Commit Graph

44 Commits

Author SHA1 Message Date
Petr Lautrbach
cf853c1a0c
Update VERSIONs to 3.2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-03-04 16:42:59 +01:00
Petr Lautrbach
d4d1f4ba7e
Update VERSIONs to 3.2-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-24 15:49:59 +01:00
Petr Lautrbach
2c7c4a84c3
Update VERSIONs to 3.2-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-03 11:26:28 +01:00
Vit Mojzis
e12f71e82f python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.

Fixes:
        $ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
        interface(`apache_manage_pid_files',`
                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
        ')
')

        #sepolgen-ifgen --interface=i.if
        i.if: Syntax error on line 2 interface [type=INTERFACE]
        i.if: Syntax error on line 4 ' [type=SQUOTE]

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-01-27 17:02:45 +01:00
Petr Lautrbach
c534d4e2ce
Update VERSIONs and Python bindings version to 3.2-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-01-20 12:40:14 +01:00
Christian Göttsche
2a60de8eca sepolgen: sort extended rules like normal ones
Currently:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

Changed:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Christian Göttsche
9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Petr Lautrbach
7df27b78e9 Update VERSIONs and Python bindings version to 3.1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-07-10 17:17:15 +02:00
Petr Lautrbach
b3d8b99f0c Update VERSIONs to 3.1-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-06-19 13:02:31 +02:00
Christian Göttsche
c40c4e4428 refparser: add missing newline after error message
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:51 +02:00
Christian Göttsche
5adc269f95 sepolgen: parse gen_tunable as bool
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:

    Missing interface definition for gen_tunable

Add grammar for gen_tunable statements in the refparser

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:29 +02:00
Petr Lautrbach
c554c3d88a Update VERSIONs to 3.1-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-15 15:54:08 +02:00
Petr Lautrbach
dca7ce8195
Update VERSIONs to 3.0 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-28 13:46:48 +01:00
Petr Lautrbach
6e187f8a2a Update VERSIONs to 3.0-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-22 13:54:17 +01:00
Petr Lautrbach
6d5f7f20bc Replace www.nsa.gov references by github.com/SELinuxProject
The original page doesn't exist anymore.

Fixes: https://github.com/SELinuxProject/selinux/issues/170

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-08 09:20:29 -05:00
Petr Lautrbach
b3ed0a7a60 Update VERSIONs to 3.0-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-10-28 13:06:11 +01:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Petr Lautrbach
891cfee44f Update VERSIONs to 2.9 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-15 11:32:30 +01:00
Petr Lautrbach
1952be65dc Switch to python3 by default
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched python3
- Users with python 2 only can still use:

$ make PYTHON=/usr/bin/python ....

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Nicolas Iooss
f906ae66a4
python: use == or != when comparing a variable with a string or a integer
Flake8 3.7.0 added a new fatal error message when parsing Python files:

    python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
    python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
    ...
    python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
    python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals

Fix all these warnings.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-31 20:57:23 +01:00
Nicolas Iooss
61f7b35b10
python: reindent lines that were over-indented
Flake8 3.7.0 warns about lines that are over-indented, i.e. lines that
are indented with more than 4 spaces:

    python/sepolgen/src/sepolgen/refparser.py:1047:26: E117 over-indented
    python/sepolgen/src/sepolgen/yacc.py:2569:21: E117 over-indented
    python/sepolicy/sepolicy/interface.py:196:13: E117 over-indented
    python/sepolicy/sepolicy/interface.py:198:13: E117 over-indented
    python/sepolicy/sepolicy/interface.py:215:13: E117 over-indented
    python/sepolicy/sepolicy/interface.py:217:13: E117 over-indented
    python/sepolicy/sepolicy/manpage.py:172:13: E117 over-indented
    python/sepolicy/sepolicy/manpage.py:174:13: E117 over-indented

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-31 20:57:17 +01:00
Nicolas Iooss
916640d786 python/sepolgen: refpolicy installs its Makefile in include/Makefile
When running "make install-headers" on refpolicy,
/usr/share/selinux/refpolicy/Makefile does not exist but
/usr/share/selinux/refpolicy/include/Makefile does. Use it when
available.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
33d7a761e5 python/sepolgen: close /etc/selinux/sepolgen.conf after parsing it
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:

    .../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
    <_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
    encoding='UTF-8'>

Fix this by properly closing the file in PathChooser.__init__().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
691231e612 python/sepolgen: upgrade ply to release 3.11
PLY (Python Lex-Yacc) 3.11 has been released in February 2018:
- http://www.dabeaz.com/ply/index.html
- https://github.com/dabeaz/ply/releases/tag/3.11

Copy lex.py and yacc.py from this new release.

This fixes the following warning from "make test":

    python run-tests.py
    ../src/./sepolgen/lex.py:634: DeprecationWarning: Using or importing
    the ABCs from 'collections' instead of from 'collections.abc' is
    deprecated, and in 3.8 it will stop working
     if isinstance(t, collections.Callable):

(Python 3.3 moved collections.Callable to collections.abc.Callable)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-04 13:52:09 +01:00
Nicolas Iooss
89e808af1d python/sepolgen: always indent with 4 spaces
p_attribute_role_def() used tabs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 13:29:08 +01:00
Nicolas Iooss
6f01778406
python: remove semicolon from end of lines
Python does not need to end a statement with a semicolon. Doing this
gets reported by linters such as flake8 ("E703 statement ends with a
semicolon").

