mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-12-13 22:48:49 +00:00
This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs an
26a994539d
The classperms associated with each map class permission and with each classpermissionset are verified in __cil_verify_classperms() which had multiple problems with how it did the verification. 1) Verification was short-circuited when the first normal class is found. The second classpermissionset statement below would not have been verified. (classpermission cp1) (classpermissionset cp1 (CLASS (PERM))) (classpermissionset cp1 cp2) 2) The classperms of a map class permission and classpermissionset were not checked for being NULL before the function recursively called itself. This would result in a segfault if the missing map or set was referred to before the classmap or classpermission occured. This error was reported by Dominick Grift (dominick.grift@defensec.nl). These rules would cause a segfault. (classmap cm1 (mp1)) (classmapping cm1 mp1 (cm2 (mp2))) (classmap cm2 (mp2)) But an error would be produced for these rules. (classmap cm1 (mp1)) (classmap cm2 (mp2)) (classmapping cm2 mp2 (cm1 (mp1))) 3) The loop detection logic was incomplete and could only detect a loop with a certain statement ordering. These rules would cause a stack overflow. (classmap cm1 (mp1)) (classmapping cm1 mp1 (cm2 (mp2))) (classmap cm2 (mp2)) (classmapping cm2 mp2 (cm3 (mp3))) (classmap cm3 (mp3)) (classmapping cm3 mp3 (cm2 (mp2))) Rewrote __cil_verify_classperms() to fix these errors. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> |
||
---|---|---|
.circleci | ||
checkpolicy | ||
dbus | ||
gui | ||
libselinux | ||
libsemanage | ||
libsepol | ||
mcstrans | ||
policycoreutils | ||
python | ||
restorecond | ||
sandbox | ||
scripts | ||
secilc | ||
semodule-utils | ||
.gitignore | ||
.travis.yml | ||
CleanSpec.mk | ||
CONTRIBUTING.md | ||
lgtm.yml | ||
Makefile | ||
README |
Please submit all bug reports and patches to selinux@vger.kernel.org. Subscribe by sending "subscribe selinux" in the body of an email to majordomo@vger.kernel.org. Build dependencies on Fedora: yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python3-devel python3-setools swig xmlto redhat-rpm-config To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): cd libsepol; make PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils).