Commit Graph

127 Commits

Author SHA1 Message Date
Stephen Smalley
678ec5df79 Fix expand logic for policy versions older than 24.
This was broken for older policy versions when we updated to
version 24.

Broken by commit 787f2f00f5d8ed6f5f.

Change-Id: I4063334c5c0462ef5c3706611c7dff5c60c612aa
Reported-by: William Roberts <bill.c.roberts@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-12-03 09:49:22 -05:00
Stephen Smalley
9da070f700 libsepol: Report all neverallow violations.
Switch libsepol check_assertions() from only reporting the first violation
to reporting them all.

Change-Id: I45b3502ff96b1d093574e1fecff93a582f8d00bd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 09:49:13 -05:00
Steve Lawrence
07e75a9cc7 Bump to release candidate 6 2014-11-12 08:30:15 -05:00
Steve Lawrence
d1db56c52b Bump to release candidate 5 2014-10-29 11:01:03 -04:00
Steve Lawrence
71393a181d libselinux: libsepol: use ln --relative to create .so symlinks
The current build system assumes SHLIBDIR is ../../ relative to LIBDIR.
However, this isn't always the case. For example, Arch Linux sets both
LIBDIR and SHLIBDIR to /usr/lib, which results in broken symlinks.

Instead of making that assumption, create .so symlinks using ln
--relative so that the correct relative paths are used. Note that this
adds a dependency for the build system to use coretuils-8.16 or later.

Fixes #2

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-22 08:25:44 -04:00
Steve Lawrence
6280387034 Bump to release candidate 4 2014-10-06 15:03:24 -04:00
Steve Lawrence
450a3ea216 Merge commit '847aa150e30e6147c28ed9807fae4dc232b5a8fe' 2014-10-06 14:55:04 -04:00
Steve Lawrence
ff5bbe6dcf Bump VERSION/ChangeLog for release candidate 3
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 10:16:34 -04:00
Steve Lawrence
bbbd58e125 Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge 2014-10-02 10:07:00 -04:00
Nicolas Iooss
44035fcab4 libsepol/tests: fix gcc -Warray-bounds warning
test-linker-roles.c: In function 'module_role_tests':
  test-linker-roles.c:147:7: error: array subscript is above array bounds
  [-Werror=array-bounds]
    decls[2] = (test_find_decl_by_sym(base, SYM_TYPES,"tag_g_m2"))->decl_id;
         ^

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:45 -04:00
Nicolas Iooss
14c0564641 libsepol: fix most gcc -Wwrite-strings warnings
gcc puts literal strings lie in read-only memory.  On x86_64, trying to
write to them triggers a segmentation fault.

To detect such issues at build time, variables holding a pointer to such
strings should be "const char*".  "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.

Remove gcc warnings by adding const to local variables and argumens of
internal functions.

This does *not* fix this warning:

  policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
    return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
            ^
  In file included from ../include/sepol/policydb/symtab.h:16:0,
                   from ../include/sepol/policydb/policydb.h:60,
                   from policydb_public.c:4:
  ../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
  extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
                         ^

Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:15 -04:00
Nicolas Iooss
278ae562d6 libsepol: fix potential free of uninitialized pointer
When using "gcc -O2 -Wall -Werror" to compile libsepol, the following
error happens:

  services.c: In function 'constraint_expr_eval_reason':
  services.c:820:2: error: 'answer_list' may be used uninitialized in this
  function [-Werror=maybe-uninitialized]
    free(answer_list);
    ^

Indeed, because of a goto statement in constraint_expr_eval_reason
function, "free(answer_list)" can be called before answer_list has been
initialized.

Fix this error by moving the definition of answer_list to the beginning
of constraint_expr_eval_reason.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:53:19 -04:00
Steve Lawrence
213c3189d0 Bump versions for r2
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-27 11:47:04 -04:00
Steve Lawrence
8f9d3a7c95 Fix typos in ChangeLog and Versions 2014-08-26 14:20:48 -04:00
Steve Lawrence
79fd2d06ab Bump versions and update ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 09:48:54 -04:00
Steve Lawrence
416f150f1a libsepol: build cil into libsepol
Set DISABLE_CIL=y to build libsepol without CIL support, e.g

