Inside split_args we do a = realloc(b) and strdup. If the realloc
succeeds and then the strdup fails, we return NULL to the caller. The
caller will then jump to an error code which will do a free(b). This is
fine if the realloc failed, but is a big problem if realloc worked. If
it worked b is now meaningless and a needs to be freed.
I change the function interface to return an error and to update "b"
from the caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
We did a bunch of:
if ((blah = function(a0, a1, a2)) == NULL) {
goto err;
} else {
something = blah;
}
Which takes 5 lines and is a pain to read. Instead:
blah = function(a0, a1, a2);
if (blah == NULL)
goto err;
something = blah;
Which takes 4 lines and is easier to read!
Winning!
Signed-off-by: Eric Paris <eparis@redhat.com>
If you specified a portion of the module name the code would disable the module rather
then giving you an error. For example.
semodule -d http
Would disable the httpd module.
As a matter of fact
semodule -r h
Would disable the first module file name that began with h.
This patch gets the real file name out of the modules and compares it to the name specified.
It also consolodates a bunch of duplicated code, and fixes a return code bug.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you are building "standard" policies(not MCS/MLS), libsemanage
will crash, which caused by strdup() to "level" NULL pointers.
For example, semodule -s refpolicy -b base.pp -i a.pp
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate pkg-config --libs and use that to build the libselinux
python so file. We do not use it to build the libsemanage versions. We
also never use the ruby equivalent. So stop calling pkg-config
uselessly.
Signed-off-by: Eric Paris <eparis@redhat.com>
We explicitly set the soname of the python and ruby files. We don't
need this. We are using the -o name as the soname, so just let the
toolchain do its thing. It just makes the Makefile nicer to read.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In python 3.2 we hit a problem where the fconext was garbage. We didn't
see this in python 2.7. The reason is because python3.2 would free and
reuse the memory and python 2.7 just happened to leave it alone.
Instead of using memory that python might use for something else, use
strdup() to get a local copy which we can free when we are finished with
it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If the private semanage.conf file is unreadable for some reason (usually
ENOENT) fallback to the default file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We calculated a length, allocated a space for the string, then used
snprintf to fill the array giving it a different length. Rather than
doing all that math ourselves, just use asprintf and let libraries get
it right.
Signed-off-by: Eric Paris <eparis@redhat.com>
SELinux ruby bindings didn't build from the top level
the swig generated .c file wasn't gitignored
use pkg-config for ruby info like we do for python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
swig creates C files with warnings. Turn off the warnings so the build
is clean. We can't help the code it produces anyway...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Having magic numbers in the code is a bad idea, using a macro is better.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This allow to build the ruby module for both ruby 1.8 and 1.9.1 (the
way it's done for the python module)
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not link against libpython, the interpreter is already linked to it.
In Debian this is usually considered bad practice.
Signed-off-by: Author: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Currently the semanage.conf file is hard coded to /etc/selinux/semanage.conf
even when an alternate root path is specified. Use the semanage.conf
found inside the altername root instead of the system global version.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you build a distribution without MLS turned on, libsemanage will
crash if given a user without a level. This patch allows users
without levels to be passed in.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
For a long time /root has been treated differently in Red Hat
Distributions then upstream policy.
We do not want to label /root the same as a users homedir. Because of
this we have carried a patch in libsemanage/genhomedircon.c to ignore
/root.
This patch adds a flag to semanage.conf, ignoredirs. That will allow
distributions or users to specify directories that genhomedircon
should ignore when setting up users homedir labeling.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When certain programs were run which created new files they would get
default permissions based on the current users umask. However these
files should get the same permissions as those files which they
replaced. Do that.
Patch from: Stephen Smalley
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The makefile which generated the package config files did not have the
VERSION file as a dependancy. Thus if you updated a tree you have
previously build the .pc file wouldn't be rebuilt and the old version
would be reinstalled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
A few calls to semanage_store_access_check() in the libsemanage
tests passed an argument even though it is a void function.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
By default only the effective branch of a tunable conditional would be
expanded and written to raw policy, while all needless unused branches
would be discarded.
Add a new option '-P' or "--preserve_tunables" to the semodule program.
By default it is 0, if set to 1 then the above preserve_tunables flag
in the sepol_handle_t would be set to 1 accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change the way libsemanage handles disabled modules. In the current
method libsemanage renames the FOO.pp file to FOO.pp.disabled and then
the rebuild process ignores *.disabled modules.
Since we want to start shipping
/etc/selinux/targeted/modules/active/modules/*.pp within the payload of
the rpm. If we continued this method, a policy update would re-enable a
module.
