commit 4dca9576eac769dee530738edf86d42e69967865 Author: Petr Lautrbach Date: Tue Oct 1 14:26:00 2019 +0200 Update VERSIONs to 3.0-rc1 for release. Signed-off-by: Petr Lautrbach commit 74c5e551ca58dc02e95487be95cd8d5d83857b41 Author: Nicolas Iooss Date: Mon Sep 30 22:22:11 2019 +0200 libsemanage/tests: check that string pointers are not NULL before comparing them This silences many issues reported by Infer static analyzer about possible NULL pointer dereferences. Signed-off-by: Nicolas Iooss commit 7673b97e45fd6f1c54190e029dcadaa8db49c97d Author: Nicolas Iooss Date: Mon Sep 30 22:22:10 2019 +0200 libsemanage/tests: return when str is NULL CU_FAIL() does not stop the execution flow. This issue has been found using Infer static analyzer. Signed-off-by: Nicolas Iooss commit adcc353f6eb24058867bd478d86270693af5e5c1 Author: Vit Mojzis Date: Mon Sep 30 09:49:04 2019 +0200 python/semanage: fix moduleRecords.customized() Return value of "customized" has to be iterable. Fixes: "semanage export" with no modules in the system (eg. monolithic policy) crashes: Traceback (most recent call last): File "/usr/sbin/semanage", line 970, in do_parser() File "/usr/sbin/semanage", line 949, in do_parser args.func(args) File "/usr/sbin/semanage", line 771, in handleExport for c in OBJECT.customized(): TypeError: 'NoneType' object is not iterable Signed-off-by: Vit Mojzis commit 3a9b4505bfc1333020577efbcce92458d3f3673b Author: Vit Mojzis Date: Fri Sep 27 16:13:47 2019 +0200 python/semanage: Improve handling of "permissive" statements - Add "customized" method to permissiveRecords which is than used for "semanage permissive --extract" and "semanage export" - Enable "semanage permissive --deleteall" (already implemented) - Add "permissive" to the list of modules exported using "semanage export" - Update "semanage permissive" man page Signed-off-by: Vit Mojzis commit 9d8fd6e9b9c3ec4c49d59e9bcb006317efc13acd Author: James Carter Date: Wed Sep 25 15:28:17 2019 -0400 libsepol: Further improve binary policy optimization This improves commit b8213acf (libsepol: add a function to optimize kernel policy) by Ondrej Mosnacek by always removing redundant conditional rules which have an identical rule in the unconditional policy. Add a flag called not_cond to is_avrule_redundant(). When checking unconditional rules against the avtab (which stores the unconditional rules) we need to skip the actual rule that we are checking (otherwise a rule would be determined to be redundant with itself and bad things would happen), but when checking a conditional rule against the avtab we do not want to skip an identical rule (which is what currently happens), we want to remove the redundant permissions in the conditional rule. A couple of examples to illustrate when redundant condtional rules are not removed. Example 1 allow t1 t2:class1 perm1; if (bool1) { allow t1 t2:class1 perm1; } The conditional rule is clearly redundant, but without this change it will not be removed, because of the check for an identical rule. Example 2 typeattribute t1 a1; allow t1 t2:class1 perm1; allow a1 t2:class1 perm1; if (bool1) { allow t1 t2:class1 perm1; } The conditional rule is again clearly redundant, but now the order of processing during the optimization will determine whether or not the rule is removed. Because a1 contains only t1, a1 and t1 are considered to be supersets of each other. If the rule with the attribute is processed first, then it will be determined to be redundant and removed, so the conditional rule will not be removed. But if the rule with the type is processed first, then it will be removed and the conditional rule will be determined to be redundant with the rule with the attribute and removed as well. The change reduces the size of policy a bit more than the original optimization. Looking at the change in number of allow rules, there is about a 10% improvement over the old optimization. orig old new Refpolicy 113284 82467 78053 Fedora 106410 64015 60008 Signed-off-by: James Carter commit 120681c1a392a297bce6468b8887a767feced744 Author: Nicolas Iooss Date: Fri Sep 27 00:04:05 2019 +0200 libsepol, libsemanage: add a macro to silence static analyzer warnings in tests Several static analyzers (clang's one, Facebook Infer, etc.) warn about NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL() in the test code written using CUnit framework. This is because this CUnit macro is too complex for them to understand that the pointer cannot be NULL: it is translated to a call to CU_assertImplementation() with an argument as TRUE in order to mean that the call is fatal if the asserted condition failed (cf. http://cunit.sourceforge.net/doxdocs/group__Framework.html). A possible solution could consist in replacing the CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers know about assert(). Nevertheless this seems to go against CUnit's API. An alternative solution consists in overriding CU_ASSERT_..._FATAL() macros in order to expand to assert() after a call to the matching CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove many false-positive warnings from various static analyzers. As this substitution should only occur when using static analyzer, put it under #ifdef __CHECKER__, which is the macro used by sparse when analyzing the Linux kernel. Signed-off-by: Nicolas Iooss commit eca4ee4542e9f641ad1fdf29f7996cd2454939df Author: Nicolas Iooss Date: Sat Sep 21 23:30:37 2019 +0200 CircleCI: run scan-build and publish its results automatically CircleCI is a continuous integration system like Travis CI, which provides different features. Contrary to Travis CI, it is quite harder to build the project with several build configurations (so it is not a replacement), but it provides