Drop unnecessary declarations.
Add missing error messages.
More strict command line argument parsing.
Check closing file for incomplete write.
Rework resource cleanup, so that all files and allocated memory are
released in all branches, useful to minimize reports while debugging
libsepol under valgrind(8) or sanitizers.
Set close-on-exec flag in case of any sibling thread.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop unnecessary declarations.
More verbose error messages and add missing trailing newline.
More strict argument count checking.
Check closing file for incomplete write.
Rework resource cleanup, so that all files and allocated memory are
released in all branches, useful to minimize reports while debugging
libsepol under valgrind(8) or sanitizers.
Add help argument option -h.
Set close-on-exec flag in case of any sibling thread.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop unnecessary declarations.
Reduce scope of file global variable.
Mention -v argument in help usage message.
More strict integer conversion.
More strict argument count checking.
Check closing file for incomplete write.
Rework resource cleanup, so that all files and allocated memory are
released in all branches, useful to minimize reports while debugging
libsepol under valgrind(8) or sanitizers.
Add help argument option -h.
Set close-on-exec flag in case of any sibling threads.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
setsebool does not directly use any symbols from libsepol. Any
transitional ones, via libsemanage, are available by linking against
libsemanage.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Support the usage format of multiple booleans to change, e.g.:
setsebool bool1=on bool2=off
Support the options -N and -V.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Before the CIL post processing phase (where expressions are evaluated,
various ebitmaps are set, etc) there is a pre-verification where
checks are made to find self references or loops in bounds, attribute
sets, and class permissions. The class permission checking is faulty
in two ways.
First, it does not check for the use of "all" in a permission expression
for a class that has no permissions. An error will still be generated
later and secilc will exit cleanly, but without an error message that
explains the problem.
Second, it does not properly handle lists in permission expressions.
For example, "(C ((P)))" is a legitimate class permission. The
permissions expression contains one item that is a list containing
one permission. This permission expression will be properly evaluated.
Unfortunately, the class permission verification assumes that each
item in the permission expression is either an operator or a
permission datum and a segmenation fault will occur.
Refactor the class permission checking to give a proper error when
"all" is used in a permission expression for a class that has no
permissions and so that it can handle lists in permission
expressions. Also, check for the actual flavor of each item in
the permission expression and return an error if an unexpected
flavor is found.
The failure to properly handle lists in permission expressions was
found by oss-fuzz (#58085).
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Validate policy after optimizing.
Run policy assertion check, ignoring any assertions.
Abort on failures writing the parsed policy, as writing should not fail on
validated policies.
Set close-on-exec flag in case of any sibling thread.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
put_entry() is used during writing binary policies. Avoid short writes
due to an overflow.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 55b75a2c ("libsepol: stop translating deprecated intial SIDs to
strings") dropped several names of obsolete initial sids ans replaced
them with NULL. This leads to their printable string being dynamically
allocated but not free'd.
Instead of keeping track of which name was allocated dynamically and
which not, allocate all on the heap, which simplifies the later cleanup.
While on it also free the name in case of a strs_add_at_index() failure.
Reported-by: oss-fuzz (issue 60271)
Fixes: 55b75a2c ("libsepol: stop translating deprecated intial SIDs to strings")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch implements the support for prefix/suffix filename transitions
in the CIL structures as well as in the CIL policy parser.
Syntax of the new prefix/suffix filename transition rule:
(typetransition source_type_id target_type_id class_id object_name match_type default_type_id)
where match_type is either the keyword "prefix" or "suffix".
Examples:
(typetransition ta tb CLASS01 "file01" prefix td)
(typetransition td te CLASS01 "file02" suffix tf)
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch extends the structures for module and base policy (avrule_t)
to support prefix/suffix transitions. In addition to this, it implements
the necessary changes to functions for reading and writing the binary
policy, as well as parsing the policy conf.
Syntax of the new prefix/suffix filename transition rule:
type_transition source_type target_type : class default_type object_name match_type;
where match_type is either keyword "prefix" or "suffix"
Examples:
type_transition ta tb:CLASS01 tc "file01" prefix;
type_transition td te:CLASS01 tf "file02" suffix;
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, filename type transitions support only exact name matching.
However, in practice, the names contain variable parts. This leads to
many duplicated rules in the policy that differ only in the part of the
name, or it is even impossible to cover all possible combinations.
This patch extends the filename type transitions structures to include
new types of filename transitions - prefix and suffix filename
transitions. It also implements the reading and writing of those rules
in the kernel binary policy format together with increasing its version.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Implement a new module policy format that closely matches the new
internal representation of avrule introduced in the previous patch.
This patch bumps the maximum module policy version and implements
reading/writing functions such that the module binary policy structure
matches its internal representation, namely, the object name attribute
used for the filename transition rules.
These changes have no significant effect on the size of the module
policy file (tested with Fedora policy).
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Implement a new binary policy format that closely matches the new
internal representation introduced in the previous patch.
