- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Explicitly set CFLAGS for the pip install command, similar to calling
setup.py, to ignore known compiler warnings treated as errors, e.g.:
selinuxswig_python_wrap.c:3593:19: error: 'sidget' is deprecated [-Werror,-Wdeprecated-declarations]
result = (int)sidget(arg1);
^
selinuxswig_python_wrap.c:15024:1: error: no previous prototype for function 'PyInit__selinux' [-Werror,-Wmissing-prototypes]
SWIG_init(void) {
^
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The previous commit changed the member `bool` to `boolean` of the
libsepol type `cond_expr_t` for C23 compatibility.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid using the identifier `bool` to improve support with future C
standards. C23 is about to make `bool` a predefined macro (see N2654).
Since the type `cond_expr_t` is part of the public API it will break
client applications. A quick search of the code in Debian shows only
usages in checkpolicy and setools.
Define a new macro signaling the renaming to simplify support of client
applications for new and older versions of libsepol.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Add support for using negated or complemented self in the target type of
neverallow rules.
Some Refpolicy examples:
neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *;
neverallow domain { domain -self -dockerc_t }:dir create;
# no violations
neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create };
libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write };
libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename };
libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create };
Using negated self in a complement, `~{ domain -self }`, is not
supported.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Add not self support for neverallow rules.
Example 1
allow TYPE1 TYPE1 : CLASS1 PERM1; # Rule 1
allow TYPE1 TYPE2 : CLASS1 PERM1; # Rule 2
neverallow TYPE1 ~self : CLASS1 PERM1;
Rule 1 is not a violation of the neverallow. Rule 2 is.
Example 2
allow TYPE1 TYPE1 : CLASS2 PERM2; # Rule 1
allow TYPE1 TYPE2 : CLASS2 PERM2; # Rule 2
allow TYPE1 TYPE3 : CLASS2 PERM2; # Rule 3
neverallow ATTR1 { ATTR2 -self } : CLASS2 PERM2;
Assuming TYPE1 has attribute ATTR1 and TYPE1 and TYPE2 have
attribute ATTR2, then rule 1 and 3 are not violations of the
neverallow while rule 2 is. Rule 3 is not a violation because
TYPE3 does not have attribute ATTR2.
Adopted improvements from James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
It is required to build it as of commit 4b4922e115e2
("tests/infiniband*: simplify test activation").
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
The check_ext_changes option currently assumes that as long as the
module content is unchanged, it is safe to assume that the policy.linked
file doesn't need to be rebuilt. However, there are some additional
parameters that can affect the content of this policy file, namely:
* the disable_dontaudit and preserve_tunables flags
* the target_platform and policyvers configuration values
Include these in the checksum so that the option works correctly when
only some of these input values are changed versus the current state.
Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add a note that querying a foreign process via its PID is inherently
racy.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add the public interfaces getpidprevcon(3) and getpidprevcon_raw(3), and
the utility getpidprevcon to gather the previous context before the last
exec of a given process.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The hash mask is set to 2^16 - 1, which does not fit into a signed 16
bit integer. Use uint32_t to be on the safe side. Also use size_t for
counting in debug function.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Add const qualifier to read-only state struct.
Minimize scope of function local variables, to reduce complexity.
Pass only the file type related file flags to selabel_lookup(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
The optimization flag -funit-at-a-time is enabled by default in GCC[1]
and not supported by Clang:
clang: error: optimization flag '-funit-at-a-time' is not supported [-Werror,-Wignored-optimization-argument]
[1]: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Commit 7506771e4b
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.
Before commit 7506771e:
#time sepolicy manpage -a
real 1m43.153s
# time sepolicy manpage -d httpd_t
real 0m4.493s
After commit 7506771e:
#time sepolicy manpage -a
real 1h56m43.153s
# time sepolicy manpage -d httpd_t
real 0m8.352s
After this commit:
#time sepolicy manpage -a
real 1m41.074s
# time sepolicy manpage -d httpd_t
real 0m7.358s
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Do not remove the runtime directory /run/setrans/, which is the parent
for the security context translation socket .setrans-unix, when the
service is stopped, so the path can not be taken over by a foreign
program, which could lead to a compromise of the context translation of
libselinux.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
pcre's behavior is changed so that pcre2_match always allocates heap for
match_data, rather than stack, regardless of size. The heap isn't freed
until explicitly calling pcre2_match_data_free. This new behavior may
result in heap overhead, which may increase the peak memory usage about
a few megabytes. It's because regex_match is first called for regex_data
objects, and then regex_data objects are freed at once.
