Commit Graph

2475 Commits

Author SHA1 Message Date
Stephen Smalley
dc3d9c6d71
libsemanage: set selinux policy root around calls to selinux_boolean_sub
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B
tries to use /etc/selinux/targeted/booleans.subs_dist.  This is because
it invokes the libselinux selinux_boolean_sub() interface, which uses
the active/installed policy files rather than the libsemanage ones.

Switch the selinux policy root around the selinux_boolean_sub() call
to incorporate the semanage root as a prefix and to use the specified
policy store as a suffix so that the correct booleans.subs_dist file
(if any) is used.

The underlying bug is that booleans.subs_dist is not itself managed
via libsemanage. If it was managed and therefore lived within the
policy store, then libsemanage could access the appropriate
booleans.subs_dist file without using the libselinux interface at all,
and thus would not need to modify the selinux policy root.  Moving
booleans.subs_dist to a managed file is deferred to a future change.

Test:
dnf install selinux-policy-minimum selinux-policy-targeted
cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -)
strace semodule -p ~/policy-root -s minimum -n -B

Before:
openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5

After:
openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5

Fixes https://github.com/SELinuxProject/selinux/issues/109

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2019-01-12 19:01:24 +01:00
Nicolas Iooss
bb518a01e9 scripts/run-flake8: run on Python scripts not ending with .py
When running flake8 on a directory, it does not analyze files without an
extension, like semanage_migrate_store, mlscolor-test, etc. Use grep to
find files with a Python shebang and build a list which is then given to
flake8.

This commit is possible now that some clean-up patches have been
applied, such as commit 69c56bd2f6 ("python/chcat: improve the code
readability") and b7227aaec1 ("mcstrans: fix Python linter warnings on
test scripts") and 3cb974d2d2 ("semanage_migrate_store: fix many
Python linter warnings").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 13:21:09 +01:00
Nicolas Iooss
aa3ddfed93 python: run all the tests with "make test"
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
916640d786 python/sepolgen: refpolicy installs its Makefile in include/Makefile
When running "make install-headers" on refpolicy,
/usr/share/selinux/refpolicy/Makefile does not exist but
/usr/share/selinux/refpolicy/include/Makefile does. Use it when
available.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
e1f2db5887 python/audit2allow: use local sepolgen-ifgen-attr-helper for tests
Introduce option --attr-helper to sepolgen-ifgen to make it possible to
override /usr/bin/sepolgen-ifgen-attr-helper and use it in the testuite
in order to test the helper which has been compiled from the project
instead of the one installed on the system.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
4ac069a3ee python/audit2allow: make the tests useful again
audit2allow testsuite requires a system which uses SELinux with a MLS
policy. This is a lot to ask for a continuous integretation system.
Thankfully this can be worked around by using option -p to run the tools
with a specific configuration. Doing this, the testsuite can even be run
on a system without SELinux.

This approach requires building a custom policy for parsing test.log.
Add a minimal policy written in CIL for this need.

While at it:
* Do not invoke "sudo sepolgen-ifgen" but produce a file in a writable
  directory (instead of /var/lib/sepolgen/interface_info)
* Use sys.executable instead of 'python', in order to really test
  python3 and python2 when calling the test script with one of these
  interpreters.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
53c7a046ff Travis-CI: download refpolicy and install headers
This is needed in order to run sepolgen-ifgen in audit2allow testsuite.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
fbc7248ffa python/semanage: explain why sepolicy is imported in a function
Importing modules inside functions is quite uncommon in Python. This is
nevertheless required with sepolicy because it loads the current SELinux
policy when it is imported (and raises ValueError when this fails).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
b2a54258b4 python/audit2allow: allow using audit2why as non-root user
Importing sepolicy as non-root on a system with SELinux causes the
following exception to be raised:

    ValueError: No SELinux Policy installed

Ignore this when using audit2why, which allows using it with option
--policy as a non-root user.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
621c406585 python/audit2allow/sepolgen-ifgen: show errors on stderr
This allows test_audit2allow.py to display the errors correctly.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
c759912227 python/audit2allow/sepolgen-ifgen: add missing \n to error message
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
33d7a761e5 python/sepolgen: close /etc/selinux/sepolgen.conf after parsing it
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:

    .../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
    <_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
    encoding='UTF-8'>

Fix this by properly closing the file in PathChooser.__init__().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Laurent Bigonville
9ac345e8d5
libsemanage: Always set errno to 0 before calling getpwent()
The manpage explicitly states that:

  The  getpwent()  function  returns a pointer to a passwd structure, or
  NULL if there are no more entries or an error occurred.  If an error
  occurs, errno is set appropriately.  If one wants to check errno after
  the call, it should be set to zero before the call.

