Commit 9df4988846 ("libselinux: Mount procfs before checking
/proc/filesystems") changed selinuxfs_exists() to always try
mounting /proc before reading /proc/filesystems. However, this is
unnecessary if /proc is already mounted and can produce avc denials
if the process is not allowed to perform the mount. Check first
to see if /proc is already present and only try the mount if it is not.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
getpidcon documentation does not specify that a pid of 0 refers to the
current process, and getcon exists specifically to provide this
functionality, and getpidcon(getpid()) would provide it as well.
Disallow pid values <= 0 that may lead to unintended behavior in
userspace object managers.
Signed-off-by: Daniel Cashman <dcashman@android.com>
The selinux_restorecon(3) man page details this function.
It has been built using the work from Android where an SHA1 hash
of the specfiles is held in an extended attribute to enhance
performance. Also contains components from policycoreutils/setfiles.
The utils/selinux_restorecon.c utility demonstrates the functionality.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Inserting non-ascii characters into the following files:
* file_contexts
* property_contexts
* service_contexts
can cause a failure on labeling but still result in a successful
build.
Hard error on non-ascii characters with:
<path>: line 229 error due to: Non-ASCII characters found
Signed-off-by: William Roberts <william.c.roberts@intel.com>
a2737333 commit introduced a possibility to build libselinux without
rpm_execcon() when DISABLE_RPM is set. However, it didn't cover SWIG
bindings. With this commit the rpm_execcon() bindings are not created.
Fixes:
ImportError: /usr/lib64/python3.5/site-packages/selinux/_selinux.so: undefined symbol: rpm_execcon
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When a line number is displayed for context errors they are
x2 the correct value, so reset line count for each pass.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Some error's were reported by valgrind (below) fix them. The test
cases on which these leaks were detected:
1. properly formed file_contexts file.
2. malformed file_contexts file, unknown type.
3. malformed file_contexts file, type that fails on validate callback.
4. malformed file_contexts file, invalid regex.
5. malformed file_contexts file, invalid mode.
==3819== Conditional jump or move depends on uninitialised value(s)
==3819== at 0x12A682: closef (label_file.c:577)
==3819== by 0x12A196: selabel_close (label.c:163)
==3819== by 0x10A2FD: cleanup (checkfc.c:218)
==3819== by 0x5089258: __run_exit_handlers (exit.c:82)
==3819== by 0x50892A4: exit (exit.c:104)
==3819== by 0x10A231: main (checkfc.c:361)
==3819== Uninitialised value was created by a heap allocation
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x4C2CF1F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x12BB31: process_file (label_file.h:273)
==3819== by 0x12A2BA: selabel_file_init (label_file.c:522)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==3819==
==3819== HEAP SUMMARY:
==3819== in use at exit: 729 bytes in 19 blocks
==3819== total heap usage: 21,126 allocs, 21,107 frees, 923,854 bytes allocated
==3819==
==3819== 81 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x50D5839: strdup (strdup.c:42)
==3819== by 0x12A2A6: selabel_file_init (label_file.c:517)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==4238== 40 bytes in 1 blocks are definitely lost in loss record 1 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12A1D2: selabel_file_init (label_file.c:886)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 81 bytes in 1 blocks are definitely lost in loss record 2 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5839: strdup (strdup.c:42)
==4238== by 0x12A2A6: selabel_file_init (label_file.c:517)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 386 bytes in 24 blocks are definitely lost in loss record 3 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5889: strndup (strndup.c:45)
==4238== by 0x12CDDF: read_spec_entries (label_support.c:37)
==4238== by 0x12B72D: process_file (label_file.h:392)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 648 bytes in 18 blocks are definitely lost in loss record 4 of 6
==4238== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x117C9B: avtab_insert_node (avtab.c:105)
==4238== by 0x117C10: avtab_insert (avtab.c:163)
==4238== by 0x11880A: avtab_read_item (avtab.c:566)
==4238== by 0x118BD3: avtab_read (avtab.c:600)
==4238== by 0x125BDD: policydb_read (policydb.c:3854)
==4238== by 0x109F87: main (checkfc.c:273)
==4238==
==4238== 1,095 bytes in 12 blocks are definitely lost in loss record 5 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12D8D1: pcre_compile2 (pcre_compile.c:9217)
==4238== by 0x12B239: compile_regex (label_file.h:357)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 1,296 bytes in 12 blocks are definitely lost in loss record 6 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x13EBE5: pcre_study (pcre_study.c:1565)
==4238== by 0x12B25D: compile_regex (label_file.h:366)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This replaces the openssl library with SHA1 hash functions
extracted from [1] as this is a public domain implementation.
util/selabel_digest -v option still compares the result with
the openssl command "openssl dgst -sha1 -hex .." for validation.
[1] https://github.com/WaterJuice/CryptLib
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If selabel_open is called with no request for a digest it will fail
with ENOENT. This fixes all the labeling routines to resolve this
problem. The utils/selabel_digest example has also been updated
to allow calling selabel_open with and without digest requests to
aid testing.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during
selabel_open(3) will return an SHA1 digest of the spec files, plus
a list of the specfiles used to calculate the digest. There is a
test utility supplied that will demonstrate the functionality.
