Commit Graph

230 Commits

Author SHA1 Message Date
Petr Lautrbach
bf5d3d2da9 semanage-fcontext.8: Drop extra )s after FILE_SPEC
Fixes: https://github.com/SELinuxProject/selinux/issues/340

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-03-03 12:13:47 -05:00
Christian Göttsche
b8159f32f0 python/sepolgen: accept square brackets in FILENAME token
When parsing Reference Policy style files accept square brackets in file
names.  The FILENAME token is used in the TYPE_TRANSITION grammar rule
for the optional name based argument.  This name can contain square
brackets, e.g. for anonymous inodes like "[io_uring]".

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:06:30 -05:00
Christian Göttsche
c09d63852e python: mark local functions static
sepolgen-ifgen-attr-helper.c:59:5: warning: no previous prototype for ‘render_access_mask’ [-Wmissing-prototypes]
       59 | int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
          |     ^~~~~~~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:114:5: warning: no previous prototype for ‘output_avrule’ [-Wmissing-prototypes]
      114 | int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
          |     ^~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:220:6: warning: no previous prototype for ‘usage’ [-Wmissing-prototypes]
      220 | void usage(char *progname)
          |      ^~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Petr Lautrbach
7f600c40bc
Update VERSIONs to 3.3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-21 16:31:23 +02:00
Petr Lautrbach
5319c49d8a
Update VERSIONs to 3.3-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-06 13:28:15 +02:00
Christian Göttsche
b1a3c2030c Correct some typos
Found by codespell

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-30 15:42:11 -04:00
Petr Lautrbach
0b833973bf
Update VERSIONs to 3.3-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-22 17:14:25 +02:00
Petr Lautrbach
38cb18e931 Update VERSIONs and Python bindings version to 3.3-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-08 09:49:46 +02:00
Michał Górny
ba23ba0683 python: Import specific modules from setools for less deps
Import the setools classes needed for Python bindings from specific
setools modules in order to reduce the dependency footprint
of the Python bindings.  Importing the top-level module causes all
setools modules to be loaded which includes the modules that require
networkx.

SELinux packages belong to the group of core system packages on Gentoo
Linux.  It is desirable to keep the system set as small as possible,
and the dependency between setools and networkx seems to be the easiest
link to break without major loss of functionality.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
2021-09-02 10:47:19 -04:00
Petr Lautrbach
e8b98f67f6 python/sepolicy: Fix COPY_PASTE_ERROR (CWE-398)
Fixes:
    Error: COPY_PASTE_ERROR (CWE-398): [#def3]
    selinux/python/sepolicy/sepolicy/__init__.py:1032: original: ""_key_t"" looks like the original copy.
    selinux/python/sepolicy/sepolicy/__init__.py:1035: copy_paste_error: ""_key_t"" looks like a copy-paste error.
    selinux/python/sepolicy/sepolicy/__init__.py:1035: remediation: Should it say ""_secret_t"" instead?
    # 1033|
    # 1034|       if f.endswith("_secret_t"):
    # 1035|->         return txt + "treat the files as %s secret data." % prettyprint(f, "_key_t")
    # 1036|
    # 1037|       if f.endswith("_ra_t"):

    Error: COPY_PASTE_ERROR (CWE-398): [#def4]
    selinux/python/sepolicy/sepolicy/__init__.py:1065: original: ""_tmp_t"" looks like the original copy.
    selinux/python/sepolicy/sepolicy/__init__.py:1067: copy_paste_error: ""_tmp_t"" looks like a copy-paste error.
    selinux/python/sepolicy/sepolicy/__init__.py:1067: remediation: Should it say ""_etc_t"" instead?
    # 1065|           return txt + "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
    # 1066|       if f.endswith("_etc_t"):
    # 1067|->         return txt + "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
    # 1068|       if f.endswith("_home_t"):
    # 1069|           return txt + "store %s files in the users home directory." % prettyprint(f, "_home_t")

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-07-30 09:55:33 -04:00
Petr Lautrbach
3f9ff90f9e Do not use Python slip
Python slip is not actively maintained anymore and it was used just as
a polkit proxy. It looks like polkit dbus interface is quite simple to
be used directly via python dbus module.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-07-28 15:01:47 -04:00
Petr Lautrbach
cf853c1a0c
Update VERSIONs to 3.2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-03-04 16:42:59 +01:00
Petr Lautrbach
be065c4b44
sepolicy: Do not try to load policy on import
When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.

