Commit Graph

2276 Commits

Author SHA1 Message Date
Nicolas Iooss ff2e36831d Travis-CI: do not test gold linkers with clang
clang does not know -fuse-ld=gold. It only needs -flto, which
automatically adds -plugin=LLVMgold.so to the linker command line, but
this does not work on Travis-CI because the gold linker plugin is not
installed:

    /usr/bin/ld: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so: error
    loading plugin: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so:
    cannot open shared object file: No such file or directory

Disable in the build matrix the combination of linking with special
linkers with using clang.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-08-07 10:44:17 -04:00
Nicolas Iooss b1ea812083 Travis-CI: use sugulite environment
Travis-CI provides several environments for Ubuntu 14.04 Trusty. It
chooses the one that best matches the needs defined in .travis.yml
depending on a complex algorithm.

In order to test several C compilers, Python versions and Ruby versions,
we need the full image, which is named "sugulite".

For future reference, there are some notes about using the full image
on https://github.com/travis-ci/packer-templates/pull/454 and
https://github.com/travis-ci/docs-travis-ci-com/issues/1267#issuecomment-316016312
and https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-08-07 10:44:17 -04:00
Stephen Smalley 1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Stephen Smalley ae1cd12076 libsepol: Define nnp_nosuid_transition policy capability
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:42:36 -04:00
Petr Lautrbach f80ea84698 sepolicy: File labels used to be sorted in a man page
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-07-27 09:49:32 -04:00
Petr Lautrbach 960b943b2f sepolicy: Make manpage and transition faster
SETools4 and Python 3 versions of map() and filter() uses iterators to
generates query results and these iterators can't be imply re-used. It
makes manpage and transitions operations really slow as they do lot of queries.

This patch changes it in the way that it caches results in lists for all
types, allow rules and transitions first and use cached results to
filter them using Python's filter() function.

Before:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real    0m53.486s
user    0m53.171s
sys     0m0.054s

After:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real    0m10.532s
user    0m10.368s
sys     0m0.114s

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-07-27 09:49:32 -04:00
Petr Lautrbach c624c4abaa sepolicy: Fix syntax errors in 'manpage -w'
Fixes:
  File "python/sepolicy/sepolicy/manpage.py", line 373, in _gen_css
    print("%s has been created") % style_css
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-07-27 09:49:32 -04:00
Petr Lautrbach dabb4c06ca sepolicy: Fix minor typo in 'transition -s' test
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-07-27 09:49:32 -04:00
Tom Cherry 00548bd9b6 libselinux: fix thread safety issues with lookup_common()
There are two problems with lookup_common() and therefore
selabel_lookup() and related functions that this patch fixes:

1) A race with the lazy compilation of regexes.  Since the struct
regex_data is allocated and assigned immediately to the parent struct
spec, it's possible for a second thread to see that this pointer is
non-NULL before the regex compilation has finished.  This typically
results in a -1 return from selabel_lookup() with ENOENT as errno.

This is fixed by adding synchronization in compile_regex().

2) A race with PCRE2 regex_match().  A struct pcre2_match_data is
created once and used for all regex matches for a given regex.  This
is problematic if two threads are attempting to evaluate the same
regex simultaneously.  This typically results in a successful return
from selabel_lookup() but with an erroneous selabel.

This is fixed by adding a pthread_mutex within regex_match() for
PCRE2.  Note, on my system, creating new matchdata takes roughly an
order of magnitude more time than locking a non-contended
pthread_mutex.  I don't believe programs will have enough contention
on this lock to justify that cost.

Bug: 63861738
Test: ueventd unit tests
Change-Id: I13bf782d81d0a0b896d444e396f307ad0dbacb6a
2017-07-26 16:23:04 -04:00
Dan Cashman 7803c8ca99 libsepol: cil: enable cpp compilation of cil.h.
Signed-off-by: Daniel Cashman <dcashman@google.com>
2017-07-26 13:24:22 -04:00
Stephen Smalley 9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley ebd695d5f0 open_init_pty: restore stdin/stdout to blocking upon exit
At exit, restore stdin and stdout to blocking.

Test: run_init id && run_init id
Test: open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1;'

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 08:59:50 -04:00
Stephen Smalley bea2c19dd2 Revert "open_init_pty: Do not make stdin and stdout non-blocking"
Making stdin/stdout non-blocking causes open_init_pty to hang if
they are closed, ala
./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; '
and per
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10

This reverts commit fb081eb64b.

Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 08:51:49 -04:00
Stephen Smalley fb081eb64b open_init_pty: Do not make stdin and stdout non-blocking
It is unclear why this was being done in the first place, and
it has caused multiple bugs with run_init/open_init_pty usage.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 13:03:01 -04:00
Stephen Smalley 83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Laurent Bigonville 57ac60769c Fix consistency of PYTHONLIBDIR variable across modules
PYTHONLIBDIR is currently also used in sepolgen but has a different
behaviour regarding DESTDIR. Let's try to make this consistant.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2017-06-30 12:54:43 -04:00
Nicolas Iooss 1edb93c0ba Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line
Some Makefiles rely on adding values to variables like CFLAGS,
LDFLAGS, etc. For example doing "LDFLAGS += -L../src" does not work fine
when LDFLAGS is defined on the command line of "make".

Commits 297877ab88 ("libselinux utils: override LD{FLAGS, LIBS} for
libselinux.so in Makefile") and 15f2740733 ("Makefiles: override
*FLAGS and *LIBS") recently fixed such issues, by introducing keyword
"override" in the relevant Makefile statements.

In order to prevent the fixed issues from appearing again, add a test
case in Travis-CI configuration file. This case adds on make's command
line minimal definitions for CFLAGS and LDFLAGS and empty definitions
for CPPFLAGS and LDLIBS.

An example of build failure due to a missing override in a required
CPPFLAGS addition is provided on
https://travis-ci.org/fishilico/selinux/builds/245107609

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-30 08:56:43 -04:00
Nicolas Iooss 6b9035ddc6 libsepol/tests: override CPPFLAGS too
A build toolchain may override CPPFLAGS on the command line of "make".
Doing so currently breaks libsepol/tests compilation, as it requires
"-I../include/ -I$(CHECKPOLICY)" to be provided in gcc's arguments.

This completes commit 15f2740733 ("Makefiles: override *FLAGS and
*LIBS").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-30 08:56:43 -04:00
Nicolas Iooss 9a0279e9e9 Travis-CI: update the list of Ruby's and Python's versions
Travis-CI no longer provides Ruby 2.0 in its Trusty environment (it has
been updated according to
https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch).
Remove this version from .travis.yml.

Moreover Python 3.6 and Ruby 3.4 are available. Test building with them.

Last by not least, pypy virtual environment directory has been renamed
pypy2 (/home/travis/virtualenv/pypy2 is a symbolic link to pypy2-5.6.0).

The updated .travis.yml file has been tested on
https://travis-ci.org/fishilico/selinux/builds/248126824

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-30 08:56:43 -04:00
Stephen Smalley 2d1a6c63c6 libselinux,libsemanage: fix RUBYLIBS definition
The RUBYLIBS definition introduced by commit f5b9bc2a06
("libselinux,libsemanage: link Ruby wrappers with -lruby") did
not work on Debian.  Fix it based on a patch by Nicolas Iooss.

Reported-by: Laurent Bigonville <bigon@debian.org>
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-28 09:35:57 -04:00
Stephen Smalley 6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Petr Lautrbach 43c0d1f889 mcstrans: Allow overriding libsepol.a location during build
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-06-23 08:15:40 -04:00
Patrick Steinhardt 2c651e0a28 genhomedircon: avoid use of non-standard `getpwent_r`
The `getpwent_r` function is a non-standard but reentrant version of the
POSIX-defined `getpwent` function. While it should provide the benefit
of being safe to use in multi-threaded environments, it disallows us
from compiling with libc implementations which stick to the POSIX
standard more closely.

As libsemanage may be used in a multi-threaded environment, being
reentrant may in fact be quite important to us. As such, simply
switching out `getpwent_r` against its non-reentrant function can prove
quite dangerous. But interestingly enough, the glibc implementation of
`getpwent_r` does not even guarantee being reentrant. Quoting from
getpwent_r(7):

    NOTES

    The function getpwent_r() is not really reentrant since it shares
    the reading position in the stream with all other threads.

As such, it is non-reentrant in the same sense as its simple `getpwent`
brother and can simply be switched out without losing any guarantees
here.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-22 16:44:07 -04:00
Patrick Steinhardt ca07a2ad46 libselinux: avoid redefining _FORTIFY_SOURCE
Two makefiles of ours pass `-D_FORTIFY_SOURCE=2` directly to the
preprocessor. While this does not pose any problems when the value has
not been previously set, it can break the build if it is part of the
standard build flags.

