Commit Graph

1667 Commits

Author SHA1 Message Date
Petr Lautrbach
e90ebf08eb sandbox: do not run xmodmap in a new X session
xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems be important enough in order not
to left running the server when the last client connection is closed.

This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-21 12:30:57 -04:00
Stephen Smalley
b660a87b5f libselinux: public symbol cleanup
Hide or remove symbols that should not be public.
All uses of obj_class_compat were removed by
commit 76913d8adb
("Deprecate use of flask.h and av_permissions.h")
and it never should have been public regardless,
so remove it.
myprintf is used by matchpathcon internally but should
not be public, so hide it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-21 11:09:26 -04:00
Stephen Smalley
b54758560a Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-19 14:33:10 -04:00
Petr Lautrbach
9a57996dfa sandbox: Use GObject introspection binding instead of pygtk2
sandbox command is also now using GTK 3.0

This patch comes from Fedora patch set

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-09-19 14:31:35 -04:00
Stephen Smalley
c4fdd9a4c8 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-19 10:18:54 -04:00
William Roberts
ba9bb2ebcb libselinux: correct error path to always try text
patch 5e15a52aaa cleans up the process_file() routine,
but introduced a bug. If the binary file cannot be
opened, always attempt to fall back to the textual file,
this was not occurring.

The logic should be:
1. Open the newest file between base path + suffix and
   base_path + suffix + ".bin"
2. If anything fails, attempt to load the oldest file.

The result, with a concrete example, would be:
If file_contexts is the newest file, and it cannot be
processed, the code will fall back to file_contexts.bin
and vice versa.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-19 09:48:11 -04:00
Stephen Smalley
72b43e523d Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:50:30 -04:00
Stephen Smalley
8e776b074c libselinux: regex_writef: Mark unused argument with __attribute__((unused)).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:31 -04:00
Janis Danisevskis
50f0910cf0 libselinux: add support for pcre2
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.

Signed-off-by: Janis Danisevskis <jdanis@google.com>
2016-09-15 13:49:14 -04:00
Stephen Smalley
4f29266623 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:00 -04:00
Petr Lautrbach
964bf69a65 sandbox: fix file labels on copied files
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.

With this change, homedir and tmpdir is recursively relabeled with the
expected sandbox labels after all items are in their place.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
6fcef9a09c sandbox: tests - close stdout of p1
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline

Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
  testMethod()

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
3aedecefc7 sandbox: tests - use sandbox from cwd
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Stephen Smalley
d10c8b81d4 sepolgen: fix make test
make test in sepolgen was broken because checkmodule now requires
the module name to match the file name.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-12 09:42:38 -04:00
Stephen Smalley
429041bfab Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:26:45 -04:00
Stephen Smalley
0a0e5afbb4 libselinux: fix coding style problems with the prior commit
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:25:06 -04:00
William Roberts
5e15a52aaa libselinux: clean up process file
The current process_file() code will open the file
twice on the case of a binary file, correct this.

The general flow through process_file() was a bit
difficult to read, streamline the routine to be
more readable.

Detailed statistics of before and after:

Source lines of code reported by cloc on modified files:
before: 735
after: 742

Object size difference:
before: 195530 bytes
after:  195485 bytes

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-09 14:08:55 -04:00
James Carter
c1d873e971 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-06 13:48:20 -04:00
Guido Trentalancia
e7fbb8b401 Produce more meaningful error messages when conflicting type rules are found by libsepol.
Fixes Debian bug #832331 (https://bugs.debian.org/832331).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-06 13:46:32 -04:00
Stephen Smalley
542b528703 Updated checkpolicy and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-06 11:14:09 -04:00
Nicolas Iooss
2489b50a91 libsepol: make "make test" fails when a CUnit test fails
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
3666bd9a99 libsepol: tests: fix g_b_role_2 test
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exists in the
scope of the base policy.

This fixes the following failure of "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
    FAILED
        1. test-common.c:43  - scope->decl_ids_len == len
        2. test-common.c:52  - found == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1274   1274   1272      2      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
112f86d489 checkpolicy: add types associated to a role in the current scope when parsing
This fixes most of the errors reported in "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...
    role o1_b_role_1 has 0 types, 1 expected
    role o1_b_role_1 has 0 types, 1 expected
    role o1_m1_role_1 has 0 types, 1 expected
    sym g_b_role_2 has 1 decls, 2 expected
    Role o1_b_role_2 had type o1_b_type_1 not in types array
    role o1_b_role_2 has 0 types, 1 expected
    Role g_b_role_4 had type g_m1_type_2 not in types array
    role g_b_role_4 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o4_b_role_1 has 0 types, 1 expected
    Role o4_b_role_1 had type g_m1_type_1 not in types array