This patch bumps the maximum kernel policy version and implements
reading/writing functions such that kernel binary policy structure
matches internal representation.
These changes can cause the binary policy to grow in size due to
effectively undoing the benefits of the commit 8206b8cb ("libsepol:
implement POLICYDB_VERSION_COMP_FTRANS "), but this will be mitigated by
adding the prefix/suffix support as described in the previous patch.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Similarly to the previous patch, filename transition rules are stored
and parsed separately from other type enforcement rules. Moving them to
avrule makes it consistent with the filename transitions in avtab and
makes future improvements easier to implement.
This patch adds an optional object name attribute to the avrule
structure and uses this new attribute to move filename transition rules
to avrule. It also updates functions for parsing type enforcement rules
to accept rules with a filename as their last argument (filename
transition rules), separate functions for parsing filename transitions
are therefore no longer needed.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, filename transitions are stored separately from other type
enforcement rules. This leads to possibly sub-optimal performance and
makes further improvements cumbersome.
This patch adds a symbol table with filename transitions to the
transition structure added to avtab in the previous patch. It also
implements functions required for reading and writing filename
transitions (either binary or source formats) and updates the code for
expanding attributes. Last but not least, it updates the conflict check
in the conditional avtab to account for empty transitions in the
non-conditional avtab.
These changes are expected to cause higher memory usage, as now there
needs to be a filename transition structure for every stype. This patch
effectively undoes most of the commit 42ae834a ("libsepol,checkpolicy:
optimize storage of filename transitions"), but this will be mitigated
by providing support for matching prefix/suffix of the filename for
filename transitions in future patches which will reduce to need to have
so many of them.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
To move filename transitions to be part of avtab, we need to create
space for it in the avtab_datum structure which holds the rule for
a certain combination of stype, ttype and tclass.
As only type transitions have a special variant that uses a filename, it
would be suboptimal to add a (mostly empty) pointer to some structure to
all avtab rules.
Therefore, this patch adds a new structure to the avtab_datum and moves
the otype of the transition to this structure. In the next patch, this
structure will also hold filename transitions for the combination of
stype, ttype and tclass.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
It confuses translators and new lines are dropped by parser module anyway.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
If a string contains more than one unnamed argument it's hard for
translators to proper localize as they don't know which value is
represented by a unnamed argument. It also blocks them to use a
different order of arguments which would make better sense in other
languages.
Fixes:
$ xgettext --default-domain=python -L Python --keyword=_ --keyword=N_ ../audit2allow/audit2allow ../chcat/chcat ../semanage/semanage ../semanage/seobject.py ../sepolgen/src/sepolgen/interfaces.py ../sepolicy/sepolicy/generate.py ../sepolicy/sepolicy/gui.py ../sepolicy/sepolicy/__init__.py ../sepolicy/sepolicy/interface.py ../sepolicy/sepolicy.py
../chcat/chcat:220: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
../semanage/seobject.py:1178: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
...
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This adds more exceptions to be handled by the except clause in
`get_os_version()`:
* If the `distro` package is not installed, then `import distro` raises
a `ModuleNotFoundError` exception.
* The distro documentation[1] lists `OSError` and `UnicodeError` as
exceptions that can be raised.
* Older versions of distro (<= 1.6.0) may also raise
`subprocessCalledProcessError`[2].
[1]: https://github.com/python-distro/distro/blob/v1.8.0/src/distro/distro.py#L749-L753
[2]: https://github.com/python-distro/distro/blob/v1.6.0/distro.py#L726-L728
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Check the return value of calloc() to avoid null pointer reference.
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Instead, a new action, 'v' for printing the policy (and/or
module) version in batch mode is added.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
* fix minus self formatting in neverallow rules, avoiding `~ - self`
* show neverallow and neverallowxperm rules
* whitespace improvements in output
- avoid duplicate whitespaces before permission list, since
sepol_av_to_string() already adds a trailing one
- avoid duplicate whitespace after wildcard type
- unify indentation for xperm rules
* drop unused global variables
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add the command line argument `-N/--disable-neverallow`, similar to
secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of
neverallow rule violations.
This is mainly useful in development, e.g. to quickly add rules to a
policy without fulfilling all neverallow rules or build policies with
known violations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Resurrect the naming of the "init" initial SID, as it has been
reintroduced in the kernel. Also add the new "userspace_initial_context"
policy capability that is used to enable the new semantics for this
initial SID.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.
Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux
is disabled and with this change the user will be present once SELinux
is re-enabled.
Also, do not execute the command when the package is updated, only when
it is first installed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The following commit
330b0fc333
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
e1e216b25d
Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.
Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script
# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule: Failed!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Expand the description to make it more clear what "interfaces" mean
here. They're different from network interfaces used by SELinux
command `semanage interface`.
Add a note that the information comes from on-disk file which has been
installed and it doesn't necessarily match the policy loaded to the
kernel.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