short-term storage for files produced by a build job in what is called "artifacts". Use this feature in order to store the results of clang's static analyzer (scan-build) after every pushed commit. This way makes it possible to quickly compare the result of the analyzer after applying some patches that were sent for review to the mailing list, as it no longer requires running the analyzer several times on the development machine. An output example is available at https://352-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-21-164945-6152-1/index.html These web pages were created by the job described at https://circleci.com/gh/fishilico/selinux/352 Signed-off-by: Nicolas Iooss commit 54cb5c674bd26d1da3a0e1470afd8bd783988897 Author: Petr Lautrbach Date: Tue Sep 24 21:46:37 2019 +0200 Switch last 2 files using /usr/bin/env to /usr/bin/python3 Other python scripts already use python3 by default. Both files don't have exec bits so they have to be run using python interpret on command line anyway: $ python3 ./setup.py ... Signed-off-by: Petr Lautrbach commit 68fbb6b0a0655014959e2ef1ce9548d6aa33bc20 Author: Petr Lautrbach Date: Tue Sep 24 21:15:23 2019 +0200 python/semanage: Do not use default s0 range in "semanage login -a" Using the "s0" default means that new login mappings are always added with "s0" range instead of the range of SELinux user. Signed-off-by: Petr Lautrbach commit 5dfa95c6865f7bd15c0462eb812efaab126dfbe6 Author: Petr Lautrbach Date: Tue Sep 24 21:12:21 2019 +0200 gui: Fix remove module in system-config-selinux When a user tried to remove a policy module with priority other than 400 via GUI, it failed with a message: libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory). This is fixed by calling "semodule -x PRIORITY -r NAME" instead of "semodule -r NAME". From Jono Hein Signed-off-by: Petr Lautrbach commit f4e741a144124e8197d3d20ed53a6938ccd6593d Author: Petr Lautrbach Date: Tue Sep 24 21:08:54 2019 +0200 policycoreutils/fixfiles: Force full relabel when SELinux is disabled The previous check used getfilecon to check whether / slash contains a label, but getfilecon fails only when SELinux is disabled. Therefore it's better to check this using selinuxenabled. Signed-off-by: Petr Lautrbach commit d3a8fc4c03ea1bbe1a5da70e4d0bc164ce1c38b0 Author: Petr Lautrbach Date: Tue Sep 24 21:08:53 2019 +0200 policycoreutils/fixfiles: Fix [-B] [-F] onboot Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel" command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes `fixfiles -B onboot` to show usage instead of updating /.autorelabel The code is restructured to handle -B for different modes correctly. Fixes: # fixfiles -B onboot Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel ... Signed-off-by: Petr Lautrbach commit 152aeb152fc956fec33378384069b497ceabda05 Author: Vit Mojzis Date: Tue Sep 24 08:41:30 2019 +0200 policycoreutils/fixfiles: Fix "verify" option "restorecon -n" (used in the "restore" function) has to be used with "-v" to display the files whose labels would be changed. Fixes: Fixfiles verify does not report misslabelled files unless "-v" option is used. Signed-off-by: Vit Mojzis commit 68b2e4416e5c7c272af43312d4faf4e1dd62a8a2 Author: Nicolas Iooss Date: Fri Sep 20 07:59:55 2019 +0200 libselinux: do not add rc to pos twice In regex_format_error(), when error_data->error_offset is zero, rc is not updated and should not be added to pos again. Signed-off-by: Nicolas Iooss commit 340da085a51612ba6c08d1334f8fc88d07441235 Author: Nicolas Iooss Date: Fri Sep 20 07:59:54 2019 +0200 libselinux: ensure strlen() is not called on NULL When compile_regex() calls regex_prepare_data() and this function fails in the following condition: *regex = regex_data_create(); if (!(*regex)) return -1; ... error_data has been zero-ed and compile_regex() calls: regex_format_error(&error_data, regex_error_format_buffer, sizeof(regex_error_format_buffer)); This leads to a call to strlen(error_data->error_buffer), where error_data->error_buffer is NULL. Avoid this by checking that error_data->error_buffer is not NULL before trying to format it. This issue has been found using clang's static analyzer: https://337-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-01-181851-6152-1/report-0b122b.html#EndPath Signed-off-by: Nicolas Iooss commit b550c0e20221cca29ac51e6165feec3640baa3a5 Author: Nicolas Iooss Date: Mon Aug 5 22:11:20 2019 +0200 Fix many misspellings Use codespell (https://github.com/codespell-project/codespell) in order to find many common misspellings that are present in English texts. Signed-off-by: Nicolas Iooss commit e17e489ee3b41504f107af0375cc2f4f7cc8697a Author: Nicolas Iooss Date: Sun Sep 1 20:14:10 2019 +0200 Add configuration file for lgtm.com Add a configuration file in order to parse the C code on https://lgtm.com/projects/g/SELinuxProject/selinux/ The documentation about this file is on https://help.semmle.com/lgtm-enterprise/user/help/lgtm.yml-configuration-file.html and https://help.semmle.com/lgtm-enterprise/user/help/cpp-extraction.html Fixes: https://github.com/SELinuxProject/selinux/issues/98 Signed-off-by: Nicolas Iooss commit 86df2b27a7dd4e12e3a2f8adc7c2c3afe7db5ead Author: Mike Palmiotto Date: Mon Sep 16 16:30:15 2019 -0400 libselinux: fix string conversion of unknown perms Commit c19395d72295f5e69275d98df5db22dfdf214b6c fixed some handling of unknown classes/permissions, but missed the case where an unknown permission is loaded and then subsequently logged, either via denial or auditallow. If a permission set has some valid values mixed with unknown values, say `{ read write foo }`, a check on `{ read write foo }` would fail to log the entire set. To fix this, skip over the bad permissions/classes