When a branch has a '.py' suffix, git creates a file with the same suffix and this
file is found by the `find . -name '*.py'` command. Such files from './.git' need
to be filtered out.
Fixes:
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
Analyzing 189 Python scripts
./.git/logs/refs/heads/semanage-test.py:1:42: E999 SyntaxError: invalid syntax
./.git/refs/heads/semanage-test.py:1:4: E999 SyntaxError: invalid syntax
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
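The pruning the commit above describes, as an added example that is not the project's run-flake8 script: a Python walker that collects `*.py` files while never descending into `.git`, run against a constructed tree that contains the two branch ref files a branch named `semanage-test.py` would create. The file layout and names are constructed for the demo.

```python
"""Added example (not from the SELinux commit or scripts/run-flake8):
collect *.py files under a tree while pruning any '.git' directory, so
branch ref files such as .git/refs/heads/semanage-test.py are never
handed to flake8."""
import os
import tempfile


def find_python_files(root, prune_dirs=(".git",)):
    """Return sorted relative paths of *.py files under root.

    Directories named in prune_dirs are removed from os.walk's dirnames in
    place, so nothing beneath them is visited. This has the same effect as
    pruning in find(1): `find . -path ./.git -prune -o -name '*.py' -print`.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in prune_dirs]
        for name in filenames:
            if name.endswith(".py"):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_demo_tree():
    """Constructed sample tree (not a real checkout): one real script plus
    the two git ref files created for a branch named 'semanage-test.py'.
    Returns the root path of the temporary tree."""
    root = tempfile.mkdtemp(prefix="flake8-demo-")
    layout = {
        "python/semanage/semanage.py": "print('hello')\n",
        ".git/refs/heads/semanage-test.py": "0123456789abcdef\n",       # commit id, not Python
        ".git/logs/refs/heads/semanage-test.py": "0000 0123 branch: Created\n",  # reflog, not Python
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("unfiltered:", find_python_files(demo, prune_dirs=()))
    print("filtered:  ", find_python_files(demo))
```

Without pruning, the two ref files are reported as Python scripts and flake8 fails on them with E999; with the default `prune_dirs` only the real script remains.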
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.
Fixes:
$ make test
...
Ran 10 tests in 110.854s
FAILED (failures=4)
$ echo $?
0
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
It stopped too early, exposing a bug in sudo selinux_restore_tty():
SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP
v2: stop late, but do stop
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
This reverts commit 692716fc5f.
Other parts of the SELinux userspace depend on certain attributes,
such as node_type, existing, and this change breaks those parts.
Before this patch can be reapplied, we need to identify the attributes
that must never be expanded and create a CIL module with the needed
expandtypeattribute statements (or something similar).
Signed-off-by: James Carter <jwcarter@gmail.com>
* Test Python 3.8 and Pypy3 3.6-7.2.0
* Test Ruby 2.7
* Drop Ruby 2.2 and 2.3 (they are not supported with Ubuntu 18.04 in
https://rubies.travis-ci.org/)
* While at it, replace deprecated libdbus-glib-1-dev with libglib2.0-dev
now that restorecond has been upgraded.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version).
But `setuptools`, affecting setup.py, is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default; rather, a
command line argument `--install-layout deb` is added.
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Errno is not set to ENOENT when lookup_all() doesn't find any match.
fixes: https://src.fedoraproject.org/tests/selinux/issue/51
Signed-off-by: Richard Filo <rfilo@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
On systems using non-default `PREFIX`, `LIBDIR`, `SHLIBDIR`, `BINDIR`
or `SBINDIR`, running
`DESTDIR=/path/to/destdir ./scripts/env_use_destdir make test`
does not perform the intended behavior, because the testing programs and
libraries are installed into locations that are not added to
`LD_LIBRARY_PATH` nor `PATH`.
More precisely, with `LIBDIR=/usr/lib64 SHLIBDIR=/lib64`, `env_use_destdir`
does not work. Fix this by adding the installation directories relative
to `DESTDIR` in `LD_LIBRARY_PATH` and `PATH`.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
libselinux and libsemanage use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(plat_specific=1,
prefix='$(PREFIX)'))")
while python/semanage and python/sepolgen/src/sepolgen use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(prefix='$(PREFIX)'))")
This is right: libselinux and libsemanage's Python bindings use native
code (thus "plat_specific=1") while the others only install Python
files.
Nevertheless `scripts/env_use_destdir` only runs the second command
when computing `$PYTHONPATH`. When using this script to run `make test`
in a minimal Fedora 31 environment, this leads to an error such as:
make[2]: Entering directory '/code/python/sepolicy'
Traceback (most recent call last):
  File "test_sepolicy.py", line 117, in <module>
    import selinux
ModuleNotFoundError: No module named 'selinux'
Fix this by also adding `get_python_lib(plat_specific=1)` to the
computed `$PYTHONPATH`.
While at it, preserve `$PYTHONPATH` instead of resetting it. This makes
it easier to work with Python virtual environments.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
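The environment computation described in the two env_use_destdir commits above, as an added example that is not the project's `scripts/env_use_destdir`: it derives PATH, LD_LIBRARY_PATH and PYTHONPATH from DESTDIR and the install variables, includes both the platform-specific and the pure Python library directories, and prepends to an existing PYTHONPATH instead of replacing it. It uses `sysconfig` rather than `distutils.sysconfig.get_python_lib()` (distutils is gone in Python 3.12); the DESTDIR and PYTHONPATH values below are constructed.

```python
"""Added example (not scripts/env_use_destdir): build the environment for
running programs and Python modules installed under DESTDIR with
non-default PREFIX/LIBDIR/SHLIBDIR/BINDIR/SBINDIR."""
import os
import sysconfig


def python_lib_dirs(prefix):
    """Return (platlib, purelib) for the given prefix.

    platlib holds native extensions (the libselinux and libsemanage
    bindings, i.e. get_python_lib(plat_specific=1)); purelib holds pure
    Python packages (python/semanage, sepolgen). Using sysconfig here is a
    substitution for distutils.sysconfig.get_python_lib()."""
    vars_ = {"base": prefix, "platbase": prefix}
    return (sysconfig.get_path("platlib", vars=vars_),
            sysconfig.get_path("purelib", vars=vars_))


def destdir_env(destdir, prefix="/usr", libdir=None, shlibdir=None,
                bindir=None, sbindir=None, environ=None):
    """Return a copy of environ with PATH, LD_LIBRARY_PATH and PYTHONPATH
    extended by the install locations relative to destdir.

    Existing values are kept and the new directories are prepended, so a
    virtual environment's PYTHONPATH keeps working."""
    environ = dict(os.environ if environ is None else environ)
    libdir = libdir or os.path.join(prefix, "lib")
    shlibdir = shlibdir or "/lib"
    bindir = bindir or os.path.join(prefix, "bin")
    sbindir = sbindir or os.path.join(prefix, "sbin")

    def under(path):
        # /path/to/destdir + /usr/lib64 -> /path/to/destdir/usr/lib64
        return os.path.join(destdir, path.lstrip("/"))

    def prepend(var, new_dirs):
        old = environ.get(var, "")
        parts = [under(d) for d in new_dirs] + ([old] if old else [])
        environ[var] = os.pathsep.join(parts)

    prepend("PATH", [bindir, sbindir])
    prepend("LD_LIBRARY_PATH", [shlibdir, libdir])
    prepend("PYTHONPATH", python_lib_dirs(prefix))
    return environ


if __name__ == "__main__":
    # Constructed values mirroring the Fedora case from the commit message.
    env = destdir_env("/path/to/destdir", prefix="/usr",
                      libdir="/usr/lib64", shlibdir="/lib64",
                      environ={"PYTHONPATH": "/venv/lib/site-packages"})
    for var in ("PATH", "LD_LIBRARY_PATH", "PYTHONPATH"):
        print(f"{var}={env[var]}")
```

With only the purelib entry in PYTHONPATH, `import selinux` fails exactly as in the traceback above, because the native `_selinux` extension lives in platlib.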
* Add SELinux logo
* Add a link to Travis-CI
* Add a link to lore.kernel.org archive
* Document that SELinux is packaged in several distributions, providing
links to policycoreutils package (this package requires libsemanage,
libselinux, libsepol, etc. so if it is packaged, most sub-projects
have to also be)
* Make Fedora install command readable on GitHub without scrolling
horizontally and update it
* Split installed packages between the dependencies for the "main"
libraries and programs, and the bindings
- The install command line has been tested using a container from
image fedora:31
* Document Debian dependencies
- The install command line has been tested using a container from
image debian:10
* Document running `make test` with `./scripts/env_use_destdir`
* Introduce "macOS" section for instructions specific to macOS.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The user systemd service file could be installed in another location than the
system ones. In Debian for example, the system files are installed in
/lib/systemd/system and the user ones in /usr/lib/systemd/user.
Suggested-by: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Make user restorecond systemd service consistent with restorecond_user.conf file
used by `restorecond -u`
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The range of unreserved ports starts from 1024 and ends at
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.
Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Follow-up of: 9eb9c93275 ("Get rid of security_context_t and fix const declarations.")
Acked-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html
seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Utility matchpathcon uses the matchpathcon interface which has been
deprecated. However, this tool will continue to live on, so allow it to
use the deprecated interface.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Update the one internal tree caller in the same file to
call selinux_check_passwd_access_internal.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that matchpathcon_fini is marked deprecated, create a
matchpathcon_fini_internal interface for internal users. We create
a new header file for matchpathcon_internal interfaces.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that avc_init is marked deprecated, create an avc_init_internal interface
for internal users.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
In case there are errors when committing changes to booleans, the
errors may not be reported to user except by nonzero exit status. With
"setsebool -V" it's possible to see errors from commit phase, but
otherwise the unfixed command is silent:
# setsebool -V -P secure_mode_insmod=off
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
Fixed version alerts the user about problems even without -V:
# setsebool -P secure_mode_insmod=off
Failed to commit changes to booleans: Read-only file system
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
When restorecond starts, it installs a SIGTERM handler in order to exit
cleanly (by removing its PID file). When restorecond --user starts,
there is no PID file, and g_main_loop_run() does not stop when master_fd
is closed. This leads to an unkillable service, which is an issue.
Fix this by overriding the handler for SIGTERM in restorecond --user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running restorecond in user sessions using D-Bus activation,
restorecond's process is spawned in the CGroup of the D-Bus daemon:
$ systemctl --user status
[...]
CGroup: /user.slice/user-1000.slice/user@1000.service
        ├─init.scope
        │ ├─1206 /usr/lib/systemd/systemd --user
        │ └─1208 (sd-pam)
        └─dbus.service
          ├─1628 /usr/bin/dbus-daemon --session --address=systemd:
          └─4570 /usr/sbin/restorecond -u
In order to separate it, introduce a systemd unit for
restorecond-started-as-user.
After this patch:
CGroup: /user.slice/user-1000.slice/user@1000.service
        ├─restorecond-user.service
        │ └─2871 /usr/sbin/restorecond -u
        ├─init.scope
        │ ├─481 /usr/lib/systemd/systemd --user
        │ └─485 (sd-pam)
        └─dbus.service
          └─2868 /usr/bin/dbus-daemon --session --address=systemd:
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955940 states:
dbus-glib is a deprecated D-Bus library with some significant design
flaws, and is essentially unmaintained.
restorecond uses dbus-glib in order to spawn as a D-Bus service on the
session bus of users. This makes restorecond stay as long as the user
session exists.
Migrate from dbus-glib to GDbus API for the implementation of this
feature.
Moreover restorecond currently uses a D-Bus signal to trigger starting
the service. This is quite inappropriate, as stated for example in
https://dbus.freedesktop.org/doc/dbus-tutorial.html#members
Methods are operations that can be invoked on an object, with
optional input (aka arguments or "in parameters") and output (aka
return values or "out parameters"). Signals are broadcasts from the
object to any interested observers of the object; signals may
contain a data payload.
Implementing a method is more appropriate. It appears that all D-Bus
users can implement method Ping from interface org.freedesktop.DBus.Peer
(https://dbus.freedesktop.org/doc/dbus-specification.html#standard-interfaces-peer)
and that calling this method is enough to trigger the launch of the
service. This can be tested in a shell by running:
gdbus call --session --dest=org.selinux.Restorecond \
--object-path=/ --method=org.freedesktop.DBus.Peer.Ping
As this method is automatically provided, there is no need to implement
its handling in the service.
Fixed: https://github.com/SELinuxProject/selinux/issues/217
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In libselinux, most functions set errno and return -1 when an error
occurs. But some functions return 1 instead, such as context_type_set(),
context_role_set(), etc. This increases the difficulty of writing Python
bindings of these functions without much benefit.
Return -1 instead (errno was already set).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The function comment of selinux_status_open() states:
It returns 0 on success, or -1 on error.
However the implementation of this function can also return 1. This is
documented in its manpage (libselinux/man/man3/selinux_status_open.3) as
intended. Copy the reason near the function definition in order to make
the code more auditable.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python bindings for libselinux expose functions such as
avc_has_perm(), get_ordered_context_list(), etc. When these functions
encounter an error, they set errno accordingly and return a negative
value. In order to get the value of errno from Python code, it needs to
be "forwarded" in a way. This is achieved by glue code in
selinuxswig_python_exception.i, which implements raising an OSError
exception from the value of errno.
selinuxswig_python_exception.i was only generating glue code from
functions declared in selinux.h and not in other headers. Add other
headers.
selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
the fact that exception.sh is a Bash script by adding a shebang. This
makes "shellcheck" not warn about the Bash array which is used to list
header files.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
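The errno forwarding that the bindings commit above describes, and the "-1 plus errno" convention the earlier context_type_set() commit restores, as an added example that is not the SWIG glue from selinuxswig_python_exception.i: a C function following that convention is called through ctypes (a substitution for the SWIG wrapper) and a negative return is turned into an OSError built from errno. libc's open(2) stands in for a libselinux call; the missing path is constructed.

```python
"""Added example (not selinuxswig_python_exception.i): call a C function
that returns -1 and sets errno on failure, and raise OSError from errno
the way the libselinux Python bindings do."""
import ctypes
import os

# CDLL(None, use_errno=True) resolves symbols from the running process
# (libc included) and saves errno immediately after each call, so
# ctypes.get_errno() returns the value the C function set.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.open.argtypes = (ctypes.c_char_p, ctypes.c_int)
_libc.open.restype = ctypes.c_int
_libc.close.argtypes = (ctypes.c_int,)
_libc.close.restype = ctypes.c_int


def check_errno(rc):
    """Mimic the generated exception handler: a negative return means the
    callee set errno, so raise OSError(errno, message). Python maps the
    errno to a subclass (ENOENT -> FileNotFoundError, EACCES ->
    PermissionError). A function that signalled failure with 1 instead of
    -1, as context_type_set() used to, would slip through this check, and
    one that forgets to set errno would raise a misleading error."""
    if rc < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return rc


def open_readonly(path):
    """Open path read-only via libc open(2) and close it again; returns the
    (now closed) descriptor number, or raises OSError on failure."""
    fd = check_errno(_libc.open(os.fsencode(path), os.O_RDONLY))
    _libc.close(fd)
    return fd


if __name__ == "__main__":
    print("opened /dev/null as fd", open_readonly("/dev/null"))
    try:
        open_readonly("/nonexistent/constructed-path")
    except OSError as exc:
        print(f"{type(exc).__name__}: errno={exc.errno} ({exc.strerror})")
```

The same check is what the generated glue applies to every function listed in exception.sh; adding the extra headers to that list is what makes functions declared outside selinux.h get the OSError behaviour too.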
Replace
python3 -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])'
<string>:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
.cpython-38-x86_64-linux-gnu.so
with
python3 -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])'
.cpython-38-x86_64-linux-gnu.so
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>