Commit Graph

587 Commits

Author SHA1 Message Date
Eamon Walsh
cc502813e0 Bump libselinux to 2.0.74 2008-11-03 13:45:19 -05:00
Eamon Walsh
eee0f022e4 Put a proper message type into each message logged by the userspace AVC.
Currently, the message types are defined but not used.

This will allow better separation of messages when logging to facilities
such as libaudit.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2008-10-31 10:20:33 -04:00
Joshua Brindle
3d431ae08f bump libselinux and checkpolicy versions 2008-10-14 08:12:59 -04:00
Stephen Smalley
d5286d7169 Genfscon 'dash' issue
On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
> I have checked policy_parse.y. It has following rule for genfscon:
>
> genfs_context_def	: GENFSCON identifier path '-' identifier security_context_def
> 	{if (define_genfs_context(1)) return -1;}
> 	| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> 	{if (define_genfs_context(1)) return -1;}
> 	 | GENFSCON identifier path security_context_def
> 	{if (define_genfs_context(0)) return -1;}
>
> The rule for path definition (in policy_scan.l) has already included '-' (dash):
>
> "/"({alnum}|[_.-/])*	        { return(PATH); }
>
> In my understanding (maybe wrong), path is parsed first (and path might include '-') and only then separate '-' is parsed.
> But it still produces an error if path definition is correct and includes '-'.
>
> Any ideas/patches how to fix grammar rules are welcomed.

This looks like a bug in policy_scan.l - we are not escaping (via
backslash) special characters in the pattern and thus the "-" (dash) is
being interpreted rather than taken literally.  The same would seemingly
apply for "." (dot), and would seem relevant not only to PATH but also
for IDENTIFIER.  The patch below seems to fix this issue for me:
2008-10-14 07:36:16 -04:00
Joshua Brindle
345fb4a99b Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Yet another man page patch
Date: Tue, 30 Sep 2008 08:52:58 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

int selinux_file_context_cmp(const security_context_t a,
+                                    const security_context_t b);"
+
+.BI "int selinux_file_context_verify(const char *path, mode_t mode);"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjiISoACgkQrlYvE4MpobPV9gCg0KZ+rsxGsIalBS1qvbObK7bA
0H8Anj8FnGzOnSjnOfbk+5R4Bf2OyxW+
=nJ7k
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-14 07:34:49 -04:00
Joshua Brindle
86562db50a Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: matchpathcon -V does not always work as expected.
Date: Tue, 30 Sep 2008 08:54:18 -0400

matchpathcon -V should be passing the mode when checking whether the
file context on a file is correct.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-14 07:33:19 -04:00
Joshua Brindle
a73248ba81 remove reject file 2008-10-09 08:34:09 -04:00
Joshua Brindle
b04f2af251 bump checkpolicy to 2.0.17 and libsepol to 2.0.34 2008-10-09 08:31:43 -04:00
Joshua Brindle
f470207454 Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.6)
Date: Tue, 07 Oct 2008 15:39:45 +0900

>> Hmm....
>> It seems to me what you pointed out is a bug of my patch. It prevents to deliver
>> actual number of type/attribute symbols to policy file, but it is unclear why does
>> it makes libsepol ignore the policyvers.
>> (I guess it may be a separated matter.)
>>
>>> Rather than trying to calculate the length without attributes I just removed
>>> the attribute check. This causes attributes to be written for all versions,
>>> but this should not cause any problems at all.
>> The reason why I injected such an ad-hoc code is that we cannot decide the policy
>> version written when type_attr_remove() is invoked.
>> Is it impossible to move it to policydb_write()?
>> It is invoked after the policyvers is fixed by caller.
>
> It isn't impossible. You are going to have to make it walk to type
> symbol table to calculate the length without attributes, then write
> that length instead of the total symtab length.

The attached patch enables to fixup the number of type/attribute entries
to be written. The type_attr_uncount() decrements the number of attribute
entries skipped at type_write().

At first, I had a plan to invoke type_attr_remove() with
hashtab_map_remove_on_error(), but it means the given policydb structure
is modified at policydb_write() and implicit changes to external interface.