Without this, genhomedircon can wrongly return the following:
  libsemanage.get_home_dirs: Error while fetching users.  Returning list so far.

https://github.com/SELinuxProject/selinux/issues/121

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-01-05 15:47:03 +01:00
Petr Lautrbach
1015aef5cf
python/sepolicy: Make policy files sorting more robust
The sorting order seems to be fragile because '100' < '99', so the policy
filename needs to be parsed in order to extract the version as an integer and
sort according to it.

Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:50:16 +01:00
Petr Lautrbach
2d825c616d
python/semanage: Load a store policy and set the store SELinux policy root
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.

With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.

Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:49:46 +01:00
Petr Lautrbach
ef359c97c9
python/sepolicy: Add sepolicy.load_store_policy(store)
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:49:17 +01:00
Petr Lautrbach
e718c2ab77
python/semanage: import sepolicy only when it's needed
Related:
https://github.com/SELinuxProject/selinux/issues/81

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:48:18 +01:00
Petr Lautrbach
a73b0bba1a
python/semanage: move valid_types initialisations to class constructors
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>

Fixes:
$ sudo semanage
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 28, in <module>
    import seobject
  File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
    valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
    return ({
  File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
    for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'

https://github.com/SELinuxProject/selinux/issues/81

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-05 14:47:49 +01:00
Nicolas Iooss
691231e612 python/sepolgen: upgrade ply to release 3.11
PLY (Python Lex-Yacc) 3.11 has been released in February 2018:
- http://www.dabeaz.com/ply/index.html
- https://github.com/dabeaz/ply/releases/tag/3.11

Copy lex.py and yacc.py from this new release.

This fixes the following warning from "make test":

    python run-tests.py
    ../src/./sepolgen/lex.py:634: DeprecationWarning: Using or importing
    the ABCs from 'collections' instead of from 'collections.abc' is
    deprecated, and in 3.8 it will stop working
     if isinstance(t, collections.Callable):

(Python 3.3 moved collections.Callable to collections.abc.Callable)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-04 13:52:09 +01:00
Nicolas Iooss
0c02ae1cd8 semanage_migrate_store: switch to space indentation
The script used both tabs and space to indent the code, using a tab
length of 8 (in calls to parser.add_option(...)). Make the code more
readable by using spaces for indentation everywhere.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-04 12:19:39 +01:00
Nicolas Iooss
cc6d99db4e semanage_migrate_store: remove unused loading of libsepol.so
semanage_migrate_store loads libsepol.so using ctypes but never uses it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-04 12:19:33 +01:00
Nicolas Iooss
3cb974d2d2 semanage_migrate_store: fix many Python linter warnings
flake8 reports many warnings on script semanage_migrate_store:

    E225 missing whitespace around operator
    E302 expected 2 blank lines, found 1
    E701 multiple statements on one line (colon)
    E703 statement ends with a semicolon
    E722 do not use bare 'except'
    ...

Fix some of them in order to reduce the noise.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-04 12:19:24 +01:00
William Roberts
9fe430345a Makefile: add -Wstrict-overflow=5 to CFLAGS
Build with strict overflow checking enabled. If the compiler optimizes
code that could be removed due to undefined signed overflow, then the
compiler will issue a warning.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2018-12-31 08:06:29 -08:00
William Roberts
97edcebd1e build: set _FORTIFY_SOURCE=2 in libselinux
Use -D_FO0RTIFY_SOURCE=2 when building libselinux and it's util library.
Note that this can be overridden by setting CFLAGS during the build.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2018-12-31 08:06:29 -08:00
William Roberts
4f96b323b0 Makefile: fix _FORTIFY_SOURCE redefined build error
Certain builds of gcc enable _FORTIFY_SOURCE which results in the error:
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<command-line>:0:0: note: this is the location of the previous definition

Correct this by undefining it first and redefining it. Also, the previous
command line option was using -Wp which is passing the value *AS IS* to the
pre-processor rather than to the compiler driver. The C pre-processor has
an undocumented interface subject to change per man 1 gcc. Just use the
-D option to specify this value.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2018-12-31 08:06:29 -08:00
Petr Lautrbach
8a8a4f8e05 mcstrans: Fix check in raw_color()
raw_color() uses color_str as an output argument which is assigned to a new
allocated memory. Therefore it should fail when color_str is null; or
when *color_str is not null in order to avoid a memory leak.

