commit dca7ce8195d2
Author: Petr Lautrbach
Date:   Thu Nov 28 13:45:08 2019 +0100

    Update VERSIONs to 3.0 for release.

    Signed-off-by: Petr Lautrbach

commit 6e187f8a2aab
Author: Petr Lautrbach
Date:   Tue Nov 12 18:14:54 2019 +0100

    Update VERSIONs to 3.0-rc2 for release.

    Signed-off-by: Petr Lautrbach

commit adb8bdd4295d
Author: Petr Lautrbach
Date:   Fri Nov 15 15:54:25 2019 +0100

    dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot

    When org.selinux.relabel_on_boot(0) was called twice, it failed with FileNotFoundError.

    Fixes:
        $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
        method return sender=:1.53 -> dest=:1.54 reply_serial=2
        $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
        method return sender=:1.53 -> dest=:1.55 reply_serial=2
        $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
        Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'

    Signed-off-by: Petr Lautrbach

commit 214cb61d539f
Author: Petr Lautrbach
Date:   Tue Nov 19 11:43:26 2019 +0100

    Travis-CI: Drop Python 2 from matrix

    As a result of Python 2 sunset - https://www.python.org/doc/sunset-python-2/ - Python 2 code will not be supported in this project anymore and new Python code should be written only for Python 3.

    Signed-off-by: Petr Lautrbach

commit ad2208ec220f
Author: Baichuan Kong
Date:   Thu Nov 14 10:48:07 2019 +0800

    restorecond: Fix redundant console log output error

    When starting restorecond without any option the following redundant console log is outputted:

        /dev/log 100.0%
        /var/volatile/run/syslogd.pid 100.0%
        ...

    This is caused by two global variables of same name r_opts. When executes r_opts = opts in restore_init(), it originally intends to assign the address of struct r_opts in "restorecond.c" to the pointer *r_opts in "restore.c".
    However, the address is assigned to the struct r_opts and covers the value of low eight bytes in it. That causes unexpected value of member variable 'nochange' and 'verbose' in struct r_opts, thus affects value of 'restorecon_flags' and executes unexpected operations when restorecon the files such as the redundant console log output or file label nochange.

    Cause restorecond/restore.c is copied from policycoreutils/setfiles, which share the same pattern. It also has potential risk to generate same problems, So fix it in case.

    Signed-off-by: Baichuan Kong

commit 91cd4600dbd0
Author: Nicolas Iooss
Date:   Mon Nov 11 11:11:13 2019 +0100

    libselinux,libsemanage: check in python_exception.i files

    Generating selinuxswig_python_exception.i and semanageswig_python_exception.i requires gcc, which appears to be unavailable on some platform. Work around this issue by adding the generated files to the git repository.

    While at it, remove a stray space in the generated selinuxswig_python_exception.i.

    Original thread: https://lore.kernel.org/selinux/20191012172357.GB19655@imap.altlinux.org/T/#ma78bd7fe71fb5784387a8c0cebd867d6c02ee6e4

    Signed-off-by: Nicolas Iooss
    Cc: Michael Shigorin

commit dd9c70e0d7b9
Author: Nicolas Iooss
Date:   Mon Nov 11 10:56:54 2019 +0100

    libselinux,libsemanage: fix python_exception.i dependencies

    selinuxswig_python_exception.i and semanageswig_python_exception.i need to be regenerated when either an input header file changes or exception.sh changes. Add the missing items to the respective Makefiles.

    Signed-off-by: Nicolas Iooss

commit 5815cc9843d7
Author: Nicolas Iooss
Date:   Mon Nov 11 10:49:37 2019 +0100

    libselinux,libsemanage: never create -.o in exception.sh

    Files starting with "-" causes issues in commands such as "rm *.o". For libselinux and libsemanage, when exception.sh fails to remove "-.o", "make clean" fails with:

        rm: invalid option -- '.'
        Try 'rm ./-.o' to remove the file '-.o'.
        Try 'rm --help' for more information.
    Fix this by making exception.sh create "temp.o" instead of "-.o".

    Signed-off-by: Nicolas Iooss

commit 8375671d30c8
Author: Petr Lautrbach
Date:   Thu Nov 7 11:23:37 2019 +0100

    python/sepolicy: Revert "Only invoke RPM on RPM-enabled Linux distributions"

    Commit 73b7ff410c1b ("Only invoke RPM on RPM-enabled Linux distributions") used platform.linux_distribution() function to detect whether the system is rpm based. This function is deprecated since Python 3.5 and it's removed from Python 3.8 - https://bugs.python.org/issue28167

    The original problem is already fixed by another commit 671f83b42ba2 ("policycoreutils/sepolicy: Check get_rpm_nvr_list() return value"):

        $ sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home
        Failed to retrieve rpm info for selinux-policy
        Created the following files:
        mypolicy/testpolicy.te # Type Enforcement file
        mypolicy/testpolicy.if # Interface file
        mypolicy/testpolicy.fc # File Contexts file
        mypolicy/testpolicy_selinux.spec # Spec file
        mypolicy/testpolicy.sh # Setup Script

    Fixes:
        File "/usr/lib/python3.8/site-packages/sepolicy/generate.py", line 1384, in generate
        if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
        AttributeError: module 'platform' has no attribute 'linux_distribution'

    Signed-off-by: Petr Lautrbach

commit 6d5f7f20bc99
Author: Petr Lautrbach
Date:   Wed Nov 6 17:30:43 2019 +0100

    Replace www.nsa.gov references by github.com/SELinuxProject

    The original page doesn't exist anymore.

    Fixes: https://github.com/SELinuxProject/selinux/issues/170

    Signed-off-by: Petr Lautrbach

commit c7527bdb608b
Author: James Carter
Date:   Fri Nov 1 09:50:53 2019 -0400

    libsepol/cil: Report disabling an optional block only at high verbose levels

    Since failing to resolve a statement in an optional block is normal, only display messages about the statement failing to resolve and the optional block being disabled at the highest verbosity level.
    These messages are now only at log level CIL_INFO instead of CIL_WARN.

    Signed-off-by: James Carter

commit 0271bf4136e3
Author: Thomas Petazzoni
Date:   Fri Oct 25 15:41:49 2019 +0200

    libselinux/src/Makefile: don't pass bogus -I and -L to python setup.py build_ext

    Using $(DESTDIR) during the build does not follow the normal/standard semantic of DESTDIR: it is normally only needed during the installation. Therefore, a lot of build systems/environments don't pass any DESTDIR at build time, which causes setup.py to be called with -I /usr/include -L /usr/lib, which breaks cross-compilation.

    Signed-off-by: Thomas Petazzoni

commit b3ed0a7a6027
Author: Petr Lautrbach
Date:   Tue Oct 1 14:26:00 2019 +0200

    Update VERSIONs to 3.0-rc1 for release.

    Signed-off-by: Petr Lautrbach

commit 95bcd6af0352
Author: Vit Mojzis
Date:   Mon Oct 21 16:37:36 2019 +0200

    python/semanage: Document DCCP and SCTP support

    Add DCCP and SCTP protocols in semanage port man page and --help message.

    Signed-off-by: Vit Mojzis

commit 06040cdc54ca
Author: Jason Zaman
Date:   Mon Oct 21 13:55:05 2019 +0800

    policycoreutils: semodule: Enable CIL logging

    semodule -v will turn on semodule's own verbose logging but not logging from CIL. This change makes the verbose flag also set cil's log level.

    By default (ie no -v flag), this will enable CIL_ERR, and each -v will increase the level from there.

    Tested with a duplicated fcontext in the policy.

    Before this change:
        # semodule -v -B
        Committing changes:
        Problems processing filecon rules
        Failed post db handling
        semodule: Failed!

    After this change:
        # semodule -v -B
        [ ... snip ... ]
        Found conflicting filecon rules
        at /var/lib/selinux/mcs/tmp/modules/400/mycustom/cil:159
        at /var/lib/selinux/mcs/tmp/modules/400/mycustom/cil:158
        Problems processing filecon rules
        Failed post db handling
        semodule: Failed!
    Closes: https://github.com/SELinuxProject/selinux/issues/176

    Signed-off-by: Jason Zaman

commit 9be4e7454dc9
Author: Masatake YAMATO
Date:   Sat Oct 19 19:26:56 2019 +0900

    checkpolicy: allow to write policy to stdout

    If - is given as filename for -o option, checkpolicy writes the policy to standard output. This helps users to read policy.conf and/or CIL policy file with pager like less command:

        $ checkpolicy -M -F -b /sys/fs/selinux/policy -o - | less

    The users don't have to make a temporary file. /dev/stdout can be used instead. However, - reduces the number of typing for the purpose. Using - for standard output (and/or standard input) is popular convention.

    Change(s) in v2:
    * Check the availability of output stream only when opening a regular file. Suggested by Stephen Smalley.

    Signed-off-by: Masatake YAMATO

commit b8455f774a3f
Author: Masatake YAMATO
Date:   Sat Oct 19 19:26:55 2019 +0900

    checkpolicy: update the description for -o option in the man page

    Write about policy.conf and CIL files.

    Signed-off-by: Masatake YAMATO

commit a581560eb0de
Author: Masatake YAMATO
Date:   Sat Oct 19 19:26:54 2019 +0900

    checkpolicy: remove a redundant if-condition

    Inner if-condition in following code is redundant:

        if (outfile) {
            /* ... just referring outfile ... */
            if (outfile) {
                do_something();
            }
        }

    We can simplify this to:

        if (outfile) {
            /* ... just referring outfile ... */
            do_something();
        }

    Signed-off-by: Masatake YAMATO

commit 7494bb1298b3
Author: Ondrej Mosnacek
Date:   Fri Oct 18 11:20:05 2019 +0200

    sepolicy: generate man pages in parallel

    Generating man pages takes a lot of time. Do it in parallel to speed up the process.

    Signed-off-by: Ondrej Mosnacek

commit b915c7a9d330
Author: Nicolas Iooss
Date:   Sun Oct 13 12:52:16 2019 +0200

    libsemanage: mark all exported function "extern"

    Many functions are already marked "extern" in libsemanage's public headers and this will help using the content of the headers in order to automatically generate some glue code for Python bindings.

    Signed-off-by: Nicolas Iooss

commit cfe487409307
Author: Nicolas Iooss
Date:   Sun Oct 13 12:52:15 2019 +0200

    libselinux: mark all exported function "extern"

    Many functions are already marked "extern" in libselinux's public headers and this will help using the content of the headers in order to automatically generate some glue code for Python bindings.

    Signed-off-by: Nicolas Iooss

commit e0e66c25e21a
Author: Petr Lautrbach
Date:   Fri Oct 11 09:07:17 2019 +0200

    libsepol: Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping

    There's a typo in commit b8213acff837101 ("libsepol: add a function to optimize kernel policy") which added new function sepol_policydb_optimize(), but there's sepol_optimize_policy in libsepol.map.

    LIBSEPOL_3.0 is used to follow the next release version libsepol-3.0

    Signed-off-by: Petr Lautrbach
    Acked-by: Ondrej Mosnacek
    Acked-by: Stephen Smalley

commit 510a679b470a
Author: Stephen Smalley
Date:   Thu Sep 26 08:49:34 2019 -0400

    python/sepolicy: call segenxml.py with python3

    Fixes: https://github.com/SELinuxProject/selinux/issues/61

    Signed-off-by: Stephen Smalley
    Acked-by: Nicolas Iooss

commit 711fe60723a3
Author: Vit Mojzis
Date:   Tue Oct 8 14:22:13 2019 +0200

    python/semanage: Add support for DCCP and SCTP protocols

    Fixes:
        # semanage port -a -p sctp -t port_t 1234
        ValueError: Protocol udp or tcp is required
        # semanage port -d -p sctp -t port_t 1234
        ValueError: Protocol udp or tcp is required

    Signed-off-by: Vit Mojzis

commit 991dd7402fa2
Author: Vit Mojzis
Date:   Tue Oct 8 14:22:12 2019 +0200

    libsemanage: Add support for DCCP and SCTP protocols

    This is necessary for "semanage port" to be able to handle DCCP and SCTP protocols.

    Fixes:
        "port_parse" only handles TCP and UDP protocols

    Signed-off-by: Vit Mojzis

commit 74c5e551ca58
Author: Nicolas Iooss
Date:   Mon Sep 30 22:22:11 2019 +0200

    libsemanage/tests: check that string pointers are not NULL before comparing them

    This silences many issues reported by Infer static analyzer about possible NULL pointer dereferences.

    Signed-off-by: Nicolas Iooss

commit 7673b97e45fd
Author: Nicolas Iooss
Date:   Mon Sep 30 22:22:10 2019 +0200

    libsemanage/tests: return when str is NULL

    CU_FAIL() does not stop the execution flow.

    This issue has been found using Infer static analyzer.

    Signed-off-by: Nicolas Iooss

commit adcc353f6eb2
Author: Vit Mojzis
Date:   Mon Sep 30 09:49:04 2019 +0200

    python/semanage: fix moduleRecords.customized()

    Return value of "customized" has to be iterable.

    Fixes:
        "semanage export" with no modules in the system (eg. monolithic policy) crashes:

        Traceback (most recent call last):
        File "/usr/sbin/semanage", line 970, in
        do_parser()
        File "/usr/sbin/semanage", line 949, in do_parser
        args.func(args)
        File "/usr/sbin/semanage", line 771, in handleExport
        for c in OBJECT.customized():
        TypeError: 'NoneType' object is not iterable

    Signed-off-by: Vit Mojzis

commit 3a9b4505bfc1
Author: Vit Mojzis
Date:   Fri Sep 27 16:13:47 2019 +0200

    python/semanage: Improve handling of "permissive" statements

    - Add "customized" method to permissiveRecords which is then used for "semanage permissive --extract" and "semanage export"
    - Enable "semanage permissive --deleteall" (already implemented)
    - Add "permissive" to the list of modules exported using "semanage export"
    - Update "semanage permissive" man page

    Signed-off-by: Vit Mojzis

commit 9d8fd6e9b9c3
Author: James Carter
Date:   Wed Sep 25 15:28:17 2019 -0400

    libsepol: Further improve binary policy optimization

    This improves commit b8213acf (libsepol: add a function to optimize kernel policy) by Ondrej Mosnacek by always removing redundant conditional rules which have an identical rule in the unconditional policy.

    Add a flag called not_cond to is_avrule_redundant(). When checking unconditional rules against the avtab (which stores the unconditional rules) we need to skip the actual rule that we are checking (otherwise a rule would be determined to be redundant with itself and bad things would happen), but when checking a conditional rule against the avtab we do not want to skip an identical rule (which is what currently happens), we want to remove the redundant permissions in the conditional rule.

    A couple of examples to illustrate when redundant conditional rules are not removed.

    Example 1
        allow t1 t2:class1 perm1;
        if (bool1) {
            allow t1 t2:class1 perm1;
        }
    The conditional rule is clearly redundant, but without this change it will not be removed, because of the check for an identical rule.

    Example 2
        typeattribute t1 a1;
        allow t1 t2:class1 perm1;
        allow a1 t2:class1 perm1;
        if (bool1) {
            allow t1 t2:class1 perm1;
        }
    The conditional rule is again clearly redundant, but now the order of processing during the optimization will determine whether or not the rule is removed. Because a1 contains only t1, a1 and t1 are considered to be supersets of each other. If the rule with the attribute is processed first, then it will be determined to be redundant and removed, so the conditional rule will not be removed. But if the rule with the type is processed first, then it will be removed and the conditional rule will be determined to be redundant with the rule with the attribute and removed as well.

    The change reduces the size of policy a bit more than the original optimization. Looking at the change in number of allow rules, there is about a 10% improvement over the old optimization.

                   orig     old     new
        Refpolicy  113284   82467   78053
        Fedora     106410   64015   60008

    Signed-off-by: James Carter

commit 120681c1a392
Author: Nicolas Iooss
Date:   Fri Sep 27 00:04:05 2019 +0200

    libsepol, libsemanage: add a macro to silence static analyzer warnings in tests

    Several static analyzers (clang's one, Facebook Infer, etc.)
    warn about NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL() in the test code written using CUnit framework. This is because this CUnit macro is too complex for them to understand that the pointer cannot be NULL: it is translated to a call to CU_assertImplementation() with an argument as TRUE in order to mean that the call is fatal if the asserted condition failed (cf. http://cunit.sourceforge.net/doxdocs/group__Framework.html).

    A possible solution could consist in replacing the CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers know about assert(). Nevertheless this seems to go against CUnit's API.

    An alternative solution consists in overriding CU_ASSERT_..._FATAL() macros in order to expand to assert() after a call to the matching CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove many false-positive warnings from various static analyzers.

    As this substitution should only occur when using static analyzer, put it under #ifdef __CHECKER__, which is the macro used by sparse when analyzing the Linux kernel.

    Signed-off-by: Nicolas Iooss

commit eca4ee4542e9
Author: Nicolas Iooss
Date:   Sat Sep 21 23:30:37 2019 +0200

    CircleCI: run scan-build and publish its results automatically

    CircleCI is a continuous integration system like Travis CI, which provides different features. Contrary to Travis CI, it is quite harder to build the project with several build configurations (so it is not a replacement), but it provides short-term storage for files produced by a build job in what is called "artifacts".

    Use this feature in order to store the results of clang's static analyzer (scan-build) after every pushed commit. This way makes it possible to quickly compare the result of the analyzer after applying some patches that were sent for review to the mailing list, as it no longer requires running the analyzer several times on the development machine.

    An output example is available at https://352-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-21-164945-6152-1/index.html
    These web pages were created by the job described at https://circleci.com/gh/fishilico/selinux/352

    Signed-off-by: Nicolas Iooss

commit 54cb5c674bd2
Author: Petr Lautrbach
Date:   Tue Sep 24 21:46:37 2019 +0200

    Switch last 2 files using /usr/bin/env to /usr/bin/python3

    Other python scripts already use python3 by default. Both files don't have exec bits so they have to be run using python interpreter on command line anyway:

        $ python3 ./setup.py ...

    Signed-off-by: Petr Lautrbach

commit 68fbb6b0a065
Author: Petr Lautrbach
Date:   Tue Sep 24 21:15:23 2019 +0200

    python/semanage: Do not use default s0 range in "semanage login -a"

    Using the "s0" default means that new login mappings are always added with "s0" range instead of the range of SELinux user.

    Signed-off-by: Petr Lautrbach

commit 5dfa95c6865f
Author: Petr Lautrbach
Date:   Tue Sep 24 21:12:21 2019 +0200

    gui: Fix remove module in system-config-selinux

    When a user tried to remove a policy module with priority other than 400 via GUI, it failed with a message:

        libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).

    This is fixed by calling "semodule -x PRIORITY -r NAME" instead of "semodule -r NAME".

    From Jono Hein

    Signed-off-by: Petr Lautrbach

commit f4e741a14412
Author: Petr Lautrbach
Date:   Tue Sep 24 21:08:54 2019 +0200

    policycoreutils/fixfiles: Force full relabel when SELinux is disabled

    The previous check used getfilecon to check whether / slash contains a label, but getfilecon fails only when SELinux is disabled. Therefore it's better to check this using selinuxenabled.

    Signed-off-by: Petr Lautrbach

commit d3a8fc4c03ea
Author: Petr Lautrbach
Date:   Tue Sep 24 21:08:53 2019 +0200

    policycoreutils/fixfiles: Fix [-B] [-F] onboot

    Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel" command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes `fixfiles -B onboot` to show usage instead of updating /.autorelabel

    The code is restructured to handle -B for different modes correctly.

    Fixes:
        # fixfiles -B onboot
        Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
        ...

    Signed-off-by: Petr Lautrbach

commit 152aeb152fc9
Author: Vit Mojzis
Date:   Tue Sep 24 08:41:30 2019 +0200

    policycoreutils/fixfiles: Fix "verify" option

    "restorecon -n" (used in the "restore" function) has to be used with "-v" to display the files whose labels would be changed.

    Fixes:
        Fixfiles verify does not report mislabelled files unless "-v" option is used.

    Signed-off-by: Vit Mojzis

commit 68b2e4416e5c
Author: Nicolas Iooss
Date:   Fri Sep 20 07:59:55 2019 +0200

    libselinux: do not add rc to pos twice

    In regex_format_error(), when error_data->error_offset is zero, rc is not updated and should not be added to pos again.

    Signed-off-by: Nicolas Iooss

commit 340da085a516
Author: Nicolas Iooss
Date:   Fri Sep 20 07:59:54 2019 +0200

    libselinux: ensure strlen() is not called on NULL

    When compile_regex() calls regex_prepare_data() and this function fails in the following condition:

        *regex = regex_data_create();
        if (!(*regex))
            return -1;

    ... error_data has been zero-ed and compile_regex() calls:

        regex_format_error(&error_data, regex_error_format_buffer, sizeof(regex_error_format_buffer));

    This leads to a call to strlen(error_data->error_buffer), where error_data->error_buffer is NULL.

    Avoid this by checking that error_data->error_buffer is not NULL before trying to format it.

    This issue has been found using clang's static analyzer: https://337-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-01-181851-6152-1/report-0b122b.html#EndPath

    Signed-off-by: Nicolas Iooss

commit b550c0e20221
Author: Nicolas Iooss
Date:   Mon Aug 5 22:11:20 2019 +0200

    Fix many misspellings

    Use codespell (https://github.com/codespell-project/codespell) in order to find many common misspellings that are present in English texts.

    Signed-off-by: Nicolas Iooss

commit e17e489ee3b4
Author: Nicolas Iooss
Date:   Sun Sep 1 20:14:10 2019 +0200

    Add configuration file for lgtm.com

    Add a configuration file in order to parse the C code on https://lgtm.com/projects/g/SELinuxProject/selinux/

    The documentation about this file is on https://help.semmle.com/lgtm-enterprise/user/help/lgtm.yml-configuration-file.html and https://help.semmle.com/lgtm-enterprise/user/help/cpp-extraction.html

    Fixes: https://github.com/SELinuxProject/selinux/issues/98

    Signed-off-by: Nicolas Iooss

commit 86df2b27a7dd
Author: Mike Palmiotto
Date:   Mon Sep 16 16:30:15 2019 -0400

    libselinux: fix string conversion of unknown perms

    Commit c19395d72295f5e69275d98df5db22dfdf214b6c fixed some handling of unknown classes/permissions, but missed the case where an unknown permission is loaded and then subsequently logged, either via denial or auditallow. If a permission set has some valid values mixed with unknown values, say `{ read write foo }`, a check on `{ read write foo }` would fail to log the entire set.

    To fix this, skip over the bad permissions/classes when expanding them to strings. The unknowns should be logged during `selinux_set_mapping`, so there is no need for further logging of the actual unknown permissions.

    Signed-off-by: Mike Palmiotto

commit cfc57c2e7038
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:36 2019 +0200

    libsepol/tests: do not dereference a NULL pointer

    In test_attr_types, the pointer decl is allowed to be NULL in the beginning, but is dereferenced to produce a helpful message right before a CU_ASSERT_FATAL. Make this dereference not happen if the pointer is NULL.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 0da7718310cb
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:35 2019 +0200

    python/sepolicy: remove unnecessary pass statement

    This issue has been found using lgtm.com analyzer: https://lgtm.com/projects/g/SELinuxProject/selinux/snapshot/eac5e661ca7300800000496fe13985286af70c6d/files/python/sepolicy/sepolicy/__init__.py?sort=name&dir=ASC&mode=heatmap#x9f8225117f52fb01:1

    Signed-off-by: Nicolas Iooss

commit af67fa5d9578
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:34 2019 +0200

    python/chcat: remove unnecessary assignment

    chcat_add() defines variable cmd twice before calling subprocess.check_call(cmd, ...). Remove the first definition.

    This bug was found using lgtm.com analyzer: https://lgtm.com/projects/g/SELinuxProject/selinux/snapshot/eac5e661ca7300800000496fe13985286af70c6d/files/python/chcat/chcat?sort=name&dir=ASC&mode=heatmap#L118

    Signed-off-by: Nicolas Iooss

commit dddd28e90bc2
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:33 2019 +0200

    libsepol/cil: do not dereference perm_value_to_cil when it has not been allocated

    When one of the first allocations of cil_binary_create_allocated_pdb() fails, the exit label dereferences the items of array perm_value_to_cil even though it could be still NULL.

    This issue has been found using clang's static analyzer: https://327-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-08-05-203459-6149-1/report-febf85.html#EndPath

    Signed-off-by: Nicolas Iooss

commit c8ac3af7b55b
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:32 2019 +0200

    libsepol: reset *p to NULL if sepol_module_package_create fails

    semodule-utils/semodule_link/semodule_link.c contains:

        static sepol_module_package_t *load_module(char *filename)
        {
            /* ... */
            if (sepol_module_package_create(&p)) {
                /* ... */
                goto bad;
            /* ... */
        bad:
            sepol_module_package_free(p);

    When sepol_module_package_create() fails while having successfully allocated p, it currently frees p without setting it back to NULL. This causes a use-after-free in load_module().

    Prevent this use-after-free by setting sepol_module_package_create's argument back to NULL when an error happens.

    This issue has been found using Infer static analyzer.

    Signed-off-by: Nicolas Iooss

commit 0b136a35e345
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:31 2019 +0200

    libsepol: do not dereference scope if it can be NULL

    Doing this looks wrong:

        len = scope->decl_ids_len;
        if (scope == NULL) {
            /* ... */

    Move the dereferencing of scope after the NULL check.

    This issue has been found using Infer static analyzer.

    Signed-off-by: Nicolas Iooss

commit da8e3c7d3696
Author: Nicolas Iooss
Date:   Sun Sep 1 20:06:28 2019 +0200

    semodule-utils: fix comparison with argc

    In order for argv[3] to be used, argc needs to be at least 4, not 3.

    This bug was found using lgtm.com analyzer: https://lgtm.com/projects/g/fishilico/selinux-for-lgtm/snapshot/8c1b2658f80392ff8b3532c6bd5d0cefac8afb30/files/semodule-utils/semodule_package/semodule_unpackage.c?sort=name&dir=ASC&mode=heatmap#xb1ce80b43260d34c:1

    Signed-off-by: Nicolas Iooss

commit 4a266cc3ce05
Author: Nicolas Iooss
Date:   Sun Sep 15 21:10:39 2019 +0200

    libsepol: do not dereference a failed allocated pointer

    When strs_stack_init(&stack) fails to allocate memory and stack is still NULL, it should not be dereferenced with strs_stack_pop(stack).

    This issue has been found using Infer static analyzer.

    Signed-off-by: Nicolas Iooss

commit 4459d635b8f1
Author: James Carter
Date:   Thu Sep 12 16:24:23 2019 -0400

    libsepol: Remove cil_mem_error_handler() function pointer

    As reported by Nicolas Iooss (nicolas.iooss@m4x.org), static analyzers have problems understanding that the default memory error handler does not return since it is called through the cil_mem_error_handler() function pointer. This results in a number of false positive warnings about null pointer dereferencing.

    Since the ability to set the cil_mem_error_handler() is only through the function cil_set_mem_error_handler() which is never used and whose definition is not in any header file, remove that function, remove the use of cil_mem_error_handler() and directly in-line the contents of the default handler, cil_default_mem_error_handler().

    Signed-off-by: James Carter

commit dc4e54126bf2
Author: James Carter
Date:   Thu Sep 12 13:38:22 2019 -0400

    libsepol: Make an unknown permission an error in CIL

    This patch is loosely based on a patch by Yuli Khodorkovskiy from June 13th, 2019.

    Since any permission used in the policy should be defined, CIL should return an error if it cannot resolve a permission used in a policy. This was the original behavior of CIL.

    The behavior was changed over three commits from July to November 2016 (See commits 46e157b47, da51020d6, and 2eefb20d8).
    The change was motivated by Fedora trying to remove permissions from its policy that were never upstreamed (ex/ process ptrace_child and capability2 compromise_kernel). Local or third party modules compiled with those permissions would break policy updates.

    After three years it seems unlikely that we need to worry about those local and third party modules and it is time for CIL to give an error like it should.

    Signed-off-by: James Carter

commit 26e83975d506
Author: Vit Mojzis
Date:   Tue Jul 2 14:09:05 2019 +0200

    Fix mcstrans secolor examples

    According to "check_dominance" function: Range defined as "s15:c0.c1023" does not dominate any other range than "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). While range defined as "s15-s15:c0.c1023" dominates all of the above.

    This is either a bug, or "s15:c0.c1023" should not be used in the examples.

    Signed-off-by: Vit Mojzis

commit 2ff0fbffcf03
Author: Vit Mojzis
Date:   Tue Jul 2 14:09:04 2019 +0200

    Revert "mcstransd select correct colour range."

    This reverts commit fe17b3d2d924018750386c5ee74f12ca4b054136.

    MLS ranges should be compared based on dominance. This fixes mlscolor-test on mcstrans examples.

    Eg. mlscolor-test using /usr/share/mcstrans/examples/urcsts when executed on mls machine fails as follows:

        \#pushd /usr/share/mcstrans/examples/urcsts
        \#cp -f secolor.conf /etc/selinux/mls/secolor.conf
        \#cp -f setrans.conf /etc/selinux/mls/setrans.conf
        \#systemctl restart mcstransd
        \#python3 /usr/share/mcstrans/util/mlscolor-test urcsts.color
        For 'system_u:system_r:inetd_t:SystemLow'
        got '#000000 #000000 #000000 #000000 #000000 #000000 #000000 #000000'
        expected '#000000 #000000 #000000 #000000 #000000 #000000 #000000 #008000'
        ...
        mlscolor-test done with 19 errors

    Signed-off-by: Vit Mojzis

commit 9ba35fe8c280
Author: Joshua Brindle
Date:   Mon Sep 9 11:05:57 2019 -0700

    Add default_range glblub support

    Policy developers can set a default_range default to glblub and computed contexts will be the intersection of the ranges of the source and target contexts. This can be used by MLS userspace object managers to find the range of clearances that two contexts have in common. An example usage is computing a transition between the network context and the context of a user logging into an MLS application.

    For example, one can add a default with this cil:

        (defaultrange db_table glblub)

    or in te (base module only):

        default_range db_table glblub;

    and then test using the compute_create utility:

        $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
        system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

    Some example range transitions are:

        User Permitted Range | Network Device Label | Computed Label
        ---------------------|----------------------|----------------
        s0-s1:c0.c12         | s0                   | s0
        s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
        s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
        s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
        s0-s4                | s2-s6                | s2-s4
        s0-s4                | s5-s8                | INVALID
        s5-s8                | s0-s4                | INVALID

    Signed-off-by: Joshua Brindle

commit 6177a6f2c48e
Author: Nicolas Iooss
Date:   Tue Jul 30 23:40:39 2019 +0200

    libsemanage: include internal header to use the hidden function prototypes

    When functions from libsemanage calls other functions that are exported, these functions need to be "wrapped" using hidden_proto() macro. This is done in headers such as "user_internal.h".

    Several functions in genhomedircon.c are not doing this, which makes building with -flto fail with errors such as:

        /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `user_sort_func':
        /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758: undefined reference to `semanage_user_get_name'
        /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758: undefined reference to `semanage_user_get_name'
        /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `fcontext_matches':
        /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:240: undefined reference to `semanage_fcontext_get_expr'
        /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:248: undefined reference to `semanage_fcontext_get_type'
        /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `add_user.isra.0':
        /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:992: undefined reference to `semanage_user_get_mlslevel'
        /usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in function `write_context_file':
        /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:892: undefined reference to `semanage_user_key_create'
        /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:764: undefined reference to `semanage_user_get_name'
        /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:897: undefined reference to `semanage_user_query'
        /usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:905: undefined reference to `semanage_user_get_mlslevel'

    Include the missing headers.
    Fixes: https://github.com/SELinuxProject/selinux/issues/169
    Signed-off-by: Nicolas Iooss

commit f25d03d75d35
Author: Nicolas Iooss
Date:   Sat Jun 29 21:53:44 2019 +0200

    libselinux: ensure that digest_len is not zero

    In add_xattr_entry(), if selabel_get_digests_all_partial_matches() returns with digest_len = 0, the code gets executed as:

    sha1_buf = malloc(digest_len * 2 + 1); /* Allocate 1 byte */
    /* ... */
    for (i = 0; i < digest_len; i++) /* Do not do anything */
        sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
    /* ... */
    new_entry->digest = strdup(sha1_buf); /* use of uninitialized content */

    This is reported by some static code analyzers, even though in practice digest_len should never be zero, and the call to sprintf() ensures that the content of sha1_buf is initialized and terminated by '\0'.

    Make sure to never call strdup() on an uninitialized string by verifying that digest_len != 0.

    Signed-off-by: Nicolas Iooss

commit 7eef9386c2f9
Author: Nicolas Iooss
Date:   Wed Jun 26 08:51:03 2019 +0200

    libsepol: initialize a local variable once

    Function optimize_cond_av_list() initializes its local variable pcov_cur twice. Remove the first initialization.

    This issue has been found using clang's static analyzer: https://282-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-06-24-210510-6101-1/report-c64da3.html#EndPath

    Signed-off-by: Nicolas Iooss

commit 2a1766f4431e
Author: Richard Haines
Date:   Fri Jun 21 16:40:53 2019 +0100

    selinux: Update manpages after removing legacy boolean and user code

    Remove and update all relevant manpages.

    Signed-off-by: Richard Haines

commit c3f9492d7ff0
Author: Richard Haines
Date:   Mon Jun 24 19:02:28 2019 +0100

    selinux: Remove legacy local boolean and user code

    Remove legacy local boolean and user code, and to preserve API/ABI compatibility the following functions int values should be set to '0' as they are no longer used:

        selinux_mkload_policy(int preservebools)
        security_set_boolean_list(....
        int permanent)

    and the following are now no-op and return '-1':

        security_load_booleans()
        sepol_genusers()
        sepol_set_delusers()
        sepol_genbools()
        sepol_genbools_array()

    and these still return their paths for compatibility, however they are marked as deprecated:

        selinux_booleans_path()
        selinux_users_path()

    These have been removed as they are local functions only:

        sepol_genusers_policydb()
        sepol_genbools_policydb()

    Also "SETLOCALDEFS" removed from SELinux config file and code.

    Signed-off-by: Richard Haines

commit 526534e30432
Author: Richard Haines
Date:   Sat Jul 6 16:21:15 2019 +0100

    setfiles: Update utilities for the new digest scheme

    Update restorecon_xattr and man pages for new digest scheme managed by selinux_restorecon(3).

    Note that the Russian man pages require updating.

    Signed-off-by: Richard Haines

commit e016502c0a26
Author: Richard Haines
Date:   Sat Jul 6 16:21:14 2019 +0100

    libselinux: Save digest of all partial matches for directory

    We used to hash the file_context and skip the restorecon on the top level directory if the hash doesn't change. But the file_context might change after an OTA update; and some users experienced long restorecon time as they have lots of files under directories like /data/media.

    This CL tries to hash all the partial match entries in the file_context for each directory; and skips the restorecon if that digest stays the same, regardless of the changes to the other parts of file_context.

    This is a version ported from Android that was originally written by: xunchang

    Signed-off-by: Richard Haines

commit c00ed59281d9
Author: xunchang
Date:   Wed Apr 17 11:09:55 2019 -0700

    libselinux: Ignore the stem when looking up all matches in file context

    This is a follow up fix to the restorecon change in commit 6ab5fbaabc84f7093b37c1afae855292e918090f

    This change has been tested in android for a while.

    The stem is a list of top level directory (without regex metachar) covered in the file context.
    And it constructs from finding the second '/' in the regex_string; and aims to speed up the lookup by skipping unnecessary regex matches. More contexts in https://lore.kernel.org/selinux/200309231522.25749.russell@coker.com.au/

    However, this caused some issue when we try to find all the partial matches for a root directory. For example, the path "/data" doesn't have a stem while the regex "/data/misc/(/.*)?" has "/data" as the stem. As a result, all the regex for the subdirs of /data will not be considered as a match for "/data". And the restorecon will wrongly skip on top level "/data" when there's a context change to one of subdir.

    This CL always includes the stem when compiling the regex in all circumstances. Also, it ignores the stem id check in the "match all" case, while the behavior for the single match stays unchanged. I will collect more data to find out if stem id check is still necessary at all with the new restorecon logic.

    Test: run restorecon on "/data"; change the context of one subdir and run again, and the context is restored on that subdir; search the caller of regex_match

    Signed-off-by: Tianjie Xu

commit 5cff2813c579
Author: xunchang
Date:   Mon Mar 11 15:24:42 2019 -0700

    Restorecon: factor out a lookup helper for context matches

    We used to hash the file_context and skip the restorecon on the top level directory if the hash doesn't change. But the file_context might change after an update; and some users experienced long restorecon time as they have lots of files under directories like /data/media. Therefore, we try to skip unnecessary restores if the file context relates to the given directory doesn't change.

    This CL is the first step that factors out a lookup helper function and returns an array of matched pointers instead of a single one. The old loopup_common function is then modified to take the first element in the array.

    This change has already been submitted in android selinux branch.
    And porting it upstream will make these two branches more consistent and save some work for the future merges.

    Signed-off-by: Tianjie Xu

commit 2efa06857575
Author: Petr Lautrbach
Date:   Fri Jun 7 17:35:44 2019 +0200

    libselinux: Use Python distutils to install SELinux python bindings

    Follow officially documented way how to build C extension modules using distutils - https://docs.python.org/3.8/extending/building.html#building

    Fixes:

    - selinux python module fails to load when it's built using SWIG-4.0:

    >>> import selinux
    Traceback (most recent call last):
      File "", line 1, in
      File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in
        from . import _selinux
    ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)

    SWIG-4.0 changed (again?) its behavior so that it uses: from . import _selinux which looks for _selinux module in the same directory as where __init__.py is - $(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into $(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location of _selinux.so").

    - audit2why python module fails to build with Python 3.8

    cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DOVERRIDE_GETTID=0 -I../include -D_GNU_SOURCE -DDISABLE_RPM -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L.
    -shared -o python-3.8audit2why.so python-3.8audit2why.lo -lselinux -l:libsepol.a -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
    /usr/bin/ld: python-3.8audit2why.lo: in function `finish':
    /builddir/build/BUILD/libselinux-2.9/src/audit2why.c:166: undefined reference to `PyArg_ParseTuple'
    /usr/bin/ld: python-3.8audit2why.lo: in function `_Py_INCREF':
    /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
    /usr/bin/ld: /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
    /usr/bin/ld: python-3.8audit2why.lo: in function `check_booleans':
    /builddir/build/BUILD/libselinux-2.9/src/audit2why.c:84: undefined reference to `PyExc_RuntimeError'
    ...

    It's related to the following Python change https://docs.python.org/dev/whatsnew/3.8.html#debug-build-uses-the-same-abi-as-release-build

    Python distutils adds correct link options automatically.

    - selinux python module doesn't provide any Python metadata

    When selinux python module was built manually, it didn't provide any metadata.
    distutils takes care about that so that selinux Python module is visible for pip:

    $ pip3 list | grep selinux
    selinux 2.9

    Signed-off-by: Petr Lautrbach

commit ee8f7a870c62
Author: Richard Haines
Date:   Mon Jul 8 14:37:01 2019 +0100

    libselinux: Fix security_get_boolean_names build error

    When running 'make' from libselinux on Fedora 30 (gcc 9.1.1) the following error is reported:

    bute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wstrict-overflow=5 -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o booleans.o booleans.c
    booleans.c: In function ‘security_get_boolean_names’:
    booleans.c:39:5: error: assuming signed overflow does not occur when changing X +- C1 cmp C2 to X cmp C2 -+ C1 [-Werror=strict-overflow]
       39 | int security_get_boolean_names(char ***names, int *len)
          | ^~~~~~~~~~~~~~~~~~~~~~~~~~
    cc1: all warnings being treated as errors
    make[1]: *** [Makefile:171: booleans.o] Error 1

    This is caused by the '--i' in the: 'for (--i; i >= 0; --i)' loop.

    Signed-off-by: Richard Haines

commit 120883adf086
Author: Laurent Bigonville
Date:   Mon Jul 15 16:45:02 2019 +0200

    mcstrans: Add reference to setools.conf man page in the daemon one

    Signed-off-by: Laurent Bigonville

commit 13c235537b29
Author: Laurent Bigonville
Date:   Mon Jul 15 16:45:01 2019 +0200

    mcstrans: Move setrans.conf manpage to section 5

    Move setrans.conf manpage to section 5 as it describes the documentation for "File formats and conventions"

    Signed-off-by: Laurent Bigonville

commit 5a5e739e5ecc
Author: Laurent Bigonville
Date:   Mon Jul 15 16:45:00 2019 +0200

    Add documentation key in systemd .service files

    Signed-off-by: Laurent Bigonville

commit 3abeb7c654ed
Author: Nicolas Iooss
Date:   Mon Jun 24 21:31:54 2019 +0200

    libsepol: include module.c internal header in module_to_cil.c

    In module_to_cil.c, sepol_ppfile_to_module_package() calls functions from module.c without including the internal header.
    This makes building libsepol with "gcc -flto -fuse-ld=gold" fail when linking libsepol.so:

    /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_free'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_create'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o::function sepol_ppfile_to_module_package: error: undefined reference to 'sepol_module_package_create'
    collect2: error: ld returned 1 exit status

    Fixes: https://github.com/SELinuxProject/selinux/issues/165
    Signed-off-by: Nicolas Iooss

commit 071247e8f4e9
Author: James Carter
Date:   Thu Jun 13 13:45:58 2019 +0200

    checkpolicy: add flag to enable policy optimization

    Add the command-line option 'O' to checkpolicy to cause kernel policies to be optimized by calling policydb_optimize() before being written out.

    This option can be used on conf files and binary kernel policies, but not when converting a conf file to CIL.

    Signed-off-by: James Carter
    [omosnace: make commit desc more consistent with the other patches]
    [omosnace: fix a typo in the commit message]
    [omosnace: directly use policydb_optimize() as also the rest of code already uses other policydb_*() functions...]
    [omosnace: update man page]
    Signed-off-by: Ondrej Mosnacek

commit f7cb5901f1fb
Author: Ondrej Mosnacek
Date:   Thu Jun 13 13:45:57 2019 +0200

    secilc: add flag to enable policy optimization

    Add a command-line option -O/--optimize to optimize the final policydb using sepol_policydb_optimize() before writing it out.

    Signed-off-by: Ondrej Mosnacek

commit 3cba4306b95a
Author: Ondrej Mosnacek
Date:   Thu Jun 13 13:45:56 2019 +0200

    libsemanage: optionally optimize policy on rebuild

    When building binary policy, optionally run it through sepol_policydb_optimize() just before writing it out.

    Add an optimize-policy variable to semanage.conf(5) that controls whether optimization will be applied during libsemanage operations.

    Signed-off-by: Ondrej Mosnacek

commit b8213acff837
Author: Ondrej Mosnacek
Date:   Thu Jun 13 13:45:55 2019 +0200

    libsepol: add a function to optimize kernel policy

    Add sepol_policydb_optimize(), which checks a kernel policy for redundant rules (i.e. those that are covered by an existing more general rule) and removes them.

    Results on Fedora 29 policy:

    WITHOUT OPTIMIZATION:
        # time semodule -B
        real 0m21,280s
        user 0m18,636s
        sys 0m2,525s

        $ wc -c /sys/fs/selinux/policy
        8692158 /sys/fs/selinux/policy

        $ seinfo (edited)
        Allow: 113159
        Dontaudit: 10297
        Total: 123156

    WITH OPTIMIZATION ENABLED:
        # time semodule -B
        real 0m22,825s
        user 0m20,178s
        sys 0m2,520s

        $ wc -c /sys/fs/selinux/policy
        8096158 /sys/fs/selinux/policy

        $ seinfo (edited)
        Allow: 66334
        Dontaudit: 7480
        Total: 73814

    Signed-off-by: Ondrej Mosnacek

commit 84b8f306060c
Author: Unto Sten
Date:   Wed Jun 12 17:19:41 2019 +0300

    More accurate error messages

    Signed-off-by: Unto Sten

commit 6062c45b1d31
Author: Unto Sten
Date:   Wed Jun 12 17:15:06 2019 +0300

    Remove redundant if-clause

    Signed-off-by: Unto Sten

commit 163d5b456dca
Author: Unto Sten
Date:   Wed Jun 12 17:18:03 2019 +0300

    Remove unneeded int

    Signed-off-by: Unto Sten

commit c46b8af40adf
Author: Jan Zarsky
Date:   Wed Jun 12 10:04:04 2019 +0200

    libsemanage: test semanage_msg_default_handler

    Add test for semanage_msg_default_handler.

    Signed-off-by: Jan Zarsky

commit acda541a4da7
Author: Jan Zarsky
Date:   Wed Jun 12 10:04:03 2019 +0200

    libsemanage: test semanage_context_* functions

    Add new test suite for other libsemanage functions. Add tests for semanage_context_* functions.

    Signed-off-by: Jan Zarsky

commit 6f064e0b309b
Author: Jan Zarsky
Date:   Wed Jun 12 10:04:02 2019 +0200

    libsemanage: test semanage_user_* functions

    Add new test suite for semanage_user_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit 2b6966d7bc6c
Author: Jan Zarsky
Date:   Wed Jun 12 10:04:01 2019 +0200

    libsemanage: test semanage_port_* functions

    Add new test suite for semanage_port_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit dfc81c13fcc0
Author: Jan Zarsky
Date:   Wed Jun 12 10:04:00 2019 +0200

    libsemanage: test semanage_node_* functions

    Add new test suite for semanage_node_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit 1791cb42fc9e
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:59 2019 +0200

    libsemanage: test semanage_ibendport_* functions

    Add new test suite for semanage_ibendport_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit c238906b5b92
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:58 2019 +0200

    libsemanage: test semanage_iface_* functions

    Add new test suite for semanage_iface_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit 5aab527f5661
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:57 2019 +0200

    libsemanage: test semanage_fcontext functions

    Add new test suite for semanage_fcontext_* functions. The test suite aims for line coverage and covers expected usage of functions.
    The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit b1c09dc3f72c
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:56 2019 +0200

    libsemanage: test semanage_bool_* functions

    Add new test suite for semanage_bool_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit 92bd4ae5bad6
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:55 2019 +0200

    libsemanage: test semanage_handle_* functions

    Add new test suite for semanage_handle_* functions. The test suite aims for line coverage and covers expected usage of functions. The test suite uses custom semanage store and policy written in CIL, it does not require running on SELinux enabled system.

    Signed-off-by: Jan Zarsky

commit 638e2f9df021
Author: Jan Zarsky
Date:   Wed Jun 12 10:03:54 2019 +0200

    libsemanage: add helper functions to tests

    - Add functions for creating and destroying test semanage store.
    - Add functions for writing SELinux policy to the test store.
    - Add functions for creating semanage handle, connecting to the store and for beginning a transaction.
    - Update Makefile to compile test policies from CIL source.

    Signed-off-by: Jan Zarsky

commit 544cc7957bed
Author: Mike Palmiotto
Date:   Mon Jun 17 15:15:12 2019 +0000

    libsepol/cil: fix mlsconstrain segfault

    Installing a cil module with invalid mlsconstrain syntax currently results in a segfault. In the following module, the right-hand side of the second operand of the OR is a list (mlstrustedobject):

    $ cat test.cil
    (class test (foo) )
    (classorder (unordered test))

    (mlsconstrain (test (foo))
        (or
            (dom h1 h2)
            (eq t2 (mlstrustedobject))
        )
    )

    $ sudo semodule -i test.cil
    zsh: segmentation fault sudo semodule -i test.cil

    This syntax is invalid and should error accordingly, rather than segfaulting.
    This patch provides this syntax error for the same module:

    $ sudo semodule -i test.cil
    t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
    Bad expression tree for constraint
    Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
    semodule: Failed!

    Signed-off-by: Mike Palmiotto

commit eb2a875747c3
Author: Jokke Hämäläinen
Date:   Mon Jun 17 15:02:39 2019 +0300

    libsepol: Replace constant with sizeof()

    Replace constant 18 with safer use of sizeof()

    Signed-off-by: Unto Sten

commit e8d880e0a221
Author: Jokke Hämäläinen
Date:   Mon Jun 17 15:02:11 2019 +0300

    libsepol: Check strdup() failures

    Check strdup() failures

    Signed-off-by: Unto Sten

commit dbffdf71351e
Author: Petr Lautrbach
Date:   Fri May 31 22:19:05 2019 +0200

    Add CONTRIBUTING.md

    Based on https://github.com/SELinuxProject/selinux/wiki/Contributing

    Signed-off-by: Petr Lautrbach
    Acked-by: Paul Moore

commit c758ac1ddf3e
Author: Unto Sten
Date:   Sat May 11 01:04:16 2019 +0300

    Trivial style fixes

commit be9976e7637c
Author: Unto Sten
Date:   Sat May 11 00:50:31 2019 +0300

    Trivial style improvements

commit 26462e101f86
Author: Aleksei Nikiforov
Date:   Tue Apr 30 10:26:42 2019 +0300

    Update man pages translation by Olesya Gerasimenko

    Signed-off-by: Olesya Gerasimenko
    Signed-off-by: Aleksei Nikiforov

commit 9adafb6d518d
Author: Ondrej Mosnacek
Date:   Mon May 13 13:58:26 2019 +0200

    run_init: fix build when crypt() is not in unistd.h

    According to [1], crypt() support in POSIX is optional, so include also when _XOPEN_CRYPT is not defined or is defined to -1. Without this I can't build run_init from source out-of-the-box on Fedora 29.

    [1] http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES

    Signed-off-by: Ondrej Mosnacek

commit 159d5063d37f
Author: Richard Haines
Date:   Tue May 21 12:22:06 2019 +0100

    libsepol/cil: Allow validatetrans rules to be resolved

    When validatetrans rule is in CIL policy it errors with:

    u3, r3, and t3 can only be used with mlsvalidatetrans rules

    Will now resolve these examples:

    (validatetrans binder (and (and (eq t1 t1_t) (eq t2 t2_t)) (eq t3 t3_t)))
    (mlsvalidatetrans file (and (and (eq t1 t1_t) (eq t2 t2_t)) (and (eq t3 t3_t) (domby h1 h2))))

    Signed-off-by: Richard Haines

commit 3e506bda3b46
Author: Ondrej Mosnacek
Date:   Tue May 14 10:14:16 2019 +0200

    libsepol: add ebitmap_for_each_set_bit macro

    Most of the users of ebitmap_for_each_bit() macro only care for the set bits, so introduce a new ebitmap_for_each_positive_bit() macro that skips the unset bits. Replace uses of ebitmap_for_each_bit() with the new macro where appropriate.

    Signed-off-by: Ondrej Mosnacek

commit baf8a1de163a
Author: Unto Sten
Date:   Fri May 10 20:53:04 2019 +0300

    Check strdup() failure

commit cd1ef4d64e16
Author: Unto Sten
Date:   Fri May 10 19:47:07 2019 +0300

    another style fix

commit e1a74396c7c6
Author: Unto Sten
Date:   Fri May 10 16:52:08 2019 +0300

    Unify code style to preserve my sanity

commit 5d8f44e2c36a
Author: Unto Sten
Date:   Fri May 10 20:10:37 2019 +0300

    Global replace exit(0) with more readable exit(EXIT_SUCCESS)

commit f46b64fccb9f
Author: Petr Lautrbach
Date:   Thu Apr 4 23:16:52 2019 +0200

    semanage/semanage-boolean.8: Fix a minor typo

    boolan -> boolean

    Reported-by: Bogdan BOTEZ
    Signed-off-by: Petr Lautrbach

commit ac2a3fb4fede
Author: Gary Tierney
Date:   Wed Apr 17 17:37:31 2019 +0100

    dismod: print policy version of loaded modules

    Signed-off-by: Gary Tierney

commit 4984a75f3824
Author: Gary Tierney
Date:   Wed Apr 17 17:37:30 2019 +0100

    checkmodule: add support for specifying module policy version

    Currently checkpolicy can produce binary policies for earlier policy versions to provide
    support for building policies on one machine and loading/analyzing them on another machine with an earlier version of the kernel or libsepol, respectively. However, checkmodule was lacking this capability.

    This commit adds an identical `-c` flag that can be passed to checkmodule that will build a modular policy file of the specified version.

    Signed-off-by: Gary Tierney

commit 25ce1029073d
Author: Joshua Brindle
Date:   Fri Apr 5 12:01:02 2019 -0700

    Add security_validatetrans support

    It seems validatetrans support was never added to libselinux, despite being added to selinuxfs in kernel version 4.5

    There is a utility to test, however the targeted policy has no validatetrans rules so some must be added:

    $ cat validatetrans.cil
    (mlsvalidatetrans db_table (and (or (or (or (eq l1 l2) (and (eq t3 unconfined_t) (domby l1 l2))) (and (eq t3 unconfined_t) (dom l1 l2))) (and (eq t3 unconfined_t) (incomp l1 l2))) (or (or (or (eq l1 h2) (and (eq t3 unconfined_t) (domby h1 h2))) (and (eq t3 unconfined_t) (dom h1 h2))) (and (eq t3 unconfined_t) (incomp h1 h2)))))

    $ sudo semodule -i validatetrans.cil

    $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r: # invalid context here
    opening /sys/fs/selinux/validatetrans
    security_validatetrans returned -1 errno: Invalid argument

    $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:init_t:s0
    opening /sys/fs/selinux/validatetrans
    security_validatetrans returned -1 errno: Operation not permitted

    $ ./validatetrans system_u:system_r:kernel_t:s0 system_u:system_r:init_t:s0:c0 db_table system_u:system_r:unconfined_t:s0
    opening /sys/fs/selinux/validatetrans
    security_validatetrans returned 0 errno: Success

    Signed-off-by: Joshua Brindle

commit 42f73af50764
Author: Laurent Bigonville
Date:   Thu Mar 21 11:04:39 2019 +0100

    restorecond: Do not link against libpcre

    For some reasons, restorecond was explicitly linking against libpcre but the code is not
    using any of its symbols

    Closes: https://github.com/SELinuxProject/selinux/issues/137
    Signed-off-by: Laurent Bigonville

commit 5fc701fe11c4
Author: Nicolas Iooss
Date:   Tue Feb 26 20:02:07 2019 +0100

    restorecond: use /run instead of /var/run

    On most distributions, /var/run is a symbolic link to /run so using /var/run or /run leads to the same result. Nevertheless systemd started to warn about using /var/run in a service file, logging entries such as:

    /usr/lib/systemd/system/restorecond.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/restorecond.pid → /run/restorecond.pid; please update the unit file accordingly.

    Switch to /run in order to follow this advice.

    Signed-off-by: Nicolas Iooss

commit 5d149b23dee7
Author: Petr Lautrbach
Date:   Mon Mar 18 14:39:25 2019 +0100

    gui: Install .desktop files to /usr/share/applications by default

    /usr/share/applications is a standard directory for .desktop files. Installation path can be changed using DESKTOPDIR variable in installation phase, e.g.

    make DESKTOPDIR=/usr/local/share/applications install

    Signed-off-by: Petr Lautrbach

commit c778509dd0ed
Author: Petr Lautrbach
Date:   Tue Mar 5 17:38:55 2019 +0100

    gui: Install polgengui.py to /usr/bin/selinux-polgengui

    polgengui.py is a standalone gui tool which should be in /usr/bin with other tools.

    Signed-off-by: Petr Lautrbach
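
The range intersection that commit 9ba35fe8c280 ("Add default_range glblub support") describes, as an added Python model; it is not code from libsepol, the kernel or this log. The function names are hypothetical, and the rule used (greatest low sensitivity, least high sensitivity, category sets intersected per level) is an assumption chosen because it reproduces every row of that commit's table.

```python
import re

# Rows of the table in commit 9ba35fe8c280, plus its compute_create example.
# Each entry is (source range, target range, expected result); None = INVALID.
TABLE_ROWS = [
    ("s0-s1:c0.c12", "s0", "s0"),
    ("s0-s1:c0.c12", "s0-s1:c0.c1023", "s0-s1:c0.c12"),
    ("s0-s4:c0.c512", "s1-s1:c0.c1023", "s1-s1:c0.c512"),
    ("s0-s15:c0,c2", "s4-s6:c0.c128", "s4-s6:c0,c2"),
    ("s0-s4", "s2-s6", "s2-s4"),
    ("s0-s4", "s5-s8", None),
    ("s5-s8", "s0-s4", None),
    ("s0:c1,c2,c5-s0:c1.c20", "s0:c0.c20-s0:c0.c36", "s0:c1,c2,c5-s0:c1.c20"),
]


def parse_level(text):
    """Parse one level such as 's0:c1,c2,c5' into (sensitivity, category set)."""
    sens_part, _, cat_part = text.partition(":")
    sens = re.fullmatch(r"s(\d+)", sens_part)
    if not sens:
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category span: {item!r}")
        cats.update(range(lo, hi + 1))  # 'c0.c12' means c0 through c12
    return int(sens.group(1)), frozenset(cats)


def parse_range(text):
    """Parse 'low-high' (or a single level) into a (low, high) pair of levels."""
    low_text, sep, high_text = text.partition("-")
    low = parse_level(low_text)
    return low, (parse_level(high_text) if sep else low)


def format_level(level):
    """Render a level; runs of 3+ categories use '.', shorter runs use ','."""
    sens, cats = level
    ordered, parts, i = sorted(cats), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        first, last = ordered[i], ordered[j]
        if last - first >= 2:
            parts.append(f"c{first}.c{last}")
        elif last > first:
            parts.append(f"c{first},c{last}")
        else:
            parts.append(f"c{first}")
        i = j + 1
    return f"s{sens}" + (":" + ",".join(parts) if parts else "")


def format_range(rng):
    low, high = rng
    if low == high:
        return format_level(low)
    return f"{format_level(low)}-{format_level(high)}"


def glblub(source, target):
    """Return the common range of two MLS ranges, or None when there is none."""
    (s_low, s_high), (t_low, t_high) = parse_range(source), parse_range(target)
    if s_high[0] < t_low[0] or t_high[0] < s_low[0]:
        return None  # the sensitivities do not overlap: the table's INVALID
    low = (max(s_low[0], t_low[0]), s_low[1] & t_low[1])       # greatest low
    high = (min(s_high[0], t_high[0]), s_high[1] & t_high[1])  # least high
    return format_range((low, high))


if __name__ == "__main__":
    for src, tgt, expected in TABLE_ROWS:
        result = glblub(src, tgt)
        status = "ok" if result == expected else "MISMATCH"
        print(f"{src:24} | {tgt:22} | {result or 'INVALID':24} {status}")
```

A result of None corresponds to the INVALID rows: an object manager that gets no common range has to refuse the transition rather than fall back to either input range.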