    FAILED
        1. test-common.c:216  - found == len
        2. test-common.c:216  - found == len
        3. test-common.c:216  - found == len
        4. test-common.c:43  - scope->decl_ids_len == len
        5. test-common.c:52  - found == 1
        6. test-common.c:213  - new == 1
        7. test-common.c:216  - found == len
        8. test-common.c:213  - new == 1
        9. test-common.c:216  - found == len
        10. test-common.c:216  - found == len
        11. test-common.c:216  - found == len
        12. test-common.c:216  - found == len
        13. test-common.c:213  - new == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1269   1269   1256     13      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Stephen Smalley
36a21c38d1 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-23 15:57:33 -04:00
Gary Tierney
67b328a91c genhomedircon: add support for %group syntax
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:54:45 -04:00
Gary Tierney
83ab9e258f genhomedircon: generate contexts for logins mapped to the default user
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:51:06 -04:00
James Carter
0dce00d72e Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:14:41 -04:00
James Carter
f9927d9370 libsepol: Change which attributes CIL keeps in the binary policy
The removal of attributes that are only used in neverallow rules is
hindering AOSP adoption of the CIL compiler. This is because AOSP
extracts neverallow rules from its policy.conf for use in the Android
compatibility test suite. These neverallow rules are applied against
the binary policy being tested to check for a violation. Any neverallow
rules with an attribute that has been removed cannot be checked.

Now attributes are kept unless they are not used in any allow rule and
they are auto-generated or named "cil_gen_require" or do not have any
types associated with them.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:13:32 -04:00
James Carter
a0f05b307b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 14:09:50 -04:00
William Roberts
fbf77104c3 libsepol: port str_read from kernel
Rather than duplicating the following sequence:
1. Read len from file
2. alloc up space based on 1
3. read the contents into the buffer from 2
4. null terminate the buffer from 2

Use the str_read() function that is in the kernel, which
collapses steps 2 and 4. This not only reduces redundant
code, but also has the side-affect of providing a central
check on zero_or_saturated lengths from step 1 when
generating string values.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:18:02 -04:00
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similair
to role_val_to_struct usages. Calloc these up to prevent
any unitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
Stephen Smalley
a1d76acf04 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-19 10:41:03 -04:00
Jason Zaman
b5002d54d7 audit2allow: tests should use local copy not system
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
0a150ca94d audit2allow: fix audit2why import from seobject.
Commit b43991f913 broke audit2why because
boolean_desc was imported indirectly via seobject. Use it directly from
sepolicy instead.

$ cd policycoreutils/audit2allow
$ make test
test_audit2why (__main__.Audit2allowTests)
Verify audit2why works ... Traceback (most recent call last):
  File "/bin/audit2why", line 365, in <module>
    app.main()
  File "/bin/audit2why", line 353, in main
    self.__output()
  File "/bin/audit2why", line 295, in __output
    return self.__output_audit2why()
  File "/bin/audit2why", line 263, in __output_audit2why
    print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
AttributeError: 'module' object has no attribute 'boolean_desc'
FAIL

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
229214bc80 audit2allow: remove audit2why so it gets symlinked
audit2why is supposed to be a symlink to audit2allow. There are instead
2 files in the repo so the makefile has not been replacing audit2why.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Stephen Smalley
5a62da59ed Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:24:22 -04:00
Stephen Smalley
d92470623c Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:22:28 -04:00
Miroslav Vadkerti
846c87f506 semanage: fix error message for fcontext -m
The type must be a file of device type, not a port type.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-18 15:21:37 -04:00
stephensmalley
0864aa96aa Merge pull request #22 from wakeful/fix-incorrect-import-message
fixing incorrect help message
2016-08-18 14:36:25 -04:00
AJ
f8185ee7f4 fixing incorrect message in semanage.8 man page. 2016-08-18 19:29:10 +01:00
Stephen Smalley
a3811713ee Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:41:39 -04:00
Stephen Smalley
b9ebab6528 semanage: Fix semanage fcontext -D
commit 4c5b8a9568 ("semanage: add
auditing of changes in records") broke semanage fcontext -D.
Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:36:30 -04:00
Stephen Smalley
b0a9b464ae Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:44:38 -04:00
Stephen Smalley
a7334eb0de libsemanage: validate and compile file contexts before installing
libsemanage presently runs setfiles -c to validate the file_contexts
files and sefcontext_compile to compile them to file_contexts.bin
after installing the final files under /etc/selinux.  As a result,
any error that occurs during this processing may leave invalid files
in /etc/selinux.  Move this processing before installing the files
to their final location, and then copy the .bin files that were
generated.

This prevents an error like:
semanage fcontext -a -t httpd_exec_t "/foo["
from reaching the /etc/selinux directory at all, e.g.

$ sudo semanage fcontext -a -t httpd_exec_t "/foo["
[sudo] password for sds:
/var/lib/selinux/final/targeted/contexts/files/file_contexts.local:  line 4 has invalid regex /foo[:  missing terminating ] for character class
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
OSError: Error

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:36:59 -04:00
AJ
ffd07e72fd fixing incorrect help message 2016-08-17 20:59:09 +01:00
Stephen Smalley
80dc3ef239 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:17:10 -04:00
Stephen Smalley
6e2bdb770f libselinux, sefcontext_compile: handle NULL pcre study data
pcre_study() can return a NULL result if no additional information
could be determined for the pattern.  Thus, sefcontext_compile
needs to correctly handle the case where the study data is NULL
when generating file_contexts.bin, and libselinux needs to correctly
handle it when loading file_contexts.bin.  Fix them both.

This change enables:
semanage fcontext -a -t httpd_exec_t "(/.*)?"
to succeed, since the regex itself is valid but there is no
additional information produced by pcre_study().

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:05:48 -04:00
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter,
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix unitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00