commit a9f8a101fd2c475b3dcffbcc76b86355d956a095 Author: Stephen Smalley Date: Thu May 24 14:21:09 2018 -0400 Update VERSIONs to 2.8 for release. Signed-off-by: Stephen Smalley commit b2d710d9594aa8e2094fd7ddddbc91cd0b641023 Author: Jason Zaman Date: Mon May 21 15:44:08 2018 +0800 travis.yml: add ruby 2.5 to the test matrix Ruby 2.5 is not installed by default, force reinstall with rvm Signed-off-by: Jason Zaman Acked-by: Nicolas Iooss commit f1735ebbec97773b8716f53a47b1fbeed9c0c98d Author: Jason Zaman Date: Thu May 17 11:21:14 2018 +0800 genhomedircon: sysconf can return -1 without failure from getpwnam_r(3): "The call sysconf(_SC_GETPW_R_SIZE_MAX) returns either -1, without changing errno, or an initial suggested size for buf. (If this size is too small, the call fails with ERANGE, in which case the caller can retry with a larger buffer.)" The same can happen for _SC_GETGR_R_SIZE_MAX. 1024 appears to be a good fallback but may need revisiting in the future. This triggered an error on musl libc but could happen other places too. Signed-off-by: Jason Zaman commit 178c552e468091402bf063b2b05302e37a68c686 Author: Jason Zaman Date: Thu May 17 12:45:05 2018 +0800 restorecond: Musl compatibility for GLOB_BRACE and GLOB_TILDE musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use them there. This affects restorecond -u but braces are not used in the example configs. GLOB_TILDE is on the roadmap[1] for musl 1.1.21 so restorecond -u should be fine soon. [1]: https://wiki.musl-libc.org/roadmap.html Signed-off-by: Jason Zaman commit 310470235af42c6ce62cedea6db51e28c0c8ea59 Author: Luis Ressel Date: Mon Nov 13 07:41:42 2017 +0100 setfiles: Musl compatibility for GLOB_BRACE and GLOB_TILDE musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use them there. This only affects "setfiles -f", which I don't expect many people use, and it's undocumented anyway that it expands globs. Signed-off-by: Luis Ressel Signed-off-by: Jason Zaman commit ab0e27003ef245f20512d1808b1dfee662ab8f41 Author: Jason Zaman Date: Wed May 16 16:46:16 2018 +0800 libselinux: enable linking to musl-fts Musl libc does not include the fts(3) functions so need to link to the musl-fts library https://github.com/pullmoll/musl-fts Signed-off-by: Jason Zaman commit 42f0376228724dae6b754ea425975bfa99d6252e Author: Jason Zaman Date: Wed May 16 16:26:20 2018 +0800 sestatus: include limits.h for PATH_MAX compile fails on musl libc because it cant find PATH_MAX. Signed-off-by: Jason Zaman commit 5ddfc0371afefa38e88fb9f16667c1db5cf3ae46 Author: Alan Jenkins Date: Sat May 12 13:43:09 2018 +0100 policycoreutils: fixfiles: failure to create /.autorelabel is fatal Fix the following ambiguous output (from booting with init=/bin/sh): # /usr/sbin/fixfiles onboot /usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system /usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system System will relabel on next boot System will not relabel on next boot if we couldn't create ./autorelabel (In case anyone reading this description is still confused: To run `fixfiles onboot` after booting with init=/bin/sh, you must first run `mount / -oremount,rw`). commit 20c9b4971e5ddfbd70f4c3930898b31b1317fafd Author: Stephen Smalley Date: Thu May 10 11:08:22 2018 -0400 Update VERSION files to 2.8-rc3 Signed-off-by: Stephen Smalley commit 3ca8762efdc20194e77768b5298ee7758ea3ba9a Author: Stephen Smalley Date: Wed May 9 11:22:46 2018 -0400 libsepol: cil: prevent stack buffer overflow in cil_expr_to_string Fix the test to prevent overflowing the stack buffer for boolean expressions. Signed-off-by: Stephen Smalley commit 84b19ae72e5349ba0761e194d111cbd22d9d0e2e Author: Stephen Smalley Date: Tue May 8 10:24:00 2018 -0400 libsemanage: prevent string overflow on final paths Verify that the final path does not exceed the size of the buffer before copying. This can only occur if an alternate path for the policy root and/or the policy store root has been specified and if the resulting path would exceed PATH_MAX. A similar check is already applied by semanage_make_final(). Signed-off-by: Stephen Smalley commit 9a9b0e9d61185ce4b231d09b51cd6bba63c9ef1c Author: Vit Mojzis Date: Fri May 4 13:51:46 2018 +0200 python/semanage/seobject.py: Fix undefined store check self.store is always a string (actual store name or "") because of semanageRecords.__init__. Fix check for not defined store. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 Signed-off-by: Vit Mojzis commit c41633b90e4c06424981b8be89d7fb6ee1940a03 Author: Stephen Smalley Date: Thu May 3 14:48:45 2018 -0400 libselinux: audit2why: fix build warnings Fix the following build warnings. audit2why.c: In function ‘__policy_init’: audit2why.c:207:22: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4081 [-Wformat-truncation=] "unable to open %s: %s\n", ^~ path, strerror(errno)); ~~~~ audit2why.c:206:4: note: ‘snprintf’ output 20 or more bytes (assuming 4115) into a destination of size 4096 snprintf(errormsg, sizeof(errormsg), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "unable to open %s: %s\n", ~~~~~~~~~~~~~~~~~~~~~~~~~~~ path, strerror(errno)); ~~~~~~~~~~~~~~~~~~~~~~ audit2why.c:253:28: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4074 [-Wformat-truncation=] "invalid binary policy %s\n", path); ^~ ~~~~ audit2why.c:252:3: note: ‘snprintf’ output between 24 and 4119 bytes into a destination of size 4096 snprintf(errormsg, sizeof(errormsg), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "invalid binary policy %s\n", path); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stephen Smalley commit e76569f863125e48b2d8567bd9d1ba74e729bc24 Author: Stephen Smalley Date: Thu May 3 14:48:44 2018 -0400 libselinux: avcstat: fix build warning Fix the following build warning. avcstat.c: In function ‘main’: avcstat.c:113:4: error: ‘strncpy’ specified bound 4096 equals destination size [-Werror=stringop-truncation] strncpy(avcstatfile, optarg, sizeof avcstatfile); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stephen Smalley commit 8467979d4150c622909fdbf8918f0c3b30952054 Author: Stephen Smalley Date: Thu May 3 14:48:43 2018 -0400 libselinux: fix build warning in save_booleans() Fix the following warning in save_booleans(). We could likely drop the function altogether, either ignoring or returning EINVAL if a non-zero permanent argument is passed to security_set_boolean_list(), since setting persistent booleans is now handled via libsemanage. This code and the corresponding security_load_booleans() code is legacy from RHEL4 days and could be removed although we would need to keep the ABI for compatibility. booleans.c: In function ‘save_booleans’: booleans.c:441:13: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 0 and 8191 [-Werror=format-truncation=] "%s=%d\n", boolname, ^~ booleans.c:440:7: note: ‘snprintf’ output between 4 and 8205 bytes into a destination of size 8192 snprintf(outbuf, sizeof(outbuf), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "%s=%d\n", boolname, ~~~~~~~~~~~~~~~~~~~~ boollist[i].value); ~~~~~~~~~~~~~~~~~~ booleans.c:454:12: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 0 and 8191 [-Werror=format-truncation=] "%s=%d\n", boolname, val); ^~ booleans.c:453:6: note: ‘snprintf’ output between 4 and 8205 bytes into a destination of size 8192 snprintf(outbuf, sizeof(outbuf), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "%s=%d\n", boolname, val); ~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stephen Smalley commit 38e49c7187e22c402d2f74946f3d034babe4a16d Author: Stephen Smalley Date: Thu May 3 14:48:42 2018 -0400 libsepol: remove unused function and type Fix the following build warning: policydb.c: In function ‘get_symtab_destroy_func’: policydb.c:1581:9: error: cast between incompatible function types from ‘int (*)(char *, void *, void *)’ to ‘void (*)(char *, void *, void *)’ [-Werror=cast-function-type] return (hashtab_destroy_func_t) destroy_f[sym_num]; ^ It turns out that this function and type are long unused in libsepol and are not exported APIs for the shared library, so just remove them. Signed-off-by: Stephen Smalley commit dc03bae194e425a11d7080ccb9de7073ddbe7e4b Author: Stephen Smalley Date: Thu Apr 26 13:20:40 2018 -0400 Update VERSION files to 2.8-rc2. Signed-off-by: Stephen Smalley commit 531fc3d8a7b6996830e3b6dbbfdad7d24ac57363 Author: Nicolas Iooss Date: Sun Apr 22 21:30:32 2018 +0200 libsemanage: always check append_arg return value When split_args() calls append_arg(), the returned value needs to be checked in order to detect memory allocation failure. Checks were missing in two places, which are spotted by clang's static analyzer: semanage_store.c:1352:7: warning: Value stored to 'rc' is never read rc = append_arg(&argv, &num_args, arg); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ semanage_store.c:1368:3: warning: Value stored to 'rc' is never read rc = append_arg(&argv, &num_args, arg); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Nicolas Iooss commit 20a324b5911cd6ca29bfd3b9e674043953a2790b Author: Nicolas Iooss Date: Sun Apr 22 21:21:48 2018 +0200 sestatus: free process and file contexts which are checked clang's static analyzer reports a potential memory leak because the buffers allocated in pc and fc are not freed in main(), in sestatus.c. Free these buffers properly. Signed-off-by: Nicolas Iooss commit 0f99a3126c09f6a5946ff35b5414011afd6431db Author: Nicolas Iooss Date: Sun Apr 22 21:21:47 2018 +0200 sestatus: resolve symlinks in path when looking for a process "sestatus -v" uses /proc/$PID/exe symbolic link in order to find the context of processes present in /etc/sestatus.conf. For example, this file includes "/usr/sbin/sshd". On Arch Linux, /bin, /sbin and /usr/sbin are symbolic links to /usr/bin, so sshd process is seen as "/usr/bin/sshd" instead of "/usr/sbin/sshd". This causes "sestatus -v" to show nothing in "Process contexts:" for sshd, agetty, etc. Use realpath() to resolve any symlink components in program paths defined in /etc/sestatus.conf. This makes "sestatus -v" show the expected result: Process contexts: Current context: sysadm_u:sysadm_r:sysadm_t Init context: system_u:system_r:init_t /sbin/agetty system_u:system_r:getty_t /usr/sbin/sshd system_u:system_r:sshd_t Signed-off-by: Nicolas Iooss commit 87a58b6b4ebf88da78bf1386c36d8d982ca41525 Author: Stephen Smalley Date: Fri Apr 20 10:12:57 2018 -0400 Revert "libselinux: verify file_contexts when using restorecon" This reverts commit 814631d3aebaa041073a42c677c1ed62ce7830d5. As reported by Petr Lautrbach, this commit changed the behavior of selabel_open() when SELABEL_OPT_VALIDATE is 0, and this would be an API change. Reported-by: Petr Lautrbach Signed-off-by: Stephen Smalley commit f04d64012afdb410271bb1d354a15cfe106080ea Author: Stephen Smalley Date: Thu Apr 19 10:40:16 2018 -0400 Update VERSION files to 2.8-rc1 Signed-off-by: Stephen Smalley commit efc77aa209904c789c1ac8cc59396a134ab1295a Author: Nicolas Iooss Date: Fri Apr 13 22:34:24 2018 +0200 libselinux: remove unused variable usercon In getconlist.c, main() does not use usercon. Remove this variable. Signed-off-by: Nicolas Iooss commit 5f76f6b8fb7922d9c365192b3d043e66ea7414c5 Author: Nicolas Iooss Date: Fri Apr 13 22:34:23 2018 +0200 libselinux: fix memory leak in getconlist In getconlist.c's main(), "level" is duplicated from an optional argument without being ever freed. clang's static analyzer warns about this memory leak. Free the allocated memory properly in order to remove a warning reported by clang's static analyzer. Signed-off-by: Nicolas Iooss commit c56bb631c4e5caa433f503a7f051055b9f334e5d Author: Nicolas Iooss Date: Fri Apr 13 22:34:22 2018 +0200 libselinux: label_file: fix memory management in store_stem() If store_stem() fails to expand the memory allocated on data->stem_arr, some things go wrong: * the memory referenced by "buf" is leaked, * data->alloc_stems has been increased without data->stem_arr having been expanded. So the next time store_stem() is called, the function will behave as if the buffer holds enough space, and will write data after the end of data->stem_arr. The first issue is being spotted by clang's static analyzer, which warns about leaking variable "stem" in find_stem_from_spec() (this function calls store_stem()). This both issues by freeing buf when realloc(data->stem_arr) fails, and by not increasing data->alloc_stems when this happens. Signed-off-by: Nicolas Iooss commit 3dd5dd8a07839c24acd8b8ca3d4dc5f848e8f744 Author: Nicolas Iooss Date: Fri Apr 13 22:34:21 2018 +0200 libsepol: ensure the level context is not empty When load_users() parses an invalid line with an empty level context (ie. nothing between "level" and "range" keywords), it allocates memory with malloc(0) and uses it. The behavior of malloc() in this case is an unspecified behavior: it might return NULL, which would lead to a segmentation fault. Fix this issue by reporting the invalid entry instead. While at it, ensure that the character before "range" is a space, and change the logic slightly in order to avoid using "--p; ... p++;". This issue is reported by clang's static analyzer with the following message: genusers.c:222:11: warning: Use of zero-allocated memory *r++ = *s; ^ genusers.c:225:7: warning: Use of zero-allocated memory *r = 0; ^ Signed-off-by: Nicolas Iooss commit 9fc2301047bcdaf2db0af607c56d51c0e1346070 Author: Nicolas Iooss Date: Fri Apr 13 22:34:20 2018 +0200 libsepol: do not dereference NULL if stack_init fails In cond_expr_to_cil(), when stack_init() fails to allocate a stack, the function calls stack_pop() with stack = NULL. Then stack_pop() dereferences the pointer ("if (stack->pos == -1) {"), which is NULL. Fix this by moving the stack cleaning loop in a "if (stack != NULL)" block. This issue is reported by clang's static analyzer with the following message: module_to_cil.c:463:6: warning: Access to field 'pos' results in a dereference of a null pointer (loaded from variable 'stack') if (stack->pos == -1) { ^~~~~~~~~~ Signed-off-by: Nicolas Iooss commit 10bb459addf4f1457ce87fe893b38757c1f48a6c Author: Vit Mojzis Date: Thu Apr 12 12:26:01 2018 +0200 libsemanage: do not change file mode of seusers and users_extra Commit 8702a865e08b5660561e194a83e4a363061edc03 causes file mode of seusers and users_extra to change based on the value defined in config file whenever direct_commit is called and policy is not rebuilt. (e.g. when setting a boolean). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1512639 $ ll /var/lib/selinux/targeted/active/users_extra -rw-------. 1 root root 101 11. dub 17.31 /var/lib/selinux/targeted/active/users_extra $ ll /var/lib/selinux/targeted/active/seusers -rw-------. 1 root root 73 11. dub 17.31 /var/lib/selinux/targeted/active/seusers $ semanage boolean -m --on httpd_can_network_connect $ ll /var/lib/selinux/targeted/active/seusers -rw-r--r--. 1 root root 73 23. bře 16.59 /var/lib/selinux/targeted/active/seusers $ ll /var/lib/selinux/targeted/active/users_extra -rw-r--r--. 