Commit Graph

133 Commits

Author SHA1 Message Date
Nicolas Iooss
f39c0ac637 python/chcat: fix removing categories on users with Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:

    # semanage login -l
    Login Name           SELinux User         MLS/MCS Range        Service

    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    vagrant              unconfined_u         s0-s0:c0.c1023       *

Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:

    vagrant              unconfined_u         s0-s0:c0.c1023,c42   *

This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.

Fix this issue by splitting the list of categories before calling
expandCats().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:09 +01:00
Nicolas Iooss
69c56bd2f6 python/chcat: improve the code readability
flake8 reports many warnings for chcat:

    chcat:7:1: E265 block comment should start with '# '
    chcat:29:1: F401 'string' imported but unused
    chcat:44:1: E722 do not use bare 'except'
    chcat:104:9: F841 local variable 'e' is assigned to but never used
    chcat:144:9: F841 local variable 'e' is assigned to but never used
    chcat:186:9: F841 local variable 'e' is assigned to but never used
    chcat:234:9: F841 local variable 'e' is assigned to but never used
    chcat:262:9: F841 local variable 'e' is assigned to but never used
    chcat:281:5: F841 local variable 'e' is assigned to but never used
    chcat:385:9: E722 do not use bare 'except'
    chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
    chcat:436:5: F841 local variable 'e' is assigned to but never used

Fix all of them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:07 +01:00
Vit Mojzis
2923d9d21e python/chcat: use check_call instead of getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-11 12:39:05 +01:00
Vit Mojzis
9cb9b18b17
python/semanage: Start exporting "ibendport" and "ibpkey" entries
Include "ibendport" and "ibpkey" entries in "semanage export".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:09:08 +01:00
Vit Mojzis
73135989de
python/semanage: Include MCS/MLS range when exporting local customizations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:08:53 +01:00
Vit Mojzis
a3be73bea4
python: replace aliases with corresponding type names
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.

Fixes e.g.:

\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */

Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 458, in transition
    mytrans = setrans(args.source, args.target)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
    self._process(self.source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
    trans = _get_trans(source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
    src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
2018-11-10 17:26:13 +01:00
Vit Mojzis
48aeea9ce6
python/semanage: Stop rejecting aliases in semanage commands
Resolves:

\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined

\# seinfo -tsvirt_sandbox_file_t -x
   TypeName container_file_t
   Aliases
      svirt_sandbox_file_t
      svirt_lxc_file_t

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:55 +02:00
Vit Mojzis
4c63b8e7b6
python/sepolicy: Stop rejecting aliases in sepolicy commands
Fix CheckDomain and CheckPortType classes to properly deal with aliases.

Resolves:
   https://bugzilla.redhat.com/show_bug.cgi?id=1600009

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:48 +02:00
Vit Mojzis
448f5a9257
python/sepolicy: Fix "info" to search aliases as well
Restore previous behaviour of "sepolicy.info()".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:30 +02:00
Vit Mojzis
e5f312667b
python/sepolicy: Update to work with setools-4.2.0
Change in internal setools API causes sepolicy to crash when processing
AVRules.

    File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
        if isinstance(rule, setools.policyrep.terule.AVRule):
    AttributeError: module 'setools.policyrep' has no attribute 'terule'

See https://github.com/SELinuxProject/setools/issues/8 for more details.

Stop using internal setools API:

- use AttributeError instead of setools specific exceptions
- evaluate conditional expressions using conditional.evaluate() instead
of qpol_symbol.is_enabled()

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-25 21:30:15 +02:00
Nicolas Iooss
c5389c7c45
semanage: add a missing space in ibendport help
Currently, in:

    # semanage ibendport --help
    usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE
    -z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE(
    port ) | --deleteall  | --extract  | --list -C | --modify -t TYPE -z
    IBDEV_NAME -r RANGE ( port ) ]

... a space is missing between "RANGE" and "( port )" in the usage of
--delete. Add it by splitting the string correctly in the usage line
definition.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:51 +02:00
Nicolas Iooss
7dd66ea49a
semanage: "semanage user" does not use -s, fix documentation
Both "semanage user --help" and "man 8 semanage-user" state that
"semanage user" accepts option -s, but this is incorrect: -s is not
needed to specify the SELinux user on the command line, contrary to
"semanage login" for example. Fix the documention.