To workaround it, free match_data as soon as we call regex_match. It's
fine because libselinux currently doesn't use match_data, but use only
the return value.
Signed-off-by: Inseob Kim <inseob@google.com>
Acked-by: Jason Zaman <jason@perfinion.com>
get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).
e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
like httpd_dontaudit_search_dirs
Note: get_bools uses security_get_boolean_active to get the boolean
value, but the value is later used to represent the default.
Not ideal, but I'm not aware of a way to get the actual defaults.
Fixes:
"sepolicy manpage" generates man pages that are missing booleans
which are included in non trivial conditional expressions
e.g. httpd_selinux(8) does not include httpd_can_check_spam,
httpd_tmp_exec, httpd_unified, or httpd_use_gpg
This fix, however, also adds some not strictly related booleans
to some man pages. e.g. use_nfs_home_dirs and
use_samba_home_dirs are added to httpd_selinux(8)
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Do not write class definitions for classes without any permission and
any inherited common class. The classes are already declared in
write_class_decl_rules_to_conf(). Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.
This will enable simple round-trip tests with checkpolicy.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Found by codespell(1) and typos[1].
[1]: https://github.com/crate-ci/typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1]. Such rules
should have been expanded[2].
[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In load_checks(), add return check for malloc() to avoid NULL reference.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
When installing to a destdir with pip install --prefix= --root=, pip tries to
uninstall the existing root-owned package and fails
Fixes:
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/python/sepolicy
Preparing metadata (setup.py) ... done
Building wheels for collected packages: sepolicy
Building wheel for sepolicy (setup.py) ... done
Created wheel for sepolicy: filename=sepolicy-3.4-py3-none-any.whl size=1663564 sha256=229546db123e7d84613d190d49c192291b1a4f7f2a037657b39283b04ac391a4
Stored in directory: /tmp/pip-ephem-wheel-cache-50r2x4cn/wheels/b2/9e/63/6a6212a84d65a709923228719d065ed34e66a90c7fed01e8cf
Successfully built sepolicy
Installing collected packages: sepolicy
Attempting uninstall: sepolicy
Found existing installation: sepolicy 3.4
Uninstalling sepolicy-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: 'generate.py'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
When the python bindings are installed to a destdir with pip install
--prefix= --root=, pip tries to uninstall the existing root-owned
package and fails
Fixes:
running build_ext
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/libselinux/src
Preparing metadata (setup.py) ... done
Building wheels for collected packages: selinux
Building wheel for selinux (setup.py) ... done
Created wheel for selinux: filename=selinux-3.4-cp310-cp310-linux_x86_64.whl size=725511 sha256=b35e9cdb2a6efce389eeece45446826b4ac6b41f81fdc128893f947036f27e8e
Stored in directory: /tmp/pip-ephem-wheel-cache-kemjh99e/wheels/ca/2d/1e/d1ab52426d9add92931471cfa0d2558bcbeed89084af2388c9
Successfully built selinux
Installing collected packages: selinux
Attempting uninstall: selinux
Found existing installation: selinux 3.4
Uninstalling selinux-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '__init__.cpython-310.pyc'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since commit 7494bb1298 ("sepolicy: generate man pages in parallel")
man pages are generated in parallel and there's a race between
os.path.exists() and os.makedirs().
The check os.path.exists() is not necessary when os.makedirs() is called
with exist_ok=True.
Fixes:
/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit c08cf24f39 ("python: Remove dependency on the Python module
distutils") replace usage of distutils.sysconfig by sysconfig but it was
forgotten on the fact that the later provide a different api.
Fixes:
self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'sysconfig' has no attribute 'get_python_lib'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add return check for regex_data_create() to avoid NULL reference of regex_data
(gdb) bt
#0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
#1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260
#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
at label_file.c:949
#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Vit Mojzis
Christian Göttsche
Ondrej Mosnacek
Jason Zaman
Petr Lautrbach
lujiev
Inseob Kim
kkz
Jie Lu
James Carter