In commit 36f1ccbb57 ("policycoreutils: setfiles: print error if
no default label found"), a warning message was added to setfiles/restorecon
if the user explicitly does a restorecon /path/to/foo and
/path/to/foo does not have any matching label in file_contexts; in the
case of a restorecon -R or setfiles, the warning isn't supposed to be
logged. The check on the recursive flag got dropped when this logic was
taken into selinux_restorecon(3) in libselinux. Restore this check so
that we do not generate noisy log messages on restorecon -R or setfiles.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Building with musl libc leads to some build errors:
setrans_client.c: In function ‘receive_response’:
setrans_client.c:147:19: error: implicit declaration of function
‘readv’ [-Werror=implicit-function-declaration]
while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ;
^~~~~
and:
In file included from matchpathcon.c:10:0:
/usr/include/sys/errno.h:1:2: error: #warning redirecting incorrect
#include <sys/errno.h> to <errno.h> [-Werror=cpp]
#warning redirecting incorrect #include <sys/errno.h> to <errno.h>
^
Fix the first one by including <sys/uio.h> and the second one by using
<errno.h> instead of <sys/errno.h>.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When the restorecon method was added to the libselinux swig python
bindings, there was no libselinux restorecon implementation and it
he had to call matchpathcon() which is deprecated in favor of
selabel_lookup().
The new restorecon method uses selinux_restorecon method from libselinux
and which is exported by the previous commit.
https://github.com/SELinuxProject/selinux/issues/29
Fixes:
>>> selinux.restorecon('/var/lib', recursive=True)
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
status, context = matchpathcon(path, mode)
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fix unitialized variable compiler warnings when using the
"-O3 -Werror" flags on gcc6 by initializing the variables in
question. The variables were never used before being initialized.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When building libselinux package, "make install" creates /sbin directory
without putting anything in it. Remove this from the Makefile.
While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it
refers to /usr/sbin.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The majority of prototypes don't put a space between the "*" and the
parameter name. i.e. this style is incorrect:
char * foo;
Instead, we want:
char *foo;
Fix a bunch of references that use this uncommon style.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The section number shouldn't be bolded. Fix a few references in
selinux(8) to match all the other man pages.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Teach audit2why to recognize type bounds failures. This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.
This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel. However, it
is unclear if this is needed. It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).
Before:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
After:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Typebounds violation.
Add an allow rule for the parent type.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When code is compiled within the Android tree, the resulting binaries
are intended to run either on the "host" (the machine doing the
building) or the "target" (the machine running the Android operating
system).
"ANDROID" is defined if the code is being compiled for the host or the
target, whereas "__ANDROID__" is only defined for code being compiled for
the target. (yes, I agree, this is not obvious).
gettid() is only declared in the target environment, not the host
environment, so adjust the #ifdef to properly emit the gettid()
definition for binaries targeting the host.
Signed-off-by: Nick Kralevich <nnk@google.com>
process_line called compat_validate, but never actually looked at the
return value. When an invalid entry is found, a warning is printed, but
since the upper layers of the code don't see the error, validation
appears to succeed.
Steps to reproduce on Android:
1) Edit system/sepolicy/private/file_contexts and create an entry with
an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to
check if file_contexts is valid.
Expected: Compile failure.
Actual: Compile succeeds with warnings.
Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Normalize enforce values received from the kernel via
/sys/fs/selinux/enforce or netlink selinux notifications
to ensure that we always return a 0 or 1 to userspace code.
selinux_status_getenforce(), which reads the enforce value
via the SELinux kernel status page (/sys/fs/selinux/status)
already normalizes its result, so we do not need to update it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Makefiles currently install the Python wrapper libraries using .so
suffix (_selinux.so, audit2why.so and _semanage.so). Even though this
works well with CPython 2 and 3, PyPy fails to find these files because
it is looking for files with a specific version token in the suffix (eg.
_selinux.pypy-41.so).
This suffix is advertised by the imp module. Here is the result of
'import imp;print([s for s, m, t in imp.get_suffixes() if t ==
imp.C_EXTENSION])' for several Python versions:
Python 2.7.12: ['.so', 'module.so']
Python 3.5.2: ['.cpython-35m-x86_64-linux-gnu.so', '.abi3.so', '.so']
PyPy 5.4.1 (Python 2.7.10): ['.pypy-41.so']
PyPy3 5.5.0-alpha0 (Python 3.3.5): ['.pypy3-55.so', '.pypy3-55.so']
Define the name of the installed Python-C extension using the first
extension of these lists, in order to make the Python extensions
compatible with pypy.