Differences from the previous version are here:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 06:58:40 -04:00
Joshua Brindle
45728407d6 Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.2)
Date: Tue, 05 Aug 2008 14:55:52 +0900

[2/3] thread-context-checkpolicy.2.patch
  It enables to support TYPEBOUNDS statement and to expand
  existing hierarchies implicitly.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
 module_compiler.c |   86 +++++++++++++++++++++++++++++++++++++++++++++++++
 policy_define.c   |   93 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 policy_define.h   |    1
 policy_parse.y    |    5 ++
 policy_scan.l     |    2 +
 5 files changed, 186 insertions(+), 1 deletion(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-10-08 06:56:51 -04:00
Joshua Brindle
e61b36a5c7 Author: Joshua Brindle
Email: method@manicmethod.com
Subject: BUGREPORT: A type alias of invisible primary one
Date: Mon, 22 Sep 2008 16:43:04 -0400

KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> I found a strange type_datum_t object which has 0 for its s.value
>>> during development of new type hierarchy checks.
>>>
>>> The strange one is "xguest_javaplugin_default_xproperty_t" which
>>> is an alias type of "xguest_javaplugin_xproperty_t".
>>>
>>> I doubted my patch at first, but it can be reproduced on the normal
>>> libsepol. It seems to me an original matter which is not exposed yet,
>>> and I am innocence. :-)
>>>
>>> During tracing the matter, I noticed the primary type is invisible
>>> at expand_module(), but the aliased one is visible. It can make the
>>> strange type_datum_t object.
>>>
>>> * at the expand_module()
>>> 1. The expand_state_t which includes typemap is initialized.
>>>
>>> 2. The type_copy_callback is invoked for any types via hashtab_map.
>>>    It only copies primary and visible types into newer hashtab,
>>>    and set up typemap to translate between old and new s.value.
>>>    Thus, the given primary type is invisible, its slot of typemap
>>>    is kept to zero.
>>>    (*) is_id_enabled() for "xguest_javaplugin_xproperty_t" returned false.
>>>
>>> 3. The alias_copy_callback is invoked for any types via hashtab_map.
>>>    It only copies alias and visible types into newer hashtab.
>>>    Here is no check whether the primary side is visible, or not.
>>>    A copied type_datum_t object for the given alias has new s.value
>>>    which is picked up from state->typemap.
>>>
>>> 4. However, the target slot of state->typemap was zero, because
>>>    its primary one is invisible. The aliased type has a strange
>>>    s.value.
>>>
>>> 5. Type hierarchy checks got a segmentation fault, due to
>>>    "p->type_val_to_name[datum->s.value - 1]".
>>>                         ^^^^^^^^^^^^^^^^^^ == -1
>>> Yes, we can identify cause of the matter.
>> Do you have a policy that can be used to reproduce this?
>
> Yes, the following policy can reproduce the matter.
> - - - - [ cut here ] - - - -
> policy_module(baz, 1.0)
>
> optional_policy(`
>         gen_require(`
>                 type invisible_primary_t;
>         ')
>         typealias invisible_primary_t alias visible_alias_t;
> ')
> - - - - - - - - - - - - - - -
>
> The attached patch can inject some of printf()'s.
> You can see that invisible_primary_t is skipped at type_copy_callback()
> and an incorrect s.value is assigned at alias_copy_callback().
>
> Thanks,
>

This should fix it. I tested with and without your patchset on a few policies. Let me know if it doesn't work for you:
2008-10-07 09:51:54 -04:00
Joshua Brindle
57671a59f2 bump libsepol to 2.0.33 2008-09-29 21:11:42 -04:00
Joshua Brindle
eeb520a045 Revert "Subject: remove expand_rule function"
This reverts commit 45e94541ec.
2008-09-29 21:09:17 -04:00
Joshua Brindle
922103e7f2 bump libselinux to 2.0.73 2008-09-29 18:20:51 -04:00
Joshua Brindle
06c2dd5d04 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Some missing man pages from libselinux
Date: Wed, 24 Sep 2008 08:57:44 -0400

We are still missing the following man pages.
Perhaps some of these functions should be removed?
selinux_users_path seems to return a bogus directory?
Also do not have _raw functions defined in man pages.

matchpathcon_checkmatches
matchpathcon_filespec_add
matchpathcon_filespec_destroy
matchpathcon_filespec_eval
matchpathcon_index
matchpathcon_init_prefix
print_access_vector
security_canonicalize_context
security_disable
security_set_boolean_list
selinux_check_passwd_access
selinux_customizable_types_path
selinux_file_context_cmp
selinux_file_context_verify
selinux_get_callback
selinux_init_load_policy
selinux_lsetfilecon_default
selinux_mkload_policy
selinux_raw_to_trans_context
selinux_trans_to_raw_context
selinux_translations_path
selinux_users_path
set_selinuxmnt

