Commit Graph

2822 Commits

Author SHA1 Message Date
Ondrej Mosnacek
fe985a8c84 travis: run only selinux-testsuite
Now that the standard testing is run on GitHub Actions, we can remove it
from .travis.yml, leaving only the selinux-testsuite sanity check, which
can't be migrated. Hopefully this will save some precious minutesfrom
the limited "plan" Travis gave us...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-27 15:37:31 +01:00
Nicolas Iooss
7844cd212f Add configuration to build and run tests in GitHub Actions
Copy the tests that are currently run on Travis CI, in order to no
longer depends on Travis CI.

For more context: Travis-CI is changing its offer, as documented in
https://docs.travis-ci.com/user/migrate/open-source-repository-migration
and SELinuxProject moved to https://travis-ci.com
https://lore.kernel.org/selinux/CAFqZXNspH6MmB-o0wtJJwj-p0DKKrH-ZjfW2YkF_yQS_gCBwqQ@mail.gmail.com/T/#t

Unfortunately the credits for opensource projects are quite limited, and
require interaction with Travis CI support (which was quite unresponsive
when I contacted them for other opensource projects I am maintaining).

Create a configuration for Github Actions that duplicates most Travis CI
checks.

* macOS check has not yet been converted, but GitHub Actions support
  this platform so this can be done in another patch (and in another
  configuration in .github/workflows ?).

* KVM support is not available on GitHub Actions so running SELinux
  testsuite in a Fedora VM is not possible. This is a known issue
  (https://github.com/actions/virtual-environments/issues/183) and other
  projects seem to face the same issue (for example
  https://github.com/opencontainers/runc/issues/2670).

This configuration has been tested on
https://github.com/fishilico/selinux/actions/runs/380579153

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-27 09:49:39 +01:00
Bernhard M. Wiedemann
fadcc8396c python/sepolicy: allow to override manpage date
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.

This patch was done while working on reproducible builds for openSUSE.

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
2020-11-13 10:53:59 +01:00
Nicolas Iooss
89dab4675d
libsepol: free memory when realloc() fails
In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
grow the memory, the function returns NULL without freeing class_buf.
This leads to a memory leak which is reported by clang's static
analyzer:
https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath

Fix the memory leak by calling free(class_buf).

While at it, use size_t insted of int to store the size of the buffer
which is growing.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-11-12 21:24:06 +01:00
Ondrej Mosnacek
e081620812
ci: add new dependencies needed by selinux-testsuite
The testsuite now runs filesystem tests also on other filesystems than
just the default ext4. [1] That means a few more userspace utilities are
needed to format these filesystems. [2]

[1] 071ec9c5e5
[2] d4e507f78a

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-12 21:24:00 +01:00
Ondrej Mosnacek
c064d21483
selinux_config(5): add a note that runtime disable is deprecated
...and refer to selinux(8), which explains it further.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-12 21:23:59 +01:00
Ondrej Mosnacek
45b15c2216
selinux(8): explain that runtime disable is deprecated
Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-11 20:42:22 +01:00
Ondrej Mosnacek
3c16aaefbf
selinux(8): mark up SELINUX values
Mark up the possible values of SELINUX (disabled, permissive, enforcing)
for better readability.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-11 20:42:21 +01:00
Ondrej Mosnacek
3de445af0b
ci: bump Fedora image version to 33
The testsuite will soon be switching to testing multiple filesystems,
which exposes a bug in F32 image's kernel. Since Fedora 33 has been
released recently and the testsuite runs just fine on it, just bump the
image version to avoid the bug.

This commit also fixes the script to read out the Fedora image version
from environment variables instead of using hard-coded values.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-11-11 20:40:15 +01:00
Vit Mojzis
ce46daab7c libsemanage/genhomedircon: check usepasswd
Only add user homedir contexts when usepasswd = True

Resolves:
   # grep usepasswd /etc/selinux/semanage.conf
   usepasswd=False
   # useradd -Z unconfined_u -d /tmp test
   # matchpathcon /tmp
   /tmp	unconfined_u:object_r:user_home_dir_t:s0

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2020-11-10 07:23:44 +01:00
Björn Bidar
c2a58cc525 libselinux: LABEL_BACKEND_ANDROID add option to enable
Add option to just enable the android label backend without disabling
anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.

Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
2020-11-01 20:47:15 -06:00
Ondrej Mosnacek
4dd74ded5b ci: use parallel build
Pass -j$(nproc) to all make invocations to make the CI run a little
faster.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: William Roberts <bill.c.roberts@gmail.com>
2020-10-31 16:53:44 +01:00
James Carter
2d353bd585 libsepol/cil: Give error for more than one true or false block
Both tunableif and booleanif use conditional blocks (either true or
false). No ordering is imposed, so a false block can be first (or even
the only) block. Checks are made to ensure that the first and second
(if it exists) blocks are either true or false, but no checks are made
to ensure that there is only one true and/or one false block. If there
are more than one true or false block, only the first will be used and
the other will be ignored.

Create a function, cil_verify_conditional_blocks(), that gives an error
along with a message if more than one true or false block is specified
and call that function when building tunableif and booleanif blocks in
the AST.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-10-26 09:55:37 +01:00
Björn Bidar
db0f2f382e libselinux: Add build option to disable X11 backend
Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
2020-10-23 09:50:02 -05:00
Petr Lautrbach
6ebb35d261
libsemanage: Bump libsemanage.so version
Previous commits removed some symbols and broke ABI, therefore we need to change
SONAME.

See the following quotes from distribution guidelines:

https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

Every time the shared library ABI changes in a way that may break
binaries linked against older versions of the shared library, the SONAME
of the library and the corresponding name for the binary package
containing the runtime shared library should change.

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning

When new versions of the library are released, you should use an ABI
comparison tool to check for ABI differences in the built shared
libraries. If it detects any incompatibilities, bump the n number by
one.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:42 +02:00
Petr Lautrbach
c08b73d718
libsemanage: Drop deprecated functions
semanage_module_enable() and semanage_module_disable() were deprecated
by commit 9fbc6d1441 ("libsemanage: add back original module
enable/disable functions for ABI compatability") in 2014 in order to
preserve ABI compatibility. As we the libsemanage ABI is changed by the
previous commit, it makes sense to drop them completely.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:41 +02:00
Petr Lautrbach
b46406de8a
libsemanage: Remove legacy and duplicate symbols
Versioned duplicate symbols cause problems for LTO. These symbols were
introduced during the CIL integration several releases ago and were only
consumed by other SELinux userspace components.

Related: https://github.com/SELinuxProject/selinux/issues/245

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:40 +02:00
Petr Lautrbach
4a142ac46a
libsepol: Bump libsepol.so version
Previous commits removed some symbols and broke ABI, therefore we need to change
SONAME.

See the following quotes from distribution guidelines:

https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

Every time the shared library ABI changes in a way that may break
binaries linked against older versions of the shared library, the SONAME
of the library and the corresponding name for the binary package
containing the runtime shared library should change.

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning

When new versions of the library are released, you should use an ABI
comparison tool to check for ABI differences in the built shared
libraries. If it detects any incompatibilities, bump the n number by
one.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:39 +02:00
Petr Lautrbach
506c7b95b8
libsepol: Drop deprecated functions
These functions were converted to no-op by commit
c3f9492d7f ("selinux: Remove legacy local boolean and user code") and
left in libsepol/src/deprecated_functions.c to preserve API/ABI. As we
change libsepol ABI dropping duplicate symbols it's time to drop these
functions too.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:39 +02:00
Petr Lautrbach
ae58e84b4f
libsepol: Get rid of the old and duplicated symbols
Versioned duplicate symbols cause problems for LTO. These symbols were
introduced during the CIL integration several releases ago and were only
consumed by other SELinux userspace components.

