Commit Graph

513 Commits

Author SHA1 Message Date
Stephen Smalley
220151c0ef Update policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-16 11:41:46 -04:00
Petr Lautrbach
219eea83ce policycoreutils: setfiles/restorecon: fix -r/-R option
A spec file was incorrectly stored as rootpath when -r option was used

Fixes:
/sbin/setfiles:  /tmp/install_root is not located in /etc/selinux/targeted/contexts/files/file_contexts

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-04-16 11:40:55 -04:00
Stephen Smalley
b03543cdc0 Update policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-16 09:52:05 -04:00
Stephen Smalley
549912d229 org.selinux.policy: Require auth_admin_keep for all actions.
Fedora permits obtaining local policy customizations and the list
of policy modules without admin authentication, but we would prefer
more conservative defaults upstream.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-16 09:40:31 -04:00
James Carter
c0064fb732 Update ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-02 10:52:25 -04:00
James Carter
758a7fe501 libsepol, policycoreutils: Move functions to convert a module package to CIL
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.

Convert pp to use the renamed functions in libsepol.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-04-01 13:09:17 -04:00
Stephen Smalley
d05b06298b Update policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-30 10:56:33 -04:00
Jason Zaman
055cc407fc run_init: Use a ring buffer in open_init_pty
open_init_pty uses select() to handle all the file descriptors. There is
a very high CPU usage due to select() always returning immediately with
the fd is available for write. This uses a ring buffer and only calls
select on the read/write fds that have data that needs to be
read/written which eliminates the high CPU usage.

This also correctly returns the exit code from the child process.

This was originally from debian where they have been carrying it as a
patch for a long time. Then we got a bug report in gentoo which this
also happens to fix. The original debian patch had the ring buffer
written in C++ so I modified the class into a struct and some static
methods so it is C-only at the request of Steve Lawrence.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=532616

Signed-off-by: Jason Zaman <jason@perfinion.com>
Tested-by: Laurent Bigonville <bigon@bigon.be>
2015-03-30 10:53:41 -04:00
Nicolas Iooss
4be2fd4576 run_init: fix open_init_pty avaibility check
If /usr/sbin/open_init_pty is not found or is not executable,
access("/usr/sbin/open_init_pty", X_OK) returns -1, not zero.

Use "!= 0" like in other places in SELinux userland libraries and tools.
2015-03-30 10:51:58 -04:00
Stephen Smalley
3057bcf6a0 Update ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-18 08:37:10 -04:00
Daniel De Graaf
82030de5dc libsepol, checkpolicy: widen Xen IOMEM ocontext entries
This expands IOMEMCON device context entries to 64 bits.  This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space.  The policy version number change
is shared with the next patch.

While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:18 -04:00
Stephen Smalley
50788b155d Update libselinux and policycoreutils ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 14:18:34 -04:00
Petr Lautrbach
417cb8d076 Fix -Wformat errors
Fixes two types of errors which appear when building with gcc-5.0.0

- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-03-13 14:14:23 -04:00
Steve Lawrence
9aa60660a5 Update policycoreutils changelog 2015-02-25 08:31:05 -05:00
Andrew Spiers
7fc51977a5 typo in semanage-port.8
Acked-by: Steve Lawrence <slawrence@tresys.com>
2015-02-25 08:29:08 -05:00
Stephen Smalley
d8b2a0ab50 Update libselinux and policycoreutils ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-13 10:46:45 -05:00
Christopher
6d198c0031 Fixed typo/grammatical error 2015-02-08 01:34:55 -05:00
Steve Lawrence
f0c9966f88 Bump to final release 2015-02-02 09:38:10 -05:00
dcashman
ed7a6ba24a Allow libsepol C++ static library on device.
Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-01-20 10:31:15 -05:00
Steve Lawrence
823ebc8c6b Bump to release candidate 7 2014-12-03 10:06:26 -05:00
Laurent Bigonville
b9abc5c6e7 Add "RuntimeDirectory=setrans" to the mcstrans.service
Add "RuntimeDirectory=setrans" to the mcstrans.service, this will make
systemd automatically create the /run/setrans directory before starting
the service.

