Commit Graph

2716 Commits

Author SHA1 Message Date
xunchang
5cff2813c5
Restorecon: factor out a lookup helper for context matches
We used to hash the file_context and skip the restorecon on the top
level directory if the hash doesn't change. But the file_context might
change after an update; and some users experienced long restorecon
time as they have lots of files under directories like /data/media.
Therefore, we try to skip unnecessary restores if the file context
relates to the given directory doesn't change.

This CL is the first step that factors out a lookup helper function
and returns an array of matched pointers instead of a single one.
The old loopup_common function is then modified to take the first
element in the array.

This change has already been submitted in android selinux branch. And
porting it upstream will make these two branches more consistent and
save some work for the future merges.

Signed-off-by: Tianjie Xu <xunchang@google.com>
2019-07-27 10:39:19 +02:00
Petr Lautrbach
2efa068575 libselinux: Use Python distutils to install SELinux python bindings
Follow officially documented way how to build C extension modules using
distutils - https://docs.python.org/3.8/extending/building.html#building

Fixes:

- selinux python module fails to load when it's built using SWIG-4.0:

>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
    from . import _selinux
ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)

SWIG-4.0 changed (again?) its behavior so that it uses: from . import _selinux
which looks for _selinux module in the same directory as where __init__.py is -
$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
$(PYLIBDIR)/site-packages/ since a9604c30a5 ("libselinux: Change the location
of _selinux.so").

- audit2why python module fails to build with Python 3.8

cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DOVERRIDE_GETTID=0 -I../include -D_GNU_SOURCE -DDISABLE_RPM -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8  -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L. -shared -o python-3.8audit2why.so python-3.8audit2why.lo -lselinux -l:libsepol.a  -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
/usr/bin/ld: python-3.8audit2why.lo: in function `finish':
/builddir/build/BUILD/libselinux-2.9/src/audit2why.c:166: undefined reference to `PyArg_ParseTuple'
/usr/bin/ld: python-3.8audit2why.lo: in function `_Py_INCREF':
/usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
/usr/bin/ld: /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
/usr/bin/ld: python-3.8audit2why.lo: in function `check_booleans':
/builddir/build/BUILD/libselinux-2.9/src/audit2why.c:84: undefined reference to `PyExc_RuntimeError'
...

It's related to the following Python change
https://docs.python.org/dev/whatsnew/3.8.html#debug-build-uses-the-same-abi-as-release-build

Python distutils adds correct link options automatically.

- selinux python module doesn't provide any Python metadata

When selinux python module was built manually, it didn't provide any metadata.
distutils takes care about that so that selinux Python module is visible for
pip:

$ pip3 list | grep selinux
selinux              2.9

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-07-26 18:15:46 +02:00
Richard Haines
ee8f7a870c
libselinux: Fix security_get_boolean_names build error
When running 'make' from libselinux on Fedora 30 (gcc 9.1.1) the
following error is reported:

bute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wstrict-overflow=5
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND  -c -o booleans.o
booleans.c
booleans.c: In function ‘security_get_boolean_names’:
booleans.c:39:5: error: assuming signed overflow does not occur when
changing X +- C1 cmp C2 to X cmp C2 -+ C1 [-Werror=strict-overflow]
  39 | int security_get_boolean_names(char ***names, int *len)
      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:171: booleans.o] Error 1

This is caused by the '--i' in the: 'for (--i; i >= 0; --i)' loop.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-07-21 22:59:37 +02:00
Laurent Bigonville
120883adf0 mcstrans: Add reference to setools.conf man page in the daemon one
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-18 09:51:43 -05:00
Laurent Bigonville
13c235537b mcstrans: Move setrans.conf manpage to section 5
Move setrans.conf manpage to section 5 as it describes the documentation
for "File formats and conventions"

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-18 09:51:43 -05:00
Laurent Bigonville
5a5e739e5e Add documentation key in systemd .service files
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-18 09:51:43 -05:00
Nicolas Iooss
3abeb7c654
libsepol: include module.c internal header in module_to_cil.c
In module_to_cil.c, sepol_ppfile_to_module_package() calls functions
from module.c without including the internal header. This makes building
libsepol with "gcc -flto -fuse-ld=gold" fails when linking libsepol.so:

    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_free'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_create'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_create'
    collect2: error: ld returned 1 exit status

Fixes: https://github.com/SELinuxProject/selinux/issues/165

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-06-26 08:39:14 +02:00
James Carter
071247e8f4 checkpolicy: add flag to enable policy optimization
Add the command-line option 'O' to checkpolicy to cause kernel policies
to be optimized by calling policydb_optimize() before being written out.

