Some error's were reported by valgrind (below) fix them. The test
cases on which these leaks were detected:
1. properly formed file_contexts file.
2. malformed file_contexts file, unknown type.
3. malformed file_contexts file, type that fails on validate callback.
4. malformed file_contexts file, invalid regex.
5. malformed file_contexts file, invalid mode.
==3819== Conditional jump or move depends on uninitialised value(s)
==3819== at 0x12A682: closef (label_file.c:577)
==3819== by 0x12A196: selabel_close (label.c:163)
==3819== by 0x10A2FD: cleanup (checkfc.c:218)
==3819== by 0x5089258: __run_exit_handlers (exit.c:82)
==3819== by 0x50892A4: exit (exit.c:104)
==3819== by 0x10A231: main (checkfc.c:361)
==3819== Uninitialised value was created by a heap allocation
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x4C2CF1F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x12BB31: process_file (label_file.h:273)
==3819== by 0x12A2BA: selabel_file_init (label_file.c:522)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==3819==
==3819== HEAP SUMMARY:
==3819== in use at exit: 729 bytes in 19 blocks
==3819== total heap usage: 21,126 allocs, 21,107 frees, 923,854 bytes allocated
==3819==
==3819== 81 bytes in 1 blocks are definitely lost in loss record 1 of 2
==3819== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3819== by 0x50D5839: strdup (strdup.c:42)
==3819== by 0x12A2A6: selabel_file_init (label_file.c:517)
==3819== by 0x12A0BB: selabel_open (label.c:88)
==3819== by 0x10A038: main (checkfc.c:292)
==3819==
==4238== 40 bytes in 1 blocks are definitely lost in loss record 1 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12A1D2: selabel_file_init (label_file.c:886)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 81 bytes in 1 blocks are definitely lost in loss record 2 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5839: strdup (strdup.c:42)
==4238== by 0x12A2A6: selabel_file_init (label_file.c:517)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 386 bytes in 24 blocks are definitely lost in loss record 3 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x50D5889: strndup (strndup.c:45)
==4238== by 0x12CDDF: read_spec_entries (label_support.c:37)
==4238== by 0x12B72D: process_file (label_file.h:392)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 648 bytes in 18 blocks are definitely lost in loss record 4 of 6
==4238== at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x117C9B: avtab_insert_node (avtab.c:105)
==4238== by 0x117C10: avtab_insert (avtab.c:163)
==4238== by 0x11880A: avtab_read_item (avtab.c:566)
==4238== by 0x118BD3: avtab_read (avtab.c:600)
==4238== by 0x125BDD: policydb_read (policydb.c:3854)
==4238== by 0x109F87: main (checkfc.c:273)
==4238==
==4238== 1,095 bytes in 12 blocks are definitely lost in loss record 5 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x12D8D1: pcre_compile2 (pcre_compile.c:9217)
==4238== by 0x12B239: compile_regex (label_file.h:357)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
==4238==
==4238== 1,296 bytes in 12 blocks are definitely lost in loss record 6 of 6
==4238== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4238== by 0x13EBE5: pcre_study (pcre_study.c:1565)
==4238== by 0x12B25D: compile_regex (label_file.h:366)
==4238== by 0x12B9C7: process_file (label_file.h:429)
==4238== by 0x12A2BA: selabel_file_init (label_file.c:522)
==4238== by 0x12A0BB: selabel_open (label.c:88)
==4238== by 0x10A038: main (checkfc.c:292)
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When running sepolgen-ifgen on refpolicy (git master branch), the
following messages show up:
/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
on line 3369 gen_context [type=GEN_CONTEXT]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 188379 ' [type=SQUOTE]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 188385 ' [type=SQUOTE]
The line numbers are incorrect because the lineno member of the lexer
object is not resetted after each file has been processed. After fixing
this, the messages are nicer:
/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
on line 43 gen_context [type=GEN_CONTEXT]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 1416 ' [type=SQUOTE]
/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
line 1422 ' [type=SQUOTE]
As line 43 of kernel/selinux.if contains a genfscon statement with a
gen_context component, the reported line numbers are now correct.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This replaces the openssl library with SHA1 hash functions
extracted from [1] as this is a public domain implementation.
util/selabel_digest -v option still compares the result with
the openssl command "openssl dgst -sha1 -hex .." for validation.
