Commit Graph

2542 Commits

Author SHA1 Message Date
Jan Zarsky
638e2f9df0 libsemanage: add helper functions to tests
- Add functions for creating and destroying test semanage store.
- Add functions for writing SELinux policy to the test store.
- Add functions for creating semanage handle, connecting to the store and for
  beginning a transaction.
- Update Makefile to compile test policies from CIL source.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Mike Palmiotto
544cc7957b libsepol/cil: fix mlsconstrain segfault
Installing a cil module with invalid mlsconstrain syntax currently
results in a segfault. In the following module, the right-hand side of
the second operand of the OR is a list (mlstrustedobject):

$ cat test.cil
(class test (foo) )
(classorder (unordered test))

(mlsconstrain (test (foo))
	(or
		(dom h1 h2)
		(eq t2 (mlstrustedobject))
	)
)

$ sudo semodule -i test.cil
zsh: segmentation fault  sudo semodule -i test.cil

This syntax is invalid and should error accordingly, rather than
segfaulting. This patch provides this syntax error for the same module:

$ sudo semodule -i test.cil
t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
Bad expression tree for constraint
Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
semodule:  Failed!

Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
2019-06-19 09:01:23 -07:00
Jokke Hämäläinen
eb2a875747 libsepol: Replace constant with sizeof()
Replace constant 18 with safer use of sizeof()

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Jokke Hämäläinen
e8d880e0a2 libsepol: Check strdup() failures
Check strdup() failures

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Petr Lautrbach
dbffdf7135 Add CONTRIBUTING.md
Based on https://github.com/SELinuxProject/selinux/wiki/Contributing

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com>
2019-06-14 14:58:52 -04:00
Unto Sten
c758ac1ddf Trivial style fixes 2019-05-28 07:51:43 -04:00
Unto Sten
be9976e763 Trivial style improvements 2019-05-28 07:51:28 -04:00
Aleksei Nikiforov
26462e101f Update man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-05-28 07:50:34 -04:00
Ondrej Mosnacek
9adafb6d51 run_init: fix build when crypt() is not in unistd.h
According to [1], crypt() support in POSIX is optional, so include
also <crypt.h> when _XOPEN_CRYPT is not defined or is defined to -1.
Without this I can't build run_init from source out-of-the-box on
Fedora 29.

[1] http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-24 12:41:49 -04:00
Richard Haines
159d5063d3 libsepol/cil: Allow validatetrans rules to be resolved
When validatetrans rule is in CIL policy it errors with:
u3, r3, and t3 can only be used with mlsvalidatetrans rules

Will now resolve these examples:
(validatetrans binder (and (and (eq t1 t1_t) (eq t2 t2_t)) (eq t3 t3_t)))
(mlsvalidatetrans file (and (and (eq t1 t1_t) (eq t2 t2_t))
    (and (eq t3 t3_t) (domby h1 h2))))

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-05-21 13:49:38 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
Unto Sten
baf8a1de16 Check strdup() failure 2019-05-15 17:36:18 -07:00
Unto Sten
cd1ef4d64e another style fix 2019-05-15 17:35:43 -07:00
Unto Sten
e1a74396c7 Unify code style to preserve my sanity 2019-05-15 17:35:43 -07:00
Unto Sten
5d8f44e2c3 Global replace exit(0) with more readable exit(EXIT_SUCCESS) 2019-05-15 17:34:43 -07:00
Petr Lautrbach
f46b64fccb semanage/semanage-boolean.8: Fix a minor typo
boolan -> boolean

Reported-by: Bogdan BOTEZ <bmbogdan@gmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-04-30 17:49:00 +02:00
Gary Tierney
ac2a3fb4fe dismod: print policy version of loaded modules
Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:53 -04:00
Gary Tierney
4984a75f38 checkmodule: add support for specifying module policy version
Currently checkpolicy can produce binary policies for earlier policy versions
to provide support for building policies on one machine and loading/analyzing
them on another machine with an earlier version of the kernel or libsepol,
respectively. However, checkmodule was lacking this capability.

This commit adds an identical `-c` flag that can be passed to checkmodule that
will build a modular policy file of the specified version.

Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:44 -04:00
Joshua Brindle
25ce102907 Add security_validatetrans support
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5

There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:

$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))

$ sudo semodule -i validatetrans.cil

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-04-09 06:51:02 -07:00
Laurent Bigonville
42f73af507
restorecond: Do not link against libpcre
For some reasons, restorecond was explicitly linking against libpcre but
the code is not using any of its symbols

Closes: https://github.com/SELinuxProject/selinux/issues/137

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-03-26 22:21:31 +01:00
Nicolas Iooss
5fc701fe11
restorecond: use /run instead of /var/run
On most distributions, /var/run is a symbolic link to /run so using
/var/run or /run lead to the same result. Nevertheless systemd started
to warn about using /var/run in a service file, logging entries such as:

    /usr/lib/systemd/system/restorecond.service:8: PIDFile= references
    path below legacy directory /var/run/, updating
    /var/run/restorecond.pid → /run/restorecond.pid; please update the
    unit file accordingly.

Switch to /run in order to follow this advice.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-03-18 22:07:08 +01:00
Petr Lautrbach
5d149b23de
gui: Install .desktop files to /usr/share/applications by default
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.

make DESKTOPDIR=/usr/local/share/applications install

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-18 22:06:40 +01:00
Petr Lautrbach
c778509dd0
gui: Install polgengui.py to /usr/bin/selinux-polgengui
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-17 20:09:59 +01:00
Petr Lautrbach
891cfee44f Update VERSIONs to 2.9 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-15 11:32:30 +01:00
Petr Lautrbach
707e4b8610 libselinux: Do not define gettid() if glibc >= 2.30 is used
Since version 2.30 glibc implements gettid() system call wrapper, see
https://sourceware.org/bugzilla/show_bug.cgi?id=6399

Fixes:
cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static declaration
   28 | static pid_t gettid(void)
      |              ^~~~~~
In file included from /usr/include/unistd.h:1170,
                 from procattr.c:2:
/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
   34 | extern __pid_t gettid (void) __THROW;
      |                ^~~~~~

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-13 13:23:50 -04:00
Petr Lautrbach
486aa7d991 libselinux: Add security_reject_unknown(3) man page
Commit c19395d722 ("libselinux: selinux_set_mapping: fix handling of unknown
classes/perms") added a new interface security_reject_unknown() which needs to
be documented.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-11 11:47:36 -04:00
Petr Lautrbach
ee1809f453 Update VERSIONs to 2.9-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-01 13:58:20 +01:00
Stephen Smalley
c19395d722 libselinux: selinux_set_mapping: fix handling of unknown classes/perms
The libselinux selinux_set_mapping() implementation was never updated
to handle unknown classes/permissions based on the policy handle_unknown
flag.  Update it and the internal mapping functions to gracefully
handle unknown classes/permissions.  Add a security_reject_unknown()
interface to expose the corresponding selinuxfs node and use it when
creating a mapping to decide whether to fail immediately or proceed.

This enables dbus-daemon and XSELinux, which use selinux_set_mapping(),
to continue working with the dummy policy or other policies that lack
their userspace class/permission definitions as long as the policy
was built with -U allow.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2019-03-01 12:51:31 +01:00
Petr Lautrbach
478c745d82 README: Update Fedora python 3 dependencies
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Petr Lautrbach
1952be65dc Switch to python3 by default
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched python3
- Users with python 2 only can still use:

$ make PYTHON=/usr/bin/python ....

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Petr Lautrbach
3b868abd2e Always use /usr/bin/python3 in Python scripts
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-20 16:43:27 +01:00
Stephen Smalley
6b89b1f9c1 libselinux: fix selinux_restorecon() on non-SELinux hosts
The kernel only supports seclabel if it is >= 2.6.30 _and_
SELinux is enabled, since seclabel is generated by SELinux
based partly on policy (e.g. is the filesystem type configured in policy
with a labeling behavior that supports userspace labeling). For some
reason, when this logic was moved from setfiles to libselinux,
the test of whether SELinux was enabled was dropped.  Restore it.