This option can be used on conf files and binary kernel policies, but
not when converting a conf file to CIL.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
[omosnace: make commit desc more consistent with the other patches]
[omosnace: fix a typo in the commit message]
[omosnace: directly use policydb_optimize() as also the rest of code already uses
 other policydb_*() functions...]
[omosnace: update man page]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Ondrej Mosnacek
f7cb5901f1 secilc: add flag to enable policy optimization
Add a command-line option -O/--optimize to optimize the final policydb
using sepol_policydb_optimize() before writing it out.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Ondrej Mosnacek
3cba4306b9 libsemanage: optionally optimize policy on rebuild
When building binary policy, optionally run it through
sepol_policydb_optimize() just before writing it out.

Add an optimize-policy variable to semanage.conf(5) that controls
whether optimization will be applied during libsemanage operations.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Ondrej Mosnacek
b8213acff8 libsepol: add a function to optimize kernel policy
Add sepol_policydb_optimize(), which checks a kernel policy for
redundant rules (i.e. those that are covered by an existing more general
rule) and removes them.

Results on Fedora 29 policy:

WITHOUT OPTIMIZATION:
    # time semodule -B
    real    0m21,280s
    user    0m18,636s
    sys     0m2,525s

    $ wc -c /sys/fs/selinux/policy
    8692158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:            113159
      Dontaudit:         10297
      Total:            123156

WITH OPTIMIZATION ENABLED:
    # time semodule -B
    real    0m22,825s
    user    0m20,178s
    sys     0m2,520s

    $ wc -c /sys/fs/selinux/policy
    8096158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:             66334
      Dontaudit:          7480
      Total:             73814

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Unto Sten
84b8f30606 More accurate error messages
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:20 -07:00
Unto Sten
6062c45b1d Remove redundant if-clause
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:12 -07:00
Unto Sten
163d5b456d Remove unneeded int
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:03 -07:00
Jan Zarsky
c46b8af40a libsemanage: test semanage_msg_default_handler
Add test for semanage_msg_default_handler.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
acda541a4d libsemanage: test semanage_context_* functions
Add new test suite for other libsemanage functions. Add tests for
semanage_context_* functions.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
6f064e0b30 libsemanage: test semanage_user_* functions
Add new test suite for semanage_user_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
2b6966d7bc libsemanage: test semanage_port_* functions
Add new test suite for semanage_port_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
dfc81c13fc libsemanage: test semanage_node_* functions
Add new test suite for semanage_node_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
1791cb42fc libsemanage: test semanage_ibendport_* functions
Add new test suite for semanage_ibendport_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
c238906b5b libsemanage: test semanage_iface_* functions
Add new test suite for semanage_iface_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
5aab527f56 libsemanage: test semanage_fcontext functions
Add new test suite for semanage_fcontext_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
b1c09dc3f7 libsemanage: test semanage_bool_* functions
Add new test suite for semanage_bool_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
92bd4ae5ba libsemanage: test semanage_handle_* functions
Add new test suite for semanage_handle_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Jan Zarsky
638e2f9df0 libsemanage: add helper functions to tests
- Add functions for creating and destroying test semanage store.
- Add functions for writing SELinux policy to the test store.
- Add functions for creating semanage handle, connecting to the store and for
  beginning a transaction.
- Update Makefile to compile test policies from CIL source.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2019-06-19 09:01:48 -07:00
Mike Palmiotto
544cc7957b libsepol/cil: fix mlsconstrain segfault
Installing a cil module with invalid mlsconstrain syntax currently
results in a segfault. In the following module, the right-hand side of
the second operand of the OR is a list (mlstrustedobject):

$ cat test.cil
(class test (foo) )
(classorder (unordered test))

(mlsconstrain (test (foo))
	(or
		(dom h1 h2)
		(eq t2 (mlstrustedobject))
	)
)

$ sudo semodule -i test.cil
zsh: segmentation fault  sudo semodule -i test.cil

This syntax is invalid and should error accordingly, rather than
segfaulting. This patch provides this syntax error for the same module:

$ sudo semodule -i test.cil
t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
Bad expression tree for constraint
Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
semodule:  Failed!

Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
2019-06-19 09:01:23 -07:00
Jokke Hämäläinen
eb2a875747 libsepol: Replace constant with sizeof()
Replace constant 18 with safer use of sizeof()

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Jokke Hämäläinen
e8d880e0a2 libsepol: Check strdup() failures
Check strdup() failures

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Petr Lautrbach
dbffdf7135 Add CONTRIBUTING.md
Based on https://github.com/SELinuxProject/selinux/wiki/Contributing

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com>
2019-06-14 14:58:52 -04:00
Unto Sten
c758ac1ddf Trivial style fixes 2019-05-28 07:51:43 -04:00
Unto Sten
be9976e763 Trivial style improvements 2019-05-28 07:51:28 -04:00
Aleksei Nikiforov
26462e101f Update man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-05-28 07:50:34 -04:00
Ondrej Mosnacek
9adafb6d51 run_init: fix build when crypt() is not in unistd.h
According to [1], crypt() support in POSIX is optional, so include
also <crypt.h> when _XOPEN_CRYPT is not defined or is defined to -1.
Without this I can't build run_init from source out-of-the-box on
Fedora 29.

[1] http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-24 12:41:49 -04:00
Richard Haines
159d5063d3 libsepol/cil: Allow validatetrans rules to be resolved
When validatetrans rule is in CIL policy it errors with:
u3, r3, and t3 can only be used with mlsvalidatetrans rules

Will now resolve these examples:
(validatetrans binder (and (and (eq t1 t1_t) (eq t2 t2_t)) (eq t3 t3_t)))
(mlsvalidatetrans file (and (and (eq t1 t1_t) (eq t2 t2_t))
    (and (eq t3 t3_t) (domby h1 h2))))

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-05-21 13:49:38 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
Unto Sten
baf8a1de16 Check strdup() failure 2019-05-15 17:36:18 -07:00
Unto Sten
cd1ef4d64e another style fix 2019-05-15 17:35:43 -07:00
Unto Sten
e1a74396c7 Unify code style to preserve my sanity 2019-05-15 17:35:43 -07:00
Unto Sten
5d8f44e2c3 Global replace exit(0) with more readable exit(EXIT_SUCCESS) 2019-05-15 17:34:43 -07:00
Petr Lautrbach
f46b64fccb semanage/semanage-boolean.8: Fix a minor typo
boolan -> boolean

Reported-by: Bogdan BOTEZ <bmbogdan@gmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-04-30 17:49:00 +02:00
Gary Tierney
ac2a3fb4fe dismod: print policy version of loaded modules
Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:53 -04:00
Gary Tierney
4984a75f38 checkmodule: add support for specifying module policy version
Currently checkpolicy can produce binary policies for earlier policy versions
to provide support for building policies on one machine and loading/analyzing
them on another machine with an earlier version of the kernel or libsepol,
respectively. However, checkmodule was lacking this capability.

This commit adds an identical `-c` flag that can be passed to checkmodule that
will build a modular policy file of the specified version.

Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:44 -04:00
Joshua Brindle
25ce102907 Add security_validatetrans support
It seems validatetrans support was never added to libselinux, despite being added to
selinuxfs in kernel version 4.5

There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:

$ cat validatetrans.cil
(mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))

$ sudo semodule -i validatetrans.cil

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Invalid argument

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned -1 errno: Operation not permitted

$ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
opening /sys/fs/selinux/validatetrans
security_validatetrans returned 0 errno: Success

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-04-09 06:51:02 -07:00
Laurent Bigonville
42f73af507
restorecond: Do not link against libpcre
For some reasons, restorecond was explicitly linking against libpcre but
the code is not using any of its symbols

Closes: https://github.com/SELinuxProject/selinux/issues/137

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-03-26 22:21:31 +01:00
Nicolas Iooss
5fc701fe11
restorecond: use /run instead of /var/run
On most distributions, /var/run is a symbolic link to /run so using
/var/run or /run lead to the same result. Nevertheless systemd started
to warn about using /var/run in a service file, logging entries such as:

    /usr/lib/systemd/system/restorecond.service:8: PIDFile= references
    path below legacy directory /var/run/, updating
    /var/run/restorecond.pid → /run/restorecond.pid; please update the
    unit file accordingly.

Switch to /run in order to follow this advice.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-03-18 22:07:08 +01:00
Petr Lautrbach
5d149b23de
gui: Install .desktop files to /usr/share/applications by default
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.

make DESKTOPDIR=/usr/local/share/applications install

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-18 22:06:40 +01:00
Petr Lautrbach
c778509dd0
gui: Install polgengui.py to /usr/bin/selinux-polgengui
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-17 20:09:59 +01:00
Petr Lautrbach
891cfee44f Update VERSIONs to 2.9 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-15 11:32:30 +01:00
Petr Lautrbach
707e4b8610 libselinux: Do not define gettid() if glibc >= 2.30 is used
Since version 2.30 glibc implements gettid() system call wrapper, see
https://sourceware.org/bugzilla/show_bug.cgi?id=6399

Fixes:
cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static declaration
   28 | static pid_t gettid(void)
      |              ^~~~~~
In file included from /usr/include/unistd.h:1170,
                 from procattr.c:2:
/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
   34 | extern __pid_t gettid (void) __THROW;
      |                ^~~~~~

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-13 13:23:50 -04:00
Petr Lautrbach
486aa7d991 libselinux: Add security_reject_unknown(3) man page
Commit c19395d722 ("libselinux: selinux_set_mapping: fix handling of unknown
classes/perms") added a new interface security_reject_unknown() which needs to
be documented.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-11 11:47:36 -04:00