The selinux_restorecon(3) man page details this function.
It has been built using the work from Android where an SHA1 hash
of the specfiles is held in an extended attribute to enhance
performance. Also contains components from policycoreutils/setfiles.
The utils/selinux_restorecon.c utility demonstrates the functionality.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This replaces the openssl library with SHA1 hash functions
extracted from [1] as this is a public domain implementation.
util/selabel_digest -v option still compares the result with
the openssl command "openssl dgst -sha1 -hex .." for validation.
[1] https://github.com/WaterJuice/CryptLib
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If selabel_open is called with no request for a digest it will fail
with ENOENT. This fixes all the labeling routines to resolve this
problem. The utils/selabel_digest example has also been updated
to allow calling selabel_open with and without digest requests to
aid testing.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during
selabel_open(3) will return an SHA1 digest of the spec files, plus
a list of the specfiles used to calculate the digest. There is a
test utility supplied that will demonstrate the functionality.
The use case for selabel_digest(3) is to implement an selinux_restorecon
function based on the Android version that writes a hash of the
file_contexts files to an extended attribute to enhance performance
(see external/libselinux/src/android.c selinux_android_restorecon()).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add -p option that will take a binary policy file to validate
context entries in the text file_contexts file.
Should validation fail the binary file will not be written.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
File labels assigned using the lookup_best_match() function do not
assign the best match if its regex contains metacharacters in the
binary file_contexts file version.
This change adds a new entry in the binary file with the calculated
prefix length that is then read when processing the file. This fix
also bumps SELINUX_COMPILED_FCONTEXT_MAX_VERS.
This patch relies on patch [1] that fixes the same problem
for text based file_contexts files.
[1] http://marc.info/?l=selinux&m=143576498713964&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If you add some local file contexts via semanage fcontext -a and
later delete them all via semanage fcontext -D, you get an empty
file_contexts.local file. Then when you try to load it, getline()
returns 0 and we fall through to the out path without having set rc.
In label_file.c, rc will always be non-zero at this point because
we will have failed the load_mmap() call. In sefcontext_compile,
rc may contain random garbage at this point. Explicitly set rc
before the loop.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Update file contexts generation and loading to use common code.
Remove "status = 0; after "status = sort_specs(data);" otherwise
the function will never indicate a failure.
The file labeling code also has minor formatting, white space
removal etc. changes.
label_file.c - Move process_line function to label_file.h
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind. Also added optional -o output
file parameter - updated man page to reflect this change.
V2 - Revert to using compat_validate instead of selabel_validate.
V3 - Revert to using callback for validation now the problem has been
fixed by commit e889148494
("libselinux: build sefcontext_compile with static libselinux")
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
sefcontext_compile depends on libselinux internals, so it might
as well use static libselinux. Hide read_spec_entries as this is not
intended as a public interface for shared library users.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently sscanf is used with %ms parameters that are not supported
on all platforms. The new read_spec_entries function may be used
to replace these where required. This patch updates
sefcontext_compile, label_file and label_android_property services
to use the new function.
The file and property services have been tested on Android emulator
and the file service on Fedora 21.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Currently sefcontext_compile defines the mode field as mode_t whose
size will vary depending on the architecture (e.g. 32 bit / 64 bit).
This patch sets the size when writing/reading binary files to
uint32_t. The file version is set to SELINUX_COMPILED_FCONTEXT_MODE
V2 fixes those listed in http://marc.info/?l=selinux&m=143273965514292&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Ensure that the array of strings is NULL terminated to stop core
dumps. Also cleaned up code.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add support for new API functions selabel_partial_match and
selabel_lookup_best_match ported from the Android libselinux
fork.
Add supporting man(3) pages and test utilities: selabel_lookup,
selabel_lookup_best_match and selabel_partial_match.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The mudflap run time checker was removed in GCC 4.9. The
option no longer does anything and triggers a warning from gcc 4.9
and later. Remove it. We might want to add -fsanitize=address
to enable AddressSanitizer in its place, but that should be a separate
change.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fixes two types of errors which appear when building with gcc-5.0.0
- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.
See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently the compiled file context files can end up with different
permissions then the original. This can lead to non priv users
not being able to read the compiled versions.
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.
