The selinux/semanage python module import error in semanage_migrate_store
was misleading. Before, it would report that the selinux/semanage modules
were not installed even though they were on the system.
Now the import failure is only reported if the modules are not installed.
Otherwise, a stack trace is printed for all other errors in the selinux/semanage
python modules.
Signed-off-by: Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
I missed this bug in commit 9ec0ea143ab5 ("libsemanage: use previous
seuser when getting the previous name").
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use "previous" user name when no new user is available in
semanage_seuser_audit. Otherwise "id=0" is logged instead of
"acct=user_name" ("id=0" is hard coded value).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1622045
Restrictive umask may cause creating directories with with unintended
access mode. Reset umask before creating directories to avoid this
issue.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186422
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This program can be useful in order to test the Python API of
libsemanage. Make it usable in Python 3 using 2to3 and some tweaks.
While at it, fix warnings reported by flake8 linter.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Only use spaces to indent Python code. This reduces the number of
warnings reported by Python linters.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
from getpwnam_r(3): "The call sysconf(_SC_GETPW_R_SIZE_MAX) returns
either -1, without changing errno, or an initial suggested size for buf.
(If this size is too small, the call fails with ERANGE, in which case
the caller can retry with a larger buffer.)"
The same can happen for _SC_GETGR_R_SIZE_MAX. 1024 appears to be a good
fallback but may need revisiting in the future.
This triggered an error on musl libc but could happen other places too.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Verify that the final path does not exceed the size of the
buffer before copying. This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When split_args() calls append_arg(), the returned value needs to be
checked in order to detect memory allocation failure. Checks were
missing in two places, which are spotted by clang's static analyzer:
semanage_store.c:1352:7: warning: Value stored to 'rc' is never
read
rc = append_arg(&argv, &num_args, arg);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
semanage_store.c:1368:3: warning: Value stored to 'rc' is never read
rc = append_arg(&argv, &num_args, arg);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Fix sizeof calculation in array iteration introduced by commit
6bb8282c4c
"libsemanage: replace access() checks to make setuid programs work"
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been opened for more than 5 years.
On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.
As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs.
Replace access() calls (mostly tests for file existence) by stat().
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
F_OK access checks only work properly as long as all directories along
the path are accessible to real user running the program.
Replace F_OK access checks by testing return value of open, write, etc.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
clang's static analyzer reports an out-of-bound array access in
semanage_user_roles() when num_roles is zero, with the following
statement:
strcpy(roles,roles_arr[0]);
When num_roles is zero, roles_arr[0] is not uninitialized and roles is
the result of malloc(0) so this strcpy is dangerous. Make
semanage_user_roles() return an empty string instead.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Stop overwriting the commit number for the default save-previous flag
setting (false) in semanage.conf.
Allows semodule -v -i <policy> to show the correct commit number.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When a calling process uses umask(0) some files in the SELinux module
store can be created to be world writeable. With this patch, libsemanage
sets umask(0077) before fopen() operations and restores the original
umask value when it's done.
Fixes:
drwx------. /var/lib/selinux/targeted/active
-rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local
-rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked
-rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local
drwx------. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext
drwx------. /var/lib/selinux/targeted/active/modules/disabled
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Function dbase_llist_iterate iterates over records and checks return
value of iterate function. According to a manpage semanage_iterate(3),
handler can return value 1 for early exit. dbase_llist_iterate
currently checks for return value > 1, which does not include
expected value 1. This affects most of the semanage_*_iterate
and semanage_*_local functions.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Function semanage_genhomedircon() adds fallback user and function
setup_fallback_user() may add another one. But only one fallback
user is freed. Make sure to free all fallback users in
semanage_genhomedircon().
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
This will allow listing the correct file_contexts.homedirs
using libsemanage regardless of selected policy store.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
The RUBYLIBS definition introduced by commit f5b9bc2a06
("libselinux,libsemanage: link Ruby wrappers with -lruby") did
not work on Debian. Fix it based on a patch by Nicolas Iooss.
Reported-by: Laurent Bigonville <bigon@debian.org>
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The `getpwent_r` function is a non-standard but reentrant version of the
POSIX-defined `getpwent` function. While it should provide the benefit
of being safe to use in multi-threaded environments, it disallows us
from compiling with libc implementations which stick to the POSIX
standard more closely.
As libsemanage may be used in a multi-threaded environment, being
reentrant may in fact be quite important to us. As such, simply
switching out `getpwent_r` against its non-reentrant function can prove
quite dangerous. But interestingly enough, the glibc implementation of
`getpwent_r` does not even guarantee being reentrant. Quoting from
getpwent_r(7):
NOTES
The function getpwent_r() is not really reentrant since it shares
the reading position in the stream with all other threads.