1 root root 101 23. bře 16.59 /var/lib/selinux/targeted/active/users_extra $ rpm -Vq selinux-policy-targeted .M.....T. /var/lib/selinux/targeted/active/seusers .M.....T. /var/lib/selinux/targeted/active/users_extra Signed-off-by: Vit Mojzis commit 1ac7716df48c8fb5c6d1a1a39ad8cc619af60670 Author: Vit Mojzis Date: Thu Apr 12 09:41:26 2018 +0200 python/sepolgen: Try to translate SELinux contexts to raw This allows sepolgen to generate policy from AVC messages that contain contexts translated by mcstrans. Fixes: \# echo "type=USER_AVC msg=audit(1468415802.940:2199604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:SystemLow-SystemHigh tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'" | audit2allow libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh libsepol.mls_from_string: could not construct mls context structure libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:system_r:systemd_logind_t:SystemLow-SystemHigh to sid Signed-off-by: Vit Mojzis commit 3e47c239ec207565242ce3980ce8cab9b912e585 Author: Yuli Khodorkovskiy Date: Thu Mar 29 17:16:42 2018 -0700 libselinux: echo line number of bad label in selabel_fini() Keep track of line numbers for each file context in selabel_handle. If an error occurs in selabel_fini(), the line number of an invalid file context is echoed to the user. Signed-off-by: Yuli Khodorkovskiy commit 814631d3aebaa041073a42c677c1ed62ce7830d5 Author: Yuli Khodorkovskiy Date: Thu Mar 29 17:16:41 2018 -0700 libselinux: verify file_contexts when using restorecon In permissive mode, calling restorecon with a bad label in file_contexts does not verify the label's existence in the loaded policy. This results in any label successfully applying to a file, as long as the file exists. This issue has two assumptions: 1) file_contexts must be manually updated with the invalid label. Running `semanage fcontext` will error when attempting to add an invalid label to file_contexts. 2) the system must be in permissive. Although applying an invalid label in enforcing gives an error and fails, successfully labeling a file with a bad label could cause issues during policy development in permissive. Instead, as each context is used, verify it is valid before blindly applying the label. If an error with validation occurs in restorecon, application of remaining valid labels will be uninterrupted as before. Signed-off-by: Yuli Khodorkovskiy commit 4ba19b541d066d9b0aa104deefc093f468d3d8a2 Author: James Carter Date: Wed Mar 28 15:47:22 2018 -0400 libsepol/cil: Improve processing of context rules Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon, portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon, and devicetreecon rules. If the multiple-decls option is not used then report errors if duplicate context rules are found. If it is used then remove duplicate context rules and report errors when two rules are identical except for the context. This also changes the ordering of portcon and filecon rules. The protocol of portcon rules will be compared if the port numbers are the same and the path strings of filecon rules will be compared if the number of meta characters, the stem length, string length and file types are the same. Based on an initial patch by Pierre-Hugues Husson (phh@phh.me) Signed-off-by: James Carter commit ea8d689b533ac498c8ab37bca04aaf4f81e2ee71 Author: Tri Vo Date: Fri Mar 16 11:11:36 2018 -0700 Resolve conflicts in expandattribute. This commit resolves conflicts in values of expandattribute statements in policy language and expandtypeattribute in CIL. For example, these statements resolve to false in policy language: expandattribute hal_audio true; expandattribute hal_audio false; Similarly, in CIL these also resolve to false. (expandtypeattribute (hal_audio) true) (expandtypeattribute (hal_audio) false) A warning will be issued on this conflict. Motivation When Android combines multiple .cil files from system.img and vendor.img it's possible to have conflicting expandattribute statements. This change deals with this scenario by resolving the value of the corresponding expandtypeattribute to false. The rationale behind this override is that true is used for reduce run-time lookups, while false is used for tests which must pass. Signed-off-by: Tri Vo Acked-by: Jeff Vander Stoep Acked-by: William Roberts Acked-by: James Carter commit 0d1fad884a17a49d30a35c0e06e07a7ffda02e30 Author: Vit Mojzis Date: Mon Mar 19 12:08:12 2018 +0100 policycoreutils/semodule: Allow enabling/disabling multiple modules at once Unify behaviour for all module actions. The same behaviour is already present for -i/-u/-r/-e switches. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1545218 Signed-off-by: Vit Mojzis commit a0c4e64238f3c8628d75f084325b9453bf0bc6b5 Author: Vit Mojzis Date: Tue Mar 13 09:12:37 2018 +0100 policycoreutils/semodule: Improve man page and unify it with --help Unify the way parameters are described in man pages and --help message. Explain special syntax allowing the user to specify multiple modules when using -i/u/r/E mods. Point out that priority has to be specified in order to remove module at different priority than 400 and that "-d" disables all instances of given module across priorities. Resolves: rhbz#1320565, rhbz#1337192 Signed-off-by: Vit Mojzis commit c99739a6aa6f986345d80c47e6a93daf3290c706 Author: James Carter Date: Wed Mar 7 10:01:35 2018 -0500 libsepol: Prevent freeing unitialized value in ibendport handling Nicolas Iooss reports: In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name() fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is called to free the memory associated with tmp_key, which results in free() being called on uninitialized tmp_key->ibdev_name. This issue is reported by clang's static analyzer with the following message: ibendport_record.c:115:2: warning: 1st function call argument is an uninitialized value free(key->ibdev_name); ^~~~~~~~~~~~~~~~~~~~~ Signed-off-by: James Carter commit cf0ab12414360b7e00b2ace2f8a8beee1362e4c8 Author: Richard Haines via Selinux Date: Sun Mar 11 16:22:55 2018 +0000 selinux: Add support for the SCTP portcon keyword Update libsepol, checkpolicy and the CIL compiler to support the SCTP portcon keyword. Signed-off-by: Richard Haines commit 721ccb33181082f6bfee3bfb51c8541d8136b71e Author: Vit Mojzis Date: Mon Mar 19 15:46:15 2018 +0100 libsemanage/direct_api.c: Fix iterating over array Fix sizeof calculation in array iteration introduced by commit 6bb8282c4cf66e93daa9684dbe9c75bb6b1e09a7 "libsemanage: replace access() checks to make setuid programs work" Signed-off-by: Vit Mojzis commit 07629c0a9f26e6e9ebb0b2847e09a461512990c9 Author: Nicolas Iooss Date: Wed Feb 14 22:33:03 2018 +0100 libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss Acked-by: Petr Lautrbach commit 5576912170da7f3983ba4d4d4a788b2cfdb64468 Author: Stephen Smalley Date: Thu Mar 8 15:11:58 2018 -0500 libsepol: Export sepol_polcap_getnum/name functions Export the sepol_polcap_getnum/name() functions to users of the shared library. This will enable SETools to stop depending on the static library. Note that we may want to move polcaps.h up one level since the convention is that headers directly under include/sepol are shared library APIs while headers under include/sepol/policydb are limited to static users. However, this will unnecessarily break the build for existing static users so it is deferred. Suggested-by: Chris PeBenito Signed-off-by: Stephen Smalley commit 6bb8282c4cf66e93daa9684dbe9c75bb6b1e09a7 Author: Vit Mojzis Date: Fri Mar 9 16:39:44 2018 +0100 libsemanage: replace access() checks to make setuid programs work access() uses real UID instead of effective UID which causes false negative checks in setuid programs. Replace access() calls (mostly tests for file existence) by stat(). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 Signed-off-by: Vit Mojzis commit 29d84c628063658643a362fb88a4db72d7032cf2 Author: Jan Zarsky Date: Wed Mar 7 10:16:20 2018 +0100 python/sepolgen: fix typo in PolicyGenerator commit 4efa673bc07e728b72b5e5b28d9819fdeeae8380 Author: Vit Mojzis Date: Tue Mar 6 12:58:07 2018 +0100 libsemanage: remove access() check to make setuid programs work F_OK access checks only work properly as long as all directories along the path are accessible to real user running the program. Replace F_OK access checks by testing return value of open, write, etc. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 Signed-off-by: Vit Mojzis commit 88f47106170f8665638519a15655ace79d5c3126 Author: Vit Mojzis Date: Tue Mar 6 12:58:06 2018 +0100 libsemanage: remove access() check to make setuid programs work access() uses real UID instead of effective UID which causes false negative checks in setuid programs. Remove redundant access() checks Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 Signed-off-by: Vit Mojzis commit 2784addb142c5431f78b9be709b5cb637583d355 Author: Nicolas Iooss Date: Mon Mar 5 23:58:20 2018 +0100 libsemanage: silence clang static analyzer report clang's static analyzer reports an out-of-bound array access in semanage_user_roles() when num_roles is zero, with the following statement: strcpy(roles,roles_arr[0]); When num_roles is zero, roles_arr[0] is not uninitialized and roles is the result of malloc(0) so this strcpy is dangerous. Make semanage_user_roles() return an empty string instead. Signed-off-by: Nicolas Iooss commit 2bd82070ef3908ddf95c6e36c2b452685b46fe04 Author: Nicolas Iooss Date: Mon Mar 5 23:58:19 2018 +0100 libsepol: cil: show an error when cil_expr_to_string() fails cil_tree_print_expr() calls cil_expr_to_string() in order to compute a string expression into expr_str. If this function fails, expr_str is left unitialized but its value is dereferenced with: cil_log(CIL_INFO, "%s)", expr_str); Prevent such an issue by checking cil_expr_to_string()'s return value before using expr_str. This issue has been found with clang's static analyzer. Signed-off-by: Nicolas Iooss commit 3217d717c8900497d28a426fe5c4b73369c4a09a Author: Vit Mojzis Date: Thu Mar 1 12:03:06 2018 +0100 gui/fcontextPage: Set default object class in addDialog This ensures that user cannot leave the object class selection blank. Signed-off-by: Vit Mojzis commit 6f4b1bbdea53f7b2086291238cd01befd7dd2c19 Author: Vit Mojzis Date: Thu Feb 22 14:29:33 2018 +0100 gui/semanagePage: Close "edit" and "add" dialogues when successfull "Edit" and "add" dialogues weren't closed after successful transaction ("add" and "edit" methods return "None" if successful). Signed-off-by: Vit Mojzis commit 8caec179c3eb9a54fc73b5d80b717367ed4df6e8 Author: Vit Mojzis Date: Wed Feb 28 13:12:53 2018 +0100 libsemanage: Improve warning for installing disabled module Resolves: rhbz#1337199 Signed-off-by: Vit Mojzis commit 733b8005d84fdc1ddbc92d47d4d5dd7c6bbec80e Author: Yuli Khodorkovskiy Date: Sat Feb 24 04:57:33 2018 +0000 secilc: Fix documentation build for OS X systems Since Darwin systems do not have GNU sed installed, the Darwin sed is missing the "regexp-extended" flag needed to modify the secilc markdown files before processing with pandoc. A quick fix for Mac users is to `brew install gnu-sed` and to use gsed. Signed-off-by: Yuli Khodorkovskiy commit fd43043ba21479384df5a800fcba4e31b6e3e973 Author: Vit Mojzis Date: Thu Feb 22 14:33:20 2018 +0100 semodule-utils/semodule_package: fix semodule_unpackage man page Fix command line arguments and description in man page. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1334834 Signed-off-by: Vit Mojzis commit e4348941ee8037723bf6b5598359e150b82e5ba1 Author: Lee Stubbs Date: Sun Feb 18 17:21:41 2018 -0500 Minor update for bash completion. Bash completion for ports is missing '-' for type. Based on documentation, it should be --type, not -type. commit bb6b4c661b7cd3ed773b46c6c24510cb81f50bb2 Author: Petr Lautrbach Date: Thu Feb 22 18:29:01 2018 +0100 gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name Fixes: /usr/share/system-config-selinux/polgengui.py:679: PyGIDeprecationWarning: Deprecated, please use stop_emission_by_name. entry.emit_stop_by_name("insert_text") Signed-off-by: Petr Lautrbach commit df135b07a727d1bac6a62e0db262256ff0135a8f Author: Nicolas Iooss Date: Wed Feb 14 22:16:24 2018 +0100 python/sepolicy: Initialize policy.ports as a dict in generate.py in class policy, ports is usually initialized with the result of get_all_ports(), which is a dict. If this function failed, the error was not fatal but ports was left initialized as a list, which would trigger other errors when accessing it. Initialize ports as an empty dict in order to fix this issue. Signed-off-by: Nicolas Iooss commit 8059ad7ad108e8113ab1c7fc1a4dc7904218cdc6 Author: Nicolas Iooss Date: Wed Feb 14 22:16:23 2018 +0100 python/sepolicy: Support non-MLS policy When using sepolgen GUI on a system with a non-MLS policy, sepolicy.info(sepolicy.PORT) does not define "range" attributes (since commit 908340e8e7a9 ("sepolicy: support non-MLS policy in manpage")). Replace them with None in get_all_ports() result. Signed-off-by: Nicolas Iooss commit b8296872fe2deb8c11a677932cc9a2111d8cc49e Author: Nicolas Iooss Date: Wed Feb 14 22:16:25 2018 +0100 python/sepolicy: Fix translated strings with parameters When a translated string takes parameters with %, the % and the parameters need to be after the call to the underline function in order to work properly. Signed-off-by: Nicolas Iooss commit 41f1882724d921db654c9104c14b6ab1aeb4c817 Author: Petr Lautrbach Date: Tue Feb 13 15:51:01 2018 +0100 python/sepolicy: Do not use types.BooleanType It was removed from Python 3 Fixes: File "polgengui.py", line 390, in forward self.generate_policy() File "polgengui.py", line 491, in generate_policy my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1) File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py", line 468, in set_use_syslog if not isinstance(val, types.BooleanType): AttributeError: module 'types' has no attribute 'BooleanType' Signed-off-by: Petr Lautrbach commit 72811329770b7b98c8a0ee93b0b14fd2b245535c Author: Petr Lautrbach Date: Tue Feb 13 13:12:47 2018 +0100 python/sepolicy: Use list instead of map map() returns an iterator in python3, list in python2 Fixes: File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users users.remove("system_u") AttributeError: 'map' object has no attribute 'remove' Signed-off-by: Petr Lautrbach commit aeef83ca164e0e507f824e35d96c6a7728c3c7e0 Author: Petr Lautrbach Date: Tue Feb 13 13:08:48 2018 +0100 gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui - $ gtk-builder-convert polgen.glade polgen.ui - use get_object instead of get_widget - use connect_signals instead of signal_connect Signed-off-by: Petr Lautrbach commit 5333152934d8bf30f882df24bbdbdcd16d33505b Author: Petr Lautrbach Date: Fri Mar 17 15:09:08 2017 +0100 gui/polgengui.py: Fix sepolicy.generate import in polgengui.py b43991f9 added direct import of sepolicy but it forgot to import sepolicy.generate and didn't change use of generate to sepolicy.generate Fixes: Traceback (most recent call last): File "/usr/bin/selinux-polgengui", line 778, in app = childWindow() File "/usr/bin/selinux-polgengui", line 205, in __init__ self.all_types = sepolicy.generate.get_all_types() AttributeError: 'module' object has no attribute 'generate' Traceback (most recent call last): File "/usr/share/system-config-selinux/polgengui.py", line 365, in forward if self.on_in_net_page_next(): File "/usr/share/system-config-selinux/polgengui.py", line 701, in on_in_net_page_next generate.verify_ports(self.in_tcp_entry.get_text()) NameError: global name 'generate' is not defined Signed-off-by: Petr Lautrbach commit 4b27d5a365c265732cec03bb728efeacef74cedb Author: Dominick Grift Date: Thu Feb 15 18:34:37 2018 +0100 Describe multiple-decls in secilc.8.xml Signed-off-by: Dominick Grift commit fdd306711a54a4b3feda8a10bd0f5d7b27f12c2b Author: Nicolas Iooss Date: Wed Feb 14 16:51:49 2018 +0100 Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR Recent commits removed $DESTDIR from $PYSITEDIR in libselinux and libsemanage: -PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') +PYSITEDIR ?