This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector). Ho hum. I already fixed this in Android but forgot it
here.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In attempting to enable building various part of Android with -Wall -Werror,
we found that the const security_context_t declarations in libselinux
are incorrect; const char * was intended, but const security_context_t
translates to char * const and triggers warnings on passing
const char * from the caller. Easiest fix is to replace them all with
const char *. And while we are at it, just get rid of all usage of
security_context_t itself as it adds no value - there is no true
encapsulation of the security context strings and callers already
directly use string functions on them. typedef left to permit
building legacy users until such a time as all are updated.
This is a port of Change-Id I2f9df7bb9f575f76024c3e5f5b660345da2931a7
from Android, augmented to deal with all of the other code in upstream
libselinux and updating the man pages too.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
This allows us to specify under which the compiled policy file and context configuration
files exist. We can use this with matchpathcon to check the labels under alternate policies,
and we can use it for sepolicy manpage to build manpages during policy build.
We open the file which is to be used to write the binary format of file
contexts. If we hit an error actually writing things out, we return,
but never close the fd. Do not leak.
Signed-off-by: Eric Paris <eparis@redhat.com>
This is a new 'compiler' which tranforms the file context database into
a binary format. This binary format may be mmap'd in later removing the
need to compile the regular expression at run time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We may want to force matchpathcon to respond if the path is question is
a dir, sockfile, chr, blk, etc. Add an option so you can force it to
hit the right rule types.
Signed-off-by: Eric Paris <eparis@redhat.com>
Use selinux_boolean_sub to translate the boolean name handed in by the user.
Report back the correct name of the boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add a -s option to getdefaultcon which allows one to specify the
service in question. This exposes all of the abilities of getseuser
instead of only the abilities of getseuserbyname.
Signed-off-by: Eric Paris <eparis@redhat.com>
It's not special and doesn't need its own Makefile lines. Just make it
a normal target.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Annotating the die method as taking printf format exposes
a bug in error reporting
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We declare rc both for a function and inside a stanze. We only need it in the
stanze so remove the declaration for the whole function.
Signed-off-by: Eric Paris <eparis@redhat.com>
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.
The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.
I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.
[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of only doing path simplification and symlink following for the
matchpathcon helper instead do it in the library potion. This was an
issue when in python some called selinux.matchpatchcon("//lib64", 0) and
got the wrong answer (because the // wasn't being dealt with)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
matchpathcon cannot handle ./ or ../ in pathnames and doesn't do well
with symlinks. This patch uses the glibc function realpath() to try to
determine a real path with resolved symlinks and dot directories. For
example before this pach we would see:
$ matchpathcon /tmp/../eric
/tmp/../eric <<none>>
$ matchpathcon /eric
/eric system_u:object_r:default_t:s0
Whereas after the path we get the same results. The one quirk with the
patch is that we need special code to make sure that realpath() does not
follow a symlink if it is the final component. aka if we have a symlink
from /eric to /tmp/eric we do not want to resolv to /tmp/eric. We want
to just resolv to the actual symlink /eric.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is a .gitignore at the head of the directory but only contains
entries for the utils directory. Move to the utils directory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This utility will tell what context a new task will have after exec
based on the pathname and the context of the launching task.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Email: dwalsh@redhat.com
Subject: Patch to getdefaultcon to print just the correct match and add verbose option
Date: Wed, 04 Mar 2009 15:41:37 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I really want to rename this to selinuxdefaultcon, which is what we ship
in Fedora.
Also exit with proper error on failure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu54AACgkQrlYvE4MpobNoZACdHgQDP2Hp/KDBpGCD7G08HjOX
p68An25Uu83SlOqjKyy9EG8ZgdIcuTCB
=L6UU
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: We have moved matchpathcon to /sbin from /usr/sbin
Date: Wed, 01 Apr 2009 10:21:53 -0400
Some init scripts wanted to use matchpathcon before /usr is mounted.
Author: Chad Sellers
Email: csellers@tresys.com
Added matchpathcon to clean target
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Patch matchpathcon to eliminate file "/"
Date: Wed, 04 Mar 2009 15:39:31 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So
matchpathcon /etc/
Will work the same as
matchpathcon /etc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu5wMACgkQrlYvE4MpobNK4gCgiVeXXEZcCMsJKXM7jqh6r1u3
OScAoLcmXBIR63gpvA8RS3g07pcPC6IF
=e+Re
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: matchpathcon -V does not always work as expected.
Date: Tue, 30 Sep 2008 08:54:18 -0400
matchpathcon -V should be passing the mode when checking whether the
file context on a file is correct.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
