ANN: SELinux userspace 2.7-rc4 release candidate
A fourth (and hopefully final) release candidate for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues. Barring any significant further changes, a final 2.7 release is likely the week of July 10th.

Changes from the -rc3 release:

Laurent Bigonville (1):
      Fix consistency of PYTHONLIBDIR variable across modules

Nicolas Iooss (3):
      Travis-CI: update the list of Ruby's and Python's versions
      libsepol/tests: override CPPFLAGS too
      Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line

Stephen Smalley (2):
      libselinux,libsemanage: fix RUBYLIBS definition
      Update VERSION files for 2.7-rc4 release.
Re: [PATCH] Fix consistency of PYTHONLIBDIR variable across modules
On Fri, 2017-06-30 at 18:09 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> PYTHONLIBDIR is currently also used in sepolgen but has a different
> behaviour regarding DESTDIR. Let's try to make this consistent.
>
> Signed-off-by: Laurent Bigonville

Thanks, applied

> --- > python/semanage/Makefile | 8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/python/semanage/Makefile b/python/semanage/Makefile > index 60c36a3a..132162bc 100644 > --- a/python/semanage/Makefile > +++ b/python/semanage/Makefile > @@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr > LIBDIR ?= $(PREFIX)/lib > SBINDIR ?= $(PREFIX)/sbin > MANDIR = $(PREFIX)/share/man > -PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % > sys.version_info[0:2])') > -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig > import *; print(get_python_lib(1))") > +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) > BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash- > completion/completions > > TARGETS=semanage > @@ -20,8 +20,8 @@ install: all > -mkdir -p $(SBINDIR) > install -m 755 semanage $(SBINDIR) > install -m 644 *.8 $(MANDIR)/man8 > - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d > $(PYTHONLIBDIR)/site-packages > - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages > + test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR) > + install -m 755 seobject.py $(PACKAGEDIR) > -mkdir -p $(BASHCOMPLETIONDIR) > install -m 644 $(BASHCOMPLETIONS) > $(BASHCOMPLETIONDIR)/semanage >
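Review bot: In the first hunk `PYTHONLIBDIR` changes meaning without a note for packagers: it used to expand through `$(LIBDIR)` and `$(PREFIX)` and so already contained `$(DESTDIR)`, while now it is the bare path printed by `get_python_lib(1)` and `$(DESTDIR)` is only added in `PACKAGEDIR`. Anyone who passes a `PYTHONLIBDIR` that includes the staging directory on the make command line will get `DESTDIR` applied twice after this change, so the commit message should state the new contract: `PYTHONLIBDIR` is DESTDIR-free and `PACKAGEDIR` is the install location.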
[PATCH] Fix consistency of PYTHONLIBDIR variable across modules
From: Laurent Bigonville

PYTHONLIBDIR is currently also used in sepolgen but has a different behaviour regarding DESTDIR. Let's try to make this consistent.

Signed-off-by: Laurent Bigonville

--- python/semanage/Makefile | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/semanage/Makefile b/python/semanage/Makefile index 60c36a3a..132162bc 100644 --- a/python/semanage/Makefile +++ b/python/semanage/Makefile @@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib SBINDIR ?= $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man -PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions TARGETS=semanage @@ -20,8 +20,8 @@ install: all -mkdir -p $(SBINDIR) install -m 755 semanage $(SBINDIR) install -m 644 *.8 $(MANDIR)/man8 - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages + test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR) + install -m 755 seobject.py $(PACKAGEDIR) -mkdir -p $(BASHCOMPLETIONDIR) install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage -- 2.13.2
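Review bot: `PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)` in the first hunk joins the two parts with a `/` although `get_python_lib(1)` prints an absolute path, so the result carries a doubled slash and starts with `//` when `DESTDIR` is empty; `$(DESTDIR)$(PYTHONLIBDIR)` avoids that. The one-liner would also read better with `from distutils.sysconfig import get_python_lib` instead of the wildcard import and with the argument named, `get_python_lib(plat_specific=1)`.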
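Review bot: In the `install:` hunk the rewritten line still installs `seobject.py` with `-m 755` into the Python package directory, where it is imported rather than executed; since the line is being touched anyway, `-m 644` would match the mode used for the man pages two lines up. `$(PACKAGEDIR)` is also expanded unquoted in both added lines, so a `DESTDIR` containing whitespace would split into several arguments.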
[PATCH] IB/core: Fix static analysis warning in ib_policy_change_task
From: Daniel Jurgens

ib_get_cached_subnet_prefix can technically fail, but the only way it could is not possible based on the loop conditions. Check the return value before using the variable sp to resolve a static analysis warning.

Fixes: 8f408ab64be6 ("selinux lsm IB/core: Implement LSM notification system")
Signed-off-by: Daniel Jurgens
Reported-by: Dan Carpenter

--- drivers/infiniband/core/device.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c index 631eaa9..dabd9f9 100644 --- a/drivers/infiniband/core/device.c +++ b/drivers/infiniband/core/device.c @@ -376,7 +376,8 @@ static void ib_policy_change_task(struct work_struct *work) WARN_ONCE(ret, "ib_get_cached_subnet_prefix err: %d, this should never happen here\n", ret); - ib_security_cache_change(dev, i, sp); + if (ret) + ib_security_cache_change(dev, i, sp); } } up_read(_rwsem); -- 1.8.3.1
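Review bot: The new check in `ib_policy_change_task` is inverted. The `WARN_ONCE(ret, "ib_get_cached_subnet_prefix err: %d, ...")` just above it shows that a non-zero `ret` is the failure case, so `if (ret) ib_security_cache_change(dev, i, sp);` calls the function only when `sp` was not filled in and skips it after every successful lookup. It should read `if (!ret)`; as posted, the security cache is never refreshed on a policy change in the normal path, and the uninitialised use the patch is meant to remove becomes the only path that reaches `ib_security_cache_change`.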
[PATCH] IB/core: Fix uninitialized variable use in check_qp_port_pkey_settings
From: Daniel Jurgens

Check the return value from get_pkey_and_subnet_prefix to prevent using uninitialized variables.

Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
Signed-off-by: Daniel Jurgens
Reported-by: Dan Carpenter

--- drivers/infiniband/core/security.c | 20 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c index 3e8c389..70ad19c 100644 --- a/drivers/infiniband/core/security.c +++ b/drivers/infiniband/core/security.c @@ -120,21 +120,25 @@ static int check_qp_port_pkey_settings(struct ib_ports_pkeys *pps, return 0; if (pps->main.state != IB_PORT_PKEY_NOT_VALID) { - get_pkey_and_subnet_prefix(>main, - , - _prefix); + ret = get_pkey_and_subnet_prefix(>main, +, +_prefix); + if (ret) + return ret; ret = enforce_qp_pkey_security(pkey, subnet_prefix, sec); + if (ret) + return ret; } - if (ret) - return ret; if (pps->alt.state != IB_PORT_PKEY_NOT_VALID) { - get_pkey_and_subnet_prefix(>alt, - , - _prefix); + ret = get_pkey_and_subnet_prefix(>alt, +, +_prefix); + if (ret) + return ret; ret = enforce_qp_pkey_security(pkey, subnet_prefix, -- 1.8.3.1
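Review bot: The commit message does not say that `check_qp_port_pkey_settings` now fails where it used to continue: both the `main` and the `alt` branch `return ret` straight after `get_pkey_and_subnet_prefix`, whereas before the patch a failed lookup went on to call `enforce_qp_pkey_security` with unset `pkey` and `subnet_prefix`. Please state in the message which error codes callers can now see from this function and that rejecting the port settings on a failed lookup is the intended result, so that the change reads as a deliberate fail-closed fix rather than only a warning cleanup.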
Re: [PATCH] selinux: return -ENOMEM if kzalloc() fails
Stephen Smalley wrote:
> On Fri, 2017-06-30 at 10:56 +0300, Dan Carpenter wrote:
> > We accidentally return success instead of -ENOMEM on this failure
> > path.
> >
> > Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of
> > PKey SIDs")
> > Signed-off-by: Dan Carpenter
>
> NAK, that's intentional. See the comment just above the code in
> question.

If allocation failure is no problem, please consider using GFP_NOWAIT | __GFP_NOMEMALLOC | __GFP_NOWARN instead of GFP_ATOMIC, for memory reserves are mainly targeted for OOM victims.
Re: [PATCH 3/3] Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line
On Wed, 2017-06-28 at 23:42 +0200, Nicolas Iooss wrote:
> Some Makefiles rely on adding values to variables like CFLAGS,
> LDFLAGS, etc. For example doing "LDFLAGS += -L../src" does not work
> fine when LDFLAGS is defined on the command line of "make".
>
> Commits 297877ab88ee ("libselinux utils: override LD{FLAGS, LIBS} for
> libselinux.so in Makefile") and 15f274073322 ("Makefiles: override
> *FLAGS and *LIBS") recently fixed such issues, by introducing keyword
> "override" in the relevant Makefile statements.
>
> In order to prevent the fixed issues from appearing again, add a test
> case in Travis-CI configuration file. This case adds on make's command
> line minimal definitions for CFLAGS and LDFLAGS and empty definitions
> for CPPFLAGS and LDLIBS.
>
> An example of build failure due to a missing override in a required
> CPPFLAGS addition is provided on
> https://travis-ci.org/fishilico/selinux/builds/245107609

Thanks, applied all three.

>
> Signed-off-by: Nicolas Iooss

> --- > .travis.yml | 16 ++-- > 1 file changed, 10 insertions(+), 6 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index 573e73322e28..481ea7dae8bb 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -12,6 +12,7 @@ env: > matrix: > # Test the last version of Python and Ruby together, with some > linkers > - PYVER=python3.6 RUBYLIBVER=2.4 > +- PYVER=python3.6 RUBYLIBVER=2.4 TEST_FLAGS_OVERRIDE=1 > - PYVER=python3.6 RUBYLIBVER=2.4 LINKER=gold > - PYVER=python3.6 RUBYLIBVER=2.4 LINKER=bfd
> > @@ -96,14 +97,17 @@ before_script: > - echo "$PYTHON" ; $PYTHON --version > - echo "$RUBY" ; $RUBY --version > > + # If TEST_FLAGS_OVERRIDE is defined, test that overriding CFLAGS, > LDFLAGS and other variables works fine > + - if [ -n "$TEST_FLAGS_OVERRIDE" ]; then > EXPLICIT_MAKE_VARS="CFLAGS=-I$DESTDIR/usr/include LDFLAGS=- > L$DESTDIR/usr/lib LDLIBS= CPPFLAGS=" ; fi > + > script: > # Start by installing everything into $DESTDIR > - - make install -k > - - make install-pywrap -k > - - make install-rubywrap -k > + - make install $EXPLICIT_MAKE_VARS -k > + - make install-pywrap $EXPLICIT_MAKE_VARS -k > + - make install-rubywrap $EXPLICIT_MAKE_VARS -k > > # Now that everything is installed, run "make all" to build > everything which may have not been built > - - make all -k > + - make all $EXPLICIT_MAKE_VARS -k > > # Set up environment variables for the tests > - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib" > @@ -118,7 +122,7 @@ script: > - echo "$RUBYLIB" > > # Run tests > - - make test > + - make test $EXPLICIT_MAKE_VARS > > # Test Python and Ruby wrappers > - $PYTHON -c 'import selinux;import selinux.audit2why;import > semanage;print(selinux.is_selinux_enabled())' > @@ -132,7 +136,7 @@ script: > git status --short | sed -n 's/^??/error: missing .gitignore > entry for/p' | (! grep '^') > > # Clean up everything and show which file would be added to "make > clean" > - - make clean distclean > + - make clean distclean $EXPLICIT_MAKE_VARS > - |- > git ls-files --ignored --others --exclude-standard | sed > 's/^/error: "make clean distclean" did not remove /' | (! grep '^') >
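Review bot: In the `before_script` hunk `EXPLICIT_MAKE_VARS` is built as one string and later expanded unquoted, as in `make install $EXPLICIT_MAKE_VARS -k`, so the test depends on shell word splitting: it works only while `$DESTDIR` contains no whitespace and each variable carries a single word. A short comment saying that the expansion is intentionally unquoted would keep a later quoting cleanup from collapsing the four assignments into one argument. The variable is also never initialised when `TEST_FLAGS_OVERRIDE` is unset, so an `EXPLICIT_MAKE_VARS` inherited from the environment would leak into every job; an `EXPLICIT_MAKE_VARS=` line before the `if` closes that.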
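The Makefile behaviour this commit message describes, as an added example that is not part of the original patch or of the SELinux tree: a throwaway one-statement Makefile shows that a command-line definition, even an empty one, discards a plain `+=`, and that `override` restores the append. GNU make is assumed, the Makefile is constructed for the demo, and `effective_value` is a hypothetical helper name.

```shell
#!/bin/sh
# Added demo, GNU make assumed. The Makefile is constructed here; it is not
# taken from the SELinux tree.

# effective_value VAR 'makefile statement' [make arguments...]
# Prints, in brackets, the value VAR ends up with inside a Makefile that
# contains only the given statement.
effective_value() {
    var=$1; stmt=$2; shift 2
    dir=$(mktemp -d) || return 1
    # "all: ; cmd" keeps the recipe on the rule line, so no tab is needed.
    printf '%s\nall: ; @echo "[$(strip $(%s))]"\n' "$stmt" "$var" > "$dir/Makefile"
    # Drop inherited settings so only the arguments under test are in play.
    out=$(cd "$dir" && unset "$var" MAKEFLAGS && make -s "$@")
    rc=$?
    rm -rf "$dir"
    printf '%s\n' "$out"
    return "$rc"
}

# Plain append: the command-line value wins and -L../src is lost.
effective_value LDFLAGS 'LDFLAGS += -L../src' LDFLAGS=-L/opt/lib
# With override the Makefile's addition survives.
effective_value LDFLAGS 'override LDFLAGS += -L../src' LDFLAGS=-L/opt/lib
# An empty definition on the command line discards the append as well,
# which is the CPPFLAGS= and LDLIBS= case the new Travis job exercises.
effective_value CPPFLAGS 'CPPFLAGS += -I../include' CPPFLAGS=
effective_value CPPFLAGS 'override CPPFLAGS += -I../include' CPPFLAGS=
```

For distribution builds this matters beyond convenience: packagers usually inject hardening flags through exactly these variables on the command line, and a Makefile without `override` then silently loses its own required include or library paths.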
Re: [PATCH] selinux: return -ENOMEM if kzalloc() fails
On Fri, 2017-06-30 at 10:56 +0300, Dan Carpenter wrote:
> We accidentally return success instead of -ENOMEM on this failure
> path.
>
> Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of
> PKey SIDs")
> Signed-off-by: Dan Carpenter

NAK, that's intentional. See the comment just above the code in question.

> > diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c > index e3614ee5f1c0..36e61f622b5a 100644 > --- a/security/selinux/ibpkey.c > +++ b/security/selinux/ibpkey.c > @@ -160,8 +160,10 @@ static int sel_ib_pkey_sid_slow(u64 > subnet_prefix, u16 pkey_num, u32 *sid) > * is valid, it just won't be added to the cache. > */ > new = kzalloc(sizeof(*new), GFP_ATOMIC); > - if (!new) > + if (!new) { > + ret = -ENOMEM; > goto out; > + } > > new->psec.subnet_prefix = subnet_prefix; > new->psec.pkey = pkey_num;
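Review bot: The commit message calls the zero return accidental, but the context line kept at the top of this hunk, `* is valid, it just won't be added to the cache.`, documents it as deliberate, so the description does not match the code being changed. If the aim is to quiet a checker that expects an error code before `goto out`, make the intent explicit without changing the result, for example by extending that comment to say that `ret` stays 0 on this path.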
[PATCH] selinux: return -ENOMEM if kzalloc() fails
We accidentally return success instead of -ENOMEM on this failure path.

Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of PKey SIDs")
Signed-off-by: Dan Carpenter

diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c index e3614ee5f1c0..36e61f622b5a 100644 --- a/security/selinux/ibpkey.c +++ b/security/selinux/ibpkey.c @@ -160,8 +160,10 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid) * is valid, it just won't be added to the cache. */ new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (!new) + if (!new) { + ret = -ENOMEM; goto out; + } new->psec.subnet_prefix = subnet_prefix; new->psec.pkey = pkey_num;
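Review bot: Setting `ret = -ENOMEM` when `kzalloc(sizeof(*new), GFP_ATOMIC)` fails turns a failed cache insert into a failed lookup, although the comment ending `is valid, it just won't be added to the cache.` directly above says the SID is still valid at that point. Under memory pressure callers of `sel_ib_pkey_sid_slow` would then see an error for a lookup that had succeeded, so either drop the change or update that comment in the same patch and explain why the caller must now fail.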