Commit Graph

133 Commits

Author SHA1 Message Date
Miroslav Grepl
f82771c105 Fix typo in executable.py template.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
1353988d58 sepolicy: We should be creating _exec interfaces when we create the domtrans interface
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Miroslav Grepl
8dfdb38db9 sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
c0ec882bfa Fix up generation of application policy
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
1db83be583 policycoreutils/sepolicy: boolean.png is in help/
Fixes:
(sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
590e765dce sepolicy: Move svirt man page out of libvirt into its own
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
63283b81bb sepolicy: Add manpages for typealiased types
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
cfbb79736d sepolicy: Fix spelling mistakes in commands in generated manpages
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
443b84e4df policycoreutils/sepolicy: Add documentation for MCS separated domains
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Jason Zaman
fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
Stephen Smalley
317743bbe2 python/semanage: fix export of fcontext socket entries
Fixes https://github.com/SELinuxProject/selinux/issues/49 (#49).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-15 13:10:18 -04:00
Ville Skyttä
fba9d01035 Python 3.6 invalid escape sequence deprecation fixes
https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior

A backslash-character pair that is not a valid escape sequence now
generates a DeprecationWarning. Although this will eventually become a
SyntaxError, that will not be for several Python releases.

The problem appears when you use '-W error':

$ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")'
  File "<string>", line 1
SyntaxError: invalid escape sequence \-

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>

[ Edited commit message as per suggestion from Petr Lautrbach ]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-10 15:56:36 -05:00
Vit Mojzis
718bc4bcdf python/sepolicy: fix obtaining domain name in HTMLManPages
HTMLManPages got domain name by splitting name of selinux manpage
on "_selinux" which doesn't work properly when domain name contains
"_selinux".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-03-10 15:47:27 -05:00
Vit Mojzis
ed51e23f15 sepolgen: strip non-printable characters when parsing audit messages
Strip the following characters
\x1c	File Separator
\x1d	Group Separator
\x1e	Record Separator
\x85	Next Line (C1 Control Code)
from audit message fields to make sure they are not evaluated
as part of some identifier (eg. ausearch used insert \x1d into
--raw output resulting in "unrecognized class" error messages).

This is done as part of str.split() in python3.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1406328
2017-02-21 13:43:09 -05:00
Nicolas Iooss
dcd135cc06 Re-link programs after libsepol.a is updated
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.

While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-18 16:41:34 -05:00
Nicolas Iooss
baee7238b8 semanage, sepolicy: make tests not fail on systems without SELinux
selinux.security_getenforce() triggers an exception when running tests
on systems without SELinux. In order to skip tests which need SELinux in
enforcing mode, test selinux.is_selinux_enabled() too, like commit
945bc8853b ("sandbox: make test not fail on systems without SELinux").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-17 16:48:46 -05:00
Alan Jenkins
62f058980e policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
Fix missing and surplus commas.  Fix the following formatting errors:

    .BR selinux(8)

renders the the "(8)" in bold as well as the "selinux".  This is wrong.

    .B selinux
    (8)

renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)

commits both of the above mistakes.

    .BR selinux (8), apparmor (8)

omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:31 -05:00
Vit Mojzis
8fe1b0ca27 python/sepolicy/sepolicy: optimise sepolicy gui loading
Significantly speed up sepolicy gui loading by aggregating setools
queries.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
ef387e88bd python/sepolicy/sepolicy: Cleanup of gui code
Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.
Speed up gui loading.
Some minor bug fixes.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
31fcd66d39 python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui
sepolicy.get_init_entrypoint() now returns list of Type objects
instead of single string, which caused sepolicy gui to crash.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-06 12:31:37 -05:00
Vit Mojzis
4791a99d67 python: Fix some typos
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-05 15:11:08 -05:00
Kyle Walker
468a0dbac8 seobject: Handle python error returns correctly
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.

    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory

To resolve the error, handle the OSError exception, but retain the
previous query operation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427

Signed-off-by: Kyle Walker <kwalker@redhat.com>
2016-11-30 11:00:51 -05:00
Vit Mojzis
86e568c27b python/semanage/semanage: Unify argument handling
Missing argument checks for "fcontext" and "boolean" were performed
outside of "argparse", resulting in shortened help message (without
argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other
semanage options.

Some "required argument" check were performed outside of "handle_opts"
obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the
checks from handle{Fcontext Boolean}.

Remove unpaired parentheses from "semanage fcontext" usage message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 09:33:58 -05:00
Vit Mojzis
041e00106f python/sepolicy/sepolicy/gui: Fix getting python lib path
Python code is not platform specific and resides always in
lib (as opposed to lib64 on x64 architectures).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 08:49:26 -05:00
Stephen Smalley
7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00
Vit Mojzis
c034875c14 policycoreutils/sepolicy/gui: fix current selinux state radiobutton
Radiobutton was always set to "Permissive" and couldn't be switched.
Update radiobutton together with status text in bottom left corner.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-29 08:49:48 -05:00
cgzones
1e605e9905 fix semanage fcontext help message
the ftype options were incorrect
2016-11-24 20:01:26 +01:00
Stephen Smalley
7935dee8f6 Drop ChangeLog files
They can be generated as desired via git log.
No need to keep maintaining them by hand.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 12:10:58 -05:00
Stephen Smalley
25c167a6ea Add COPYING files for new subdirs.
Copied from policycoreutils/COPYING, from which these originated.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
6bd0b55380 Add VERSION files for new components
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
b97d959a6a Move policycoreutils/sepolgen-ifgen into python/audit2allow.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
50be5fcca4 Move sepolicy desktop and png files to gui.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:51 -05:00
Stephen Smalley
48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:50 -05:00