Fixes: https://github.com/SELinuxProject/selinux/issues/245

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-19 22:11:38 +02:00
Nicolas Iooss
c97d63c6b4
libsepol: silence potential NULL pointer dereference warning
When find_avtab_node() is called with key->specified & AVTAB_XPERMS and
xperms=NULL, xperms is being dereferenced. This is detected as a
"NULL pointer dereference issue" by static analyzers.

Even though it does not make much sense to call find_avtab_node() in a
way which triggers the NULL pointer dereference issue, static analyzers
have a hard time with calls such as:

    node = find_avtab_node(handle, avtab, &avkey, cond, NULL);

... where xperms=NULL.

So, make the function report an error instead of crashing.

Here is an example of report from clang's static analyzer:
https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-d86a57.html#EndPath

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-10-19 22:08:44 +02:00
Nicolas Iooss
64387cb373
libsepol: drop confusing BUG_ON macro
Contrary to Linux kernel, BUG_ON() does not halt the execution, in
libsepol/src/services.c. Instead it displays an error message and
continues the execution.

This means that this code does not prevent an out-of-bound write from
happening:

    case CEXPR_AND:
        BUG_ON(sp < 1);
        sp--;
        s[sp] &= s[sp + 1];

Use if(...){BUG();rc=-EINVAL;goto out;} constructions instead, to make
sure that the array access is always in-bound.

This issue has been found using clang's static analyzer:
https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-50a861.html#EndPath

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-10-19 22:08:37 +02:00
Nicolas Iooss
521e6a2f47 libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
When compiling SELinux userspace tools with -ftrapv (this option
generates traps for signed overflow on addition, subtraction,
multiplication operations, instead of silently wrapping around),
semodule crashes when running the tests from
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:

    [root@localhost selinux-testsuite]# make test
    make -C policy load
    make[1]: Entering directory '/root/selinux-testsuite/policy'
    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
    # General policy build
    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
    Compiling targeted test_policy module
    Creating targeted test_policy.pp policy package
    rm tmp/test_policy.mod.fc
    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
    # General policy load
    domain_fd_use --> off
    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
    make[1]: *** [Makefile:174: load] Aborted (core dumped)

Using "coredumpctl gdb" leads to the following strack trace:

    (gdb) bt
    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
    #1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
    #2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
        at ../cil/src/cil_binary.c:1551
    #4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
        at ../cil/src/cil_binary.c:1596
    #5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
        args=0x239a640) at ../cil/src/cil_binary.c:1649
    #6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
        args=0x239a640) at hashtab.c:234
    #7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
        at ../cil/src/cil_binary.c:4969
    #8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
    #9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
        at ../cil/src/cil.c:631
    #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
    #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
    #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753

    (gdb) f 3
    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
        at ../cil/src/cil_binary.c:1551
    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);

A signed integer overflow therefore occurs in XPERM_SETBITS(h):

    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)

This macro is expanded with h=31, so "(1 << 31) - 1" is computed:

* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
  results in 0x7fffffff (which is unsigned)

Using unsigned integers (with "1U") fixes the crash, as
(1U << 31) = 0x80000000U has no overflowing issues.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-15 19:25:05 +02:00
Nicolas Iooss
d23342a9de libselinux: convert matchpathcon to selabel_lookup()
Function matchpathcon() is deprecated in favor of selabel_lookup() but
program "matchpathcon" is much easier to use than "selabel_loopkup" to
find the file context which would be applied to some files and
directories.

More precisely:

    matchpathcon /path/to/my/file

is easier to type and remember than:

    selabel_lookup -b file -k /path/to/my/file

It also allows performing multiple context searches in one command,
where selabel_lookup cannot use multiple -k options.