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 15:55:18 -04:00
Joshua Brindle
85ea2db4bd Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Man page fixes for libselinux.
Date: Mon, 22 Sep 2008 13:52:13 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 15:12:38 -04:00
Joshua Brindle
5973c54402 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Latest flask definitions for libselinux.
Date: Mon, 22 Sep 2008 13:50:26 -0400

Adds open, X Definitions and nlmsg_tty_audit for netlink_audit_socket

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-29 12:12:04 -04:00
Joshua Brindle
c28138ef18 bump policycoreutils to 2.0.57 2008-09-18 09:56:06 -04:00
Joshua Brindle
1dce6736bd Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Latest translations of SELinux policoreutils patch
Date: Fri, 12 Sep 2008 11:57:31 -0400

http://people.fedoraproject.org/~dwalsh/SELinux/policycoreutils-po.patch
2008-09-18 09:52:36 -04:00
Joshua Brindle
f187d4a56e bump to libsemanage 2.0.28 2008-09-15 11:25:27 -04:00
Joshua Brindle
e319cd8538 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: libsemage patch to not compile modules for seusers and fcontext
Date: Wed, 10 Sep 2008 10:30:08 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ivan Gyurdiev wrote:
>
>>> I'm a little unclear on what this is doing - can you clarify?
>>>
>> This is clearing the existing seusers.final file, otherwise delete was
>> not working.
>>
> I think the previous code was doing more - it was merging the local file
> with the shipped base package file, like this:
>
>    data = extract_file_from_policy_package( )
>    write_file ( "seusers.final", data )
>    if ( data != null ) {
>        seusers.clear_cache()  // thereby forcing reload from
> seusers.final when cache() is called again (in merge_components)
>    } else {
>        seusers.clear()
>    }
>
> It's also doing this three times (once for fcontexts, once for seusers,
> once for seusers_extra).
> The problem is that you're skipping the link_sandbox call, which builds
> the base package, containing this information.
>
> Ivan
>
>
Ok I found some problems with the previous patch and did some code
reuse.  I added a function that only read base.pp in order to handle the
 base user_extra and seusers problem.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-15 09:25:33 -04:00
Joshua Brindle
f0e01678fb Merge branch 'master' of ssh://jbrindle@oss.tresys.com/home/git/selinux/ 2008-09-07 22:50:10 -04:00
Joshua Brindle
a4c9f58e03 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Fri, 12 Sep 2008 11:52:31 -0400

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> semanage -S targeted -i - << __eof
> user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> user -a -P user -R guest_r guest_u
> user -a -P user -R xguest_r xguest_u
> __eof
> semanage -S targeted -i - << __eof
> login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
> login -m  -s unconfined_u -r s0-s0:c0.c1023 root
> __eof
>
> So you can add multiple records in a single pass.
>>

> This patch seems to cause some issues:

> [root@misterfreeze selinux-pristine]# semanage --help
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 433, in <module>
>     usage(_("Requires 2 or more arguments"))
>   File "/usr/sbin/semanage", line 98, in usage
>     """) % message)
> TypeError: float argument required

Patch off your latest policycoreutils.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 22:00:20 -04:00
Joshua Brindle
5214ee3d97 bump policycoreutils to 2.0.56 and sepolgen to 1.0.14 2008-09-07 18:57:50 -04:00
Joshua Brindle
f33c230526 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Mon, 08 Sep 2008 15:05:36 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

semanage -S targeted -i - << __eof
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
semanage -S targeted -i - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof

So you can add multiple records in a single pass.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFd4AACgkQrlYvE4MpobMaoQCgxeqYTX2mpRIiIr0461/fvblU
3fQAoIbM8x9rWL0f8iPz0UeoM2mf60XW
=hxC3
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:53:26 -04:00
Joshua Brindle
64d7ef5d44 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Add glob support for restorecond
Date: Mon, 08 Sep 2008 15:03:51 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have added supported for GLOB expressions in restorecond.  In order to
get nsplugin to work well, you need all of the contents of the homedir
labeled correctly.  Unfortunately gnome creates directories at a fairly
random pace.  FCFS.  So it is very difficult to get transitions to
happen properly.  As a tradeoff, we can use restorecond to watch the
homedir and relabel the directory when it is created.  I know this is a
potential race condition. where some of the files created in the
directory will still have the wrong context, but I don't know of a
better solution.

