ANN: SELinux userspace 2.7-rc4 release candidate

2017-06-30 Thread Stephen Smalley
A fourth (and hopefully final) release candidate for the SELinux
userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues.
Barring any significant further changes, a final 2.7 release is likely
the week of July 10th.

Changes from the -rc3 release:

Laurent Bigonville (1):
  Fix consistency of PYTHONLIBDIR variable across modules

Nicolas Iooss (3):
  Travis-CI: update the list of Ruby's and Python's versions
  libsepol/tests: override CPPFLAGS too
  Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command
line

Stephen Smalley (2):
  libselinux,libsemanage: fix RUBYLIBS definition
  Update VERSION files for 2.7-rc4 release.

Re: [PATCH] Fix consistency of PYTHONLIBDIR variable across modules

2017-06-30 Thread Stephen Smalley
On Fri, 2017-06-30 at 18:09 +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> PYTHONLIBDIR is currently also used in sepolgen but has a different
> behaviour regarding DESTDIR. Let's try to make this consistent.
> 
> Signed-off-by: Laurent Bigonville 

Thanks, applied

> ---
>  python/semanage/Makefile | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/python/semanage/Makefile b/python/semanage/Makefile
> index 60c36a3a..132162bc 100644
> --- a/python/semanage/Makefile
> +++ b/python/semanage/Makefile
> @@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr
>  LIBDIR ?= $(PREFIX)/lib
>  SBINDIR ?= $(PREFIX)/sbin
>  MANDIR = $(PREFIX)/share/man
> -PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" %
> sys.version_info[0:2])')
> -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
> +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
> import *; print(get_python_lib(1))")
> +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
>  BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-
> completion/completions
>  
>  TARGETS=semanage
> @@ -20,8 +20,8 @@ install: all
>   -mkdir -p $(SBINDIR)
>   install -m 755 semanage $(SBINDIR)
>   install -m 644 *.8 $(MANDIR)/man8
> - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d
> $(PYTHONLIBDIR)/site-packages
> - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
> + test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR)
> + install -m 755 seobject.py $(PACKAGEDIR)
>   -mkdir -p $(BASHCOMPLETIONDIR)
>   install -m 644 $(BASHCOMPLETIONS)
> $(BASHCOMPLETIONDIR)/semanage
>  


[PATCH] Fix consistency of PYTHONLIBDIR variable across modules

2017-06-30 Thread Laurent Bigonville
From: Laurent Bigonville 

PYTHONLIBDIR is currently also used in sepolgen but has a different
behaviour regarding DESTDIR. Let's try to make this consistent.

Signed-off-by: Laurent Bigonville 
---
 python/semanage/Makefile | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 60c36a3a..132162bc 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr
 LIBDIR ?= $(PREFIX)/lib
 SBINDIR ?= $(PREFIX)/sbin
 MANDIR = $(PREFIX)/share/man
-PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % 
sys.version_info[0:2])')
-PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(1))")
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
 BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
 
 TARGETS=semanage
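Review bot: get_python_lib(1) returns an absolute path, so the new PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) produces a doubled slash (//usr/lib/... with an empty DESTDIR, /tmp/dest//usr/lib/... otherwise); harmless, but $(DESTDIR)$(PYTHONLIBDIR) expresses the intent and avoids it. Two things to confirm since this hunk changes semantics: PYLIBVER is dropped here, so no other rule in this Makefile may still expand it, and PYTHONLIBDIR no longer carries DESTDIR (the old $(LIBDIR)/$(PYLIBVER) inherited it through PREFIX ?= $(DESTDIR)/usr), so a packager who previously passed a DESTDIR-prefixed PYTHONLIBDIR on the make command line will now get it prefixed a second time via PACKAGEDIR. That is the consistency with sepolgen the commit message asks for, but it is worth a line in the commit message.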
@@ -20,8 +20,8 @@ install: all
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
install -m 644 *.8 $(MANDIR)/man8
-   test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d 
$(PYTHONLIBDIR)/site-packages
-   install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
+   test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR)
+   install -m 755 seobject.py $(PACKAGEDIR)
-mkdir -p $(BASHCOMPLETIONDIR)
install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
 
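Review bot: install -m 755 seobject.py $(PACKAGEDIR) installs a library module with the execute bit set; seobject.py is only imported by semanage and needs -m 644, the mode used for the man page a few lines above. The mode is carried over from the removed line rather than introduced here, but since the line is being rewritten anyway, dropping the execute bit is a cheap fix in the same patch.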
-- 
2.13.2



[PATCH] IB/core: Fix static analysis warning in ib_policy_change_task

2017-06-30 Thread Dan Jurgens
From: Daniel Jurgens 

ib_get_cached_subnet_prefix can technically fail, but the only way it
could is not possible based on the loop conditions. Check the return
value before using the variable sp to resolve a static analysis warning.

Fixes: 8f408ab64be6 ("selinux lsm IB/core: Implement LSM notification
system")
Signed-off-by: Daniel Jurgens 
Reported-by: Dan Carpenter 
---
 drivers/infiniband/core/device.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 631eaa9..dabd9f9 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -376,7 +376,8 @@ static void ib_policy_change_task(struct work_struct *work)
WARN_ONCE(ret,
  "ib_get_cached_subnet_prefix err: %d, this 
should never happen here\n",
  ret);
-   ib_security_cache_change(dev, i, sp);
+   if (ret)
+   ib_security_cache_change(dev, i, sp);
}
}
up_read(_rwsem);
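Review bot: the condition at "if (ret)" is inverted. ret is non-zero exactly when ib_get_cached_subnet_prefix() failed (that is the case WARN_ONCE(ret, ...) just above fires on), so as written ib_security_cache_change(dev, i, sp) is now called only on the failure path, with the sp the commit message says must not be used, and is skipped on every successful lookup, which disables the cache update this function exists to perform. It should read:

	if (!ret)
		ib_security_cache_change(dev, i, sp);

so that sp is consumed only after a successful lookup, matching the description in the commit message.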
-- 
1.8.3.1



[PATCH] IB/core: Fix uninitialized variable use in check_qp_port_pkey_settings

2017-06-30 Thread Dan Jurgens
From: Daniel Jurgens 

Check the return value from get_pkey_and_subnet_prefix to prevent using
uninitialized variables.

Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
Signed-off-by: Daniel Jurgens 
Reported-by: Dan Carpenter 
---
 drivers/infiniband/core/security.c | 20 
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/core/security.c 
b/drivers/infiniband/core/security.c
index 3e8c389..70ad19c 100644
--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -120,21 +120,25 @@ static int check_qp_port_pkey_settings(struct 
ib_ports_pkeys *pps,
return 0;
 
if (pps->main.state != IB_PORT_PKEY_NOT_VALID) {
-   get_pkey_and_subnet_prefix(>main,
-  ,
-  _prefix);
+   ret = get_pkey_and_subnet_prefix(>main,
+,
+_prefix);
+   if (ret)
+   return ret;
 
ret = enforce_qp_pkey_security(pkey,
   subnet_prefix,
   sec);
+   if (ret)
+   return ret;
}
-   if (ret)
-   return ret;
 
if (pps->alt.state != IB_PORT_PKEY_NOT_VALID) {
-   get_pkey_and_subnet_prefix(>alt,
-  ,
-  _prefix);
+   ret = get_pkey_and_subnet_prefix(>alt,
+,
+_prefix);
+   if (ret)
+   return ret;
 
ret = enforce_qp_pkey_security(pkey,
   subnet_prefix,
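Review bot: the early "return ret" after each get_pkey_and_subnet_prefix() call closes the uninitialized pkey/subnet_prefix use, and moving the post-block "if (ret) return ret;" inside the main block is equivalent on that path. One thing to confirm outside the hunk: when pps->main.state and pps->alt.state are both IB_PORT_PKEY_NOT_VALID the function now falls through to whatever ret holds at entry, exactly as before, so ret must be initialized to 0 in the declarations above the hunk; please double-check that, since it is the only remaining path that returns an unassigned ret. The alt branch's enforce_qp_pkey_security() result is cut off below the hunk; it should be propagated the same way the main branch now does.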
-- 
1.8.3.1



Re: [PATCH] selinux: return -ENOMEM if kzalloc() fails

2017-06-30 Thread Tetsuo Handa
Stephen Smalley wrote:
> On Fri, 2017-06-30 at 10:56 +0300, Dan Carpenter wrote:
> > We accidentally return success instead of -ENOMEM on this failure
> > path.
> > 
> > Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of
> > PKey SIDs")
> > Signed-off-by: Dan Carpenter 
> 
> NAK, that's intentional.  See the comment just above the code in
> question.

If allocation failure is no problem, please consider using
GFP_NOWAIT | __GFP_NOMEMALLOC | __GFP_NOWARN instead of
GFP_ATOMIC, since memory reserves are mainly targeted at OOM victims.


Re: [PATCH 3/3] Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line

2017-06-30 Thread Stephen Smalley
On Wed, 2017-06-28 at 23:42 +0200, Nicolas Iooss wrote:
> Some Makefiles rely on adding values to variables like CFLAGS,
> LDFLAGS, etc. For example doing "LDFLAGS += -L../src" does not work
> fine when LDFLAGS is defined on the command line of "make".
> 
> Commits 297877ab88ee ("libselinux utils: override LD{FLAGS, LIBS} for
> libselinux.so in Makefile") and 15f274073322 ("Makefiles: override
> *FLAGS and *LIBS") recently fixed such issues, by introducing keyword
> "override" in the relevant Makefile statements.
> 
> In order to prevent the fixed issues from appearing again, add a test
> case in Travis-CI configuration file. This case adds on make's
> command line minimal definitions for CFLAGS and LDFLAGS and empty
> definitions for CPPFLAGS and LDLIBS.
> 
> An example of build failure due to a missing override in a required
> CPPFLAGS addition is provided on
> https://travis-ci.org/fishilico/selinux/builds/245107609

Thanks, applied all three.

> 
> Signed-off-by: Nicolas Iooss 
> ---
>  .travis.yml | 16 ++--
>  1 file changed, 10 insertions(+), 6 deletions(-)
> 
> diff --git a/.travis.yml b/.travis.yml
> index 573e73322e28..481ea7dae8bb 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -12,6 +12,7 @@ env:
>    matrix:
>  # Test the last version of Python and Ruby together, with some
> linkers
>  - PYVER=python3.6 RUBYLIBVER=2.4
> +- PYVER=python3.6 RUBYLIBVER=2.4 TEST_FLAGS_OVERRIDE=1
>  - PYVER=python3.6 RUBYLIBVER=2.4 LINKER=gold
>  - PYVER=python3.6 RUBYLIBVER=2.4 LINKER=bfd
>  
> @@ -96,14 +97,17 @@ before_script:
>    - echo "$PYTHON" ; $PYTHON --version
>    - echo "$RUBY" ; $RUBY --version
>  
> +  # If TEST_FLAGS_OVERRIDE is defined, test that overriding CFLAGS,
> LDFLAGS and other variables works fine
> +  - if [ -n "$TEST_FLAGS_OVERRIDE" ]; then
> EXPLICIT_MAKE_VARS="CFLAGS=-I$DESTDIR/usr/include LDFLAGS=-
> L$DESTDIR/usr/lib LDLIBS= CPPFLAGS=" ; fi
> +
>  script:
>    # Start by installing everything into $DESTDIR
> -  - make install -k
> -  - make install-pywrap -k
> -  - make install-rubywrap -k
> +  - make install $EXPLICIT_MAKE_VARS -k
> +  - make install-pywrap $EXPLICIT_MAKE_VARS -k
> +  - make install-rubywrap $EXPLICIT_MAKE_VARS -k
>  
>    # Now that everything is installed, run "make all" to build
> everything which may have not been built
> -  - make all -k
> +  - make all $EXPLICIT_MAKE_VARS -k
>  
>    # Set up environment variables for the tests
>    - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib"
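Review bot: CFLAGS=-I$DESTDIR/usr/include on the command line replaces whatever CFLAGS the Makefiles define rather than adding to it, so this matrix entry builds with no warning or optimisation flags of its own, and $EXPLICIT_MAKE_VARS must stay unquoted so it word-splits into the four assignments. Both are fine for the stated purpose (catching a missing "override"), but a short comment on the before_script line saying so would stop someone later quoting the variable "for safety" or reading this entry as a warnings check. Note also that LDFLAGS=-L$DESTDIR/usr/lib and LDLIBS= only exercise the libraries' own -L/-l additions; a Makefile that still does a plain "CPPFLAGS +=" will fail to find headers here, which is the failure mode the commit message links to.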
> @@ -118,7 +122,7 @@ script:
>    - echo "$RUBYLIB"
>  
>    # Run tests
> -  - make test
> +  - make test $EXPLICIT_MAKE_VARS
>  
>    # Test Python and Ruby wrappers
>    - $PYTHON -c 'import selinux;import selinux.audit2why;import
> semanage;print(selinux.is_selinux_enabled())'
> @@ -132,7 +136,7 @@ script:
>  git status --short | sed -n 's/^??/error: missing .gitignore
> entry for/p' | (! grep '^')
>  
>    # Clean up everything and show which file would be added to "make
> clean"
> -  - make clean distclean
> +  - make clean distclean $EXPLICIT_MAKE_VARS
>    - |-
>  git ls-files --ignored --others --exclude-standard | sed
> 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
>  

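The "LDFLAGS += -L../src" behaviour the commit message above describes can be reproduced outside the selinux tree. The script below is an added example, not code from the selinux repository or its Travis configuration: it writes two one-rule Makefiles into a scratch directory, one with a plain "LDFLAGS +=" and one with "override LDFLAGS +=", runs each with LDFLAGS=-L/opt/lib on make's command line the way a distro build or the new Travis matrix entry does, and prints the LDFLAGS the linker would actually receive. GNU make is assumed to be installed; the /opt/lib path and the "show" target are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the selinux tree: show why a plain
# "LDFLAGS += ..." in a Makefile is silently dropped when LDFLAGS is also
# given on make's command line, and how the "override" directive fixes it.
# Assumes GNU make is installed; the paths used are arbitrary.
set -eu

# Write a one-rule Makefile into directory $1.  $2 selects the form of the
# append: "plain" for "LDFLAGS += -L../src", "override" for the fixed variant.
write_makefile() {
    dir=$1
    form=$2
    if [ "$form" = override ]; then
        printf 'override LDFLAGS += -L../src\n' > "$dir/Makefile"
    else
        printf 'LDFLAGS += -L../src\n' > "$dir/Makefile"
    fi
    # The recipe just prints the LDFLAGS the link step would actually receive.
    printf 'show:\n\t@echo "$(LDFLAGS)"\n' >> "$dir/Makefile"
}

# Build the Makefile in a scratch directory, run make with LDFLAGS on the
# command line (as a distro build or the Travis job does) and print the
# value make ended up with.
effective_ldflags() {
    form=$1
    dir=$(mktemp -d)
    write_makefile "$dir" "$form"
    ( cd "$dir" && make -s show LDFLAGS=-L/opt/lib )
    rm -rf "$dir"
}

if command -v make >/dev/null 2>&1; then
    # plain "+=" loses the Makefile's own -L../src; "override +=" keeps both
    echo "LDFLAGS +=          -> $(effective_ldflags plain)"
    echo "override LDFLAGS += -> $(effective_ldflags override)"
fi
```

With the plain form, make prints only -L/opt/lib: the command-line definition wins and the Makefile's "+=" is ignored, so a library in ../src would not be found. With "override", make prints "-L/opt/lib -L../src", which is the behaviour the Makefiles fixed in 297877ab88ee and 15f274073322 rely on.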

Re: [PATCH] selinux: return -ENOMEM if kzalloc() fails

2017-06-30 Thread Stephen Smalley
On Fri, 2017-06-30 at 10:56 +0300, Dan Carpenter wrote:
> We accidentally return success instead of -ENOMEM on this failure
> path.
> 
> Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of
> PKey SIDs")
> Signed-off-by: Dan Carpenter 

NAK, that's intentional.  See the comment just above the code in
question.

> 
> diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
> index e3614ee5f1c0..36e61f622b5a 100644
> --- a/security/selinux/ibpkey.c
> +++ b/security/selinux/ibpkey.c
> @@ -160,8 +160,10 @@ static int sel_ib_pkey_sid_slow(u64
> subnet_prefix, u16 pkey_num, u32 *sid)
>    * is valid, it just won't be added to the cache.
>    */
>   new = kzalloc(sizeof(*new), GFP_ATOMIC);
> - if (!new)
> + if (!new) {
> + ret = -ENOMEM;
>   goto out;
> + }
>  
>   new->psec.subnet_prefix = subnet_prefix;
>   new->psec.pkey = pkey_num;


[PATCH] selinux: return -ENOMEM if kzalloc() fails

2017-06-30 Thread Dan Carpenter
We accidentally return success instead of -ENOMEM on this failure path.

Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of PKey SIDs")
Signed-off-by: Dan Carpenter 

diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
index e3614ee5f1c0..36e61f622b5a 100644
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -160,8 +160,10 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 
pkey_num, u32 *sid)
 * is valid, it just won't be added to the cache.
 */
new = kzalloc(sizeof(*new), GFP_ATOMIC);
-   if (!new)
+   if (!new) {
+   ret = -ENOMEM;
goto out;
+   }
 
new->psec.subnet_prefix = subnet_prefix;
new->psec.pkey = pkey_num;
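Review bot: returning -ENOMEM here contradicts the comment immediately above the allocation ("... is valid, it just won't be added to the cache."): by this point the SID lookup has already succeeded and "new" is only the cache entry. With this change an atomic allocation failure under memory pressure turns a successful lookup into a failed one, and a caller enforcing PKey access would then deny the operation instead of proceeding without a cache entry, which is a worse failure mode for a best-effort cache. The existing "goto out" with ret left at 0 is the intended behaviour, as the NAK on the thread says, so the patch should be dropped; if the static checker keeps flagging the path, a comment at the goto such as "/* cache insert is best effort */" is the better fix.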