Commit Graph

2296 Commits

Author SHA1 Message Date
Petr Lautrbach
7281132977 python/sepolicy: Use list instead of map
map() returns an iterator in python3, list in python2

Fixes:
File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users
  users.remove("system_u")
AttributeError: 'map' object has no attribute 'remove'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-02-23 15:23:47 -05:00
Petr Lautrbach
aeef83ca16 gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
- $ gtk-builder-convert polgen.glade polgen.ui
- use get_object instead of get_widget
- use connect_signals instead of signal_connect

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-02-23 15:23:47 -05:00
Petr Lautrbach
5333152934 gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
b43991f9 added direct import of sepolicy but it forgot to import
sepolicy.generate and didn't change use of generate to sepolicy.generate

Fixes:

Traceback (most recent call last):
  File "/usr/bin/selinux-polgengui", line 778, in <module>
    app = childWindow()
  File "/usr/bin/selinux-polgengui", line 205, in __init__
    self.all_types = sepolicy.generate.get_all_types()
AttributeError: 'module' object has no attribute 'generate'

Traceback (most recent call last):
  File "/usr/share/system-config-selinux/polgengui.py", line 365, in forward
    if self.on_in_net_page_next():
  File "/usr/share/system-config-selinux/polgengui.py", line 701, in on_in_net_page_next
    generate.verify_ports(self.in_tcp_entry.get_text())
NameError: global name 'generate' is not defined

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-02-23 15:23:47 -05:00
Dominick Grift
4b27d5a365 Describe multiple-decls in secilc.8.xml
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2018-02-21 23:06:19 +01:00
Nicolas Iooss
fdd306711a Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR
Recent commits removed $DESTDIR from $PYSITEDIR in libselinux and
libsemanage:

    -PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site;
    print(site.getsitepackages()[0])')
    +PYSITEDIR ?= $(shell $(PYTHON) -c 'import site;
    print(site.getsitepackages()[0])')

As "site.getsitepackages()" does not work within virtualenvs,
.travis.yml defines PYSITEDIR's value in it and this definition needs to
be updated too.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-02-21 22:42:47 +01:00
Marcus Folkesson
a46776cdcf build: setup buildpaths if DESTDIR is specified
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:03 +01:00
Marcus Folkesson
a44b3735df dbus: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:03 +01:00
Marcus Folkesson
45530b8e3a semodule-utils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:03 +01:00
Marcus Folkesson
b10ed68cf2 secilc: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:03 +01:00
Marcus Folkesson
1f8237d500 sandbox: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson
38918b5d1c restorecond: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson
88a6216ddb python: build: move modules from platform-specific to platform-shared
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:02 +01:00
Marcus Folkesson
11aaf180ef python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Marcus Folkesson
6b901a4fb8 policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Marcus Folkesson
fc7a4e0798 mcstrans: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:38 +01:00
Marcus Folkesson
0932805363 gui: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:38 +01:00
Marcus Folkesson
23bbd2e448 checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
  and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:37 +01:00
Marcus Folkesson
e15f61e5d2 libsemanage: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:37 +01:00
Marcus Folkesson
b24980ec07 libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generate odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Marcus Folkesson
f8532f1773 libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generate odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Richard Haines
f281fc5219 libsemanage: Allow tmp files to be kept if a compile fails
Allow the tmp build files to be kept for debugging when a policy
build fails.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-25 12:27:47 -08:00
Richard Haines
f47c291cf8 libsemanage: Return commit number if save-previous false
Stop overwriting the commit number for the default save-previous flag
setting (false) in semanage.conf.

Allows semodule -v -i <policy> to show the correct commit number.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-25 10:00:52 -05:00
Vit Mojzis
2f26c1db5d python/semanage: Remove redundant and broken moduleRecords.modify()
moduleRecords.modify() calls nonexistent function
semanage_module_update_file (maybe it should have been
semanage_module_upgrade_file which is now obsolete and calls
semanage_module_install_file) and the job of updating a module is done
by moduleRecords.add().

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-01-16 09:23:40 -05:00
Petr Lautrbach
653b393f42 python/semanage: bring semanageRecords.set_reload back
It's used by third parties, e.g. Ansible modules

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-01-16 09:07:05 -05:00
Richard Haines
8bcee84421 libselinux: Correct manpages regarding removable_context
The selabel_media(5) man page incorrectly stated that the
removable_context(5) would be read if an selabel_lookup(3)
failed. Correct the man pages, which fixes [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-01-13 10:49:13 -08:00
Petr Lautrbach
5e81672ca0 python/semanage: make seobject.py backward compatible
Commit 985753f changed behavior of seobject class constructors. While
semanage itself was fixed, there are other tools like
system-config-selinux and chcat which depend on the original behavior.
This change makes the constructors backward compatible.