[1] https://github.com/WaterJuice/CryptLib
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If selabel_open is called with no request for a digest it will fail
with ENOENT. This fixes all the labeling routines to resolve this
problem. The utils/selabel_digest example has also been updated
to allow calling selabel_open with and without digest requests to
aid testing.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during
selabel_open(3) will return an SHA1 digest of the spec files, plus
a list of the specfiles used to calculate the digest. There is a
test utility supplied that will demonstrate the functionality.
The use case for selabel_digest(3) is to implement an selinux_restorecon
function based on the Android version that writes a hash of the
file_contexts files to an extended attribute to enhance performance
(see external/libselinux/src/android.c selinux_android_restorecon()).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Commit 966855d9a1 added selinux.py as a requirement for pywrap.
This file is generated during the swig step but there is no explicit
rule in the Makefile so parallel build fails. This adds another rule
so the ordering is correct.
jason@meriadoc ~/code/gentoo/selinux/libselinux $ make -j3 pywrap
.... SNIP ....
sed -e 's/@VERSION@/2.4/; s:@prefix@:/usr:; s:@libdir@:lib:; s:@includedir@:/usr/include:' < libselinux.pc.in > libselinux.pc
bash exception.sh > selinuxswig_python_exception.i
make[1]: *** No rule to make target 'selinux.py', needed by 'pywrap'. Stop.
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/home/jason/code/gentoo/selinux/libselinux/src'
Makefile:36: recipe for target 'pywrap' failed
make: *** [pywrap] Error 2
Signed-off-by: Jason Zaman <jason@perfinion.com>
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.
See also http://marc.info/?l=selinux&m=136518126930710&w=2
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This improves the robustness of programs using selinux_check_access()
in the face of policy updates that alter the values of the class or
permissions that they are checking. Otherwise, a policy update can
trigger false permission denials, as in
https://bugzilla.redhat.com/show_bug.cgi?id=1264051
Changes to the userspace class/permission definitions should still be
handled with care, as not all userspace object managers have been converted
to use selinux_check_access() and even those that do use it are still not
entirely safe against an interleaving of a policy reload and a call to
selinux_check_access(). The change does however address the issue in
the above bug and avoids the need to restart systemd.
This change restores the flush_class_cache() function that was removed in
commit 435fae64a9 ("libselinux: Remove unused flush_class_cache method")
because it had no users at the time, but makes it hidden to avoid exposing
it as part of the libselinux ABI.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When a path has no context, for example, when the file was created when
selinux was disabled, selinux.restorecon(path) will fail:
>>> selinux.restorecon('/etc/multipath.conf.new')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 88,
in restorecon
status, oldcontext = lgetfilecon(path)
OSError: [Errno 61] No data available
This failure does not seems to be useful, as we can successfully match
the context for this path using selinux.matchpathcon(), and set it
successfully using selinux.chcon(). The failure is caused by trying to
avoid the lsetfilecon() call if the current context is does not need
update.
This patch handles this specific error from lgetfilecon(), preventing
this failure.
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
set the test will pass if the ioctl permission is not granted.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Add support for detecting recursive blockinherits, and print a trace of
the detected loop. Output will look something like this upon detection:
Recursive blockinherit found:
test.cil:42: block a
test.cil:43: blockinherit b
test.cil:36: block b
test.cil:37: blockinherit c
test.cil:39: block c
test.cil:40: blockinherit a
Additionally, improve support for detecting recursive macros/calls. Due
to the way calls are copied, the existing code only detected recursion
with call depth of three or more. Smaller depths, like
(macro m ()
(call m))
were not detected and caused a segfault. The callstack that was used for
this was not sufficient, so that is removed and replaced with a method
similar to the block recursion detection. A similar trace is also
displayed for recursive macros/calls.
Also, cleanup sidorder, classorder, catorder, sensorder, and in lists at
the end of resolve, fixing a potential memory leak if errors occur
during resolve.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Ensure the mmap start address and length are not modified so the memory
used can be released when selabel_close(3) is called.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
On older versions of gcc, an error is incorrectly given about
uninitialized variables. This will initialize the culprits.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Fixes https://github.com/SELinuxProject/cil/issues/7.
This fixes a bug where cil_verify_classperms was executed on NULL
classperms lists. A check is now performed when verifying
classpermissions and classmap to ensure the classperms lists are not
empty.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.
Also, disallow roleattributes where roles are accepted in contexts.