The use case for selabel_digest(3) is to implement an selinux_restorecon
function based on the Android version that writes a hash of the
file_contexts files to an extended attribute to enhance performance
(see external/libselinux/src/android.c selinux_android_restorecon()).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Commit 966855d9a1 added selinux.py as a requirement for pywrap.
This file is generated during the swig step but there is no explicit
rule in the Makefile so parallel build fails. This adds another rule
so the ordering is correct.
jason@meriadoc ~/code/gentoo/selinux/libselinux $ make -j3 pywrap
.... SNIP ....
sed -e 's/@VERSION@/2.4/; s:@prefix@:/usr:; s:@libdir@:lib:; s:@includedir@:/usr/include:' < libselinux.pc.in > libselinux.pc
bash exception.sh > selinuxswig_python_exception.i
make[1]: *** No rule to make target 'selinux.py', needed by 'pywrap'. Stop.
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/home/jason/code/gentoo/selinux/libselinux/src'
Makefile:36: recipe for target 'pywrap' failed
make: *** [pywrap] Error 2
Signed-off-by: Jason Zaman <jason@perfinion.com>
This improves the robustness of programs using selinux_check_access()
in the face of policy updates that alter the values of the class or
permissions that they are checking. Otherwise, a policy update can
trigger false permission denials, as in
https://bugzilla.redhat.com/show_bug.cgi?id=1264051
Changes to the userspace class/permission definitions should still be
handled with care, as not all userspace object managers have been converted
to use selinux_check_access() and even those that do use it are still not
entirely safe against an interleaving of a policy reload and a call to
selinux_check_access(). The change does however address the issue in
the above bug and avoids the need to restart systemd.
This change restores the flush_class_cache() function that was removed in
commit 435fae64a9 ("libselinux: Remove unused flush_class_cache method")
because it had no users at the time, but makes it hidden to avoid exposing
it as part of the libselinux ABI.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a path has no context, for example, when the file was created when
selinux was disabled, selinux.restorecon(path) will fail:
>>> selinux.restorecon('/etc/multipath.conf.new')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 88,
in restorecon
status, oldcontext = lgetfilecon(path)
OSError: [Errno 61] No data available
This failure does not seems to be useful, as we can successfully match
the context for this path using selinux.matchpathcon(), and set it
successfully using selinux.chcon(). The failure is caused by trying to
avoid the lsetfilecon() call if the current context is does not need
update.
This patch handles this specific error from lgetfilecon(), preventing
this failure.
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
Ensure the mmap start address and length are not modified so the memory
used can be released when selabel_close(3) is called.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The selinux.py is generated at compile-time and will be installed as
python module "selinux/__init__.py", just make sure that it has been
generated completely while starting "make install-pywrap".
This fixes below errors that caused by an empty "selinux/__init__.py":
$ /usr/sbin/semanage -h
Traceback (most recent call last):
File "/usr/sbin/semanage", line 30, in <module>
import seobject
File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
import sepolicy
File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 226, in <module>
def get_file_equiv_modified(fc_path = selinux.selinux_file_context_path()):
AttributeError: 'module' object has no attribute 'selinux_file_context_path'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Add -p option that will take a binary policy file to validate
context entries in the text file_contexts file.
Should validation fail the binary file will not be written.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
file_contexts can be legitimately empty, particularly when dealing with
a file_contexts.local file. The change to test for file_contexts.bin
format by magic number was treating an EOF condition as a fatal error,
thereby causing an error on empty file_contexts.local files. Only
treat it as an error if there was truly an error on the read, as
checked via ferror(). Otherwise, clear the error and EOF indicators
so that they do not persist when we rewind the file and try to read
it as text.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fail hard on any error during property_contexts (or service_contexts)
processing. We want to catch any such errors early and not proceed
with a potentially mislabeled system.
Also remove some obsoleted tests for NULL; they were necessary
in earlier versions of the code where we were copying the strings
at this point, but no longer.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fail hard on any error during file_contexts processing.
We want to catch any such errors early and not proceed
with a potentially mislabeled system. This was the original
logic but was loosened long ago to more gracefully handle
user error in Linux distributions (a single typo could lead
to not being able to label anything, even if the relevant
entry for the files in question was correct). However,
in Android, file_contexts is not modified at runtime and
we want to fully validate it at build, so we want to fail
hard in these cases, and in modern Linux, file_contexts is
modified using tools (semanage, semodule) and a library
(libsemanage) that should already be fully validating values
before adding entries, and that trigger a setfiles -c validation
(equivalent to Android checkfc) before committing the transaction.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If file_contexts.bin was opened with SELABEL_OPT_VALIDATE set, then
we should validate contexts in the same manner as with file_contexts.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley
Dan Walsh
dcashman
Steve Lawrence
Richard Haines
William Roberts
Petr Lautrbach
Ville Skyttä
Jason Zaman
Nir Soffer
Wenzong Fan