The new mechanism will just create a symbolic link between FOO.pp and
FOO.pp.disabled. Then the library will check all modules, and if a
module has a link, it will not be compiled into the policy. This solves
the rpm update problem. and actually gives us an easier update
capability since if FOO.pp.disabled already exists using the old method,
it will continue to work with the new method.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Allow Change libsemanage Makefile to be able to build by default and to build
if you change the version of Python
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Currently if you have a bug in a fc file, the store only reports that you have
a problem but not the name of the module, or any hint of what is wrong. This
patch will print out as much as been collected in the file_spec at the time
of the error.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Allow applications to specify an alternate root for selinux stores.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Python doesn't really work on the basis of negative error code. It
throws exceptions. This patch automatically generates little stub
functions which will catch negative error codes and will throw
exceptions in their place.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Dave Malcolm has been working on adding python3 support to libsemanage
(and libselinux).
Change to Makefile to:
Support building the Python bindings multiple times, against various Python
runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
targets with "PYPREFIX":
Should build python2 version by default, without the user doing any changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The attached patch makes the
/etc/selinux/default/contexts/files/file_contexts.homedirs generation process
include the MCS/MLS level.
This means that if you have a user with a MCS/MLS level that isn't SystemLow
then their home directory will be labeled such that they can have read/write
access to it by default.
Unless anyone has any better ideas for how to solve this problem I will upload
this to Debian shortly.
What do the MLS users do in this situation? Just relabel home directories
manually?
Finally it seems that when you run "semanage user -m" the
file_contexts.homedirs doesn't get updated, it's only when you run
"semanage login -m" that it takes affect.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Russell Coker <russell@coker.com.au>
Acked-by: Dan Walsh <dwalsh@redhat.com>
libsemanage/src/semanage.py and libselinux/src/semanageswig_wrap.c
are both generated rather than being real code. Do not store them
in git.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
Email: justinmattock@gmail.com
Subject: libsemanage Fix warning: parameter 'key' set but not used(and others)
Date: Tue, 6 Jul 2010 15:23:30 -0700
libsemanage produced no errors with the warnings, Im just noticing
big hunks of sections with warning messages:
database_llist.c: In function 'dbase_llist_add':
database_llist.c:150:28: warning: parameter 'key' set but not used
database_llist.c: In function 'dbase_llist_count':
database_llist.c:221:50: warning: parameter 'handle' set but not used
database_llist.c: In function 'dbase_llist_del':
database_llist.c:278:41: warning: parameter 'handle' set but not used
(and so on...)
so add the GCC attribute to quiet these warnings since most go to
NULL;
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Chad Sellers <csellers@tresys.com>
On 02/24/2010 02:24 PM, Daniel J Walsh wrote:
>
Ignore the first patch it was missing pc.in files.
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
I want to change the default of libsemanage to not look for home
directories in getpwent. This patch allows you to set the flag
usepasswd=false in the semanage.conf file. and genhomedircon will only
setup the labeling of /home, /export/home and any confined users homedirs.
If this patch is not acceptable because libsemanage is being rewritten,
I would like the functionality to be added to the new libsemanage.
On Sun, 2010-01-24 at 21:29 +0100, Guido Trentalancia wrote:
> Hi !
>
> Has anybody had any time to look at this ticket:
> http://userspace.selinuxproject.org/trac/ticket/7 ?
>
> I have experienced the same issue and verified that the problem is actually triggered by the bzip support (as pointed out by Stephen Smalley back in August). In fact, if I use bzip-blocksize=0 in semanage.conf then the problem disappears...
>
> Otherwise with a default semanage.conf and bzip enabled, I get:
>
> libsepol.module_package_read_offsets: offset greater than file size (at 4, offset 200478 -> 8192 (No such file or directory).
> libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/base.pp. (No such file or directory).
> semodule: Failed!
>
> I am using libsepol-2.0.41 and libsemanage-2.0.42.
Looking into this more closely, I believe this is another manifestation
of:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543915#17
which was ultimately traced down to two issues:
1) A missing offset check in libsepol (fixed in libsepol 2.0.38), and
2) A bug / lack of binary mode support in the fmemopen implementation in
glibc that was later fixed, see:
http://sourceware.org/bugzilla/show_bug.cgi?id=6544
Maybe you have the older glibc still?
