selinux_check_access() should not error on bad class or perms if the
security_deny_unkown() function return false. If policy tells us to
allow unknown classes and perms we should respect that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
To simplify finding why programs don't work, assert that avc_init() was
called any time avc functions are called. This means we won't get
'random' segfaults and will instead be able to hopefully quickly
determine what we did wrong as application developers.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
It's not special and doesn't need its own Makefile lines. Just make it
a normal target.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The earlier patch to avc.c put the struct member annotation at
the end of the line, which works fine for GCC, but upsets SWIG.
Equivalent code in selinux.h demonstrates how to place the
annotation without upsetting SWIG.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
XXX: -Wno-redundant-decls really shouldn't be set, if some way
can be found to deal with warnings generated by dso.h
XXX: the maximum stack size should be much lower, but there
are too many functions using PATH_MAX which need to be rewritten
to use the heap instead.
XXX: probe for whether the user's GCC supports a flag ?
Signed-off-by: Eric Paris <eparis@redhat.com>
Annotating the die method as taking printf format exposes
a bug in error reporting
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The public avc.h file must use a printf annotation in the struct
callback members, otherwise application code will get compiler
warnings that the method should have an annotation set.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take
a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add 'void' parameter to all functions which take no arguments
* selinux_config.c: s/()/(void)/
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seusers.c: In function ‘getseuser’:
seusers.c:273:3: error: jump skips variable initialization [-Werror=jump-misses-init]
seusers.c:317:2: note: label ‘err’ defined here
seusers.c:274:8: note: ‘fp’ declared here
* seusers.c: Declare FILE *fp at start of getseuser() method
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The getcon man page already includes setcon() and other non-"get"
entries. Why send people somewhere else just for freecon? Put it here.
Signed-off-by: Eric Paris <eparis@redhat.com>
Do not talk about disabling selinux in the setenforce man page. Point
people in the right direction instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add service_seusers(5) - those in the ./logins directory, seusers(5),
user_contexts(5) - those in the ./contexts/users directory,
virtual_domain_context(5) and virtual_image_context(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add failsafe_context(5), local.users(5), removable_contexts(5) and
securetty_types(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add booleans(5), customizable_types(5), default_contexts(5) and
default_type(5) man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Updated selabel_x(5) with X-Windows context configuration file format and
added x_contexts(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_media(5) with media context configuration file format and
added media(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_db(5) with RDBMS context configuration file format and added sepgsql_contexts(5) man page that links to it.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Updated selabel_file(5) with file context configuration file format and
added file_contexts(5) man page that links to it. selabel_file(5) also
describes the .local, .homedirs, .subs and .subs_dist configuration file
formats.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
For get_default_context_with_role(3) and get_default_context_with_rolelevel(3),
return errno = EINVAL if invalid role.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
get_default_type(3) now returns with errno set to EINVAL if the entry does not
exist.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If selinux_set_mapping(3) is used to map classes, and an invalid class is used
to compute a decision (tclass = 0), the result did not obey the status of the
deny_unknown flag.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Remove assert in security_get_boolean_names(3) if the len invalid and stop seg
fault if names is null. Set EINVAL instead and return error.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a check to restorecon, to not change a context if the context on disk matches
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Sometimes sticking to 80 characters sucks a lot. I don't care. Buy a
wider monitor so I can read the code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
symlink_realpath is used by both libselinux and policycoreutils.
Instead of coding it twice, export the libselinux version under a new
name that makes it sound more generic.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Potential file descriptor leak on this code path, need to close file
descriptor if out of memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If a user was in too many groups the check_group function might not pass
a large enough buffer to getgrnam_r to handle things. This could return
ERANGE which we then aborted. Instead we should make the buffer larger and
try again.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some programs, like passwd, need to do simeple one time access checks.
Rather than set up a full avc cache and use that infrastructure they
were directly using security_compute_av. A problem with this approach
is the lack of audit on denials. This patch creates a new interface
that is simple to use and which will still listen to things like
permissive and output audit messages on denials.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Return early to save an indent. Clean up all memory on ENOMEM
conditions. Use '\0' instead of 0 for nul terminiator. Style changes
to make Eric happy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile which generated the package config files did not have the
VERSION file as a dependancy. Thus if you updated a tree you have
previously build the .pc file wouldn't be rebuilt and the old version
would be reinstalled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist. We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV. The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all. If it doesn't exist, that's equivalent to
ENODEV.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