Fixes: $ system-config-selinux
Traceback (most recent call last):
  File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in <module>
    app = childWindow()
  File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__
    self.add_page(booleansPage.booleansPage(xml))
  File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__
    self.load(self.filter)
  File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load
    self.booleans = seobject.booleanRecords()
TypeError: __init__() missing 1 required positional argument: 'args'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-12-18 15:46:53 -05:00
Petr Lautrbach
eee003f810 libsemanage: Use umask(0077) for fopen() write operations
When a calling process uses umask(0) some files in the SELinux module
store can be created to be world writeable. With this patch, libsemanage
sets umask(0077) before fopen() operations and restores the original
umask value when it's done.

Fixes:
drwx------. /var/lib/selinux/targeted/active
-rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local
-rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked
-rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local

drwx------. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext
drwx------. /var/lib/selinux/targeted/active/modules/disabled
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-12-01 08:56:10 -05:00
Jan Zarsky
d80556d885 libsemanage: properly check return value of iterate function
Function dbase_llist_iterate iterates over records and checks return
value of iterate function. According to a manpage semanage_iterate(3),
handler can return value 1 for early exit. dbase_llist_iterate
currently checks for return value > 1, which does not include
expected value 1. This affects most of the semanage_*_iterate
and semanage_*_local functions.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-11-27 11:09:16 -08:00
James Carter
2d49a4b41c libsepol/cil: Create new keep field for type attribute sets
Daniel Cashman <dcashman@android.com> discovered the following:
When using cil_db multiple_decls, the different cil_attribute nodes
all point to the same underlying cil_attribute struct.  This leads
to problems, though, when modifying the used value in the struct.
__cil_post_db_attr() changes the value of the field based on
the output of cil_typeattribute_used(), for use later in
cil_typeattribute_to_policydb and cil_typeattribute_to_bitmap, but
due to the multiple declarations, cil_typeattribute_used() could be
called again by a second node.  In this second call, the value used
is the modified value of CIL_TRUE or CIL_FALSE, not the flags actually
needed. This could result in the field being reset again, to an
incorrect CIL_FALSE value.

Add the field "keep" to struct cil_typeattributeset, set its value
using cil_typeattribute_used(), and use it when determining whether
the attribute is to be kept or if it should be expanded.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-11-22 11:49:19 -05:00
Lukas Vrabec
5c48d93271 python/sepolicy: Fix sepolicy manpage.
Arguments generate and gui were mixed together and the information didn't make sense. This fix splits the gui and generate sections.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2017-11-22 09:47:50 +01:00
Vit Mojzis
2d21207796 python/semanage: Update Infiniband code to work on python3
Update Infiniband "port" and "key" listing and export to work on
python3.
{}.keys() does not support .sort() operation on Py3.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-11-14 09:15:00 +01:00
Vit Mojzis
2927532b1c python/semanage: Fix export of ibendport entries
Replace nonexistent switch "-x" by "-z" (entry name).
Fix invalid index (the dictionary key is a 2-tuple).
Add MLS/MCS range (present in all entries).

Fixes:
 #semanage ibendport -E
  File "/usr/sbin/semanage", line 1049, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 1028, in do_parser
    args.func(args)
  File "/usr/sbin/semanage", line 605, in handleIbendport
    for i in OBJECT.customized():
  File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 1806, in customized
    l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
  IndexError: tuple index out of range

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-11-14 09:14:27 +01:00
Petr Lautrbach
ebbf42d408 python/semanage: Enforce noreload only if it's requested by -N option
We want to call semanage_set_reload() only if -N option is used.

Fixes:

$ sudo umount /sys/fs/selinux

$ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-11-08 14:56:20 +08:00
Petr Lautrbach
985753f11b python/semanage: Don't use global setup variable
In order to do that we need to propagate args into seobject objects and
use args.store to get a store name.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-11-08 14:56:20 +08:00
Petr Lautrbach
d05eaaf098 python/semanage: drop *_ini functions
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-11-08 14:56:20 +08:00
Jan Zarsky
c15f495a65 libsemanage: free genhomedircon fallback user
Function semanage_genhomedircon() adds fallback user and function
setup_fallback_user() may add another one. But only one fallback
user is freed. Make sure to free all fallback users in
semanage_genhomedircon().

