Re: libsemanage getpwent and nss-systemd incompatibility
On 13/07/18 at 16:37, Stephen Smalley wrote:
> On 07/13/2018 10:26 AM, Laurent Bigonville wrote:
>> On 13/07/18 at 16:19, Laurent Bigonville wrote:
>>> On 10/07/18 at 17:58, Stephen Smalley wrote:
>>>> On 07/10/2018 11:40 AM, Stephen Smalley wrote:
>>>>> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
>>>>>> Hello,
>>>>>>
>>>>>> While testing a systemd update on Arch Linux, I encountered the following message (in a Vagrant virtual machine):
>>>>>>
>>>>>> # semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
>>>>>> libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
>>>>>>
>>>>>> A quick debugging of get_home_dirs() in libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf = getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT).
>>>>>>
>>>>>> My /etc/nsswitch.conf contains:
>>>>>>
>>>>>> passwd: files mymachines systemd
>>>>>>
>>>>>> If I remove "systemd" from this line, the error disappears. Therefore it seems that systemd's NSS module returns an ENOENT error when getpwent() is called. I have not found any clue in systemd's code [1] about such an error and I have not got much time to debug this issue.
>>>>>>
>>>>>> Does this occur for someone else (using Fedora for example)?
>>>>>
>>>>> Fedora ships with usepasswd=False in semanage.conf, so we'll never reach that code in a default configuration. Fedora nsswitch.conf has the following for passwd:
>>>>>
>>>>> passwd: files sss systemd
>>>>>
>>>>> Removing usepasswd=False from semanage.conf, I see the same behavior with libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did not occur with systemd 238.
>>>>
>>>> systemd v239 does introduce support into nss-systemd for looking up dynamic users, so this seems to be the cause. Not sure yet whether this represents a bug in libsemanage or systemd, but it appears to just be a warning and not fatal to operation.
>>>>
>>>> I'm inclined to think that this is a bug in systemd. The man page for getpwent() says nothing about setting errno to ENOENT upon reaching the end of the passwd database; it should just return NULL w/o setting errno AFAICT.
>>>
>>> I see the same warning in Debian.
>>>
>>> If I'm reading https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html well, it is actually valid to set errno=ENOENT and return NSS_STATUS_NOTFOUND if "The requested entry is not available.", so that should be OK?
>>
>> There is more info at https://www.gnu.org/software/libc/manual/html_node/NSS-Module-Function-Internals.html as well:
>>
>> "The function shall return NSS_STATUS_SUCCESS as long as there are more entries. When the last entry was read it should return NSS_STATUS_NOTFOUND. When the buffer given as an argument is too small for the data to be returned NSS_STATUS_TRYAGAIN should be returned. When the service was not formerly initialized by a call to _nss_DATABASE_setdbent all return values allowed for this function can also be returned here."
>>
>> But indeed, it's not that clear if you should set errno or not if you reach the last entry.
>
> I'm not averse to a patch for libsemanage to ignore ENOENT from getpwent(), but I think it is a bug in either systemd (i.e. it shouldn't be setting ENOENT) or glibc (it should suppress it) given that it is not documented as a possible errno value in getpwent(3). If we ignore it, we likely ought to clear errno to avoid incorrect propagation of an ENOENT errno to later code. But someone likely ought to open a bug with either systemd or glibc maintainers regardless.
>
> Should be easy to create a trivial test case w/o involving libsemanage, just some code that calls getpwent() until it returns NULL and then tests the errno value, and show that it changes between systemd v238 and systemd v239.

FTR I've opened https://sourceware.org/bugzilla/show_bug.cgi?id=23410 as the errno is not documented, let's see what they will say.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
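The trivial test case Stephen describes above, as an added example written for this page (it is not code from the thread, from libsemanage or from systemd): it walks the passwd database with getpwent() until it returns NULL, reports the errno left behind, and shows the tolerant end-of-database check that a caller such as libsemanage's get_home_dirs() loop could apply, treating both 0 and ENOENT as "end of list" and clearing errno afterwards so it does not propagate to later code. The names walk_passwd and end_of_db_errno_is_benign are this example's own; which errno value you observe depends on the NSS modules listed in your nsswitch.conf and on the systemd version (the thread reports 0 with v238 and ENOENT with v239).

```c
/* Added example (not from the thread, libsemanage or systemd): reproduce the
 * getpwent()/errno behaviour discussed above and classify the result. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Walk the whole passwd database with getpwent(), the way libsemanage's
 * get_home_dirs() loop does, and report the errno value left behind once
 * getpwent() returns NULL.  Returns the number of entries seen;
 * *end_errno receives errno as observed after the final NULL. */
int walk_passwd(int *end_errno)
{
    int count = 0;
    struct passwd *pw;

    setpwent();
    errno = 0;                  /* start from a known state */
    while ((pw = getpwent()) != NULL) {
        count++;
        errno = 0;              /* an entry came back, so any errno is stale */
    }
    *end_errno = errno;         /* 0 per getpwent(3); ENOENT seen with nss-systemd v239 */
    endpwent();
    return count;
}

/* Decide whether the errno left after a NULL from getpwent() means
 * "end of database" or a real failure.  0 is the documented end-of-list
 * value; ENOENT is what an NSS module that answers NSS_STATUS_NOTFOUND for
 * the last entry leaves behind, so a tolerant caller accepts both. */
int end_of_db_errno_is_benign(int err)
{
    return err == 0 || err == ENOENT;
}

int main(void)
{
    int err;
    int n = walk_passwd(&err);

    printf("getpwent() returned %d entries; errno after NULL = %d (%s)\n",
           n, err, err ? strerror(err) : "0");
    if (end_of_db_errno_is_benign(err)) {
        errno = 0;              /* clear it so it cannot leak into later code */
        printf("treated as end of database\n");
        return 0;
    }
    fprintf(stderr, "real failure while enumerating users: %s\n", strerror(err));
    return 1;
}
```

Run it once on a host with and once without "systemd" in the passwd line of nsswitch.conf (or against v238 and v239) and compare the reported errno; the classification step is what a libsemanage-side workaround would add in front of its "Error while fetching users" warning.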
Re: libsemanage getpwent and nss-systemd incompatibility
On 13/07/18 at 16:19, Laurent Bigonville wrote:
> On 10/07/18 at 17:58, Stephen Smalley wrote:
>> On 07/10/2018 11:40 AM, Stephen Smalley wrote:
>>> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
>>>> Hello,
>>>>
>>>> While testing a systemd update on Arch Linux, I encountered the following message (in a Vagrant virtual machine):
>>>>
>>>> # semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
>>>> libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
>>>>
>>>> A quick debugging of get_home_dirs() in libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf = getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT).
>>>>
>>>> My /etc/nsswitch.conf contains:
>>>>
>>>> passwd: files mymachines systemd
>>>>
>>>> If I remove "systemd" from this line, the error disappears. Therefore it seems that systemd's NSS module returns an ENOENT error when getpwent() is called. I have not found any clue in systemd's code [1] about such an error and I have not got much time to debug this issue.
>>>>
>>>> Does this occur for someone else (using Fedora for example)?
>>>
>>> Fedora ships with usepasswd=False in semanage.conf, so we'll never reach that code in a default configuration. Fedora nsswitch.conf has the following for passwd:
>>>
>>> passwd: files sss systemd
>>>
>>> Removing usepasswd=False from semanage.conf, I see the same behavior with libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did not occur with systemd 238.
>>
>> systemd v239 does introduce support into nss-systemd for looking up dynamic users, so this seems to be the cause. Not sure yet whether this represents a bug in libsemanage or systemd, but it appears to just be a warning and not fatal to operation.
>>
>> I'm inclined to think that this is a bug in systemd. The man page for getpwent() says nothing about setting errno to ENOENT upon reaching the end of the passwd database; it should just return NULL w/o setting errno AFAICT.
>
> I see the same warning in Debian.
>
> If I'm reading https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html well, it is actually valid to set errno=ENOENT and return NSS_STATUS_NOTFOUND if "The requested entry is not available.", so that should be OK?

There is more info at https://www.gnu.org/software/libc/manual/html_node/NSS-Module-Function-Internals.html as well:

"The function shall return NSS_STATUS_SUCCESS as long as there are more entries. When the last entry was read it should return NSS_STATUS_NOTFOUND. When the buffer given as an argument is too small for the data to be returned NSS_STATUS_TRYAGAIN should be returned. When the service was not formerly initialized by a call to _nss_DATABASE_setdbent all return values allowed for this function can also be returned here."

But indeed, it's not that clear if you should set errno or not if you reach the last entry.
Re: libsemanage getpwent and nss-systemd incompatibility
On 10/07/18 at 17:58, Stephen Smalley wrote:
> On 07/10/2018 11:40 AM, Stephen Smalley wrote:
>> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
>>> Hello,
>>>
>>> While testing a systemd update on Arch Linux, I encountered the following message (in a Vagrant virtual machine):
>>>
>>> # semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
>>> libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
>>>
>>> A quick debugging of get_home_dirs() in libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf = getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT).
>>>
>>> My /etc/nsswitch.conf contains:
>>>
>>> passwd: files mymachines systemd
>>>
>>> If I remove "systemd" from this line, the error disappears. Therefore it seems that systemd's NSS module returns an ENOENT error when getpwent() is called. I have not found any clue in systemd's code [1] about such an error and I have not got much time to debug this issue.
>>>
>>> Does this occur for someone else (using Fedora for example)?
>>
>> Fedora ships with usepasswd=False in semanage.conf, so we'll never reach that code in a default configuration. Fedora nsswitch.conf has the following for passwd:
>>
>> passwd: files sss systemd
>>
>> Removing usepasswd=False from semanage.conf, I see the same behavior with libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did not occur with systemd 238.
>
> systemd v239 does introduce support into nss-systemd for looking up dynamic users, so this seems to be the cause. Not sure yet whether this represents a bug in libsemanage or systemd, but it appears to just be a warning and not fatal to operation.
>
> I'm inclined to think that this is a bug in systemd. The man page for getpwent() says nothing about setting errno to ENOENT upon reaching the end of the passwd database; it should just return NULL w/o setting errno AFAICT.

I see the same warning in Debian.

If I'm reading https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html well, it is actually valid to set errno=ENOENT and return NSS_STATUS_NOTFOUND if "The requested entry is not available.", so that should be OK?

>>> For information, this issue occurs with SELinux release 2.8 (and git master branch), systemd 239.0 and glibc 2.27, on a system with SELinux in permissive mode.
>>>
>>> Best,
>>> Nicolas
>>>
>>> [1] https://github.com/systemd/systemd/blob/master/src/nss-systemd/nss-systemd.c
sepolgen-ifgen fails with current refpolicy
Hello,

With the current refpolicy, when running sepolgen-ifgen I get the following (fatal) error:

/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
error parsing headers
error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"

The line in question in obj_perm_sets.spt is:

define(`mmap_file_perms',`{ getattr open map read execute ioctl } refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')') # deprecated 20171213

sepolgen-ifgen is not happy with the embedded "refpolicywarn" apparently.

Regards,

Laurent Bigonville
[PATCH] restorecond: Fix consistency of DESTDIR usage
From: Laurent Bigonville --- restorecond/Makefile | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/restorecond/Makefile b/restorecond/Makefile index 25be18d4..8a0ada1f 100644 --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -9,8 +9,8 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services SYSTEMDDIR ?= $(PREFIX)/lib/systemd autostart_DATA = sealertauto.desktop -INITDIR ?= $(DESTDIR)/etc/rc.d/init.d -SELINUXDIR = $(DESTDIR)/etc/selinux +INITDIR ?= /etc/rc.d/init.d +SELINUXDIR = /etc/selinux DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1) DBUSLIB = $(shell $(PKG_CONFIG) --libs dbus-glib-1) @@ -42,11 +42,11 @@ install: all -mkdir -p $(DESTDIR)$(SBINDIR) install -m 755 restorecond $(DESTDIR)$(SBINDIR) install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8 - -mkdir -p $(INITDIR) - install -m 755 restorecond.init $(INITDIR)/restorecond - -mkdir -p $(SELINUXDIR) - install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf - install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf + -mkdir -p $(DESTDIR)$(INITDIR) + install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond + -mkdir -p $(DESTDIR)$(SELINUXDIR) + install -m 644 restorecond.conf $(DESTDIR)$(SELINUXDIR)/restorecond.conf + install -m 644 restorecond_user.conf $(DESTDIR)$(SELINUXDIR)/restorecond_user.conf -mkdir -p $(DESTDIR)$(AUTOSTARTDIR) install -m 644 restorecond.desktop $(DESTDIR)$(AUTOSTARTDIR)/restorecond.desktop -mkdir -p $(DESTDIR)$(DBUSSERVICEDIR) -- 2.17.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
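Review bot: the patch carries no commit message body, and the first hunk changes what INITDIR and SELINUXDIR mean (from staging-prefixed paths to final on-target paths, with $(DESTDIR) applied only in the install recipe, as the neighbouring SBINDIR, MANDIR and AUTOSTARTDIR lines already do); a short description would help packagers who override `INITDIR ?=` on the command line, since a value that still embeds DESTDIR would now be prefixed twice in `-mkdir -p $(DESTDIR)$(INITDIR)`. Also consider making SELINUXDIR `?=` like INITDIR so both can be overridden the same way.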
Re: [PATCH] restorecond: Fix consistency of DESTDIR usage
Le 30/05/18 à 22:19, Nicolas Iooss a écrit : On Tue, May 29, 2018 at 9:29 AM, Laurent Bigonville wrote: From: Laurent Bigonville --- restorecond/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/restorecond/Makefile b/restorecond/Makefile index 25be18d4..fed65bba 100644 --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -9,7 +9,7 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services SYSTEMDDIR ?= $(PREFIX)/lib/systemd autostart_DATA = sealertauto.desktop -INITDIR ?= $(DESTDIR)/etc/rc.d/init.d +INITDIR ?= /etc/rc.d/init.d SELINUXDIR = $(DESTDIR)/etc/selinux This looks good to me, but seeing the SELINUXDIR definition, I am wondering whether this line should also be migrated to remove DESTDIR from it. This could be done in an other patch. You want a new patch? I could amend that one instead Nicolas DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1) @@ -42,8 +42,8 @@ install: all -mkdir -p $(DESTDIR)$(SBINDIR) install -m 755 restorecond $(DESTDIR)$(SBINDIR) install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8 - -mkdir -p $(INITDIR) - install -m 755 restorecond.init $(INITDIR)/restorecond + -mkdir -p $(DESTDIR)$(INITDIR) + install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond -mkdir -p $(SELINUXDIR) install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
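Review bot: in the second hunk the three SELINUXDIR lines kept as context (`-mkdir -p $(SELINUXDIR)` and the two `install ... $(SELINUXDIR)/...` lines) still rely on DESTDIR being embedded in the variable, so after this hunk the install target mixes both conventions; folding the SELINUXDIR change Nicolas asks about into the same patch, with `$(DESTDIR)$(SELINUXDIR)` here, keeps the Makefile consistent in a single commit.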
system-config-selinux requires root to run
Hello,

I was planning to re-add system-config-selinux in the Debian package now that it has been ported to GIR, python3 and GTK3. But I realized that it requires root rights (via pkexec) to work. The problem with that is that it doesn't work with Wayland.

Are there any plans to decouple (even more) the GUI and the backend that requires root?

Kind regards,

Laurent Bigonville
fixfiles and load_policy moved from /sbin to /usr/sbin
Hello,

While packaging policycoreutils 2.8 I've seen that the fixfiles and load_policy executables were moved from /sbin to /usr/sbin.

Any reasons for this? This seems to me like an involuntary side effect of the cleanup for DESTDIR and PREFIX in the build system.

For distributions with usr-merge that will not change anything, but for others that could prevent early boot scripts from loading the policy.

Shouldn't that be reverted?

Kind regards,

Laurent Bigonville
[PATCH] policycoreutils: Fix typo in newrole.1 manpage
From: Laurent Bigonville --- policycoreutils/newrole/newrole.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/newrole/newrole.1 b/policycoreutils/newrole/newrole.1 index 0d9738a1..893c42f7 100644 --- a/policycoreutils/newrole/newrole.1 +++ b/policycoreutils/newrole/newrole.1 @@ -44,7 +44,7 @@ specified by that range. If the or .B --preserve-environment option is specified, the shell with the new SELinux context will preserve environment variables, -otherwise a new minimal enviroment is created. +otherwise a new minimal environment is created. .PP Additional arguments .I ARGS -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 3/3] libselinux: fix the whatis line for the selinux_boolean_sub.3 manpage
From: Laurent Bigonville Signed-off-by: Laurent Bigonville --- libselinux/man/man3/selinux_boolean_sub.3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/man/man3/selinux_boolean_sub.3 b/libselinux/man/man3/selinux_boolean_sub.3 index d24c12a3..a29a38d5 100644 --- a/libselinux/man/man3/selinux_boolean_sub.3 +++ b/libselinux/man/man3/selinux_boolean_sub.3 @@ -1,6 +1,6 @@ .TH "selinux_boolean_sub" "3" "11 June 2012" "dwa...@redhat.com" "SELinux API documentation" .SH "NAME" -selinux_boolean_sub \- +selinux_boolean_sub \- Search the translated name for a boolean_name record . .SH "SYNOPSIS" .B #include -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
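Review bot: the new whatis text "Search the translated name for a boolean_name record" reads backwards relative to the DESCRIPTION section visible in patch 1/3 of this series (the function searches booleans.subs_dist for a matching boolean_name record and returns the substitution name, or the original name if there is none); a summary such as "get the substituted (translated) name for a boolean" would describe the same behaviour more accurately, and whatis lines are conventionally lowercase so that apropos output stays uniform.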
[PATCH 2/3] libselinux: Fix line wrapping in selabel_file.5
From: Laurent Bigonville Fix line wrapping with limited to 80 columns Fix lintian error: W: selinux-utils: manpage-has-errors-from-man usr/share/man/man5/selabel_file.5.gz 104: warning [p 2, 10.0i]: cannot adjust line Signed-off-by: Laurent Bigonville --- libselinux/man/man5/selabel_file.5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5 index e7388242..e97bd826 100644 --- a/libselinux/man/man5/selabel_file.5 +++ b/libselinux/man/man5/selabel_file.5 @@ -92,7 +92,7 @@ The optional local and distribution substitution files that perform any path ali .RE .sp The default file context series of files are: -.RS +.RS 6 .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts .br .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 1/3] libselinux: Fix spelling errors in manpages
From: Laurent Bigonville Signed-off-by: Laurent Bigonville --- libselinux/man/man3/selinux_boolean_sub.3 | 2 +- libselinux/man/man3/selinux_restorecon_xattr.3 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libselinux/man/man3/selinux_boolean_sub.3 b/libselinux/man/man3/selinux_boolean_sub.3 index 308c2684..d24c12a3 100644 --- a/libselinux/man/man3/selinux_boolean_sub.3 +++ b/libselinux/man/man3/selinux_boolean_sub.3 @@ -12,7 +12,7 @@ selinux_boolean_sub \- searches the .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist file -for a maching boolean_name record. If the record exists the boolean substitution name is returned. If not +for a matching boolean_name record. If the record exists the boolean substitution name is returned. If not .BR \%selinux_boolean_sub () returns the original .IR \%boolean_name . diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 index 7280c958..516d2669 100644 --- a/libselinux/man/man3/selinux_restorecon_xattr.3 +++ b/libselinux/man/man3/selinux_restorecon_xattr.3 @@ -119,7 +119,7 @@ By default .BR selinux_restorecon_xattr (3) will use the default set of specfiles described in .BR files_contexts (5) -to calculate the initial SHA1 digest to be used for comparision. +to calculate the initial SHA1 digest to be used for comparison. To change this default behavior .BR selabel_open (3) must be called specifying the required -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] secilc: Make the clean target call the clean target of docs/
From: Laurent Bigonville Thanks to Russell Coker https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899083 Signed-off-by: Laurent Bigonville --- secilc/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/secilc/Makefile b/secilc/Makefile index dfd79cef..16640098 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -58,6 +58,7 @@ clean: rm -f file_contexts rm -f $(SECILC_MANPAGE) rm -f $(SECIL2CONF_MANPAGE) + $(MAKE) -C docs clean relabel: -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
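Review bot: the added `$(MAKE) -C docs clean` turns the top-level clean target into a hard failure whenever docs/ is absent or its Makefile has no clean target (for example in a tree where the documentation directory is not shipped), whereas the surrounding `rm -f` lines tolerate missing files; if that situation can occur, guard the recursion on the directory's presence or prefix the recipe line with `-` so clean keeps its best-effort behaviour.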
[PATCH] restorecond: Fix consistency of DESTDIR usage
From: Laurent Bigonville --- restorecond/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/restorecond/Makefile b/restorecond/Makefile index 25be18d4..fed65bba 100644 --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -9,7 +9,7 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services SYSTEMDDIR ?= $(PREFIX)/lib/systemd autostart_DATA = sealertauto.desktop -INITDIR ?= $(DESTDIR)/etc/rc.d/init.d +INITDIR ?= /etc/rc.d/init.d SELINUXDIR = $(DESTDIR)/etc/selinux DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1) @@ -42,8 +42,8 @@ install: all -mkdir -p $(DESTDIR)$(SBINDIR) install -m 755 restorecond $(DESTDIR)$(SBINDIR) install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8 - -mkdir -p $(INITDIR) - install -m 755 restorecond.init $(INITDIR)/restorecond + -mkdir -p $(DESTDIR)$(INITDIR) + install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond -mkdir -p $(SELINUXDIR) install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf -- 2.17.0 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
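Review bot: in the first hunk the unchanged context line `SELINUXDIR = $(DESTDIR)/etc/selinux` keeps the staging prefix embedded while INITDIR drops it, so the Makefile now holds one variable of each kind; migrate SELINUXDIR the same way in this patch so that both variables are final on-target paths and $(DESTDIR) is applied uniformly at install time.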
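Review bot: in the second hunk the `-mkdir -p $(SELINUXDIR)` and two `install ... $(SELINUXDIR)/...` context lines still depend on DESTDIR being part of SELINUXDIR; once SELINUXDIR is changed like INITDIR these need the `$(DESTDIR)$(SELINUXDIR)` form as well, otherwise a staged build would write restorecond.conf and restorecond_user.conf into the live /etc/selinux.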
Re: dbus-daemon patches review
On 23/03/18 at 13:26, Stephen Smalley wrote:
> On 03/23/2018 06:31 AM, Laurent Bigonville wrote:
>> On 22/03/18 at 17:09, Stephen Smalley wrote:
>>> On 03/21/2018 07:58 AM, Laurent Bigonville wrote:
>>>> Hello,
>>>>
>>>> Could somebody have a quick look at the two patches that I opened for two dbus bugs:
>>>>
>>>> https://bugs.freedesktop.org/show_bug.cgi?id=92831 (stop using avc_init())
>>>> https://bugs.freedesktop.org/attachment.cgi?id=138021 (stop using selinux_set_mapping())
>>>>
>>>> I'm also wondering whether the call to avc_add_callback() shouldn't be replaced by selinux_set_callback(), an opinion on this?
>>>
>>> Patches look sane to me although I'm not really familiar with dbus code.
>>
>> Thanks for the review, Simon already had a look at the dbus part of the code.
>>
>>> Looks like the callback is only used to trigger a reload of the dbus configuration (for dbus_contexts updates), and thus selinux_set_callback(SELINUX_CB_POLICYLOAD) is more appropriate than avc_add_callback(AVC_CALLBACK_RESET), since the latter is called upon setenforce 1 as well. However, if it were truly only for that purpose, one might argue that it ought to be a watch on the dbus_contexts file instead and not be tied to selinux at all.
>>
>> I really don't know the original rationale of this. But I guess that if somebody is modifying the dbus_contexts file, there are big chances that he will reload the policy as well(?). I'll replace avc_add_callback() with selinux_set_callback(); we could say that as the file is in the SELinux path it's its responsibility.
>>
>>> NB This still won't fix the case where dbusd has already performed a string_to_security_class/av_perm lookup and the result has been cached by the libselinux class cache and then a subsequent policy update alters those values. That is what was fixed for systemd's usage of selinux_check_access() by selinux commit b408d72ca9104cb0c1bc4e154d8732cc7c0a9190. Offhand, I'm now wondering why I didn't just call flush_class_cache() from avc_reset() itself. That would fix it for other users of the AVC.
>>>
>>> You can't directly call flush_class_cache() from the dbus selinux policyload callback because it is hidden presently. If we can fix it directly in libselinux, then that is better. If not, we'd need to export it and probably give it a more unique name, ala selinux_flush_class_cache().
>>
>> Right, that's a really good point, that I apparently overlooked... Is that cache really supposed to substantially speed up things? Would it be possible to create a version of selinux_check_access() that allows passing a reference to the cache, or to let selinux_check_access() create that cache itself? If it's the case I guess that dbus-broker would benefit from that as well as they are using selinux_check_access(). Otherwise we can indeed clean up the cache ourselves, but wasn't the goal of selinux_check_access() to be an "easy" interface to use? Asking the applications to do this kind of housekeeping is defeating that purpose, isn't it?
>
> If you use selinux_check_access(), then the class cache is already flushed for you upon an AVC reset; that is what the commit I referenced above did. The problem in the case of dbusd is that it is not using selinux_check_access() but rather its own direct usage of string_to_security_class/av_perm() and avc_has_perm(). That's why we need to either take the call to flush_class_cache() in libselinux to avc_reset() so that it is done for all users of the AVC, or we need to export it and have dbusd call it from its policy reload callback.

No, I meant the decision cache used by avc_has_perm(). dbus is not using selinux_check_access() because there is no way to set that decision cache (the 5th parameter of avc_has_perm() is NULL).
Re: dbus-daemon patches review
On 22/03/18 at 17:09, Stephen Smalley wrote:
> On 03/21/2018 07:58 AM, Laurent Bigonville wrote:
>> Hello,
>>
>> Could somebody have a quick look at the two patches that I opened for two dbus bugs:
>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=92831 (stop using avc_init())
>> https://bugs.freedesktop.org/attachment.cgi?id=138021 (stop using selinux_set_mapping())
>>
>> I'm also wondering whether the call to avc_add_callback() shouldn't be replaced by selinux_set_callback(), an opinion on this?
>
> Patches look sane to me although I'm not really familiar with dbus code.

Thanks for the review, Simon already had a look at the dbus part of the code.

> Looks like the callback is only used to trigger a reload of the dbus configuration (for dbus_contexts updates), and thus selinux_set_callback(SELINUX_CB_POLICYLOAD) is more appropriate than avc_add_callback(AVC_CALLBACK_RESET), since the latter is called upon setenforce 1 as well. However, if it were truly only for that purpose, one might argue that it ought to be a watch on the dbus_contexts file instead and not be tied to selinux at all.

I really don't know the original rationale of this. But I guess that if somebody is modifying the dbus_contexts file, there are big chances that he will reload the policy as well(?). I'll replace avc_add_callback() with selinux_set_callback(); we could say that as the file is in the SELinux path it's its responsibility.

> NB This still won't fix the case where dbusd has already performed a string_to_security_class/av_perm lookup and the result has been cached by the libselinux class cache and then a subsequent policy update alters those values. That is what was fixed for systemd's usage of selinux_check_access() by selinux commit b408d72ca9104cb0c1bc4e154d8732cc7c0a9190. Offhand, I'm now wondering why I didn't just call flush_class_cache() from avc_reset() itself. That would fix it for other users of the AVC.
>
> You can't directly call flush_class_cache() from the dbus selinux policyload callback because it is hidden presently. If we can fix it directly in libselinux, then that is better. If not, we'd need to export it and probably give it a more unique name, ala selinux_flush_class_cache().

Right, that's a really good point, that I apparently overlooked... Is that cache really supposed to substantially speed up things? Would it be possible to create a version of selinux_check_access() that allows passing a reference to the cache, or to let selinux_check_access() create that cache itself? If it's the case I guess that dbus-broker would benefit from that as well as they are using selinux_check_access(). Otherwise we can indeed clean up the cache ourselves, but wasn't the goal of selinux_check_access() to be an "easy" interface to use? Asking the applications to do this kind of housekeeping is defeating that purpose, isn't it?
dbus-daemon patches review
Hello, Could somebody have a quick look at the two patches that I opened for two dbus bugs: https://bugs.freedesktop.org/show_bug.cgi?id=92831 (stop using avc_init()) https://bugs.freedesktop.org/attachment.cgi?id=138021 (stop using selinux_set_mapping()) I'm also wondering whether the call to avc_add_callback() shouldn't be replaced by selinux_set_callback(), an opinion on this? Kind regards, Laurent Bigonville >From 1299035853924131d40d1033ce367153933d4a84 Mon Sep 17 00:00:00 2001 From: Laurent Bigonville <bi...@bigon.be> Date: Sat, 3 Mar 2018 13:15:17 +0100 Subject: [PATCH 1/2] Stop using avc_init() which is deprecated Stop using avc_init() and use avc_open() instead. With this commit dbus-daemon will stop using a thread to monitor the avc netlink and will poll it instead. https://bugs.freedesktop.org/show_bug.cgi?id=92831 --- bus/bus.c | 2 +- bus/selinux.c | 213 +++- bus/selinux.h | 2 +- bus/test-main.c | 6 -- bus/test.c | 9 +++ 5 files changed, 113 insertions(+), 119 deletions(-) diff --git a/bus/bus.c b/bus/bus.c index 9fd9820b..5b59ed45 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -995,7 +995,7 @@ bus_context_new (const DBusString *config_file, */ bus_audit_init (context); - if (!bus_selinux_full_init ()) + if (!bus_selinux_full_init (context, error)) { bus_context_log (context, DBUS_SYSTEM_LOG_ERROR, "SELinux enabled but D-Bus initialization failed; " diff --git a/bus/selinux.c b/bus/selinux.c index d09afb4b..f0ddfa11 100644 --- a/bus/selinux.c +++ b/bus/selinux.c @@ -49,6 +49,7 @@ #include #include #include +#include #endif /* HAVE_SELINUX */ #ifdef HAVE_LIBAUDIT #include 
@@ -64,45 +65,20 @@ static dbus_bool_t selinux_enabled = FALSE; /* Store an avc_entry_ref to speed AVC decisions. */ static struct avc_entry_ref aeref; +/* Store the avc netlink fd. */ +static int avc_netlink_fd = -1; + +/* Watch to listen for SELinux status changes via netlink. */ +static DBusWatch *avc_netlink_watch_obj = NULL; +static DBusLoop *avc_netlink_loop_obj = NULL; + /* Store the SID of the bus itself to use as the default. */ static security_id_t bus_sid = SECSID_WILD; -/* Thread to listen for SELinux status changes via netlink. */ -static pthread_t avc_notify_thread; - /* Prototypes for AVC callback functions. */ -static void log_callback (const char *fmt, ...) _DBUS_GNUC_PRINTF (1, 2); -static void log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft); -static void *avc_create_thread (void (*run) (void)); -static void avc_stop_thread (void *thread); -static void *avc_alloc_lock (void); -static void avc_get_lock (void *lock); -static void avc_release_lock (void *lock); -static void avc_free_lock (void *lock); - -/* AVC callback structures for use in avc_init. */ -static const struct avc_memory_callback mem_cb = -{ - .func_malloc = dbus_malloc, - .func_free = dbus_free -}; -static const struct avc_log_callback log_cb = -{ - .func_log = log_callback, - .func_audit = log_audit_callback -}; -static const struct avc_thread_callback thread_cb = -{ - .func_create_thread = avc_create_thread, - .func_stop_thread = avc_stop_thread -}; -static const struct avc_lock_callback lock_cb = -{ - .func_alloc_lock = avc_alloc_lock, - .func_get_lock = avc_get_lock, - .func_release_lock = avc_release_lock, - .func_free_lock = avc_free_lock -}; +static int log_callback (int type, const char *fmt, ...) _DBUS_GNUC_PRINTF (2, 3); +static int log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft); + #endif /* HAVE_SELINUX */ /** 
@@ -115,8 +91,8 @@ static const struct avc_lock_callback lock_cb = */ #ifdef HAVE_SELINUX -static void -log_callback (const char *fmt, ...) +static int +log_callback (int type, const char *fmt, ...) { va_list ap; #ifdef HAVE_LIBAUDIT @@ -150,6 +126,8 @@ log_callback (const char *fmt, ...) out: #endif va_end(ap); + + return 0; } /** @@ -170,7 +148,7 @@ policy_reload_callback (u_int32_t event, security_id_t ssid, /** * Log any auxiliary data */ -static void +static int log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft) { DBusString *audmsg = data; @@ -188,73 +166,20 @@ log_audit_callback (void *data, security_class_t class, char *buf, size_t buflef if (bufleft > (size_t) _dbus_string_get_length()) _dbus_string_copy_to_buffer_with_nul (, buf, bufleft); } -} - -/** - * Create thread to notify the AVC of enforcing and policy reload - * changes via netlink. - * - * @param run the thread run function - * @return pointer to the thread - */ -static void * -avc_create_thread (void (*run) (void)) -{ - int rc; - - rc = pthread_create (_notify_thread, NULL, (void *(*) (void *)) run, NULL); - if (rc != 0) -{ - _dbus_warn ("Failed to start AVC thread: %s", _dbu
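Review bot: the bus/bus.c hunk passes `context` and `error` into bus_selinux_full_init(), but the caller only logs the generic "SELinux enabled but D-Bus initialization failed" message; make sure every new failure path inside the function (avc_open(), acquiring the netlink fd, creating the DBusWatch, adding it to the loop) sets `error` with a specific reason, otherwise the caller now receives an unset DBusError and the log line stays as uninformative as before.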
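Review bot: in the @@ -64 and @@ -115 hunks the log callback becomes `int log_callback (int type, const char *fmt, ...)`, i.e. the SELINUX_CB_LOG shape used by selinux_set_callback(); that single callback receives SELINUX_ERROR, SELINUX_WARNING, SELINUX_INFO and SELINUX_AVC messages, whereas the removed avc_log_callback was AVC-only. The body should branch on `type` (audit the SELINUX_AVC denials, send the rest to the ordinary daemon log) rather than treating every message as an AVC event. The new static `avc_netlink_fd` and `avc_netlink_watch_obj` also replace the notify thread that avc_stop_thread() used to tear down, so the shutdown path needs to remove the watch and call avc_netlink_release_fd().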
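Review bot: log_audit_callback() is changed to return int in the @@ -170 hunk, but in the @@ -188 hunk its body still ends right after the `_dbus_string_copy_to_buffer_with_nul (...)` call with no return statement, while log_callback() in the @@ -150 hunk got an explicit `return 0;`; add the same return here so libselinux does not read an indeterminate value from the audit callback. The hunk is cut off after `_dbus_warn ("Failed to start AVC thread: %s", _dbu`, so the remainder of the thread-code removal could not be checked.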
Re: setfiles crashing when SELinux is disabled
On 30/07/17 at 21:40, Nicolas Iooss wrote:
On Sun, Jul 30, 2017 at 8:52 PM, Laurent Bigonville <bi...@debian.org> wrote:
Hi,

When using setfiles (setfiles -m -F -v /etc/selinux/refpolicy/contexts/files/file_contexts.bin /) when SELinux is disabled, it crashes with the following trace:

#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
No locals.
#1  0x7f13241957be in restorecon_sb (pathname=0xd36aa93160 "/usr/include/xf86drm.h", flags=flags@entry=0x7fffd3700ae3, sb=, sb=) at selinux_restorecon.c:666
        newcon = 0xd36abdc100 "system_u:object_r:usr_t:s0"
        curcon = 0x0
        newtypecon = 0x0
        rc =
        updated = false
        lookup_path =
#2  0x7f1324196810 in selinux_restorecon (pathname_orig=pathname_orig@entry=0xd36aa943e0 "/", restorecon_flags=) at selinux_restorecon.c:984

Having "curcon = 0x0" with a non-NULL newcon in selinux_restorecon.c looks like the bug fixed by commit a9094fae2c7b ("libselinux: avoid calling strcmp() on a NULL pointer", https://github.com/SELinuxProject/selinux/commit/a9094fae2c7bcd14af7263f9bb7fbacff5bc761c). Which version are you using? Does back-porting this commit fix your issue?

It was 2.6 on that machine. Seems to be fixed with 2.7~rc2, thanks
setfiles crashing when SELinux is disabled
Hi,

When using setfiles (setfiles -m -F -v /etc/selinux/refpolicy/contexts/files/file_contexts.bin /) when SELinux is disabled, it crashes with the following trace:

#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
No locals.
#1  0x7f13241957be in restorecon_sb (pathname=0xd36aa93160 "/usr/include/xf86drm.h", flags=flags@entry=0x7fffd3700ae3, sb=, sb=) at selinux_restorecon.c:666
        newcon = 0xd36abdc100 "system_u:object_r:usr_t:s0"
        curcon = 0x0
        newtypecon = 0x0
        rc =
        updated = false
        lookup_path =
#2  0x7f1324196810 in selinux_restorecon (pathname_orig=pathname_orig@entry=0xd36aa943e0 "/", restorecon_flags=) at selinux_restorecon.c:984
        flags = {nochange = false, verbose = true, progress = false, set_specctx = true, add_assoc = true, ignore_digest = false, recurse = true, userealpath = false, set_xdev = true, abort_on_error = true, syslog_changes = false, log_matches = false, ignore_noent = false}
        issys = false
        setrestoreconlast =
        sb = {st_dev = 64769, st_ino = 2, st_nlink = 20, st_mode = 16877, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 4096, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1501439201, tv_nsec = 886964517}, st_mtim = {tv_sec = 1501435537, tv_nsec = 187391390}, st_ctim = {tv_sec = 1501439165, tv_nsec = 374865190}, __glibc_reserved = {0, 0, 0}}
        sfsb = {f_type = 61267, f_bsize = 4096, f_blocks = 3838052, f_bfree = 480404, f_bavail = 295268, f_files = 977280, f_ffree = 677268, f_fsid = {__val = {9930339, 726475040}}, f_namelen = 255, f_frsize = 4096, f_flags = 4128, f_spare = {0, 0, 0, 0}}
        fts = 0xd36aa93110
        ftsent = 0xd36ab77290
        pathname = 0xd36aa943a0 "/"
        pathdnamer = 0x0
        pathdname =
        pathbname =
        paths = {0xd36aa943a0 "/", 0x0}
        fts_flags =
        error = 0
        sverrno =
        xattr_value = 0x0
        size =
        dev_num = 64769
        __func__ = "selinux_restorecon"
#3  0x00d368f23152 in process_glob (name=, opts=) at restore.c:89
        globbuf = {gl_pathc = 1, gl_pathv = 0xd36aa943c0, gl_offs = 0, gl_flags = 13456, gl_closedir = 0x0, gl_readdir = 0x0, gl_opendir = 0x0, gl_lstat = 0x0, gl_stat = 0x0}
        i = 0
        len =
        rc =
        errors = 0
#4  0x00d368f229b0 in main (argc=6, argv=0x7fffd3700eb8) at setfiles.c:459
        sb = {st_dev = 64769, st_ino = 391936, st_nlink = 1, st_mode = 33188, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 1383869, st_blksize = 4096, st_blocks = 2712, st_atim = {tv_sec = 1501439075, tv_nsec = 298617901}, st_mtim = {tv_sec = 1501438955, tv_nsec = 50281901}, st_ctim = {tv_sec = 1501438955, tv_nsec = 50281901}, __glibc_reserved = {0, 0, 0}}
        opt =
        i =
        input_filename = 0x0
        use_input_file =
        buf = 0x0
        buf_len = 71776119061217535
        base =
        mass_relabel =
        errors = 0
        ropts = 0xd368f2367c "e:f:hiIDlmno:pqrsvFRW0"
        sopts = 0xd368f23660 "c:de:f:hiIDlmno:pqr:svFR:W0"
        opts =
Re: open_init_pty: Do not make stdin and stdout non-blocking
commit fb081eb64b36a9de5a43f3d69d9e628b6eb1afc7 (HEAD -> master, origin/master)
Author: Stephen Smalley
Date:   Mon Jul 10 13:03:01 2017 -0400

    open_init_pty: Do not make stdin and stdout non-blocking

    It is unclear why this was being done in the first place, and it has caused multiple bugs with run_init/open_init_pty usage.

    Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
    Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062

    Signed-off-by: Stephen Smalley

I see you fixed the issue with run_init/open_init_pty messing up the terminals but I think it's introducing another issue :/

FTR I found the reason why stdin/stdout were not blocking, it's a fix for this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10

Apparently if the descriptors are closed, open_init_pty hangs, example:

./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; '
[PATCH] Fix consistency of PYTHONLIBDIR variable across modules
From: Laurent Bigonville <bi...@bigon.be>

PYTHONLIBDIR is currently also used in sepolgen but has a different behaviour regarding DESTDIR. Let's try to make this consistent.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 python/semanage/Makefile | 8
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/semanage/Makefile b/python/semanage/Makefile index 60c36a3a..132162bc 100644 --- a/python/semanage/Makefile +++ b/python/semanage/Makefile @@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib SBINDIR ?= $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man -PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions TARGETS=semanage @@ -20,8 +20,8 @@ install: all -mkdir -p $(SBINDIR) install -m 755 semanage $(SBINDIR) install -m 644 *.8 $(MANDIR)/man8 - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages + test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR) + install -m 755 seobject.py $(PACKAGEDIR) -mkdir -p $(BASHCOMPLETIONDIR) install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
--
2.13.2
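Review bot: the first hunk replaces `$(LIBDIR)/$(PYLIBVER)` with the absolute path returned by distutils' `get_python_lib(1)`, so PYTHONLIBDIR no longer follows a LIBDIR or PREFIX override, and the platform-specific directory that `get_python_lib(1)` picks can differ from the one LIBDIR pointed at; if the goal is only consistency with sepolgen, state that in the commit message and tell packagers to override PYTHONLIBDIR. Because the value is now absolute, `PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)` also produces a double slash; `$(DESTDIR)$(PYTHONLIBDIR)` avoids it.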
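Review bot: in the install hunk `install -m 755 seobject.py $(PACKAGEDIR)` keeps an executable bit on a module that is only ever imported; `-m 644`, as already used for the man page two lines above, is the usual mode. The switch from `$(PYTHONLIBDIR)/site-packages` to `$(PACKAGEDIR)` itself is consistent with the definition hunk.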
Re: [PATCH] Fix consistency of PYTHONLIBDIR variable
On 26/06/17 at 21:37, Stephen Smalley wrote:
On Mon, 2017-06-26 at 18:46 +0200, bi...@debian.org wrote:
From: Laurent Bigonville <bi...@bigon.be>

PYTHONLIBDIR is currently not consistent, at one place it's influenced by DESTDIR and at another one it's not. Fix this and make it consistent

Seems like it is influenced by DESTDIR before and after this change (before, PYTHONLIBDIR is defined relative to LIBDIR which is defined relative to PREFIX which is defined relative to DESTDIR). If I do a make DESTDIR=/path/to/foo install before and after this change (with an empty /path/to/foo before each run), the only difference is that it moves from $(DESTDIR)/usr/lib/pythonM.N/site-packages to $(DESTDIR)/usr/lib64/pythonM.N/site-packages. This makes it consistent with sepolgen but inconsistent with sepolicy, which is installed to usr/lib, not usr/lib64. So, I'm unclear on whether this is an improvement.

With the debian build system, LIBDIR is set to $(DESTDIR)/usr/lib/ this means that PYTHONLIBDIR will end up as $(DESTDIR)/usr/lib//python/. If I override PYTHONLIBDIR to $(DESTDIR)/usr/lib/python/ I end up with sepolicy being installed in $(DESTDIR)/$(DESTDIR)/usr/lib//python/ which is not what I want either

---
 python/semanage/Makefile | 8
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/semanage/Makefile b/python/semanage/Makefile index 60c36a3a..132162bc 100644 --- a/python/semanage/Makefile +++ b/python/semanage/Makefile @@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib SBINDIR ?= $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man -PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash- completion/completions TARGETS=semanage 
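Review bot: `PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)` prepends DESTDIR unconditionally, which is exactly what yields the `$(DESTDIR)/$(DESTDIR)/usr/lib//python/` path described in the reply when PYTHONLIBDIR is overridden with a DESTDIR-prefixed value; the variable a packager should override is PACKAGEDIR (it is already `?=`), and PYTHONLIBDIR should be documented as an absolute, DESTDIR-free path so the two are not confused.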
@@ -20,8 +20,8 @@ install: all -mkdir -p $(SBINDIR) install -m 755 semanage $(SBINDIR) install -m 644 *.8 $(MANDIR)/man8 - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages + test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR) + install -m 755 seobject.py $(PACKAGEDIR) -mkdir -p $(BASHCOMPLETIONDIR) install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
Re: run_init messes up terminal settings
On 26/06/17 at 15:08, Stephen Smalley wrote:
On Sat, 2017-06-24 at 12:20 +0200, Laurent Bigonville wrote:
Hello,

Russell opened the following bug regarding run_init in the debian bts:

[...]
It turns out that the problem was not running $(arch), but running run_init in the shell it spawned. Below is an example of reproducing this, the first time run_init performs as expected. The second time it fails without me even typing a password or pressing ENTER. The result is the same with any command, but ls is just a good example. This happens no matter what shell is spawned (whether it's ssh, su, or just an Xterm), run_init seems generally broken with the 4.9.0-2-amd64/4.9.13-1 kernel at least. NB I can't rule out the possibility of a kernel bug at this stage. But at this time it seems best to assume it's a run_init bug until proven otherwise. Sorry for the inconvenience Andreas.

# run_init ls /boot
Authenticating root.
Password:
config-4.9.0-2-amd64      lost+found                System.map-4.9.0-3-amd64
config-4.9.0-3-amd64      memtest86+.bin            vmlinuz-4.9.0-2-amd64
grub                      memtest86+_multiboot.bin  vmlinuz-4.9.0-3-amd64
initrd.img-4.9.0-2-amd64  real
initrd.img-4.9.0-3-amd64  System.map-4.9.0-2-amd64
# run_init ls /boot
Authenticating root.
Password:
run_init: incorrect password for root
authentication failed.
#

I can reproduce this with 2.7-rc3, run_init is compiled with pam and audit support.

An idea what could happen here?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187

I don't think this could have ever worked under run_init since open_init_pty was introduced (originally from Debian); note that open_init_pty does alter terminal settings. I don't quite follow the example given above. It shows executing run_init twice with ls /boot as the arguments, which is not running run_init within run_init. That works fine for me.

I just re-tried again and I can definitely reproduce this in debian unstable.
My complete test case is:

sudo -i
run_init ls /boot
run_init ls /boot

If I exit the shell started by sudo, run_init will work again for one invocation before getting the error again.

If I try something like:

run_init run_init ls /boot

which actually runs run_init within run_init, then that also works for me without problem.

If I try something like:

run_init /bin/bash

then I lose any echoing of input characters to the shell (due to open_init_pty turning it off), but I can enter commands and execute them, or run stty sane to regain echoing. But I don't think that has ever been supported since the introduction of open_init_pty in 2005 (policycoreutils 1.21.2). What's the use case for it?

Side bar: run_init (and open_init_pty) are no longer packaged by Fedora since systemd renders it unnecessary, and even prior to that, Fedora policy enabled DIRECT_INITRC=y in build.conf, and therefore run_init wasn't required for typical operation (maybe under -mls policy it was still needed, not sure). Possibly we should move run_init out of policycoreutils into its own subdirectory in the selinux userspace tree to reflect this transition and start deprecating it.

run_init and newrole executables are still packaged in debian but in a different package that is not pulled by anything, so people that need it have to manually install it.
run_init messes up terminal settings
Hello,

Russell opened the following bug regarding run_init in the debian bts:

[...]
It turns out that the problem was not running $(arch), but running run_init in the shell it spawned. Below is an example of reproducing this, the first time run_init performs as expected. The second time it fails without me even typing a password or pressing ENTER. The result is the same with any command, but ls is just a good example. This happens no matter what shell is spawned (whether it's ssh, su, or just an Xterm), run_init seems generally broken with the 4.9.0-2-amd64/4.9.13-1 kernel at least. NB I can't rule out the possibility of a kernel bug at this stage. But at this time it seems best to assume it's a run_init bug until proven otherwise. Sorry for the inconvenience Andreas.

# run_init ls /boot
Authenticating root.
Password:
config-4.9.0-2-amd64      lost+found                System.map-4.9.0-3-amd64
config-4.9.0-3-amd64      memtest86+.bin            vmlinuz-4.9.0-2-amd64
grub                      memtest86+_multiboot.bin  vmlinuz-4.9.0-3-amd64
initrd.img-4.9.0-2-amd64  real
initrd.img-4.9.0-3-amd64  System.map-4.9.0-2-amd64
# run_init ls /boot
Authenticating root.
Password:
run_init: incorrect password for root
authentication failed.
#

I can reproduce this with 2.7-rc3, run_init is compiled with pam and audit support.

An idea what could happen here?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
Re: [PATCH 2/4] libselinux, libsemanage: link Ruby wrapper with -lruby
Hello,

On 14/11/16 at 22:28, Nicolas Iooss wrote:
When linking with -Wl,-no-undefined in LDFLAGS (in order to find possible link-time errors), the Ruby wrapper module needs to be linked with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS variable to find this library.

Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
---
 libselinux/src/Makefile | 3 ++-
 libsemanage/src/Makefile | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 4fe1f7002181..82a1010af2d8 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -15,6 +15,7 @@ INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') +RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"')

I'm trying to package 2.7-rc2 in debian and unfortunately this is not working out of the box for me.

The library is not installed as -lruby but as -lruby-2.3 (for ruby 2.3). In addition the lib is not installed in /usr/lib.

I can see in the RbConfig::CONFIG hash a key called LIBRUBYARG_SHARED or LIBRUBYARG which contains "-lruby-2.3". Also I see a "archlibdir" or "sitearchlibdir" key which contains the correct path to the lib (the multiarch path)

RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')

Could this be a possible alternative for the other distributions?

Regards,

Laurent Bigonville
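Review bot: the added RUBYLIBS line hard-codes `-lruby` together with RbConfig::CONFIG["libdir"], which only links when an unversioned libruby.so lives in libdir; where the shared library is installed as libruby-2.3 under a multiarch directory, as the reply describes, the -Wl,-no-undefined link of the wrapper fails. Take both pieces from RbConfig instead, `RbConfig::CONFIG["LIBRUBYARG_SHARED"]` for the -l flag and "archlibdir" (falling back to "libdir") for the -L path, so the flags track what $(RUBY) itself was built with. The libsemanage/src/Makefile hunk in the diffstat is not shown, so the same check applies there.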
SO_PEERSEC on socket connected to the same process
Hi,

Currently the dbus-daemon is not returning anything when asked about its own security context (using GetConnectionSELinuxSecurityContext or GetConnectionCredentials methods). This causes some issues[0] with systemd now that it's enforcing the policy for user sessions again.

I already made a patch that has been merged[1][2] upstream in the GetConnectionSELinuxSecurityContext case and it now returns the SELinux context of the dbus-daemon process itself.

For the GetConnectionCredentials case, upstream wanted a generic way of getting the security label and went the way of using SO_PEERSEC on a socket connected to itself. But for some reason it's always returning unlabeled_t. Note that the same value is returned by the getpeercon() function as well.

I've made a small test case (see attached file) and tested it on both debian and RHEL7.

Is this somehow expected? Is this a bug?

Cheers,

Laurent Bigonville

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864221
[1] https://bugs.freedesktop.org/show_bug.cgi?id=101315
[2] https://phabricator.freedesktop.org/rDBUSdcf02f80656d

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <selinux/selinux.h>

int main(void)
{
	int socks[2];
	char buf[1024] = "";
	socklen_t len = sizeof(buf);
	char *context = NULL;

	/* Context of this process, for comparison with the peer labels below */
	if (getcon_raw(&context) < 0)
		perror("getcon_raw");
	printf("getcon: %s\n", context);
	freecon(context);
	context = NULL;

	/* Both ends of the pair belong to this same process */
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socks) < 0)
		perror("socketpair");

	/* Raw peer label through the socket option */
	if (getsockopt(socks[0], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
		perror("getsockopt 1");
	printf("socket 1: %s\n", buf);

	len = sizeof(buf);
	if (getsockopt(socks[1], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
		perror("getsockopt 2");
	printf("socket 2: %s\n", buf);

	/* Same query through the libselinux wrapper */
	if (getpeercon_raw(socks[0], &context) < 0)
		perror("getpeercon_raw 1");
	printf("getpeercon 1: %s\n", context);
	freecon(context);
	context = NULL;

	if (getpeercon_raw(socks[1], &context) < 0)
		perror("getpeercon_raw 2");
	printf("getpeercon 2: %s\n", context);
	freecon(context);

	close(socks[0]);
	close(socks[1]);
	return 0;
}
Re: selabel_lookup_raw() doesn't find correct context for path with double slashes
On 01/06/17 at 15:24, Stephen Smalley wrote:
On Thu, 2017-06-01 at 11:29 +0200, Laurent Bigonville wrote:
Hello,

While investigating a bug about systemd/udev not setting the proper context on the hwdb.bin file, Michael Biebl discovered that apparently the selabel_lookup_raw() function is not coping properly with paths with double slashes (like "//lib/udev/hwdb.bin")

Shouldn't the selabel_lookup*() functions be more resilient to this case? Or should applications canonicalize (with realpath()?) the path before calling these functions?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854

AFAICS, it already does this, and has done so for a long time.

$ selabel_lookup -r -b file -k //lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0
$ selabel_lookup -r -b file -k /lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0

(The output may differ on your system due to policy differences - mine was on Fedora - but the point is that the resulting context is the same with and without the double slashes.)

Thanks for the reply.

Interesting, this doesn't seem to be the case in debian unstable (SELinux userspace 2.6) and I'm using the refpolicy here on my test machine:

$ /usr/sbin/selabel_lookup -r -b file -k //lib/udev/hwdb.bin
Default context: system_u:object_r:default_t:s0
$ /usr/sbin/selabel_lookup -r -b file -k /lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0

The relevant code is: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label_file.c#L716

The commit was: https://github.com/SELinuxProject/selinux/commit/8f007923dd4ff89652479587d96e22bc63dbf822

That said, if further canonicalization beyond duplicate slash removal is needed (ala realpath), that is on the caller. That is done for example by selinux_restorecon(3), if SELINUX_RESTORECON_REALPATH is passed to it.
selabel_lookup_raw() doesn't find correct context for path with double slashes
Hello,

While investigating a bug about systemd/udev not setting the proper context on the hwdb.bin file, Michael Biebl discovered that apparently the selabel_lookup_raw() function is not coping properly with paths with double slashes (like "//lib/udev/hwdb.bin")

Shouldn't the selabel_lookup*() functions be more resilient to this case? Or should applications canonicalize (with realpath()?) the path before calling these functions?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Re: Wrong alignment when listing user/login with semanage in French
On 17/01/17 at 22:45, Stephen Smalley wrote:
On Sat, 2017-01-14 at 13:48 +0100, Laurent Bigonville wrote:
Hi,

Not sure I already posted this on the ML.

When listing the user/login with semanage (login/user -l) in French (and probably in other languages as well), the column headers are not properly aligned. This makes it sometimes difficult to read the output (and it's ugly), see: https://i.imgur.com/zhZkebc.png

Some of the translations should maybe be fixed in this case to make them shorter, but the alignment should probably be dynamic.

RHEL/Fedora[1] contains the python binding for libsmartcols, maybe this could be used to do the formatting?

Not sure. Is it readily available in other distributions and in OpenEmbedded?

It's not in Debian (or Ubuntu) yet but I could package it for the next cycle. libsmartcols itself is part of util-linux. For OpenEmbedded I don't know.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Wrong alignment when listing user/login with semanage in French
Hi,

Not sure I already posted this on the ML.

When listing the user/login with semanage (login/user -l) in French (and probably in other languages as well), the column headers are not properly aligned. This makes it sometimes difficult to read the output (and it's ugly), see: https://i.imgur.com/zhZkebc.png

Some of the translations should maybe be fixed in this case to make them shorter, but the alignment should probably be dynamic.

RHEL/Fedora[1] contains the python binding for libsmartcols, maybe this could be used to do the formatting?

Regards,

Laurent Bigonville

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1369558
Re: Another getcon() vs getcon_raw() issue in systemd
On 30/12/16 at 18:43, Stephen Smalley wrote:
Fedora no longer runs mcstransd by default, so that may also be relevant. Dbusd should likely provide the raw context to clients so that they are free to use either the raw or translated interfaces without difficulty.

Hi,

FTR, I've opened https://bugs.freedesktop.org/show_bug.cgi?id=99234
setools: cast increases required alignment of target type
Hi,

When compiling setools on at least mips64el and sparc64, I get the following error:

mips64el-linux-gnuabi64-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fdebug-prefix-map=/«PKGBUILDDIR»=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include -I/usr/include/python3.5m -c libqpol/module_compiler.c -o build/temp.linux-mips64-3.5/libqpol/module_compiler.o -Werror -Wextra -Waggregate-return -Wcast-align -Wfloat-equal -Wformat -Wformat=2 -Winit-self -Winline -Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers -Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code -fno-exceptions
libqpol/module_compiler.c: In function ‘declare_symbol’:
libqpol/module_compiler.c:155:19: error: cast increases required alignment of target type [-Werror=cast-align]
  *dest_value = ((level_datum_t *)s)->level->sens;
                ^
libqpol/module_compiler.c: In function ‘require_symbol’:
libqpol/module_compiler.c:650:19: error: cast increases required alignment of target type [-Werror=cast-align]
  *dest_value = ((level_datum_t *)s)->level->sens;
                ^
libqpol/module_compiler.c: In function ‘require_bool_tunable’:
libqpol/module_compiler.c:1077:36: error: cast increases required alignment of target type [-Werror=cast-align]
  require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
                                ^
libqpol/module_compiler.c: In function ‘require_cat’:
libqpol/module_compiler.c:1201:40: error: cast increases required alignment of target type [-Werror=cast-align]
  retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
                                        ^
cc1: all warnings being treated as errors
error: command 'mips64el-linux-gnuabi64-gcc' failed with exit status 1

This is fatal only on some architectures, but I guess fixing this could also improve the performance on the others.

Regards,

Laurent Bigonville
[PATCH 1/2] policycoreutils: Force GTK3.0 for sepolicy gui
From: Laurent Bigonville <bi...@bigon.be>

This removes the following warning when running sepolicy gui command:

/usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/sepolicy/gui.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py index 7f1888c..ee78e0c 100644 --- a/policycoreutils/sepolicy/sepolicy/gui.py +++ b/policycoreutils/sepolicy/sepolicy/gui.py @@ -26,6 +26,8 @@ # # +import gi +gi.require_version('Gtk', '3.0') from gi.repository import Gtk from gi.repository import Gdk from gi.repository import GLib
--
2.10.2
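Review bot: the hunk pins only Gtk, yet the very next context line imports Gdk from gi.repository, and PyGI raises the same PyGIWarning for every namespace that ships more than one typelib version and is imported without gi.require_version(); add `gi.require_version('Gdk', '3.0')` next to the Gtk line so the warning the commit message describes does not simply move to Gdk (GLib has a single version and is not affected).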
[PATCH 2/2] policycoreutils: Use GObject introspection binding instead of python-gobject in selinux_server.py
From: Laurent Bigonville <bi...@bigon.be>

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/selinux_server.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py index cdf4d16..8bd1fe5 100644 --- a/policycoreutils/sepolicy/selinux_server.py +++ b/policycoreutils/sepolicy/selinux_server.py @@ -3,7 +3,7 @@ import dbus import dbus.service import dbus.mainloop.glib -import gobject +from gi.repository import GObject import slip.dbus.service from slip.dbus import polkit import os @@ -128,7 +128,7 @@ class selinux_server(slip.dbus.service.Object): raise ValueError("%s does not exist" % path) if __name__ == "__main__": -mainloop = gobject.MainLoop() +mainloop = GObject.MainLoop() dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) system_bus = dbus.SystemBus() name = dbus.service.BusName("org.selinux", system_bus)
--
2.10.2
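Review bot: `GObject.MainLoop()` in the second hunk works, but in PyGObject it is a deprecated compatibility alias that emits a PyGIDeprecationWarning; the main loop belongs to GLib, so import `GLib` from gi.repository in the first hunk and use `GLib.MainLoop()` here, which also matches the dbus.mainloop.glib call on the following line. The commit message is empty apart from the subject; a line saying that the legacy `gobject` module is Python 2 only would explain why the change is needed.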
Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result
On 08/11/16 at 15:57, Stephen Smalley wrote:
On 11/08/2016 08:34 AM, Stephen Smalley wrote:
On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
On 07/11/16 at 22:13, Stephen Smalley wrote:
On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bi...@bigon.be>

sepolicy.info() now returns a generator, use next() to get the results.

This breaks sandbox for me,

$ /usr/bin/sandbox -X firefox
Traceback (most recent call last):
  File "/usr/bin/sandbox", line 529, in
    rc = sandbox.main()
  File "/usr/bin/sandbox", line 513, in main
    self.__parse_options()
  File "/usr/bin/sandbox", line 308, in __parse_options
    """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])
TypeError: list object is not an iterator

Which version of python and setools are you using?

I have installed setools4 from source, both running setup.py via python and via python3 to install it for python 2.7 and python 3.5 (both are installed on Fedora, with python referencing 2.7 by default). I have likewise built and installed the selinux userspace with PYTHON=python and with PYTHON=python3. I have tried running sandbox via python and via python3, and it yields the same exception in both cases with your patch, and works fine without your patch.

Ok, I forcibly removed the Fedora setools* packages (which also uninstalled policycoreutils) and built and installed setools4 and policycoreutils from upstream source again. Now I do not get that exception with your patch, but it also works fine without your patch - I see no difference in behavior. Not sure what I am missing.
If I don't have the sandbox policy installed I get a backtrace instead of a nice error:

Traceback (most recent call last):
  File "sandbox", line 529, in
    rc = sandbox.main()
  File "sandbox", line 513, in main
    self.__parse_options()
  File "sandbox", line 308, in __parse_options
    """) % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
IndexError: list index out of range
Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result
On 07/11/16 at 22:13, Stephen Smalley wrote:
On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bi...@bigon.be>

sepolicy.info() now returns a generator, use next() to get the results.

This breaks sandbox for me,

$ /usr/bin/sandbox -X firefox
Traceback (most recent call last):
  File "/usr/bin/sandbox", line 529, in
    rc = sandbox.main()
  File "/usr/bin/sandbox", line 513, in main
    self.__parse_options()
  File "/usr/bin/sandbox", line 308, in __parse_options
    """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])
TypeError: list object is not an iterator

Which version of python and setools are you using?

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sandbox/sandbox | 8
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 4010e83..c07a1d8 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -305,8 +305,8 @@ kill -TERM $WM_PID 2> /dev/null types = _(""" Policy defines the following types for use with the -t: \t%s -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types']) -except RuntimeError: +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types']) +except StopIteration: pass usage = _(""" @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- self.setype = DEFAULT_X_TYPE else: try: -sepolicy.info(sepolicy.TYPE, "sandbox_t") -except RuntimeError: +next(sepolicy.info(sepolicy.TYPE, "sandbox_t")) +except StopIteration: raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command")) if self.__options.setype:
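Review bot: in the @@ -305 hunk `except StopIteration` only covers an exhausted generator; with a setools build where sepolicy.info() still returns a list, `next()` raises `TypeError: list object is not an iterator` (the traceback quoted above) and the previous `except RuntimeError` is gone too. `next(iter(sepolicy.info(...)), None)` accepts both return shapes and yields None when the attribute is missing, which can then be handled without an exception.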
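Review bot: the @@ -380 hunk has the same gap: `next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))` with only StopIteration caught means that a RuntimeError (the exception the removed code handled) or a list return now produces a traceback instead of the "Sandbox Policy is not currently installed" ValueError; catch both, or use `next(iter(...), None)` and raise the ValueError when the result is None.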
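An added example, not code from the sandbox script or from setools: a lookup helper that behaves the same whether sepolicy.info() returns a generator (setools 4) or a plain list (the shape behind the TypeError in the traceback above), and that turns an empty result into the sandbox's own "not installed" error rather than a TypeError or IndexError. FAKE_POLICY, info_as_generator and info_as_list are constructed stand-ins for real sepolicy queries; ATTRIBUTE and TYPE stand in for sepolicy.ATTRIBUTE and sepolicy.TYPE.

```python
from typing import Any, Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# Stand-ins for sepolicy.ATTRIBUTE / sepolicy.TYPE (hypothetical values).
ATTRIBUTE = "attribute"
TYPE = "type"

# Constructed sample policy data: what a sepolicy.info()-style query yields.
FAKE_POLICY: Dict[Tuple[str, str], List[Dict[str, Any]]] = {
    (ATTRIBUTE, "sandbox_type"): [
        {"name": "sandbox_type",
         "types": ["sandbox_t", "sandbox_x_t", "sandbox_web_t"]},
    ],
    (TYPE, "sandbox_t"): [
        {"name": "sandbox_t", "attributes": ["sandbox_type"]},
    ],
}

InfoFunc = Callable[[str, str], Iterable[Dict[str, Any]]]


def info_as_generator(kind: str, name: str) -> Iterator[Dict[str, Any]]:
    """Mimics setools4-era sepolicy.info(): a generator, empty when unknown."""
    for rec in FAKE_POLICY.get((kind, name), []):
        yield rec


def info_as_list(kind: str, name: str) -> List[Dict[str, Any]]:
    """Mimics the older behaviour: a plain list, empty when unknown."""
    return list(FAKE_POLICY.get((kind, name), []))


def naive_first(result):
    """The patch's approach: next() straight on the result.  Fine on a
    generator, but TypeError on a list and StopIteration when empty."""
    return next(result)


def first_record(result: Iterable[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """First record of either result shape, or None when there is none.
    iter() makes a list acceptable to next(); the default absorbs StopIteration."""
    return next(iter(result), None)


def sandbox_types(info: InfoFunc, attribute: str = "sandbox_type") -> List[str]:
    """Types the sandbox usage text lists for -t; [] when policy lacks them."""
    rec = first_record(info(ATTRIBUTE, attribute))
    return list(rec["types"]) if rec else []


def check_sandbox_policy(info: InfoFunc) -> None:
    """Equivalent of the second hunk's check, raising the user-facing error."""
    if first_record(info(TYPE, "sandbox_t")) is None:
        raise ValueError("Sandbox Policy is not currently installed.\n"
                         "You need to install the selinux-policy-sandbox "
                         "package in order to run this command")


def raises(exc_type: type, func: Callable[[], Any]) -> bool:
    """True if func() raises exc_type; used to show the failure modes."""
    try:
        func()
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    for info in (info_as_generator, info_as_list):
        check_sandbox_policy(info)
        print(info.__name__, "->", ", ".join(sandbox_types(info)))
```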
[Patch v2 2/2] policycoreutils: Make sepolicy work with python3
From: Laurent Bigonville <bi...@bigon.be> Add python3 support for sepolicy Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/sepolicy/selinux_client.py | 6 ++-- policycoreutils/sepolicy/sepolicy.py | 38 policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++ policycoreutils/sepolicy/sepolicy/communicate.py | 4 +-- policycoreutils/sepolicy/sepolicy/generate.py| 30 +-- policycoreutils/sepolicy/sepolicy/interface.py | 14 ++--- policycoreutils/sepolicy/sepolicy/manpage.py | 7 +++-- 7 files changed, 65 insertions(+), 50 deletions(-) diff --git a/policycoreutils/sepolicy/selinux_client.py b/policycoreutils/sepolicy/selinux_client.py index 7f4a91c..dc29f28 100644 --- a/policycoreutils/sepolicy/selinux_client.py +++ b/policycoreutils/sepolicy/selinux_client.py @@ -39,6 +39,6 @@ if __name__ == "__main__": try: dbus_proxy = SELinuxDBus() resp = dbus_proxy.customized() -print convert_customization(resp) -except dbus.DBusException, e: -print e +print(convert_customization(resp)) +except dbus.DBusException as e: +print(e) diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py index 3e502a7..5bf9b52 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm): if len(portdict) > 0: bold_start = "\033[1m" bold_end = "\033[0;0m" -print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end +print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end) port_strings = [] boolean_text = "" for p in portdict: @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm): port_strings.append("%s (%s)" % (", ".join(recs), t)) port_strings.sort(numcmp) for p in port_strings: -print "\t" + p +print("\t" + p) def network(args): @@ -286,7 +286,7 @@ def network(args): if i[0] not in all_ports: all_ports.append(i[0]) all_ports.sort() -print "\n".join(all_ports) +print("\n".join(all_ports)) for port in args.port: found = False 
@@ -297,18 +297,18 @@ def network(args): else: range = "%s-%s" % (i[0], i[1]) found = True -print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range) +print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)) if not found: if port < 500: -print "Undefined reserved port type" +print("Undefined reserved port type") else: -print "Undefined port type" +print("Undefined port type") for t in args.type: if (t, 'tcp') in portrecs.keys(): -print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])) +print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))) if (t, 'udp') in portrecs.keys(): -print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])) +print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))) for a in args.applications: d = sepolicy.get_init_transtype(a) @@ -357,7 +357,7 @@ def manpage(args): for domain in test_domains: m = ManPage(domain, path, args.root, args.source_files, args.web) -print m.get_man_page_path() +print(m.get_man_page_path()) if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) @@ -418,7 +418,7 @@ def communicate(args): out = list(set(writable) & set(readable)) for t in out: -print t +print(t) def gen_communicate_args(parser): @@ -445,7 +445,7 @@ def booleans(args): args.booleans.sort() for b in args.booleans: -print "%s=_(\"%s\")" % (b, boolean_desc(b)) +print("%s=_(\"%s\")" % (b, boolean_desc(b))) def gen_booleans_args(parser): @@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""): for i in interfaces: if args.verbose: try: -print get_interface_format_text(i + append) +print(get_interface_format_text(i + append)) except KeyError: -print i +print(i) if args.compile: try: interface_compile_test(i) except KeyError: -
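Review bot: the context line `port_strings.sort(numcmp)` in the second sepolicy.py hunk still fails under python3, where list.sort() accepts only the keyword arguments key and reverse; since the series exists to add python3 support, this call needs `port_strings.sort(key=functools.cmp_to_key(numcmp))` or an equivalent key function. The converted prints themselves are fine, and `portrecs.keys()` membership tests work unchanged on python3.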
[PATCH 2/2] policycoreutils: Make sepolicy work with python3
From: Laurent Bigonville <bi...@bigon.be> Add python3 support for sepolicy Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/sepolicy/selinux_client.py | 6 ++-- policycoreutils/sepolicy/sepolicy.py | 38 policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++ policycoreutils/sepolicy/sepolicy/communicate.py | 4 +-- policycoreutils/sepolicy/sepolicy/generate.py| 30 +-- policycoreutils/sepolicy/sepolicy/interface.py | 14 ++--- policycoreutils/sepolicy/sepolicy/manpage.py | 7 +++-- 7 files changed, 65 insertions(+), 50 deletions(-) diff --git a/policycoreutils/sepolicy/selinux_client.py b/policycoreutils/sepolicy/selinux_client.py index 7f4a91c..dc29f28 100644 --- a/policycoreutils/sepolicy/selinux_client.py +++ b/policycoreutils/sepolicy/selinux_client.py @@ -39,6 +39,6 @@ if __name__ == "__main__": try: dbus_proxy = SELinuxDBus() resp = dbus_proxy.customized() -print convert_customization(resp) -except dbus.DBusException, e: -print e +print(convert_customization(resp)) +except dbus.DBusException as e: +print(e) diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py index 3e502a7..5bf9b52 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm): if len(portdict) > 0: bold_start = "\033[1m" bold_end = "\033[0;0m" -print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end +print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end) port_strings = [] boolean_text = "" for p in portdict: @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm): port_strings.append("%s (%s)" % (", ".join(recs), t)) port_strings.sort(numcmp) for p in port_strings: -print "\t" + p +print("\t" + p) def network(args): @@ -286,7 +286,7 @@ def network(args): if i[0] not in all_ports: all_ports.append(i[0]) all_ports.sort() -print "\n".join(all_ports) +print("\n".join(all_ports)) for port in args.port: found = False 
@@ -297,18 +297,18 @@ def network(args): else: range = "%s-%s" % (i[0], i[1]) found = True -print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range) +print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)) if not found: if port < 500: -print "Undefined reserved port type" +print("Undefined reserved port type") else: -print "Undefined port type" +print("Undefined port type") for t in args.type: if (t, 'tcp') in portrecs.keys(): -print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])) +print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))) if (t, 'udp') in portrecs.keys(): -print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])) +print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))) for a in args.applications: d = sepolicy.get_init_transtype(a) @@ -357,7 +357,7 @@ def manpage(args): for domain in test_domains: m = ManPage(domain, path, args.root, args.source_files, args.web) -print m.get_man_page_path() +print(m.get_man_page_path()) if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) @@ -418,7 +418,7 @@ def communicate(args): out = list(set(writable) & set(readable)) for t in out: -print t +print(t) def gen_communicate_args(parser): @@ -445,7 +445,7 @@ def booleans(args): args.booleans.sort() for b in args.booleans: -print "%s=_(\"%s\")" % (b, boolean_desc(b)) +print("%s=_(\"%s\")" % (b, boolean_desc(b))) def gen_booleans_args(parser): @@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""): for i in interfaces: if args.verbose: try: -print get_interface_format_text(i + append) +print(get_interface_format_text(i + append)) except KeyError: -print i +print(i) if args.compile: try: interface_compile_test(i) except KeyError: -
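Review bot: `print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))` in the network() hunk has a stray space after the opening parenthesis that none of the other converted print calls have; drop it for consistency. Beyond that point this copy of the posting is cut off at `except KeyError: -`, so the changes to __init__.py, communicate.py, generate.py, interface.py and manpage.py listed in the diffstat cannot be reviewed here.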
[PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result
From: Laurent Bigonville <bi...@bigon.be> sepolicy.info() now returns a generator, use next() to get the results. Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/sandbox/sandbox | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 4010e83..c07a1d8 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -305,8 +305,8 @@ kill -TERM $WM_PID 2> /dev/null types = _(""" Policy defines the following types for use with the -t: \t%s -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types']) -except RuntimeError: +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types']) +except StopIteration: pass usage = _(""" @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- self.setype = DEFAULT_X_TYPE else: try: -sepolicy.info(sepolicy.TYPE, "sandbox_t") -except RuntimeError: +next(sepolicy.info(sepolicy.TYPE, "sandbox_t")) +except StopIteration: raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command")) if self.__options.setype: -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
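Review bot: both hunks replace `except RuntimeError:` with `except StopIteration:`, which drops the handling for a setools that still raises RuntimeError when the attribute or type does not exist (the behaviour the old code relied on); catching `(RuntimeError, StopIteration)` keeps the sandbox script working with both setools generations. For the same reason `next(iter(...))` is preferable to `next(...)`, since it does not raise TypeError when info() returns a list rather than a generator.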
Re: [PATCH] policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui
On 02/11/16 at 14:27, Stephen Smalley wrote:
On 11/02/2016 09:04 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bi...@bigon.be>
New hi-res icons have been added to the repository at the end of 2013 but the sepolicy .desktop file is not using them, let's fix that.
Thanks, applied. I plan to move these icon files over to the gui/ directory in the splitpolicycoreutils branch.

Thanks, I should probably reply to your initial mail about the split, but shouldn't the gui directory be completely dropped? I mean system-config-selinux is python2 only and needs to be ported to GObject introspection and GTKBuilder if we want it to work in python3 (or it should be ported, but it looked non-trivial to my meager knowledge).
[PATCH] Revert "libselinux: support new python3 functions"
From: Laurent Bigonville <bi...@bigon.be> With the reverted commit applied, some functions were returning arrays of bytes instead of python strings under python3 this was causing issues with string manipulation functions like split(). Swig (checked with 3.0.7) is adding compatibility macros that take care of the differences between python2 and python3. This reverts commit 63df0f7ef12844b9b86cc293299671da772fcf84. Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- libselinux/src/selinuxswig_python.i | 22 +++--- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i index 8cea18d..43df291 100644 --- a/libselinux/src/selinuxswig_python.i +++ b/libselinux/src/selinuxswig_python.i @@ -64,7 +64,7 @@ def install(src, dest): PyObject* list = PyList_New(*$2); int i; for (i = 0; i < *$2; i++) { - PyList_SetItem(list, i, PyBytes_FromString((*$1)[i])); + PyList_SetItem(list, i, PyString_FromString((*$1)[i])); } $result = SWIG_Python_AppendOutput($result, list); } @@ -97,9 +97,7 @@ def install(src, dest): len++; plist = PyList_New(len); for (i = 0; i < len; i++) { - PyList_SetItem(plist, i, - PyBytes_FromString((*$1)[i]) - ); + PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); } } else { plist = PyList_New(0); @@ -116,9 +114,7 @@ def install(src, dest): if (*$1) { plist = PyList_New(result); for (i = 0; i < result; i++) { - PyList_SetItem(plist, i, - PyBytes_FromString((*$1)[i]) - ); + PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); } } else { plist = PyList_New(0); 
@@ -171,20 +167,16 @@ def install(src, dest): $1 = (char**) malloc(size + 1); for(i = 0; i < size; i++) { - if (!PyBytes_Check(PySequence_GetItem($input, i))) { - PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes"); - + if (!PyString_Check(PySequence_GetItem($input, i))) { + PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); return NULL; } - } for(i = 0; i < size; i++) { s = PySequence_GetItem($input, i); - - $1[i] = (char*) malloc(PyBytes_Size(s) + 1); - strcpy($1[i], PyBytes_AsString(s)); - + $1[i] = (char*) malloc(PyString_Size(s) + 1); + strcpy($1[i], PyString_AsString(s)); } $1[size] = NULL; } -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
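Review bot: in the last hunk the context line `$1 = (char**) malloc(size + 1);` allocates size + 1 bytes rather than size + 1 pointers, so the fill loop and the trailing `$1[size] = NULL;` write past the buffer for any non-empty sequence; it should be `malloc((size + 1) * sizeof(char *))`. This is pre-existing, but the revert touches the surrounding lines and is the moment to fix it. In the same hunk every `PySequence_GetItem($input, i)` result is a new reference that is never Py_DECREF'd, and the `return NULL;` on a non-string element leaks the already allocated `$1`. The PyBytes to PyString change itself is consistent with the commit message's point that SWIG supplies the python2/python3 compatibility macros.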
[PATCH] policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui
From: Laurent Bigonville <bi...@bigon.be> New hires icons have been added to the repository end 2013 but the sepolicy .desktop file is not using it, let's fix that. --- policycoreutils/sepolicy/sepolicy.desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/sepolicy/sepolicy.desktop b/policycoreutils/sepolicy/sepolicy.desktop index f9d0cec..181a1c5 100644 --- a/policycoreutils/sepolicy/sepolicy.desktop +++ b/policycoreutils/sepolicy/sepolicy.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Name=SELinux Policy Management Tool Comment=Generate SELinux policy modules -Icon=system-config-selinux +Icon=sepolicy Exec=/usr/bin/sepolicy gui Type=Application Terminal=false -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
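Review bot: the commit message has no Signed-off-by line, unlike the other patches in this series. `Icon=sepolicy` also only resolves if an icon named sepolicy is installed into the icon theme; the hunk does not show the install rule, so confirm that the high-resolution icons the message refers to are installed under that name.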
Backtrace in sandbox command
Hi,

I get the following backtrace in sandbox because there are no types marked with the "sandbox_type" attribute in my test policy:

Traceback (most recent call last):
File "/usr/bin/sandbox", line 529, in
rc = sandbox.main()
File "/usr/bin/sandbox", line 513, in main
self.__parse_options()
File "/usr/bin/sandbox", line 308, in __parse_options
""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
IndexError: list index out of range

It seems that sepolicy.info() is not returning a RuntimeError exception if there are no types returned. There is a second call to sepolicy.info() later in the code where the same exception is caught. In both cases, sepolicy.info() is returning an iterator.

Has anything changed in sepolicy behavior here?

Laurent Bigonville
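The two failures reported in this thread (IndexError on an empty result here, then TypeError once next() met a list again, in the reply quoted earlier on the page) both come from sepolicy.info() returning a list on older setools and a generator on newer ones. As an added example, not code from the sandbox script or from setools, here is a wrapper that copes with both shapes and with the RuntimeError the older API raised for a missing attribute; the info_* functions are constructed stand-ins for sepolicy.info(), and ATTRIBUTE/TYPE are placeholders for sepolicy's constants.

```python
"""Added example: tolerate sepolicy.info() returning a list (older setools),
a generator (newer setools) or an empty result, with one error type.
The info_* functions below are constructed stand-ins, not setools code."""
from typing import Iterable, Optional

# Placeholders for sepolicy.ATTRIBUTE / sepolicy.TYPE (assumed names).
ATTRIBUTE = "attribute"
TYPE = "type"


class PolicyLookupError(LookupError):
    """Raised when a lookup matches nothing, whatever the API shape."""


def naive_first(result):
    """The patched sandbox script's approach: works only on iterators.
    On a list it raises 'TypeError: list object is not an iterator'."""
    return next(result)


def first_result(result: Iterable[dict]) -> Optional[dict]:
    """First record from a list or a generator, or None if empty.

    list(result)[0] raises IndexError on an empty generator and next(result)
    raises TypeError on a list; next(iter(result), None) handles all cases.
    """
    return next(iter(result), None)


def sandbox_types(info, attribute_name: str = "sandbox_type") -> list:
    """Names of the types carrying the sandbox attribute, or [] if the
    attribute is absent. `info` is any callable shaped like sepolicy.info."""
    try:
        rec = first_result(info(ATTRIBUTE, attribute_name))
    except RuntimeError:          # older setools: missing attribute raises
        return []
    return list(rec["types"]) if rec else []


def require_type(info, type_name: str = "sandbox_t") -> dict:
    """The sandbox script's 'is sandbox_t defined?' check, raising the same
    exception whichever setools behaviour is in use."""
    try:
        rec = first_result(info(TYPE, type_name))
    except RuntimeError as exc:
        raise PolicyLookupError(type_name) from exc
    if rec is None:
        raise PolicyLookupError(type_name)
    return rec


# Constructed stand-ins for the observed sepolicy.info() behaviours.
_POLICY = {
    (ATTRIBUTE, "sandbox_type"): [{"name": "sandbox_type",
                                   "types": ["sandbox_t", "sandbox_x_t"]}],
    (TYPE, "sandbox_t"): [{"name": "sandbox_t"}],
}


def info_list(kind, name):
    """Older API: returns a list, raises RuntimeError when nothing matches."""
    if (kind, name) not in _POLICY:
        raise RuntimeError("%s %s does not exist" % (kind, name))
    return list(_POLICY[(kind, name)])


def info_generator(kind, name):
    """Newer API: returns a generator, which is simply empty on no match."""
    return (rec for rec in _POLICY.get((kind, name), []))


def info_empty_generator(kind, name):
    """The reporter's test policy: nothing carries the sandbox attribute."""
    return (rec for rec in [])


if __name__ == "__main__":
    for impl in (info_list, info_generator, info_empty_generator):
        print(impl.__name__, sandbox_types(impl))
    try:
        naive_first(info_list(TYPE, "sandbox_t"))
    except TypeError as err:
        print("naive_first on a list:", err)
    try:
        require_type(info_empty_generator)
    except PolicyLookupError as err:
        print("missing type:", err)
```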
[PATCH v2] libselinux: Add clean-pywrap and clean-rubywrap targets
From: Laurent Bigonville <bi...@bigon.be> Add clean targets to just clean the python and ruby wrapper objects Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- libselinux/Makefile | 6 ++ libselinux/src/Makefile | 12 +--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/libselinux/Makefile b/libselinux/Makefile index ef971f4..979e225 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile @@ -57,4 +57,10 @@ install-pywrap: install-rubywrap: $(MAKE) -C src install-rubywrap $@ +clean-pywrap: + $(MAKE) -C src clean-pywrap $@ + +clean-rubywrap: + $(MAKE) -C src clean-rubywrap $@ + test: diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index ccd8442..c9f35b1 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -187,8 +187,14 @@ install-rubywrap: rubywrap relabel: /sbin/restorecon $(SHLIBDIR)/$(LIBSO) -clean: - -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ +clean-pywrap: + -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) + +clean-rubywrap: + -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) + +clean: clean-pywrap clean-rubywrap + -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~ distclean: clean rm -f $(GENERATED) $(SWIGFILES) @@ -196,4 +202,4 @@ distclean: clean indent: ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) -.PHONY: all clean pywrap rubywrap swigify install install-pywrap install-rubywrap distclean +.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean -- 2.10.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
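Review bot: in the libselinux/Makefile hunk, `$(MAKE) -C src clean-pywrap $@` passes the target twice, since `$@` expands to clean-pywrap (likewise for clean-rubywrap); it copies the `install-rubywrap $@` pattern above it, but the explicit name alone is enough. Splitting clean into clean-pywrap/clean-rubywrap and adding all of them to .PHONY in src/Makefile looks right, and $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) are now removed as the message says.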
[PATCH] libselinux: Add clean-pywrap and clean-rubywrap targets
From: Laurent Bigonville <bi...@bigon.be> Add clean targets to just clean the python and ruby wrapper objects Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- libselinux/Makefile | 6 ++ libselinux/src/Makefile | 10 -- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/libselinux/Makefile b/libselinux/Makefile index ef971f4..979e225 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile @@ -57,4 +57,10 @@ install-pywrap: install-rubywrap: $(MAKE) -C src install-rubywrap $@ +clean-pywrap: + $(MAKE) -C src clean-pywrap $@ + +clean-rubywrap: + $(MAKE) -C src clean-rubywrap $@ + test: diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index ccd8442..1871551 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -187,8 +187,14 @@ install-rubywrap: rubywrap relabel: /sbin/restorecon $(SHLIBDIR)/$(LIBSO) -clean: - -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ +clean-pywrap: + -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) + +clean-rubywrap: + -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) + +clean: clean-pywrap clean-rubywrap + -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~ distclean: clean rm -f $(GENERATED) $(SWIGFILES) -- 2.10.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
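Review bot: the new clean-pywrap and clean-rubywrap targets in src/Makefile are not added to its `.PHONY` list (this version leaves the `.PHONY: all clean pywrap rubywrap ...` line untouched), so a stray file named clean-pywrap in src/ would turn the target into a no-op; add both to .PHONY, as v2 of this patch does.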
Re: [Patch v3] sandbox: Use dbus-run-session instead of dbus-launch when available
On 27/09/16 at 15:50, Stephen Smalley wrote:
On 09/27/2016 08:39 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bi...@bigon.be>
According to dbus upstream: "dbus-launch is fairly horrible code, complicated by the historical need for it to support X11 autolaunching, so the D-Bus maintainers would like to move it out of the critical path and minimize its use." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289
Signed-off-by: Laurent Bigonville <bi...@bigon.be>
Thanks, applied.

Thanks,

Are there any plans to roll a new release of the userspace soon?
[Patch v3] sandbox: Use dbus-run-session instead of dbus-launch when available
From: Laurent Bigonville <bi...@bigon.be> According to dbus upstream: "dbus-launch is fairly horrible code, complicated by the historical need for it to support X11 autolaunching, so the D-Bus maintainers would like to move it out of the critical path and minimize its use." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289 Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/sandbox/sandbox | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index b6bc805..4010e83 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -285,9 +285,13 @@ class Sandbox: # /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap %s & WM_PID=$! -dbus-launch --exit-with-session %s +if which dbus-run-session >/dev/null 2>&1; then +dbus-run-session -- %s +else +dbus-launch --exit-with-session %s +fi kill -TERM $WM_PID 2> /dev/null -""" % (command, wm, command)) +""" % (command, wm, command, command)) fd.close() os.chmod(execfile, 0o700) -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
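Review bot: `if which dbus-run-session >/dev/null 2>&1; then` in the hunk depends on the external `which` utility, which is not POSIX and is absent or behaves differently on some systems; `command -v dbus-run-session >/dev/null 2>&1` is the portable shell-builtin form. The extra `command` appended to the format tuple matches the fourth `%s` added to the heredoc, so the substitution count is right.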
Re: sandbox -X not working with recent Xephyr
On 19/09/16 at 20:26, Stephen Smalley wrote:
On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
Hi,
It seems that sandbox -X is not working anymore on Debian. Xephyr (1.18.4) is giving me the following error:
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
The X socket is not created inside the sandbox and then the application can obviously not connect to it. I'm not sure how this could be fixed, maybe let's seunshare create that directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe they have a fix? That is using the Fedora policycoreutils-sandbox package, which yields a functioning sandbox -X, e.g. sandbox -X firefox works correctly. However, if I install sandbox from upstream, e.g.
cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
then sandbox -X firefox fails immediately, and I have the following in the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002 newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.

So I guess there are other patches in the Fedora package that are needed?

It's this patch https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:
--- a/policycoreutils/sandbox/sandboxX.sh +++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF EOF -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D cat > ~/seremote << __EOF #!/bin/sh

I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so let's go with that one.

I don't really understand why it's working outside of the sandbox and why it was working before. But indeed removing -terminate or adding -reset seems to fix it.
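Review bot: dropping `-terminate` from the Xephyr command in the sandboxX.sh hunk means Xephyr no longer exits on its own when its last client disconnects; the visible lines do not show what later kills the Xephyr process, so check that the sandbox teardown terminates it, otherwise each `sandbox -X` run could leave a Xephyr server behind.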
[PATCH v2] sandbox: Use GObject introspection binding instead of pygtk2
From: Petr Lautrbach <plaut...@redhat.com> sandbox command is also now using GTK 3.0 This patch comes from Fedora patch set Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/sandbox/sandbox | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 9f200d5..726ba9b 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest): def savefile(new, orig, X_ind): copy = False if(X_ind): -import gtk -dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, -gtk.BUTTONS_YES_NO, +import gi +gi.require_version('Gtk', '3.0') +from gi.repository import Gtk +dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, +Gtk.ButtonsType.YES_NO, _("Do you want to save changes to '%s' (Y/N): ") % orig) dlg.set_title(_("Sandbox Message")) -dlg.set_position(gtk.WIN_POS_MOUSE) +dlg.set_position(Gtk.WindowPosition.MOUSE) dlg.show_all() rc = dlg.run() dlg.destroy() -if rc == gtk.RESPONSE_YES: +if rc == Gtk.ResponseType.YES: copy = True else: try: @@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- if self.__options.dpi: dpi = self.__options.dpi else: -import gtk -dpi = str(gtk.settings_get_default().props.gtk_xft_dpi / 1024) +import gi +gi.require_version('Gtk', '3.0') +from gi.repository import Gtk +dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) xmodmapfile = self.__homedir + "/.xmodmap" xd = open(xmodmapfile, "w") -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
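Review bot: in the second hunk `str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)` yields a string such as "96.0" under python3, where `/` is true division, whereas the pygtk2 code produced "96"; use `//` so the DPI handed to Xephyr stays an integer. In the first hunk, newer PyGObject deprecates positional arguments to Gtk.MessageDialog; passing them as keyword arguments (the dialog's message_type, buttons and text properties) avoids the deprecation warning.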
[PATCH] sandbox: Use dbus-launch instead of dbus-run-session
From: Laurent Bigonville <bi...@bigon.be> According to dbus upstream: "dbus-launch is fairly horrible code, complicated by the historical need for it to support X11 autolaunching, so the D-Bus maintainers would like to move it out of the critical path and minimize its use." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289 --- policycoreutils/sandbox/sandbox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 726ba9b..f537dc6 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -285,7 +285,7 @@ class Sandbox: /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap %s & WM_PID=$! -dbus-launch --exit-with-session %s +dbus-run-session -- %s kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command)) fd.close() -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
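Review bot: the subject says "Use dbus-launch instead of dbus-run-session" but the hunk does the reverse, replacing `dbus-launch --exit-with-session %s` with `dbus-run-session -- %s`; fix the subject. The hunk also makes dbus-run-session a hard requirement with no fallback when it is absent, and the message carries no Signed-off-by; v3 of this patch addresses both.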
sandbox -X not working with recent Xephyr
Hi,

It seems that sandbox -X is not working anymore on Debian. Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.

The X socket is not created inside the sandbox and then the application can obviously not connect to it. I'm not sure how this could be fixed, maybe let's seunshare create that directory?

Cheers,

Laurent Bigonville
[PATCH] sandbox: Use GObject introspection binding instead of pygtk2
From: Laurent Bigonville <bi...@bigon.be> sandbox command is also now using GTK 3.0 This patch comes from Fedora patch set --- policycoreutils/sandbox/sandbox | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 9f200d5..726ba9b 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest): def savefile(new, orig, X_ind): copy = False if(X_ind): -import gtk -dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, -gtk.BUTTONS_YES_NO, +import gi +gi.require_version('Gtk', '3.0') +from gi.repository import Gtk +dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, +Gtk.ButtonsType.YES_NO, _("Do you want to save changes to '%s' (Y/N): ") % orig) dlg.set_title(_("Sandbox Message")) -dlg.set_position(gtk.WIN_POS_MOUSE) +dlg.set_position(Gtk.WindowPosition.MOUSE) dlg.show_all() rc = dlg.run() dlg.destroy() -if rc == gtk.RESPONSE_YES: +if rc == Gtk.ResponseType.YES: copy = True else: try: @@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- if self.__options.dpi: dpi = self.__options.dpi else: -import gtk -dpi = str(gtk.settings_get_default().props.gtk_xft_dpi / 1024) +import gi +gi.require_version('Gtk', '3.0') +from gi.repository import Gtk +dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) xmodmapfile = self.__homedir + "/.xmodmap" xd = open(xmodmapfile, "w") -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
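Review bot: the message says the patch comes from the Fedora patch set, yet `From:` names Laurent Bigonville and there is no Signed-off-by line; credit the original author in From: and add the sign-off, as v2 of this patch does.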
[PATCH] libselinux/utils/Makefile: Fix in tree compilation
From: Laurent Bigonville <bi...@bigon.be> Some tools need the sepol/sepol.h header --- libselinux/utils/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index cf7af52..8497cb4 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile @@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib USRBINDIR ?= $(PREFIX)/sbin SBINDIR ?= $(DESTDIR)/sbin +INCLUDEDIR ?= $(PREFIX)/include MAX_STACK_SIZE=8192 CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ @@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ -Werror -Wno-aggregate-return -Wno-redundant-decls -override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS) +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) LDLIBS += -L../src -lselinux -L$(LIBDIR) TARGETS=$(patsubst %.c,%,$(wildcard *.c)) -- 2.8.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
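Review bot: the description "Some tools need the sepol/sepol.h header" should name the utilities that include it. Note also that with an empty DESTDIR the new `-I$(INCLUDEDIR)` expands to `-I/usr/include`, which GCC ignores for standard system directories, so the change only has an effect for staged (DESTDIR) builds; keeping `-I../include` first is correct so that in-tree libselinux headers win over installed ones.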
[PATCH] Sort object files for deterministic linking order
From: Laurent Bigonville <bi...@bigon.be> This patch is part of the Debian effort to make the build reproducible Thank to Reiner Herrmann <rei...@reiner-h.de> for the patches Signed-off-by: Laurent Bigonville <bi...@bigon.be> --- libselinux/src/Makefile | 2 +- libsemanage/src/Makefile | 2 +- libsepol/src/Makefile| 8 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index ac9a5d6..d94163e 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -49,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y) endif GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c)) +SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) MAX_STACK_SIZE=32768 diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index d6c3f0f..96ee652 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -52,7 +52,7 @@ SWIGRUBYSO=$(RUBYPREFIX)_semanage.so LIBSO=$(TARGET).$(LIBVERSION) GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i -SRCS= $(filter-out $(GENERATED),$(wildcard *.c)) +SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c))) OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index c0c3274..b0c901f 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile 
@@ -18,15 +18,15 @@ TARGET=libsepol.so LIBPC=libsepol.pc LIBMAP=libsepol.map LIBSO=$(TARGET).$(LIBVERSION) -OBJS= $(patsubst %.c,%.o,$(wildcard *.c)) -LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c)) +OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c))) +LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c))) CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2 override CFLAGS += -I. -I../include -D_GNU_SOURCE ifneq ($(DISABLE_CIL),y) -OBJS += $(sort $(patsubst %.c,%.o,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATED))) -LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATED))) +OBJS += $(sort $(patsubst %.c,%.o,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_GENERATED))) +LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_GENERATED))) override CFLAGS += -I$(CILDIR)/include endif -- 2.8.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
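Review bot: in the libsepol hunk the inner `$(sort $(wildcard $(CILDIR)/src/*.c))` is redundant, because the surrounding `$(sort $(patsubst ...))` already sorts (and deduplicates) the whole list, $(CIL_GENERATED) included; the plain OBJS/LOBJS lines above it, which had no outer sort, are the ones that needed the change.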
[PATCH] semodule: Fix the --list-modules=full example in the manpage
From: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/semodule/semodule.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 index 68e95ab..7b07c45 100644 --- a/policycoreutils/semodule/semodule.8 +++ b/policycoreutils/semodule/semodule.8 @@ -116,7 +116,7 @@ $ semodule \-d alsa # Install a module at a specific priority. $ semodule \-X 100 \-i alsa.pp # List all modules. -$ semodule \-l full +$ semodule \-\-list-modules=full # Set an alternate path for the policy root $ semodule \-B \-p "/tmp" # Set an alternate path for the policy store root -- 2.8.1
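Review bot: the hunk replaces `-l full` with `--list-modules=full` but the commit message does not say why the old example was wrong. If `-l` takes an optional argument (getopt_long's `optional_argument`), the short spelling needs the value attached as `-lfull`; written as `-l full`, the option lists modules in the default format and `full` is left over as a stray operand, which is why the long `=` form is the unambiguous one to document. A one-line explanation in the commit message, or showing both spellings in the example, would spare the next reader the same trap.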
[PATCH v2] policycoreutils: Minor fix in a French translation
From: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/po/fr.po | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/po/fr.po b/policycoreutils/po/fr.po index be33d59..5c797c9 100644 --- a/policycoreutils/po/fr.po +++ b/policycoreutils/po/fr.po @@ -1307,7 +1307,7 @@ msgstr "syntaxe : %s [-q]\n" #: ../load_policy/load_policy.c:71 #, c-format msgid "%s: Policy is already loaded and initial load requested\n" -msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n" +msgstr "%s : La stratégie est déjà chargée et un chargement initial est demandé\n" #: ../load_policy/load_policy.c:80 #, c-format -- 2.8.1
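Review bot: the new msgstr changes two things at once and the commit message mentions neither: it moves `%s` to the front so the French mirrors the `%s: ...` layout of the msgid (correct, since the `%s` is the program name printed by load_policy, not the name of a policy), and it replaces `requis` (required) with `demandé` (requested), which is what the English `initial load requested` says. The second change corrects the meaning rather than the word order and deserves a sentence in the commit message. Minor: `%s :` uses a plain ASCII space before the colon, whereas French typography wants a no-break space; acceptable for a console message, but worth a deliberate choice.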
[PATCH] policycoreutils: Minor fix for in a French translation
From: Laurent Bigonville <bi...@bigon.be> --- policycoreutils/po/fr.po | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policycoreutils/po/fr.po b/policycoreutils/po/fr.po index be33d59..5c797c9 100644 --- a/policycoreutils/po/fr.po +++ b/policycoreutils/po/fr.po @@ -1307,7 +1307,7 @@ msgstr "syntaxe : %s [-q]\n" #: ../load_policy/load_policy.c:71 #, c-format msgid "%s: Policy is already loaded and initial load requested\n" -msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n" +msgstr "%s : La stratégie est déjà chargée et un chargement initial est demandé\n" #: ../load_policy/load_policy.c:80 #, c-format -- 2.8.1
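Review bot: this hunk is identical to the one in the [PATCH v2] posting (same index line `be33d59..5c797c9`, same `-`/`+` msgstr lines); only the subject line differs, so the v2 posting is the one to apply and this one can be dropped from the queue.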
Re: Licence of the new setools icons
On 05/05/16 at 15:51, Christopher J. PeBenito wrote:
> On 5/5/2016 8:46 AM, Christopher J. PeBenito wrote:
>> On 5/5/2016 7:46 AM, Laurent Bigonville wrote:
>>> Hello,
>>>
>>> setools(4) includes a new set of icons. The COPYING file included in the same directory states:
>>>
>>> [...]
>>>
>>> This doesn't seem free (as in freedom), as the license doesn't give the right to modify the icons. This will make it difficult to include setools in some distros (Debian, Fedora, ...).
>>>
>>> Couldn't the icons already present in the Qt icon theme be used instead? Most of them should have equivalents.
>>
>> If the licensing is a problem, then I can look into replacing the icons with the Qt icons (patches welcome).
>
> Replacing with standard icons ended up being straightforward and will be in 4.0.1.

Thanks!
[PATCH] Fix multiple spelling errors
From: Laurent Bigonville <bi...@bigon.be> Thanks to the lintian utility from Debian --- libselinux/man/man3/avc_add_callback.3 | 4 ++-- libselinux/man/man3/avc_has_perm.3 | 2 +- libselinux/man/man3/is_selinux_enabled.3 | 2 +- libsemanage/include/semanage/handle.h| 2 +- libsemanage/src/database.h | 2 +- libsepol/cil/src/cil_find.c | 2 +- policycoreutils/sandbox/seunshare.8 | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libselinux/man/man3/avc_add_callback.3 b/libselinux/man/man3/avc_add_callback.3 index dbfe72d..bdbbadf 100644 --- a/libselinux/man/man3/avc_add_callback.3 +++ b/libselinux/man/man3/avc_add_callback.3 @@ -57,7 +57,7 @@ and will cause any SID to match. .I callback is the callback function provided by the userspace object manager. The .I event -argument indicates the security event which occured; the remaining arguments +argument indicates the security event which occurred; the remaining arguments are interpreted according to the event as described below. The return value of the callback should be zero on success, \-1 on error with .I errno @@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks registered via may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See .BR avc_init (3). -Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is +Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is .BR AVC_CALLBACK_RESET . . .SH "AUTHOR" diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3 index 7353952..3e9fca8 100644 --- a/libselinux/man/man3/avc_has_perm.3 +++ b/libselinux/man/man3/avc_has_perm.3 
@@ -108,7 +108,7 @@ for the first time. Using an uninitialized structure will produce undefined behavior. . .SH "RETURN VALUE" -If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and +If requested permissions are granted, zero is returned. If requested permissions are denied or an error occurred, \-1 is returned and .I errno is set appropriately. diff --git a/libselinux/man/man3/is_selinux_enabled.3 b/libselinux/man/man3/is_selinux_enabled.3 index f02052c..b2df562 100644 --- a/libselinux/man/man3/is_selinux_enabled.3 +++ b/libselinux/man/man3/is_selinux_enabled.3 @@ -3,7 +3,7 @@ is_selinux_enabled \- check whether SELinux is enabled . .SH "NAME" -is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS +is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Security) MLS . .SH "SYNOPSIS" .B #include diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h index 6cad529..c816590 100644 --- a/libsemanage/include/semanage/handle.h +++ b/libsemanage/include/semanage/handle.h @@ -130,7 +130,7 @@ int semanage_commit(semanage_handle_t *); #define SEMANAGE_CAN_READ 1 #define SEMANAGE_CAN_WRITE 2 /* returns SEMANAGE_CAN_READ or SEMANAGE_CAN_WRITE if the store is readable - * or writable, respectively. <0 if an error occured */ + * or writable, respectively. <0 if an error occurred */ int semanage_access_check(semanage_handle_t * sh); /* returns 0 if not connected, 1 if connected */ diff --git a/libsemanage/src/database.h b/libsemanage/src/database.h index e460379..6a4a164 100644 --- a/libsemanage/src/database.h +++ b/libsemanage/src/database.h 
@@ -148,7 +148,7 @@ typedef struct dbase_table { * This function must be invoked before using * any of the database functions above. It may be invoked * multiple times, and will update the cache if a commit -* occured between invocations */ +* occurred between invocations */ int (*cache) (struct semanage_handle * handle, dbase_t * dbase); /* Forgets all changes that haven't been written diff --git a/libsepol/cil/src/cil_find.c b/libsepol/cil/src/cil_find.c index 8e0688c..4134242 100644 --- a/libsepol/cil/src/cil_find.c +++ b/libsepol/cil/src/cil_find.c @@ -383,7 +383,7 @@ int cil_find_matching_avrule_in_ast(struct cil_tree_node *current, enum cil_flav rc = cil_tree_walk(current, __cil_find_matching_avrule_in_ast, NULL, NULL, ); if (rc) { - cil_log(CIL_ERR, "An error occured while searching for avrule in AST\n"); + cil_log(CIL_ERR, "An error occurred while searching for avrule in AST\n"); } return rc; diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 index 76b75c8..9e105a1 100644
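Review bot: in the is_selinux_enabled.3 hunk, `Securty` is fixed but the line still reads `enabled for (Multi Level Security) MLS`, with the expansion in front of the abbreviation it expands; since the line is being rewritten anyway, `enabled for MLS (Multi Level Security)` is the natural form. The `occured`/`excercised` hunks in avc_add_callback.3, avc_has_perm.3, handle.h and database.h are straightforward, and the cil_find.c hunk only changes a `cil_log` string, which is safe as long as nothing parses that message text.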
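Review bot: the policycoreutils/sandbox/seunshare.8 hunk is cut off after its `index 76b75c8..9e105a1 100644` line in this copy of the patch, so the one-line change the diffstat promises for that file cannot be reviewed here; please make sure the full hunk is in the version that gets applied.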
Copying/setting security.selinux xattr explicitly
Hello,

I've a question concerning copying the security.selinux xattr explicitly. In your opinion, what should happen in an implementation if it cannot reset security.selinux on the target file?

Apparently GNU cp -a ignores failures (while cp --preserve=context fails).

In some Python helper function (_copyxattr(), see https://bugs.python.org/issue14082), it will return an exception if the copy of any of the xattrs is failing; there is no special case for security.selinux.

What do you think should be the behavior here?

Cheers,

Laurent Bigonville
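As an added illustration of the two behaviours the message compares (this is example code, not from the thread, from coreutils or from CPython's shutil), the helper below copies extended attributes and, when setting security.selinux on the target fails, either warns and continues the way cp -a is described to do, or fails the way cp --preserve=context does, depending on a strict flag; a failure on any other attribute always propagates. The xattr calls are injectable so the policy can be run against a constructed in-memory store instead of a real file system; the names copy_xattrs, strict_context, FakeXattrStore and the sample label are assumptions of this example.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"


def copy_xattrs(src, dst, *, strict_context=False,
                listxattr=os.listxattr, getxattr=os.getxattr,
                setxattr=os.setxattr, warn=None):
    """Copy every extended attribute of src onto dst.

    Returns the names that were actually set on dst.  A failure to set
    security.selinux is reported through warn() and skipped when
    strict_context is False (the "cp -a" behaviour from the thread) and
    re-raised when it is True (the "cp --preserve=context" behaviour).
    A failure on any other attribute is always re-raised.  The *xattr
    callables default to the os module; they are parameters only so the
    policy can be exercised against the in-memory stand-in below.
    """
    if warn is None:
        warn = lambda msg: print(msg, file=sys.stderr)
    copied = []
    for name in listxattr(src):
        value = getxattr(src, name)
        try:
            setxattr(dst, name, value)
        except OSError as exc:
            if name == SELINUX_XATTR and not strict_context:
                warn("%s: failed to preserve %s: %s" % (dst, name, exc.strerror))
                continue
            raise
        copied.append(name)
    return copied


class FakeXattrStore:
    """Constructed in-memory stand-in for the kernel xattr calls (no real files).

    It lets the policy above be run against a target that refuses the
    SELinux label, which on a real system needs a file system without
    SELinux support or a process that is not allowed to relabel.
    """

    def __init__(self, files, denied=()):
        self.files = {path: dict(attrs) for path, attrs in files.items()}
        self.denied = set(denied)  # (path, name) pairs whose setxattr fails

    def listxattr(self, path, *, follow_symlinks=True):
        return list(self.files[path])

    def getxattr(self, path, name, *, follow_symlinks=True):
        return self.files[path][name]

    def setxattr(self, path, name, value, flags=0, *, follow_symlinks=True):
        if (path, name) in self.denied:
            raise OSError(errno.EPERM, os.strerror(errno.EPERM), path)
        self.files[path][name] = value


def demo():
    """Copy a constructed file's xattrs to a target that refuses the SELinux label.

    Returns (names copied in lenient mode, errno raised in strict mode,
    attributes present on the target after the lenient copy).
    """
    def make_store():
        return FakeXattrStore(
            {"/src/file": {"user.comment": b"hello",
                           SELINUX_XATTR: b"system_u:object_r:etc_t:s0"},
             "/dst/file": {}},
            denied={("/dst/file", SELINUX_XATTR)})

    lenient = make_store()
    copied = copy_xattrs("/src/file", "/dst/file",
                         listxattr=lenient.listxattr, getxattr=lenient.getxattr,
                         setxattr=lenient.setxattr, warn=lambda msg: None)

    strict = make_store()
    try:
        copy_xattrs("/src/file", "/dst/file", strict_context=True,
                    listxattr=strict.listxattr, getxattr=strict.getxattr,
                    setxattr=strict.setxattr, warn=lambda msg: None)
        strict_errno = None
    except OSError as exc:
        strict_errno = exc.errno
    return copied, strict_errno, lenient.files["/dst/file"]


if __name__ == "__main__":
    print(demo())
```

Whichever default an implementation picks, the lenient path should at least surface the skipped label to the caller (here through warn()), because a file that silently ends up with the default label of its new directory is exactly the kind of mislabelling that later shows up as unexpected AVC denials or, worse, as unexpectedly broad access.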
chcat is using getlogin() function that sometimes returns null/empty string
Hi,

So apparently gnome-terminal developers have decided to stop updating the utmp[0] file and this is breaking chcat -Ll with the following error:

Traceback (most recent call last):
  File "/usr/bin/chcat", line 409, in <module>
    sys.exit(listusercats(cmds))
  File "/usr/bin/chcat", line 352, in listusercats
    users.append(os.getlogin())
OSError: [Errno 2] No such file or directory

The getlogin(3) manpage suggests relying on the LOGNAME environment variable, so maybe chcat should fall back to this if getlogin() is not returning anything?

Cheers,

Laurent Bigonville

[0] https://bugzilla.gnome.org/show_bug.cgi?id=747046
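As an added example (not chcat's own code), the helper below implements the fallback the message suggests and goes one step beyond it: after getlogin() and $LOGNAME it also tries $USER and, as a last resort, the passwd entry for the real uid, which is the robust alternative getlogin(3) itself points to. The names current_login_name, failing_getlogin and demo are assumptions of this example, and the constructed inputs stand in for a real terminal.

```python
import errno
import os
import pwd


def current_login_name(*, getlogin=os.getlogin, environ=None,
                       getuid=os.getuid, getpwuid=pwd.getpwuid):
    """Return the login name of the calling user, with fallbacks.

    Order: getlogin(), then $LOGNAME, then $USER, then the passwd entry
    for the real uid.  os.getlogin() raises OSError(ENOENT) when utmp has
    no record for the controlling terminal, which is the gnome-terminal
    case in the thread; an unset or empty variable is skipped.  The
    callables are parameters only so the chain can be exercised without
    a terminal.
    """
    if environ is None:
        environ = os.environ
    try:
        name = getlogin()
        if name:
            return name
    except OSError:
        pass
    for var in ("LOGNAME", "USER"):
        name = environ.get(var)
        if name:
            return name
    return getpwuid(getuid()).pw_name


def failing_getlogin():
    """Stand-in for os.getlogin() on a terminal without a utmp entry (constructed)."""
    raise OSError(errno.ENOENT, os.strerror(errno.ENOENT))


def demo():
    """Run the chain over constructed inputs; returns the name chosen in each case."""
    fake_pw = pwd.struct_passwd(("dave", "x", 1000, 1000, "", "/home/dave", "/bin/sh"))
    return (
        # utmp works: getlogin() wins
        current_login_name(getlogin=lambda: "carol", environ={}),
        # utmp broken: $LOGNAME is used
        current_login_name(getlogin=failing_getlogin, environ={"LOGNAME": "alice"}),
        # an empty $LOGNAME is ignored, $USER is next
        current_login_name(getlogin=failing_getlogin,
                           environ={"LOGNAME": "", "USER": "bob"}),
        # nothing usable in the environment: passwd entry for the real uid
        current_login_name(getlogin=failing_getlogin, environ={},
                           getuid=lambda: 1000, getpwuid=lambda uid: fake_pw),
    )


if __name__ == "__main__":
    print(current_login_name())
```

The environment is under the caller's control, so a name obtained from $LOGNAME or $USER is fine for deciding whose categories `chcat -L` displays, but it must never feed an access decision; anything that grants or changes access should key on the uid the kernel reports, which is what the final getpwuid() step uses.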
Re: newrole not working when built with LSPP_PRIV=y
On 29/09/15 21:35, Stephen Smalley wrote:
> On 09/26/2015 09:10 PM, Laurent Bigonville wrote:
>> [...]
>> The patch seems to break another thing: in Fedora the newrole executable is not setuid root, but it is granted a bunch of capabilities explicitly. If I setuid this executable instead of granting these capabilities, I get yet another error:
>>
>> Sorry, newrole failed to drop capabilities: Operation not permitted
>>
>> So I guess something needs to be fixed here.
>
> Yes, the current code just seems to be wrong here. The setresuid() call will drop all capabilities if newrole is setuid-root and the caller is non-root, so it will end up dropping all capabilities immediately. Then the attempt to further set the capabilities will fail (as above), as will any subsequent privileged operations. As currently written, this can only work if not setuid-root and using file-caps. And in that case, the setresuid() call doesn't make sense. Dan?

Apparently libcap-ng has a capng_change_id(3) function that can be used to "change the credentials retaining capabilities".

Laurent Bigonville
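As an added example (not newrole's code), the script below makes the ordering problem Stephen describes observable: it records CapPrm and CapEff from /proc/self/status, changes uid with setresuid() with or without PR_SET_KEEPCAPS, and reads the sets again. Run as root it shows the permitted set disappearing after the uid change unless keepcaps was requested first, which is why a capset() placed after a bare setresuid() has nothing left to work with. The target uid/gid 65534 and the names change_id, lost_permitted and parse_cap_fields are assumptions of this example; PR_SET_KEEPCAPS = 8 is the value from <linux/prctl.h>.

```python
import ctypes
import os
import sys

PR_SET_KEEPCAPS = 8  # <linux/prctl.h>


def parse_cap_fields(status_text):
    """Return the Cap* lines of a /proc/<pid>/status text as {name: int mask}."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps


def read_self_caps():
    """Capability masks of the current process, read from /proc/self/status."""
    with open("/proc/self/status") as fh:
        return parse_cap_fields(fh.read())


def lost_permitted(before, after):
    """Bits that were in CapPrm before the uid change and are gone afterwards."""
    return before["CapPrm"] & ~after["CapPrm"]


def change_id(uid, gid, keep_caps):
    """Switch to uid/gid the way newrole's setresuid() does.

    Without keep_caps, once none of a setuid-root process's real, effective
    and saved uids is 0 any more, the kernel clears its permitted and
    effective sets, so a later capset() has nothing to raise: the "failed
    to drop capabilities" path in the thread.  With keep_caps,
    prctl(PR_SET_KEEPCAPS) keeps the permitted set across the change; the
    effective set is still cleared when the euid leaves 0 and must be
    re-raised afterwards (capset(2), libcap's cap_set_proc() or libcap-ng's
    capng_apply()).
    """
    libc = ctypes.CDLL(None, use_errno=True)
    if keep_caps and libc.prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, "prctl(PR_SET_KEEPCAPS): " + os.strerror(err))
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)


def main(argv):
    # Usage (as root): python3 this.py [--keepcaps]; uid/gid 65534 is assumed to be nobody.
    if os.geteuid() != 0:
        print("run as root to observe the capability sets change", file=sys.stderr)
        return 1
    keep = "--keepcaps" in argv
    before = read_self_caps()
    change_id(65534, 65534, keep)
    after = read_self_caps()
    print("keepcaps=%s CapPrm %016x -> %016x, CapEff %016x -> %016x, lost %016x"
          % (keep, before["CapPrm"], after["CapPrm"],
             before["CapEff"], after["CapEff"], lost_permitted(before, after)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The same two readings taken around a call to capng_change_id() would show what that helper does for newrole: it sets the keepcaps bit, changes the ids, and re-applies the selected capabilities in one step, so the permitted set survives and the effective set is restored before any privileged operation runs.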