Commit Graph

1637 Commits

Author SHA1 Message Date
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similair
to role_val_to_struct usages. Calloc these up to prevent
any unitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
Stephen Smalley
a1d76acf04 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-19 10:41:03 -04:00
Jason Zaman
b5002d54d7 audit2allow: tests should use local copy not system
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
0a150ca94d audit2allow: fix audit2why import from seobject.
Commit b43991f913 broke audit2why because
boolean_desc was imported indirectly via seobject. Use it directly from
sepolicy instead.

$ cd policycoreutils/audit2allow
$ make test
test_audit2why (__main__.Audit2allowTests)
Verify audit2why works ... Traceback (most recent call last):
  File "/bin/audit2why", line 365, in <module>
    app.main()
  File "/bin/audit2why", line 353, in main
    self.__output()
  File "/bin/audit2why", line 295, in __output
    return self.__output_audit2why()
  File "/bin/audit2why", line 263, in __output_audit2why
    print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
AttributeError: 'module' object has no attribute 'boolean_desc'
FAIL

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Jason Zaman
229214bc80 audit2allow: remove audit2why so it gets symlinked
audit2why is supposed to be a symlink to audit2allow. There are instead
2 files in the repo so the makefile has not been replacing audit2why.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00
Stephen Smalley
5a62da59ed Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:24:22 -04:00
Stephen Smalley
d92470623c Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 15:22:28 -04:00
Miroslav Vadkerti
846c87f506 semanage: fix error message for fcontext -m
The type must be a file of device type, not a port type.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-18 15:21:37 -04:00
stephensmalley
0864aa96aa Merge pull request #22 from wakeful/fix-incorrect-import-message
fixing incorrect help message
2016-08-18 14:36:25 -04:00
AJ
f8185ee7f4 fixing incorrect message in semanage.8 man page. 2016-08-18 19:29:10 +01:00
Stephen Smalley
a3811713ee Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:41:39 -04:00
Stephen Smalley
b9ebab6528 semanage: Fix semanage fcontext -D
commit 4c5b8a9568 ("semanage: add
auditing of changes in records") broke semanage fcontext -D.
Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-18 08:36:30 -04:00
Stephen Smalley
b0a9b464ae Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:44:38 -04:00
Stephen Smalley
a7334eb0de libsemanage: validate and compile file contexts before installing
libsemanage presently runs setfiles -c to validate the file_contexts
files and sefcontext_compile to compile them to file_contexts.bin
after installing the final files under /etc/selinux.  As a result,
any error that occurs during this processing may leave invalid files
in /etc/selinux.  Move this processing before installing the files
to their final location, and then copy the .bin files that were
generated.

This prevents an error like:
semanage fcontext -a -t httpd_exec_t "/foo["
from reaching the /etc/selinux directory at all, e.g.

$ sudo semanage fcontext -a -t httpd_exec_t "/foo["
[sudo] password for sds:
/var/lib/selinux/final/targeted/contexts/files/file_contexts.local:  line 4 has invalid regex /foo[:  missing terminating ] for character class
/var/lib/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
OSError: Error

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 16:36:59 -04:00
AJ
ffd07e72fd fixing incorrect help message 2016-08-17 20:59:09 +01:00
Stephen Smalley
80dc3ef239 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:17:10 -04:00
Stephen Smalley
6e2bdb770f libselinux, sefcontext_compile: handle NULL pcre study data
pcre_study() can return a NULL result if no additional information
could be determined for the pattern.  Thus, sefcontext_compile
needs to correctly handle the case where the study data is NULL
when generating file_contexts.bin, and libselinux needs to correctly
handle it when loading file_contexts.bin.  Fix them both.

This change enables:
semanage fcontext -a -t httpd_exec_t "(/.*)?"
to succeed, since the regex itself is valid but there is no
additional information produced by pcre_study().

Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-17 15:05:48 -04:00
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter,
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix unitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00
William Roberts
d13bff623b libsepol: bound attr_type_map access by nprim
Correct an invalid memory access when attr_type_map array
indexing is outside of bounds.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:25 -04:00
William Roberts
305986f58c genfs_read: fix use heap-use-after-free
The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt it made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:12 -04:00
William Roberts
33de30a284 ebitmap: detect invalid bitmap
When count is 0 and the highbit is not zero, the ebitmap is not
valid and the internal node is not allocated. This causes issues
when routines, like mls_context_isvalid() attempt to use the
ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume
a highbit > 0 will have a node allocated.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:57 -04:00
William Roberts
b612314bf3 libsepol: ensure key is valid before doing search
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:44 -04:00
William Roberts
8b4ad4fde5 libsepol: fix invalid access of NULL on type_val_to_struct
In type_set_expand:
When nprim, the table index counter, is greater than the value of initizalized
entries in the type_val_to_struct[] array, detect this as invalid
and return an error.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:31 -04:00
James Carter
58e0c3207f Updated policycoreutils ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-15 14:22:39 -04:00
Miroslav Vadkerti
cc5b484c2b semanage: correct fcontext auditing
For modify action actually audit the selinux type, i.e. use setype
variable.

For deleting equal fcontext rules do not audit ftype, as the ftype value
for equal rules makes little sense.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-15 12:29:06 -04:00
Miroslav Vadkerti
7f34831c7b semanage: default to "s0" if serange empty for port modify
In case serange is empty, but the record is beeing modified
(setype was supplied), use default "s0" range. With the original
code the audit event would be printed with no range (i.e.
"system_u:object_r:ssh_port_t:")

Note that default "s0" is currently used in other places
of seobject.py.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-15 12:29:00 -04:00
Miroslav Vadkerti
e414249c4a semanage: use socket.getprotobyname for protocol
This patch removes proto_to_audit dictionary and uses
standard socket.getprotobyname(protocol) to resolve
protocol number from given protocol name.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-15 12:28:53 -04:00
James Carter
da3e2f51d9 Updated libselinux and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-11 14:38:52 -04:00
Richard Haines
e05312831b policycoreutils: restorecond - Modify to use selinux_restorecon
Modify restorecond to make use of the libselinux selinux_restorecon*
set of functions. Also removed obsolete matchpathcon* functions.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:34:02 -04:00
Richard Haines
602347c742 policycoreutils: setfiles - Modify to use selinux_restorecon
Modify setfiles and restorecon to make use of the libselinux
selinux_restorecon* set of functions.

The output from these commands should be much the same as before
with some minor wording changes, the only exceptions being that for
setfiles(8) and restorecon(8) the following options have been added:
1) -I to ignore checking the directory digests.
2) -m to ignore reading /proc/mounts.
These additional options are described in the updated man pages.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:33:58 -04:00
Richard Haines
f2e77865e1 libselinux: Add setfiles support to selinux_restorecon(3)
Add additional error handling, flags, xdev handling, alt_rootpath and
add/remove non-seclabel fs's to support setfiles(8), restorecon(8)
and restorecond(8) functionality.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:33:55 -04:00
Richard Haines
d4a46eec3f libselinux: Evaluate inodes in selinux_restorecon(3)
This patch adds inode evaluation services from policycoreutiles/setfiles
to selinux_restorecon.c

The overall objective is to modify restorecon(8) and setfiles(8)
to use selinux_restorecon(3) services.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:33:51 -04:00
Stephen Smalley
6fc26b0ec9 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-11 10:02:05 -04:00
Miroslav Vadkerti
8fef0902f0 semanage: fix modify action in node and interface
The modify actions of security context mappings for
interface and node actully called add action.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-11 10:01:18 -04:00
James Carter
3f524c60fe Updated libsemanage ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-10 10:29:16 -04:00
Petr Lautrbach
7d97c7bf00 libselinux/ChangeLog: Fix the author of the last libselinux change
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-08-10 10:20:16 -04:00
Miroslav Vadkerti
0b6f56e623 semanage: swap tcp and udp protocol numbers
The tcp/udp protocol numbers were accidentaly swapped in
the original patch 'semanage: add auditing of changes in records'.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-10 10:20:13 -04:00
James Carter
50d8a181e8 Updated libsepol and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-09 16:16:58 -04:00
Petr Lautrbach
e069f16f54 policycoreutils: 'fixfiles check' should not change anything
-n was not being passed down to restorecon properly in the code path
for -C and -N

Patch-by: Dan Callaghan <dcallagh@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-08-09 15:55:26 -04:00
William Roberts
8e8a648e92 libsepol: fix memory leak in expand.c
ebitmap_set_bit() can possible allocate nodes, however, the bail early
style of type_set_expand() could leave internal ebitmaps allocated
but not free'd.