Specify a userattribute
(userattribute foo)
Add users to the set foo
(userattributeset foo (u1 u2))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When we copy a blockinherit statement, we perform actions that assume
the blockinherit statement was already resolved. However, this isn't the
case if the statement was copied from a tunableif or an in-statement,
since those are resolve before blockinherits and blocks. So when
copying a blockinherit that hasn't been resolved, ignore the code that
associates blocks with the blockinherit; that will all be handled when
the copied blockinherit is actually resolved later.
Additionally, restrict block, blockabstract, and blockinherit statements
from appearing in macros. These statements are all resolved before
macros due to ordering issues, so they must not appear inside macros.
Note that in addition to doing the checks in build_ast, they are also
done in resolve_ast. This is because an in-statement could copy a block
statement into a macro, which we would not know about until after the
in-statement was resolved.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When copying classpermission or classpermissionset statements, we did
not properly initialize the new structs. This would cause a segfault
when one used either of these statements inside a tunableif block, e.g.
(tunableif foo
(true
(classpermissionset cps (cls (perm1 perm2))))
(false
(classpermissionset cps (cls (perm1)))))
Reported-by: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
users_extra is needed by genhomedircon and when listing seusers, so it
must be kept in the policy store. Also move the FC_TMPL unlink() closer
to where the FC_TMPL is created; not a functional change, but eaiser to
follow.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
We don't currently store homedir_template in the policy store, which
means genhomedircon only has a template file to use if the
homedir_template was generated from the file contexts in the same
transaction. But homedir_template isn't always generated, as in the
case with setsebool -P. In this and other cases, genhomedircon will not
have a template file resulting in an empty file_contexts.homedir file.
This commit changes this so that homedir_template is always stored in
the policy store so it can be used by genhomedircon regardless of how
policy was built. Also add the homedir_template file to the migration
script.
Signed-off by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Also removes *bounds statements in policy.cil, which had bounds
violations and are better tested in other test files.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
Add three new extended avrule statements with the following syntax:
(allowx source_type target_type permissionx)
(auditallowx source_type target_type permissionx)
(dontauditx source_type target_type permissionx)
source_type - type, typeattribute, or typealias
target_type - type, typeattribute, typealias, or "self" keyword
permissionx - named or anonymous permissionx statement, which has the syntax:
(permissionx name (kind object expression))
name - unique identifier of the permissionx statement
kind - must be "ioctl"; could be extended in the future
object - class or classmap
expression - standard CIL expression containing hexadecimal values,
prefixed with '0x', and the expression keywords 'or', 'xor', 'and',
'not', 'range', or 'all'. Values must be between 0x0000 and 0xFFFF.
Values may also be provided in decimal, or in octal if starting with '0'.
For example:
(allowx src_t tgt_t (ioctl cls (0x1111 0x1222 0x1333)))
(allowx src_t tgt_t (ioctl cls (range 0x1400 0x14FF)))
(allowx src_t tgt_t (ioctl cls (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
(permissionx ioctl_nodebug (ioctl cls (not (range 0x2010 0x2013))))
(allowx src_t tgt_t ioctl_nodebug)
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
When a user has invalid locales set, audit2allow and audit2why fail with
a traceback. This could be safely ignored as it will stay with 'C'
locale.
Fixes:
Traceback (most recent call last):
File "policycoreutils/audit2allow/audit2allow", line 35, in <module>
locale.setlocale(locale.LC_ALL, '')
File "/usr/lib64/python2.7/locale.py", line 579, in setlocale
return _setlocale(category, locale)
locale.Error: unsupported locale setting
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The selinux.py is generated at compile-time and will be installed as
python module "selinux/__init__.py", just make sure that it has been
generated completely while starting "make install-pywrap".
This fixes below errors that caused by an empty "selinux/__init__.py":
$ /usr/sbin/semanage -h
Traceback (most recent call last):
File "/usr/sbin/semanage", line 30, in <module>
import seobject
File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
import sepolicy
File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 226, in <module>
def get_file_equiv_modified(fc_path = selinux.selinux_file_context_path()):
AttributeError: 'module' object has no attribute 'selinux_file_context_path'
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Add -p option that will take a binary policy file to validate
context entries in the text file_contexts file.
Should validation fail the binary file will not be written.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
file_contexts can be legitimately empty, particularly when dealing with
a file_contexts.local file. The change to test for file_contexts.bin
format by magic number was treating an EOF condition as a fatal error,
thereby causing an error on empty file_contexts.local files. Only
treat it as an error if there was truly an error on the read, as
checked via ferror(). Otherwise, clear the error and EOF indicators
so that they do not persist when we rewind the file and try to read
it as text.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