The issue can easily be fixed by instead defining `_FORTIFY_SOURCE`
without specifying a concrete value. In this case, gcc will not error
out and simply keep using the previously defined value. On the other
hand, if no value has been defined, we will now compile with
`_FORTIFY_SOURCE=1`. From feature_test_macros(7):

    If _FORTIFY_SOURCE is set to 1, with compiler optimization level 1
    (gcc -O1) and above, checks that shouldn't change the behavior of
    conforming programs are performed.  With _FORTIFY_SOURCE set to 2,
    some more checking is added, but some conforming programs might
    fail.

While this leaves us with less checks for buffer overflows, it will only
enable checks that should not change behaviour of conforming programs.
With _FORTIFY_SOURCE=2, the compiler may even unintentionally change
behaviour of conforming programs. So in fact, one could even argue that
we should only be setting the value to 1 anyway to avoid surprising side
effects.

So this patch changes our CFLAGS to only pass `-D_FORTIFY_SOURCE`
without any concrete value, fixing the build issue.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-22 16:44:07 -04:00
Nicolas Iooss f027db4f2f python/sepolicy: remove definition of SYSCONFDIR
This variable is not used in any Makefile in python/.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-21 10:31:36 -04:00
Nicolas Iooss 47acedf06f gui: do not create /etc
selinux-gui does not install anything in /etc. Do not create this
directory when building a package with "make install".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-21 10:31:36 -04:00
Nicolas Iooss cdd3b1d728 libsemanage/tests: fix linking
When -lbz2 is written before libsemanage.a in the linker command line,
the linker may fail to find all needed symbols. This occurs for example
when building on Ubuntu 14.04 without the gold linker (cf. Travis build
result https://travis-ci.org/fishilico/selinux/builds/245072498):

    gcc libsemanage-tests.o test_semanage_store.o test_utilities.o utilities.o
    -L/home/travis/build/fishilico/selinux/installdir/usr/lib -o libsemanage-tests
    -lcunit -lbz2 -laudit ../src/libsemanage.a -lselinux -lsepol
    ../src/libsemanage.a(direct_api.o): In function `bzip':
    direct_api.c:(.text+0xee6): undefined reference to `BZ2_bzWriteOpen'
    direct_api.c:(.text+0xf11): undefined reference to `BZ2_bzWriteClose'
    direct_api.c:(.text+0xf79): undefined reference to `BZ2_bzWrite'
    direct_api.c:(.text+0xfa1): undefined reference to `BZ2_bzWriteClose'
    direct_api.c:(.text+0xfe0): undefined reference to `BZ2_bzWriteClose'
    ../src/libsemanage.a(direct_api.o): In function `bunzip':
    direct_api.c:(.text+0x114e): undefined reference to `BZ2_bzReadOpen'
    direct_api.c:(.text+0x1249): undefined reference to `BZ2_bzRead'
    direct_api.c:(.text+0x13b4): undefined reference to `BZ2_bzReadClose'
    ../src/libsemanage.a(seusers_local.o): In function `semanage_seuser_audit':
    seusers_local.c:(.text+0x4c5): undefined reference to `audit_open'
    seusers_local.c:(.text+0x5b6): undefined reference to `audit_log_semanage_message'
    seusers_local.c:(.text+0x5cd): undefined reference to `audit_close'

As ../src/libsemanage.a is a dependency of $(EXECUTABLE) in the
Makefile, use $^ to include it in the command line. While at it, put $^
after $(LDFLAGS) as other Makefiles do.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-21 10:31:36 -04:00
Stephen Smalley 7b5699bfd7 Fix BINDIR/SBINDIR/... variables in Makefiles
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.

Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin

After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin

This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-20 12:18:26 -04:00
Jason Zaman 15f2740733 Makefiles: override *FLAGS and *LIBS
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-20 12:15:04 -04:00
Patrick Steinhardt 34dc7bcc31 libsepol: replace non-standard use of __BEGIN_DECLS
While most header files already use the common pattern of `extern "C"`
declarations to enable compiling in a C++ project, some header files in
libsepol instead use the macros `__BEGIN_DECLS` and `__END_DECLS`. These
macros are defined in the "sys/cdefs.h" header file, which provides
some non-standard extensions for glibc.

Convert usage of these declarations with the standard `extern "C"`
pattern. This improves compatibility with other libc implementations,
e.g. musl libc.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-20 11:03:12 -04:00
Jason Zaman 297877ab88 libselinux utils: override LD{FLAGS, LIBS} for libselinux.so in Makefile
the utils dir link to libselinux.so which was just built, if LDFLAGS or
LDLIBS were specificed on the make commandline then the search path is
not appended. Add the override directive to fix this.

