Commit Graph

1119 Commits

Author SHA1 Message Date
Dan Walsh
70b23853a8 libselinux: Compiled file context files and the original should have the same permissions
Currently the compiled file context files can end up with different
permissions then the original.  This can lead to non priv users
not being able to read the compiled versions.
2014-08-26 07:59:02 -04:00
Steve Lawrence
52623801c4 libsemanage: fix deprecation warning for bison
The %name-prefix="foo" syntax was deprecated in bison 2.3b [1], which
was released in 2006. This patches fixes the syntax to use the newer
syntax. This breaks support for older versions of bison.

[1] http://lists.gnu.org/archive/html/help-bison/2009-10/msg00018.html

Reported-by: Ilya Frolov <ilya.a.frolov@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-25 11:51:17 -04:00
Stephen Smalley
e5aaa01f81 Skip policy module re-link when only setting booleans.
Since booleans are only set, not added/removed, we do not need to re-link
modules when setting them.  We can instead just take the existing binary
policy and mutate it for the new values.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-30 08:34:26 -04:00
Stephen Smalley
76913d8adb Deprecate use of flask.h and av_permissions.h.
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.

This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector).  Ho hum.  I already fixed this in Android but forgot it
here.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-09 13:49:18 -04:00
Stephen Smalley
ac33098a80 Add pcre version string to the compiled file_contexts format.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-09 13:02:46 -04:00
Stephen Smalley
7bdc38ccb2 Log an error on unknown classes and permissions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 14:03:39 -04:00
Artyom Smirnov
056efe85d6 Add db_exception and db_datatype support to label_db backend
Hi,

in https://github.com/TresysTechnology/refpolicy/pull/1 db_exception
and db_datatype were added to reference policy. This small patch
extends ability of label_db backend to work with these objects.

Regards.
2014-06-26 10:51:15 -04:00
Nicolas Iooss
2eba8aa1f5 libsemanage: use semanage_bool_get_value to print a boolean
... and not semanage_bool_set_value.

This fixes "python2 pywrap-test.py -v -B -C"
2014-06-24 15:53:45 -04:00
Nicolas Iooss
49c738fc93 libsemanage: fix src/pywrap-test.py -v -F
Running "libsemanage/src/pywrap-test.py -v -F" gives following error:

    Traceback (most recent call last):
      File "pywrap-test.py", line 1139, in <module>
        sys.exit(main())
      File "pywrap-test.py", line 1121, in main
        tests.run(sh)
      File "pywrap-test.py", line 107, in run
        self.test_writefcontext(handle)
      File "pywrap-test.py", line 622, in test_writefcontext
        if self.verbose: print "SEFContext type set: ", semanage.semanage_fcontext_get_type_str(fcon)
    TypeError: in method 'semanage_fcontext_get_type_str', argument 1 of type 'int'

The argument of semanage_fcontext_get_type_str is the type recorded in
fcon and not fcon itself.  This type can be retrieved with
semanage_fcontext_get_type.
2014-06-24 15:53:45 -04:00
Nicolas Iooss
78c9c97ab9 libselinux: fix typo in man page 2014-06-12 08:20:41 -04:00
Andy Lutomirski
74d27a9733 seunshare: Try to use setcurrent before setexec
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail.  This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.

Note that this won't work without adjusting the system policy to
allow this use of setcurrent.  This rule appears to work:

    allow unconfined_t sandbox_t:process dyntransition;

although a better rule would probably relax the unconfined_t
restriction.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
2014-05-12 14:14:45 -04:00
Dan Walsh
de0795a12e Remove handling of cgroups from sandbox
It never worked correctly and this should be handled with an
API to systemd going forward.
2014-05-12 14:14:42 -04:00
Dan Walsh
6ee0299ab7 Update XDG_RUNTIME_DIR directory 2014-05-12 14:14:39 -04:00
Will Woods
241fac2728 selinux_init_load_policy: setenforce(0) if security_disable() fails
If you run selinux_init_load_policy() after a chroot/switch-root, it's
possible that your *previous* root loaded policy, but your *new* root
wants SELinux disabled.