when expanding them to strings. The unknowns should be logged during `selinux_set_mapping`, so there is no need for further logging of the actual unknown permissions. Signed-off-by: Mike Palmiotto commit cfc57c2e7038349fbb4ae1f88d43e416eb38d13d Author: Nicolas Iooss Date: Sun Sep 1 20:06:36 2019 +0200 libsepol/tests: do not dereference a NULL pointer In test_attr_types, the pointer decl is allowed to be NULL in the beginning, but is dereferenced to produce a helpful message right before a CU_ASSERT_FATAL. Make this derefence not happen if the pointer is NULL. This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss commit 0da7718310cbb6e942349c5a515c83b9f6dea432 Author: Nicolas Iooss Date: Sun Sep 1 20:06:35 2019 +0200 python/sepolicy: remove unnecessary pass statement This issue has been found using lgtm.com analyzer: https://lgtm.com/projects/g/SELinuxProject/selinux/snapshot/eac5e661ca7300800000496fe13985286af70c6d/files/python/sepolicy/sepolicy/__init__.py?sort=name&dir=ASC&mode=heatmap#x9f8225117f52fb01:1 Signed-off-by: Nicolas Iooss commit af67fa5d9578ead495de93da70d28bfcb002a438 Author: Nicolas Iooss Date: Sun Sep 1 20:06:34 2019 +0200 python/chcat: remove unnecessary assignment chcat_add() defines variable cmd twice before calling subprocess.check_call(cmd, ...). Remove the first definition. This bug was found using lgtm.com analyzer: https://lgtm.com/projects/g/SELinuxProject/selinux/snapshot/eac5e661ca7300800000496fe13985286af70c6d/files/python/chcat/chcat?sort=name&dir=ASC&mode=heatmap#L118 Signed-off-by: Nicolas Iooss commit dddd28e90bc29bf1b8fcefe860667126cfbf09d4 Author: Nicolas Iooss Date: Sun Sep 1 20:06:33 2019 +0200 libsepol/cil: do not dereference perm_value_to_cil when it has not been allocated When one of the first allocations of cil_binary_create_allocated_pdb() fails, the exit label dereferences the items of array perm_value_to_cil even though it could be still NULL. This issue has been found using clang's static analyzer: https://327-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-08-05-203459-6149-1/report-febf85.html#EndPath Signed-off-by: Nicolas Iooss commit c8ac3af7b55b97fb0ead395b300656c7e81a05b4 Author: Nicolas Iooss Date: Sun Sep 1 20:06:32 2019 +0200 libsepol: reset *p to NULL if sepol_module_package_create fails semodule-utils/semodule_link/semodule_link.c contains: static sepol_module_package_t *load_module(char *filename) { /* ... */ if (sepol_module_package_create(&p)) { /* ... */ goto bad; /* ... */ bad: sepol_module_package_free(p); When sepol_module_package_create() fails while having successfully allocated p, it currently frees p without setting it back to NULL. This causes a use-after-free in load_module(). Prevent this use-after-free by setting sepol_module_package_create's argument back to NULL when an error happens. This issue has been found using Infer static analyzer. Signed-off-by: Nicolas Iooss commit 0b136a35e345ecf86c1343066a5206b4d794082c Author: Nicolas Iooss Date: Sun Sep 1 20:06:31 2019 +0200 libsepol: do not dereference scope if it can be NULL Doing this looks wrong: len = scope->decl_ids_len; if (scope == NULL) { /* ... */ Move the dereferencing of scope after the NULL check. This issue has been found using Infer static analyzer. Signed-off-by: Nicolas Iooss commit da8e3c7d3696096687983034a7e965e822a1a2b0 Author: Nicolas Iooss Date: Sun Sep 1 20:06:28 2019 +0200 semodule-utils: fix comparison with argc In order for argv[3] to be used, argc needs to be at least 4, not 3. This bug was found using lgtm.com analyzer: https://lgtm.com/projects/g/fishilico/selinux-for-lgtm/snapshot/8c1b2658f80392ff8b3532c6bd5d0cefac8afb30/files/semodule-utils/semodule_package/semodule_unpackage.c?sort=name&dir=ASC&mode=heatmap#xb1ce80b43260d34c:1 Signed-off-by: Nicolas Iooss commit 4a266cc3ce05eed2094b8ae1d4297b98efa4278c Author: Nicolas Iooss Date: Sun Sep 15 21:10:39 2019 +0200 libsepol: do not dereference a failed allocated pointer When strs_stack_init(&stack) fails to allocate memory and stack is still NULL, it should not be dereferenced with strs_stack_pop(stack). This issue has been found using Infer static analyzer. Signed-off-by: Nicolas Iooss commit 4459d635b8f1cd79a128a344340fa452579cd713 Author: James Carter Date: Thu Sep 12 16:24:23 2019 -0400 libsepol: Remove cil_mem_error_handler() function pointer As reported by Nicolas Iooss (nicolas.iooss@m4x.org), static analyzers have problems understanding that the default memory error handler does not return since it is called through the cil_mem_error_handler() function pointer. This results in a number of false positive warnings about null pointer dereferencing. Since the ability to set the cil_mem_error_handler() is only through the function cil_set_mem_error_handler() which is never used and whose definition is not in any header file, remove that function, remove the use of cil_mem_error_handler() and directly in-line the contents of the default handler, cil_default_mem_error_handler(). Signed-off-by: James Carter commit dc4e54126bf25dea4d51820922ccd1959be68fbc Author: James Carter Date: Thu Sep 12 13:38:22 2019 -0400 libsepol: Make an unknown permission an error in CIL This patch is loosely based on a patch by Yuli Khodorkovskiy from June 13th, 2019. Since any permission used in the policy should be defined, CIL should return an error if it cannot resolve a permission used in a policy. This was the original behavior of CIL. The behavior was changed over three commits from July to November 2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change was motivated by Fedora trying to remove permissions from its policy that were never upstreamed (ex/ process ptrace_child and capability2 compromise_kernel). Local or third party modules