Looking at the libsemanage code though, I think we could in fact avoid
any dependency on fmemopen by using the native libsepol support for
operating on a memory region via sepol_policy_file_set_mem(), ala:
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Each manual page should start with a "NAME" section, which lists the
name and a brief description of the page separated by "\-". These
sections are parsed by "mandb" and stored in a database for the use of
"apropos" and "whatis", so they must be in a certain format. These
manual pages apparently use the wrong format and cannot be parsed by
"mandb". This commit fixes that.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Manoj Srivastava wrote:
> Hi,
>
> As demonstrated by
>
> $ ldd /lib/libsemanage.so.1
> linux-gate.so.1 => (0xb8092000)
> libsepol.so.1 => /lib/libsepol.so.1 (0xb8015000)
> libselinux.so.1 => /lib/libselinux.so.1 (0xb7ffa000)
> libbz2.so.1.0 => /lib/libbz2.so.1.0 (0xb7fe9000)
> libustr-1.0.so.1 => /usr/lib/libustr-1.0.so.1 (0xb7fbf000)
> libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e60000)
> libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7e5c000)
> /lib/ld-linux.so.2 (0xb8093000)
>
> libsemanage1 links to libustr which is located under the,
> possible separate or external, /usr partition, which would render
> libsemanage unusable in such setups. (This dependency has been around
> since 2.0.9).
>
> Should we move libsemanage1 to /usr/lib? The only reason for it
> to be in /lib would be for early boot, where /usr might not be
> available, but at this point, it is likely not usable without /usr
> anyway.
>
> manoj
Yes, I'm not sure why you'd need libsemanage during early boot, we
probably should apply this:
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add modules support to semanage
Date: Thu, 12 Nov 2009 11:23:15 -0500
On 11/11/2009 01:52 PM, Chad Sellers wrote:
> On 9/30/09 2:33 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
>
>> Includes enable and disable.
>>
> I presume I should hold off on this patch until you have a chance to
> resubmit the libsemanage support that it relies on. Let me know if that's
> not the case.
>
> Thanks,
> Chad
>
Lets do this patch.
Moves load_policy from /usr/sbin to /sbin
Removed cruft.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Having a pkgconfig files allows the pkg-config tool to be used to
query the presence of the library (or a particular version of it),
and to obtain the C flags and linker arguments to build with it.
Based on Debian patches by Manoj Srivastava <srivasta@debian.org>.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
This patch adds a function to turn off file contexts validation.
We need this for cross-installs in rpm, where we install policy
into a chroot that has binaries of a different architecture which
cannot be executed on the build system. So, we would like to use
this function to disable executing setfiles. This of course means
the file contexts could be invalid, but we're willing to take
that risk.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Basically it makes semodule -u file.pp, install file.pp if it does not exist. This matches the rpm syntax, and allows us too update/install many packages with a transaction without know whether the package is updated or installed.
Currently we can only do a -i which could hammer a newwer version.
commit 3a5ed0fdf42200d0efd6cb1064eab91d2eb5ca52
Author: Dan Walsh <dwalsh@redhat.com>
Date: Mon Aug 24 11:36:41 2009 -0400
i Upgrade patch
Add code to semanage_direct_commit() to notice that the disable_dontaudit
flag has been changed and rebuild the policy if so.
Currently, libsemanage doesn't notice that the disable_dontaudit flag is
set so it does not rebuild the policy. semodule got around this by calling
semanage_set_rebuild() explicitly, but libsemanage should really notice
that this has changed and rebuild appropriately.
On Mon, 2009-08-24 at 10:57 -0400, Chris PeBenito wrote:
> On Mon, 2009-08-24 at 10:04 -0400, Stephen Smalley wrote:
> > On Mon, 2009-08-24 at 09:54 -0400, Chris PeBenito wrote:
> > > I took the current release of libsemanage and added the patch to add a
> > > bzip blocksize option[1]. The modules in my store were already
> > > compressed with the stock release. I put bzip-blocksize=0 in my
> > > semanage.conf and I do semodule -B and get:
> > >
> > > libsepol.module_package_read_offsets: wrong magic number for module
> > > package: expected 0xf97cff8f, got 0x39685a42 (No such file or
> > > directory).
> > > libsemanage.semanage_load_module: Error while reading from module
> > > file /etc/selinux/strict/modules/tmp/modules/apm.pp. (No such file or
> > > directory).
> > > semodule: Failed!
> > >
> > > If I do semodule -l, it will also get the magic number error. If I
> > > remove the blocksize option, it works again. I was able to reinsert all
> > > of the modules to get it working again with the blocksize 0 option.
> > >
> > > [1] http://userspace.selinuxproject.org/trac/changeset/ee9827000137fed2d3300124115fc1572acafe2f
> >
> > Yes, that's what I would expect. The expectation is that either one
> > would set that option before installing the policy for the first time,
> > or that one completely re-installs the policy after setting that option.
>
> Can we have a little better handling of this case? I don't mind
> reinstalling the policy, but the error messages aren't helpful. In
> addition, with semodule -l being broken, I have to look into the module
> store to see what modules are installed or guess.
Seems like it is just as easy to just support pre-existing compressed
modules, see below.
Explicitly probe for the bzip2 magic string prefix and fall through to
BZ2_bzReadOpen() if the module is bzipped even if bzip-blocksize=0.
