In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
This fixes the build with "make PYTHON=python2" on systems where python
is python3.
For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4. For each of them, these commands print the expected result:
python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
python -c "from distutils.sysconfig import *;print(get_python_lib(1))"
Acked-by: Steve Lawrence <slawrence@tresys.com>
The addition of this rule caused interface vectors to be less accurate.
The grammar looks correct without the rule, so remove it.
Reverted hunk from commit 17cc87e56b0241688c119f774f103622b002e0ae
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Help the administrator/policy developer to see what parts of the label are different.
For example if you get a constraint violation and the role of the source and target
differ, audit2allow will suggest this might be the problem.
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version. Switching to 2-component versions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
audit2allow was generating rules which would not compile. We can only
do one per line, not tons of types at one time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Return low quality matches as well as high quality matches. Sometimes
we just want the crap with the sugar.
Signed-off-by: Eric Paris <eparis@redhat.com>
Filenames can have a +, so we should be able to parse and handle those
files.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We still want to be able to use sepolgen even if setools isn't
installed. Degrade functionality, but still work if it can't be found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
I am running into an issue with sepolgen. Debian ships more
than one version of the refpolicy, a default one, and a MLS enabled
one. So, the include files live in either
/usr/share/selinux/{default,mls}/include sepolgen (in
src/sepolgen/defaults.py) sets refpolicy_devel() to a single
location -- and thus, only one version of the security policy may be
supported. So, sepolgen-ifgen from policycoreutils can only work
with one policy, which may not be the one installed on the target
machine. Could this be made configurable, somehow? As far as I can
see, sepolgen's python library does not offer any way to set the
value. This change fixes that. Now you may set the path to look for
development headers in /etc/selinux/sepolgen.conf, in the variable
SELINUX_DEVEL_PATH. The builtin default will have it work on Debian
and fedora machines out of the box.
Signed-off-by: Laurent Bigonville bigon@debian.org
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
FIPS does not allow md5 as a valid algorithm. Although we don't really
care about cryptographic strength since the algorithm isn't allowed to
be used at all use something strong, like sha256.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you pass output from a log file that does not include any avc's
audit2allow will crash. This patch fixes this problem.
ausearch -m avc -ts recent | audit2allow
If there was no AVC's recently, we do not want the python to crash.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
combine analysys of audit2why into audit2allow, so users can see if a
boolean would solve an AVC or if it is a constrain violation. Rather
then blindly adding allow rules to modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We already allow this in policy, so allow it in sepolgen as well.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
During Rawhide releases we change all "unconfined_domains" to
permissive domains in order to find new AVC messages without breaking
rawhide boxes. The way we do this is changing the unconfined_domain
interface and putting permissive $1; in it. sepolgen does not like
this and blows up the build. This patch tells sepolgen to ignore the
permissive in an interface.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>