policycoreutils carries many duplicate, empty translation files.
They are a remnant of Transifex's broken system for managing
translation codes. This commit removes them.
Signed-off-by: Piotr Drąg <piotrdrag@gmail.com>
checkpolicy currently imposes arbitrary limits on pathnames used
in genfscon and other statements. This prevents specifying certain
paths in /proc such as those containing comma (,) characters.
Generalize the PATH, QPATH, and FILENAME patterns to support most
legal pathnames.
For simplicity, we do not support pathnames containing newlines or
quotes.
Reported-by: Inamdar Sharif <isharif@nvidia.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There is a signal handler so that the select returns EINTR when the
child exits. EINTR is used to then clean up and flush the remaining
buffers. It should not error.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Add missing <stdarg.h> include
This is needed to fix the build on uClibc, due to the usage of
va_list.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
There was a change in swig-3.10 to use importlib instead of imp. While
the implementation with imp also looked for _selinux.so in the same directory
as __init__.py, the new importlib-based module searches only the standard paths.
This means that we need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
to $(PYLIBDIR)/site-packages/.
Fixes:
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in <module>
    _selinux = swig_import_helper()
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in swig_import_helper
    return importlib.import_module('_selinux')
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
ImportError: No module named _selinux
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Improve the description by mentioning that if is_selinux_mls_enabled(),
it simply means that the kernel has MLS support and the policy contains
MLS features. To check whether MLS support is enabled on the running
system, use selinux_getpolicytype().
Signed-off-by: David King <dking@redhat.com>
filepath needs to be resolved first in order to be correctly found by
selabel_lookup_raw()
Fixes:
$ matchpathcon -V passwd
passwd has context system_u:object_r:passwd_file_t:s0, should be
system_u:object_r:passwd_file_t:s0
$ echo $?
1
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Snapper needs a way to set a proper SELinux context on btrfs
subvolumes originating from the snapshot create command. The fs can't handle it on
its own, so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().
The format of the file will be similar to other contexts file:
snapperd_data = system_u:object_r:snapperd_data_t:s0
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
Class and perms should come from the policy being used for analysis,
not the system policy, so use sepol_ interfaces
Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
This patch is part of the Debian effort to make the build reproducible
Thanks to Reiner Herrmann <reiner@reiner-h.de> for the patches
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
It wasn't clear how to use the -l option with full/standard KIND and the
example in the semodule.8 man page was wrong.
Based on a patch by Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The following test incorrectly asserts a neverallowxperm failure.
attribute test1_attr1;
attribute test1_attr2;
type test1_type1, test1_attr1, test1_attr2;
allow test1_type1 test1_attr1:socket ioctl;
allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 };
To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
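A toy model of the corrected check, added here as an illustration and not taken from libsepol. It assumes simplified semantics: an allowxperm rule covering a (source, target, class) key restricts ioctl to the listed numbers, and a key with no allowxperm rule grants every ioctl. Run over the test case quoted above, it reports no failure, because only the (test1_type1, test1_type1) pair shared by the allow rule and the neverallowxperm rule is enumerated, and that pair is restricted to ioctl { 1 }.

```python
# Constructed model of neverallowxperm assertion checking with attributes.
# Not libsepol code: attributes are expanded to concrete types, and each
# neverallowxperm rule is checked only over the (source, target) pairs it
# shares with an allow rule that grants the base ioctl permission.
from itertools import product

# Constructed attribute map for the quoted test policy.
ATTRS = {"test1_attr1": {"test1_type1"}, "test1_attr2": {"test1_type1"}}
ALL_XPERMS = frozenset(range(0x10000))  # no allowxperm rule == every ioctl

def expand(name):
    """Resolve an attribute to its member types; a plain type is itself."""
    return set(ATTRS.get(name, {name}))

def granted_xperms(allowxperm, src, tgt, cls):
    """ioctl numbers granted to one concrete (src, tgt, cls) key.
    With no allowxperm rule covering the key, every ioctl is allowed."""
    found, matched = set(), False
    for s, t, c, xperms in allowxperm:
        if cls == c and src in expand(s) and tgt in expand(t):
            matched = True
            found |= xperms
    return found if matched else ALL_XPERMS

def check_neverallowxperm(allow, allowxperm, rule):
    """Return (src, tgt, ioctl) violations of one neverallowxperm rule,
    given as (src, tgt, cls, forbidden ioctl numbers)."""
    nsrc, ntgt, ncls, forbidden = rule
    violations = []
    for asrc, atgt, acls, perms in allow:
        if acls != ncls or "ioctl" not in perms:
            continue
        # Only the intersection of the two rules' sets is enumerated.
        srcs = expand(asrc) & expand(nsrc)
        tgts = expand(atgt) & expand(ntgt)
        for s, t in product(sorted(srcs), sorted(tgts)):
            hit = forbidden & granted_xperms(allowxperm, s, t, ncls)
            violations += [(s, t, x) for x in sorted(hit)]
    return violations

# The rules quoted in the commit message, as (src, tgt, class, perms).
ALLOW = [("test1_type1", "test1_attr1", "socket", {"ioctl"})]
ALLOWXPERM = [("test1_type1", "test1_attr2", "socket", {1})]
NEVERALLOWXPERM = ("test1_attr1", "test1_attr1", "socket", {0})

if __name__ == "__main__":
    # ioctl 0 is not granted on the shared pair, so the assertion holds.
    print(check_neverallowxperm(ALLOW, ALLOWXPERM, NEVERALLOWXPERM))  # []
```

Dropping the allowxperm rule makes the same check report a real failure, since the pair then falls back to every ioctl.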
Originally checkmodule stated that it wrote to the input file instead of
to the output file.
Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The man page's example suggested using -g instead of -E and used the --cil
and --hll options in the wrong positions.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Handling of cgroups was removed in de0795a12e but
the -c option was still documented in sandbox.8
- Minor formatting fix
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Compilation tools respect certain environment variables, like CC.
However, in libselinux and libsemanage, they are not respected
everywhere. This commit fixes respect for those variables, falling back
to the previous hardcoded values if not specified.
Temporarily mounting /proc within selinuxfs_exists() can cause
problems since it can be called by a libselinux constructor and
therefore may be invoked by every program linked with libselinux.
Since this was only motivated originally by a situation where
selinuxfs_exists() was called from selinux_init_load_policy()
before /proc was mounted, fix it in selinux_init_load_policy() instead.
This reverts commit 5a8d8c499b
("libselinux: only mount /proc if necessary") and
commit 9df4988846
("libselinux: Mount procfs before checking /proc/filesystems").
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>