Thus bzip-blocksize=0 will prevent any further compression of
subsequently installed/updated modules, but will continue to function
with existing compressed modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove the support for hard linking files in semanage_copy_file, as it
is unsafe and can leave the active store corrupted if something goes
wrong during the transaction. It also can leave the installed policy
files with incorrect file modes or security contexts.
To do this safely, we would need to change all functions that write to
the sandbox files to first unlink the destination file. This was done
in the original patch for the write_file helper but not for other cases.
It would need to be done for all functions that open.*O_CREAT or
fopen.*w on a file in the sandbox.
We also don't want this applied to the installed policy files, as they
need to be created with appropriate file modes and security contexts
that may differ from the sandbox files. At present, the hard link
support will only affect the installed policy files when they are first
created; afterward the link() call will always fail with EEXIST since
they are not unlinked prior to installation (nor would that be safe as
it could leave the system without a policy - rename would make more
sense in that situation). If we were to re-introduce hard link support,
we ought to use different helpers or flags for installing the policy
files than for copying the active store to the temporary sandbox to
avoid affecting both.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the administrator to customize the bzip block size and "small"
flag via semanage.conf. After applying you can add entries like these
to your /etc/selinux/semanage.conf to trade off memory vs disk space
(block size) and to trade off memory vs runtime (small):
bzip-blocksize=4
bzip-small=true
You can also disable bzip compression altogether for your module store
via:
bzip-blocksize=0
The semanage.conf entries are now validated against legal value ranges
at handle creation time.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently any changes made to the policy which require committing a handle cause dontaudit rules to be re-enabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is connected. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created a call to commit will fail.
Signed-off-by: Christopher Pardy <cpardy@redhat.com>
[sds: Removed duplicate from other patch and cleaned up style.]
[sds: Changed uses of semanage_fname to semanage_path.]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch adds a SWIG specification file for ruby bindings for libsemanage.
The spec file is almost identical to the python SWIG file with the exception
that all list generating typemaps have been removed and the python related
functions have been replaced with the corresponding ruby ones. Finally the
Makefile is modified to be able to build the new bindings. Something to note is
that on 64-bit systems ruby.h might be found somewhere under /usr/lib64 instead
of /usr/lib so LIBDIR=/usr/lib64 will be needed to build the ruby bindings from
source.
Below is an example using the ruby bindings and produces the similar output
to semodule -l
#!/usr/bin/ruby
require "semanage"
handle = Semanage.semanage_handle_create
Semanage.semanage_select_store(handle, "targeted", Semanage::SEMANAGE_CON_DIRECT)
Semanage.semanage_connect(handle)
module_info = Semanage.semanage_module_list(handle)
modules = Array.new()
module_info[2].times do |n|
temp_module = Semanage.semanage_module_list_nth(module_info[1], n)
mod_string = Semanage.semanage_module_get_name(temp_module).to_s + " " \
+ Semanage.semanage_module_get_version(temp_module).to_s
modules.push(mod_string)
end
puts "List of Installed Modules"
modules.each do |str|
puts str
end
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
Add a semanage_mls_enabled() interface to libsemanage so that
semanage/seobject can be rewritten to use it to test whether MLS is
enabled for a given policy store rather than checking the runtime MLS
enabled status, which can be misleading when using semanage on a
SELinux-disabled host or when using semanage on a store other than the
active one. Sample usage:
from semanage import *
handle = semanage_handle_create()
rc = semanage_connect(handle)
rc = semanage_mls_enabled(handle)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The current libsemanage code does not correctly add lines which include
USER in them into the homedir_template, for example:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
This line was included in the past since it has ROLE. However, with the
switch to UBAC separations, the line has changed to:
/tmp/gconfd-USER -d system_u:object_r:user_tmp_t
and is no longer included. The follwing patch fixes.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: libsemage patch to not compile modules for seusers and fcontext
Date: Wed, 10 Sep 2008 10:30:08 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ivan Gyurdiev wrote:
>
>>> I'm a little unclear on what this is doing - can you clarify?
>>>
>> This is clearing the existing seusers.final file, otherwise delete was
>> not working.
>>
> I think the previous code was doing more - it was merging the local file
> with the shipped base package file, like this:
>
> data = extract_file_from_policy_package( )
> write_file ( "seusers.final", data )
> if ( data != null ) {
> seusers.clear_cache() // thereby forcing reload from
> seusers.final when cache() is called again (in merge_components)
> } else {
> seusers.clear()
> }
>
> It's also doing this three times (once for fcontexts, once for seusers,
> once for seusers_extra).
> The problem is that you're skipping the link_sandbox call, which builds
> the base package, containing this information.
>
> Ivan
>
>
Ok I found some problems with the previous patch and did some code
reuse. I added a function that only read base.pp in order to handle the
base user_extra and seusers problem.
Signed-off-by: Joshua Brindle <method@manicmethod.com>