Migrate matchpathcon to the preferred API.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-10-14 17:57:26 +02:00
Dominick Grift
e8bcdb84dc
cil_network_labeling_statements: fixes nodecon examples
The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet
Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737
Add ipv6 example: https://tools.ietf.org/html/rfc3849

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2020-09-27 12:01:31 +02:00
Dominick Grift
eefa5511dd
cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
allowx requires a equivalent "allow ioctl" rule to be present
auditallowx requires a equivalent "auditallow" ioctl rule to be present
dontauditx requires atleast one equivalent "allowx" rule to be present (can be a random irrelevant ioctlcmd)

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2020-09-26 20:26:07 +02:00
James Carter
a152653b9a libsepol/cil: Fix neverallow checking involving classmaps
When classmaps used in a neverallow were being expanded during CIL
neverallow checking, an empty classmapping in the list of
classmappings for a classmap would cause the classmap expansion to
stop and the rest of the classmapping of the classmap to be ignored.
This would mean that not all of the classes and permissions associated
with the classmap would be used to check for a neverallow violation.

Do not end the expansion of a classmap when one classmapping is empty.

Reported-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-17 16:18:52 -04:00
Chris PeBenito
7ef5b1854f libselinux: Change userspace AVC setenforce and policy load messages to audit format.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-15 17:19:32 -04:00
Chris PeBenito
f5d644c7e6 libselinux: Add additional log callback details in man page for auditing.
Add additional information about the log callback message types.  Indicate
which types could be audited and the relevant audit record types for them.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-15 17:19:32 -04:00
Chris PeBenito
075f9cfe7a libselinux: Fix selabel_lookup() for the root dir.
9e4480b921 ("Remove trailing slash on selabel_file lookups.") introduced
a bug which turns the root directory lookup "/" into an empty string.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-15 09:22:08 -04:00
James Carter
734e4beb55 libsepol/cil: Validate conditional expressions before adding to binary policy
CIL was not correctly determining the depth of conditional expressions
which prevented it from giving an error when the max depth was exceeded.
This allowed invalid policy binaries to be created.

Validate the conditional expression using the same logic that is used
when evaluating a conditional expression. This includes checking the
depth of the expression.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-11 16:28:03 -04:00
James Carter
685f577aa0 libsepol/cil: Validate constraint expressions before adding to binary policy
CIL was not correctly determining the depth of constraint expressions
which prevented it from giving an error when the max depth was exceeded.
This allowed invalid policy binaries with constraint expressions exceeding
the max depth to be created.

Validate the constraint expression using the same logic that is used
when reading the binary policy. This includes checking the depth of the
the expression.

Reported-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-11 16:27:29 -04:00
Dominick Grift
8bc865e1fe newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-04 15:56:38 -04:00
Chris PeBenito
a4149e0eab libselinux: Add new log callback levels for enforcing and policy load notices.
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-31 10:27:46 -04:00
Christian Göttsche
a63f93d83b libselinux: initialize last_policyload in selinux_status_open()
If not initialized to the current policyload count, an enforcing change
will trigger policyload-callbacks in selinux_status_updated().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-31 10:23:51 -04:00
Christian Göttsche
ef902db9c8 libselinux: safely access shared memory in selinux_status_updated()
Access the shared nenory safe in regard to consistent view of the SELinux
kernel status page - not in regard to thread-safety.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-31 10:23:51 -04:00
Chris PeBenito
9e4480b921 libselinux: Remove trailing slash on selabel_file lookups.
Having a trailing slash on a file lookup, e.g. "/some/path/", can
cause a different result, for example,  when file contexts are written to have
the directory have a different label than the contents.  This is inconsistent
with normal Linux behaviors where trailing slashes are ignored.

Many callers already strip the trailing slash before the lookup or users
revise the file contexts to work around this.  This fixes it comprehensively.

v2: fix length issues

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:25:45 -04:00
Christian Göttsche
21fb5f20da libselinux: use full argument specifiers for security_check_context in man page
The argument for security_check_context(_raw) is defined as `const char *`.

Say so in the man page.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:54 -04:00
Christian Göttsche
2a60de8eca sepolgen: sort extended rules like normal ones
Currently:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

Changed:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Christian Göttsche
9e239e5569 sepolgen: print extended permissions in hexadecimal
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.