= $(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') As "site.getsitepackages()" does not work within virtualenvs, .travis.yml defines PYSITEDIR's value in it and this definition needs to be updated too. Signed-off-by: Nicolas Iooss commit a46776cdcf32c25a2bad4b1c3f0eea3dadfad0aa Author: Marcus Folkesson Date: Wed Feb 14 10:57:17 2018 +0100 build: setup buildpaths if DESTDIR is specified Signed-off-by: Marcus Folkesson commit a44b3735df1747e0ec1eca13a02b02eb2274143d Author: Marcus Folkesson Date: Wed Feb 14 10:57:16 2018 +0100 dbus: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 45530b8e3afb4ecf95cdba3b9f1382eab77bd6d2 Author: Marcus Folkesson Date: Wed Feb 14 10:57:15 2018 +0100 semodule-utils: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit b10ed68cf2536817a4e7b1c3efc40d8dab2bff6c Author: Marcus Folkesson Date: Wed Feb 14 10:57:14 2018 +0100 secilc: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 1f8237d500cb7a88f84a35b29755ac0c1d76bbc6 Author: Marcus Folkesson Date: Wed Feb 14 10:57:13 2018 +0100 sandbox: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 38918b5d1c2b94e1668d54f763f1d340cdf91231 Author: Marcus Folkesson Date: Wed Feb 14 10:57:12 2018 +0100 restorecond: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 88a6216ddba69109b7488805b6850e8e6657c26f Author: Marcus Folkesson Date: Wed Feb 14 10:57:11 2018 +0100 python: build: move modules from platform-specific to platform-shared Signed-off-by: Marcus Folkesson commit 11aaf180ef128551d9f8d65dbd32961e99670914 Author: Marcus Folkesson Date: Wed Feb 14 10:57:10 2018 +0100 python: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 6b901a4fb80cc61c46f75144b5bb366b8da38e82 Author: Marcus Folkesson Date: Wed Feb 14 10:57:09 2018 +0100 policycoreutils: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit fc7a4e079848a584e962342338d43e5b5b385e3e Author: Marcus Folkesson Date: Wed Feb 14 10:57:08 2018 +0100 mcstrans: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 0932805363b949b73d1a550cc965cec9a6131b68 Author: Marcus Folkesson Date: Wed Feb 14 10:57:07 2018 +0100 gui: build: follow standard semantics for DESTDIR and PREFIX Signed-off-by: Marcus Folkesson commit 23bbd2e4489e14d4bb6c0ee49c6ee236a7943020 Author: Marcus Folkesson Date: Wed Feb 14 10:57:06 2018 +0100 checkpolicy: build: follow standard semantics for DESTDIR and PREFIX This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson commit e15f61e5d2fe74c6e7c0a5f81083a93b508c35f7 Author: Marcus Folkesson Date: Wed Feb 14 10:57:05 2018 +0100 libsemanage: build: follow standard semantics for DESTDIR and PREFIX This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson commit b24980ec07af66c4b419f8053aa65e97b36e558d Author: Marcus Folkesson Date: Wed Feb 14 10:57:04 2018 +0100 libselinux: build: follow standard semantics for DESTDIR and PREFIX This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson commit f8532f17731c82df9956aa1c92f7fb08bd65bf05 Author: Marcus Folkesson Date: Wed Feb 14 10:57:03 2018 +0100 libsepol: build: follow standard semantics for DESTDIR and PREFIX This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson commit f281fc52197300cc579ddb970b995cedc98878ab Author: Richard Haines Date: Wed Jan 24 09:42:54 2018 +0000 libsemanage: Allow tmp files to be kept if a compile fails Allow the tmp build files to be kept for debugging when a policy build fails. Signed-off-by: Richard Haines commit f47c291cf8c4c7fc168967fc05c53b473cdea221 Author: Richard Haines Date: Mon Jan 22 16:38:11 2018 +0000 libsemanage: Return commit number if save-previous false Stop overwriting the commit number for the default save-previous flag setting (false) in semanage.conf. Allows semodule -v -i to show the correct commit number. Signed-off-by: Richard Haines commit 2f26c1db5d37ed9c0294246d6019016e66507f2c Author: Vit Mojzis Date: Thu Jan 11 18:44:27 2018 +0100 python/semanage: Remove redundant and broken moduleRecords.modify() moduleRecords.modify() calls nonexistent function semanage_module_update_file (maybe it should have been semanage_module_upgrade_file which is now obsolete and calls semanage_module_install_file) and the job of updating a module is done by moduleRecords.add(). Signed-off-by: Vit Mojzis commit 653b393f42bd425089463434bc5c0634cb0aa9c5 Author: Petr Lautrbach Date: Thu Jan 11 17:22:10 2018 +0100 python/semanage: bring semanageRecords.set_reload back It's used by third parties, e.g. Ansible modules Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745 Signed-off-by: Petr Lautrbach commit 8bcee8442197c91e10e7d5a54b409866dc2753f1 Author: Richard Haines Date: Wed Jan 10 14:12:38 2018 +0000 libselinux: Correct manpages regarding removable_context The selabel_media(5) man page incorrectly stated that the removable_context(5) would be read if an selabel_lookup(3) failed. Correct the man pages that fixes [1]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621 Signed-off-by: Richard Haines commit 5e81672ca0adaf4695f2634e063a30543a4800a9 Author: Petr Lautrbach Date: Wed Dec 13 13:16:33 2017 +0100 python/semanage: make seobject.py backward compatible Commit 985753f changed behavior of seobject class constructors. While semanage itself was fixed, there are other tools like system-config-selinux and chcat which depend on the original behavior. This change make the constructors backward compatible. Fixes: $ system-config-selinux Traceback (most recent call last): File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in app = childWindow() File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__ self.add_page(booleansPage.booleansPage(xml)) File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__ self.load(self.filter) File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load self.booleans = seobject.booleanRecords() TypeError: __init__() missing 1 required positional argument: 'args' Signed-off-by: Petr Lautrbach commit eee003f810f5312b61b8da61f34c2d581617a997 Author: Petr Lautrbach Date: Mon Nov 27 21:33:12 2017 +0100 libsemanage: Use umask(0077) for fopen() write operations When a calling process uses umask(0) some files in the SELinux module store can be created to be world writeable. With this patch, libsemanage sets umask(0077) before fopen() operations and restores the original umask value when it's done. Fixes: drwx------. /var/lib/selinux/targeted/active -rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local -rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked -rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local drwx------. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext drwx------. /var/lib/selinux/targeted/active/modules/disabled -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote Signed-off-by: Petr Lautrbach commit d80556d885c551e59c2a0863fbccf00ae048865c Author: Jan Zarsky Date: Wed Nov 22 16:09:59 2017 +0100 libsemanage: properly check return value of iterate function Function dbase_llist_iterate iterates over records and checks return value of iterate function. According to a manpage semanage_iterate(3), handler can return value 1 for early exit. dbase_llist_iterate currently checks for return value > 1, which does not include expected value 1. This affects most of the semanage_*_iterate and semanage_*_local functions. Signed-off-by: Jan Zarsky commit 2d49a4b41c6ecbcf254e6045f2e01f677ad58ffe Author: James Carter Date: Fri Nov 17 08:09:52 2017 -0500 libsepol/cil: Create new keep field for type attribute sets Daniel Cashman discovered the following: When using cil_db multiple_decls, the different cil_attribute nodes all point to the same underlying cil_attribute struct. This leads to problems, though, when modifying the used value in the struct. __cil_post_db_attr() changes the value of the field to based on the output of cil_typeattribute_used(), for use later in cil_typeattribute_to_policydb and cil_typeattribute_to_bitmap, but due to the multiple declarations, cil_typeattribute_used() could be called again by a second node. In this second call, the value used is the modifed value of CIL_TRUE or CIL_FALSE, not the flags actually needed. This could result in the field being