautrbach
7ff1d7f1c2 sepolicy: Call os.makedirs() with exist_ok=True
Since commit 7494bb1298 ("sepolicy: generate man pages in parallel")
man pages are generated in parallel and there's a race between
os.path.exists() and os.makedirs().

The check os.path.exists() is not necessary when os.makedirs() is called
with exist_ok=True.

Fixes:
/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 16:43:48 -05:00
Petr Lautrbach
98c637c4cc python: Fix detection of sepolicy.glade location
Commit c08cf24f39 ("python: Remove dependency on the Python module
distutils") replace usage of distutils.sysconfig by sysconfig but it was
forgotten on the fact that the later provide a different api.

Fixes:
    self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
                     ^^^^^^^^^^^^^^^^^^^^^^^^
    AttributeError: module 'sysconfig' has no attribute 'get_python_lib'

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 16:43:41 -05:00
Petr Lautrbach
a9517c3896 sepolicy: Switch main selection menu to GtkPopover
Fixes: https://github.com/SELinuxProject/selinux/issues/206

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 16:43:17 -05:00
Jie Lu
4c47f92758 libselinux:add check for malloc
Add return check for regex_data_create() to avoid NULL reference of regex_data

(gdb) bt
 #0  0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
 #1  0x00007fbde5e3a489 in regex_data_create () at regex.c:260
 #2  0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
 #3  0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
 #4  lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
     at label_file.c:949
 #5  0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
 #6  0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167

Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 16:32:04 -05:00