[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-26 14:21:22 -04:00
Stephen Smalley
e7abd802d4 libselinux: fix build order
We need to install the include files before we try to build the source.
Otherwise, make DESTDIR=~/obj install can fail if there are older
headers under /usr/include.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-17 11:54:16 -04:00
bauen1
ba2d6c1063 fixfiles: correctly restore context of mountpoints
By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.

This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-17 11:54:01 -04:00
Dominick Grift
9e9b810340 secilc/docs: document expandtypeattribute
This was added for Androids Treble in 2017.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: James Carter <jwcart2@gmail.com>
2020-08-17 11:53:47 -04:00
William Roberts
071264c6c4 ci: fix stall on git log -1
git log -1 may use a pager to output long messages, and when the pager
is invoked, leads to stalls on the ci system waiting for user input.
Use --oneline to print the short part of the commit message and
the digest. This information is for debug/informational purposes only,
so truncating the output is sufficient.

Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2020-08-11 17:01:04 -05:00
Mike Palmiotto
05bdc03130 libselinux: use kernel status page by default
Commit bc2a8f418e ("libselinux: add selinux_status_* interfaces for
/selinux/status") introduced the sestatus mechanism, which allows for
mmap()'ing of the kernel status page as a replacement for avc_netlink.

The mechanism was initially intended for userspace object managers that
were calculating access decisions within their application and did not
rely on the libselinux AVC implementation. In order to properly make use
of sestatus within avc_has_perm(), the status mechanism needs to
properly set avc internals during status events; else, avc_enforcing is
never updated upon sestatus changes.

This commit gets rid of the default avc_netlink_open() in
avc_init_internal(), replacing it with selinux_status_open(). In the
event that the kernel status page cannot be mapped, the netlink fallback
will be used. By default, avc_has_perm_noaudit() and
selinux_check_access() will now attempt to read the kernel status page,
which removes a system call from two critical code paths.

Since the AVC thread create/stop callbacks were intended to avoid a
system call in the critical code path, they no longer need to be created
by default. In the event that the kernel status page is successfully
mapped, threads will not be created. Threads will still be
created/stopped for the sestatus fallback codepaths.

Userspace object managers that still need a netlink socket can call
avc_netlink_acquire_fd() to open and/or obtain one.

Update the manpage to reflect the new avc_netlink_acquire_fd()
functionality.

Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-08-11 08:11:40 -04:00
William Roberts
91cc86d44e scripts/ci: license as MIT
License the ci scripts with a permissive, OSI approved license, such as
MIT.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
[omosnace: removed the dummy copyright header from LICENSE]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-07 10:20:10 +02:00
Ondrej Mosnacek
8206b8cb00 libsepol: implement POLICYDB_VERSION_COMP_FTRANS
Implement a new, more space-efficient form of storing filename
transitions in the binary policy. The internal structures have already
been converted to this new representation; this patch just implements
reading/writing an equivalent representation from/to the binary policy.

This new format reduces the size of Fedora policy from 7.6 MB to only
3.3 MB (with policy optimization enabled in both cases). With the
unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-03 08:52:12 -04:00
Ondrej Mosnacek
42ae834a74 libsepol,checkpolicy: optimize storage of filename transitions
In preparation to support a new policy format with a more optimal
representation of filename transition rules, this patch applies an
equivalent change from kernel commit c3a276111ea2 ("selinux: optimize
storage of filename transitions").

See the kernel commit's description [1] for the rationale behind this
representation. This change doesn't bring any measurable difference of
policy build performance (semodule -B) on Fedora.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-08-03 08:52:12 -04:00
Laurent Bigonville
9e2b8c61bf
restorecond: Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
This completely inactivate the .desktop file incase the user session is
managed by systemd as restorecond also provide a service file

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2020-07-21 08:14:57 +02:00
W. Michael Petullo
ccd973f721
python/audit2allow: add #include <limits.h> to sepolgen-ifgen-attr-helper.c
I found that building on OpenWrt/musl failed with:

  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...

Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-07-21 08:14:43 +02:00