While at it, remove many spaces from the helptext of option --roles. I
do not know where they came from, but they were reduced to a single
space when displayed anyway.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:44 +02:00
Nicolas Iooss
6f01778406
python: remove semicolon from end of lines
Python does not need to end a statement with a semicolon. Doing this
gets reported by linters such as flake8 ("E703 statement ends with a
semicolon").

Remove such semicolons in the code and enable this warning in
scripts/run-flake8.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 17:55:19 +02:00
Nicolas Iooss
fa671f434e
python/sepolicy: add missing % in network tab help text
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 23:00:08 +02:00
Nicolas Iooss
6ea7f067c8
python/sepolicy: do not import types
This module is not used and its name conflicts with variable "types".

This issue has been found using flake8. This Python linter reported:

    python/sepolicy/sepolicy/generate.py:657:5: F811 redefinition of
    unused 'types' from line 31

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:10 +02:00
Nicolas Iooss
052a4fde73
python/sepolicy: do not import sepolicy.generate.DAEMON twice
This issue has been found using flake8. This Python linter reported:

    python/sepolicy/sepolicy.py:582:5: F811 redefinition of unused
    'DAEMON' from line 582

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:10 +02:00
Nicolas Iooss
a33528b0d2
python/sepolicy: use variables which exist in the gui.py
Some function used variables which were not defined when populating
self.cur_dict with an operation. Fix this, even though the old values do
not seem to be used.

This issue has been found using flake8. This Python linter reported:

    python/sepolicy/sepolicy/gui.py:2020:101: F821 undefined name 'oldsetype'
    python/sepolicy/sepolicy/gui.py:2020:122: F821 undefined name 'oldmls'
    python/sepolicy/sepolicy/gui.py:2020:142: F821 undefined name 'oldclass'
    python/sepolicy/sepolicy/gui.py:2050:133: F821 undefined name 'oldmls'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:10 +02:00
Nicolas Iooss
8fac024785
python/sepolicy: fix "procotol" misspelling
procotol -> protocol

This issue has been found using flake8. This Python linter reported:

    python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
052dcf62fd
python/sepolgen: use self when accessing members in FilesystemUse
This silences the following flake8 errors:

    python/sepolgen/src/sepolgen/refpolicy.py:758:25: F821 undefined name 'XATTR'
    python/sepolgen/src/sepolgen/refpolicy.py:760:27: F821 undefined name 'TRANS'
    python/sepolgen/src/sepolgen/refpolicy.py:762:27: F821 undefined name 'TASK'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
e6dd227272
python/sepolgen: remove buggy code
av_extract_params() may call __param_insert() with only 2 parameters
instead of 4, which has no chance to work fine. Moreover it uses "PERM",
which is undefined. As nobody complained about this code, it seems to be
dead, so remove it.

This issue has been found using flake8. This Python linter reported:

    python/sepolgen/src/sepolgen/interfaces.py:158:37: F821 undefined
    name 'PERM'

While at it, fix a typo in a comment.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
20db6a5a73
python/sepolgen: silence linter warning about has_key
flake8 warns about using has_key():

    python/sepolgen/src/sepolgen/refparser.py:315:15: W601 .has_key() is
    deprecated, use 'in'

However "spt.has_key(id)" uses function SupportMacros.has_key(), which
is not the same as the "in" operator. Silence this warning by using "#
noqa".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:09 +02:00
Nicolas Iooss
3d3c51d607
python/sepolgen: fix refpolicy parsing of "permissive"
p_permissive() uses an undefined variable t, which is buggy. In order to
ignore permissive statements, the function only needs to "pass".

