It confuses translators and new lines are dropped by parser module anyway.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
If a string contains more than one unnamed argument it's hard for
translators to proper localize as they don't know which value is
represented by a unnamed argument. It also blocks them to use a
different order of arguments which would make better sense in other
languages.
Fixes:
$ xgettext --default-domain=python -L Python --keyword=_ --keyword=N_ ../audit2allow/audit2allow ../chcat/chcat ../semanage/semanage ../semanage/seobject.py ../sepolgen/src/sepolgen/interfaces.py ../sepolicy/sepolicy/generate.py ../sepolicy/sepolicy/gui.py ../sepolicy/sepolicy/__init__.py ../sepolicy/sepolicy/interface.py ../sepolicy/sepolicy.py
../chcat/chcat:220: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
../semanage/seobject.py:1178: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
...
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This adds more exceptions to be handled by the except clause in
`get_os_version()`:
* If the `distro` package is not installed, then `import distro` raises
a `ModuleNotFoundError` exception.
* The distro documentation[1] lists `OSError` and `UnicodeError` as
exceptions that can be raised.
* Older versions of distro (<= 1.6.0) may also raise
`subprocessCalledProcessError`[2].
[1]: https://github.com/python-distro/distro/blob/v1.8.0/src/distro/distro.py#L749-L753
[2]: https://github.com/python-distro/distro/blob/v1.6.0/distro.py#L726-L728
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Check the return value of calloc() to avoid null pointer reference.
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Instead, a new action, 'v' for printing the policy (and/or
module) version in batch mode is added.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
* fix minus self formatting in neverallow rules, avoiding `~ - self`
* show neverallow and neverallowxperm rules
* whitespace improvements in output
- avoid duplicate whitespaces before permission list, since
sepol_av_to_string() already adds a trailing one
- avoid duplicate whitespace after wildcard type
- unify indentation for xperm rules
* drop unused global variables
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add the command line argument `-N/--disable-neverallow`, similar to
secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of
neverallow rule violations.
This is mainly useful in development, e.g. to quickly add rules to a
policy without fulfilling all neverallow rules or build policies with
known violations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Resurrect the naming of the "init" initial SID, as it has been
reintroduced in the kernel. Also add the new "userspace_initial_context"
policy capability that is used to enable the new semantics for this
initial SID.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.
Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux
is disabled and with this change the user will be present once SELinux
is re-enabled.
Also, do not execute the command when the package is updated, only when
it is first installed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The following commit
330b0fc333
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
e1e216b25d
Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.
Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script
# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule: Failed!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Expand the description to make it more clear what "interfaces" mean
here. They're different from network interfaces used by SELinux
command `semanage interface`.
Add a note that the information comes from on-disk file which has been
installed and it doesn't necessarily match the policy loaded to the
kernel.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Use the libsepol internal wrapper ERR() with a NULL handler to emit
error messages. ERR() will besides adding a prefix of "libsepol" also
write to stderr. One benefit is the option to suppress the messages via
sepol_debug(), although marked deprecated, e.g. in fuzzers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the libsepol internal wrapper ERR() with a NULL handler to emit
error messages. ERR() will besides adding a prefix of "libsepol" also
write to stderr. One benefit is the option to suppress the messages via
sepol_debug(), although marked deprecated, e.g. in fuzzers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
sepol_log_err() will already append a newline unconditionally.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Match surrounding code and the message were quite generic too.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bail out on expanding levels with invalid low category.
UBSAN report:
expand.c:952:21: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
XEN policies with extended permissions are not supported, e.g. writing
them will fail (see write.c:avrule_write()).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
For old style range transition rules the class defaults to process.