As such, it is non-reentrant in the same sense as its simple `getpwent`
brother and can simply be switched out without losing any guarantees
here.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
When -lbz2 is written before libsemanage.a in the linker command line,
the linker may fail to find all needed symbols. This occurs for example
when building on Ubuntu 14.04 without the gold linker (cf. Travis build
result https://travis-ci.org/fishilico/selinux/builds/245072498):
gcc libsemanage-tests.o test_semanage_store.o test_utilities.o utilities.o
-L/home/travis/build/fishilico/selinux/installdir/usr/lib -o libsemanage-tests
-lcunit -lbz2 -laudit ../src/libsemanage.a -lselinux -lsepol
../src/libsemanage.a(direct_api.o): In function `bzip':
direct_api.c:(.text+0xee6): undefined reference to `BZ2_bzWriteOpen'
direct_api.c:(.text+0xf11): undefined reference to `BZ2_bzWriteClose'
direct_api.c:(.text+0xf79): undefined reference to `BZ2_bzWrite'
direct_api.c:(.text+0xfa1): undefined reference to `BZ2_bzWriteClose'
direct_api.c:(.text+0xfe0): undefined reference to `BZ2_bzWriteClose'
../src/libsemanage.a(direct_api.o): In function `bunzip':
direct_api.c:(.text+0x114e): undefined reference to `BZ2_bzReadOpen'
direct_api.c:(.text+0x1249): undefined reference to `BZ2_bzRead'
direct_api.c:(.text+0x13b4): undefined reference to `BZ2_bzReadClose'
../src/libsemanage.a(seusers_local.o): In function `semanage_seuser_audit':
seusers_local.c:(.text+0x4c5): undefined reference to `audit_open'
seusers_local.c:(.text+0x5b6): undefined reference to `audit_log_semanage_message'
seusers_local.c:(.text+0x5cd): undefined reference to `audit_close'
As ../src/libsemanage.a is a dependency of $(EXECUTABLE) in the
Makefile, use $^ to include it in the command line. While at it, put $^
after $(LDFLAGS) as other Makefiles do.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.
Signed-off-by: Jason Zaman <jason@perfinion.com>
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.
See https://reproducible-builds.org/ for why this matters.
Fixes the following warning from gcc7 by increasing the
buffer size to PATH_MAX.
semanage_store.c: In function ‘semanage_remove_directory’:
semanage_store.c:819:30: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 254 [-Wformat-truncation=]
snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
^~
semanage_store.c:819:3: note: ‘snprintf’ output 2 or more bytes (assuming 257) into a destination of size 255
snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older compilers.
../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
tok.value = tok.value+1;
~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
case SYMBOL:
^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (tok.type != END_OF_FILE) {
^
../cil/src/cil_parser.c:279:3: note: here
case END_OF_FILE:
^~~~
../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
c++;
~^~
../cil/src/cil_post.c:105:3: note: here
default:
^~~~~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "hll";
^
modules.c:603:3: note: here
case SEMANAGE_MODULE_PATH_CIL:
^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "cil";
^
modules.c:605:3: note: here
case SEMANAGE_MODULE_PATH_LANG_EXT:
^~~~
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces
in indentation what makes python3.6 unhappy.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
In commit b61922f727 ("libsemanage: revert
"Skip policy module re-link when only setting booleans"), we reverted
an optimization for setting booleans since it produced incorrect behavior.
This incorrect behavior was due to operating on the policy with local
changes already merged. However, reverting this change leaves us with
undesirable overhead for setsebool -P. We also have long wanted
to support the same optimization for making other changes that do
not truly require module re-compilation/re-linking.
If we save the linked policy prior to merging local changes, we
can skip re-linking the policy modules in most cases, thereby
significantly improvement the performance and memory overhead of
semanage and setsebool -P commands. Save the linked policy in the
policy sandbox and use it when we are not making a change that requires
recompilation of the CIL modules. With this change, a re-link
is not performed when setting booleans or when adding, deleting, or
modifying port, node, interface, user, login (seusers) or fcontext
mappings. We save linked versions of the kernel policy, seusers,
and users_extra produced from the CIL modules before any local
changes are merged. This has an associated storage cost, primarily
storing an extra copy of the kernel policy file.
Before:
$ time setsebool -P zebra_write_config=1
real 0m8.714s
user 0m7.937s
sys 0m0.748s
After:
$ time setsebool -P zebra_write_config=1
real 0m1.070s
user 0m0.343s
sys 0m0.703s
Resolves: https://github.com/SELinuxProject/selinux/issues/50
Reported-by: Carlos Rodrigues <cefrodrigues@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
semanage_module_info_destroy() always returns 0. Nevertheless
semanage_direct_list_all() uses its return value in a surprising way:
cleanup:
if (priorities != NULL) {
/* ... */
free(priorities);
}
/* ... */
ret = semanage_module_info_destroy(sh, modinfo_tmp);
if (ret != 0) {
status = -1;
goto cleanup;
}
The last "goto cleanup;" leads clang's static analyzer to believe a
double free is possible. Even though this is a false positive, the
body of condition "if (ret != 0)" contains dead code. Remove it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