compiled with those permissions would break policy updates. After three years it seems unlikely that we need to worry about those local and third party modules and it is time for CIL to give an error like it should. Signed-off-by: James Carter commit 26e83975d50651b957961de20fcb2f3016a75f5a Author: Vit Mojzis Date: Tue Jul 2 14:09:05 2019 +0200 Fix mcstrans secolor examples According to "check_dominance" function: Range defined as "s15:c0.c1023" does not dominate any other range than "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). While range defined as "s15-s15:c0.c1023" dominates all of the above. This is either a bug, or "s15:c0.c1023" should not be used in the examples. Signed-off-by: Vit Mojzis commit 2ff0fbffcf031336539371d15032fce904095bfa Author: Vit Mojzis Date: Tue Jul 2 14:09:04 2019 +0200 Revert "mcstransd select correct colour range." This reverts commit fe17b3d2d924018750386c5ee74f12ca4b054136. MLS ranges should be compared based on dominance. This fixes mlscolor-test on mcstrans examples. Eg. mlscolor-test using /usr/share/mcstrans/examples/urcsts when executed on mls machine fails as follows: \#pushd /usr/share/mcstrans/examples/urcsts \#cp -f secolor.conf /etc/selinux/mls/secolor.conf \#cp -f setrans.conf /etc/selinux/mls/setrans.conf \#systemctl restart mcstransd \#python3 /usr/share/mcstrans/util/mlscolor-test urcsts.color For 'system_u:system_r:inetd_t:SystemLow' got '#000000 #000000 #000000 #000000 #000000 #000000 #000000 #000000' expected '#000000 #000000 #000000 #000000 #000000 #000000 #000000 #008000' ... mlscolor-test done with 19 errors Signed-off-by: Vit Mojzis commit 9ba35fe8c280b7c91ec65b138d9f13e44ededaa9 Author: Joshua Brindle Date: Mon Sep 9 11:05:57 2019 -0700 Add default_range glblub support Policy developers can set a default_range default to glblub and computed contexts will be the intersection of the ranges of the source and target contexts. This can be used by MLS userspace object managers to find the range of clearances that two contexts have in common. An example usage is computing a transition between the network context and the context of a user logging into an MLS application. For example, one can add a default with this cil: (defaultrange db_table glblub) or in te (base module only): default_range db_table glblub; and then test using the compute_create utility: $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 Some example range transitions are: User Permitted Range | Network Device Label | Computed Label ---------------------|----------------------|---------------- s0-s1:c0.c12 | s0 | s0 s0-s1:c0.c12 | s0-s1:c0.c1023 | s0-s1:c0.c12 s0-s4:c0.c512 | s1-s1:c0.c1023 | s1-s1:c0.c512 s0-s15:c0,c2 | s4-s6:c0.c128 | s4-s6:c0,c2 s0-s4 | s2-s6 | s2-s4 s0-s4 | s5-s8 | INVALID s5-s8 | s0-s4 | INVALID Signed-off-by: Joshua Brindle commit 6177a6f2c48ebaeb9581fdf9186eecd0d6e03a64 Author: Nicolas Iooss Date: Tue Jul 30 23:40:39 2019 +0200 libsemanage: include internal header to use the hidden function prototypes When functions from libsemanage calls other functions that are exported, these functions need to be "wrapped" using hidden_proto() macro. This is done in headers such as "user_internal.h". Several functions in genhomedircon.c are not doing this, which makes building with -flto fail with errors such as: /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `user_sort_func': /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758: undefined reference to `semanage_user_get_name' /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758: undefined reference to `semanage_user_get_name' /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `fcontext_matches': /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:240: undefined reference to `semanage_fcontext_get_expr' /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:248: undefined reference to `semanage_fcontext_get_type' /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `add_user.isra.0': /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:992: undefined reference to `semanage_user_get_mlslevel' /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `write_context_file': /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:892: undefined reference to `semanage_user_key_create' /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:764: undefined reference to `semanage_user_get_name' /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:897: undefined reference to `semanage_user_query' /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:905: undefined reference to `semanage_user_get_mlslevel' Include the missing headers. Fixes: https://github.com/SELinuxProject/selinux/issues/169 Signed-off-by: Nicolas Iooss commit f25d03d75d3504e71b1fcb7cee74c0d2cba1cda0 Author: Nicolas Iooss Date: Sat Jun 29 21:53:44 2019 +0200 libselinux: ensure that digest_len is not zero In add_xattr_entry(), if selabel_get_digests_all_partial_matches() returns with digest_len = 0, the code gets executed as: sha1_buf = malloc(digest_len * 2 + 1); /* Allocate 1 byte */ /* ... */ for (i = 0; i < digest_len; i++) /* Do not do anything */ sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); /* ... */ new_entry->digest = strdup(sha1_buf); /* use of uninitiliazed content */ This is reported by some static code analyzers, even though in practise digest_len should never be zero, and the call to sprintf() ensures that the content of sha1_buf is initialized and terminated by '\0'. Make sure to never call strdup() on an uninitialized string by verifying that digest_len != 0. Signed-off-by: Nicolas Iooss commit 7eef9386c2f91b622121985482ad79e4e1f043b6 Author: Nicolas Iooss Date: Wed Jun 26 08:51:03 2019 +0200 libsepol: initialize a local variable once