Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
1. check the return of strdup to avoid a potential NULL reference.
2. make sure line_buf is freed.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
`fixfiles -M relabel` temporary bind mounts file systems before
relabeling, but it left the / directory mounted in /tmp/tmp.XXXX when a
user hit CTRL-C. It means that if the user run `fixfiles -M relabel`
again and answered Y to clean out /tmp directory, it would remove all
data from mounted fs.
This patch changes the location where `fixfiles` mounts fs to /run, uses
private mount namespace via unshare and adds a handler for exit signals
which tries to umount fs mounted by `fixfiles`.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2125355
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
distro module uses /etc/os-release file which contains operating system
identification data, see os-release(5). Given that the mechanism doesn't
use `rpm` it should be possible to generate man pages on other
distributions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 7494bb1298 ("sepolicy: generate man pages in parallel")
improved sepolicy performance but broke `sepolicy manpage -w ...` as it
didn't collect data about domains and roles from ManPage() and so
HTMLManPages() generated only empty page. This is fixed now, domains
and roles are being collected and used for HTML pages.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Boolean names, taken by security_get_boolean_pending(3),
security_get_boolean_active(3) and security_set_boolean(3), as well as
user names, taken by security_get_initial_context(3), are used in path
constructions. Ensure they do not contain path separators to avoid
unwanted path traversal.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bail out if computed paths based on user input are being truncated, to
avoid wrong files to be opened.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Using strndup(3) instead of malloc(3) followed by strncpy(3) simplifies
the code and pleases GCC:
In file included from /usr/include/string.h:535,
from context.c:2:
In function ‘strncpy’,
inlined from ‘context_new’ at context.c:74:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: error: ‘__builtin_strncpy’ destination unchanged after copying no bytes [-Werror=stringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add tests for neverallow assertion checks.
This creates a foundation for the status quo, and enables to spot
regressions in future changes to the - quite complex - assertion logic.
One example is the support for not-self rules.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the more strict C compiler warnings from the root Makefile.
Also fail on warnings from the m4 macro processor.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The internal variable avc_netlink_trouble is only assigned but never
read from.
Unused since the initial commit 13cd4c8960 ("initial import from svn
trunk revision 2950").
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3) instead of allocating memory and then manually copying the
content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3) instead of allocating memory and then manually copying the
content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3)/strndup(3) instead of allocating memory and then manually
copying the content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple time (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).
Ensure that the class provided does not contain any path separator.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
With the removal of any dependence on the python disutils module,
Debian no longer depends on the python3-disutils package.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the sysconfig module instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the sysconfig module instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files
such as sockets, named pipes and so on. Therefore, it should not be
available to sandboxed processes.
Usage:
# ls -a $XDG_RUNTIME_DIR
. .. bus pipewire-0 systemd
# sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR"
. ..
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
If the user is root, tmpdir is already wiped out.
Fixes:
# sandbox -T /root/tmp -- id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
self.export_config(filename)
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Commit bc26ddc59c ("libsepol/cil: Limit the amount of reporting for
context rule conflicts") reworked the processing of context rule
conflicts to limit the number of written conflicting statements to
increase readability of the printed error message. It forgot to set the
return value, signaling a context conflict, in the case the logging
level is higher than warning (e.g. in semodule(8), which defaults to
error).
Reported-by: Milos Malik <mmalik@redhat.com> [1]
Fixes: bc26ddc59c ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Support passing an optional object name to compute_create for name
based type transitions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
This change will allow a user to set the location of their
sysconfdir, defaulted to /etc, if they are installing into
nonstandard locations.
Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Some time ago pandoc started shipping a default css file for html, while
that is nice, it limits the max-width of the body element to 36em. We
have a lot of tables, code examples, etc... in the manual that are too
big for that, requiring constant scrolling.
See https://github.com/jgm/pandoc/blob/master/data/templates/styles.html
for the default used.
While some styling, perhaps even dark/light mode support in the CSS
would be nice, I didn't manage to find a simple way to achieve this, so
for now just disable the CSS.
Expand the arguments for pandoc in the Makefile for better readability.
Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
It appears that a recent version of pandoc (or the library it uses)
changed where the lists are found in the XML or became more strict.
Move the lists to the right location in the document.
Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
Function `class_perm_node_init()` is called with `dest_perms` before it
is checked that its allocation succeeded. If the allocation fails, then
a NULL pointer is passed to `memset()` inside the
`class_perm_node_init()` function.
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
CIL Reference Guide defines typetransition rule with double quotes
around object name, but those are not present in the format string.
This patch fixes this issue, so the CIL output produced by
sepol_kernel_policydb_to_cil() is in the correct format.
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang 15 starts to complain about non strict function definitions:
user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int start() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
