Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is not the same as its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.
Because of this, provide a warning message when converting a policy
package to CIL and the output filename is different than the module
name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
sepolicy Makefile overwrites CFLAGS value, which prevents compiling its
Python module with custom compilation flags. Modify it to append flags
to CFLAGS instead, like other policycoreutils programs do.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Variable policy is both a global variable and a parameter to some
functions in policycoreutils/sepolicy/search.c. This makes the building
fail when using -Wshadow -Werror compilation flags.
Fix this by renaming the global variable global_policy. This does not
change the API of the Python module.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building newrole with gcc 5.3.0 and some warning flags, the
compiler reports:
newrole.c:77:33: error: "NAMESPACE_PRIV" is not defined [-Werror=undef]
#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
^
Indeed, "defined" is missing here. This nevertheless worked so far
because when NAMESPACE_PRIV was selected in the Makefile, newrole.c was
compiled with "-DNAMESPACE_PRIV", which defined NAMESPACE_PRIV to 1.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
reserver_port_t was omitted in 'semanage port -l'. There seems to be no
reason for that nowadays therefore we can list it.
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1225806
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Some teminal emulators (like the latest version of gnome-terminal) are
not setting entries in the utmp file, this leads getlogin() to return an
empty string.
Fallback to the name of the user running the chcat process.
Fixes Python 3 error:
AttributeError: module 'string' has no attribute 'join'
Based on a patch by Tomas Radej <tradej@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This reverts the commit 97d06737 which introduced a regression on '-l'
which started to require at least one argument and fixes the original
problem other way. A args.parser value is set now and handlePermissive
function uses it to print an usage message when args.type is not set.
Fixes: semanage permissive -l
usage: semanage permissive [-h] (-a | -d | -l) [-n] [-N] [-S STORE]
type [type ...]
semanage permissive: error: the following arguments are required: type
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
If "level" option is used to start sandbox commands, this level is not propagated
to specified homedir and tmpdir directories. See rhbz #1279006.
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
Fixes: python ./semanage permissive -d
Traceback (most recent call last):
File "./semanage", line 925, in <module>
do_parser()
File "./semanage", line 904, in do_parser
args.func(args)
File "./semanage", line 708, in handlePermissive
OBJECT.delete(args.type)
File "/selinux.git/policycoreutils/semanage/seobject.py", line 479, in delete
for n in name.split():
AttributeError: 'NoneType' object has no attribute 'split'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Previously, when sepolicy was run without any argument, the usage message
with the error "too few arguments" was shown. Using Python 3 it threw a traceback.
This patch unifies behavior on Py2 and Py3 so that sepolicy shows the help
message in this case.
Fixes:
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 647, in <module>
args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.
See also http://marc.info/?l=selinux&m=136518126930710&w=2
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a user has invalid locales set, audit2allow and audit2why fail with
a traceback. This could be safely ignored as it will stay with 'C'
locale.
Fixes:
Traceback (most recent call last):
File "policycoreutils/audit2allow/audit2allow", line 35, in <module>
locale.setlocale(locale.LC_ALL, '')
File "/usr/lib64/python2.7/locale.py", line 579, in setlocale
return _setlocale(category, locale)
locale.Error: unsupported locale setting
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Constraint rules in output need to be commented in order to make a policy
compilable.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1155974
Patch-by: Miroslav Grepl <mgrepl@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When trying to get policycoreutils working in python3, I kept running
into TabErrors:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
import seobject
File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
context = "%s%s" % (filler, raw)
^
TabError: inconsistent use of tabs and spaces in indentation
Python3 is a lot stricter than python2 regarding whitespace and looks like
previous commits mixed the two. When fixing this, I took the chance to fix
other PEP8 style issues at the same time.
This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)
The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.
Signed-off-by: Jason Zaman <jason@perfinion.com>
commit 2ff279e21e ("policycoreutils:
semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
- migrate from commands to subprocess
- fix formatting
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes "unicode" keyword argument in Python 2
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
Signed-off-by: Michal Srb <msrb@redhat.com>
- gettext.install() only takes optional "unicode" keyword argument in
Python 2, and its default value is "False". This keyword argument
doesn't exist in Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- raw_input() has been renamed to input() in Python 3
- specify octal literals in form compatible with both Python 2 and 3
- migrate from commands to subprocess
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
Stephen Smalley
Laurent Bigonville
James Carter
Steve Lawrence
Nicolas Iooss
Lukas Vrabec
Petr Lautrbach
Ville Skyttä
Miroslav Grepl
Sven Vermeulen
Dan Walsh
Yuli Khodorkovskiy
Jason Zaman
Michal Srb