When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.
Fixes:
>>> import seobject
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
_pol = setools.SELinuxPolicy(policy_file)
File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
import sepolicy
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
raise e
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
policy(policy_file)
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
raise ValueError(_("Failed to read %s policy file") % policy_file)
ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.
Fixes:
$ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
interface(`apache_manage_pid_files',`
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
#sepolgen-ifgen --interface=i.if
i.if: Syntax error on line 2 interface [type=INTERFACE]
i.if: Syntax error on line 4 ' [type=SQUOTE]
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
I found that building on OpenWrt/musl failed with:
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.
Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument. If not given try the current loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).
This changes the helper command line interface from:
sepolgen-ifgen-attr-helper policy_file out_file
to
sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:
Missing interface definition for gen_tunable
Add grammar for gen_tunable statements in the refparser
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
xml.etree.ElementTree.Element.getiterator() was deprecated since Python 3.2 and
dropped in Python 3.9
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args = parser.parse_args(args=parser_args)
File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
args, argv = self.parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
positionals_end_index = consume_positionals(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
take_action(action, args)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
start_index = consume_optional(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
take_action(action, args, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/bin/sepolicy", line 216, in __call__
interface_dict = get_interface_dict()
File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
List modules for bash completion of `semanage module`.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:
python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
unused named argument(s): type
python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
unused named argument(s): user
Remove the unused arguments in order to silence these warnings.
This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.
Fixes:
$ make test
...
Ran 10 tests in 110.854s
FAILED (failures=4)
$ echo $?
0
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version)
But `setuptools` affecting setup.py is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default, rather than a
command line argument `--install-layout deb` is added
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The range of unreserved ports starts from 1024 and ends to
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html
seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
While using Ansible's Selinux module to manage ports, I discovered
that numerical ports caused an unhandled exception in 'seobject.py'.
This appears to be a bug, and I am proposing a fix which checks the
type of the argument before operating on it. This maintains the
original functionality in the case of a string, and acts in the same
fashion if you supply an integer.
I did not find any open bug report against the SELinux project. The
downstream bug report is here:
https://github.com/ansible/ansible/issues/60968
Signed-off-by: Joshua Schmidlkofer <joshua@joshuainnovates.us>
Commit 73b7ff410c ("Only invoke RPM on RPM-enabled Linux distributions") used
platform.linux_distribution() function to detect whether the system is rpm
based. This function is deprecated since Python 3.5 and it's removed from Python
3.8 - https://bugs.python.org/issue28167
The original problem is already fixed by another commit
671f83b42b ("policycoreutils/sepolicy: Check get_rpm_nvr_list() return
value"):
$ sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home
Failed to retrieve rpm info for selinux-policy
Created the following files:
mypolicy/testpolicy.te # Type Enforcement file
mypolicy/testpolicy.if # Interface file
mypolicy/testpolicy.fc # File Contexts file
mypolicy/testpolicy_selinux.spec # Spec file
mypolicy/testpolicy.sh # Setup Script
Fixes:
File "/usr/lib/python3.8/site-packages/sepolicy/generate.py", line 1384, in generate
if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
AttributeError: module 'platform' has no attribute 'linux_distribution'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes:
# semanage port -a -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
# semanage port -d -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Return value of "customized" has to be iterable.
Fixes:
"semanage export" with no modules in the system (eg. monolithic policy)
crashes:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 970, in <module>
do_parser()
File "/usr/sbin/semanage", line 949, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 771, in handleExport
for c in OBJECT.customized():
TypeError: 'NoneType' object is not iterable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Other python scripts already use python3 by default. Both files don't have exec
bits so they have to be run using python interpret on command line anyway:
$ python3 ./setup.py ...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Using the "s0" default means that new login mappings are always added with "s0"
range instead of the range of SELinux user.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
chcat_add() defines variable cmd twice before calling
subprocess.check_call(cmd, ...). Remove the first definition.
This bug was found using lgtm.com analyzer:
eac5e661ca/files/python/chcat/chcat (L118)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>