Fixes:
>>> selinux.selinux_raw_context_to_color('system_u:system_r:inetd_t:s0')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 0] Error

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-12-20 15:13:12 +01:00
Nicolas Iooss
89e808af1d python/sepolgen: always indent with 4 spaces
p_attribute_role_def() used tabs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 13:29:08 +01:00
Nicolas Iooss
b7227aaec1 mcstrans: fix Python linter warnings on test scripts
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 11:37:35 +01:00
Nicolas Iooss
0ec2ed57c3 mcstrans: convert test scripts to Python 3
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 11:37:29 +01:00
Petr Lautrbach
5013d2ba97 python/sepolicy: search() also for dontaudit rules
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2

Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-12-18 13:21:06 +01:00
Nicolas Iooss
16e3953a76
python/semanage: do not show "None" levels when using a non-MLS policy
When MLS is disabled, "semanage export" shows records such as:

    login -a -s sysadm_u -r 'None' me

Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-15 10:02:46 +01:00
Nicolas Iooss
f39c0ac637 python/chcat: fix removing categories on users with Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:

    # semanage login -l
    Login Name           SELinux User         MLS/MCS Range        Service

    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    vagrant              unconfined_u         s0-s0:c0.c1023       *

Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:

    vagrant              unconfined_u         s0-s0:c0.c1023,c42   *

This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.

Fix this issue by splitting the list of categories before calling
expandCats().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:09 +01:00
Nicolas Iooss
69c56bd2f6 python/chcat: improve the code readability
flake8 reports many warnings for chcat:

    chcat:7:1: E265 block comment should start with '# '
    chcat:29:1: F401 'string' imported but unused
    chcat:44:1: E722 do not use bare 'except'
    chcat:104:9: F841 local variable 'e' is assigned to but never used
    chcat:144:9: F841 local variable 'e' is assigned to but never used
    chcat:186:9: F841 local variable 'e' is assigned to but never used
    chcat:234:9: F841 local variable 'e' is assigned to but never used
    chcat:262:9: F841 local variable 'e' is assigned to but never used
    chcat:281:5: F841 local variable 'e' is assigned to but never used
    chcat:385:9: E722 do not use bare 'except'
    chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
    chcat:436:5: F841 local variable 'e' is assigned to but never used

Fix all of them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:07 +01:00
Vit Mojzis
2923d9d21e python/chcat: use check_call instead of getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-11 12:39:05 +01:00
Vit Mojzis
9cb9b18b17
python/semanage: Start exporting "ibendport" and "ibpkey" entries
Include "ibendport" and "ibpkey" entries in "semanage export".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:09:08 +01:00
Vit Mojzis
73135989de
python/semanage: Include MCS/MLS range when exporting local customizations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:08:53 +01:00
Stephen Smalley
49c13dd6bc
libsepol: ibpkeys.c: fix printf format string specifiers for subnet_prefix
Use PRIx64 to print the subnet_prefix (which is a uint64_t) instead
of lx.

Fixes #108

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-11-23 21:38:44 +01:00
Nicolas Iooss
3b0dbede9c gui: remove html_util.py
This file is not used anywhere.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-11-22 10:03:49 +01:00
Tom Gundersen
3a40d05735 dbus: remove deprecated at_console statement
As described in [0], this likely did not have the intended effect, so
simply remove it. The change in behavior is that up until this patch
it would be possible for any non-system user to potentially gain access
to selinux' dbus interface. Now this is extended to also allow any
system user.

As the comment indicates, PolicyKit is used to enforce access, so this
should be perfectly harmless.

[0]: <https://www.spinics.net/lists/linux-bluetooth/msg75267.html>

Signed-off-by: Tom Gundersen <teg@jklm.no>
CC: David Herrmann <dh.herrmann@gmail.com>
2018-11-22 10:03:30 +01:00
Nicolas Iooss
b4b0074294
libselinux: selinux_restorecon: fix printf format string specifier for uint64_t
fc_count is defined as uint64_t, which needs to be printed with PRIu64
(it is "llu" on x86 and "lu" on x86-64). Otherwise, building with
'CC="gcc -m32"' fails with:

    selinux_restorecon.c: In function ‘restorecon_sb’:
    selinux_restorecon.c:633:26: error: format ‘%lu’ expects argument of
    type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka
    ‘long long unsigned int’} [-Werror=format=]
         fprintf(stdout, "\r%luk", fc_count / STAR_COUNT);
                            ~~^
                            %llu

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-11-10 17:32:06 +01:00
Vit Mojzis
a3be73bea4
python: replace aliases with corresponding type names
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.

