Commit Graph

2044 Commits

Author SHA1 Message Date
Vit Mojzis
718bc4bcdf python/sepolicy: fix obtaining domain name in HTMLManPages
HTMLManPages got domain name by splitting name of selinux manpage
on "_selinux" which doesn't work properly when domain name contains
"_selinux".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-03-10 15:47:27 -05:00
Nicolas Iooss
cd20f9c257 policycoreutils: add noreturn attribute to usage()
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:43 -05:00
Nicolas Iooss
28a6a560fa semodule-utils: add noreturn attribute to usage()
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:39 -05:00
Nicolas Iooss
2f8926f755 mcstrans: add noreturn attribute to usage()
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:35 -05:00
Nicolas Iooss
840a7c9180 secilc: add noreturn attribute to usage()
While at it, make usage() static and mark its argument as const.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:30 -05:00
Nicolas Iooss
ef61dd7d4b checkpolicy: add noreturn attribute to usage()
While at it, make usage() static and mark its argument as const.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:25 -05:00
Nicolas Iooss
e720859f57 restorecond: add noreturn attribute to exitApp()
This makes it possible for static analyzers such as clang's one to
understand that strings_list_add() cannot dereference a NULL pointer in
the following code:

    if (!newptr)
        exitApp("Out of Memory");
    newptr->string = strdup(string);

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:16 -05:00
Stephen Smalley
43b24f0132 libsepol: Define cgroup_seclabel policy capability
Define the new cgroup_seclabel policy capability used to
enable userspace setting of security labels on cgroup files
via setfscreatecon() aka /proc/self/attr/fscreate and/or
setfilecon() aka setxattr().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-03-02 12:39:13 -05:00
Nicolas Iooss
ded385d377 libselinux: initialize temp value in SWIG wrapper to prevent freeing garbage
Currently this Python program triggers a segmentation fault in
libselinux SWIG wrapper:

    import selinux
    selinux.get_ordered_context_list()

gdb shows that the segmentation fault occurs when freeing some memory:

    Reading symbols from python...(no debugging symbols found)...done.
    Starting program: /usr/bin/python -c import\
    selinux\;selinux.get_ordered_context_list\(\)
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/usr/lib/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    (gdb) bt
    #0  0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    #1  0x00007ffff6011499 in freeconary (con=0x7ffff6ac5d00) at
    freeconary.c:14
    #2  0x00007ffff6296899 in _wrap_get_ordered_context_list
    (self=<optimized out>, args=<optimized out>) at
    selinuxswig_wrap.c:6185
    #3  0x00007ffff741891f in _PyCFunction_FastCallDict () from
    /usr/lib/libpython3.6m.so.1.0
    ...

SWIG generated the following code for _wrap_get_ordered_context_list():

    char ***arg3 = (char ***) 0 ;
    char **temp3 ;
    arg3 = &temp3;
    if (!PyArg_ParseTuple(args, "OO:get_ordered_context_list",&obj0,&obj1))
        SWIG_fail;
    /* ... */
  fail:
    if (*arg3) freeconary(*arg3);

If PyArg_ParseTuple fails, freeconary() is called on the value of
"temp3", which has not been initialized. Fix this by initializing temp
to NULL in the SWIG template.

A similar issue exists with security_get_boolean_names(). Fix it too.

This issue has been found using clang's static analyzer, on a system
which uses SWIG 3.0.12.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:45 -05:00
Nicolas Iooss
6305bfbc00 mcstrans: do not dereference color_str if it is NULL
This bug has been found using clang static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:39 -05:00
Nicolas Iooss
ccfbd9aa17 libsemanage/tests: include libsepol headers from $DESTDIR
When building and running tests on a system without SELinux with a
command similar to "make DESTDIR=/tmp/destdir install test", libsemanage
tests fail to build with the following error:

    In file included from utilities.h:20:0,
                     from utilities.c:24:
    ../src/handle.h:29:26: fatal error: sepol/handle.h: No such file or
    directory
     #include <sepol/handle.h>
                              ^

Fix this by adding the newly-installed directory under $DESTDIR (using
variable $PREFIX) in the search paths of the compiler.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:34 -05:00
Nicolas Iooss
4176a29235 libsemanage: never call memcpy with a NULL value
clang's static analyzer reports "Argument with 'nonnull' attribute
passed null" in append_str(), because argument t may be NULL but is used
in a call to memcpy().