Fixes:
    >>> import seobject
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
        _pol = setools.SELinuxPolicy(policy_file)
      File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
      File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
    PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
        import sepolicy
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
        raise e
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
        policy(policy_file)
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
        raise ValueError(_("Failed to read %s policy file") % policy_file)
    ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-27 21:38:24 +01:00
Petr Lautrbach
d4d1f4ba7e
Update VERSIONs to 3.2-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-24 15:49:59 +01:00
Vit Mojzis
8f0f0a28aa selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.

Explain how local file context modifications are processed.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-19 15:18:05 +01:00
Petr Lautrbach
2c7c4a84c3
Update VERSIONs to 3.2-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-02-03 11:26:28 +01:00
Vit Mojzis
e12f71e82f python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.

Fixes:
        $ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
        interface(`apache_manage_pid_files',`
                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
        ')
')

        #sepolgen-ifgen --interface=i.if
        i.if: Syntax error on line 2 interface [type=INTERFACE]
        i.if: Syntax error on line 4 ' [type=SQUOTE]

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-01-27 17:02:45 +01:00
Petr Lautrbach
c534d4e2ce
Update VERSIONs and Python bindings version to 3.2-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-01-20 12:40:14 +01:00
Vit Mojzis
b15dff0feb python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-01-13 23:48:24 +01:00
Vit Mojzis
92e01969d0 python/semanage: empty stdout before exiting on BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe

Fixes:
   #semanage fcontext -l | egrep -q -e '^/home'
   BrokenPipeError: [Errno 32] Broken pipe
   Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
   BrokenPipeError: [Errno 32] Broken pipe

Note that the error above only appears occasionally (usually only the
first line is printed).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-01-13 23:46:57 +01:00
Bernhard M. Wiedemann
fadcc8396c python/sepolicy: allow to override manpage date
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.

This patch was done while working on reproducible builds for openSUSE.

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
2020-11-13 10:53:59 +01:00
Christian Göttsche
2a60de8eca sepolgen: sort extended rules like normal ones
Currently:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

Changed:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Christian Göttsche
9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
W. Michael Petullo
ccd973f721
python/audit2allow: add #include <limits.h> to sepolgen-ifgen-attr-helper.c
I found that building on OpenWrt/musl failed with:

  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...

Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-07-21 08:14:43 +02:00
Petr Lautrbach
7df27b78e9 Update VERSIONs and Python bindings version to 3.1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-07-10 17:17:15 +02:00
Topi Miettinen
da3bbc31a8 semanage: handle getprotobyname() failure case
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by kernel as IP over IP.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-25 13:28:42 -04:00
Petr Lautrbach
b3d8b99f0c Update VERSIONs to 3.1-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-06-19 13:02:31 +02:00
Christian Göttsche
4613038d8e sepolgen-ifgen: refactor default policy path retrieval
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.

Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument.  If not given try the current loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).

This changes the helper command line interface from:
    sepolgen-ifgen-attr-helper policy_file out_file
to
    sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:32:07 +02:00
Christian Göttsche
c40c4e4428 refparser: add missing newline after error message
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:51 +02:00
Christian Göttsche
5adc269f95 sepolgen: parse gen_tunable as bool
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:

    Missing interface definition for gen_tunable

Add grammar for gen_tunable statements in the refparser

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:31:29 +02:00
Petr Lautrbach
f5ac1209f9 python/sepolicy: Use xml.etree.ElementTree.Element.iter()
xml.etree.ElementTree.Element.getiterator() was deprecated since Python 3.2 and
dropped in Python 3.9

Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args = parser.parse_args(args=parser_args)
  File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
    args, argv = self.parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
    positionals_end_index = consume_positionals(start_index)
  File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
    take_action(action, args)
  File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
    subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
  File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/bin/sepolicy", line 216, in __call__
    interface_dict = get_interface_dict()
  File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
    for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:29:21 +02:00
Topi Miettinen
f3a1614291 semanage-node.8: describe netmask
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-09 15:44:14 -04:00
Topi Miettinen
dd744247de semanage bash completion: handle semanage module
List modules for bash completion of `semanage module`.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-09 15:44:07 -04:00
Petr Lautrbach
c554c3d88a Update VERSIONs to 3.1-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-15 15:54:08 +02:00
Nicolas Iooss
63bf6afe5e python/sepolicy: silence new flake8 warnings
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:

    python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
    unused named argument(s): type

    python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
    unused named argument(s): user

Remove the unused arguments in order to silence these warnings.