This directory contains the ".setrans-unix" socket created by the
daemon.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 10:05:25 -05:00
Steve Lawrence
7a09af2123 policycoreutils: pp: add roletype statements for both declared and required type/typeattributes
Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:

  require {
    type foo_t;
  }
  type bar_t;
  role staff_r types foo_t, bar_t;

only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>
2014-11-19 14:25:33 -05:00
Steve Lawrence
07e75a9cc7 Bump to release candidate 6 2014-11-12 08:30:15 -05:00
Steve Lawrence
81d8cea807 policycoreutils: pp: define type aliases in the correct scope
Previously, type aliases were converted to CIL in the global namespace,
regardless of which scope they were actually defined in. So essentially
type aliases could never be in optionals. For the most part this worked,
however, in some small number of cases, a type alias could reference a
type defined inside an optional. If that optional was disabled, the type
would be disabled and so the type alias would fail to resolve, causing
policy to fail to build.

Unfortunately, type alises are stored in pp modules different than other
symbols (e.g. types/roles/etc) so they must be added to scopes
differently. So this patch gathers up all type aliases in a list and
keeps track of which scope each type alias is defined in. When we enter
a new scope, use that list to determine which type alias are defined
there and print the appropriate CIL statements.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-11-12 08:06:41 -05:00
Steve Lawrence
3904db5ac9 policycoreutils: pp: mimic require block support in CIL
CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.

To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.

Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-11-12 08:06:41 -05:00
Steve Lawrence
d1db56c52b Bump to release candidate 5 2014-10-29 11:01:03 -04:00
Steve Lawrence
6280387034 Bump to release candidate 4 2014-10-06 15:03:24 -04:00
Steve Lawrence
84d9486eb2 policycoreutils/hll/pp: fix typo in error messages
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-06 14:51:23 -04:00
Steve Lawrence
7f16505a31 policycoreutils/hll/pp: only print certain roles when declared in base modules
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.

Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 12:10:22 -04:00
Steve Lawrence
ff5bbe6dcf Bump VERSION/ChangeLog for release candidate 3
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 10:16:34 -04:00
Yuli Khodorkovskiy
0a71540723 policycoreutils/hll/pp: change printing behavior of typeattribute/sets
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.

This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:08 -04:00
Yuli Khodorkovskiy
836ffd988e policycoreutils/hll/pp: fix '\n' parsing in filecon statements
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:03 -04:00
Yuli Khodorkovskiy
f42d013eec policycoreutils/hll/pp: Fix role/roletype scoping
- Create role declarations no matter if the declaration is in base or
  a module. Since CIL does not permit role re-declarations, this change
  will break existing policies that have the same role declared in multiple
  modules. To fix this, the policies will need to change the role to be
  defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
  decl. The full stack is needed to determine if identifiers are in
  scope
- Only create roletype statements for a role and a type in two cases:
   1) The role is declared/required and the type is declared/required in
      the same scope or an ancestor scope of the role
   2) The type is declared/required and the role is declared/required in
      an ancestor scope of the type

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:58 -04:00
Nicolas Iooss
e4d693ae87 Use $(PYTHON) instead of "python" in every Makefile
This fixes the build with "make PYTHON=python2" on systems where python
is python3.

For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4.  For each of them, these commands print the expected result:

    python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
    python -c "from distutils.sysconfig import *;print(get_python_lib(1))"

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:49 -04:00
Nicolas Iooss
c4a4a1a7ed Fix gcc -Wstrict-prototypes warnings
In C, defining a function with () means "any number of parameters", not
"no parameter".  Use (void) instead where applicable and add unused
parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:38 -04:00
Nicolas Iooss
188a028f74 policycoreutils: fix most gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:34 -04:00
Nicolas Iooss
aad0962be2 policycoreutils/hll/pp: fix gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:31 -04:00
Nicolas Iooss
3642a57cd0 policycoreutils/hll/pp: add printf format attribute to relevant functions
log_err, cil_printf and cil_println use printf formats to process their
arguments.  Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.