Make append_str() do nothing when called with t=NULL.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:28 -05:00
Nicolas Iooss
ddaf0afec7 libsepol/cil: do not dereference args before checking it was not null
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:23 -05:00
Nicolas Iooss
3228889620 semodule_package: do not leak memory when using -u or -s
When using -u and -s options, semodule_package's main() allocates
user_extra and seusers to hold the argument values. These allocated
memory blocks are not freed when main() exits, which leads gcc's Address
Sanitizer to report a memory leak. This occurs for example when building
refpolicy base.pp module.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-01 10:42:16 -05:00
Vit Mojzis
ed51e23f15 sepolgen: strip non-printable characters when parsing audit messages
Strip the following characters
\x1c	File Separator
\x1d	Group Separator
\x1e	Record Separator
\x85	Next Line (C1 Control Code)
from audit message fields to make sure they are not evaluated
as part of some identifier (eg. ausearch used insert \x1d into
--raw output resulting in "unrecognized class" error messages).

This is done as part of str.split() in python3.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1406328
2017-02-21 13:43:09 -05:00
Nicolas Iooss
1cd3e1a40a libselinux, libsemanage: make PYPREFIX computation more robust
On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).

Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).

In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.

Moreover update Travis-Ci configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:42:52 -05:00
James Carter
a2d40aaeba libsepol/cil: Move initialization of bitmap in __cil_permx_to_bitmap()
Nicolas Iooss reports:
  When __cil_permx_to_bitmap() calls __cil_permx_str_to_int() on an
  invalid number, local variablt "bitmap" is left initialized when
  the function returns and its memory is leaked.

  This memory leak has been found by running clang's Address Sanitizer
  on a set of policies generated by American Fuzzy Lop.

Move the initialization of bitmap to right before ebitmap_set_bit()
and after the call to __cil_permx_str_to_int().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-21 13:11:15 -05:00
Nicolas Iooss
95e5c103f3 libsepol/cil: free bitmaps in cil_level_equals()
cil_level_equals() builds two bitmap and compare them but does not
destroy them before returning the result.

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated by American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:09:49 -05:00
Nicolas Iooss
9feaf0380d libsepol/cil: do not leak left-hand side of an invalid constraint
__cil_fill_constraint_expr() does not destroy the list associated with
the first operand of a two-operand operation when the second operand is
invalid.

This memory leak can be reproduced with the following policy:

    (constrain (files (read))
        (not (or (and (eq t1 exec_t) (%q t2 bin_t)) (eq r1 r2))))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated from secilc/test/policy.cil by American
Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:09:44 -05:00
Nicolas Iooss
602385d70c libsepol/cil: free the first operand if the second one is invalid
When __cil_expr_to_bitmap() fails to parse the second operand of an
operation with two operands, it returns an error without destroying the
bitmap which has been created for the first operand. Fix this memory
leak.

This has been tested with the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (permissionx ioctl_test (ioctl CLASS
        (and (range 0x1600 0x19FF) (.ot (range 0x1750 0x175F)))))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated from secilc/test/policy.cil by American
Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:09:39 -05:00
Nicolas Iooss
7fe9a7be31 libsepol/cil: use __cil_ordered_lists_destroy() to free unordered_classorder_lists
In cil_resolve_ast, unordered_classorder_lists is a list of
cil_ordered_list. It needs to be destroyed with
__cil_ordered_lists_destroy() to free all associated memory.

This has been tested with the following policy:

    (class CLASS1 ())
    (class CLASS2 ())
    (classorder (unordered CLASS1))
    (classorder (CLASS2))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated by American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:09:22 -05:00
James Carter
9edcf28a04 libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST
CIL uses separate cil_tree_node stacks for optionals and blocks to
check for statements not allowed in optionals or blocks and to know
which optional to disable when necessary. But these stacks were not
being destroyed when exiting cil_resolve_ast(). This is not a problem
normally because the stacks will be empty, but this is not the case
when exiting with an error.