reset again, to an incorrect CIL_FALSE value. Add the field "keep" to struct cil_typeattributeset, set its value using cil_typeattribute_used(), and use it when determining whether the attribute is to be kept or if it should be expanded. Signed-off-by: James Carter commit 5c48d93271b20a7c96ce2fb66fe46f829e870b5d Author: Lukas Vrabec Date: Wed Nov 15 14:25:53 2017 +0100 python/sepolicy: Fix sepolicy manpage. Arguments generate and gui was mixed together and information didn't make sense. This fix split gui and generate sections. Signed-off-by: Lukas Vrabec commit 2d21207796e01fec28c0f61874549f47956117ef Author: Vit Mojzis Date: Mon Nov 13 09:56:26 2017 +0100 python/semanage: Update Infiniband code to work on python3 Update Infiniband "port" and "key" listing and export to work on python3. {}.keys() does not support .sort() operation on Py3. Signed-off-by: Vit Mojzis commit 2927532b1c5823220d63f8f7c9e8c0bccc23b1bd Author: Vit Mojzis Date: Fri Nov 10 16:28:44 2017 +0100 python/semanage: Fix export of ibendport entries Replace nonexistent switch "-x" by "-z" (entry name). Fix invalid index (the dictionary key is a 2-tuple). Add MLS/MCS range (present in all entries). Fixes: #semanage ibendport -E File "/usr/sbin/semanage", line 1049, in do_parser() File "/usr/sbin/semanage", line 1028, in do_parser args.func(args) File "/usr/sbin/semanage", line 605, in handleIbendport for i in OBJECT.customized(): File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 1806, in customized l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0])) IndexError: tuple index out of range Signed-off-by: Vit Mojzis commit ebbf42d4087da1baa4ca3a578e48372b423b3635 Author: Petr Lautrbach Date: Mon Nov 6 16:00:40 2017 +0100 python/semanage: Enforce noreload only if it's requested by -N option We want to call semanage_set_reload() only if -N option is used. Fixes: $ sudo umount /sys/fs/selinux $ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667 SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). FileNotFoundError: [Errno 2] No such file or directory Signed-off-by: Petr Lautrbach commit 985753f11bb286bd7ec15ee2177e177a595f263a Author: Petr Lautrbach Date: Mon Nov 6 16:00:39 2017 +0100 python/semanage: Don't use global setup variable In order to do that we need to propagate args into seobject objects and use args.store to get a store name. Signed-off-by: Petr Lautrbach commit d05eaaf098e53dc12cf8df2e750dad2afb645824 Author: Petr Lautrbach Date: Mon Nov 6 16:00:38 2017 +0100 python/semanage: drop *_ini functions Signed-off-by: Petr Lautrbach commit c15f495a65e26933189b8f7da2f8fb93f5b0d6e8 Author: Jan Zarsky Date: Mon Nov 6 16:35:30 2017 +0100 libsemanage: free genhomedircon fallback user Function semanage_genhomedircon() adds fallback user and function setup_fallback_user() may add another one. But only one fallback user is freed. Make sure to free all fallback users in semanage_genhomedircon(). Signed-off-by: Jan Zarsky commit 1b7073c70079d80b05745cb8ba71db0e32776b3a Author: Nicolas Iooss Date: Tue Oct 24 23:39:39 2017 +0200 Travis-CI: try working around network issues by retrying downloads Some Travis-CI builds failed because of issues when downloading refpolicy files for sepolgen tests. Use curl's option --retry to make the downloads work when the networking issues are only transient. Signed-off-by: Nicolas Iooss commit 4da8fcc21a3240345c727ab8207225d76f12fc7d Author: Jan Zarsky Date: Mon Oct 23 10:52:34 2017 +0200 libsepol: free ibendport device names When reading policy, ibendport device names are allocated in ocontext_read_selinux() but they are not freed when calling sepol_policydb_free(); Fix this by freeing them in ocontext_selinux_free(). Signed-off-by: Jan Zarsky commit 80d6927b69b5d1411fde52cf693e05746aa6ad49 Author: Petr Lautrbach Date: Wed Oct 11 10:53:45 2017 +0200 libselinux: Add support for pcre2 to pkgconfig definition When libselinux is built using USE_PCRE2 libselinux.pc needs to require libpcre2-8 instead of libpcre. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1487521 Signed-off-by: Petr Lautrbach commit ae5f219d7abf0dd1dd487fdd451c939568007b68 Author: Stephen Smalley Date: Tue Oct 3 10:21:43 2017 -0400 semodule-utils: remove semodule_deps As discussed in https://github.com/SELinuxProject/selinux/issues/64, semodule_deps has apparently been broken for a very long time for binary modules and is completely irrelevant for CIL modules. If there are any users of it, they ought to be rewritten anyway since it is not producing correct dependency information, and the ultimate goal is to stop using binary modules altogether so it is not worth fixing. Remove it to avoid any further broken usage. Signed-off-by: Stephen Smalley commit 393bafd3c5a9209bb18fb5d8843a434fc714966b Author: Vit Mojzis Date: Wed Oct 4 17:36:04 2017 +0200 python/semanage: Enable listing file_contexts.homedirs Include entries from file_contexts.homedirs when listing file contexts via "semanage fcontext -l" "semanage fcontext -l" so far ignored content of file_contexts.homedirs file, which is confusing for users (more specific rules may be ignored in favor of rules unseen to the user since file_contexts.homedirs has higher priority than file_contexts). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813 Signed-off-by: Vit Mojzis commit bc161a9e942911a93ae893d7cfed732f172241a0 Author: Vit Mojzis Date: Wed Oct 4 17:36:03 2017 +0200 libsemanage: Add support for listing fcontext.homedirs file Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813 Signed-off-by: Vit Mojzis commit 5007687feb62e27678ee961243984bc319a22911 Author: Vit Mojzis Date: Wed Oct 4 17:36:02 2017 +0200 libsemanage: Keep copy of file_contexts.homedirs in policy store This will allow listing the correct file_contexts.homedirs using libsemanage regardless of selected policy store. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813 Signed-off-by: Vit Mojzis commit ef61301d7e113c4c4fe9945cde8f53974a3063f4 Author: Nicolas Iooss Date: Sun Oct 1 18:15:17 2017 +0200 gui: remove mappingsPage This page is not used anywhere and seems to be an incomplete version of loginsPage. Signed-off-by: Nicolas Iooss commit 7b0f5a12f4e159911b3303c963498944e3018c49 Author: Nicolas Iooss Date: Sun Oct 1 18:15:16 2017 +0200 gui: delete overridden definition of usersPage.delete() Function delete() is defined twice in class usersPage and the first one invoke semanagePage.delete(), which does not exist. Signed-off-by: Nicolas Iooss commit 3b5e8fb8421b0f80a7be61d0e54d71ee694b2b33 Author: Nicolas Iooss Date: Sun Oct 1 18:15:15 2017 +0200 gui: fix parsing of "semodule -lfull" in tab Modules The output of "semodule -lfull" changed from "module version" to "priority module kind". Update system-config-selinux to use this new format in its tab "Policy Module". Signed-off-by: Nicolas Iooss commit d689e3dc1647b78926126e8b0c3b22db98115dcd Author: Nicolas Iooss Date: Sun Oct 1 18:15:14 2017 +0200 gui: remove the status bar The status bar of system-config-selinux's main window is not used and takes some room. Remove it. Signed-off-by: Nicolas Iooss commit 305aacbc4b3c2a8a4aa4bcab7011dcb21a8d577c Author: Nicolas Iooss Date: Sun Sep 24 19:04:56 2017 +0200 sepolicy: support non-MLS policy in gui Several "sepolic gui" tabs raise exceptions when using a policy without MLS because some dictionaries describing users and logins lack level and range properties. Use conditions and get() where appropriate in order to make "sepolicy gui" usable again with a non-MLS policy. Signed-off-by: Nicolas Iooss commit 175efbf3ae21962b8306edaff699d2e9dc846772 Author: Nicolas Iooss Date: Sun Sep 24 19:04:55 2017 +0200 sepolicy: ignore comments and empty lines in file_contexts.subs_dist In refpolicy, file_contexts.subs_dist begins with comments: # This file can is used to configure base path aliases as in: # # /aliased_path /original_path_as_configured_in_file_contexts # The first line gets parsed in read_file_equiv even though it is not a valid path substitution and the second line triggers an exception when accessing f[1]: IndexError: list index out of range Parse substitutions only for lines which are not comment. Signed-off-by: Nicolas Iooss commit 6d9258e5a05fcce06c168b7460dbe6387a4a4dc4 Author: Nicolas Iooss Date: Sat Sep 23 15:45:53 2017 +0200 Travis-CI: fix configuration after September's update The latest update to Travis-CI build environment splitted sugilite environment into amethyst and garnet and deprecated sugilite. As garnet provides tools for languages C and Python, and as it is automatically selected according to https://travis-ci.org/fishilico/selinux/jobs/278927391 , remove "group: sugilite" from Travis-CI configuration file. This update introduced two issues: - Ruby 2.1 is no longer provided. As it has reached End Of Life according to https://www.ruby-lang.org/en/downloads/, remove it from the tested versions - Python 3.3, 3.4 and 3.5 are no longer installed by default. When Travis-CI builds Python projects using these versions, it automatically download and extract an archive from https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/. Implement this process in .travis.yml directly (because Travis-CI does not support multi-language projects which use several versions of C compilers and Python and Ruby interpreters). Last but not least, it is now possible to build with PyPy3. Enable this interpreter in the build environment matrix. More information about the Travis-CI update is available at https://docs.travis-ci.com/user/build-environment-updates/2017-09-06/ Signed-off-by: Nicolas Iooss commit 0f3beeb00e7a42cc2f44ef0392b8a3a7566a17d7 Author: Nicolas Iooss Date: Wed Sep 20 08:56:54 2017 +0200 gui: port to Python 3 by migrating to PyGI PyGTK has been deprecated in favor of PyGI+GTK and thus has never been ported to python3. Using pygi-convert.sh from https://git.gnome.org/browse/pygobject/tree/pygi-convert.sh helps migrating most of the API but gnome-python. The glade file has been converted to GtkBuilder using gtk-builder-convert system-config-selinux.glade system-config-selinux.ui and some fixes in order to provide an application window (object GnomeApp disappeared, GtkVBox is deprecated, etc.). The associated Python code also needed some modifications in order to migrate to GtkBuilder. The result has been tested on Arch Linux with Python 3.6. There are some bugs in the GUI itself, for which patches will be sent afterwards. Signed-off-by: Nicolas Iooss commit 8f0ea463bc4d60da04c98c921bd0dd8f348066b1 Author: Nicolas Iooss Date: Tue Sep 19 22:49:16 2017 +0200 sepolicy: do not fail when file_contexts.local or .subs do not exist On a system without any file context customizations, "sepolicy gui" fails to load because it tries to read a non-existing file: FileNotFoundError: [Errno 2] No such file or directory: '/etc/selinux/refpolicy-git/contexts/files/file_contexts.local' Once this issue is fixed, another one is triggered: FileNotFoundError: [Errno 2] No such file or directory: '/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs Use try/except to catch these exceptions and use OSError/errno.ENOENT to keep the code compatible with Python 2. Signed-off-by: Nicolas Iooss commit 77059c39e8a06743de9a15fb4501dac85ae0f889 Author: Jan Zarsky Date: Wed Sep 13 10:16:42 2017 +0200 libsepol: fix memory leak in sepol_bool_query() When sepol_bool_query() returns NULL response, variable name is not freed. Fix this by calling free() before returning. Signed-off-by: Jan Zarsky commit 7e9d1344db33533eeb4e807f270f4406944562ec Author: Nicolas Iooss Date: Sun Sep 3 14:19:28 2017 +0200 Makefile: define a default value for CFLAGS When building the project with "make DESTDIR=... install", the root Makefile defines CFLAGS and LDFLAGS without any warning flags ("CFLAGS += -I$(DESTDIR)/usr/include" and "LDFLAGS += -L$(DESTDIR)/usr/lib"). As the Makefiles in subdirectories do not override the flags with warning flags, the code gets compiled without any enabled warning. This leads for example to code being introduced which breaks building libsepol from its directory, while building it from the root Makefile still works fine. This issue can be fixed by defining a set of flags in the root Makefile which are used by all Makefiles in subdirectories. The flags have been chosen following these principles: * they are compatible with both clang and gcc, * they already appear in at least one Makefile, and * they are not triggered with the current git master version. Signed-off-by: Nicolas Iooss commit 04fb15deb77fc91ca637ee9d5cf4542610149222 Author: Nicolas Iooss Date: Sun Sep 3 14:19:27 2017 +0200 restorecond: check write() and daemon() results When compiling restorecond with -Wunused, gcc 4.8.4 (from Ubuntu 14.04) reports the following warnings: restorecond.c: In function ‘main’: restorecond.c:208:9: error: ignoring return value of ‘daemon’, declared with attribute warn_unused_result [-Werror=unused-result] daemon(0, 0); ^ restorecond.c: In function ‘write_pid_file’: restorecond.c:106:2: error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result] (void)write(pidfd, val, (unsigned int)len); ^ If any of these calls returns an error, it is currently silently discarded. Add a message in order to warn about such an error. Signed-off-by: Nicolas Iooss commit 13e5fa3b6bc236846a3d32e84a3c31044b6e2ea3 Author: Nicolas Iooss Date: Sun Sep 3 14:19:26 2017 +0200 libsepol/cil: drop wrong unused attribute cil_gen_node() has been using its argument "db" since commit fafe4c212bf6 ("libsepol: cil: Add ability to redeclare types[attributes]"). Drop attribute "unused" on this argument. Signed-off-by: Nicolas Iooss commit 12f3ef8280f1b669174c54ba881a146a38990046 Author: Nicolas Iooss Date: Sun Sep 3 14:19:25 2017 +0200 libsepol/cil: fix -Wwrite-strings warning cil_defaults_to_policy() defines its third argument as non-const "char *kind" even though it is called with literal strings. This makes gcc report the following warning when compiling with -Wwrite-strings: ../cil/src/cil_policy.c: In function ‘cil_gen_policy’: ../cil/src/cil_policy.c:1931:60: error: passing argument 3 of ‘cil_defaults_to_policy’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER], "default_user"); ^~~~~~~~~~~~~~ Signed-off-by: Nicolas Iooss commit 3ab3a218f2474a47283435202bee42f8aa0aad6b Author: Nicolas Iooss Date: Sun Sep 3 14:19:24 2017 +0200 libsepol/cil: __cil_post_db_neverallow_attr_helper() does not use extra_args Since commit 67b410e80f09 ("libsepol/cil: Keep attributes used by generated attributes in neverallow rules") gcc reports the following warning when building libsepol: ../cil/src/cil_post.c: In function ‘__cil_post_db_neverallow_attr_helper’: ../cil/src/cil_post.c:1322:17: error: unused variable ‘db’ [-Werror=unused-variable] struct cil_db *db = extra_args; ^~ Signed-off-by: Nicolas Iooss commit 51bc21036ce3368506cf9db2b319ab42eb355515 Author: Nicolas Iooss Date: Sun Sep 3 14:19:23 2017 +0200 libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses When compiling libsepol with clang and some warning flags, the compiler complains about the way IPv6 addresses are initialized: kernel_to_cil.c:2795:35: error: suggest braces around initialization of subobject [-Werror,-Wmissing-braces] struct in6_addr subnet_prefix = {0}; ^ {} When replacing the initializer as suggested, gcc 4.8.4 complains: kernel_to_cil.c: In function ‘write_selinux_ibpkey_rules_to_cil’: kernel_to_cil.c:2795:9: error: missing initializer for field ‘__in6_u’ of ‘struct in6_addr’ [-Werror=missing-field-initializers] struct in6_addr subnet_prefix = {}; ^ Thankfully netinet/in.h provides a macro to initialize struct in6_addr variables: #define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } } Both clang