There is a missing error check in audit2why.c. Check for error and
return NULL if we can't initialize instead of just pretending it worked.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
python3 does not have PyString_FromString use PyBytes_FromString
instead. The same for PyString_Check->PyBytes_Check and for
PyString_AsString->PyBytes_AsString
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Tools like restorecon or systemd, which load the fcontext database to
make labeling decisions do not need to check for duplicate rules. Only
the first rule will be used. Instead we should only check for
duplicates when new rules are added to the database. And fail the
transaction if we find one.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Allow the specification of python3 in the swig creation
This patch adds the new option PYPREFIX which causes the swig created
libraries to have a prefix. This allows one to build both the python2
and python3 libraries in the same source tree. The install will then
later strip this prefix back off when it drops the files into the python
approriate site package directory.
This patch also needs to update the PYINC definition as newer python
patckages on fedora exist in /usr/include/python3.2mu instead of
/usr/include/python3.2 as the other method of detemrining PYINC would
have found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When expanding a module which includes role transitions we were
comparing the numeric value of the base policy role with the numberic
value of the unmapped role in the module. Comparisions between
role values need to both be in terms of the mapped role in the base
module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Harry Ciao <qingtao.cao@windriver.com>
If one tries to build policycoreutils it won't work because of:
seunshare.c: In function ‘main’:
seunshare.c:242:21: error: ‘CLONE_NEWNS’ undeclared (first use in this
function)
seunshare.c:242:21: note: each undeclared identifier is reported only
once for each function it appears in
make[1]: *** [seunshare.o] Error 1
Moving the #define _GNU_SOURCE earlier in the file means it is set when
sched.h is includes via some of dependancy chain. Thus it can build.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have dumb code in setfiles which will set a static variable called
ignore_enoent. Thing is, nothing uses it. So move the setting to where
it is useful and use it!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is a .gitignore at the head of the directory but only contains
entries for the utils directory. Move to the utils directory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This utility will tell what context a new task will have after exec
based on the pathname and the context of the launching task.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libselinux selabel_open function always processed the substitution files (if
installed) from the active policy contexts/files/file_contexts.subs and
subs_dist irrespective of the backend type or SELABEL_OPT_PATH setting. This
patch now processes the correct subs files when selabel_open is called with
SELABEL_CTX_FILE. The other backends could also process their own substitution
files if needed in their own areas.
[move the init declaration to label_internal.h - eparis]
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The Fedora Distribution is looking to standardize kernel subsystem file
systems to be mounted under /sys/fs. They would like us to move /selinux
to /sys/fs/selinux. This patch changes libselinux in the following
ways:
1. load_policy will first check if /sys/fs/selinux exists and mount the
selinuxfs at this location, if it does not exists it will fall back to
mounting the file system at /selinux (if it exists).
2. The init functions of selinux will now check if /sys/fs/selinux is
mounted, if it is and has an SELinuxfs mounted on it, the code will then
check if the selinuxfs is mounted rw, if it is, libselinux will set the
mountpoint, if it is readonly, libselinux will return no mountpoint. If
/sys/fs/selinux does not exists, the same check will be done for
/selinux and finally for an entry in /proc/mounts.
NOTE: We added the check for RO, to allow tools like mock to be able to
tell a chroot that SELinux is disabled while enforcing it outside the
chroot.
$ getenforce
Enabled
$ mount --bind /selinux /var/chroot/selinux
$ mount -o remount,ro /var/chroot/selinux
$ chroot /var/chroot
$ getenforce
Disabled
3. In order to make this work, I needed to stop enabled from checking if
/proc/filesystem for entries if selinux_mnt did not exist. Now enabeled
checks if selinux_mnt has been discovered otherwise it will report
selinux disabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Note that you cannot build a module with an older policy version.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The first user that logs in will not be caught by restorecond. The utmp
checking function only returns that there was a change when the previous
list of users was non-NULL.
Here's a patch that works for me (this is against the latest Red Hat
Enterprise Linux 5 policycoreutils release, but I checked the current
source tree and the same problem is present):
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile does:
SRCS= $(filter-out $A, $(filter-out $B, *))
When it can just do:
SRCS= $(filter-out $A $B, *)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
update .gitignore to include files that are normally created when
working and building inside the git repo
Sigend-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There was no way to print all of the role transition rules in dispol.
Add that support.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libsemanage/src/semanage.py and libselinux/src/semanageswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libselinux/src/selinux.py and libselinux/src/selinuxswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor.
This patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Note: it is not clear to me why it is necessary to remove and readd the
watch in the first place.