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-11-08 14:55:31 +08:00
Nicolas Iooss
1b7073c700 Travis-CI: try working around network issues by retrying downloads
Some Travis-CI builds failed because of issues when downloading
refpolicy files for sepolgen tests. Use curl's option --retry to make
the downloads work when the networking issues are only transient.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-10-26 12:51:33 -07:00
Jan Zarsky
4da8fcc21a libsepol: free ibendport device names
When reading policy, ibendport device names are allocated in
ocontext_read_selinux() but they are not freed when calling
sepol_policydb_free().

Fix this by freeing them in ocontext_selinux_free().

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-10-25 16:07:37 -04:00
Petr Lautrbach
80d6927b69 libselinux: Add support for pcre2 to pkgconfig definition
When libselinux is built using USE_PCRE2 libselinux.pc needs to require
libpcre2-8 instead of libpcre.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1487521

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-10-13 15:24:23 -04:00
Stephen Smalley
ae5f219d7a semodule-utils: remove semodule_deps
As discussed in https://github.com/SELinuxProject/selinux/issues/64,
semodule_deps has apparently been broken for a very long time for
binary modules and is completely irrelevant for CIL modules.  If there
are any users of it, they ought to be rewritten anyway since it is
not producing correct dependency information, and the ultimate goal
is to stop using binary modules altogether so it is not worth fixing.
Remove it to avoid any further broken usage.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-10-12 11:18:05 -07:00
Vit Mojzis
393bafd3c5 python/semanage: Enable listing file_contexts.homedirs
Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"

"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-10-04 14:18:58 -04:00
Vit Mojzis
bc161a9e94 libsemanage: Add support for listing fcontext.homedirs file
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-10-04 14:18:58 -04:00
Vit Mojzis
5007687feb libsemanage: Keep copy of file_contexts.homedirs in policy store
This will allow listing the correct file_contexts.homedirs
using libsemanage regardless of selected policy store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-10-04 14:18:58 -04:00
Nicolas Iooss
ef61301d7e gui: remove mappingsPage
This page is not used anywhere and seems to be an incomplete version of
loginsPage.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-10-02 01:51:49 +08:00
Nicolas Iooss
7b0f5a12f4 gui: delete overridden definition of usersPage.delete()
Function delete() is defined twice in class usersPage and the first one
invokes semanagePage.delete(), which does not exist.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-10-02 01:51:49 +08:00
Nicolas Iooss
3b5e8fb842 gui: fix parsing of "semodule -lfull" in tab Modules
The output of "semodule -lfull" changed from "module version" to
"priority module kind". Update system-config-selinux to use this new
format in its tab "Policy Module".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-10-02 01:51:49 +08:00
Nicolas Iooss
d689e3dc16 gui: remove the status bar
The status bar of system-config-selinux's main window is not used and
takes some room. Remove it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-10-02 01:51:49 +08:00
Nicolas Iooss
305aacbc4b sepolicy: support non-MLS policy in gui
Several "sepolicy gui" tabs raise exceptions when using a policy without
MLS because some dictionaries describing users and logins lack level and
range properties. Use conditions and get() where appropriate in order
to make "sepolicy gui" usable again with a non-MLS policy.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-25 12:59:29 -04:00
Nicolas Iooss
175efbf3ae sepolicy: ignore comments and empty lines in file_contexts.subs_dist
In refpolicy, file_contexts.subs_dist begins with comments:

    # This file can is used to configure base path aliases as in:
    #
    # /aliased_path /original_path_as_configured_in_file_contexts
    #

The first line gets parsed in read_file_equiv even though it is not a
valid path substitution and the second line triggers an exception when
accessing f[1]:

    IndexError: list index out of range

Parse substitutions only for lines which are not comment.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-25 12:58:16 -04:00
Nicolas Iooss
6d9258e5a0 Travis-CI: fix configuration after September's update
The latest update to the Travis-CI build environment split the sugilite
environment into amethyst and garnet and deprecated sugilite. As garnet
provides tools for languages C and Python, and as it is automatically
selected according to
https://travis-ci.org/fishilico/selinux/jobs/278927391 , remove "group:
sugilite" from Travis-CI configuration file.

This update introduced two issues:

- Ruby 2.1 is no longer provided. As it has reached End Of Life
  according to https://www.ruby-lang.org/en/downloads/, remove it from
  the tested versions

- Python 3.3, 3.4 and 3.5 are no longer installed by default. When
  Travis-CI builds Python projects using these versions, it
  automatically downloads and extracts an archive from
  https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/.
  Implement this process in .travis.yml directly (because Travis-CI does
  not support multi-language projects which use several versions of C
  compilers and Python and Ruby interpreters).

Last but not least, it is now possible to build with PyPy3. Enable this
interpreter in the build environment matrix.

More information about the Travis-CI update is available at
https://docs.travis-ci.com/user/build-environment-updates/2017-09-06/

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-25 12:56:02 -04:00