Commit Graph

1587 Commits

Author SHA1 Message Date
Jason Zaman
4d340e467a policycoreutils/gui: update to python3
print functions
exceptions, e => as e
keys.sort() => sorted(d.keys())

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
af59544e5f policycoreutils: gettext compat for py2 and 3
Install gettext the same way everywhere and have fallbacks to use
str/unicode depending on python version.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
b43991f913 policycoreutils: import sepolicy directly
instead of from sepolicy import foo. Makes it easier to grep for
consumers that still need to be fixed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
7f956419c2 sepolicy: dont alias sepolicy.search and sepolicy.info
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
f300803045 sepolicy: update exceptions and print for python3
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
b87db86f79 sepolicy: C Module init for python3
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
356a6e2566 sepolicy: Add python3 PyInt and PyString defs
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
925bb39ba2 semanage: misc style issues
Unused imports
== None should be is None

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
35d44f17af seobject: use sorted() instead of .sort()
2to3 wanted to wrap all the .keys() calls in list() but doing sorted()
directly is better.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
b51c39499b semanage: py3 support for print function and map/filter
map and filter were turned into list comprehensions.
This was done using python's 2to3 utility.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Steve Lawrence
4209c00afe Update libsepol ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-08-05 07:37:08 -04:00
William Roberts
ca3ec93ad0 module_to_cil: fix possible use of uninitialized value
Correct errors like these reported by gcc:

module_to_cil.c: In function ‘block_to_cil’:
module_to_cil.c:229:20: error: ‘attr_list’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  struct list_node *curr = (*attr_list)->head;

Usages of attr_list_destroy() were called when list_init()
fails.

stack_init() and stack_destroy() also suffered from the
aforementioned issue.

To correct the issue, initialize stack and list variables to
NULL.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-05 07:36:24 -04:00
Steve Lawrence
6dc34b2b6f Update libselinux ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-08-04 08:56:52 -04:00
Laurent Bigonville
46c4f3a716 libselinux/utils/Makefile: Fix in tree compilation
Some tools need the sepol/sepol.h header
2016-08-04 08:54:15 -04:00
Steve Lawrence
af7aa0b9ad Update policycoreutils ChangeLog.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-08-04 08:43:39 -04:00
Petr Lautrbach
62a2a94419 policycoreutils: semodule - remove 'q' from getopt string
Users are confused that this option is not documented or that
'semodule -q' doesn't show:

semodule: invalid option -- 'q'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-08-04 08:42:15 -04:00
Stephen Smalley
a736d9d070 Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-28 10:52:34 -04:00
James Carter
46e157b470 libsepol/cil: Warn instead of fail if permission is not resolve
If a policy module package has been created with a policy that contains
a permission and then is used on a system without that permission CIL
will fail with an error when it cannot resolve the permission.

This will prevent the installation on policy and the user will not
know that the policy has not been installed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-28 10:51:38 -04:00
James Carter
d5396d8312 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-26 13:43:18 -04:00
Steve Lawrence
7a137eb75f libsepol/cil: Ignore object_r in userrole mappings when creating policy binary
Commit 77779d2ca, which added support for userattributes in CIL,
accidentally removed code that ignored object_r when adding userrole
mappings to the policydb. This meant that running commands like
`semanage user -l` would incorrectly show object_r. This patch adds that
code back in. Note that CIL requires that these mappings exist to
properly validate file contexts, so pp2cil's behavior of creating these
mappings is not modified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-07-26 13:41:43 -04:00
Stephen Smalley
c17727e54f Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-25 13:57:21 -04:00
Petr Lautrbach
859c82d8e6 policycoreutils: Remove unused autoconf files from po/
None of *.in and POTFILES* files is used in current build process.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-25 13:54:49 -04:00
Piotr Drąg
bc69158385 policycoreutils: Remove duplicate, empty translation files
policycoreutils carries many duplicate, empty translation files.
They are a remnant of broken Transifex's system for managing
translation codes. This commit removes them.

Signed-off-by: Piotr Drąg <piotrdrag@gmail.com>
2016-07-25 13:54:43 -04:00
Stephen Smalley
4a3fbdae6e Updated checkpolicy ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-25 13:54:10 -04:00
Stephen Smalley
2c1979f0a6 Extend checkpolicy pathname matching.
checkpolicy currently imposes arbitrary limits on pathnames used
in genfscon and other statements.  This prevents specifying certain
paths in /proc such as those containing comma (,) characters.

Generalize the PATH, QPATH, and FILENAME patterns to support most
legal pathnames.

For simplicity, we do not support pathnames containing newlines or
quotes.

