This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs an
Go to file
James Carter 26a994539d libsepol/cil: Rewrite verification of map classes and classpermissionsets
The classperms associated with each map class permission and with each
classpermissionset are verified in __cil_verify_classperms() which had
multiple problems with how it did the verification.

1) Verification was short-circuited when the first normal class is found.
  The second classpermissionset statement below would not have been
  verified.
    (classpermission cp1)
    (classpermissionset cp1 (CLASS (PERM)))
    (classpermissionset cp1 cp2)

2) The classperms of a map class permission and classpermissionset were
not checked for being NULL before the function recursively called itself.
This would result in a segfault if the missing map or set was referred to
before the classmap or classpermission occured. This error was reported by
Dominick Grift (dominick.grift@defensec.nl).
  These rules would cause a segfault.
    (classmap cm1 (mp1))
    (classmapping cm1 mp1 (cm2 (mp2)))
    (classmap cm2 (mp2))
  But an error would be produced for these rules.
    (classmap cm1 (mp1))
    (classmap cm2 (mp2))
    (classmapping cm2 mp2 (cm1 (mp1)))

3) The loop detection logic was incomplete and could only detect a loop
with a certain statement ordering.
  These rules would cause a stack overflow.
    (classmap cm1 (mp1))
    (classmapping cm1 mp1 (cm2 (mp2)))
    (classmap cm2 (mp2))
    (classmapping cm2 mp2 (cm3 (mp3)))
    (classmap cm3 (mp3))
    (classmapping cm3 mp3 (cm2 (mp2)))

Rewrote __cil_verify_classperms() to fix these errors.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2020-02-06 11:01:07 -05:00
.circleci CircleCI: run scan-build and publish its results automatically 2019-09-26 09:45:47 -04:00
checkpolicy libsepol,checkpolicy: support omitting unused initial sid contexts 2020-01-29 10:17:02 -05:00
dbus Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
gui Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
libselinux libselinux: export flush_class_cache(), call it on policyload 2020-01-24 08:28:37 -05:00
libsemanage Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
libsepol libsepol/cil: Rewrite verification of map classes and classpermissionsets 2020-02-06 11:01:07 -05:00
mcstrans Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
policycoreutils Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
python python/semanage: check variable type of port before trying to split 2019-12-10 15:21:16 -05:00
restorecond Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
sandbox Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
scripts libsepol, libsemanage: add a macro to silence static analyzer warnings in tests 2019-09-30 08:43:41 -04:00
secilc Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
semodule-utils Update VERSIONs to 3.0 for release. 2019-11-28 13:46:48 +01:00
.gitignore restorecond: Add gitignore 2016-11-16 11:20:05 -05:00
.travis.yml Travis-CI: Drop Python 2 from matrix 2019-11-21 12:06:43 -05:00
CleanSpec.mk Add empty top level Android.mk / CleanSpec.mk files 2015-04-16 07:54:09 -04:00
CONTRIBUTING.md Fix many misspellings 2019-09-18 22:47:35 +02:00
lgtm.yml Add configuration file for lgtm.com 2019-09-18 08:24:11 -04:00
Makefile Makefile: always build with -fno-common 2020-01-27 10:51:23 -05:00
README README: Update Fedora python 3 dependencies 2019-02-20 16:43:27 +01:00

Please submit all bug reports and patches to selinux@vger.kernel.org.
Subscribe by sending "subscribe selinux" in the body of an email
to majordomo@vger.kernel.org.

Build dependencies on Fedora:
yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python3-devel python3-setools swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:
make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries
(overwriting any previously installed ones - dangerous!),
on x86_64, run:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution.  If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):
cd libsepol; make PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).