Gentoo-Bug: https://bugs.gentoo.org/621762

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-19 11:23:06 -04:00
Stephen Smalley 08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
Vit Mojzis 2608b4d666 policycoreutils/fixfiles: do not dereference link files in tmp
Files in /tmp, /var/tmp, /var/run and /var/lib/debug labeled as
unlabeled_t or undefined_t are relabeled to match corresponding
directory label. Stop dereferencing link files in these folders
in order not to accidentally change label of other files in the
system.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1458831

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-06-16 12:37:03 -04:00
James Carter 5a553e8287 libsepol/cil: Fix bugs when writing policy.conf rules
The typebounds rules should end with a ";".

The netifcon and nodecon rules should not end with a ";".

The default rules are missing a "_". They should be "default_user",
"default_role" and "default_type".

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-15 13:21:53 -04:00
James Carter f2b5aae4aa libsepol: Fix neverallow bug when checking conditional policy
Commit 9e6840e refactored neverallow checking. In the process a bug
was introduced that causes enabled conditional rules to be skipped.
The bug is that the avtab key is checked by comparing the specified
field of the key to the value AVTAB_ALLOWED. Since enabled conditional
rules have an additional bit set as well, these rules are not
considered to match.

The fix is to use a bitwise AND (&) to only check the desired bit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-14 11:05:11 -04:00
Richard Haines 9ddfb4d544 secilc: Update test policy and documentation for Infiniband
CIL updates to support the InfiniBand development.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-06-12 11:13:31 -04:00
Richard Haines c8e135ba22 libsepol/cil: ibendportcon fails to resolve in CIL policy
Fix named ibendportcon context not resolving correctly.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-06-12 11:13:25 -04:00
Nicolas Iooss f6f4876dfc libsepol: destroy the expanded level when mls_semantic_level_expand() fails
In mls_semantic_range_expand(), when a call to
mls_semantic_level_expand() fails, the function destroys the semantic
level instead of the expanded one. This leads to a use-after-free which
is reported by gcc's Address Sanitizer:

libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0.
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
Failed to read policy package
=================================================================
==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60
READ of size 8 at 0x60200000ee58 thread T0
    #0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755
    #1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802
    #2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535
    #3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595
    #6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503
    #7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82
    #8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143
    #9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293
    #10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589)

0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60)
freed by thread T0 here:
    #0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757
    #2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948
    #3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286
    #6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342
    #7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

previously allocated by thread T0 here:
    #0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976
    #2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010
    #3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258
    #4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286
    #5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9db0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
=>0x0c047fff9dc0: fa fa 00 00 fa fa 00 00 fa fa fd[fd]fa fa fd fd
  0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9de0: fa fa 04 fa fa fa 00 01 fa fa fd fd fa fa fd fd
  0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24456==ABORTING

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-12 09:32:37 -04:00
Stephen Smalley 2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
Stephen Smalley d1769a9b83 libselinux: always unmount selinuxfs for SELINUX=disabled
As reported in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864479
using a kernel configuration with CONFIG_SECURITY_SELINUX_DISABLE=n
and a /etc/selinux/config with SELINUX=disabled leads to a boot
failure.

Fix this by always unmounting selinuxfs if /etc/selinux/config has
SELINUX=disabled even if unable to successfully disable SELinux.
This will ensure that subsequent is_selinux_enabled() tests will
return 0 (disabled) and userspace will therefore skip any SELinux
processing.

Reported-by: Christian Göttsche <cgzones@googlemail.com>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:31:48 -04:00
James Carter f9ae34a404 libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set
Commit 1089665e31 (Add attribute
expansion options) adds an expandattribute rule to the policy.conf
language which sets a type_datum flag. Currently the flag is used
only when writing out CIL policy from a policy.conf.

Make use of the flag when expanding policy to expand policy rules
and remove all type associations for an attribute that has
TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the
policy, but have no types associated with it.)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-05 13:41:21 -04:00
James Carter 738db6077b libsepol/cil: Fix bug in cil_reset_ibpkeycon()
Nicolas Iooss <nicolas.iooss@m4x.org> discovered with clang's static
analyzer that cil_reset_ibpkeycon() was checking that ibpkeycon->context
was NULL and then passing the NULL value to cil_reset_context() which
expected a non-NULL argument.