and gcc no longer report warnings when using this macro. Signed-off-by: Nicolas Iooss commit 67b410e80f0917bf1b378997cac0dddf1e6406f7 Author: James Carter Date: Wed Aug 30 14:22:28 2017 -0400 libsepol/cil: Keep attributes used by generated attributes in neverallow rules In order to reduce policy size, CIL removes attributes that are not used by a policy rule in the generated binary policy. However, CIL keeps attributes used by neverallow rules (which are checked at compile time and not in the binary policy) even if the attribute is not used anywhere else in the policy. This behavior is useful to Google who pulls neverallow rules out of the original policy.conf for compatibility testing, but converts the policy.conf to CIL and uses the CIL compiler to generate policy. Without this behavior, the generated binary policy might not have an attribute referred to by one of the neverallow rules used for testing. The one exception to this behavior is for attributes generated in module_to_cil (these have an "_typeattr_" in the middle of their name). Since these attributes are only created because CIL does not allow a type expression in an AV rule, they are removed if they only appear in a neverallow rule (which is the case for most of them) or if the option to expand generated attributes (-G or --expand-generated) is specified for secilc when compiling the policy. Removing generated attributes causes a problem, however, if the type expression that the generated attribute is replacing uses an attribute that is removed. In this case, the original neverallow rule will refer to an attribute that does not exist in the generated binary policy. Now any non-generated attribute used in a typeattributeset rule for a generated attribute which is used in a neverallow rule will be treated like it was used in a neverallow rule. This does not change the behavior of an expandtypeattribute rule for the attribute. That rule, if it exists, will take precedence. Signed-off-by: James Carter commit fafe4c212bf6c32c3021d7b69bcc0cf219e71608 Author: Dan Cashman Date: Tue Aug 29 09:32:05 2017 -0700 libsepol: cil: Add ability to redeclare types[attributes] Modify cil_gen_node() to check to see if the cil_db supports multiple declarations, and if so, to check whether or not the repeated symbol is eligible to share the existing, already-stored datum. The only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of which intall empty datums during AST building, so they automatically return true. Test: Build policy with multilpe type and attribute declarations, and without. Policies are binary-identical. Signed-off-by: Dan Cashman Signed-off-by: James Carter commit 1346746d82373bbc4516a830e7f17352b929fa35 Author: Jan Zarsky Date: Fri Aug 25 11:46:47 2017 +0200 libsepol: reset pointer after free In cil_strpool_destroy(), cil_strpool_tab is freed but it is not reset to NULL. When cil_strpool_init() is called again it assumes that cil_strpool_tab was already initialized. Other functions then work with invalid data. Signed-off-by: Jan Zarsky commit 53bb2a11c23b774f096701bab759c6ab9ec52ea1 Author: Stephen Smalley Date: Thu Aug 17 14:16:06 2017 -0400 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address Update my email address since epoch.ncsc.mil no longer exists. Signed-off-by: Stephen Smalley commit f77ad59b4632a983642177726657118e293acc87 Author: Grégoire Colbert Date: Tue Jul 18 11:09:26 2017 +0200 Fixed bad reference in roleattribute "roleattribute" was referencing "typeattributeset", but I believe it should be referencing "roleattributeset" instead. Signed-off-by: James Carter commit bd75c5695c629a20aeb7c9d723290e2d7bb8a3f3 Author: Nicolas Iooss Date: Sat Aug 5 18:37:50 2017 +0200 sepolicy: remove stray space in section "SEE ALSO" The space after "sepolicy(8)" breaks the formatting of section SEE ALSO in man pages generated with sepolicy: SEE ALSO selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) , setsebool(8), Signed-off-by: Nicolas Iooss commit 9f8e5394199575634f6e8a68d5c1ed8c039d3268 Author: Nicolas Iooss Date: Sat Aug 5 18:37:49 2017 +0200 sepolicy: support non-MCS policy in manpage This prevents the following exception to occur when using "sepolicy manpage": Traceback (most recent call last): File "/bin/sepolicy", line 699, in args.func(args) File "/bin/sepolicy", line 359, in manpage m = ManPage(domain, path, args.root, args.source_files, args.web) File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 459, in __init__ self.__gen_man_page() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 548, in __gen_man_page self._mcs_types() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 978, in _mcs_types mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type")) StopIteration Signed-off-by: Nicolas Iooss commit 908340e8e7a9cc2715a399831f2397ffa57ec2a8 Author: Nicolas Iooss Date: Sat Aug 5 18:37:48 2017 +0200 sepolicy: support non-MLS policy in manpage "sepolicy manpage" fails when the system does not use MLS because using x.context.range_ raises an exception. Avoid using range and levels when _pol.mls is False. Signed-off-by: Nicolas Iooss commit 07d06cc430749a39128f6fef320c9d76c9d74d3e Author: Nicolas Iooss Date: Sat Aug 5 18:37:47 2017 +0200 sepolicy: fix misspelling of _ra_content_t suffix When "sepolicy manpage" generates descriptions for file type, it uses a mispelled _ra_content_t suffix for prettyprinting, which results in an unwanted double-space on the line. For example sepolicy manpage -d httpd_t produces: .EX .P .B httpd_apcupsd_cgi_ra_content_t .EE - Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content. Signed-off-by: Nicolas Iooss commit d329bb546552f11ae3f6ce2dafb86d4e2859e8a1 Author: Nicolas Iooss Date: Sat Aug 5 18:37:46 2017 +0200 sepolicy: do not fail when file_contexts.local does not exist When running "sepolicy manpage" on a system without file_contexts.local, the command fails with: FileNotFoundError: [Errno 2] No such file or directory: '//etc/selinux/refpolicy/contexts/files/file_contexts.local' Verify that the file exists before using it. Signed-off-by: Nicolas Iooss commit 3edb139789d0895aba9c34f6ce27dea40c181ddf Author: Nicolas Iooss Date: Sat Aug 5 18:37:45 2017 +0200 sepolicy: fix Python3 syntax in manpage Commit c624c4abaaf3 ("sepolicy: Fix syntax errors in 'manpage -w'") missed an occurence of print statement. While at it, fix self.os_version test. Signed-off-by: Nicolas Iooss commit ff2e36831dd941d57df18ab9e998924bdc563f4a Author: Nicolas Iooss Date: Sat Aug 5 12:16:49 2017 +0200 Travis-CI: do not test gold linkers with clang clang does not know -fuse-ld=gold. It only needs -flto, which automatically adds -plugin=LLVMgold.so to the linker command line, but this does not work on Travis-CI because the gold linker plugin is not installed: /usr/bin/ld: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so: error loading plugin: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so: cannot open shared object file: No such file or directory Disable in the build matrix the combination of linking with special linkers with using clang. Signed-off-by: Nicolas Iooss commit b1ea8120832d1bb02090098564870af909f10008 Author: Nicolas Iooss Date: Sat Aug 5 12:16:48 2017 +0200 Travis-CI: use sugulite environment Travis-CI provides several environments for Ubuntu 14.04 Trusty. It chooses the one that best matches the needs defined in .travis.yml depending on a complex algorithm. In order to test several C compilers, Python versions and Ruby versions, we need the full image, which is named "sugulite". For future reference, there are some notes about using the full image on https://github.com/travis-ci/packer-templates/pull/454 and https://github.com/travis-ci/docs-travis-ci-com/issues/1267#issuecomment-316016312 and https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch Signed-off-by: Nicolas Iooss