Commit Graph

75 Commits

Author SHA1 Message Date
Topi Miettinen
4e1979a66b
gennetfilter: add rules for ICMP/ICMPv6 packets
Generate rules for SECMARKing ICMP and ICMPv6 packets as
icmp_packet_t.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-22 17:03:28 +03:00
Chris PeBenito
1311c7e3b7
Merge pull request #229 from topimiettinen/gennetfilter-nft
gennetfilter: generate nft tables with --nft
2020-04-16 17:19:13 -04:00
Topi Miettinen
758d626ef8 gennetfilter: handle port ranges
Don't ignore port ranges. For example:
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
can be used to generate:
base -A selinux_new_input -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_input -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_output -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0
base -A selinux_new_output -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 17:06:08 -04:00
Topi Miettinen
25f29bcfa4
gennetfilter: generate nft tables with --nft
Optionally generate Netfilter NFT tables. Sample output:

```#!/usr/sbin/nft -f
flush ruleset
table inet security {
        secmark default_input_packet {
                "system_u:object_r:server_packet_t:s0"
        }
        secmark default_output_packet {
                "system_u:object_r:client_packet_t:s0"
        }
        secmark afs_bos_input {
                "system_u:object_r:afs_bos_server_packet_t:s0"
        }
        secmark afs_bos_output {
                "system_u:object_r:afs_bos_client_packet_t:s0"
        }
...
        chain INPUT {
                type filter hook input priority 0; policy accept;
                ct state new meta secmark set "default_input_packet"
                ct state new udp dport 7007 meta secmark set "afs_bos_input"
...
                ct state new ct secmark set meta secmark
                ct state established,related meta secmark set ct secmark
        }
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
                ct state new meta secmark set "default_output_packet"
                ct state new udp dport 7007 meta secmark set "afs_bos_output"
...
                ct state new ct secmark set meta secmark
                ct state established,related meta secmark set ct secmark
        }
}
```

The labels are applied to TCP and/or UDP as needed. MCS and MLS are
not really handled.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 23:46:02 +03:00
Topi Miettinen
fb120dd8df
Python string fix
Use raw string constants to avoid errors from python3.8:
    NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
                         ^
SyntaxError: invalid escape sequence \(

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-16 13:04:30 +03:00
Nicolas Iooss
73f9c0c4ef Vagrant: allow VirtualBox provisionning to use dhclient and ip
When provisioning a Debian test virtual machine with VirtualBox (using
the main Vagrantfile), vagrant runs commands dhclient and ip from a ssh
session because of this directive:

    debian.vm.network "private_network", type: "dhcp"

This triggers:

    type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for
    pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:dhcpc_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749426.820:68):
    proctitle=2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D
    7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661
    722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D
    49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468
    31

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
    pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
    pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749427.868:69):
    proctitle=6970002D34006164647200666C757368006465760065746831006C61
    62656C0065746831

Handle this by adding attribute vagrant_provisioning_cmd_type to the
relevant domains, in the policy module specific to the Vagrant test
environments.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:45:18 +01:00
Nicolas Iooss
7317bd64c0
Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:17:36 +01:00
Chris PeBenito
0bfd1387ac Remove incorrect usages of "is" operator from Python scripts.
Closes #128

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:12:53 -05:00
Chris PeBenito
dffe3df251 fc_sort.py: Use "==" for comparing integers.
"is" is for testing two references are the same object.  The fact that this
worked is specific to the Python implementation.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-08 15:45:27 -04:00
Christian Göttsche
16af31d5a1 re-implement fc_sort in python
fc_sort is the only/last build tool that requires a C compiler

Re-implement it in python, so that gcc dependencies can be dropped

The output of the C and the python version differ slightly in the order of equally specific file contexts

old:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /opt/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
    /usr/.*		system_u:object_r:usr_t
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /run/.*		<<none>>
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t

new:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t
    /opt/.*		system_u:object_r:usr_t
    /run/.*		<<none>>
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /usr/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
2019-10-06 00:11:30 +02:00
Christian Göttsche
67a27c2738 segenxml.py: fix format usage in warning message 2019-10-01 20:38:58 +02:00
Ondrej Mosnacek
cd77bbc1ed Fix find commands in Makefiles
Without this fix, building a custom module in a directory that contains
a file with special characters in its name (e.g. '(') triggers a syntax
error:

$ cat >foo.te <<EOF
module foo 1.0;
require {
	class file entrypoint;
	type shell_exec_t;
	type vmtools_unconfined_t;
}
allow vmtools_unconfined_t shell_exec_t : file entrypoint;
EOF
$ touch "my broken (file)"
$ make -f /usr/share/selinux/devel/Makefile foo.pp
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `find anaconda-ks.cfg my broken (file) vncserver.strace systemd.strace rhel-server-7.6-x86_64-boot.iso rt_minimal.c vnc.cil foo.te rsyslog tmp virt-install.log evil_banner.sh livemedia.log program.log foo.if rhel7-minimal.ks TestZip.java TestZip.class foo.fc sudoloop foo.pp strace.log -maxdepth 0 -type d'

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1692676
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-22 09:00:23 +02:00
Chris PeBenito
0af99256c6 genhomedircon.py: Fix top-level exception handling.
Fixes errors like this:

Traceback (most recent call last):
  File "support/genhomedircon.py", line 490, in <module>
    errorExit("Options Error " + error)
TypeError: Can't convert 'GetoptError' object to str implicitly

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-15 09:41:49 -04:00
David Sugar
8e18a55457 Update CUSTOM_BUILDOPT
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Sven Vermeulen
744482a3e6 Update segenxml to include support for templated booleans and tunables
The segenxml tool is used to generate documentation regarding the policy
definitions. Its output is an XML file that contains the in-line
comments associated with boolean generation as well as interface
definitions.

With booleans also generated inside templates, this information was
(until now) ignored. Templates such as apache's apache_content_template
which created new booleans were not properly documented, as the
in-template comments were ignored.

In this patch, we will go over module code first and seek template
calls. When a template call is matched, the module code is updated
(expanded) with the template content (while substituting the arguments
to get a proper code listing). Only after all templates have been
expanded we seek the necessary boolean definitions.

Changes since v2:
- Fix BOOLEAN statements to match backtick (`) and tick (') usages as
  well
- Fix match for arguments to also include multiple entries ( { ... } )

Changes since v1:
- Also apply the regexp on BOOLEAN to allow generating templated
  boolean/tunable documentation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Sven Vermeulen
9d8bb4eb93 Add gentemplates.sh to extract template content
Some of the templates in the reference policy generate new booleans and
tunables, based on the $1, $2, ... parameters passed on. To allow
segenxml, which generates the necessary documentation on booleans, to
keep track of template-generated booleans as well, we need to allow it
to substitute template calls with the actual template content.

The gentemplates.sh script is a helper script that will extract template
code and store it as files (one file per template). These files are then
later on used by the segenxml tool.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Chris PeBenito
ef6e79a082 Switch all remaining Python references to the Python 3 interpreter. 2018-05-31 17:41:59 -04:00
William Roberts
65620e0f94 fc_sort: use calloc instead of malloc
Rather than using malloc to allocated nodes and setting all the fields,
just use calloc.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-10-18 19:26:36 -07:00
Adam Duskett
6c9cc47e6c fix regex escape sequence error.
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py.  This patch fixes these errors by turning the string
in the into a raw string.
2017-10-10 18:00:30 -04:00
Guido Trentalancia
5490639ac9 fc_sort: memory leakages
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).

Some NULL pointer checks with or without associated error
reporting.

Some white space and comment formatting fixes.

Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).

Reverts 7821eb6f37 as such
trick is no longer needed, given that all memory leakages
have now been fixed.

This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.

For reference, the original issue reported by the Cland
static analyzer is as follows:

support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
            malloc(sizeof(file_context_bucket_t));

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
2017-10-04 19:29:47 -04:00
Luis A. Lozano
cd20f0ba9f Avoid memory leak warning.
Using the LLVM static analyzer, we get a warning about leaked memory
pointed by bcurrent. Since the warning happens within "main" and we
don't care about deallocating the memory and just call "exit" which
gets rid of the warning.
2017-09-05 16:20:44 -07:00
David Sugar
f8a4b8e28b Strip spaces from NAME
Strip trailing space(s) from 'NAME' being read from /etc/selinux/config as a trailing space in that name will cause a weird error during the make process for modules built out of tree.  This is seen on current RedHat machines which have space in the 'SELINUXTYPE' variable.
2017-08-31 21:19:32 -04:00
Guido Trentalancia
89b53fafa9 fc_sort: avoid compiler warning/error
Fix a "-Werror=implicit-fallthrough" compiler warning/error on
the switch statement.