Function optimize_cond_av_list() initializes its local variable pcov_cur twice. Remove the first initialization. This issue has been found using clang's static analyzer: https://282-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-06-24-210510-6101-1/report-c64da3.html#EndPath Signed-off-by: Nicolas Iooss commit 2a1766f4431e1d84b3a712d718ceea4c882b22a3 Author: Richard Haines Date: Fri Jun 21 16:40:53 2019 +0100 selinux: Update manpages after removing legacy boolean and user code Remove and update all relevant manpages. Signed-off-by: Richard Haines commit c3f9492d7ff05bdc8581817655ad05bc1e1174b8 Author: Richard Haines Date: Mon Jun 24 19:02:28 2019 +0100 selinux: Remove legacy local boolean and user code Remove legacy local boolean and user code, and to preserve API/ABI compatibility the following functions int values should be set to '0' as they are no longer used: selinux_mkload_policy(int preservebools) security_set_boolean_list(.... int permanent) and the following are now no-op and return '-1': security_load_booleans() sepol_genusers() sepol_set_delusers() sepol_genbools() sepol_genbools_array() and these still return their paths for compatibility, however they are marked as deprecated: selinux_booleans_path() selinux_users_path() These have been removed as they are local functions only: sepol_genusers_policydb() sepol_genbools_policydb() Also "SETLOCALDEFS" removed from SELinux config file and code. Signed-off-by: Richard Haines commit 526534e304324beba7b0c8552c73949694b48406 Author: Richard Haines Date: Sat Jul 6 16:21:15 2019 +0100 setfiles: Update utilities for the new digest scheme Update restorecon_xattr and man pages for new digest scheme managed by selinux_restorecon(3). Note that the Russian man pages require updating. Signed-off-by: Richard Haines commit e016502c0a265d661a3a4b541b865eec94aae2b1 Author: Richard Haines Date: Sat Jul 6 16:21:14 2019 +0100 libselinux: Save digest of all partial matches for directory We used to hash the file_context and skip the restorecon on the top level directory if the hash doesn't change. But the file_context might change after an OTA update; and some users experienced long restorecon time as they have lots of files under directories like /data/media. This CL tries to hash all the partial match entries in the file_context for each directory; and skips the restorecon if that digest stays the same, regardless of the changes to the other parts of file_context. This is a version ported from Android that was originally written by: xunchang Signed-off-by: Richard Haines commit c00ed59281d94da382228bf85a9ac167c080f509 Author: xunchang Date: Wed Apr 17 11:09:55 2019 -0700 libselinux: Ignore the stem when looking up all matches in file context This is a follow up fix to the restorecon change in commit 6ab5fbaabc84f7093b37c1afae855292e918090f This change has been tested in android for a while. The stem is a list of top level directory (without regex metachar) covered in the file context. And it constructs from finding the second '/' in the regex_string; and aims to speed up the lookup by skipping unnecessary regex matches. More contexts in https://lore.kernel.org/selinux/200309231522.25749.russell@coker.com.au/ However, this caused some issue when we try to find all the partial matches for a root directory. For example, the path "/data" doesn't have a stem while the regex "/data/misc/(/.*)?" has "/data" as the stem. As a result, all the regex for the subdirs of /data will not considered as a match for "/data". And the restorecon will wrongly skip on top level "/data" when there's a context change to one of subdir. This CL always includes the stem when compiling the regex in all circumstances. Also, it ignores the stem id check in the "match all" case, while the behavior for the single match stays unchanged. I will collect more data to find out if stem id check is still necessary at all with the new restorecon logic. Test: run restorecon on "/data"; change the context of one subdir and run again, and the context is restored on that subdir; search the caller of regex_match Signed-off-by: Tianjie Xu commit 5cff2813c5792c438fa8fc38774ed048c55bee93 Author: xunchang Date: Mon Mar 11 15:24:42 2019 -0700 Restorecon: factor out a lookup helper for context matches We used to hash the file_context and skip the restorecon on the top level directory if the hash doesn't change. But the file_context might change after an update; and some users experienced long restorecon time as they have lots of files under directories like /data/media. Therefore, we try to skip unnecessary restores if the file context relates to the given directory doesn't change. This CL is the first step that factors out a lookup helper function and returns an array of matched pointers instead of a single one. The old loopup_common function is then modified to take the first element in the array. This change has already been submitted in android selinux branch. And porting it upstream will make these two branches more consistent and save some work for the future merges. Signed-off-by: Tianjie Xu commit 2efa06857575e4118e91ca250b6b92da68b130d5 Author: Petr Lautrbach Date: Fri Jun 7 17:35:44 2019 +0200 libselinux: Use Python distutils to install SELinux python bindings Follow officially documented way how to build C extension modules using distutils - https://docs.python.org/3.8/extending/building.html#building Fixes: - selinux python module fails to load when it's built using SWIG-4.0: >>> import selinux Traceback (most recent call last): File "", line 1, in File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in from . import _selinux ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py) SWIG-4.0 changed (again?) its behavior