This detected this issue several times on a x86_64 system:

  format '%lx' expects argument of type 'long unsigned int', but
  argument has type 'uint32_t'

Fix this by introducing an explicit cast to unsigned long.

While at it, constify the format string argument of each function.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:00 -04:00
Nicolas Iooss
e198427fe5 policycoreutils/semodule_package: fix debug build
Building from the root directory with "make DEBUG=1" enables -Wshadow
option.  This makes the compilation fail with the following error:

  semodule_unpackage.c: In function 'usage':
  semodule_unpackage.c:17:25: error: declaration of 'progname' shadows a global declaration [-Werror=shadow]
   static void usage(char *progname)
                         ^
  semodule_unpackage.c:14:7: error: shadowed declaration is here [-Werror=shadow]
   char *progname = NULL;
         ^

Fix this error by no longer passing a global variable as a parameter to
usage function.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:57 -04:00
Nicolas Iooss
f978b1b071 policycoreutils/sandbox: fix debug build
Building from the root directory with "make DEBUG=1" enables -Wshadow
option.  This makes the compilation fails with the following error:

  cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
  -I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
  -W   -c -o seunshare.o seunshare.c

  seunshare.c: In function 'spawn_command':
  seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
    int child;
        ^
  seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
   static int child = 0;
              ^

Fix this error by renaming the "child" variable in spawn_command.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:53 -04:00
Nicolas Iooss
855bfdf0ce policycoreutils/hll/pp: fix potential use of uninitialized variable
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:49 -04:00
Steve Lawrence
86dffdd28f policycoreutils: mcstrans: use string_to_av_perm() to calculate permission access vector
mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
a permission access vector. However, av_permissions.h was deprecated, so
it does not have access to the constant. This updates mcstrans to use
string_to_av_perm() to get the value for context contains.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-08-29 09:19:50 -04:00
Steve Lawrence
213c3189d0 Bump versions for r2
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-27 11:47:04 -04:00
Steve Lawrence
8f9d3a7c95 Fix typos in ChangeLog and Versions 2014-08-26 14:20:48 -04:00
Steve Lawrence
79fd2d06ab Bump versions and update ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 09:48:54 -04:00
Yuli Khodorkovskiy
28efbfd4ed policycoreutils: add semodule option to set store root path
Add a new -S option to semodule. This option overrides store_root
in semanage.conf and sets the SELinux store's root path. If neither -S,
nor store_root are specified in semanage.conf, then the default
location is used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-08-26 08:03:31 -04:00
Yuli Khodorkovskiy
241f9d2d03 policycoreutils: add semodule flag for ignoring cached CIL
Providing --ignore-module-cache will cause the recompilating of all HLL
modules, and recaching of the resulting CIL files.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-08-26 08:03:31 -04:00
Steve Lawrence
893851c0a1 policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL
Reads in a policy package file via stdin or via filename, and writes out
the equivilent CIL to stdout or to an output file, depending on the
parameters passed in.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:03:31 -04:00
Jason Dana
2ff279e21e policycoreutils: semanage: update to new source policy infrastructure
- Remove version references
- Use new methods for enabling/disabling modules
- Add support to set priority when adding/removing modules
- Modify module --list output to include priority and language extension
- Update permissiveRecords call to support cil policy

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Jason Dana <jdana@tresys.com>
2014-08-26 08:03:31 -04:00
Yuli Khodorkovskiy
e599a43184 policycoreutils: deprecate base/upgrade/version in semodule
Providing --upgrade or --base will now just call --install, and display
a deprecation message to the user. Additionally, because CIL has no
concept of version numbers, this removes the version output from --list.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-08-26 08:02:16 -04:00