flake8 reported the following error:

    python/sepolgen/src/sepolgen/refparser.py:789:5: F821 undefined name 't'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
495c4c894a
python/sepolicy: use lowercase variable name
SELinuxGui.files_initial_data_insert() uses both "seLinux_label" and
"selinux_label", which leads to using an undefined variable, as reported
by flake8:

    python/sepolicy/sepolicy/gui.py:1191:42: F821 undefined name 'selinux_label'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
1fb0c7790c
python/sepolicy: drop unused CheckPolicyType
CheckPolicyType class is not used in sepolicy and has been written from
an buggy copy-paste: "newval.append(v)" does not make any sense in
CheckPolicyType.__call__, as reported by flake8:

    python/sepolicy/sepolicy.py:190:13: F821 undefined name 'newval'
    python/sepolicy/sepolicy.py:190:27: F821 undefined name 'v'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
a0c167ed22
python/sepolgen: return NotImplemented instead of raising it
sepolgen uses "return NotImplemented" (in access.py and matching.py) in
order to make Python's sorting function use an other call to compare
objects. For this to work, "NotImplemented" needs to be returned, not
raised like _compare's default implementation does.

This issue has been found using flake8. This Python linter reported:

    python/sepolgen/src/sepolgen/util.py:128:9: F901 'raise
    NotImplemented' should be 'raise NotImplementedError'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:08 +02:00
Nicolas Iooss
03c708d28d
python/sepolgen: do not import twice the modules
util.py starts by importing "locale" and "sys", so there is no need to
import these modules again in the functions.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-15 22:12:07 +02:00
Nicolas Iooss
f6e7613bd3
python/semanage: fix Python syntax of catching several exceptions
"except OSError, ImportError:" does not perform what it says: it is the
Python 2 syntax of catching OSError exceptions as "ImportError" (like
"except OSError, e:"), and this is indeed caught by Python3:

      File "./python/semanage/seobject.py", line 143
        except OSError, ImportError:
                      ^
    SyntaxError: invalid syntax

The correct syntax consists in using parentheses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-06 22:06:48 +02:00
Vit Mojzis
b12e246739 python/semanage: Replace bare except with specific one
The corresponding except clause should only be used for
exceptions caused by audit module error or unavailability.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-07-14 18:00:25 +02:00
Vit Mojzis
cf8eed5431 python/semanage: Fix logger class definition
Test if audit module is enabled so that logger class is defined
correctly.

Fixes:
"semanage fcontext -l" fails with "OSError: Protocol not supported" when
booting with audit=0

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-07-14 17:59:56 +02:00
Yuri Chornoivan
f032946cf9 Fix minor typos
Signed-off-by: Yuri Chornoivan <yurchor@ukr.net>
2018-06-30 20:28:25 +02:00
Vit Mojzis
5e33a44c66 python/semanage: Stop logging loginRecords changes
semanage_seuser_modify_local and semanage_seuser_del_local already do
the logging.
Moreover, semanage log for loginRecords.__add was flawed since it
reported old-{seuser,role,range} of default user instead of None. This
was caused by selinux.getseuserbyname, which returns values for default
user when the specified username is not found.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294663

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-06-26 09:53:16 -04:00
Jan Zarsky
42b4a44b74 python: add xperms support to audit2allow
Add support for extended permissions to audit2allow. Extend AuditParser
to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to
generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow
to turn on generating of extended permission AV rules.

AVCMessage parses the ioctlcmd field in AVC messages. AuditParser
converts the ioctlcmd values into generic representation of extended
permissions that is stored in access vectors.

Extended permissions are represented by operations (currently only
'ioctl') and values associated to the operations. Values (for example
'~{ 0x42 1234 23-34 }') are stored in the XpermSet class.

PolicyGenerator contains new method to turn on generating of xperms.
When turned on, for each access vector, standard AV rule and possibly
several xperm AV rules are generated. Xperm AV rules are represented by
the AVExtRule class.

