Commit Graph

565 Commits

Author SHA1 Message Date
Steve Lawrence
2b69984b0c Update ChangeLog and VERSION for final release
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-02-23 11:31:41 -05:00
Steve Lawrence
9d76b62fa7 Update libsepol, libsemanage, and policycoreutils ChangeLogs
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-02-17 08:52:11 -05:00
Nicolas Iooss
061c4fcbd4 policycoreutils: sepolicy: do not overwrite CFLAGS
sepolicy Makefile overwrites CFLAGS value, which prevents compiling its
Python module with custom compilation flags.  Modify it to append flags
to CFLAGS instead, like other policycoreutils programs do.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-02-11 08:42:45 -05:00
Nicolas Iooss
168f653d28 policycoreutils: sepolicy: rename policy global variable
Variable policy is both a global variable and a parameter to some
functions in policycoreutils/sepolicy/search.c.  This makes the building
fail when using -Wshadow -Werror compilation flags.

Fix this by renaming the global variable global_policy.  This does not
change the API of the Python module.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-02-11 08:36:27 -05:00
Steve Lawrence
e97d3eca99 Update libsepol, libsemanage, policycoreutils, and sepolgen ChangeLogs
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-02-01 09:05:47 -05:00
Nicolas Iooss
d1b49d833e policycoreutils: newrole: add missing defined in #if
When building newrole with gcc 5.3.0 and some warning flags, the
compiler reports:

  newrole.c:77:33: error: "NAMESPACE_PRIV" is not defined [-Werror=undef]
  #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
                                  ^

Indeed, "defined" is missing here.  This nevertheless worked so far
because when NAMESPACE_PRIV was selected in the Makefile, newrole.c was
compiled with "-DNAMESPACE_PRIV", which defined NAMESPACE_PRIV to 1.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-02-01 08:54:30 -05:00
Steve Lawrence
f7088b70af Update policycoreutils ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-01-12 08:48:12 -05:00
Lukas Vrabec
0fc39ca4f7 Added missing descriptions for --*-key params in secon man page.
Fixed secon help, merged descriptions for --current-* and --self-*
params.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2016-01-12 08:39:14 -05:00
Lukas Vrabec
dd7a9363d9 Add description of missing newrole parameter -p in newrole man page.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2016-01-12 08:39:14 -05:00
Steve Lawrence
b3b5ede9ca Update ChangeLog and VERSION for release candidate
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-01-07 10:01:31 -05:00
Steve Lawrence
7526d1ad93 Update policycoreutils ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-01-07 10:01:01 -05:00
Petr Lautrbach
f590d37704 policycoreutils: semanage: list reserver_port_t
reserver_port_t was omitted in 'semanage port -l'. There seems to be no
reason for that nowadays therefore we can list it.

Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1225806

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-01-04 08:55:14 -05:00
Steve Lawrence
b3c1d4e425 Update libselinux and policycoreutils ChangeLogs
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-12-17 09:14:05 -05:00
Laurent Bigonville
7d8f5ce9b8 policycoreutils/chcat: Add a fallback in case os.getlogin() returns nothing
Some teminal emulators (like the latest version of gnome-terminal) are
not setting entries in the utmp file, this leads getlogin() to return an
empty string.

Fallback to the name of the user running the chcat process.
2015-12-17 08:56:01 -05:00
Stephen Smalley
36d164ca56 Update policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-12-01 15:36:19 -05:00
Petr Lautrbach
fa438ddf50 policycoreutils: replace string.join() with str.join()
Fixes Python 3 error:
  AttributeError: module 'string' has no attribute 'join'

Based on a patch by Tomas Radej <tradej@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-12-01 15:33:36 -05:00
Petr Lautrbach
b300d3d43a policycoreutils: fix 'semanage permissive -l' subcommand
This reverts the commit 97d06737 which introduced a regression on '-l'
which started to require at least one argument and fixes the original
problem other way. A args.parser value is set now and handlePermissive
function uses it to print an usage message when args.type is not set.