Reported-by: Inamdar Sharif <isharif@nvidia.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-14 11:41:28 -04:00
Stephen Smalley
c983674138 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-12 15:36:44 -04:00
Jason Zaman
0576ba5268 open_init_pty: Do not error on EINTR
There is a signal handler so that the select returns EINTR when the
child exits. EINTR is used to then clean up and flush the remaining
buffers. It should not error.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-07-12 15:35:23 -04:00
James Carter
77e86c0b8c Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-12 14:27:57 -04:00
Petr Lautrbach
747a440fdd libsepol: Add missing return to sepol_node_query()
Due to the missing return in sepol_node_query(), the function always
set *response to NULL whenever a protocol was SEPOL_PROTO_IP6

Fixes:
sudo semanage node -a -M ::1 -p ipv6 -t node_t ::1
sudo semanage node -m -M ::1 -p ipv6 -t node_t ::1
[1]    12968 segmentation fault (core dumped)  semanage node -m -M ::1 -p ipv6 -t node_t ::1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-12 13:48:05 -04:00
Stephen Smalley
144b74905c Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-01 13:04:15 -04:00
Thomas Petazzoni
0635cd495b Add missing <stdarg.h> include
Add missing <stdarg.h> include

This is needed to fix the build on uClibc, due to the usage of
va_list.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-01 13:02:15 -04:00
Stephen Smalley
74e25b1e81 Updated ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-01 12:58:23 -04:00
Petr Lautrbach
03e87ff2a9 policycoreutils: fix [-s STORE] typos in semanage
semanage and semanage man pages used wrong usage of
[-S STORE] in synopsis

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-01 12:54:17 -04:00
Petr Lautrbach
a9604c30a5 libselinux: Change the location of _selinux.so
There was a change in swig-3.10 to use importlib instead of imp. While
the implementation with imp looked for _selinux.so also into the same directory
as __init__.py is, a new module with importlib searchs only standard paths.
It means that we need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
to $(PYLIBDIR)/site-packages/.

Fixes:
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in <module>
    _selinux = swig_import_helper()
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in swig_import_helper
    return importlib.import_module('_selinux')
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
ImportError: No module named _selinux

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-01 12:54:12 -04:00
Stephen Smalley
e55b86e7c6 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 13:00:16 -04:00
David King
d6413cdbd2 libselinux: man: Clarify is_selinux_mls_enabled() description
Improve the description by mentioning that if is_selinux_mls_enabled(),
it simply means that the kernel has MLS support and the policy contains
MLS features. To check whether MLS support is enabled on the running
system, use selinux_getpolicytype().

Signed-off-by: David King <dking@redhat.com>
2016-06-23 12:58:15 -04:00
David King
984fd069e2 libselinux: man: Explain how to free policy type from selinux_getpolicytype()
Additionally, fix a typo.

Signed-off-by: David King <dking@redhat.com>
2016-06-23 12:58:03 -04:00
Stephen Smalley
7dd0afc9a1 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:57:50 -04:00
Petr Lautrbach
7c1a5e3b03 libselinux: compare absolute pathname in matchpathcon -V
filepath needs to be resolved first in order to be correctly found by
selabel_lookup_raw()

Fixes:
$ matchpathcon -V passwd
passwd has context system_u:object_r:passwd_file_t:s0, should be
system_u:object_r:passwd_file_t:s0

$ echo $?
1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:56:06 -04:00
Stephen Smalley
ff65937851 Updated checkpolicy ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:52:58 -04:00
Petr Lautrbach
286df12fd9 checkpolicy: Fix typos in test/dispol
Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:52:36 -04:00
Stephen Smalley
5f512c4e93 Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:52:15 -04:00
Petr Lautrbach
b2c1b0baaf libselinux: add selinux_snapperd_contexts_path()
Snapper needs a way how to set a proper selinux context on btrfs
subvolumes originating in snapshot create command. Fs can't handle it on
its own so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts file:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:51:23 -04:00
Stephen Smalley
1814207f68 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-23 12:45:52 -04:00
stephensmalley
bbde996ae5 Merge pull request #18 from mikedlr/master
Update sandbox types in  manual to match actual usage
2016-06-22 14:03:24 -04:00
Stephen Smalley
28e92c5325 libsepol: rewrite sepol_string_to_security_class to use hashtab_search
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:28:45 -04:00
Stephen Smalley
69da2076e5 Updated libselinux and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:24:35 -04:00
Joshua Brindle
94df3f7d24 Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:32 -04:00
Joshua Brindle
dae5c271fc Modify audit2why analyze function to use loaded policy
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces

Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:18 -04:00
Michael De La Rue
4134b61630 Update sandbox types in sandbox manual to match actual usage as I understand it (based on Fedora 23) 2016-06-17 18:24:35 +01:00