We can't disable SELinux in this case, but we *do* need to make sure
it's permissive. Otherwise we may continue to enforce the old policy.

So, if seconfig = -1, but security_disable() fails, we set *enforce=0,
and then let the existing code handle the security_{get,set}enforce
stuff.

Once that's handled, exit with failure via "goto noload", as before.
2014-05-07 15:24:35 -04:00
Stephen Smalley
1e6482134b Bump version and update ChangeLog for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-06 13:30:27 -04:00
Stephen Smalley
9e746d6a69 Improve error message for name-based transition conflicts.
Quote the component name.
Reorder the arguments to more closely align with the rule syntax.
Use a more descriptive text that will more clearly correspond to the original rule.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-16 14:17:39 -04:00
Stephen Smalley
e910cf6e62 Revert "libsepol: filename_trans: use some better sorting to compare and merge"
This change was incorrect and can yield duplicate file name transition rules.
Revert it and look at converting the filename_trans list to a hashtab
as has already been done in the kernel in the future.

This reverts commit a29f6820c5.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-15 14:38:59 -04:00
Stephen Smalley
53e1304103 Add support for building dispol program.
This is a program for displaying the contents of a binary policy file.

Change-Id: Iba94d6b13ac1abbc084da5631dc2bf4107e548d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-09 08:34:32 -04:00
Stephen Smalley
fb5d2a5bea Update ChangeLog and VERSION for rc1.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-31 08:37:53 -04:00
Thomas Hurd
6263ad719c libsemanage: fix memory leak in semanage_genhomedircon 2014-03-31 08:37:05 -04:00
Stephen Smalley
35b3c259a7 2.3-rc1 (release candidate 1).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-25 13:24:44 -04:00
Stephen Smalley
a80a48cb19 Fix for binary policy modules.
They do not retain the neverallow source information so we must
not assume that source_filename is set.  Either need a new binary
module format if we want to propagate this information for modular
builds or get rid of binary modules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 14:28:32 -04:00
Stephen Smalley
84c9c828a0 Update ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 15:05:09 -04:00
Nick Kralevich
e91b5d2ad0 Maybe fix darwin compile error.
external/checkpolicy/policy_define.c:63: error: 'PATH_MAX' undeclared here (not in a function)
  [deleted]
  make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkpolicy_intermediates/policy_define.o] Error 1
  make: *** Waiting for unfinished jobs....

Change-Id: If3795c7e62ed0d685ad07047f46014f77b87b4a8
2014-03-24 15:03:31 -04:00
Stephen Smalley
0e00684f69 Report source file and line information for neverallow failures.
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 15:02:57 -04:00
Stephen Smalley
ef24ade029 Report source file and line information for neverallow failures.
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 14:58:58 -04:00
Stephen Smalley
8c5171d76e Update checkpolicy/ChangeLog. 2014-02-20 14:24:43 -05:00
Stephen Smalley
bfb806120a Prevent incompatible option combinations.
checkmodule -m and -b are fundamentally incompatible with each other,
so reject attempts to use them together.

Resolves
https://bugzilla.redhat.com/show_bug.cgi?id=1064603

Also fix the error message for -m with -U to use stderr.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-20 14:20:20 -05:00
Stephen Smalley
2001fa0e9d dismod and dispol do not use libselinux.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-20 14:19:50 -05:00
Stephen Smalley
269b45c8bb Update libselinux/ChangeLog for next.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-19 16:12:55 -05:00
Stephen Smalley
9eb9c93275 Get rid of security_context_t and fix const declarations.
In attempting to enable building various part of Android with -Wall -Werror,
we found that the const security_context_t declarations in libselinux
are incorrect; const char * was intended, but const security_context_t
translates to char * const and triggers warnings on passing
const char * from the caller.   Easiest fix is to replace them all with
const char *.  And while we are at it, just get rid of all usage of
security_context_t itself as it adds no value - there is no true
encapsulation of the security context strings and callers already
directly use string functions on them.  typedef left to permit
building legacy users until such a time as all are updated.