With xperm generating turned off, PolicyGenerator provides comments
about extended permissions in certain situations. When the AVC message
contains the ioctlcmd field and the access would be allowed according to
the policy, PolicyGenerator warns about xperm rules being the possible
cause of the denial.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:36:14 +02:00
Jan Zarsky
474f9b08d4 python/sepolgen: fix access vector initialization
In access module, in AccessVector.__init__() method, when init_list is
not None, the access vector is initialized by from_list() method.
However, this method does not assign attributes self.audit_msgs,
self.type, and self.data. Fix this by assigning these attributes in
__init__() method.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:34:53 +02:00
Jan Zarsky
a98314d8c1 python/sepolgen: print all AV rules correctly
In refpolicy module, in AVRule.__rule_type_str() method, self.rule_type
was not checked for value self.NEVERALLOW so that string "neverallow"
was never returned. Fix this by checking all four possible values and
returning correct strings.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2018-06-16 10:34:53 +02:00
Nicolas Iooss
91ef21e31f python/sepolgen: fix typo in PathChoooser name
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-06-06 15:56:45 -04:00
Stephen Smalley
a9f8a101fd Update VERSIONs to 2.8 for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-24 14:21:09 -04:00
Stephen Smalley
20c9b4971e Update VERSION files to 2.8-rc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-10 11:08:22 -04:00
Vit Mojzis
9a9b0e9d61 python/semanage/seobject.py: Fix undefined store check
self.store is always a string (actual store name or "") because of
semanageRecords.__init__. Fix check for not defined store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-05-08 08:13:24 -04:00
Stephen Smalley
dc03bae194 Update VERSION files to 2.8-rc2.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-26 13:20:40 -04:00
Stephen Smalley
f04d64012a Update VERSION files to 2.8-rc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-19 10:40:16 -04:00
Vit Mojzis
1ac7716df4 python/sepolgen: Try to translate SELinux contexts to raw
This allows sepolgen to generate policy from AVC messages that contain
contexts translated by mcstrans.

Fixes:

\# echo "type=USER_AVC msg=audit(1468415802.940:2199604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:SystemLow-SystemHigh tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'" | audit2allow

libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:system_r:systemd_logind_t:SystemLow-SystemHigh to sid

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-04-13 13:41:46 -04:00
Jan Zarsky
29d84c6280 python/sepolgen: fix typo in PolicyGenerator 2018-03-08 14:56:19 -05:00
Lee Stubbs
e4348941ee Minor update for bash completion. Bash completion for ports is missing '-' for type. Based on documentation, it should be --type, not -type. 2018-02-26 09:33:19 -05:00
Nicolas Iooss
df135b07a7 python/sepolicy: Initialize policy.ports as a dict in generate.py
in class policy, ports is usually initialized with the result of
get_all_ports(), which is a dict. If this function failed, the error was
not fatal but ports was left initialized as a list, which would trigger
other errors when accessing it.

Initialize ports as an empty dict in order to fix this issue.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-02-23 15:23:47 -05:00
Nicolas Iooss
8059ad7ad1 python/sepolicy: Support non-MLS policy
When using sepolgen GUI on a system with a non-MLS policy,
sepolicy.info(sepolicy.PORT) does not define "range" attributes (since
commit 908340e8e7 ("sepolicy: support non-MLS policy in manpage")).
Replace them with None in get_all_ports() result.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-02-23 15:23:47 -05:00
Nicolas Iooss
b8296872fe python/sepolicy: Fix translated strings with parameters
When a translated string takes parameters with %, the % and the
parameters need to be after the call to the underline function in order
to work properly.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-02-23 15:23:47 -05:00
Petr Lautrbach
41f1882724 python/sepolicy: Do not use types.BooleanType
It was removed from Python 3

Fixes:
File "polgengui.py", line 390, in forward
  self.generate_policy()
File "polgengui.py", line 491, in generate_policy
  my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1)
File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py",  line 468, in set_use_syslog
  if not isinstance(val, types.BooleanType):
AttributeError: module 'types' has no attribute 'BooleanType'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-02-23 15:23:47 -05:00
Petr Lautrbach
7281132977 python/sepolicy: Use list instead of map
map() returns an iterator in python3, list in python2

Fixes:
File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users
  users.remove("system_u")
AttributeError: 'map' object has no attribute 'remove'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-02-23 15:23:47 -05:00
Marcus Folkesson
88a6216ddb python: build: move modules from platform-specific to platform-shared
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson
11aaf180ef python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00