so that it uses: from . import _selinux which looks for _selinux module in the same directory as where __init__.py is - $(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into $(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location of _selinux.so"). - audit2why python module fails to build with Python 3.8 cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DOVERRIDE_GETTID=0 -I../include -D_GNU_SOURCE -DDISABLE_RPM -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L. -shared -o python-3.8audit2why.so python-3.8audit2why.lo -lselinux -l:libsepol.a -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs /usr/bin/ld: python-3.8audit2why.lo: in function `finish': /builddir/build/BUILD/libselinux-2.9/src/audit2why.c:166: undefined reference to `PyArg_ParseTuple' /usr/bin/ld: python-3.8audit2why.lo: in function `_Py_INCREF': /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct' /usr/bin/ld: /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct' /usr/bin/ld: python-3.8audit2why.lo: in function `check_booleans': /builddir/build/BUILD/libselinux-2.9/src/audit2why.c:84: undefined reference to `PyExc_RuntimeError' ... It's related to the following Python change https://docs.python.org/dev/whatsnew/3.8.html#debug-build-uses-the-same-abi-as-release-build Python distutils adds correct link options automatically. - selinux python module doesn't provide any Python metadata When selinux python module was built manually, it didn't provide any metadata. distutils takes care about that so that selinux Python module is visible for pip: $ pip3 list | grep selinux selinux 2.9 Signed-off-by: Petr Lautrbach commit ee8f7a870c625de139aa271eae0c40578488c2f6 Author: Richard Haines Date: Mon Jul 8 14:37:01 2019 +0100 libselinux: Fix security_get_boolean_names build error When running 'make' from libselinux on Fedora 30 (gcc 9.1.1) the following error is reported: bute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wstrict-overflow=5 -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o booleans.o booleans.c booleans.c: In function ‘security_get_boolean_names’: booleans.c:39:5: error: assuming signed overflow does not occur when changing X +- C1 cmp C2 to X cmp C2 -+ C1 [-Werror=strict-overflow] 39 | int security_get_boolean_names(char ***names, int *len) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[1]: *** [Makefile:171: booleans.o] Error 1 This is caused by the '--i' in the: 'for (--i; i >= 0; --i)' loop. Signed-off-by: Richard Haines commit 120883adf086c71665c5253e1e0a3d4c97e70a14 Author: Laurent Bigonville Date: Mon Jul 15 16:45:02 2019 +0200 mcstrans: Add reference to setools.conf man page in the daemon one Signed-off-by: Laurent Bigonville commit 13c235537b29b802ec73e8b7a4704e8e8548336d Author: Laurent Bigonville Date: Mon Jul 15 16:45:01 2019 +0200 mcstrans: Move setrans.conf manpage to section 5 Move setrans.conf manpage to section 5 as it describes the documentation for "File formats and conventions" Signed-off-by: Laurent Bigonville commit 5a5e739e5ecc472b013f59630a36aad0450d9c8f Author: Laurent Bigonville Date: Mon Jul 15 16:45:00 2019 +0200 Add documentation key in systemd .service files Signed-off-by: Laurent Bigonville commit 3abeb7c654ed0c8205cc5e666236f1705af32972 Author: Nicolas Iooss Date: Mon Jun 24 21:31:54 2019 +0200 libsepol: include module.c internal header in module_to_cil.c In module_to_cil.c, sepol_ppfile_to_module_package() calls functions from module.c without including the internal header. This makes building libsepol with "gcc -flto -fuse-ld=gold" fails when linking libsepol.so: /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_free' /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_create' /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_create' collect2: error: ld returned 1 exit status Fixes: https://github.com/SELinuxProject/selinux/issues/165 Signed-off-by: Nicolas Iooss commit 071247e8f4e9584095474093537f1869379ca43f Author: James Carter Date: Thu Jun 13 13:45:58 2019 +0200 checkpolicy: add flag to enable policy optimization Add the command-line option 'O' to checkpolicy to cause kernel policies to be optimized by calling policydb_optimize() before being written out. This option can be used on conf files and binary kernel policies, but not when converting a conf file to CIL. Signed-off-by: James Carter [omosnace: make commit desc more consistent with the other patches] [omosnace: fix a typo in the commit message] [omosnace: directly use policydb_optimize() as also the rest of code already uses other policydb_*() functions...] [omosnace: update man page] Signed-off-by: Ondrej Mosnacek commit f7cb5901f1fb8be8fd038d64e54b5627bca5b88b Author: Ondrej Mosnacek Date: Thu Jun 13 13:45:57 2019 +0200 secilc: add flag to enable policy optimization Add a command-line option -O/--optimize to optimize the final policydb using sepol_policydb_optimize() before writing it out. Signed-off-by: Ondrej Mosnacek commit 3cba4306b95a31869008173eb708a48d5727cead Author: Ondrej Mosnacek Date: Thu Jun 13 13:45:56 2019 +0200 libsemanage: optionally optimize policy on rebuild When building binary policy, optionally run it through sepol_policydb_optimize() just before writing it out. Add an optimize-policy variable to semanage.conf(5) that controls whether optimization will be applied during libsemanage operations. Signed-off-by: Ondrej Mosnacek commit b8213acff837101eadb7ce213beddf19b879b52d Author: Ondrej Mosnacek Date: Thu Jun 13 13:45:55 2019 +0200 libsepol: add a function to optimize kernel policy Add sepol_policydb_optimize(), which checks a kernel policy for redundant rules (i.e. those that are covered by an existing more general rule) and removes them. Results on Fedora 29 policy: WITHOUT