Modify type_set_expand() so that it free's all allocated ebitmaps
before returning the error code to the calling routine.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:22 -04:00
William Roberts
6e7d04ac0b libsepol: fix invalid read when policy file is corrupt
AFL Found this bug:
==6523== Invalid read of size 8
==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523==    by 0x441B14: policydb_read (policydb.c:3888)
==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523==    by 0x407ED4: init (check_seapp.c:885)
==6523==    by 0x408D97: main (check_seapp.c:1231)

This occurs when the type_val_to_struct[] mapping array
doesn't contain the type indicated in the ebitmap.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:15 -04:00
Vit Mojzis
671f83b42b policycoreutils/sepolicy: Check get_rpm_nvr_list() return value
get_rpm_nvr_list can fail to get the version of selinux-policy rpm
package, which leads to error during spec file creation (attempt to
invoke __getitem__ of "None" object).

This patch sets the policy number to "0.0.0" in case rpm failed to
get it. This change should be safe because it affects only an example
of spec file.

Variable "POLICYCOREUTILSVER" was removed (unused).

fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1321499

Failed to retrieve rpm info for selinux-policy
Traceback (most recent call last):
  File "/bin/selinux-polgengui", line 360, in forward
    self.generate_policy()
  File "/bin/selinux-polgengui", line 506, in generate_policy
    self.info(my_policy.generate(outputdir))
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1382, in generate
    out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1228, in write_spec
    fd.write(self.generate_spec())
  File "/usr/lib64/python2.7/site-packages/sepolicy/generate.py", line 1190, in generate_spec
    selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
  TypeError: 'NoneType' object has no attribute '__getitem__'

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-08-09 15:55:08 -04:00
Petr Lautrbach
2e60a2c80e policycoreutils: Don't use subprocess.getstatusoutput() in Python 2 code
The commit 7574a50f tried to improve compatibility with Python 3. It changed
the code to use subprocess.getstatusoutput() instead of
commands.getstatusoutput(). Unfortunately subprocess.getstatusoutput() is not
available in Python 2. This patch changes how getstatusoutput() is imported so
the code works on Python 2 and Python 3.

Fixes:
$ chcat -d something
Traceback (most recent call last):
  File "/usr/bin/chcat", line 432, in <module>
    sys.exit(chcat_replace(["s0"], cmds, login_ind))
  File "/usr/bin/chcat", line 271, in chcat_replace
    rc = subprocess.getstatusoutput(cmd)
AttributeError: 'module' object has no attribute 'getstatusoutput'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-08-09 15:55:02 -04:00
Miroslav Vadkerti
4c5b8a9568 semanage: add auditing of changes in records
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.

A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.

The format of the audit events was discussed with the audit userspace
maintainer.

This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2016-08-09 15:54:57 -04:00
James Carter
59b645c050 Updated policycoreutils ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-08 15:56:46 -04:00
James Carter
b190e6e37d sepolicy: Add python3 support to test_sepolicy.py
Use assertNotEqual() and assertEqual() instead of assert_().
Convert print statements to print functions.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-08 15:50:18 -04:00
Jason Zaman
d2424c6c98 semanage: Print usage when no args
https://bugs.python.org/issue16308

Traceback (most recent call last):
  File "semanage", line 932, in <module>
    do_parser()
  File "semanage", line 911, in do_parser
    args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00
Jason Zaman
05d1cead3d policycoreutils/gui: py3 support for modules that changed name
StringIO moved to io and commands moved to subprocess

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-05 12:57:08 -04:00