Remove such semicolons in the code and enable this warning in
scripts/run-flake8.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 17:55:19 +02:00
Nicolas Iooss
052dcf62fd
python/sepolgen: use self when accessing members in FilesystemUse
This silences the following flake8 errors:

    python/sepolgen/src/sepolgen/refpolicy.py:758:25: F821 undefined name 'XATTR'
    python/sepolgen/src/sepolgen/refpolicy.py:760:27: F821 undefined name 'TRANS'
    python/sepolgen/src/sepolgen/refpolicy.py:762:27: F821 undefined name 'TASK'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
e6dd227272
python/sepolgen: remove buggy code
av_extract_params() may call __param_insert() with only 2 parameters
instead of 4, which has no chance to work fine. Moreover it uses "PERM",
which is undefined. As nobody complained about this code, it seems to be
dead, so remove it.

This issue has been found using flake8. This Python linter reported:

    python/sepolgen/src/sepolgen/interfaces.py:158:37: F821 undefined
    name 'PERM'

While at it, fix a typo in a comment.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
20db6a5a73
python/sepolgen: silence linter warning about has_key
flake8 warns about using has_key():

    python/sepolgen/src/sepolgen/refparser.py:315:15: W601 .has_key() is
    deprecated, use 'in'

However "spt.has_key(id)" uses function SupportMacros.has_key(), which
is not the same as the "in" operator. Silence this warning by using "#
noqa".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
3d3c51d607
python/sepolgen: fix refpolicy parsing of "permissive"
p_permissive() uses an undefined variable t, which is buggy. In order to
ignore permissive statements, the function only needs to "pass".

flake8 reported the following error:

    python/sepolgen/src/sepolgen/refparser.py:789:5: F821 undefined name 't'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
a0c167ed22
python/sepolgen: return NotImplemented instead of raising it
sepolgen uses "return NotImplemented" (in access.py and matching.py) in
order to make Python's sorting function use an other call to compare
objects. For this to work, "NotImplemented" needs to be returned, not
raised like _compare's default implementation does.

This issue has been found using flake8. This Python linter reported:

    python/sepolgen/src/sepolgen/util.py:128:9: F901 'raise
    NotImplemented' should be 'raise NotImplementedError'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
03c708d28d
python/sepolgen: do not import twice the modules
util.py starts by importing "locale" and "sys", so there is no need to
import these modules again in the functions.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:07 +02:00
Jan Zarsky
42b4a44b74 python: add xperms support to audit2allow
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.

AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.

Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.

PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.

With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:36:14 +02:00
Jan Zarsky
474f9b08d4 python/sepolgen: fix access vector initialization
In access module, in AccessVector.__init__() method, when init_list is
not None, the access vector is initialized by from_list() method.
However, this method does not assign attributes self.audit_msgs,
self.type, and self.data. Fix this by assigning these attributes in
__init__() method.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:34:53 +02:00
Jan Zarsky
a98314d8c1 python/sepolgen: print all AV rules correctly
In refpolicy module, in AVRule.__rule_type_str() method, self.rule_type
was not checked for value self.NEVERALLOW so that string "neverallow"
was never returned. Fix this by checking all four possible values and
returning correct strings.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:34:53 +02:00
Nicolas Iooss
91ef21e31f python/sepolgen: fix typo in PathChoooser name
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-06-06 15:56:45 -04:00
Vit Mojzis
1ac7716df4 python/sepolgen: Try to translate SELinux contexts to raw
This allows sepolgen to generate policy from AVC messages that contain
contexts translated by mcstrans.

Fixes:

\# echo "type=USER_AVC msg=audit(1468415802.940:2199604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:SystemLow-SystemHigh tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'" | audit2allow

libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:system_r:systemd_logind_t:SystemLow-SystemHigh to sid

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-04-13 13:41:46 -04:00
Jan Zarsky
29d84c6280 python/sepolgen: fix typo in PolicyGenerator 2018-03-08 14:56:19 -05:00
Marcus Folkesson
88a6216ddb python: build: move modules from platform-specific to platform-shared
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson
11aaf180ef python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Ville Skyttä
fba9d01035 Python 3.6 invalid escape sequence deprecation fixes
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior

A backslash-character pair that is not a valid escape sequence now
generates a DeprecationWarning. Although this will eventually become a
SyntaxError, that will not be for several Python releases.

The problem appears when you use '-W error':

$ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")'
  File "<string>", line 1
SyntaxError: invalid escape sequence \-

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>

[ Edited commit message as per suggestion from Petr Lautrbach ]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-10 15:56:36 -05:00
Vit Mojzis
ed51e23f15 sepolgen: strip non-printable characters when parsing audit messages
Strip the following characters
\x1c	File Separator
\x1d	Group Separator
\x1e	Record Separator
\x85	Next Line (C1 Control Code)
from audit message fields to make sure they are not evaluated
as part of some identifier (eg. ausearch used insert \x1d into
--raw output resulting in "unrecognized class" error messages).

This is done as part of str.split() in python3.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1406328
2017-02-21 13:43:09 -05:00
Stephen Smalley
7935dee8f6 Drop ChangeLog files
They can be generated as desired via git log.
No need to keep maintaining them by hand.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 12:10:58 -05:00
Stephen Smalley
48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:50 -05:00