OPTIMIZATION: # time semodule -B real 0m21,280s user 0m18,636s sys 0m2,525s $ wc -c /sys/fs/selinux/policy 8692158 /sys/fs/selinux/policy $ seinfo (edited) Allow: 113159 Dontaudit: 10297 Total: 123156 WITH OPTIMIZATION ENABLED: # time semodule -B real 0m22,825s user 0m20,178s sys 0m2,520s $ wc -c /sys/fs/selinux/policy 8096158 /sys/fs/selinux/policy $ seinfo (edited) Allow: 66334 Dontaudit: 7480 Total: 73814 Signed-off-by: Ondrej Mosnacek commit 84b8f306060cd2a4eeae83e8cb2ec51d1b18b93b Author: Unto Sten Date: Wed Jun 12 17:19:41 2019 +0300 More accurate error messages Signed-off-by: Unto Sten commit 6062c45b1d31ba5b7ef12ecda6cb8c9d3aa55714 Author: Unto Sten Date: Wed Jun 12 17:15:06 2019 +0300 Remove redundant if-clause Signed-off-by: Unto Sten commit 163d5b456dca8d1ef26490973baf071d6818abeb Author: Unto Sten Date: Wed Jun 12 17:18:03 2019 +0300 Remove unneeded int Signed-off-by: Unto Sten commit c46b8af40adf6dd2ad4951d27eab01ea8f950e07 Author: Jan Zarsky Date: Wed Jun 12 10:04:04 2019 +0200 libsemanage: test semanage_msg_default_handler Add test for semanage_msg_default_handler. Signed-off-by: Jan Zarsky commit acda541a4da746328f907e42316f96d7288ca3c2 Author: Jan Zarsky Date: Wed Jun 12 10:04:03 2019 +0200 libsemanage: test semanage_context_* functions Add new test suite for other libsemanage functions. Add tests for semanage_context_* functions. Signed-off-by: Jan Zarsky commit 6f064e0b309b556f458cbb50e7b5c89471c3be61 Author: Jan Zarsky Date: Wed Jun 12 10:04:02 2019 +0200 libsemanage: test semanage_user_* functions Add new test suite for semanage_user_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit 2b6966d7bc6cda739a2684b172571f75c7cf121a Author: Jan Zarsky Date: Wed Jun 12 10:04:01 2019 +0200 libsemanage: test semanage_port_* functions Add new test suite for semanage_port_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit dfc81c13fcc08a046f452aca0d219760ea56cec6 Author: Jan Zarsky Date: Wed Jun 12 10:04:00 2019 +0200 libsemanage: test semanage_node_* functions Add new test suite for semanage_node_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit 1791cb42fc9e8fd2b805472f4ea7af088a7c6b41 Author: Jan Zarsky Date: Wed Jun 12 10:03:59 2019 +0200 libsemanage: test semanage_ibendport_* functions Add new test suite for semanage_ibendport_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit c238906b5b929f4891c21448981d9dbb8fede700 Author: Jan Zarsky Date: Wed Jun 12 10:03:58 2019 +0200 libsemanage: test semanage_iface_* functions Add new test suite for semanage_iface_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit 5aab527f56619ae6493bfa5c3e13a8d32b6cbe52 Author: Jan Zarsky Date: Wed Jun 12 10:03:57 2019 +0200 libsemanage: test semanage_fcontext functions Add new test suite for semanage_fcontext_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit b1c09dc3f72ce2f9e7ed20c85f861b15939b52fe Author: Jan Zarsky Date: Wed Jun 12 10:03:56 2019 +0200 libsemanage: test semanage_bool_* functions Add new test suite for semanage_bool_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit 92bd4ae5bad6832621d3e2c6608b216e36b677a2 Author: Jan Zarsky Date: Wed Jun 12 10:03:55 2019 +0200 libsemanage: test semanage_handle_* functions Add new test suite for semanage_handle_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system. Signed-off-by: Jan Zarsky commit 638e2f9df021fd82d25a7c13e0ff1c1a07b5a794 Author: Jan Zarsky Date: Wed Jun 12 10:03:54 2019 +0200 libsemanage: add helper functions to tests - Add functions for creating and destroying test semanage store. - Add functions for writing SELinux policy to the test store. - Add functions for creating semanage handle, connecting to the store and for beginning a transaction. - Update Makefile to compile test policies from CIL source. Signed-off-by: Jan Zarsky commit 544cc7957bedee20e3f57db2374e21fcb42d918c Author: Mike Palmiotto Date: Mon Jun 17 15:15:12 2019 +0000 libsepol/cil: fix mlsconstrain segfault Installing a cil module with invalid mlsconstrain syntax currently results in a segfault. In the following module, the right-hand side of the second operand of the OR is a list (mlstrustedobject): $ cat test.cil (class test (foo) ) (classorder (unordered test)) (mlsconstrain (test (foo)) (or (dom h1 h2) (eq t2 (mlstrustedobject)) ) ) $ sudo semodule -i test.cil zsh: segmentation fault sudo semodule -i test.cil This syntax is invalid and should error accordingly, rather than segfaulting. This patch provides this syntax error for the same module: $ sudo semodule -i test.cil t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side Bad expression tree for constraint Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4 semodule: Failed! Signed-off-by: Mike Palmiotto commit eb2a875747c3030da5d8dc39197d0889fd8926e7 Author: Jokke Hämäläinen Date: Mon Jun 17 15:02:39 2019 +0300 libsepol: Replace constant with sizeof() Replace constant 18 with safer use of sizeof() Signed-off-by: Unto Sten commit e8d880e0a22111e8ad3d6b36418014ba4430a944 Author: Jokke Hämäläinen Date: Mon Jun 17 15:02:11 2019 +0300 libsepol: Check strdup() failures Check strdup() failures Signed-off-by: Unto Sten commit dbffdf71351e2c53b4d8b82f4035594f09e9d7c7 Author: Petr Lautrbach Date: Fri May 31 22:19:05 2019 +0200 Add CONTRIBUTING.md Based on https://github.com/SELinuxProject/selinux/wiki/Contributing Signed-off-by: Petr Lautrbach Acked-by: Paul Moore commit c758ac1ddf3ec7529bf530cbd6e06bdd219a8805 Author: Unto Sten Date: Sat May 11 01:04:16 2019 +0300 Trivial style fixes commit be9976e7637c5d3852b4490186f7cf6ea254efdf Author: Unto Sten Date: Sat May 11 00:50:31 2019 +0300 Trivial style improvements commit 26462e101f86f1fe41aaee279c4bf957a6fe0879 Author: Aleksei Nikiforov Date: Tue Apr 30 10:26:42 2019 +0300 