This is necessary to enable use of setfiles on non-SELinux hosts
without requiring explicit use of the -m option.

Fixes: 602347c742 ("policycoreutils: setfiles - Modify to use selinux_restorecon")
Reported-by: sajjad ahmed <sajjad_ahmed782@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Richard Haines <richard_c_haines@btinternet.com>
Reported-by: sajjad ahmed &lt;<a href="mailto:sajjad_ahmed782@yahoo.com" target="_blank">sajjad_ahmed782@yahoo.com</a>&gt;<br>
Signed-off-by: Stephen Smalley &lt;<a href="mailto:sds@tycho.nsa.gov" target="_blank">sds@tycho.nsa.gov</a>&gt;<br>
2019-02-20 11:21:33 +01:00
Petr Lautrbach
60a9285786
python/semanage module: Fix handling of -a/-e/-d/-r options
Previous code traceback-ed when one of the mentioned option was used without
any argument as this state was not handled by the argument parser.

action='store' stores arguments as a list while the original
action='store_const' used str therefore it's needed to convert list to str
before it's sent to moduleRecords class.

Fixes:
^_^ semanage module -a
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 963, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 942, in do_parser
    args.func(args)
  File "/usr/sbin/semanage", line 608, in handleModule
    OBJECT.add(args.module_name, args.priority)
  File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add
    if not os.path.exists(file):
  File "/usr/lib64/python3.7/genericpath.py", line 19, in exists
    os.stat(path)
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:15 +01:00
Petr Lautrbach
f9ba759d15
python/semanage: Update semanage to use python3
semanage uses seobject which uses setools which is python 3 only.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:15 +01:00
Petr Lautrbach
f9dbd6e83c
python/semanage: Drop python shebang from seobject.py
seobject.py is not supposed to be used as entrypoint therefore the shebang is
unnecessary. It also doesn't need execute bits.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-17 22:35:14 +01:00
Nicolas Iooss
72dc5c6241
python: always use python3 in the shebang of programs using setools
setools 4.2.0 dropped support for Python 2. On systems where
/usr/bin/python is Python 2, several tools are now broken because of
this. Update the shebang of these tools to /usr/bin/python3.

For future reference, as semanage/seobject.py, sepolicy and sepolgen
import setools, every program that uses one of these modules need to be
run with Python 3. The following programs do not use any of these
modules so their shebangs have not been modified:

    dbus/selinux_server.py
    libsemanage/utils/semanage_migrate_store
    mcstrans/share/util/mlscolor-test
    mcstrans/share/util/mlstrans-test
    sandbox/start

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-17 22:34:50 +01:00
Nicolas Iooss
9336e435dd
python/sepolicy: drop python shebang from the module
The files in sepolicy's module directory are not supposed to used as
executable files. The shebang line is therefore not needed.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-17 22:34:42 +01:00
Petr Lautrbach
ffc59f6015 libsemanage: genhomedircon - improve handling large groups
getgrnam_r() uses a preallocated buffer to store a structure containing
the broken-out fields of the record in the group database. The size of
this buffer is usually sysconf(_SC_GETGR_R_SIZE_MAX) == 1024 and it is
not enough for groups with a large number of users.  In these cases,
getgrnam_r() returns -1 and sets errno to ERANGE and the caller can
retry with a larger buffer.

Fixes:
$ semanage login -a -s user_u -r s0-s0:c1.c2 '%largegroup'
libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Numerical result out of range).
OSError: Numerical result out of range

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-13 13:49:05 +01:00
Nicolas Iooss
913613da66
libsepol/cil: silence static analyser's use-after-free warning
clang's static analyze reports a use-after-free in
__cil_expr_to_string(), when __cil_expr_to_string_helper() does not
modify its third parameter (variable s1 here) in this loop:

    for (curr = curr->next; curr; curr = curr->next) {
        __cil_expr_to_string_helper(curr, flavor, &s1);
        cil_asprintf(&c2, "%s %s", c1, s1);
        free(c1);
        free(s1);
        c1 = c2;
    }