Destroy both tree node stacks when exiting to ensure that they are
empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-17 10:53:52 -05:00
Nicolas Iooss
c9adfe2d26 Introduce Travis-CI tests
Add a configuration file for https://travis-ci.org/. This continuous
integration platform can build the project for several configurations on
Linux, using different compilers, linkers, Python versions and Ruby
versions. An example of build results is available on
https://travis-ci.org/fishilico/selinux/builds/185912863

Even if the SELinux userland libraries and tools project does not enable
Travis-CI integration, the .travis.yml file may be helpful for
contributors who wish to run tests in several configurations.

Current limitations:

- It does not run an OS X build. Travis-CI provides free OS X
  environments but it is quite difficult to configure a single
  .travis.yml file which defines many Linux environments and some OS X
  ones.
- It only runs Ubuntu 14.04 with an x86-64 CPU. This does not test
  Android, ARM nor 32-bit x86 configurations.
- It only builds with glibc, not musl or other light C library.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-08 10:48:53 -05:00
Nicolas Iooss
eeafde1351 libsepol/cil: fix type confusion in cil_copy_ast
When running secilc on the following CIL file, the program tries to free
the data associated with type X using cil_destroy_typeattribute():

    (macro sys_obj_type ((user ARG1)) (typeattribute X))

    (block B
        (type X)
        (call sys_obj_type (Y))
    )

By adding some printf statements to cil_typeattribute_init(),
cil_type_init() and cil_destroy_typeattribute(), the error message I get
when using gcc's address sanitizer is:

$ secilc -o /dev/null -f /dev/null test.cil -vvvvvv
creating TYPE 0x60400000dfd0
Parsing 2017-02-02_crashing_nulptrderef_cil.cil
Building AST from Parse Tree
creating TYPEATTR 0x60600000e420
creating TYPE 0x60400000df50
Destroying Parse Tree
Resolving AST
Failed to resolve call statement at 2017-02-02_crashing_nulptrderef_cil.cil:5
Problem at 2017-02-02_crashing_nulptrderef_cil.cil:5
Pass 8 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
Destroying TYPEATTR 0x60600000e420, types (nil) name X
Destroying TYPEATTR 0x60400000df50, types 0xbebebebe00000000 name X
ASAN:DEADLYSIGNAL
=================================================================
==30684==ERROR: AddressSanitizer: SEGV on unknown address
0x000000000000 (pc 0x7fc0539d114a bp 0x7ffc1fbcb300 sp
0x7ffc1fbcb2f0 T0)
    #0 0x7fc0539d1149 in ebitmap_destroy /usr/src/selinux/libsepol/src/ebitmap.c:356
    #1 0x7fc053b96201 in cil_destroy_typeattribute ../cil/src/cil_build_ast.c:2370
    #2 0x7fc053b42ea4 in cil_destroy_data ../cil/src/cil.c:616
    #3 0x7fc053c595bf in cil_tree_node_destroy ../cil/src/cil_tree.c:235
    #4 0x7fc053c59819 in cil_tree_children_destroy ../cil/src/cil_tree.c:201
    #5 0x7fc053c59958 in cil_tree_subtree_destroy ../cil/src/cil_tree.c:172
    #6 0x7fc053c59a27 in cil_tree_destroy ../cil/src/cil_tree.c:165
    #7 0x7fc053b44fd7 in cil_db_destroy ../cil/src/cil.c:299
    #8 0x4026a1 in main /usr/src/selinux/secilc/secilc.c:335
    #9 0x7fc0535e5290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #10 0x403af9 in _start (/usr/src/selinux/DESTDIR/usr/bin/secilc+0x403af9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/selinux/libsepol/src/ebitmap.c:356 in ebitmap_destroy
==30684==ABORTING

When copying the AST tree in cil_resolve_call1(),
__cil_copy_node_helper() calls cil_copy_typeattribute() to grab type X
in the symbol table of block B, and creates a node with the data of X
but with CIL_TYPEATTRIBUTE flavor.

This example is a "type confusion" bug between cil_type and
cil_typeattribute structures. It can be generalized to any couple of
structures sharing the same symbol table (an easy way of finding other
couples is by reading the code of cil_flavor_to_symtab_index()).