This third version (v3) fixes a bug introduced in the first
version and improves the style over the second version.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
2017-06-07 19:13:28 -04:00
Daniel Jurgens
25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Nicolas Iooss
82e7e4e638
Use raw strings in regular expressions
Python 3.6 complains about the strings which are used as regular
expression in the support scripts:

    File "support/segenxml.py", line 37
        INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
                              ^
    SyntaxError: invalid escape sequence \s
2017-04-08 12:29:07 +02:00
cgzones
33fd9ae139 fix travis and genhomedircon 2017-03-18 18:38:20 +01:00
cgzones
3b3e6f75d3 travis: run make xml, html and install(-.*)? targets 2017-03-18 15:35:15 +01:00
cgzones
82b0a6d4d5 convert build scripts to python3 2017-03-15 02:09:20 +01:00
cgzones
d3462090d5 m4 errprint: add __program__ info 2017-03-08 17:16:27 +01:00
Chris PeBenito
4c16ca2d66 Only display the WERROR notice if there actually are errors. 2017-02-18 13:59:33 -05:00
Chris PeBenito
dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
cgzones
d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Chris PeBenito
2035047958 Merge pull request #43 from williamcroberts/google-patch
fc_sort: cleanup warnings caught by clang tidy / static analyzer.
2016-10-19 18:37:25 -04:00
Rahul Chaudhry
0412d1ace4 fc_sort: cleanup warnings caught by clang tidy / static analyzer.
Value stored to 'i' is never read.
Variable 'j' is never used.
2016-10-19 13:29:20 -07:00
Sean Placchetti
71f96eb3c4 Update specfile
Minor tweaks to specfile
2016-10-17 07:37:51 -04:00
Sean Placchetti
502463589e Update to refpolicy spec file
Missing forwardslash
2016-10-11 15:35:07 -04:00
William Roberts
cb4491c19e fc_sort: strip whitespace errors
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-07 08:41:32 -08:00
Chris PeBenito
bf0cfe940a Add systemd build option. 2015-10-20 15:01:23 -04:00
Nicolas Iooss
ad2d828797 Create tmp directory when compiling a .mod.fc file in a modular way
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.

Add the missing command to create tmp/ when running tmp/%.mod.fc target.

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
2014-12-02 09:26:54 -05:00
Chris PeBenito
5b2a2998b8 Need the __future__ import for python2 if using print(). 2014-05-13 09:39:00 -04:00
Nicolas Iooss
1c8c76c927 Make support/policyvers.py compatible with Python 3
Add parenthesis around print statement, like in other Python scripts.
2014-05-13 08:18:46 -04:00
Nicolas Iooss
aa3fa6d2fd fc_sort: make outfile argument optional
When working on fc_sort to try to understand why using /usr/s?bin/... file
contexts has been reported not to work properly [1], I found it frustrating not
to be able to do "tmp/fc_sort my_filecontexts.fc" and see the result printed on
the screen.  This patch implements this behavior by making optional the second
argument of fc_sort.

[1] commit 36e2216f8 of contrib repository,
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f82192660d063012e69281f27ba20864b
2014-04-04 15:50:57 -04:00
Nicolas Iooss
572c617c91 fc_sort: initialize allocated memory to fix execution on an empty file
When running fc_sort on an empty context file, this program uses uninitialized
pointers when accessing to the elements of a list.  On my system, it goes in a
very long loop (maybe infinite) because uninitialized fields in malloc'ed
structures happen to contain valid pointers in the heap.

This patch fixes this bug by initializing ->next and ->data fields before they
may be read.
2014-04-04 15:47:36 -04:00
Nicolas Iooss
eedc944a54 fc_sort: fix typos in comments 2014-04-04 15:47:36 -04:00
Chris PeBenito
0656a81019 Fix support/policyvers.py not to error if building policy on a SELinux-disabled system. 2013-09-23 14:26:32 -04:00
Chris PeBenito
3bf7fd504c Use python libselinux bindings to determine policy version.
This eliminates the hardcoded /selinux in Rules.monolithic, which
broke when the filesystem mount was moved to /sys/fs/selinux.
2013-06-06 09:27:40 -04:00
Chris PeBenito
c87f945a5a Fix fc_sort.c warning uncovered by recent gcc
output_name in main was set to argv[2] but then argv[2] rather than
output_name was used later in the function.
2013-02-26 09:16:49 -05:00
Sven Vermeulen
afeb8c4cb9 Refactoring code to support python3
This patch includes the necessary refactoring to support python 3.

Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-06-26 09:08:48 -04:00
Harry Ciao
46acfdd455 Move role declarations to the top of base.conf
system_r is required by the policy_module macro, which however will
be expanded as empty if the module is built into base.pp. system_r
is defined in the kernel.te, its definition should be moved to the
top of base.conf so that other modules copied earlier into base.conf
than kernel.te could reference system_r in their unconditional block
properly.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2012-02-29 12:08:22 -05:00
Chris PeBenito
d1af485661 Remove rolemap and per-role template support.
This support was deprecated and unused in Reference Policy November 5 2008.
2011-10-14 08:52:21 -04:00