Silence this warning by making sure s1 is always NULL at the beginning
of every iteration of the loop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-10 19:32:15 +01:00
Petr Lautrbach
5d59284381
libselinux: Fix RESOURCE_LEAK defects reported by coverity scan
Fixes:

libselinux/src/checkAccess.c:93: leaked_storage: Variable "user_context" going out of scope leaks the storage it points to.
libselinux/src/label_db.c:286: leaked_storage: Variable "filp" going out of scope leaks the storage it points to.
libselinux/src/label_db.c:291: leaked_storage: Variable "filp" going out of scope leaks the storage it points to.
libselinux/src/label_file.c:405: leaked_storage: Variable "str_buf" going out of scope leaks the storage it points to.
libselinux/src/load_policy.c:266: leaked_storage: Variable "names" going out of scope leaks the storage it points to.
libselinux/src/selinux_config.c:183: leaked_storage: Variable "end" going out of scope leaks the storage it points to.
libselinux/src/selinux_config.c:184: overwrite_var: Overwriting "end" in "end = type + strlen(type) - 1" leaks the storage that "end" points to.
libselinux/src/selinux_restorecon.c:376: leaked_storage: Variable "new_entry" going out of scope leaks the storage it points to.
libselinux/src/selinux_restorecon.c:855: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-10 17:52:09 +01:00
Petr Lautrbach
9b848852a7
python/semanage: Use standard argparse.error() method in handlePermissive
This method prints a usage message including the message to the standard error
and terminates the program with a status code of 2.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-10 17:06:09 +01:00
Petr Lautrbach
347719d15f
libselinux/selinux_restorecon: Skip customized files also without -v
In the original code, customizable file contexts were not changed only if -v was
used. It lead to different behavior when selinux_restorecon was run with -v and
without it.

Based on an initial patch by Jan Zarsky <jzarsky@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-10 17:06:00 +01:00
Vit Mojzis
4634e8fe39
gui: Make all polgen button labels translatable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-10 17:05:48 +01:00
Dan Walsh
e103c5b2ee
dbus: Fix name of polkit function
Add missing action org.selinux.change_default_mode for change_default_mode() and
remove unused action org.selinux.change_policy_type.

Fixes: e8718ef514 ("Make sure we do the polkit check on all dbus interfaces.")

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-10 17:04:19 +01:00
Vit Mojzis
3cad474303
checkpolicy: Update manpage
- Add description of -S option
- Sort the option descriptions based on the synopsis
- Add missing options to synopsis

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-10 17:03:58 +01:00
Vit Mojzis
259ab083fa
python/semanage/seobject: Fix listing boolean values
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).

Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).

Fixes:
    # dnf install selinux-policy-mls
    # cat > mypolicy.cil
    (boolean xyz false)

    # semodule -i mypolicy.cil -s mls

    # semanage boolean -l -S mls
    ...
    irssi_use_full_network         (off  ,  off)  Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
    mozilla_plugin_use_bluejeans   (off  ,  off)  Allow mozilla plugin to use Bluejeans.
    OSError: No such file or directory

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-06 21:20:12 +01:00
Nicolas Iooss
bac905ce86 libsepol: do not use uninitialized value for low_value
clang's static analyzer reports a warning when low_bit is used without
having been initialized in statements such as:

    low_value = low_bit << 8;

The warning is: "Result of operation is garbage or undefined".

This is caused by low_bit being only initialized when in_range is true.
This issue is not critical because low_value is only used in an
"if (in_range)" block. Silence this warning by moving low_value's
assignment inside this block.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-06 09:08:58 +01:00
James Carter
4ba87e3d2c libsepol: Fix RESOURCE_LEAK defects reported by coverity scan
These were reported by Petr Lautrbach (plautrba@redhat.com) and this
patch was based on his patch with only a few changes.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-02-05 09:56:34 +01:00
Petr Lautrbach
f0f68ab2ff scripts/release: Update links to use release assets instead of wiki links
- new release files are created in release/$RELEASE_TAG
- download links refers to new release assets

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-05 09:56:34 +01:00
Dan Walsh
6ded76aa06
python/semanage: Examples are no longer in the main semanage man page
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-02-04 22:11:26 +01:00