However the policy might not declare the process class leading to
setting a wrong bit later on via:
if (ebitmap_set_bit(&rtr->tclasses, rt->target_class - 1, 1))
UBSAN report:
policydb.c:3684:56: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure various object context entries have a name, since they are
duplicated via strdup(3), and the order for ports and memory regions is
valid.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The functions constraint_expr_to_str() prepare a string representation
for validatetrans and mlsvalidatetrans rules. To decide what keyword to
use the type of expression is consulted. Currently the extra target
type (CEXPR_XTARGET) is considered to be an MLS statement while its not,
e.g.:
validatetrans CLASS1 t3 == ATTR1;
Actually check for MLS expression types only.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When setting permission bits from a wildcard or complement only set the
bits for permissions actually declared for the associated class. This
helps optimizing the policy later, since only rules are dropped with a
complete empty permission bitset. Example policy:
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
bool BOOL1 true;
allow TYPE1 self : CLASS1 { PERM1 };
role ROLE1;
role ROLE1 types { TYPE1 };
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
Also emit a warning if a rule will have an empty permission bitset due
to an exhausting complement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If tunables are not preserved (the mode unconditionally used by
checkpolicy) an expression must not consist of booleans and tunables,
since such expressions are not supported during expansion (see expand.c:
discard_tunables()).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The token CLONE is never used in the grammar; drop it.
As side effect `clone` and `CLONE` become available as identifier names.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When semodule -i some.pp to install a module package, duplicate items are
detected for the module. The detection function is nodups_specs in
libselinux/src/label_file.c. The algorithm complexity of implementing
this function is O(M*(N^2)). M is a symbol related to the length of a string.
N indicates the number of data->nspec. In scenarios where N is very large, the
efficiency is very low.
To solve this problem, I propose to use the hash table to detect duplicates.
The algorithm complexity of new implementing is O(M*N). The execution
efficiency will be greatly improved.
Comparison between the execution time of the nodups_specs function.
Old double-layer loop implementation O(M*(N^2)):
semodule -i myapp1.pp
nodups_specs data->nspec: 5002
nodups_specs start: 11785.242s
nodups_specs end: 11785.588s
nodups_specs consumes: 0.346s
semodule -i myapp2.pp
nodups_specs data->nspec: 10002
nodups_specs start: 11804.280s
nodups_specs end: 11806.546s
nodups_specs consumes: 2.266s
semodule -i myapp3.pp
nodups_specs data->nspec: 20002
nodups_specs start: 11819.106s
nodups_specs end: 11830.892s
nodups_specs consumes: 11.786s
New hash table implementation O(M*N):
semodule -i myapp1.pp
nodups_specs data->nspec: 5002
nodups_specs start: 11785.588s
nodups_specs end: 11785.590s
nodups_specs consumes: 0.002s
semodule -i myapp2.pp
nodups_specs data->nspec: 10002
nodups_specs start: 11806.546s
nodups_specs end: 11806.552s
nodups_specs consumes: 0.006s
semodule -i myapp3.pp
nodups_specs data->nspec: 20002
nodups_specs start: 11830.892s
nodups_specs end: 11830.905s
nodups_specs consumes: 0.013s
Signed-off-by: wanghuizhao <wanghuizhao1@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
To adapt to the scenarios of libselinux, this patch does three things:
1. Add a new function hashtab_destroy_key. This function is used to
reclaim memory using the customized key destruction method.
2. Changed the macro definition to _SELINUX_HASHTAB_H_.
3. Add a function declaration to the header file.
Signed-off-by: wanghuizhao <wanghuizhao1@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
To use hashtab in libselinux, migrate the existing hashtab template
from policycoreutils/newrole to libselinux.
Signed-off-by: wanghuizhao <wanghuizhao1@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
The option is not referenced anywhere in the code and I couldn't figure
out its purpose from the description.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Explicitly set CFLAGS for the pip install command, similar to calling
setup.py, to ignore known compiler warnings treated as errors, e.g.:
selinuxswig_python_wrap.c:3593:19: error: 'sidget' is deprecated [-Werror,-Wdeprecated-declarations]
result = (int)sidget(arg1);
^
selinuxswig_python_wrap.c:15024:1: error: no previous prototype for function 'PyInit__selinux' [-Werror,-Wmissing-prototypes]
SWIG_init(void) {
^
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