Fixes e.g.:

\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */

Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 458, in transition
    mytrans = setrans(args.source, args.target)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
    self._process(self.source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
    trans = _get_trans(source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
    src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
2018-11-10 17:26:13 +01:00
James Carter
46c5207482 libsepol: mark permissive types when loading a binary policy
Nicolas Iooss reports:
When using checkpolicy to read a binary policy, permissive types are not
written in the output file. In order to reproduce this issue, a test
policy can be written from minimal.cil with the following commands:

    $ cd secilc/test/
    $ cp minimum.cil my_policy.cil
    $ echo '(typepermissive TYPE)' >> my_policy.cil
    $ secilc my_policy.cil
    $ checkpolicy -bC -o /dev/stdout policy.31

    # There is no "(typepermissive TYPE)" in checkpolicy output.

This is because TYPE_FLAGS_PERMISSIVE is added to typdatum->flags only
when loading a module, which uses the permissive flag in the type
properties. A kernel policy defines permissive types in a dedicated
bitmap, which gets loaded as p->permissive_map before the types are
loaded.

The solution is to use the permissive_map bitmap instead of relying on
the flags field of the struct type_datum when writing out CIL or
policy.conf policy from a binary.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-11-06 14:11:56 -05:00
Stephen Smalley
3f99b14939 libselinux: fix overly strict validation of file_contexts.bin
load_mmap and regex_load_mmap (in the !USE_PCRE2 case) were
incorrectly treating the absence of any fixed stems or study data
as an error, rejecting valid file_contexts.bin files.  Remove
the extraneous validation checks.

Test:
$ cat > file_contexts <<EOF
(/.*)?                u:object_r:system_file:s0
/lib                   u:object_r:system_dir:s0
EOF
$ sefcontext_compile file_contexts
$ selabel_lookup -b file -k /lib -f file_contexts.bin

Before:
ERROR: selabel_open - Could not obtain handle.

After:
Default context: u:object_r:system_dir:s0

Reported-by: Jiyong Park <jiyong@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-11-05 09:31:45 -05:00
Mr Stid
c6f44ba8da
Fix snprintf truncated error
Link: https://github.com/SELinuxProject/selinux/pull/106
Signed-off-by: StidOfficial <stidofficiel@gmail.com>
2018-10-27 09:18:15 +02:00
Yuli Khodorkovskiy
95b3552451 mcstrans: remove unused getpeercon_raw() call
There is a call to getpeercon_raw() in mcstransd, but nothing is done
with the context. The purpose of process_request() is to translate a
context and we would like that to succeed even if, for some reason,
getpeercon_raw() fails.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2018-10-26 09:53:11 -04:00
Ondrej Mosnacek
94ebccf534 libsepol: add missing ibendport port validity check
The kernel checks if the port is in the range 1-255 when loading an
ibenportcon rule. Add the same check to libsepol.

Fixes: 118c0cd103 ("libsepol: Add ibendport ocontext handling")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2018-10-25 14:06:45 -07:00
Ondrej Mosnacek
c8e5de952d libsepol: fix endianity in ibpkey range checks
We need to convert from little-endian before dong range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value on
big-endian systems.

Fixes: 9fbb311276 ("libsepol: Add ibpkey ocontext handling")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2018-10-25 14:06:45 -07:00
Vit Mojzis
48aeea9ce6
python/semanage: Stop rejecting aliases in semanage commands
Resolves:

\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined

\# seinfo -tsvirt_sandbox_file_t -x
   TypeName container_file_t
   Aliases
      svirt_sandbox_file_t
      svirt_lxc_file_t

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:55 +02:00
Vit Mojzis
4c63b8e7b6
python/sepolicy: Stop rejecting aliases in sepolicy commands
Fix CheckDomain and CheckPortType classes to properly deal with aliases.

Resolves:
   https://bugzilla.redhat.com/show_bug.cgi?id=1600009

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:48 +02:00
Vit Mojzis
448f5a9257
python/sepolicy: Fix "info" to search aliases as well
Restore previous behaviour of "sepolicy.info()".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:30 +02:00