Fixes: semanage permissive -l
  usage: semanage permissive [-h] (-a | -d | -l) [-n] [-N] [-S STORE]
                             type [type ...]
  semanage permissive: error: the following arguments are required: type

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-12-01 15:33:11 -05:00
Stephen Smalley
4a1169a367 Update libselinux and policycoreutils ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-11-24 16:34:56 -05:00
Ville Skyttä
572fcef2ba libselinux, policycoreutils: Man page warning fixes
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
2015-11-24 16:32:13 -05:00
James Carter
e29d606f62 Updated policycoreutils ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-11-20 13:29:30 -05:00
Miroslav Grepl
0f4620d611 policycoreutils/sandbox: Fix sandbox to propagate specified MCS/MLS Security Level.
If "level" option is used to start sandbox commands, this level is not propagated
to specified  homedir and tmpdir directories. See rhbz #1279006.

Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
2015-11-20 13:14:10 -05:00
James Carter
50c349df8f Updated policycoreutils ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-11-19 16:19:33 -05:00
Petr Lautrbach
97d067376a policycoreutils: Require at least one argument for 'semanage permissive -d'
Fixes: python ./semanage permissive -d
Traceback (most recent call last):
  File "./semanage", line 925, in <module>
    do_parser()
  File "./semanage", line 904, in do_parser
    args.func(args)
  File "./semanage", line 708, in handlePermissive
    OBJECT.delete(args.type)
  File "/selinux.git/policycoreutils/semanage/seobject.py", line 479, in delete
    for n in name.split():
AttributeError: 'NoneType' object has no attribute 'split'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-11-19 16:17:59 -05:00
Petr Lautrbach
8922ff887f policycoreutils: improve sepolicy command line interface
Previously, when sepolicy was run without any argument, the usage message
with the error "too few arguments" was shown. Using Python 3 it threw a traceback.
This patch unifies behavior on Py2 and Py3 so that sepolicy shows the help
message in this case.

Fixes:
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 647, in <module>
    args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-11-19 16:17:51 -05:00
Sven Vermeulen
8243069211 Open stdin as read/write
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.

See also http://marc.info/?l=selinux&m=136518126930710&w=2

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2015-10-01 15:49:00 -04:00
Stephen Smalley
92eec06ca6 policycoreutils/newrole: Set keepcaps around setresuid calls.
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-10-01 15:47:08 -04:00
Dan Walsh
572f899267 Fix newrole to not drop capabilities from the bounding set.
Stop dropping capabilities from its children.
Add better error messages.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2015-10-01 15:44:11 -04:00
Stephen Smalley
e93f755bf7 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 15:07:52 -04:00
Petr Lautrbach
663d76dbb6 policycoreutils: audit2* - ignore setlocale errors
When a user has invalid locales set, audit2allow and audit2why fail with
a traceback. This could be safely ignored as it will stay with 'C'
locale.

Fixes:
Traceback (most recent call last):
  File "policycoreutils/audit2allow/audit2allow", line 35, in <module>
    locale.setlocale(locale.LC_ALL, '')
  File "/usr/lib64/python2.7/locale.py", line 579, in setlocale
    return _setlocale(category, locale)
locale.Error: unsupported locale setting

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-08-25 15:06:37 -04:00
James Carter
774f859bce Updated libsemanage and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 11:01:03 -04:00
Yuli Khodorkovskiy
65c6325271 policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.

If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.

If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.

Examples:

Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.

    semodule --cil --extract wireshark

Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.

    semodule -E wireshark

Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.

    semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 10:59:44 -04:00
Stephen Smalley
23f6db52a5 Updated policycoreutils and sepolgen ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-31 11:18:39 -04:00
Petr Lautrbach
7bd95d71f1 policycoreutils: Comment constraint rules in audit2allow and sepolgen output
Constraint rules in output need to be commented in order to make a policy
compilable.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1155974

Patch-by: Miroslav Grepl <mgrepl@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-07-31 11:16:00 -04:00
Stephen Smalley
38feeaddf7 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-24 09:05:33 -04:00
Jason Zaman
789d0ebbf9 policycoreutils: Fix PEP8 issues
When trying to get policycoreutils working in python3, I kept running
into TabErrors:

    Traceback (most recent call last):
      File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
        import seobject
      File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
        context = "%s%s" % (filler, raw)
                                       ^
    TabError: inconsistent use of tabs and spaces in indentation

Python3 is a lot stricter than python2 regarding whitespace and looks like
previous commits mixed the two.  When fixing this, I took the chance to fix
other PEP8 style issues at the same time.