Fix this issue in a "generic" way in __cil_copy_node_helper(), by
verifying that the flavor of the found data is the same as expected and
triggering an error when it is not.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-08 10:48:40 -05:00
James Carter
1f312a9247 policycoreutils/semodule: fix -Wwrite-strings warnings
Nicolass Iooss reports that when building with "clang -Wwrite-strings",
the compiler complains about initializing the char* array
genhomedirconargv with literal strings.

Make genhomedirconargv an array of pointers to const char and cast it
as non-const when assigning it to argv.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-06 11:06:42 -05:00
Nicolas Iooss
68a4203f87 libsemanage/tests: fix -Wwrite-strings warnings
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:06:10 -05:00
Nicolas Iooss
c33fd02db5 libsepol/tests: fix -Wwrite-strings warnings
Since fd9e5ef7b7 ("libsepol: use constant keys in hashtab functions")
it is possible to call hashtab_search() with a const char* key value.
Doing so fixes compiler warnings about non-const char* string literals
(-Wwrite-strings flag).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:06:04 -05:00
Nicolas Iooss
9c770fe87e semodule_deps: hide -Wwrite-strings warnings
generate_requires() may use a non-freable strings, BASE_NAME, as key in
a hashtable. The compiler complains about this small abuse of
hashtab_insert() interface (because its argument key is char* without
"const"). Nevertheless this is all right because the hashtab keys are
never freed directly (this behavior is documented in a comment in
free_requires()).

Therefore, hide the compiler warning by casting BASE_NAME to char*.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:59 -05:00
Nicolas Iooss
0df0b25d95 mcstrans: fix -Wwrite-strings warnings
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:52 -05:00
Nicolas Iooss
2f94ac47d5 policycoreutils/hll/pp: fix -Wwrite-strings warnings
In main(), variable ifile can be made const char*. While at it, make
ofile const char* too.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:42 -05:00
Nicolas Iooss
a51b30ae23 libsemanage: make lang_ext parameter const in semanage_direct_write_langext()
When building with "clang -Wwrite-strings", the compiler reports the
following warnings:

    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^
    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:38 -05:00
Nicolas Iooss
d6b5b037f9 libsepol: fix -Wwrite-strings warnings
When compiling with -Wwrite-strings, clang reports some warnings like:

    module_to_cil.c:784:13: error: assigning to 'char *' from 'const
    char [5]' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    statement = "type";
                              ^ ~~~~~~
    module_to_cil.c:787:13: error: assigning to 'char *' from 'const
    char [5]' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    statement = "role";
                              ^ ~~~~~~

Add a const type attribute to local variables which only handle constant
strings.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:33 -05:00
James Carter
192153db43 checkpolicy: Make print_error_msg() static
The function print_error_msg() in module_compiler.c is not called
externally, so make it static.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-06 11:01:32 -05:00
James Carter
5d56c2679d checkpolicy: Remove uneeded return check in require_symbol()
Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the uneeded check.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
8adbd615c1 libsepol: Return +1 when declaration is followed by a require
A check is made in symtab_insert() for the case when an identifier
had already been declared and was now being required. This meant
that a declaration followed by a require was treated differently
from a require followed by a declaration.

Remove that check and treat both cases the same (which means
returning +1).

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
b6f3e0086f checkpolicy: Improve check for identifier flavor mismatch
An identifier flavor mismatch occurs when an identifier is
declared or required as a regular role or type in one place but as
an attribute in another place.

Currently there is only a check for an identifier flavor mismatch
when a type has already been declared and there is a require of
the same type in the same scope. There are no checks if the require
comes first and there are no checks for roles.

Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
d676e7ce3c checkpolicy: Move common require and declare code into new function
Move common code from declare_symbol() and require_symbol() to a new
function named create_symbol().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:24 -05:00
James Carter
a7a0678999 checkpolicy: Cleanup error messages
Add the new function print_error_msg() to print an error message
based on the local error number and symbol_type. Remove the
duplicate switch statements used throughout module_complier.c
to display error messages.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:28 -05:00
James Carter
a141c0d19f checkpolicy: Create common function for user declares and requires
Move common code out of declare_user() and require_user() into the
new function create_user().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:21 -05:00
James Carter
bd05768057 checkpolicy: Create common function for role declares and requires
Move common code out of declare_role() and require_role_or_attribute()
    into the new function create_role().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:54:05 -05:00
James Carter
daaaf28bfb checkpolicy: Create common function for type declares and requires
Move common code out of declare_type() and require_type_or_attribute()
into the new function create_type().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:53:23 -05:00
Stephen Smalley
cfea39714c policycoreutils: remove deprecated -o option from fixfiles verify
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-27 09:53:30 -05:00
Richard Haines
454768f56d setfiles: Fix setfiles progress indicator
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.

The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%

Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.

The documentation has also been updated to reflect these changes.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-01-27 09:39:22 -05:00
Lokesh Mandvekar
b9213c7f1a libselinux: selinux_restorecon.3 man page typo fix
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-25 15:51:45 -05:00
Steve Lawrence
1ef665cb92 libsepol: fix pp module to cil nodecon statement
Policy modules do not have the concept of named IP addresses like CIL
does. So when converting nodecode statements from pp policy modules to
CIL, we need to wrap the IP address and mask parameters in parentheses
so that the CIL compiler does not try to resolve them as named
addresses, but instead treats them as anonymous.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2017-01-25 14:47:16 -05:00
Thomas Petazzoni
05abcb1d13 libselinux/src/regex.c: support old compilers for the endian check
libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__
to determine the system endianness. Unfortunately, this definition
provided directly by the compiler doesn't exist in older gcc versions
such as gcc 4.4.

In order to address this, this commit extends the logic to use
<endian.h> definitions if __BYTE_ORDER__ is not provided by the
compiler. This allows libselinux to build properly with gcc 4.4.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-01-25 09:18:16 -05:00
Stephen Smalley
b88c4a4707 libselinux: disable filespec hash table stats on non-debug builds
Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-24 14:45:24 -05:00
Stephen Smalley
bd4ffeb435 policycoreutils/setfiles: set up a logging callback for libselinux
Define a logging callback for libselinux so that any informational
or error messages generated by libselinux functions are properly
prefixed with the program name and routed to the proper output stream.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-24 14:38:40 -05:00
Alan Jenkins
ac7899fc3a policycoreutils: let output of fixfiles be redirected (as normal)
fixfiles was redirecting log output to `tty`.  This overrides user intent
e.g. when shell redirection is used.

Redirect it to stdout, using /proc.  `tty` equally depended on /proc.
We do not depend on /dev/stdout: it might not be present, if a rescue
system is booted with devtmpfs (no udev daemon).

By default, log messages were redirected into the void when not run from a
tty.  We consider this a bug, which is now fixed.

1. If calling scripts happen to require the old behaviour, they can easily
   write the same code themselves.

2. When fixfiles is run from Fedora's selinux-autorelabel.service,
   the calling script is specifically run from a tty.

   Also Fedora's calling script chooses to redirect stdout and stderr to
   /dev/null.  This redirection will now suceed, improving the transparency
   of the code.  The previous behaviour may be obtained by choosing not
   to redirect the progress messages of this long-running process to
   /dev/null.  A patch has been submitted to Fedora to suggest this novel
   approach:  https://bugzilla.redhat.com/show_bug.cgi?id=1415674

Complete disclosure:

* Remove unused variable LOGGER.
* Fix logfiles containing spaces.

Disclaimer:

1. "Log" output may contain escape sequences (backspace?) e.g. in
   `fixfiles -l log.txt restore`.  This is not the usual understanding
   of a log file.

2.  For some reason, not all informative messages are sent to `-l` e.g.
   the list of filesystems, and "cleaning up labels on /tmp".

3. `function logit` is retained, but the logfile is also written to
   outside this function.  Implementing support for the system log
   would require another function which accepts piped input.
   Also see point 1.

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-24 13:34:57 -05:00
Nicolas Iooss
7da9bc00f2 checkpolicy: do not leak memory when a class is not found in an avrule
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:

    module ckpol_leaktest 1.0.0;
    require {type TYPE1;}
    allow TYPE1 self:process fork;

clang memory sanitier output is:

=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

Indirect leak of 18 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
    #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:44 -05:00