As per the issue below, libsepol segfaults on loading old kernel policies
that contain duplicate filename transition rules. The segfault is due to
the fact that the val_to_name arrays have not yet been populated at this
point in the policydb_read() processing. Since this warning apparently
never worked since it was first introduced, drop it and just silently
discard the duplicate like the kernel does. I was not able to produce a
policy with such duplicates using the current policy toolchain, either
via CIL or via binary modules with manual semodule_link/expand.
Fixes: https://github.com/SELinuxProject/selinux/issues/239
Fixes: 8fdb225521 ("libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Prior to rename(2)'ing the final selinux policy files into place,
fsync(2) them to ensure the contents will be fully written prior to
rename. While we are here, also fix checking of write(2) to detect
short writes and treat them as an error. This code could be more
generally improved but keeping to the minimal changes required to fix
this bug.
Fixes: https://github.com/SELinuxProject/selinux/issues/237
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:
python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
unused named argument(s): type
python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
unused named argument(s): user
Remove the unused arguments in order to silence these warnings.
This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
The return value of context_new needs to be free with context_free.
Signed-off-by: bauen1 <j2468h@gmail.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
When a branch has '.py' suffix git creates a file with the same suffix and this
file is found by the `find . -name '*.py'` command. Such files from './git' need
to be filtered out.
Fixes:
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
Analyzing 189 Python scripts
./.git/logs/refs/heads/semanage-test.py:1:42: E999 SyntaxError: invalid syntax
./.git/refs/heads/semanage-test.py:1:4: E999 SyntaxError: invalid syntax
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.
Fixes:
$ make test
...
Ran 10 tests in 110.854s
FAILED (failures=4)
$ echo $?
0
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
It stopped too early, exposing a bug in sudo selinux_restore_tty():
SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP
v2: stop late, but do stop
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
This reverts commit 692716fc5f.
Other parts of the SELinux userspace depend on certain attributes,
such as node_type, exisiting and this change breaks those parts.
Before this patch can be reapplied, we need to identify the attributes
that must never be expanded and create a CIL module with the needed
expandtypeattribute statements (or something similar).
Signed-off-by: James Carter <jwcarter@gmail.com>
* Test Python 3.8 and Pypy3 3.6-7.2.0
* Test Ruby 2.7
* Drop Ruby 2.2 and 2.3 (they are not supported with Ubuntu 18.04 in
https://rubies.travis-ci.org/)
* While at it, replace deprecated libdbus-glib-1-dev with libglib2.0-dev
now that restorecond has been upgraded.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version)
But `setuptools` affecting setup.py is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default, rather than a
command line argument `--install-layout deb` is added
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Errno is not set to ENOENT when lookup_all() doesn't find any match.
fixes: https://src.fedoraproject.org/tests/selinux/issue/51
Signed-off-by: Richard Filo <rfilo@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
On systems using non-default `PREFIX`, `LIBDIR`, `SHLIBDIR`, `BINDIR`
or `SBINDIR`, running
`DESTDIR=/path/to/destdir ./scripts/env_use_destdir make test`
does not perform the intended behavior, because the testing programs and
libraries are installed into locations that are not added to
`LD_LIBRARY_PATH` nor `PATH`.
More precisely, with `LIBDIR=/usr/lib64 SHLIBDIR=/lib64`, `env_use_destdir`
does not work. Fix this by adding the installation directories relative
to `DESTDIR` in `LD_LIBRARY_PATH` and `PATH`.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
libselinux and libsemanage use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(plat_specific=1,
prefix='$(PREFIX)'))")
while python/semanage and python/sepolgen/src/sepolgen use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(prefix='$(PREFIX)'))")
This is right: libselinux and libsemanage's Python bindings use native
code (thus "plat_specific=1") while the others only install Python
files.
Nevertheless `scripts/env_use_destdir` only runs the second command
when computing `$PYTHONPATH`. When using this script to run `make test`
in a minimal Fedora 31 environment, this leads to an error such as:
make[2]: Entering directory '/code/python/sepolicy'
Traceback (most recent call last):
File "test_sepolicy.py", line 117, in <module>
import selinux
ModuleNotFoundError: No module named 'selinux'
Fix this by also adding `get_python_lib(plat_specific=1)` to the
computed `$PYTHONPATH`.