This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
2020-05-13 11:12:55 +02:00
Petr Lautrbach
6c6f4f7687 semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.

Fixes:
    $ make test
    ...
    Ran 10 tests in 110.854s
    FAILED (failures=4)
    $ echo $?
    0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-05-13 11:11:23 +02:00
Christian Göttsche
7c73601d54 tree-wide: introduce PYTHON_SETUP_ARGS to customize setup.py calls on Debian
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version)

But `setuptools` affecting setup.py is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default, rather than a
command line argument `--install-layout deb` is added

Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md

See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1

Fixes: https://github.com/SELinuxProject/selinux/issues/187

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-06 16:12:35 +02:00
Topi Miettinen
603665855a sepolicy: fix some typos and port definitions
The range of unreserved ports starts from 1024 and ends to
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-04 10:31:44 +02:00
Topi Miettinen
db196873ae sepolicy-gui: fix columns in transitions view
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-04 10:31:39 +02:00
Petr Lautrbach
79f69a3ca1
python/semanage: Use ipaddress module instead of IPy
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html

seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-05-01 09:21:21 +02:00
Nicolas Iooss
75182f81f4 python/semanage: check rc after getting it
This issue has been found using lgtm.com:
4946f674a6/files/python/semanage/seobject.py (x5c052fffe98aee02):1

Fixes: 49706ad9f8 ("Revised Patch for local nodecon support in
semanage (was: Adding local nodecon's through semanage)")
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-22 16:40:34 -05:00
Joshua Schmidlkofer
5bbe32a7e5 python/semanage: check variable type of port before trying to split
While using Ansible's Selinux module to manage ports, I discovered
that numerical ports caused an unhandled exception in 'seobject.py'.
This appears to be a bug, and I am proposing a fix which checks the
type of the argument before operating on it.  This maintains the
original functionality in the case of a string, and acts in the same
fashion if you supply an integer.

I did not find any open bug report against the SELinux project. The
downstream bug report is here:
https://github.com/ansible/ansible/issues/60968

Signed-off-by: Joshua Schmidlkofer <joshua@joshuainnovates.us>
2019-12-10 15:21:16 -05:00
Petr Lautrbach
dca7ce8195
Update VERSIONs to 3.0 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-28 13:46:48 +01:00
Petr Lautrbach
6e187f8a2a Update VERSIONs to 3.0-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-22 13:54:17 +01:00
Petr Lautrbach
8375671d30 python/sepolicy: Revert "Only invoke RPM on RPM-enabled Linux distributions"
Commit 73b7ff410c ("Only invoke RPM on RPM-enabled Linux distributions") used
platform.linux_distribution() function to detect whether the system is rpm
based. This function is deprecated since Python 3.5 and it's removed from Python
3.8 - https://bugs.python.org/issue28167

The original problem is already fixed by another commit
671f83b42b ("policycoreutils/sepolicy: Check get_rpm_nvr_list() return
value"):

    $ sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home
    Failed to retrieve rpm info for selinux-policy
    Created the following files:
    mypolicy/testpolicy.te # Type Enforcement file
    mypolicy/testpolicy.if # Interface file
    mypolicy/testpolicy.fc # File Contexts file
    mypolicy/testpolicy_selinux.spec # Spec file
    mypolicy/testpolicy.sh # Setup Script

Fixes:
     File "/usr/lib/python3.8/site-packages/sepolicy/generate.py", line 1384, in generate
       if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
     AttributeError: module 'platform' has no attribute 'linux_distribution'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-08 09:20:35 -05:00
Petr Lautrbach
6d5f7f20bc Replace www.nsa.gov references by github.com/SELinuxProject
The original page doesn't exist anymore.

Fixes: https://github.com/SELinuxProject/selinux/issues/170

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-08 09:20:29 -05:00
Petr Lautrbach
b3ed0a7a60 Update VERSIONs to 3.0-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-10-28 13:06:11 +01:00
Vit Mojzis
95bcd6af03 python/semanage: Document DCCP and SCTP support
Add DCCP and SCTP protocols in semanage port man page and --help
message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-10-23 10:24:38 -04:00
Ondrej Mosnacek
7494bb1298 sepolicy: generate man pages in parallel
Generating man pages takes a lot of time. Do it in parallel to speed up
the process.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-10-21 08:40:53 -04:00
Stephen Smalley
510a679b47 python/sepolicy: call segenxml.py with python3
Fixes: https://github.com/SELinuxProject/selinux/issues/61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-15 10:17:09 -04:00