Telling everyone they need to restorcon -R -v ~ is not a great solution.
 If you are worried about information flow you should never rely on
restorecond.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFdxcACgkQrlYvE4MpobPtjACg3uyqaHD78FRxdaG5mfitnoB/
lh0AnjvfDC2vmCWisxzWq2qFsZMMu3XK
=JiG7
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:51:09 -04:00
Joshua Brindle
ceb5792c21 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Only call gen_requires once.
Date: Thu, 11 Sep 2008 09:35:54 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently audit2allow/sepolgen will create two identical gen_requires
block if you have allow rules and a role statement.

This patch fixes this problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJHroACgkQrlYvE4MpobPgMQCghgAMBtaQO0BeZX+ug6IwsWB8
bNEAoMkRo4cZa0iJhGoGMmCvy5ncGpj8
=gMFg
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:48:24 -04:00
Joshua Brindle
2928ff2189 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: fixfiles fixes
Date: Mon, 08 Sep 2008 15:03:35 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Removes all files from /tmp, previous one would leave /tmp/.a and /tmp/.b

Fixed context on unlabeled_t and file_t files in /tmp and /var/tmp.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFdwYACgkQrlYvE4MpobMZJACfRsCuVFja3fvYZYtptyW2h3lH
yAQAn0xmDAYELt+res60OIcL3UDrUFRv
=09W1
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:47:23 -04:00
Joshua Brindle
f210ced209 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Only call gen_requires once.
Date: Thu, 11 Sep 2008 09:35:54 -0400

Currently audit2allow/sepolgen will create two identical gen_requires
block if you have allow rules and a role statement.

This patch fixes this problem.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:42:35 -04:00
Joshua Brindle
95e4b5c3cc Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: fixfiles fixes
Date: Mon, 08 Sep 2008 15:03:35 -0400

[root@misterfreeze selinux]# cat patch
--- nsapolicycoreutils/scripts/fixfiles 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.55/scripts/fixfiles     2008-09-08 14:08:57.000000000 -0400
@@ -139,14 +139,14 @@
 LogReadOnly
 ${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
-find /tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
-find /var/tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
+find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
+find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
 exit $?
 }

 fullrelabel() {
     logit "Cleaning out /tmp"
-    rm -rf /tmp/.??* /tmp/*
+    find /tmp/ -mindepth 1 -print0 | xargs -0 /bin/rm -f
     LogReadOnly
     restore
 }

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:40:28 -04:00
Stephen Smalley
107d46ff3e Update policycoreutils VERSION and ChangeLog. 2008-08-26 09:40:22 -04:00
Stephen Smalley
55fe3dbba5 Fix locallist (-lC) functionality for semanage node. 2008-08-26 09:36:09 -04:00
Stephen Smalley
4611c09d6b Fix EMBEDDED=y build. 2008-08-26 09:08:25 -04:00
Christian Kuester
49706ad9f8 Revised Patch for local nodecon support in semanage (was: Adding local nodecon's through semanage)
Stephen Smalley schrieb:

Hi List,

> On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
>> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
>>>> Other tidbits on the semanage patch that I noticed:
>>>> - semanage node -l was broken, requires additional argument that has
>>>> been added to the list methods subsequently.  Also would be nice to
>>>> support locallist/-C option.
>>>> - semanage node -p option should take a string rather than an integer
>>>> and map it to the proper symbolic constant for ipv4/ipv6.
>> Please be sure to test each of the nodeRecords methods.
> Are you still pursuing getting this cleaned up and merged?

Sorry, it took some time. The revised patch for nodecon support in
the semanage tool is attached.

It now takes strings as arguments for the ip protocol. list/locallist
work as expected and output is more readable. I also made changes for
the semanage.8 man page.

Kind Regards,
Christian

--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH

Heilsbachstr. 24, 53123 Bonn  | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0       | fon: +49(30) / 27594853
fax: +49(228) / 52675-25      | fax: +49(30) / 78709617

Geschäftsführer
Boris Esser, Elmar Geese
HRB AG Bonn 5168
Ust-ID: DE122264941

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2008-08-21 16:48:03 -04:00
Joshua Brindle
45e94541ec Subject: remove expand_rule function
Send again with the right date and time ;)

This removes the (apparently) unused expand_rule function

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-08-19 16:35:34 -04:00
Vesa-Matti J Kari
0915aeaaac selinux: conditional expression type validation was off-by-one
This is the same off-by-one bug that was already fixed in the kernel.
(According to my understanding neither of these bugs has security
implications)

Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-08-19 16:34:59 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00