While at it, preserve `$PYTHONPATH` instead of resetting it. This makes
it easier to work with Python virtual environments.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
* Add SELinux logo
* Add a link to Travis-CI
* Add a link to lore.kernel.org archive
* Document that SELinux is packaged in several distributions, providing
links to policycoreutils package (this package requires libsemanage,
libselinux, libsepol, etc. so if it is packaged, most sub-projects
have to also be)
* Make Fedora install command readable on GitHub without scrolling
horizontally and update it
* Split installed packaged between the dependencies for the "main"
libraries and programs, and the bindings
- The install command line has been tested using a container from
image fedora:31
* Document Debian dependencies
- The install command line has been tested using a container from
image debian:10
* Document running `make test` with `./scripts/env_use_destdir`
* Introduce "macOS" section for instructions specific to macOS.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The user systemd service file could be installed in an other location than the
system ones. In debian for example, the system files are installed
/lib/systemd/system and the user ones in /usr/lib/systemd/user.
Suggested-by: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Make user restorecond systemd service consistent with restorecond_user.conf file
used by `restorecond -u`
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The range of unreserved ports starts from 1024 and ends to
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.
Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Follow-up of: 9eb9c93275 ("Get rid of security_context_t and fix const declarations.")
Acked-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html
seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Utility matchpathcon uses the matchpathcon interface which has been
deprectaed. However, this tool will continue to live on, so allow it to
use the deprecated interface.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Update the one internal tree caller in the same file to
call selinux_check_passwd_access_internal.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that matchpathcon_fini is marked deprecated, create an
matchpathcon_fini_internal interface for internal users. We create
a new header file for matchpathcon_internal interfaces.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Now that avc_init is marked deprecated, create an avc_init_internal interface
for internal users.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
In case there are errors when committing changes to booleans, the
errors may not be reported to user except by nonzero exit status. With
"setsebool -V" it's possible to see errors from commit phase, but
otherwise the unfixed command is silent:
# setsebool -V -P secure_mode_insmod=off
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
Fixed version alerts the user about problems even without -V:
# setsebool -P secure_mode_insmod=off
Failed to commit changes to booleans: Read-only file system
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
When restorecond starts, it installs a SIGTERM handler in order to exit
cleanly (by removing its PID file). When restorecond --user starts,
there is no PID file, and g_main_loop_run() does not stop when master_fd
is closed. This leads to an unkillable service, which is an issue.
Fix this by overriding the handler for SIGTERM in restorecond --user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running restorecond in user sessions using D-Bus activation,
restorecond's process is spawned in the CGroup of the D-Bus daemon:
$ systemctl --user status
[...]
CGroup: /user.slice/user-1000.slice/user@1000.service
├─init.scope
│ ├─1206 /usr/lib/systemd/systemd --user
│ └─1208 (sd-pam)
└─dbus.service
├─1628 /usr/bin/dbus-daemon --session --address=systemd:
└─4570 /usr/sbin/restorecond -u
In order to separate it, introduce a systemd unit for
restorecond-started-as-user.
After this patch:
CGroup: /user.slice/user-1000.slice/user@1000.service
├─restorecond-user.service
│ └─2871 /usr/sbin/restorecond -u
├─init.scope
│ ├─481 /usr/lib/systemd/systemd --user
│ └─485 (sd-pam)
└─dbus.service
└─2868 /usr/bin/dbus-daemon --session --address=systemd:
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955940 states:
dbus-glib is a deprecated D-Bus library with some significant design
flaws, and is essentially unmaintained.
restorecond uses dbus-glib in order to spawn as a D-Bus service on the
session bus of users. This makes restorecond stays so long as the user
session exists.
Migrate from dbus-glib to GDbus API for the implementation of this
feature.
Moreover restorecond currently uses a D-Bus signal to trigger starting
the service. This is quite inappropriate, as stated for example in
https://dbus.freedesktop.org/doc/dbus-tutorial.html#members
Methods are operations that can be invoked on an object, with
optional input (aka arguments or "in parameters") and output (aka
return values or "out parameters"). Signals are broadcasts from the
object to any interested observers of the object; signals may
contain a data payload.
Implementing a method is more appropriate. It appears that all D-Bus
users can implement method Ping from interface org.freedesktop.DBus.Peer
(https://dbus.freedesktop.org/doc/dbus-specification.html#standard-interfaces-peer)
and that calling this method is enough to trigger the launch of the
service. This can be tested in a shell by running:
gdbus call --session --dest=org.selinux.Restorecond \
--object-path=/ --method=org.freedesktop.DBus.Peer.Ping
As this method is automatically provided, there is no need to implement
its handling in the service.
Fixed: https://github.com/SELinuxProject/selinux/issues/217
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