    make DISABLE_CIL=y

To enable CIL support in libsepol, set DISABLE_CIL=n. This is the default
if not specified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:03:31 -04:00
Steve Lawrence
bb0f8beff8 Merge commit 'b19eafb97feb6389d78e1693f276fc5b10e25bd6' as 'libsepol/cil' 2014-08-26 08:02:58 -04:00
Steve Lawrence
44a65ed816 libsepol: add function to libsepol for setting target_platform
With pp modules, the target platform information comes form the base
module. However, CIL modules have no concept of target platform.  So it
must come from somewhere else. This adds an API function that allows
setting the target platform.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 08:02:16 -04:00
Stephen Smalley
1e6482134b Bump version and update ChangeLog for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-06 13:30:27 -04:00
Stephen Smalley
9e746d6a69 Improve error message for name-based transition conflicts.
Quote the component name.
Reorder the arguments to more closely align with the rule syntax.
Use a more descriptive text that will more clearly correspond to the original rule.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-16 14:17:39 -04:00
Stephen Smalley
e910cf6e62 Revert "libsepol: filename_trans: use some better sorting to compare and merge"
This change was incorrect and can yield duplicate file name transition rules.
Revert it and look at converting the filename_trans list to a hashtab
as has already been done in the kernel in the future.

This reverts commit a29f6820c5.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-15 14:38:59 -04:00
Stephen Smalley
35b3c259a7 2.3-rc1 (release candidate 1).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-25 13:24:44 -04:00
Stephen Smalley
a80a48cb19 Fix for binary policy modules.
They do not retain the neverallow source information so we must
not assume that source_filename is set.  Either need a new binary
module format if we want to propagate this information for modular
builds or get rid of binary modules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 14:28:32 -04:00
Stephen Smalley
84c9c828a0 Update ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 15:05:09 -04:00
Stephen Smalley
ef24ade029 Report source file and line information for neverallow failures.
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-24 14:58:58 -04:00
Stephen Smalley
534f5a74bb Update libsepol and checkpolicy ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-06 09:35:58 -05:00
Richard Haines
733ea08147 libsepol: Fix valgrind errors in constraint_expr_eval_reason
Running valgrind flagged up three "definitely lost" malloc/realloc errors
when checking constraints.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-11-06 09:31:48 -05:00
Richard Haines
e1551b91af libsepol: Add sepol_validate_transition_reason_buffer function
This will return mls/validatetrans constraint information for each
expression in a buffer. If POLICY_KERN version is >=
POLICYDB_VERSION_CONSTRAINT_NAMES then the policy defined types/attributes
will be returned.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-11-06 09:31:28 -05:00
Stephen Smalley
0135eaa24f Cosmetic: Fix libsepol ChangeLog dates from 2012.
Someone didn't know what year it was when they made those changes.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 09:40:00 -04:00
Stephen Smalley
7c4bb77999 Version bump for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-30 12:45:19 -04:00
Stephen Smalley
8e5d465335 Update ChangeLog files.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-30 12:42:05 -04:00
Dan Walsh
4bc2cd49d4 Update version of policy file to match what was shipped since Fedora 19 2013-10-29 11:43:02 -04:00
Richard Haines
9eefe11b3a libsepol: V1 Allow constraint denials to be determined.
Adds policy source defined 'type' or 'typeattribute' names to
constraints by adding additional structures (->type_names->types) to a
binary policy.
Before this change all typeattributes were expanded to lists of types
and added to the constraint under ->names. This made it difficult for
system admins to determine from the policy source what attribute
needed to be updated. To facilitate analysis of constraint failures
a new function has also been added, see sepol_compute_av_reason_buffer.

As additional structures have been added to policy, the policy version
is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a
corresponding kernel patch to handle the additional structures.

sepol_compute_av_reason_buffer is an extended version of
sepol_compute_av_reason. This will return a buffer with constraint
expression information, containing the constrain type, class, perms,
keywords etc.. It will also contain which constraint expr failed plus
the final outcome. The buffer MUST be free'd with free(3).

The type information output by sepol_compute_av_reason_buffer depends on
the policy version:
If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
whatever was in the original policy (type or attribute names).
If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
the types listed in the constraint (as no attribute information is
available in these versions).
For users and roles whatever policy version, only the names are listed
(as role attributes are not currently held in the constraint).