This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)

The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2015-07-24 16:07:13 +08:00
Stephen Smalley
92cc7b0112 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-22 10:08:05 -04:00
Stephen Smalley
4031618396 policycoreutils: semanage: fix moduleRecords deleteall method
commit 2ff279e21e ("policycoreutils:
 semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-22 09:59:35 -04:00
Stephen Smalley
5ee1befee4 policycoreutils: semanage: kwarg -> kwargs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-22 09:33:12 -04:00
Stephen Smalley
d7b1bf3ff2 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-22 09:21:23 -04:00
Michal Srb
7574a50f18 policycoreutils/scripts: improve compatibility with Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
- migrate from commands to subprocess
- fix formatting

Signed-off-by: Michal Srb <msrb@redhat.com>
2015-07-22 09:20:44 -04:00
Michal Srb
349239e677 policycoreutils/semanage: improve compatibility with Python 3
- gettext.install() only takes "unicode" keyword argument in Python 2
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function

Signed-off-by: Michal Srb <msrb@redhat.com>
2015-07-22 09:20:44 -04:00
Michal Srb
a9ce2e7358 policycoreutils/sandbox: improve compatibility with Python 3
- gettext.install() only takes optional "unicode" keyword argument in
  Python 2, and its default value is "False". This keyword argument
  doesn't exist in Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- raw_input() has been renamed to input() in Python 3
- specify octal literals in form compatible with both Python 2 and 3
- migrate from commands to subprocess
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests

Signed-off-by: Michal Srb <msrb@redhat.com>
2015-07-22 09:20:44 -04:00
Michal Srb
d135951152 policycoreutils/audit2allow: improve compatibility with Python 3
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests

Signed-off-by: Michal Srb <msrb@redhat.com>
2015-07-22 09:20:44 -04:00
Stephen Smalley
1eebc7748f Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-16 13:11:01 -04:00
Stephen Smalley
696c498c46 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-16 12:29:44 -04:00
Laurent Bigonville
4fbc6623eb Set self.sename to sename after calling semanage_seuser_set_sename()
This fixes audit information that are being logged and a crash when the
python-audit binding is not installed.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734806
2015-07-16 12:27:03 -04:00
Stephen Smalley
fd60703766 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-09 09:04:10 -04:00
Petr Lautrbach
6fd8e08606 Fix typo in semanage args for minimum policy store 2015-07-09 09:03:27 -04:00
Stephen Smalley
31f7239219 Updated policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-12 08:59:11 -04:00
Sven Vermeulen
73b7ff410c Only invoke RPM on RPM-enabled Linux distributions
When calling "sepolgen generate" to automatically generate a SELinux
policy template, the command fails when it cannot invoke RPM related
commands on Linux distributions that do not support RPM by default:

Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/sepolicy", line 643, in <module>
    args.func(args)
  File "/usr/lib/python-exec/python2.7/sepolicy", line 517, in generate
    print mypolicy.generate(args.path)
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1370, in generate
    out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1219, in write_spec
    fd.write(self.generate_spec())
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1181, in generate_spec
    selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
TypeError: 'NoneType' object has no attribute '__getitem__'

As the RPM related steps are only needed on RPM-enabled distributions,
we should ignore these steps on other Linux distribution platforms.

In this patch, we use the Python platform module to get the Linux
distribution, and only start the RPM-related activities on Linux
distributions that use RPM as their native package manager.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2015-06-12 08:57:40 -04:00