Commit Graph

16 Commits

Author SHA1 Message Date
Vit Mojzis
8fe1b0ca27 python/sepolicy/sepolicy: optimise sepolicy gui loading
Significantly speed up sepolicy gui loading by aggregating setools
queries.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
ef387e88bd python/sepolicy/sepolicy: Cleanup of gui code
Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.
Speed up gui loading.
Some minor bug fixes.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
31fcd66d39 python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui
sepolicy.get_init_entrypoint() now returns list of Type objects
instead of single string, which caused sepolicy gui to crash.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-06 12:31:37 -05:00
Vit Mojzis
4791a99d67 python: Fix some typos
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-05 15:11:08 -05:00
Kyle Walker
468a0dbac8 seobject: Handle python error returns correctly
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.

    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory

To resolve the error, handle the OSError exception, but retain the
previous query operation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427

Signed-off-by: Kyle Walker <kwalker@redhat.com>
2016-11-30 11:00:51 -05:00
Vit Mojzis
86e568c27b python/semanage/semanage: Unify argument handling
Missing argument checks for "fcontext" and "boolean" were performed
outside of "argparse", resulting in shortened help message (without
argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other
semanage options.

Some "required argument" check were performed outside of "handle_opts"
obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the
checks from handle{Fcontext Boolean}.

Remove unpaired parentheses from "semanage fcontext" usage message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 09:33:58 -05:00
Vit Mojzis
041e00106f python/sepolicy/sepolicy/gui: Fix getting python lib path
Python code is not platform specific and resides always in
lib (as opposed to lib64 on x64 architectures).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 08:49:26 -05:00
Stephen Smalley
7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00
Vit Mojzis
c034875c14 policycoreutils/sepolicy/gui: fix current selinux state radiobutton
Radiobutton was always set to "Permissive" and couldn't be switched.
Update radiobutton together with status text in bottom left corner.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-29 08:49:48 -05:00
cgzones
1e605e9905 fix semanage fcontext help message
the ftype options were incorrect
2016-11-24 20:01:26 +01:00
Stephen Smalley
7935dee8f6 Drop ChangeLog files
They can be generated as desired via git log.
No need to keep maintaining them by hand.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 12:10:58 -05:00
Stephen Smalley
25c167a6ea Add COPYING files for new subdirs.
Copied from policycoreutils/COPYING, from which these originated.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
6bd0b55380 Add VERSION files for new components
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
b97d959a6a Move policycoreutils/sepolgen-ifgen into python/audit2allow.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
50be5fcca4 Move sepolicy desktop and png files to gui.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:50 -05:00