Instead, cil_reset_ibpkeycon() should check if ibpkeycon->context_str
is NULL. If it is non-NULL then the context field points to a named
context that was created elsewhere and it will be reset there, but if
the context_str field is NULL, then the context is not named and needs
to be reset.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-05 11:30:14 -04:00
Petr Lautrbach 641d4ff55b sepolicy: Fix sorting of port_strings in python 3
Fixes:
$ sepolicy network -d httpd_t

httpd_t: tcp name_connect
Traceback (most recent call last):
  File /usr/bin/sepolicy, line 699, in <module>
    args.func(args)
  File /usr/bin/sepolicy, line 319, in network
    _print_net(d, tcp, name_connect)
  File /usr/bin/sepolicy, line 276, in _print_net
    port_strings.sort(numcmp)
TypeError: must use keyword argument for key function

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-06-02 16:14:45 -04:00
Petr Lautrbach acc43466f5 sepolicy/interface: Use relative python 3 imports
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 508, in interface
    print_interfaces(args.interfaces, args)
  File "/usr/bin/sepolicy", line 492, in print_interfaces
    interface_compile_test(i)
  File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 226, in interface_compile_test
    fd.write(generate_compile_te(interface, idict))
  File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 184, in generate_compile_te
    from templates import test_module
ModuleNotFoundError: No module named 'templates'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-06-02 16:14:45 -04:00
Steve Lawrence 0be11881d1 libsepol/cil: fix error check in new cil_resolve_name
This prevented cil_resolve_name() from returning an actual thing when a
name resolved to an alias. This appears to have only affected resolution
dealing with sensitivity and category aliases. Type aliases were not
affected since places that dealt with types handled type aliases
specifically and did not rely on this behavior from cil_resolve_name().

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2017-06-02 12:18:16 -04:00
Stephen Smalley 31f532aacb libselinux: fix selabel_lookup*() double slash bug
As originally reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
, "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the
wrong security context.  This turned out to be a result of systemd-hwdb
calling selabel_lookup_raw() with a path with a leading double slash
(//lib/udev/hwdb.bin). While the selabel file backend already removes
duplicate slashes, this was occurring after any substitution matching
and replacement had occurred in the generic selabel frontend, and thus
the double slash was still preventing the /lib -> /usr/lib substitution
specified by file_contexts.subs_dist from occurring.  As a consequence,
the final path (/lib/udev/hwdb.bin) used to look up did not match the
/usr/lib/udev/[^/]* entry in file_contexts.

There were two options for resolving:
1) move the double slash removal to the selabel frontend code before
substitutions, or
2) move the substitution processing to the selabel file backend code
after double slash removal.

Since substitutions are currently only supported for the file backend,
and since the slash character may have no particular meaning in the
keys for other backends, it seems more correct to do the latter.
This has the advantage of taking all of the substitution data
structures and code private to the selabel file backend.

Test case:
Compare the output of:
	selabel_lookup -r -b file -k //lib/udev/hwdb.bin
versus:
	selabel_lookup -r -b file -k /lib/udev/hwdb.bin

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker <russell@coker.com.au>
Reported-by: Michael Biebl <biebl@debian.org>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 15:26:53 -04:00
Bernhard M. Wiedemann c18ea1df62 sort input files
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.

See https://reproducible-builds.org/ for why this matters.
2017-06-01 14:00:30 -04:00
Stephen Smalley 22ac4f9bd3 libsepol: Fix alloc-size-larger-than warning from gcc 7
Fixes the following warning from gcc 7:

In function ‘name_list_to_string’,
    inlined from ‘constraint_expr_to_string’ at module_to_cil.c:1790:8:
module_to_cil.c:1135:6: warning: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
  str = malloc(len);
  ~~~~^~~~~~~~~~~~~
In file included from module_to_cil.c:36:0:
module_to_cil.c: In function ‘constraint_expr_to_string’:
/usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here
 extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
              ^~~~~~

While we are here, fix a few other issues too.
The usage of snprintf was wrong and unnecessary; we just allocated
the string to be the right size, so we should just fill it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:36:01 -04:00
Stephen Smalley f60244365c libsemanage: Fix snprintf warnings from gcc 7
Fixes the following warning from gcc7 by increasing the
buffer size to PATH_MAX.

semanage_store.c: In function ‘semanage_remove_directory’:
semanage_store.c:819:30: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 254 [-Wformat-truncation=]
   snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
                              ^~
semanage_store.c:819:3: note: ‘snprintf’ output 2 or more bytes (assuming 257) into a destination of size 255
   snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:35:56 -04:00