This is a port of Change-Id I2f9df7bb9f575f76024c3e5f5b660345da2931a7
from Android, augmented to deal with all of the other code in upstream
libselinux and updating the man pages too.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
2014-02-19 16:11:48 -05:00
Stephen Smalley
1cb368636b Updated libselinux/ChangeLog for next.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-06 14:07:18 -05:00
Guillem Jover
a2737333c7 libselinux: Refactor rpm_execcon() into a new setexecfilecon()
This new function allows a process to invoke helper programs with
a new execution context based on the filename, this is initially
intended for package managers so that they can easily execute
package scriptlets or maintainer scripts.

Base rpm_execcon() off this new function.

Signed-off-by: Guillem Jover <guillem@debian.org>
2014-01-06 14:06:03 -05:00
Stephen Smalley
2ba1541f21 Merge branch 'master' into next 2013-12-30 14:40:32 -05:00
Stephen Smalley
edc2e99687 libselinux 2.2.2 - userspace AVC per-domain permissive handling fix.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-30 14:39:59 -05:00
Stephen Smalley
dcd8167f77 Coding style fix for sizeof operator.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-30 14:38:11 -05:00
Stephen Smalley
85a42ec87d Fix a bug in the userspace AVC that broke per-domain permissive mode.
Failure to copy the entire av_decision structure, including the
flags field, would prevent preservation of the SELINUX_AVD_FLAGS_PERMISSIVE
flag and thus cause per-domain permissive to not be honored for userspace
permission checks.

Also ensure that we clear the entire structure.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-30 14:36:19 -05:00
Stephen Smalley
5ba8c79721 Merge branch 'master' into next
Conflicts:
	policycoreutils/ChangeLog
2013-12-09 16:10:24 -05:00
Stephen Smalley
582c2d0199 policycoreutils 2.2.5 - yet another bug fix for non-MLS systems.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 16:06:27 -05:00
Sven Vermeulen
7d921ed797 Ignore selevel/serange if MLS is disabled
Currently, the selevel/serange values (which are often set on a default
's0' value) are used for ports, users, contexts and logins. This breaks
non-MLS setups.

This patch will only call the necessary mls functions if mls is actually
enabled.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-12-09 16:04:44 -05:00
Stephen Smalley
f89377f243 Merge branch 'master' into next
Conflicts:
	policycoreutils/ChangeLog
2013-11-26 14:07:49 -05:00
Stephen Smalley
1bca9b5964 policycoreutils 2.2.4 - bug fix for non-MLS systems.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-26 14:04:09 -05:00
Stephen Smalley
5d2b8d49ec Revert "If users of seobject set serange or seuser to "", we need to override."
This reverts commit 5102ed4cb8.
This breaks non-MLS systems.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-11-26 14:01:18 -05:00
Stephen Smalley
8d2dc72445 Updated policycoreutils ChangeLog for next.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 11:09:41 -05:00
Dan Walsh
f03dc51262 Add -P semodule option to man page 2013-11-13 11:07:23 -05:00
Dan Walsh
5fe159bfdd selinux_current_policy_path will return none on a disabled SELinux system 2013-11-13 11:07:21 -05:00
Dan Walsh
7315245750 Add new icons for sepolicy gui 2013-11-13 11:07:17 -05:00
Stephen Smalley
11fa7dfc01 Merge branch 'master' into next
Conflicts:
	policycoreutils/ChangeLog
2013-11-13 11:06:54 -05:00
Stephen Smalley
feb6f9ffdd Bump policycoreutils version to 2.2.3.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 11:06:05 -05:00
Dan Walsh
e8718ef514 Make sure we do the polkit check on all dbus interfaces.
Change policy kit to only allow access on the console.
2013-11-13 11:00:29 -05:00