Note for testing: you need to log in (to cause a change in utmp) after
starting restorecond to trigger the bug. In fact you need to log in twice
before the kernel reuses a watch descriptor.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The formatting of dismod/dispol display of filename trans rules didn't
make a lot of sense. Make them more like the original rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The kernel policy parsing logic was incorrectly believing the list of
filename transition rules was always empty because we never updated the
tail pointer when we added to the list. This patch updates the pointer
to the last entry when a new entry is added.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
When the link process is completed, the types type_set_t and roles
ebitmap in a role attribute are settled, then we could go on to scan
all role attributes in the base->p_roles.table checking if any non-zero
bit in its roles ebitmap is indeed another role attribute.
If this is the case, then we need to escalate the roles ebitmap of
the sub role attribute into that of the parent, and remove the sub role
attribute from parent's roles ebitmap.
Since sub-attribute's roles ebitmap may further contain other role
attributes, we need to re-scan the updated parent's roles ebitmap.
Also if a loop dependency is detected, no escalation of sub-attribute's
roles ebitmap is needed.
Note, although in the link stage all role identifiers defined in any
block/decl of any module would be copied into the base->p_roles.table,
the role-attribute relationships could still be recorded in the decl's
local symtab[SYM_ROLES] table(see get_local_role()), so before all above
escalation of sub role attribute's roles ebitmap into that of parent ever
happens, all decl in the base->global list except the global block would
have to be traversed so as to populate potential role-attribute
relationships from decl up to the base module.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When the rolemap and pointer to the base module are available, if
a non-zero bit in role_set_t.roles is a role attribute, expand it
before remap.
Note, during module compile the rolemap may not be available, the
potential duplicates of a regular role and the role attribute that
the regular role belongs to could be properly handled by
copy_role_allow() and copy_role_trans() during module expansion.
Take advantage of the role_val_to_struct[] of the base module, since
when role_set_expand() is invoked, the role_val_to_struct[] of the
out module may have not been established yet.
Also cleanup the error handling of role_set_expand().
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Copy the flavor flag into its counterpart in the out module;
2. Fix all role attributes in the base module:
2.1 remap the roles ebitmap and merge into its counterpart in the
out module;
2.2 escalate the types.types ebitmap of its counterpart in the out
module, to the counterparts for all the regular roles that belongs
to the current role attribute.
The role_fix_callback() must be called after role_copy_callback()
so that state->rolemap[] is available.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Make the flavor flag and the roles ebitmap in role_datum_t structure
properly handled during module link process:
1. the flavor flag is copied into the base module;
2. if both the current module and the base module have defined or
required the same role, check if there is a discrepency in flavor;
3. remap the roles ebitmap and merge into its counterpart in the
base module;
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Add support to read/write the flavor flag and roles ebitmap in the
role_datum_t structure from/to policy module, if its version is no less
than MOD_POLICYDB_VERSION_ROLEATTRIB.
Since the role ebitmap would be expanded and won't be written into
policy.X, neither is the flavor flag, kernel SELinux security server
needs no change, the maximum version number for policy.X needs no bump.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;
2. Add a new "attribute_role" statement and its handler to declare
a role attribute;
3. Modify declare_role() to setup role_datum_t.flavor according
to the isattr argument;
4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;
5. Modify the syntax for the role-types rule only to define the
role-type associations;
6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;
7. Check if the new_role used in role-transition rule is a regular role;
8. Support to require a role attribute;
9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share a same name with another regular role.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The patch below allows filesystem names in fs_use_* and genfscon
statements to start with a digit, but still requires at least one
character to be a letter. A new token type for filesystem names is
created since these names having nothing to do with SELinux.
This patch is needed because some filesystem names (such as 9p) start
with a digit.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This wraps the filename token in quotes to make parsing easier and more
clear. The quotes are stripped off before being passed to checkpolicy.
The quote wrapping is only used by filename transitions. This changes
the filename transition syntax to the following:
type_transition source target : object default_type "filename";
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
currently policy will not build if I define a module as 1
policy_module(dan,1) Fails
policy_module(dan,1.0) works
The attached patch makes the first one work.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
When writing the roletrans rules, rules are dropped when not supported,
but the number of rules is not decreased. This sets the number of
elements to the actual number of rules that will be written.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Although the role trans code had support to handle the kernel policy
when the version was less that roletrans such support was not in the
module read/write code. This patch adds proper support for role trans
in modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This patch adds libsepol support for filename_trans rules. These rules
allow one to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Bump checkpolicy to 2.0.24
Bump libselinux to 2.0.102
Bump libsepol to 2.0.43
Bump policycoreutils to 2.0.86
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