Also added are two functions that obtain the class and permissions
from a binary policy file that has been loaded for testing:
sepol_string_to_security_class
sepol_string_to_av_perm

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-10-29 08:49:51 -04:00
Stephen Smalley
a08010023b Update ChangeLogs and bump VERSIONs to an intermediate value.
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version.  Switching to 2-component versions.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-25 15:14:23 -04:00
Stephen Smalley
56258807ea Revert "Richard Haines patch that allows us discover constraint violation information"
This reverts commit 56b49ab711.

Conflicts:
	libselinux/src/audit2why.c
2013-10-25 13:53:03 -04:00
Stephen Smalley
8b71d70b55 Add separate role declarations as required by modern checkpolicy.
Sadly, make test still fails on some tests.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-25 12:08:23 -04:00
Dan Walsh
3b44fe10e5 Patch from Sven Vermeulen to use RANLIB.
This will allow users to specify alternal ranlib commands.
2013-10-24 13:58:41 -04:00
Dan Walsh
2540b20096 Laurent Bigonville patch to fix various minor manpage issues and correct section numbering. 2013-10-24 13:58:37 -04:00
Dan Walsh
a8b3340288 Laurent Bigonville patch to allow overriding PATH Definitions in Makefiles 2013-10-24 13:58:37 -04:00
Dan Walsh
56b49ab711 Richard Haines patch that allows us discover constraint violation information
Basically we need this information to allow audit2allow/audit2why to better
describe which constraint is being broken.
2013-10-24 13:58:37 -04:00
Eric Paris
e9410c9b06 VERSION BUMP FOR UPSTREAM PUSH 2013-02-05 20:22:02 -05:00
Alice Chu
92788715dc libsepol: Fix memory leak issues found by Klocwork
Signed-off-by: Eric Paris <eparis@redhat.com>
2013-02-05 20:14:50 -05:00
Eric Paris
693f5241fd checkpolicy: libsepol: implement default type policy syntax
We currently have a mechanism in which the default user, role, and range
can be picked up from the source or the target object.  This implements
the same thing for types.  The kernel will override this with type
transition rules and similar.  This is just the default if nothing
specific is given.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:46 -05:00
Eric Paris
afe88d8c69 libsepol: coverity fixes
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:45 -05:00
Adam Tkac
a29f6820c5 libsepol: filename_trans: use some better sorting to compare and merge
The expand_filename_trans() function consumed vast majority of time by comparsion
of two lists with dumb algorithm with O(n^2) complexity.

Now it chunks one list by it's filename_trans->stype value to limit length of
elements which needs to be walked when comparing filename_trans_t element with
this chunked list.

This change speeds-up se* commands by 80%.

Signed-off-by: Adam Tkac <atkac@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-01 12:08:56 -05:00
Eric Paris
8638197342 Version bumps for upstream push 2012-09-13 10:33:58 -04:00
Harry Ciao
2ef297d4c8 libsepol: role_fix_callback skips out-of-scope roles during expansion.
If a role identifier is out of scope it would be skipped over during
expansion, accordingly, be it a role attribute, it should be skipped
over as well when role_fix_callback tries to propagate its capability
to all its sub-roles.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 21:15:52 -04:00
Chris PeBenito
01723ac2ce libsepol: Add always_check_network policy capability
Currently the packet class in SELinux is not checked if there are no
SECMARK rules in the security or mangle netfilter tables.  Similarly, the
peer class is not checked if there is no NetLabel or labeled IPSEC.  Some
systems prefer that these classes are always checked, for example, to
protect the system should the netfilter rules fail to load or if the
nefilter rules were maliciously flushed.

Add the always_check_network policy capability which, when enabled, treats
these mechanisms as enabled, even if there are no labeling rules.

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 14:30:24 -04:00
Chris PeBenito
1f3bca77e0 libsepol: check for missing initial SID labeling statement.
If an initial SID is missing a labeling statement, the compiler will
segfault when trying to copy the context during expand.  Check for this
situation to handle it gracefully.

This fixes ocontext_copy_selinux() and ocontext_copy_xen().

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 14:30:23 -04:00
Chris PeBenito
e26b58b08e libsepol: Move context_copy() after switch block in ocontext_copy_*().
If an initial SID is missing a labeling statement, the compiler will
segfault on the context_copy().  Move the context copy after the
switch block so that the existance of the initial SID label can be checked
before trying to copy the context.

This fixes both ocontext_copy_selinux() and ocontext_copy_xen().

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 14:30:23 -04:00