When building the Python wrappers for PyPy and PyPy3 on Linux, the
following environment variables need to be set (PyPy does not provide a
pkg-config file nor a platform-agnostic way to build the string
"-lpypy-c"):
PYTHON=pypy (or PYTHON=pypy3)
PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include
PYLIBS=-lpypy-c (or PYLIBS= if LDFLAGS does not have
-Wl,-no-undefined)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This structure has been empty since its introduction and makes clang
complain when $(filter-out -Werror, $(CFLAGS)) is removed in the
Makefile target for audit2why.lo:
audit2why.c:443:1: error: empty struct has size 0 in C, size 1 in
C++ [-Werror,-Wc++-compat]
struct module_state {
^
1 error generated.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using SWIG_fail in the Python SWIG wrappers makes the wrapping function
destroy/free the memory which could have been dynamically allocated
before calling the wrapped function. This thus prevents possible memory
leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(),
etc.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang does not support -aux-info option. When exception.sh is run with
CC=clang, use gcc to build selinuxswig_python_exception.i and
semanageswig_python_exception.i.
This does not solve the issue of building libselinux and libsemanage
Python wrappers on a system without gcc. However parsing the result of
"gcc -aux-info" is easier than parsing the header files so stay with
this command at least for now.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Python wrapper module needs to be
linked with the right libpython.so. This library is found using
pkg-config in a new PYLIBS variable.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Ruby wrapper module needs to be linked
with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS
variable to find this library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This makes building libselinux and libsemanage more robust on systems
with several versions of Ruby installed: when building, only RUBY needs
to be set, without wondering about PKG_CONFIG_PATH or other environment
variables.
Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but
since previous Ruby versions are retired since 2015-02-23 this should
not have any impact
(https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/).
While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to
install the Ruby extension, like commit 1cd80faa53 ("libselinux:
versioned ruby pkg-config and query vendorarchdir properly") did for
libselinux.
My main motivation with this patch is to make the build configuration
easier to define on Travis-CI or other continuous integration platforms.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") broke the ability to run make
in the src subdirectory of libselinux (because OS and COMPILER
were not defined) and also caused some warning flags that could
be overridden via command-line CFLAGS to be mandatory. Fix it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:
bash exception.sh > selinuxswig_python_exception.i
clang-3.9: error: no such file or directory: 'temp.aux'
awk: fatal: cannot open file `temp.aux' for reading (No such file or
directory)
This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.
In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.
As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.
By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python wrapper of rpm_execcon() has several flaws:
* An invalid call like selinux.rpm_execcon() triggers a segmentation
fault.
* The size of the buffer which is allocated to copy argv and envp is
too small to hold all the values.
* This allocated memory is leaked if one argument of rpm_execon() is not
a sequence of bytes.
The Ruby wrapper has no such flaws but can not be used as it is because
it misses some glue code to convert argv and envp arguments to char
*const [] values (even though the destructor is present!).
As it is not possible to remove rpm_execcon() without changing
libselinux soname (it would be an ABI break) like b67fefd991
("libselinux: set DISABLE_RPM default to y.") tried to do, disable this
interface locally in the SWIG wrappers.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3 this was causing issues
with string manipulation functions like split().
Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.
This reverts commit 63df0f7ef1.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
When building with clang, multiple noreturn issues arise,
for instance:
selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
Fix these.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As reported by Nicolas Iooss, the clang + linux build seems
broken:
clang-3.9: warning: argument unused during compilation: '-undefined
dynamic_lookup'
/usr/bin/ld: unrecognised option: -install_name
clang-3.9: error: linker command failed with exit code 1 (use -v to
see invocation)
We already have those options set for Darwin, just drop them from the
clang side.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Loop designed for stripping leading "//" was changing
the only pointer referencing block of memory allocated
by "strdup", resulting in "free()" failure. The loop
had no effect because "realpath" is used later on.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598
Signed-off-by: vmojzis <vmojzis@redhat.com>
Add clean targets to just clean the python and ruby wrapper objects
Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To build on mac, first build libsepol with
no DESTDIR set.
Secondly, build libselinux with ANDROID_HOST=y
This configuration can be used to test the Android
host build on Mac.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac, one encounters this error:
sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
To correct this, add the attribute noreturn to the function.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac with ANDROID_HOST=y, clang complains:
sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16* block = (CHAR64LONG16*) workspace;
Rather then casting the bytearray to the CHAR64LONG16 union,
just create a stack workspace of type CHAR64LONG16.
This will prevent alignment issues with the data accesses.
Signed-off-by: William Roberts <william.c.roberts@intel.com>