Update man pages translation by Olesya Gerasimenko Signed-off-by: Olesya Gerasimenko Signed-off-by: Aleksei Nikiforov commit 9adafb6d518d90779d523ffc3c0596bff943602e Author: Ondrej Mosnacek Date: Mon May 13 13:58:26 2019 +0200 run_init: fix build when crypt() is not in unistd.h According to [1], crypt() support in POSIX is optional, so include also when _XOPEN_CRYPT is not defined or is defined to -1. Without this I can't build run_init from source out-of-the-box on Fedora 29. [1] http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES Signed-off-by: Ondrej Mosnacek commit 159d5063d37fae8814e93c140b9d499721c08949 Author: Richard Haines Date: Tue May 21 12:22:06 2019 +0100 libsepol/cil: Allow validatetrans rules to be resolved When validatetrans rule is in CIL policy it errors with: u3, r3, and t3 can only be used with mlsvalidatetrans rules Will now resolve these examples: (validatetrans binder (and (and (eq t1 t1_t) (eq t2 t2_t)) (eq t3 t3_t))) (mlsvalidatetrans file (and (and (eq t1 t1_t) (eq t2 t2_t)) (and (eq t3 t3_t) (domby h1 h2)))) Signed-off-by: Richard Haines commit 3e506bda3b46452df3467e9392362e4e32beb966 Author: Ondrej Mosnacek Date: Tue May 14 10:14:16 2019 +0200 libsepol: add ebitmap_for_each_set_bit macro Most of the users of ebitmap_for_each_bit() macro only care for the set bits, so introduce a new ebitmap_for_each_positive_bit() macro that skips the unset bits. Replace uses of ebitmap_for_each_bit() with the new macro where appropriate. Signed-off-by: Ondrej Mosnacek commit baf8a1de163abf0c46c507d06b9aa000e2ba162b Author: Unto Sten Date: Fri May 10 20:53:04 2019 +0300 Check strdup() failure commit cd1ef4d64e16cf74baf43255059eeffb150f3108 Author: Unto Sten Date: Fri May 10 19:47:07 2019 +0300 another style fix commit e1a74396c7c62873f4571d84f3adf00250790e23 Author: Unto Sten Date: Fri May 10 16:52:08 2019 +0300 Unify code style to preserve my sanity commit 5d8f44e2c36ab02482f08fd44bdd040865d0700d Author: Unto Sten Date: Fri May 10 20:10:37 2019 +0300 Global replace exit(0) with more readable exit(EXIT_SUCCESS) commit f46b64fccb9f42e3926c0b3aafc85a35c61d58fe Author: Petr Lautrbach Date: Thu Apr 4 23:16:52 2019 +0200 semanage/semanage-boolean.8: Fix a minor typo boolan -> boolean Reported-by: Bogdan BOTEZ Signed-off-by: Petr Lautrbach commit ac2a3fb4fedefdd0bcb0fae3e87eb1ea62c3eb2b Author: Gary Tierney Date: Wed Apr 17 17:37:31 2019 +0100 dismod: print policy version of loaded modules Signed-off-by: Gary Tierney commit 4984a75f3824de88af1dee8635878592ff64155d Author: Gary Tierney Date: Wed Apr 17 17:37:30 2019 +0100 checkmodule: add support for specifying module policy version Currently checkpolicy can produce binary policies for earlier policy versions to provide support for building policies on one machine and loading/analyzing them on another machine with an earlier version of the kernel or libsepol, respectively. However, checkmodule was lacking this capability. This commit adds an identical `-c` flag that can be passed to checkmodule that will build a modular policy file of the specified version. Signed-off-by: Gary Tierney commit 25ce1029073dcad7210fdb08b1a3d65edf9f76ec Author: Joshua Brindle Date: Fri Apr 5 12:01:02 2019 -0700 Add security_validatetrans support It seems validatetrans support was never added to libselinux, despite being added to selinuxfs in kernel version 4.5 There is a utility to test, however the targeted policy has no validatetrans rules so some must be added: $ cat validatetrans.cil (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2))))) $ sudo semodule -i validatetrans.cil $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here opening /sys/fs/selinux/validatetrans security_validatetrans returned -1 errno: Invalid argument $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0 opening /sys/fs/selinux/validatetrans security_validatetrans returned -1 errno: Operation not permitted $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0 opening /sys/fs/selinux/validatetrans security_validatetrans returned 0 errno: Success Signed-off-by: Joshua Brindle commit 42f73af5076411de3c6a5b2bed21a4fd6ae44acd Author: Laurent Bigonville Date: Thu Mar 21 11:04:39 2019 +0100 restorecond: Do not link against libpcre For some reasons, restorecond was explicitly linking against libpcre but the code is not using any of its symbols Closes: https://github.com/SELinuxProject/selinux/issues/137 Signed-off-by: Laurent Bigonville commit 5fc701fe11c48bd1076b5ed3a9b43dc20d24fd24 Author: Nicolas Iooss Date: Tue Feb 26 20:02:07 2019 +0100 restorecond: use /run instead of /var/run On most distributions, /var/run is a symbolic link to /run so using /var/run or /run lead to the same result. Nevertheless systemd started to warn about using /var/run in a service file, logging entries such as: /usr/lib/systemd/system/restorecond.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/restorecond.pid → /run/restorecond.pid; please update the unit file accordingly. Switch to /run in order to follow this advice. Signed-off-by: Nicolas Iooss commit 5d149b23dee77c43beeb2a43b1d7f924dd88f56b Author: Petr Lautrbach Date: Mon Mar 18 14:39:25 2019 +0100 gui: Install .desktop files to /usr/share/applications by default /usr/share/applications is a standard directory for .desktop files. Installation path can be changed using DESKTOPDIR variable in installation phase, e.g. make DESKTOPDIR=/usr/local/share/applications install Signed-off-by: Petr Lautrbach commit c778509dd0ed3b184d720032f31971f975e42973 Author: Petr Lautrbach Date: Tue Mar 5 17:38:55 2019 +0100 gui: Install polgengui.py to /usr/bin/selinux-polgengui polgengui.py is a standalone gui tool which should be in /usr/bin with other tools. Signed-off-by: Petr Lautrbach