Re: libsemanage getpwent and nss-systemd incompatibility

2018-07-13 Thread Laurent Bigonville

On 13/07/18 at 16:37, Stephen Smalley wrote:

On 07/13/2018 10:26 AM, Laurent Bigonville wrote:

On 13/07/18 at 16:19, Laurent Bigonville wrote:

On 10/07/18 at 17:58, Stephen Smalley wrote:

On 07/10/2018 11:40 AM, Stephen Smalley wrote:

On 07/09/2018 04:20 PM, Nicolas Iooss wrote:

Hello,

While testing a systemd update on Arch Linux, I encountered the
following message (in a Vagrant virtual machine):

# semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
libsemanage.get_home_dirs: Error while fetching users. Returning list so far.

A quick debugging of get_home_dirs() in
libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf =
getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT). My
/etc/nsswitch.conf contains:

passwd: files mymachines systemd

If I remove "systemd" from this line, the error disappears. Therefore
it seems that systemd's NSS module returns an ENOENT error when
getpwent() is called. I have not found any clue in systemd's code [1]
about such an error and I have not got much time to debug this issue.
Does this occur for someone else (using Fedora for example)?

Fedora ships with usepasswd=False in semanage.conf, so we'll never reach that 
code in a default configuration.
Fedora nsswitch.conf has following for passwd:
passwd:    files sss systemd

Removing usepasswd=False from semanage.conf, I see the same behavior with 
libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did not occur 
with systemd 238.  systemd v239 does introduce support into nss-systemd for 
looking up dynamic users, so this seems to be the cause. Not sure yet whether 
this represents a bug in libsemanage or systemd, but it appears to just be a 
warning and not fatal to operation.

I'm inclined to think that this is a bug in systemd.  The man page for 
getpwent() says nothing about setting errno to ENOENT upon reaching the end of 
the passwd database; it should just return NULL w/o setting errno AFAICT.

I see the same warning in debian.

If I'm reading 
https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html well this 
is actually valid to set errno=ENOENT and return NSS_STATUS_NOTFOUND if "The 
requested entry is not available.", so that should be OK?

There is more info at 
https://www.gnu.org/software/libc/manual/html_node/NSS-Module-Function-Internals.html as 
well: "The function shall return NSS_STATUS_SUCCESS as long as there are more 
entries. When the last entry was read it should return NSS_STATUS_NOTFOUND. When the 
buffer given as an argument is too small for the data to be returned NSS_STATUS_TRYAGAIN 
should be returned. When the service was not formerly initialized by a call to 
_nss_DATABASE_setdbent all return values allowed for this function can also be returned 
here."

But indeed, it's not that clear if you should set errno or not if you reach the 
last entry

I'm not averse to a patch for libsemanage to ignore ENOENT from getpwent(), but 
I think it is a bug in either systemd (i.e. it shouldn't be setting ENOENT) or 
glibc (it should suppress it) given that it is not documented as a possible 
errno value in getpwent(3).  If we ignore it, we likely ought to clear errno to 
avoid incorrect propagation of an ENOENT errno to later code.  But someone 
likely ought to open a bug with either systemd or glibc maintainers regardless. 
 Should be easy to create a trivial test case w/o involving libsemanage, just 
some code that calls getpwent() until it returns NULL and then tests the errno 
value, and show that it changes between systemd v238 and systemd v239.
FTR I've opened https://sourceware.org/bugzilla/show_bug.cgi?id=23410 as 
the errno is not documented; let's see what they will say.


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
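As an added example (not code from the thread, nor from libsemanage or systemd), here is the stand-alone probe Stephen suggests above: enumerate the passwd database with getpwent() until it returns NULL and report the errno left behind. It also shows the tolerant loop shape the thread discusses, treating a trailing ENOENT as end-of-list and clearing it so it cannot propagate; the struct and function names are mine, and the result depends on the nsswitch.conf of the machine it runs on.

```c
/* Probe getpwent() end-of-enumeration errno behaviour and demonstrate a loop
 * that tolerates the spurious ENOENT seen with nss-systemd 239.  Example code
 * written for this discussion; not part of libsemanage. */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one full walk over the passwd database. */
struct pwscan {
    int entries;    /* records returned by getpwent() before NULL */
    int end_errno;  /* errno observed at the moment getpwent() returned NULL */
    int failed;     /* 1 if end_errno is neither 0 nor ENOENT */
};

/* Decide whether the errno left after the final getpwent() call counts as a
 * real failure.  0 is the documented end-of-list state; ENOENT is what the
 * thread observed from nss-systemd and is accepted as end-of-list as well. */
int is_enumeration_error(int end_errno)
{
    return end_errno != 0 && end_errno != ENOENT;
}

/* Walk the database the way libsemanage's get_home_dirs() does (getpwent()
 * until NULL), but reset errno before every call so that the value seen at
 * the end is attributable to the final call only. */
struct pwscan scan_passwd(void)
{
    struct pwscan r = {0, 0, 0};
    struct passwd *pw;

    setpwent();
    errno = 0;                              /* start from a known state */
    while ((pw = getpwent()) != NULL) {
        r.entries++;
        errno = 0;                          /* a successful call must not leave stale errno */
    }
    r.end_errno = errno;                    /* capture before endpwent() can touch it */
    endpwent();

    r.failed = is_enumeration_error(r.end_errno);
    if (r.end_errno == ENOENT)
        errno = 0;                          /* tolerate and clear, as the thread proposes */
    return r;
}

int main(void)
{
    struct pwscan r = scan_passwd();

    printf("entries=%d end_errno=%d (%s) failed=%d\n",
           r.entries, r.end_errno,
           r.end_errno ? strerror(r.end_errno) : "none", r.failed);
    /* Exit status 1 only for a genuine enumeration failure. */
    return r.failed;
}
```

Run it once with "systemd" in the passwd line of /etc/nsswitch.conf and once without to reproduce the comparison the thread describes.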

Re: libsemanage getpwent and nss-systemd incompatibility

2018-07-13 Thread Laurent Bigonville

On 13/07/18 at 16:19, Laurent Bigonville wrote:

On 10/07/18 at 17:58, Stephen Smalley wrote:

On 07/10/2018 11:40 AM, Stephen Smalley wrote:

On 07/09/2018 04:20 PM, Nicolas Iooss wrote:

Hello,

While testing a systemd update on Arch Linux, I encountered the
following message (in a Vagrant virtual machine):

# semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
libsemanage.get_home_dirs: Error while fetching users. Returning 
list so far.


A quick debugging of get_home_dirs() in
libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf =
getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT). My
/etc/nsswitch.conf contains:

passwd: files mymachines systemd

If I remove "systemd" from this line, the error disappears. Therefore
it seems that systemd's NSS module returns an ENOENT error when
getpwent() is called. I have not found any clue in systemd's code [1]
about such an error and I have not got much time to debug this issue.
Does this occur for someone else (using Fedora for example)?
Fedora ships with usepasswd=False in semanage.conf, so we'll never 
reach that code in a default configuration.

Fedora nsswitch.conf has following for passwd:
passwd:    files sss systemd

Removing usepasswd=False from semanage.conf, I see the same behavior 
with libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it 
did not occur with systemd 238.  systemd v239 does introduce support 
into nss-systemd for looking up dynamic users, so this seems to be 
the cause. Not sure yet whether this represents a bug in libsemanage 
or systemd, but it appears to just be a warning and not fatal to 
operation.
I'm inclined to think that this is a bug in systemd.  The man page 
for getpwent() says nothing about setting errno to ENOENT upon 
reaching the end of the passwd database; it should just return NULL 
w/o setting errno AFAICT.


I see the same warning in debian.

If I'm reading 
https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html 
well this is actually valid to set errno=ENOENT and return 
NSS_STATUS_NOTFOUND if "The requested entry is not available.", so 
that should be OK?


There is more info at 
https://www.gnu.org/software/libc/manual/html_node/NSS-Module-Function-Internals.html 
as well: "The function shall return NSS_STATUS_SUCCESS as long as there 
are more entries. When the last entry was read it should return 
NSS_STATUS_NOTFOUND. When the buffer given as an argument is too small 
for the data to be returned NSS_STATUS_TRYAGAIN should be returned. When 
the service was not formerly initialized by a call to 
_nss_DATABASE_setdbent all return values allowed for this function can 
also be returned here."


But indeed, it's not that clear if you should set errno or not if you 
reach the last entry



Re: libsemanage getpwent and nss-systemd incompatibility

2018-07-13 Thread Laurent Bigonville

On 10/07/18 at 17:58, Stephen Smalley wrote:

On 07/10/2018 11:40 AM, Stephen Smalley wrote:

On 07/09/2018 04:20 PM, Nicolas Iooss wrote:

Hello,

While testing a systemd update on Arch Linux, I encountered the
following message (in a Vagrant virtual machine):

# semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
libsemanage.get_home_dirs: Error while fetching users.  Returning list so far.

A quick debugging of get_home_dirs() in
libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf =
getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT). My
/etc/nsswitch.conf contains:

passwd: files mymachines systemd

If I remove "systemd" from this line, the error disappears. Therefore
it seems that systemd's NSS module returns an ENOENT error when
getpwent() is called. I have not found any clue in systemd's code [1]
about such an error and I have not got much time to debug this issue.
Does this occur for someone else (using Fedora for example)?

Fedora ships with usepasswd=False in semanage.conf, so we'll never reach that 
code in a default configuration.
Fedora nsswitch.conf has following for passwd:
passwd: files sss systemd

Removing usepasswd=False from semanage.conf, I see the same behavior with 
libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did not occur 
with systemd 238.  systemd v239 does introduce support into nss-systemd for 
looking up dynamic users, so this seems to be the cause. Not sure yet whether 
this represents a bug in libsemanage or systemd, but it appears to just be a 
warning and not fatal to operation.

I'm inclined to think that this is a bug in systemd.  The man page for 
getpwent() says nothing about setting errno to ENOENT upon reaching the end of 
the passwd database; it should just return NULL w/o setting errno AFAICT.


I see the same warning in debian.

If I'm reading 
https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html 
well this is actually valid to set errno=ENOENT and return 
NSS_STATUS_NOTFOUND if "The requested entry is not available.", so that 
should be OK?






For information, this issue occurs with SELinux release 2.8 (and git
master branch), systemd 239.0 and glibc 2.27, on a system with SELinux
in permissive mode.

Best,
Nicolas

[1] https://github.com/systemd/systemd/blob/master/src/nss-systemd/nss-systemd.c


sepolgen-ifgen fails with current refpolicy

2018-06-18 Thread Laurent Bigonville

Hello,

With the current refpolicy when running sepolgen-ifgen I get the 
following (fatal) error:


/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on 
line 157 ` [type=TICK]
error parsing headers
error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could 
not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: 
Syntax error on line 157 ` [type=TICK]"

The line in question in obj_perm_sets.spt is:

define(`mmap_file_perms',`{ getattr open map read execute ioctl } 
refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms 
instead')') # deprecated 20171213

sepolgen-ifgen is not happy with the embedded "refpolicywarn" apparently.

Regards,

Laurent Bigonville




[PATCH] restorecond: Fix consistency of DESTDIR usage

2018-05-31 Thread Laurent Bigonville
From: Laurent Bigonville 

---
 restorecond/Makefile | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/restorecond/Makefile b/restorecond/Makefile
index 25be18d4..8a0ada1f 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -9,8 +9,8 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services
 SYSTEMDDIR ?= $(PREFIX)/lib/systemd
 
 autostart_DATA = sealertauto.desktop
-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
-SELINUXDIR = $(DESTDIR)/etc/selinux
+INITDIR ?= /etc/rc.d/init.d
+SELINUXDIR = /etc/selinux
 
 DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1)
 DBUSLIB = $(shell $(PKG_CONFIG) --libs dbus-glib-1)
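Review bot: the patch carries no commit message, and this hunk changes observable behaviour for anyone who overrides INITDIR: because the assignment is `INITDIR ?= /etc/rc.d/init.d`, a value passed on the make command line previously had to carry its own staging prefix, whereas after this change the install recipe prepends $(DESTDIR) to it. That is the right convention for staged installs, but it should be stated in the commit message, together with the fact that SELINUXDIR now follows the same rule.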
@@ -42,11 +42,11 @@ install: all
-mkdir -p $(DESTDIR)$(SBINDIR)
install -m 755 restorecond $(DESTDIR)$(SBINDIR)
install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8
-   -mkdir -p $(INITDIR)
-   install -m 755 restorecond.init $(INITDIR)/restorecond
-   -mkdir -p $(SELINUXDIR)
-   install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf
-   install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf
+   -mkdir -p $(DESTDIR)$(INITDIR)
+   install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond
+   -mkdir -p $(DESTDIR)$(SELINUXDIR)
+   install -m 644 restorecond.conf $(DESTDIR)$(SELINUXDIR)/restorecond.conf
+   install -m 644 restorecond_user.conf 
$(DESTDIR)$(SELINUXDIR)/restorecond_user.conf
-mkdir -p $(DESTDIR)$(AUTOSTARTDIR)
install -m 644 restorecond.desktop 
$(DESTDIR)$(AUTOSTARTDIR)/restorecond.desktop
-mkdir -p $(DESTDIR)$(DBUSSERVICEDIR)
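Review bot: the new `-mkdir -p $(DESTDIR)$(INITDIR)` and `-mkdir -p $(DESTDIR)$(SELINUXDIR)` lines keep the leading `-`, so a failure to create the staging directory is silently ignored and only the following `install` reports an error, pointing at the destination file rather than the directory. `mkdir -p` already succeeds on an existing directory, so the `-` prefix can be dropped here (and on the neighbouring SBINDIR, AUTOSTARTDIR and DBUSSERVICEDIR lines) so the recipe fails at the actual problem.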
-- 
2.17.1




Re: [PATCH] restorecond: Fix consistency of DESTDIR usage

2018-05-31 Thread Laurent Bigonville

On 30/05/18 at 22:19, Nicolas Iooss wrote:

On Tue, May 29, 2018 at 9:29 AM, Laurent Bigonville  wrote:

From: Laurent Bigonville 

---
  restorecond/Makefile | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/restorecond/Makefile b/restorecond/Makefile
index 25be18d4..fed65bba 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -9,7 +9,7 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services
  SYSTEMDDIR ?= $(PREFIX)/lib/systemd

  autostart_DATA = sealertauto.desktop
-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+INITDIR ?= /etc/rc.d/init.d
  SELINUXDIR = $(DESTDIR)/etc/selinux

This looks good to me, but seeing the SELINUXDIR definition, I am
wondering whether this line should also be migrated to remove DESTDIR
from it. This could be done in an other patch.


You want a new patch? I could amend that one instead


Nicolas


  DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1)
@@ -42,8 +42,8 @@ install: all
 -mkdir -p $(DESTDIR)$(SBINDIR)
 install -m 755 restorecond $(DESTDIR)$(SBINDIR)
 install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8
-   -mkdir -p $(INITDIR)
-   install -m 755 restorecond.init $(INITDIR)/restorecond
+   -mkdir -p $(DESTDIR)$(INITDIR)
+   install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond
 -mkdir -p $(SELINUXDIR)
 install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf
 install -m 644 restorecond_user.conf 
$(SELINUXDIR)/restorecond_user.conf
--
2.17.0





system-config-selinux requires root to run

2018-05-30 Thread Laurent Bigonville

Hello,

I was planning to re-add system-config-selinux in the Debian package now 
that it has been ported to GIR, python3 and GTK3.


But I realized that it requires root rights (via pkexec) to work.

The problem with that is that it doesn't work with wayland.

Are there any plans to decouple (even more) the GUI and the backend that 
requires root?


Kind regards,

Laurent Bigonville




fixfiles and load_policy moved from /sbin to /usr/sbin

2018-05-29 Thread Laurent Bigonville

Hello,

While packaging policycoreutils 2.8 I've seen that the fixfiles and 
load_policy executables were moved from /sbin to /usr/sbin


Any reasons for this? This seems to me like an involuntary side effect 
of the cleanup for DESTDIR and PREFIX in the build system.


For distributions with usr-merge that will not change anything, but for 
others it could prevent early boot scripts from loading the policy.


Shouldn't that be reverted?

Kind regards,

Laurent Bigonville




[PATCH] policycoreutils: Fix typo in newrole.1 manpage

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

---
 policycoreutils/newrole/newrole.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/newrole/newrole.1 
b/policycoreutils/newrole/newrole.1
index 0d9738a1..893c42f7 100644
--- a/policycoreutils/newrole/newrole.1
+++ b/policycoreutils/newrole/newrole.1
@@ -44,7 +44,7 @@ specified by that range.  If the
 or
 .B --preserve-environment
 option is specified, the shell with the new SELinux context will preserve 
environment variables,
-otherwise a new minimal enviroment is created.
+otherwise a new minimal environment is created.
 .PP
 Additional arguments
 .I ARGS
-- 
2.17.0




[PATCH 3/3] libselinux: fix the whatis line for the selinux_boolean_sub.3 manpage

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

Signed-off-by: Laurent Bigonville 
---
 libselinux/man/man3/selinux_boolean_sub.3 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/man/man3/selinux_boolean_sub.3 
b/libselinux/man/man3/selinux_boolean_sub.3
index d24c12a3..a29a38d5 100644
--- a/libselinux/man/man3/selinux_boolean_sub.3
+++ b/libselinux/man/man3/selinux_boolean_sub.3
@@ -1,6 +1,6 @@
 .TH "selinux_boolean_sub" "3" "11 June 2012" "dwa...@redhat.com" "SELinux API 
documentation"
 .SH "NAME"
-selinux_boolean_sub \-
+selinux_boolean_sub \- Search the translated name for a boolean_name record
 .
 .SH "SYNOPSIS"
 .B #include 
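Review bot: the NAME line added here, `selinux_boolean_sub \- Search the translated name for a boolean_name record`, does not quite describe the function: per the DESCRIPTION shown in patch 1/3 of this series, it looks up boolean_name in booleans.subs_dist and returns the substitution name, or the original name when there is no record. A whatis line such as `selinux_boolean_sub \- get the substituted name for a boolean` would match that, and whatis entries conventionally start in lowercase.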
-- 
2.17.0




[PATCH 2/3] libselinux: Fix line wrapping in selabel_file.5

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

Fix line wrapping with limited to 80 columns

Fix lintian error:
W: selinux-utils: manpage-has-errors-from-man 
usr/share/man/man5/selabel_file.5.gz 104: warning [p 2, 10.0i]: cannot adjust 
line

Signed-off-by: Laurent Bigonville 
---
 libselinux/man/man5/selabel_file.5 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/man/man5/selabel_file.5 
b/libselinux/man/man5/selabel_file.5
index e7388242..e97bd826 100644
--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
@@ -92,7 +92,7 @@ The optional local and distribution substitution files that 
perform any path ali
 .RE
 .sp
 The default file context series of files are:
-.RS
+.RS 6
 .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts
 .br
 .I  /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local
-- 
2.17.0




[PATCH 1/3] libselinux: Fix spelling errors in manpages

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

Signed-off-by: Laurent Bigonville 
---
 libselinux/man/man3/selinux_boolean_sub.3  | 2 +-
 libselinux/man/man3/selinux_restorecon_xattr.3 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libselinux/man/man3/selinux_boolean_sub.3 
b/libselinux/man/man3/selinux_boolean_sub.3
index 308c2684..d24c12a3 100644
--- a/libselinux/man/man3/selinux_boolean_sub.3
+++ b/libselinux/man/man3/selinux_boolean_sub.3
@@ -12,7 +12,7 @@ selinux_boolean_sub \-
 searches the
 .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
 file
-for a maching boolean_name record.  If the record exists the boolean 
substitution name is returned.  If not
+for a matching boolean_name record.  If the record exists the boolean 
substitution name is returned.  If not
 .BR \%selinux_boolean_sub ()
 returns the original
 .IR \%boolean_name .
diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 
b/libselinux/man/man3/selinux_restorecon_xattr.3
index 7280c958..516d2669 100644
--- a/libselinux/man/man3/selinux_restorecon_xattr.3
+++ b/libselinux/man/man3/selinux_restorecon_xattr.3
@@ -119,7 +119,7 @@ By default
 .BR selinux_restorecon_xattr (3)
 will use the default set of specfiles described in
 .BR files_contexts (5)
-to calculate the initial SHA1 digest to be used for comparision.
+to calculate the initial SHA1 digest to be used for comparison.
 To change this default behavior
 .BR selabel_open (3)
 must be called specifying the required
-- 
2.17.0




[PATCH] secilc: Make the clean target call the clean target of docs/

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

Thanks to Russell Coker 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899083

Signed-off-by: Laurent Bigonville 
---
 secilc/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/secilc/Makefile b/secilc/Makefile
index dfd79cef..16640098 100644
--- a/secilc/Makefile
+++ b/secilc/Makefile
@@ -58,6 +58,7 @@ clean:
rm -f file_contexts
rm -f $(SECILC_MANPAGE)
rm -f $(SECIL2CONF_MANPAGE)
+   $(MAKE) -C docs clean
 
 relabel:
 
-- 
2.17.0




[PATCH] restorecond: Fix consistency of DESTDIR usage

2018-05-29 Thread Laurent Bigonville
From: Laurent Bigonville 

---
 restorecond/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/restorecond/Makefile b/restorecond/Makefile
index 25be18d4..fed65bba 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -9,7 +9,7 @@ DBUSSERVICEDIR = $(PREFIX)/share/dbus-1/services
 SYSTEMDDIR ?= $(PREFIX)/lib/systemd
 
 autostart_DATA = sealertauto.desktop
-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+INITDIR ?= /etc/rc.d/init.d
 SELINUXDIR = $(DESTDIR)/etc/selinux
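Review bot: this hunk drops $(DESTDIR) from INITDIR but leaves the adjacent context line `SELINUXDIR = $(DESTDIR)/etc/selinux` untouched, so the two directory variables now embed the staging prefix differently while both are consumed by the same install recipe. Apply the same change to SELINUXDIR and add the $(DESTDIR) prefix at the install lines for restorecond.conf and restorecond_user.conf; otherwise the consistency promised in the subject line is only half achieved.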
 
 DBUSFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags dbus-glib-1)
@@ -42,8 +42,8 @@ install: all
-mkdir -p $(DESTDIR)$(SBINDIR)
install -m 755 restorecond $(DESTDIR)$(SBINDIR)
install -m 644 restorecond.8 $(DESTDIR)$(MANDIR)/man8
-   -mkdir -p $(INITDIR)
-   install -m 755 restorecond.init $(INITDIR)/restorecond
+   -mkdir -p $(DESTDIR)$(INITDIR)
+   install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond
-mkdir -p $(SELINUXDIR)
install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf
install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf
-- 
2.17.0




Re: dbus-daemon patches review

2018-03-23 Thread Laurent Bigonville

On 23/03/18 at 13:26, Stephen Smalley wrote:

On 03/23/2018 06:31 AM, Laurent Bigonville wrote:

On 22/03/18 at 17:09, Stephen Smalley wrote:

On 03/21/2018 07:58 AM, Laurent Bigonville wrote:

Hello,

Could somebody have a quick look at the two patches that I opened for two dbus 
bugs:

https://bugs.freedesktop.org/show_bug.cgi?id=92831  (stop using avc_init())

https://bugs.freedesktop.org/attachment.cgi?id=138021  (stop using 
selinux_set_mapping())

I'm also wondering whether the call to avc_add_callback() shouldn't be replaced 
by selinux_set_callback(), an opinion on this?

Patches look sane to me although I'm not really familiar with dbus code.

Thanks for the review, Simon already had a look at the dbus part of the code


Looks like the callback is only used to trigger a reload of the dbus 
configuration (for dbus_contexts updates), and thus 
selinux_set_callback(SELINUX_CB_POLICYLOAD) is more appropriate than 
avc_add_callback(AVC_CALLBACK_RESET), since the latter is called upon 
setenforce 1 as well.  However, if it were truly only for that purpose, one 
might argue that it ought to be a watch on the dbus_contexts file instead and 
not be tied to selinux at all.

I really don't know the original rationale of this. But I guess that if somebody 
is modifying dbus_contexts file, there are big chances that he will reload the 
policy as well(?).

I'll change avc_add_callback() by selinux_set_callback(), we could say that as 
the file is in the SELinux path it's its responsibility.


NB This still won't fix the case where dbusd has already performed a 
string_to_security_class/av_perm lookup and the result has been cached by the 
libselinux class cache and then a subsequent policy update alters those values. 
 That is what was fixed for systemd's usage of selinux_check_access() by 
selinux commit b408d72ca9104cb0c1bc4e154d8732cc7c0a9190.  Offhand, I'm now 
wondering why I didn't just call flush_class_cache() from avc_reset() itself.  
That would fix it for other users of the AVC.  You can't directly call 
flush_class_cache() from the dbus selinux policyload callback because it is 
hidden presently.  If we can fix it directly in libselinux, then that is 
better.  If not, we'd need to export it and probably give it a more unique 
name, ala selinux_flush_class_cache().

Right, that's a really good point, that I apparently overlooked...

Is that cache really supposed to substantially speed up things? Would it be 
possible to create a version of selinux_check_access() that allows passing a 
reference to the cache or lets selinux_check_access() create that cache itself? If 
that's the case I guess that dbus-broker would benefit from that as well as they 
are using selinux_check_access().

Otherwise we can indeed clean up the cache ourselves, but wasn't the goal of 
selinux_check_access() to be an "easy" interface to use? Asking the 
applications to do this kind of housekeeping is defeating that purpose, isn't it?

If you use selinux_check_access(), then the class cache is already flushed for 
you upon an AVC reset; that is what the commit I referenced above did.  The 
problem in the case of dbusd is that it is not using selinux_check_access() but 
rather its own direct usage of string_to_security_class/av_perm() and 
avc_has_perm().  That's why we need to either take the call to 
flush_class_cache() in libselinux to avc_reset() so that it is done for all 
users of the AVC, or we need to export it and have dbusd call it from its 
policy reload callback.


No, I meant the decision cache used by avc_has_perm(). dbus is not using 
selinux_check_access() because there is no way to set that decision 
cache (the 5th parameter of avc_has_perm() is NULL)






Re: dbus-daemon patches review

2018-03-23 Thread Laurent Bigonville

On 22/03/18 at 17:09, Stephen Smalley wrote:

On 03/21/2018 07:58 AM, Laurent Bigonville wrote:

Hello,

Could somebody have a quick look at the two patches that I opened for two dbus 
bugs:

https://bugs.freedesktop.org/show_bug.cgi?id=92831  (stop using avc_init())

https://bugs.freedesktop.org/attachment.cgi?id=138021  (stop using 
selinux_set_mapping())

I'm also wondering whether the call to avc_add_callback() shouldn't be replaced 
by selinux_set_callback(), an opinion on this?

Patches look sane to me although I'm not really familiar with dbus code.


Thanks for the review, Simon already had a look at the dbus part of the code


Looks like the callback is only used to trigger a reload of the dbus 
configuration (for dbus_contexts updates), and thus 
selinux_set_callback(SELINUX_CB_POLICYLOAD) is more appropriate than 
avc_add_callback(AVC_CALLBACK_RESET), since the latter is called upon 
setenforce 1 as well.  However, if it were truly only for that purpose, one 
might argue that it ought to be a watch on the dbus_contexts file instead and 
not be tied to selinux at all.
I really don't know the original rationale of this. But I guess that if 
somebody is modifying dbus_contexts file, there are big chances that he 
will reload the policy as well(?).


I'll change avc_add_callback() by selinux_set_callback(), we could say 
that as the file is in the SELinux path it's its responsibility.



NB This still won't fix the case where dbusd has already performed a 
string_to_security_class/av_perm lookup and the result has been cached by the 
libselinux class cache and then a subsequent policy update alters those values. 
 That is what was fixed for systemd's usage of selinux_check_access() by 
selinux commit b408d72ca9104cb0c1bc4e154d8732cc7c0a9190.  Offhand, I'm now 
wondering why I didn't just call flush_class_cache() from avc_reset() itself.  
That would fix it for other users of the AVC.  You can't directly call 
flush_class_cache() from the dbus selinux policyload callback because it is 
hidden presently.  If we can fix it directly in libselinux, then that is 
better.  If not, we'd need to export it and probably give it a more unique 
name, ala selinux_flush_class_cache().

Right, that's a really good point, that I apparently overlooked...

Is that cache really supposed to substantially speed up things? Would it 
be possible to create a version of selinux_check_access() that allows 
passing a reference to the cache or lets selinux_check_access() create that 
cache itself? If that's the case I guess that dbus-broker would benefit from 
that as well as they are using selinux_check_access().


Otherwise we can indeed clean up the cache ourselves, but wasn't the goal 
of selinux_check_access() to be an "easy" interface to use? Asking the 
applications to do this kind of housekeeping is defeating that purpose, 
isn't it?





dbus-daemon patches review

2018-03-21 Thread Laurent Bigonville

Hello,

Could somebody have a quick look at the two patches that I opened for 
two dbus bugs:


https://bugs.freedesktop.org/show_bug.cgi?id=92831 (stop using avc_init())

https://bugs.freedesktop.org/attachment.cgi?id=138021 (stop using 
selinux_set_mapping())


I'm also wondering whether the call to avc_add_callback() shouldn't be 
replaced by selinux_set_callback(), an opinion on this?


Kind regards,

Laurent Bigonville

From 1299035853924131d40d1033ce367153933d4a84 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bi...@bigon.be>
Date: Sat, 3 Mar 2018 13:15:17 +0100
Subject: [PATCH 1/2] Stop using avc_init() which is deprecated

Stop using avc_init() and use avc_open() instead. With this commit
dbus-daemon will stop using a thread to monitor the avc netlink and will
poll it instead.

https://bugs.freedesktop.org/show_bug.cgi?id=92831
---
 bus/bus.c   |   2 +-
 bus/selinux.c   | 213 +++-
 bus/selinux.h   |   2 +-
 bus/test-main.c |   6 --
 bus/test.c  |   9 +++
 5 files changed, 113 insertions(+), 119 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index 9fd9820b..5b59ed45 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -995,7 +995,7 @@ bus_context_new (const DBusString *config_file,
*/
   bus_audit_init (context);
 
-  if (!bus_selinux_full_init ())
+  if (!bus_selinux_full_init (context, error))
 {
   bus_context_log (context, DBUS_SYSTEM_LOG_ERROR,
"SELinux enabled but D-Bus initialization failed; "
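Review bot: `bus_selinux_full_init (context, error)` now takes an `error` out-parameter, but the failure branch still logs the fixed string "SELinux enabled but D-Bus initialization failed; " via bus_context_log, so whatever detail the callee places in `error` is not surfaced here unless the caller propagates it; either append the error message to the log call or document that propagation happens further up. The diffstat shows bus/selinux.h changing by one line, which should be the matching prototype update.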
diff --git a/bus/selinux.c b/bus/selinux.c
index d09afb4b..f0ddfa11 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -49,6 +49,7 @@
 #include 
 #include 
 #include 
+#include 
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_LIBAUDIT
 #include 
@@ -64,45 +65,20 @@ static dbus_bool_t selinux_enabled = FALSE;
 /* Store an avc_entry_ref to speed AVC decisions. */
 static struct avc_entry_ref aeref;
 
+/* Store the avc netlink fd. */
+static int avc_netlink_fd = -1;
+
+/* Watch to listen for SELinux status changes via netlink. */
+static DBusWatch *avc_netlink_watch_obj = NULL;
+static DBusLoop *avc_netlink_loop_obj = NULL;
+
 /* Store the SID of the bus itself to use as the default. */
 static security_id_t bus_sid = SECSID_WILD;
 
-/* Thread to listen for SELinux status changes via netlink. */
-static pthread_t avc_notify_thread;
-
 /* Prototypes for AVC callback functions.  */
-static void log_callback (const char *fmt, ...) _DBUS_GNUC_PRINTF (1, 2);
-static void log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft);
-static void *avc_create_thread (void (*run) (void));
-static void avc_stop_thread (void *thread);
-static void *avc_alloc_lock (void);
-static void avc_get_lock (void *lock);
-static void avc_release_lock (void *lock);
-static void avc_free_lock (void *lock);
-
-/* AVC callback structures for use in avc_init.  */
-static const struct avc_memory_callback mem_cb =
-{
-  .func_malloc = dbus_malloc,
-  .func_free = dbus_free
-};
-static const struct avc_log_callback log_cb =
-{
-  .func_log = log_callback,
-  .func_audit = log_audit_callback
-};
-static const struct avc_thread_callback thread_cb =
-{
-  .func_create_thread = avc_create_thread,
-  .func_stop_thread = avc_stop_thread
-};
-static const struct avc_lock_callback lock_cb =
-{
-  .func_alloc_lock = avc_alloc_lock,
-  .func_get_lock = avc_get_lock,
-  .func_release_lock = avc_release_lock,
-  .func_free_lock = avc_free_lock
-};
+static int log_callback (int type, const char *fmt, ...) _DBUS_GNUC_PRINTF (2, 3);
+static int log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft);
+
 #endif /* HAVE_SELINUX */
 
 /**
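Review bot: with the thread and lock callbacks gone, nothing serializes AVC access any more, so the watch on `avc_netlink_fd` and every avc_has_perm() caller must run on the thread driving `avc_netlink_loop_obj`; a comment stating that invariant next to the new statics would help the next reader. The new prototypes `int log_callback (int type, const char *fmt, ...)` and `int log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft)` now have the shape of the SELINUX_CB_LOG and SELINUX_CB_AUDIT callbacks taken by selinux_set_callback(3), which is the documented replacement for the logging callbacks avc_init() accepted; avc_add_callback() only registers AVC event notifications (the AVC_CALLBACK_RESET path used by policy_reload_callback), so the two should be registered through selinux_set_callback() rather than avc_add_callback().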
@@ -115,8 +91,8 @@ static const struct avc_lock_callback lock_cb =
  */
 #ifdef HAVE_SELINUX
 
-static void 
-log_callback (const char *fmt, ...) 
+static int
+log_callback (int type, const char *fmt, ...)
 {
   va_list ap;
 #ifdef HAVE_LIBAUDIT
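Review bot: the new `type` argument is not used in the visible part of log_callback(); libselinux passes SELINUX_ERROR, SELINUX_WARNING, SELINUX_INFO or SELINUX_AVC there, so it could select the D-Bus log level instead of being silently dropped, or at least be marked unused so -Wunused-parameter stays quiet.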
@@ -150,6 +126,8 @@ log_callback (const char *fmt, ...)
 out:
 #endif
   va_end(ap);
+
+  return 0;
 }
 
 /**
@@ -170,7 +148,7 @@ policy_reload_callback (u_int32_t event, security_id_t ssid,
 /**
  * Log any auxiliary data 
  */
-static void
+static int
 log_audit_callback (void *data, security_class_t class, char *buf, size_t bufleft)
 {
   DBusString *audmsg = data;
@@ -188,73 +166,20 @@ log_audit_callback (void *data, security_class_t class, char *buf, size_t buflef
   if (bufleft > (size_t) _dbus_string_get_length())
 _dbus_string_copy_to_buffer_with_nul (, buf, bufleft);
 }
-}
-
-/**
- * Create thread to notify the AVC of enforcing and policy reload
- * changes via netlink.
- *
- * @param run the thread run function
- * @return pointer to the thread
- */
-static void *
-avc_create_thread (void (*run) (void))
-{
-  int rc;
-
-  rc = pthread_create (_notify_thread, NULL, (void *(*) (void *)) run, NULL);
-  if (rc != 0)
-{
-  _dbus_warn ("Failed to start AVC thread: %s", _dbu
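Review bot: log_audit_callback() now returns int, but in the part of this hunk that survives in the archive the only change to its body is the removal of the closing `}` (followed by the deleted thread helpers), with no `return` statement visible; if the replacement `return 0;` and `}` were in the cut-off remainder that is fine, otherwise the function falls off its end without returning a value. The archive truncates the hunk at `_dbu`, so the removal of avc_create_thread(), avc_stop_thread() and the lock helpers cannot be reviewed to the end here.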

Re: setfiles crashing when SELinux is disabled

2017-07-30 Thread Laurent Bigonville

Le 30/07/17 à 21:40, Nicolas Iooss a écrit :

On Sun, Jul 30, 2017 at 8:52 PM, Laurent Bigonville <bi...@debian.org> wrote:

Hi,

When using setfiles (setfiles -m -F -v
/etc/selinux/refpolicy/contexts/files/file_contexts.bin  /) when SELinux is
disabled, it crashes with the following trace:

#0  __strcmp_sse2_unaligned () at
../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
No locals.
#1  0x7f13241957be in restorecon_sb (pathname=0xd36aa93160
"/usr/include/xf86drm.h", flags=flags@entry=0x7fffd3700ae3, sb=, sb=) at selinux_restorecon.c:666
 newcon = 0xd36abdc100 "system_u:object_r:usr_t:s0"
 curcon = 0x0
 newtypecon = 0x0
 rc = 
 updated = false
 lookup_path = 
#2  0x7f1324196810 in selinux_restorecon
(pathname_orig=pathname_orig@entry=0xd36aa943e0 "/",
restorecon_flags=) at selinux_restorecon.c:984

Having "curcon = 0x0" with a non-NULL newcon in selinux_restorecon.c
looks like the bug fixed by commit a9094fae2c7b ("libselinux: avoid
calling strcmp() on a NULL pointer",
https://github.com/SELinuxProject/selinux/commit/a9094fae2c7bcd14af7263f9bb7fbacff5bc761c).
Which version are you using? Does back-porting this commit fix your
issue?

It was 2.6 on that machine. Seems to be fixed with 2.7~rc2, thanks




setfiles crashing when SELinux is disabled

2017-07-30 Thread Laurent Bigonville

Hi,

When using setfiles (setfiles -m -F -v 
/etc/selinux/refpolicy/contexts/files/file_contexts.bin  /) when SELinux 
is disabled, it crashes with the following trace:


#0  __strcmp_sse2_unaligned () at 
../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
No locals.
#1  0x7f13241957be in restorecon_sb (pathname=0xd36aa93160 "/usr/include/xf86drm.h", 
flags=flags@entry=0x7fffd3700ae3, sb=, sb=) at 
selinux_restorecon.c:666
newcon = 0xd36abdc100 "system_u:object_r:usr_t:s0"
curcon = 0x0
newtypecon = 0x0
rc = 
updated = false
lookup_path = 
#2  0x7f1324196810 in selinux_restorecon (pathname_orig=pathname_orig@entry=0xd36aa943e0 
"/", restorecon_flags=) at selinux_restorecon.c:984
flags = {nochange = false, verbose = true, progress = false, 
set_specctx = true, add_assoc = true, ignore_digest = false, recurse = true, 
userealpath = false, set_xdev = true, abort_on_error = true,
  syslog_changes = false, log_matches = false, ignore_noent = false}
issys = false
setrestoreconlast = 
sb = {st_dev = 64769, st_ino = 2, st_nlink = 20, st_mode = 16877, 
st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 4096, st_blksize = 
4096, st_blocks = 8, st_atim = {tv_sec = 1501439201,
tv_nsec = 886964517}, st_mtim = {tv_sec = 1501435537, tv_nsec = 
187391390}, st_ctim = {tv_sec = 1501439165, tv_nsec = 374865190}, 
__glibc_reserved = {0, 0, 0}}
sfsb = {f_type = 61267, f_bsize = 4096, f_blocks = 3838052, f_bfree = 
480404, f_bavail = 295268, f_files = 977280, f_ffree = 677268, f_fsid = {__val 
= {9930339, 726475040}}, f_namelen = 255,
  f_frsize = 4096, f_flags = 4128, f_spare = {0, 0, 0, 0}}
fts = 0xd36aa93110
ftsent = 0xd36ab77290
pathname = 0xd36aa943a0 "/"
pathdnamer = 0x0
pathdname = 
pathbname = 
paths = {0xd36aa943a0 "/", 0x0}
fts_flags = 
error = 0
sverrno = 
xattr_value = 0x0
size = 
dev_num = 64769
__func__ = "selinux_restorecon"
#3  0x00d368f23152 in process_glob (name=, opts=) at restore.c:89
globbuf = {gl_pathc = 1, gl_pathv = 0xd36aa943c0, gl_offs = 0, gl_flags 
= 13456, gl_closedir = 0x0, gl_readdir = 0x0, gl_opendir = 0x0, gl_lstat = 0x0, 
gl_stat = 0x0}
i = 0
len = 
rc = 
errors = 0
#4  0x00d368f229b0 in main (argc=6, argv=0x7fffd3700eb8) at setfiles.c:459
sb = {st_dev = 64769, st_ino = 391936, st_nlink = 1, st_mode = 33188, 
st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 1383869, st_blksize 
= 4096, st_blocks = 2712, st_atim = {
tv_sec = 1501439075, tv_nsec = 298617901}, st_mtim = {tv_sec = 
1501438955, tv_nsec = 50281901}, st_ctim = {tv_sec = 1501438955, tv_nsec = 
50281901}, __glibc_reserved = {0, 0, 0}}
opt = 
i = 
input_filename = 0x0
use_input_file = 
buf = 0x0
buf_len = 71776119061217535
base = 
mass_relabel = 
errors = 0
ropts = 0xd368f2367c "e:f:hiIDlmno:pqrsvFRW0"
sopts = 0xd368f23660 "c:de:f:hiIDlmno:pqr:svFR:W0"
opts = 



Re: open_init_pty: Do not make stdin and stdout non-blocking

2017-07-14 Thread Laurent Bigonville
commit fb081eb64b36a9de5a43f3d69d9e628b6eb1afc7 (HEAD -> master, 
origin/master)

Author: Stephen Smalley 
Date:   Mon Jul 10 13:03:01 2017 -0400

open_init_pty: Do not make stdin and stdout non-blocking

It is unclear why this was being done in the first place, and
it has caused multiple bugs with run_init/open_init_pty usage.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062
Signed-off-by: Stephen Smalley 


I see you fixed the issue with run_init/open_init_pty messing up with 
the terminals but I think it's introducing another issue :/


FTR I found the reason why stdin/stdout were not blocking, it's a fix 
for this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10


Apparently if the descriptors are closed, open_init_pty hangs, example:

./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; '



[PATCH] Fix consistency of PYTHONLIBDIR variable across modules

2017-06-30 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

PYTHONLIBDIR is currently also used in sepolgen but has a different
behaviour regarding DESTDIR. Let's try to make this consistent.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 python/semanage/Makefile | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 60c36a3a..132162bc 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr
 LIBDIR ?= $(PREFIX)/lib
 SBINDIR ?= $(PREFIX)/sbin
 MANDIR = $(PREFIX)/share/man
-PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % 
sys.version_info[0:2])')
-PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(1))")
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
 BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
 
 TARGETS=semanage
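Review bot: `PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)` inserts a `/` although get_python_lib(1) already returns an absolute path, so the result carries a doubled slash; `$(DESTDIR)$(PYTHONLIBDIR)` avoids that. Note also that get_python_lib(1) returns the platform-specific site-packages directory (lib64 on some distributions), which is the lib/lib64 inconsistency with sepolicy raised in the follow-up discussion, and that `from distutils.sysconfig import get_python_lib` is preferable to `import *` inside a -c one-liner.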
@@ -20,8 +20,8 @@ install: all
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
install -m 644 *.8 $(MANDIR)/man8
-   test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d 
$(PYTHONLIBDIR)/site-packages
-   install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
+   test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR)
+   install -m 755 seobject.py $(PACKAGEDIR)
-mkdir -p $(BASHCOMPLETIONDIR)
install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
 
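Review bot: `install -m 755 seobject.py $(PACKAGEDIR)` keeps the executable bit on a module that is only ever imported; `-m 644` is the conventional mode for files under site-packages (the removed line had the same oddity, so this is a good moment to fix it). Dropping the explicit `/site-packages` suffix is correct, since get_python_lib(1) already includes it.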
-- 
2.13.2



Re: [PATCH] Fix consistency of PYTHONLIBDIR variable

2017-06-26 Thread Laurent Bigonville

Le 26/06/17 à 21:37, Stephen Smalley a écrit :

On Mon, 2017-06-26 at 18:46 +0200, bi...@debian.org wrote:

From: Laurent Bigonville <bi...@bigon.be>

PYTHONLIBDIR is currently not consistent, at one place it's
influenced
by DESTDIR and at another one it's not.

Fix this and make it consistent

Seems like it is influenced by DESTDIR before and after this change
(before, PYTHONLIBDIR is defined relative to LIBDIR which is defined
relative to PREFIX which is define relative to DESTDIR).

If I do a make DESTDIR=/path/to/foo install before and after this
change (with an empty /path/to/foo before each run), the only
difference is that it moves from $(DESTDIR)/usr/lib/pythonM.N/site-
packages to $(DESTDIR)/usr/lib64/pythonM.N/site-packages.

This makes it consistent with sepolgen but inconsistent with sepolicy,
which is installed to usr/lib, not usr/lib64.

So, I'm unclear on whether this is an improvement.


With the debian build system, LIBDIR is set to 
$(DESTDIR)/usr/lib/ this means that PYTHONLIBDIR will end 
up as $(DESTDIR)/usr/lib//python/.


If I override PYTHONLIBDIR to $(DESTDIR)/usr/lib/python/ I end 
up with sepolicy being installed in 
$(DESTDIR)/$(DESTDIR)/usr/lib//python/ which is 
not what I want either





---
  python/semanage/Makefile | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 60c36a3a..132162bc 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -5,8 +5,8 @@ PREFIX ?= $(DESTDIR)/usr
  LIBDIR ?= $(PREFIX)/lib
  SBINDIR ?= $(PREFIX)/sbin
  MANDIR = $(PREFIX)/share/man
-PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" %
sys.version_info[0:2])')
-PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(1))")
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
  BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-
completion/completions
  
  TARGETS=semanage

@@ -20,8 +20,8 @@ install: all
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
install -m 644 *.8 $(MANDIR)/man8
-   test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d
$(PYTHONLIBDIR)/site-packages
-   install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
+   test -d $(PACKAGEDIR) || install -m 755 -d $(PACKAGEDIR)
+   install -m 755 seobject.py $(PACKAGEDIR)
-mkdir -p $(BASHCOMPLETIONDIR)
install -m 644 $(BASHCOMPLETIONS)
$(BASHCOMPLETIONDIR)/semanage
  




Re: run_init messes up terminal settings

2017-06-26 Thread Laurent Bigonville

Le 26/06/17 à 15:08, Stephen Smalley a écrit :

On Sat, 2017-06-24 at 12:20 +0200, Laurent Bigonville wrote:

Hello,
Russell opened the following bug regarding run_init in the debian
bts:

[...]
It turns out that the problem was not running $(arch), but running
run_init in
the shell it spawned.  Below is an example of reproducing this, the
first time
run_init performs as expected.  The second time it fails without me
even
typing a password or pressing ENTER.  The result is the same with any
command,
but ls is just a good example.  This happens no matter what shell is
spawned
(whether it's ssh, su, or just an Xterm), run_init seems generally
broken with
the 4.9.0-2-amd64/4.9.13-1 kernel at least.

NB I can't rule out the possibility of a kernel bug at this
stage.  But at
this time it seems best to assume it's a run_init bug until proven
otherwise.

Sorry for the inconvenience Andreas.

# run_init ls /boot
Authenticating root.
Password:
config-4.9.0-2-amd64  lost+foundSystem.map-4.9.0-
3-amd64
config-4.9.0-3-amd64  memtest86+.binvmlinuz-4.9.0-2-
amd64
grub  memtest86+_multiboot.bin  vmlinuz-4.9.0-3-
amd64
initrd.img-4.9.0-2-amd64  real
initrd.img-4.9.0-3-amd64  System.map-4.9.0-2-amd64
# run_init ls /boot
Authenticating root.
Password:
run_init: incorrect password for root
authentication failed.
#

I can reproduce this with 2.7-rc3, run_init is compiled with pam and
audit support.
An idea what could happen here?
Regards,
Laurent Bigonville
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187

I don't think this could have ever worked under run_init since
open_init_pty was introduced (originally from Debian); note that
open_init_pty does alter terminal settings.

I don't quite follow the example given above.  It shows executing
run_init twice with ls /boot as the arguments, which is not running
run_init within run_init.  That works fine for me.


I just re-tried again and I can definitely reproduce this in debian 
unstable. My complete test case is:


sudo -i

run_init ls /boot


run_init ls /boot


If I exit the shell started by sudo, run_init will work again for one 
invocation before getting the error again.



If I try something like:
run_init run_init ls /boot
which actually runs run_init within run_init, then that also works for
me without problem.

If I try something like:
run_init /bin/bash
then I lose any echoing of input characters to the shell (due to
open_init_pty turning it off), but I can enter commands and execute
them, or run stty sane to regain echoing.  But I don't think that has
ever been supported since the introduction of open_init_pty in 2005
(policycoreutils 1.21.2).  What's the use case for it?

Side bar: run_init (and open_init_pty) are no longer packaged by Fedora
since systemd renders it unnecessary, and even prior to that, Fedora
policy enabled DIRECT_INITRC=y in build.conf, and therefore run_init
wasn't required for typical operation (maybe under -mls policy it was
still needed, not sure). Possibly we should move run_init out of
policycoreutils into its own subdirectory in the selinux userspace tree
to reflect this transition and start deprecating it.
run_init and newrole executables are still packaged in debian but in a 
different package that is not pulled by anything, so people that need it 
have to manually install it.


run_init messes up terminal settings

2017-06-24 Thread Laurent Bigonville

Hello,

Russell opened the following bug regarding run_init in the debian bts:



[...]
It turns out that the problem was not running $(arch), but running run_init in
the shell it spawned.  Below is an example of reproducing this, the first time
run_init performs as expected.  The second time it fails without me even
typing a password or pressing ENTER.  The result is the same with any command,
but ls is just a good example.  This happens no matter what shell is spawned
(whether it's ssh, su, or just an Xterm), run_init seems generally broken with
the 4.9.0-2-amd64/4.9.13-1 kernel at least.

NB I can't rule out the possibility of a kernel bug at this stage.  But at
this time it seems best to assume it's a run_init bug until proven otherwise.

Sorry for the inconvenience Andreas.

# run_init ls /boot
Authenticating root.
Password:
config-4.9.0-2-amd64  lost+foundSystem.map-4.9.0-3-amd64
config-4.9.0-3-amd64  memtest86+.binvmlinuz-4.9.0-2-amd64
grub  memtest86+_multiboot.bin  vmlinuz-4.9.0-3-amd64
initrd.img-4.9.0-2-amd64  real
initrd.img-4.9.0-3-amd64  System.map-4.9.0-2-amd64
# run_init ls /boot
Authenticating root.
Password:
run_init: incorrect password for root
authentication failed.
#



I can reproduce this with 2.7-rc3, run_init is compiled with pam and 
audit support.


An idea what could happen here?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187



Re: [PATCH 2/4] libselinux, libsemanage: link Ruby wrapper with -lruby

2017-06-21 Thread Laurent Bigonville

Hello,

Le 14/11/16 à 22:28, Nicolas Iooss a écrit :

When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Ruby wrapper module needs to be linked
with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS
variable to find this library.

Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
---
  libselinux/src/Makefile  | 3 ++-
  libsemanage/src/Makefile | 3 ++-
  2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 4fe1f7002181..82a1010af2d8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -15,6 +15,7 @@ INCLUDEDIR ?= $(PREFIX)/include
  PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
  PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; 
print(site.getsitepackages()[0])')
  RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + 
RbConfig::CONFIG["rubyhdrdir"]')
+RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " 
-lruby"')
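Review bot: RUBYLIBS hard-codes `-lruby` and takes the directory from RbConfig::CONFIG["libdir"]; on distributions where the shared library is versioned (libruby-2.3) or lives in a multiarch directory, as Laurent reports for Debian with 2.7-rc2, the -Wl,-no-undefined link fails. RbConfig already exposes the right values, `LIBRUBYARG_SHARED` for the -l part and `archlibdir` for the -L part, so deriving both from RbConfig instead of hard-coding them keeps the rule portable.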


I'm trying to package 2.7-rc2 in debian and unfortunately this is not 
working out of the box for me. The library is not installed as -lruby 
but as -lruby-2.3 (for ruby 2.3). In addition the lib is not installed 
in /usr/lib.


I can see in the RbConfig::CONFIG hash a key called LIBRUBYARG_SHARED or 
LIBRUBYARG which contains "-lruby-2.3". Also I see a "archlibdir" or 
"sitearchlibdir" key which contains the correct path to the lib (the 
multiarch path)


RUBYLIBS ?= $(shell $@ -e 'puts "-L" + RbConfig::CONFIG["archlibdir"] + 
" " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')


Could this be a possible alternative for the other distributions?

Regards,

Laurent Bigonville


SO_PEERSEC on socket connected to the same process

2017-06-13 Thread Laurent Bigonville

Hi,

Currently the dbus-daemon is not returning anything when asked about its 
own security context (using GetConnectionSELinuxSecurityContext or 
GetConnectionCredentials methods). This causes some issues[0] with 
systemd now that it's enforcing the policy for user sessions again.


I already made a patch that has been merged[1][2] upstream in the 
GetConnectionSELinuxSecurityContext case and it now returns the SELinux 
context of the dbus-daemon process itself.


For the GetConnectionCredentials case, upstream wanted a generic way of 
getting the security label and went the way of using SO_PEERSEC on a 
socket connected to itself.


But for some reasons it's always returning unlabeled_t. Note that the 
same value is returned by the getpeercon() function as well.


I've made a small test case (see attached file) and tested it on both 
debian and RHEL7.


Is this somehow expected? Is this a bug?

Cheers,

Laurent Bigonville

[0]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864221
[1]https://bugs.freedesktop.org/show_bug.cgi?id=101315
[2] https://phabricator.freedesktop.org/rDBUSdcf02f80656d
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <selinux/selinux.h>

int main(void) {

	int socks[2];
	char buf[1024] = "";
	socklen_t len = sizeof(buf);
	char *context = NULL;

	/* Context of this process, as returned by libselinux. */
	if (getcon_raw(&context) < 0)
		perror("getcon_raw");
	printf("getcon: %s\n", context);
	freecon(context);
	context = NULL;

	/* Two ends of a stream socket, both owned by this process. */
	if (socketpair (AF_UNIX, SOCK_STREAM, 0, socks) < 0)
		perror("socketpair");

	/* Ask the kernel for the peer label of each end via SO_PEERSEC. */
	if (getsockopt (socks[0], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
		perror("getsockopt 1");
	printf("socket 1: %s\n", buf);

	len = sizeof(buf);

	if (getsockopt (socks[1], SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
		perror("getsockopt 2");
	printf("socket 2: %s\n", buf);

	/* Same query through the libselinux wrapper. */
	if (getpeercon_raw(socks[0], &context) < 0)
		perror("getpeercon_raw 1");
	printf("getpeercon 1: %s\n", context);
	freecon(context);
	context = NULL;

	if (getpeercon_raw(socks[1], &context) < 0)
		perror("getpeercon_raw 2");
	printf("getpeercon 2: %s\n", context);
	freecon(context);

	close(socks[0]);
	close(socks[1]);


	return 0;
}


Re: selabel_lookup_raw() doesn't find correct context for path with double slashes

2017-06-01 Thread Laurent Bigonville

Le 01/06/17 à 15:24, Stephen Smalley a écrit :

On Thu, 2017-06-01 at 11:29 +0200, Laurent Bigonville wrote:

Hello,

While investigating a bug about systemd/udev not setting the proper
context on the hwdb.bin file, Michael Biebl discovered that
apparently
the selabel_lookup_raw() function is not coping properly with paths
with
double slashes (like "//lib/udev/hwdb.bin")

Shouldn't the selabel_lookup*() functions be more resilient to this
case? Or should application canonicalize (with realpath()?) the path
before calling these functions?

Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854

AFAICS, it already does this, and has done so for a long time.

$ selabel_lookup -r -b file -k //lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0

$ selabel_lookup -r -b file -k /lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0

(The output may differ on your system due to policy differences - mine
was on Fedora - but the point is that the resulting context is the same
with and without the double slashes.)

Thanks for the reply.

Interesting, this doesn't seem to be the case in debian unstable 
(SELinux userspace 2.6) and I'm using the refpolicy here on my test machine:


$ /usr/sbin/selabel_lookup -r -b file -k //lib/udev/hwdb.bin
Default context: system_u:object_r:default_t:s0

$ /usr/sbin/selabel_lookup -r -b file -k /lib/udev/hwdb.bin
Default context: system_u:object_r:bin_t:s0



The relevant code is:
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label_file.c#L716

The commit was:
https://github.com/SELinuxProject/selinux/commit/8f007923dd4ff89652479587d96e22bc63dbf822

That said, if further canonicalization beyond duplicate slash removal
is needed (ala realpath), that is on the caller.  That is done for
example by selinux_restorecon(3), if SELINUX_RESTORECON_REALPATH is
passed to it.
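As an added example (not libselinux code), the C program below emulates what the selabel_lookup*() path matching does with and without the duplicate-slash compression that the commit cited above introduced, against a constructed three-entry file_contexts table; the table contents, the POSIX ERE matching and the last-match-wins rule are assumptions chosen to reproduce the default_t versus bin_t outcome reported for //lib/udev/hwdb.bin.

```c
/* Added example, not libselinux code: emulate file_contexts lookup of a
 * path with and without collapsing duplicate slashes first. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed file_contexts-style table (assumption): "regex context".
 * As in libselinux, each regex is anchored (^...$) and the last matching
 * entry in file order wins. */
struct fc_spec {
    const char *regex;
    const char *context;
};

static const struct fc_spec specs[] = {
    { "/.*",                "system_u:object_r:default_t:s0" },
    { "/lib(/.*)?",         "system_u:object_r:lib_t:s0" },
    { "/lib/udev/.*\\.bin", "system_u:object_r:bin_t:s0" },
};

/* Collapse every run of '/' into a single '/' in place, which is what
 * label_file.c does before matching. Returns the new length. */
size_t compress_slashes(char *path)
{
    char *src = path, *dst = path;

    while (*src) {
        *dst++ = *src;
        if (*src == '/') {
            while (*src == '/')
                src++;
        } else {
            src++;
        }
    }
    *dst = '\0';
    return (size_t)(dst - path);
}

/* Return the context for path, or NULL when no entry matches.
 * When compress is non-zero, duplicate slashes are removed first. */
const char *lookup_context(const char *path, int compress)
{
    char key[4096];
    const char *result = NULL;
    int i;

    if (strlen(path) >= sizeof(key))
        return NULL;
    strcpy(key, path);
    if (compress)
        compress_slashes(key);

    /* Walk from the last entry so the last match in file order wins. */
    for (i = (int)(sizeof(specs) / sizeof(specs[0])) - 1; i >= 0; i--) {
        char anchored[256];
        regex_t re;
        int rc;

        snprintf(anchored, sizeof(anchored), "^%s$", specs[i].regex);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        rc = regexec(&re, key, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) {
            result = specs[i].context;
            break;
        }
    }
    return result;
}

int main(void)
{
    const char *p = "//lib/udev/hwdb.bin";

    /* Without compression only the catch-all "/.*" entry matches. */
    printf("raw:        %s -> %s\n", p, lookup_context(p, 0));
    /* With compression the specific .bin entry matches. */
    printf("compressed: %s -> %s\n", p, lookup_context(p, 1));
    return 0;
}
```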




selabel_lookup_raw() doesn't find correct context for path with double slashes

2017-06-01 Thread Laurent Bigonville

Hello,

While investigating a bug about systemd/udev not setting the proper 
context on the hwdb.bin file, Michael Biebl discovered that apparently 
the selabel_lookup_raw() function is not coping properly with paths with 
double slashes (like "//lib/udev/hwdb.bin")


Shouldn't the selabel_lookup*() functions be more resilient to this 
case? Or should application canonicalize (with realpath()?) the path 
before calling these functions?


Regards,

Laurent Bigonville

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854



Re: Wrong alignment when listing user/login with semanage in French

2017-01-18 Thread Laurent Bigonville

Le 17/01/17 à 22:45, Stephen Smalley a écrit :

On Sat, 2017-01-14 at 13:48 +0100, Laurent Bigonville wrote:

Hi,

Not sure I already posted this on the ML.

When listing the user/login with semanage (login/user -l) in French
(and
probably in other languages as well), the columns headers are not
properly aligned.

This makes it sometimes difficult to read the output(and it's ugly),
see: https://i.imgur.com/zhZkebc.png

Some of the translations should maybe be fixed in this case to make
them
shorter, but the alignment should probably be dynamic.

RHEL/Fedora[1] contains the python binding for libsmartcols, maybe
this
could be used to do the formatting?

Not sure.  Is it readily available in other distributions and in
OpenEmbedded?


It's not in Debian (or Ubuntu) yet but I could package it for the next 
cycle. libsmartcols itself is part of util-linux.


For OpenEmbedded I don't know.


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Wrong alignment when listing user/login with semanage in French

2017-01-14 Thread Laurent Bigonville

Hi,

Not sure I already posted this on the ML.

When listing the user/login with semanage (login/user -l) in French (and 
probably in other languages as well), the columns headers are not 
properly aligned.


This makes it sometimes difficult to read the output(and it's ugly), 
see: https://i.imgur.com/zhZkebc.png


Some of the translations should maybe be fixed in this case to make them 
shorter, but the alignment should probably be dynamic.


RHEL/Fedora[1] contains the python binding for libsmartcols, maybe this 
could be used to do the formatting?


Regards,

Laurent Bigonville

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1369558


Re: Another getcon() vs getcon_raw() issue in systemd

2016-12-30 Thread Laurent Bigonville

Le 30/12/16 à 18:43, Stephen Smalley a écrit :
Fedora no longer runs mcstransd by default, so that may also be 
relevant.  Dbusd should likely provide the raw context to clients so 
that they are free to use either the raw or translated interfaces 
without difficulty.

Hi,

FTR, I've open https://bugs.freedesktop.org/show_bug.cgi?id=99234



setools: cast increases required alignment of target type

2016-11-24 Thread Laurent Bigonville

Hi,

When compiling setools on at least mips64el and sparc64, I get the 
following error:


mips64el-linux-gnuabi64-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall 
-Wstrict-prototypes -g -O2 -fdebug-prefix-map=/«PKGBUILDDIR»=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare 
-Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include 
-I/usr/include/python3.5m -c libqpol/module_compiler.c -o 
build/temp.linux-mips64-3.5/libqpol/module_compiler.o -Werror -Wextra 
-Waggregate-return -Wcast-align -Wfloat-equal -Wformat -Wformat=2 -Winit-self 
-Winline -Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs 
-Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes 
-Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers 
-Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code 
-fno-exceptions
libqpol/module_compiler.c: In function ‘declare_symbol’:
libqpol/module_compiler.c:155:19: error: cast increases required alignment of 
target type [-Werror=cast-align]
*dest_value = ((level_datum_t *)s)->level->sens;
   ^
libqpol/module_compiler.c: In function ‘require_symbol’:
libqpol/module_compiler.c:650:19: error: cast increases required alignment of 
target type [-Werror=cast-align]
*dest_value = ((level_datum_t *)s)->level->sens;
   ^
libqpol/module_compiler.c: In function ‘require_bool_tunable’:
libqpol/module_compiler.c:1077:36: error: cast increases required alignment of 
target type [-Werror=cast-align]
  require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
^
libqpol/module_compiler.c: In function ‘require_cat’:
libqpol/module_compiler.c:1201:40: error: cast increases required alignment of 
target type [-Werror=cast-align]
  retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
^
cc1: all warnings being treated as errors
error: command 'mips64el-linux-gnuabi64-gcc' failed with exit status 1

This is fatal only on some architectures, but I guess fixing this could 
also improve performance on the others.


Regards,

Laurent Bigonville


[PATCH 1/2] policycoreutils: Force GTK3.0 for sepolicy gui

2016-11-12 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

This removes the following warning when running sepolicy gui command:

/usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was 
imported without specifying a version first. Use gi.require_version('Gtk', 
'3.0') before import to ensure that the right version gets loaded.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/sepolicy/gui.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policycoreutils/sepolicy/sepolicy/gui.py 
b/policycoreutils/sepolicy/sepolicy/gui.py
index 7f1888c..ee78e0c 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -26,6 +26,8 @@
 #
 #
 
+import gi
+gi.require_version('Gtk', '3.0')
 from gi.repository import Gtk
 from gi.repository import Gdk
 from gi.repository import GLib
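Review bot: gi.require_version() is correctly placed before the first `from gi.repository import Gtk`, but the next line imports Gdk from the same repository and PyGI emits the version warning per namespace; add `gi.require_version('Gdk', '3.0')` as well so the warning disappears completely and both namespaces are pinned to the same toolkit generation.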
-- 
2.10.2



[PATCH 2/2] policycoreutils: Use GObject introspection binding instead of python-gobject in selinux_server.py

2016-11-12 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/selinux_server.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sepolicy/selinux_server.py 
b/policycoreutils/sepolicy/selinux_server.py
index cdf4d16..8bd1fe5 100644
--- a/policycoreutils/sepolicy/selinux_server.py
+++ b/policycoreutils/sepolicy/selinux_server.py
@@ -3,7 +3,7 @@
 import dbus
 import dbus.service
 import dbus.mainloop.glib
-import gobject
+from gi.repository import GObject
 import slip.dbus.service
 from slip.dbus import polkit
 import os
@@ -128,7 +128,7 @@ class selinux_server(slip.dbus.service.Object):
 raise ValueError("%s does not exist" % path)
 
 if __name__ == "__main__":
-mainloop = gobject.MainLoop()
+mainloop = GObject.MainLoop()
 dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
 system_bus = dbus.SystemBus()
 name = dbus.service.BusName("org.selinux", system_bus)
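Review bot: `GObject.MainLoop()` works with the introspection binding but is the deprecated alias; the main loop lives in GLib there (`from gi.repository import GLib` and `GLib.MainLoop()`), so switching to that in both hunks avoids trading the removed python-gobject import for a PyGIDeprecationWarning.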
-- 
2.10.2



Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-08 Thread Laurent Bigonville

Le 08/11/16 à 15:57, Stephen Smalley a écrit :

On 11/08/2016 08:34 AM, Stephen Smalley wrote:

On 11/07/2016 06:09 PM, Laurent Bigonville wrote:

Le 07/11/16 à 22:13, Stephen Smalley a écrit :

On 11/07/2016 03:01 AM, Laurent Bigonville wrote:

From: Laurent Bigonville <bi...@bigon.be>

sepolicy.info() now returns a generator, use next() to get the results.

This breaks sandbox for me,
$ /usr/bin/sandbox -X firefox
Traceback (most recent call last):
File "/usr/bin/sandbox", line 529, in 
  rc = sandbox.main()
File "/usr/bin/sandbox", line 513, in main
  self.__parse_options()
File "/usr/bin/sandbox", line 308, in __parse_options
  """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
"sandbox_type"))['types'])
TypeError: list object is not an iterator

Which version of python and setools are you using?

I have installed setools4 from source, both running setup.py via python
and via python3 to install it for python 2.7 and python 3.5 (both are
installed on Fedora, with python referencing 2.7 by default).  I have
likewise built and installed the selinux userspace with PYTHON=python
and with PYTHON=python3. I have tried running sandbox via python and via
python3, and it yields the same exception in both cases with your patch,
and works fine without your patch.

Ok, I forcibly removed the Fedora setools* packages (which also
uninstalled policycoreutils) and built and installed setools4 and
policycoreutils from upstream source again.  Now I do not get that
exception with your patch, but it also works fine without your patch - I
see no difference in behavior.  Not sure what I am missing.


If I don't have the sandbox policy installed I get a backtrace instead 
of a nice error:


Traceback (most recent call last):
  File "sandbox", line 529, in 
rc = sandbox.main()
  File "sandbox", line 513, in main
self.__parse_options()
  File "sandbox", line 308, in __parse_options
""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))[0]['types'])
IndexError: list index out of range


Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-07 Thread Laurent Bigonville

On 07/11/16 at 22:13, Stephen Smalley wrote:

On 11/07/2016 03:01 AM, Laurent Bigonville wrote:

From: Laurent Bigonville <bi...@bigon.be>

sepolicy.info() now returns a generator; use next() to get the results.

This breaks sandbox for me:
$ /usr/bin/sandbox -X firefox
Traceback (most recent call last):
   File "/usr/bin/sandbox", line 529, in 
 rc = sandbox.main()
   File "/usr/bin/sandbox", line 513, in main
 self.__parse_options()
   File "/usr/bin/sandbox", line 308, in __parse_options
 """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
"sandbox_type"))['types'])
TypeError: list object is not an iterator


Which version of python and setools are you using?




Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
  policycoreutils/sandbox/sandbox | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 4010e83..c07a1d8 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
  types = _("""
  Policy defines the following types for use with the -t:
  \t%s
-""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))[0]['types'])
-except RuntimeError:
+""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))['types'])
+except StopIteration:
  pass
  
  usage = _("""
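Review bot: the TypeError quoted above comes from this `+` line: `next()` requires an iterator, and a `sepolicy.info()` that still returns a list (as the installed setools evidently does in Stephen's setup) is not one. `next(iter(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type")))` accepts both a list and a generator, so the patch would behave the same whichever setools is installed.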

@@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] 
[-I includefile ] [-
  self.setype = DEFAULT_X_TYPE
  else:
  try:
-sepolicy.info(sepolicy.TYPE, "sandbox_t")
-except RuntimeError:
+next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
+except StopIteration:
  raise ValueError(_("Sandbox Policy is not currently 
installed.\nYou need to install the selinux-policy-sandbox package in order to run this 
command"))
  
  if self.__options.setype:





[Patch v2 2/2] policycoreutils: Make sepolicy work with python3

2016-11-07 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Add python3 support for sepolicy

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/selinux_client.py   |  6 ++--
 policycoreutils/sepolicy/sepolicy.py | 38 
 policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++
 policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
 policycoreutils/sepolicy/sepolicy/generate.py| 30 +--
 policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++---
 policycoreutils/sepolicy/sepolicy/manpage.py |  7 +++--
 7 files changed, 65 insertions(+), 50 deletions(-)

diff --git a/policycoreutils/sepolicy/selinux_client.py 
b/policycoreutils/sepolicy/selinux_client.py
index 7f4a91c..dc29f28 100644
--- a/policycoreutils/sepolicy/selinux_client.py
+++ b/policycoreutils/sepolicy/selinux_client.py
@@ -39,6 +39,6 @@ if __name__ == "__main__":
 try:
 dbus_proxy = SELinuxDBus()
 resp = dbus_proxy.customized()
-print convert_customization(resp)
-except dbus.DBusException, e:
-print e
+print(convert_customization(resp))
+except dbus.DBusException as e:
+print(e)
diff --git a/policycoreutils/sepolicy/sepolicy.py 
b/policycoreutils/sepolicy/sepolicy.py
index 3e502a7..5bf9b52 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
 if len(portdict) > 0:
 bold_start = "\033[1m"
 bold_end = "\033[0;0m"
-print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
bold_end
+print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
bold_end)
 port_strings = []
 boolean_text = ""
 for p in portdict:
@@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
 port_strings.append("%s (%s)" % (", ".join(recs), t))
 port_strings.sort(numcmp)
 for p in port_strings:
-print "\t" + p
+print("\t" + p)
 
 
 def network(args):
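Review bot: the context line `port_strings.sort(numcmp)` just above the change does not work on python3: `list.sort()` there accepts only the keyword arguments `key` and `reverse`, so passing a comparison function positionally raises TypeError before the `print()` fixed in this hunk is reached. `port_strings.sort(key=functools.cmp_to_key(numcmp))` (with `import functools`) behaves identically on python2 and python3.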
@@ -286,7 +286,7 @@ def network(args):
 if i[0] not in all_ports:
 all_ports.append(i[0])
 all_ports.sort()
-print "\n".join(all_ports)
+print("\n".join(all_ports))
 
 for port in args.port:
 found = False
@@ -297,18 +297,18 @@ def network(args):
 else:
 range = "%s-%s" % (i[0], i[1])
 found = True
-print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)
+print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
range))
 if not found:
 if port < 500:
-print "Undefined reserved port type"
+print("Undefined reserved port type")
 else:
-print "Undefined port type"
+print("Undefined port type")
 
 for t in args.type:
 if (t, 'tcp') in portrecs.keys():
-print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
+print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
 if (t, 'udp') in portrecs.keys():
-print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
+print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
 
 for a in args.applications:
 d = sepolicy.get_init_transtype(a)
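Review bot: style: `print( "%s: udp: %s" ...` on the last `+` line of this hunk has a space after the opening parenthesis, unlike the tcp line directly above it; drop it for consistency (pycodestyle E201). The local named `range` in the context lines shadows the builtin, which is pre-existing but worth renaming while these lines are being touched.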
@@ -357,7 +357,7 @@ def manpage(args):
 
 for domain in test_domains:
 m = ManPage(domain, path, args.root, args.source_files, args.web)
-print m.get_man_page_path()
+print(m.get_man_page_path())
 
 if args.web:
 HTMLManPages(manpage_roles, manpage_domains, path, args.os)
@@ -418,7 +418,7 @@ def communicate(args):
 out = list(set(writable) & set(readable))
 
 for t in out:
-print t
+print(t)
 
 
 def gen_communicate_args(parser):
@@ -445,7 +445,7 @@ def booleans(args):
 args.booleans.sort()
 
 for b in args.booleans:
-print "%s=_(\"%s\")" % (b, boolean_desc(b))
+print("%s=_(\"%s\")" % (b, boolean_desc(b)))
 
 
 def gen_booleans_args(parser):
@@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
 for i in interfaces:
 if args.verbose:
 try:
-print get_interface_format_text(i + append)
+print(get_interface_format_text(i + append))
 except KeyError:
-print i
+print(i)
 if args.compile:
 try:
 interface_compile_test(i)
 except KeyError:
-

[PATCH 2/2] policycoreutils: Make sepolicy work with python3

2016-11-07 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Add python3 support for sepolicy

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sepolicy/selinux_client.py   |  6 ++--
 policycoreutils/sepolicy/sepolicy.py | 38 
 policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++
 policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
 policycoreutils/sepolicy/sepolicy/generate.py| 30 +--
 policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++---
 policycoreutils/sepolicy/sepolicy/manpage.py |  7 +++--
 7 files changed, 65 insertions(+), 50 deletions(-)

diff --git a/policycoreutils/sepolicy/selinux_client.py 
b/policycoreutils/sepolicy/selinux_client.py
index 7f4a91c..dc29f28 100644
--- a/policycoreutils/sepolicy/selinux_client.py
+++ b/policycoreutils/sepolicy/selinux_client.py
@@ -39,6 +39,6 @@ if __name__ == "__main__":
 try:
 dbus_proxy = SELinuxDBus()
 resp = dbus_proxy.customized()
-print convert_customization(resp)
-except dbus.DBusException, e:
-print e
+print(convert_customization(resp))
+except dbus.DBusException as e:
+print(e)
diff --git a/policycoreutils/sepolicy/sepolicy.py 
b/policycoreutils/sepolicy/sepolicy.py
index 3e502a7..5bf9b52 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
 if len(portdict) > 0:
 bold_start = "\033[1m"
 bold_end = "\033[0;0m"
-print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
bold_end
+print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
bold_end)
 port_strings = []
 boolean_text = ""
 for p in portdict:
@@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
 port_strings.append("%s (%s)" % (", ".join(recs), t))
 port_strings.sort(numcmp)
 for p in port_strings:
-print "\t" + p
+print("\t" + p)
 
 
 def network(args):
@@ -286,7 +286,7 @@ def network(args):
 if i[0] not in all_ports:
 all_ports.append(i[0])
 all_ports.sort()
-print "\n".join(all_ports)
+print("\n".join(all_ports))
 
 for port in args.port:
 found = False
@@ -297,18 +297,18 @@ def network(args):
 else:
 range = "%s-%s" % (i[0], i[1])
 found = True
-print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)
+print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
range))
 if not found:
 if port < 500:
-print "Undefined reserved port type"
+print("Undefined reserved port type")
 else:
-print "Undefined port type"
+print("Undefined port type")
 
 for t in args.type:
 if (t, 'tcp') in portrecs.keys():
-print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
+print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
 if (t, 'udp') in portrecs.keys():
-print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
+print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
 
 for a in args.applications:
 d = sepolicy.get_init_transtype(a)
@@ -357,7 +357,7 @@ def manpage(args):
 
 for domain in test_domains:
 m = ManPage(domain, path, args.root, args.source_files, args.web)
-print m.get_man_page_path()
+print(m.get_man_page_path())
 
 if args.web:
 HTMLManPages(manpage_roles, manpage_domains, path, args.os)
@@ -418,7 +418,7 @@ def communicate(args):
 out = list(set(writable) & set(readable))
 
 for t in out:
-print t
+print(t)
 
 
 def gen_communicate_args(parser):
@@ -445,7 +445,7 @@ def booleans(args):
 args.booleans.sort()
 
 for b in args.booleans:
-print "%s=_(\"%s\")" % (b, boolean_desc(b))
+print("%s=_(\"%s\")" % (b, boolean_desc(b)))
 
 
 def gen_booleans_args(parser):
@@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
 for i in interfaces:
 if args.verbose:
 try:
-print get_interface_format_text(i + append)
+print(get_interface_format_text(i + append))
 except KeyError:
-print i
+print(i)
 if args.compile:
 try:
 interface_compile_test(i)
 except KeyError:
-

[PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-07 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

sepolicy.info() now returns a generator; use next() to get the results.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sandbox/sandbox | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 4010e83..c07a1d8 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
 types = _("""
 Policy defines the following types for use with the -t:
 \t%s
-""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))[0]['types'])
-except RuntimeError:
+""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))['types'])
+except StopIteration:
 pass
 
 usage = _("""
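Review bot: `except RuntimeError` is dropped on the `-` line, but nothing in this hunk shows that a missing attribute can no longer raise it; a sepolicy.info() that still raises RuntimeError now produces a traceback instead of falling through to `pass`. Safer during the transition: `except (StopIteration, RuntimeError):`. Also, `next()` on a plain list raises TypeError, so `next(iter(sepolicy.info(...)))` is the form that works whether sepolicy.info() returns a list or a generator.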
@@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] 
[-I includefile ] [-
 self.setype = DEFAULT_X_TYPE
 else:
 try:
-sepolicy.info(sepolicy.TYPE, "sandbox_t")
-except RuntimeError:
+next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
+except StopIteration:
 raise ValueError(_("Sandbox Policy is not currently 
installed.\nYou need to install the selinux-policy-sandbox package in order to 
run this command"))
 
 if self.__options.setype:
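Review bot: the result of `next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))` is discarded, so this call exists only to probe whether the type exists; as in the first hunk, `next(iter(...))` protects against a list-returning sepolicy.info(), and `except (StopIteration, RuntimeError)` keeps the old failure path. A TypeError here is not caught, so the user would see a traceback instead of the "Sandbox Policy is not currently installed" message this hunk intends.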
-- 
2.10.2



Re: [PATCH] policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui

2016-11-03 Thread Laurent Bigonville

On 02/11/16 at 14:27, Stephen Smalley wrote:

On 11/02/2016 09:04 AM, Laurent Bigonville wrote:

From: Laurent Bigonville<bi...@bigon.be>

New hi-res icons were added to the repository at the end of 2013 but the
sepolicy .desktop file is not using them; let's fix that.

Thanks, applied.  I plan to move these icon files over to the gui/
directory in the splitpolicycoreutils branch.

Thanks,

I should probably reply to your initial mail about the split, but 
shouldn't the gui directory be completely dropped? I mean 
system-config-selinux is python2 only and needs to be ported to GObject 
introspection and GTKBuilder if we want it to work in python3 (or it 
should be ported, but it looked non-trivial to my meager knowledge).

[PATCH] Revert "libselinux: support new python3 functions"

2016-11-02 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3; this was causing issues
with string manipulation functions like split().

Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.

This reverts commit 63df0f7ef12844b9b86cc293299671da772fcf84.

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 libselinux/src/selinuxswig_python.i | 22 +++---
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/libselinux/src/selinuxswig_python.i 
b/libselinux/src/selinuxswig_python.i
index 8cea18d..43df291 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -64,7 +64,7 @@ def install(src, dest):
PyObject* list = PyList_New(*$2);
int i;
for (i = 0; i < *$2; i++) {
-   PyList_SetItem(list, i, PyBytes_FromString((*$1)[i]));
+   PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
}
$result = SWIG_Python_AppendOutput($result, list);
 }
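Review bot: relying on SWIG's compatibility macro means `PyString_FromString` becomes `PyUnicode_FromString` on python3, which is what gives callers str objects; but that call returns NULL (with UnicodeDecodeError set) for a label that is not valid UTF-8, and the `+` line hands that NULL straight to `PyList_SetItem` without checking. A NULL check that releases the list and returns NULL would surface the error instead of leaving a list with an empty slot; the same applies to the two following hunks.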
@@ -97,9 +97,7 @@ def install(src, dest):
len++;
plist = PyList_New(len);
for (i = 0; i < len; i++) {
-   PyList_SetItem(plist, i,
-   PyBytes_FromString((*$1)[i])
-   );
+   PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
}
} else {
plist = PyList_New(0);
@@ -116,9 +114,7 @@ def install(src, dest):
if (*$1) {
plist = PyList_New(result);
for (i = 0; i < result; i++) {
-   PyList_SetItem(plist, i,
-   PyBytes_FromString((*$1)[i])
-   );
+   PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
}
} else {
plist = PyList_New(0);
@@ -171,20 +167,16 @@ def install(src, dest):
$1 = (char**) malloc(size + 1);
 
for(i = 0; i < size; i++) {
-   if (!PyBytes_Check(PySequence_GetItem($input, i))) {
-   PyErr_SetString(PyExc_ValueError, "Sequence must 
contain only bytes");
-
+   if (!PyString_Check(PySequence_GetItem($input, i))) {
+   PyErr_SetString(PyExc_ValueError, "Sequence must 
contain only strings");
return NULL;
}
-
}

for(i = 0; i < size; i++) {
s = PySequence_GetItem($input, i);
-
-   $1[i] = (char*) malloc(PyBytes_Size(s) + 1);
-   strcpy($1[i], PyBytes_AsString(s));
-
+   $1[i] = (char*) malloc(PyString_Size(s) + 1);
+   strcpy($1[i], PyString_AsString(s));
}
$1[size] = NULL;
 }
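Review bot: the compatibility macros are not symmetric, so the `+` lines in this input typemap behave differently on python3 from the output typemaps above: SWIG 3.0 maps `PyString_Check` to `PyBytes_Check` and `PyString_AsString` to `PyBytes_AsString`, while `PyString_FromString` maps to `PyUnicode_FromString`. Functions therefore return str, but a python3 caller passing str objects here gets "Sequence must contain only strings" when a bytes sequence is what is actually required. Handling both explicitly (`PyUnicode_Check` then `PyUnicode_AsUTF8`, else `PyBytes_Check` then `PyBytes_AsString`) would match the commit message's intent. Two pre-existing problems in the context lines are also worth fixing while here: `$1 = (char**) malloc(size + 1);` allocates `size + 1` bytes rather than `size + 1` pointers, so filling `$1[i]` writes past the allocation for anything but the smallest sequences (it should be `malloc((size + 1) * sizeof(char *))`), and `PySequence_GetItem` returns a new reference that is never released.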
-- 
2.10.2



[PATCH] policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui

2016-11-02 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

New hi-res icons were added to the repository at the end of 2013 but the
sepolicy .desktop file is not using them; let's fix that.
---
 policycoreutils/sepolicy/sepolicy.desktop | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sepolicy/sepolicy.desktop 
b/policycoreutils/sepolicy/sepolicy.desktop
index f9d0cec..181a1c5 100644
--- a/policycoreutils/sepolicy/sepolicy.desktop
+++ b/policycoreutils/sepolicy/sepolicy.desktop
@@ -1,7 +1,7 @@
 [Desktop Entry]
 Name=SELinux Policy Management Tool
 Comment=Generate SELinux policy modules
-Icon=system-config-selinux
+Icon=sepolicy
 Exec=/usr/bin/sepolicy gui
 Type=Application
 Terminal=false
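Review bot: `Icon=sepolicy` is a bare name, so it only resolves if an icon called `sepolicy` is installed into the hicolor theme (or another icon search path); this diff does not show an install rule for the 2013 icon files the commit message refers to, so please confirm the Makefile installs them under that name, otherwise the launcher shows a missing-icon placeholder. The rest of the entry is unchanged and still valid.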
-- 
2.10.2



Backtrace in sandbox command

2016-11-01 Thread Laurent Bigonville

Hi,

I get the following backtrace in sandbox because there are no types 
marked with the "sandbox_type" attribute in my test policy:


Traceback (most recent call last):
  File "/usr/bin/sandbox", line 529, in 
rc = sandbox.main()
  File "/usr/bin/sandbox", line 513, in main
self.__parse_options()
  File "/usr/bin/sandbox", line 308, in __parse_options
""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))[0]['types'])
IndexError: list index out of range

It seems that sepolicy.info() is not returning a RuntimeError exception 
if there are no types returned.


There is a 2nd call to sepolicy.info() later in the code where the same 
exception is caught.


In both cases, sepolicy.info() is returning an iterator. Has anything 
changed in sepolicy behavior here?


Laurent Bigonville
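The list-versus-generator mismatch behind the backtrace above, as an added example that is not part of this post, of the sandbox script or of sepolicy; the tiny policy, the `info_as_*` stand-ins for `sepolicy.info()` and `first_record()` are all constructed assumptions:

```python
"""List-vs-generator handling for sepolicy.info()-style lookups.

Added example, not code from the sandbox script or from sepolicy: it
models the behaviours discussed in this thread (an older sepolicy.info()
returning a list or raising RuntimeError, setools4 returning a generator)
and shows one lookup that works with all of them, including the empty
result behind the IndexError above.
"""

# Constructed stand-ins for sepolicy.ATTRIBUTE / sepolicy.TYPE and for a
# two-entry policy; none of these values come from a real policy.
ATTRIBUTE = "attribute"
TYPE = "type"
POLICY = {
    ATTRIBUTE: {"sandbox_type": {"types": ["sandbox_x_t", "sandbox_t"]}},
    TYPE: {"sandbox_t": {"attributes": ["sandbox_type"]}},
}


def _records(setype, name):
    """Yield the matching record, or nothing if the name is unknown."""
    entry = POLICY[setype].get(name)
    if entry is not None:
        yield dict(name=name, **entry)


def info_as_list(setype, name):
    """Older behaviour: a list, empty when nothing matches."""
    return list(_records(setype, name))


def info_as_list_strict(setype, name):
    """Behaviour the sandbox script's 'except RuntimeError' expects (assumed)."""
    recs = list(_records(setype, name))
    if not recs:
        raise RuntimeError("%s %s not found" % (setype, name))
    return recs


def info_as_generator(setype, name):
    """setools4 behaviour: a lazy generator over the same records."""
    return _records(setype, name)


def first_record(info, setype, name):
    """First record from info(), or None if there is none.

    next(iter(x)) accepts a list as well as a generator, the default
    argument turns an empty result into None instead of StopIteration,
    and RuntimeError from an older sepolicy is folded into None too.
    """
    try:
        return next(iter(info(setype, name)), None)
    except RuntimeError:
        return None


def sandbox_types(info):
    """Types usable with sandbox -t, or [] when the attribute has none."""
    rec = first_record(info, ATTRIBUTE, "sandbox_type")
    return sorted(rec["types"]) if rec else []


def sandbox_policy_installed(info):
    """Mirror the script's second check: does the sandbox_t type exist?"""
    return first_record(info, TYPE, "sandbox_t") is not None


def reproduce_tracebacks():
    """Trigger the two failures quoted in this thread; return their messages."""
    seen = {}
    try:  # the patch's next() applied to a list
        next(info_as_list(ATTRIBUTE, "sandbox_type"))
    except TypeError as exc:
        seen["next_on_list"] = str(exc)
    try:  # the old list(...)[0] applied to an empty result
        list(info_as_generator(ATTRIBUTE, "no_such_attribute"))[0]
    except IndexError as exc:
        seen["index_on_empty"] = str(exc)
    return seen


if __name__ == "__main__":
    for info in (info_as_list, info_as_list_strict, info_as_generator):
        print(info.__name__, sandbox_types(info), sandbox_policy_installed(info))
    print(reproduce_tracebacks())
```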



[PATCH v2] libselinux: Add clean-pywrap and clean-rubywrap targets

2016-10-26 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Add clean targets to just clean the python and ruby wrapper objects

Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 libselinux/Makefile |  6 ++
 libselinux/src/Makefile | 12 +---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index ef971f4..979e225 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -57,4 +57,10 @@ install-pywrap:
 install-rubywrap: 
$(MAKE) -C src install-rubywrap $@
 
+clean-pywrap:
+   $(MAKE) -C src clean-pywrap $@
+
+clean-rubywrap:
+   $(MAKE) -C src clean-rubywrap $@
+
 test:
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index ccd8442..c9f35b1 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -187,8 +187,14 @@ install-rubywrap: rubywrap
 relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
 
-clean: 
-   -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) 
$(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
+clean-pywrap:
+   -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+
+clean-rubywrap:
+   -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+
+clean: clean-pywrap clean-rubywrap
+   -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
 
 distclean: clean
rm -f $(GENERATED) $(SWIGFILES)
@@ -196,4 +202,4 @@ distclean: clean
 indent:
../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
 
-.PHONY: all clean pywrap rubywrap swigify install install-pywrap 
install-rubywrap distclean
+.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install 
install-pywrap install-rubywrap distclean
-- 
2.10.1



[PATCH] libselinux: Add clean-pywrap and clean-rubywrap targets

2016-10-26 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Add clean targets to just clean the python and ruby wrapper objects

Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 libselinux/Makefile |  6 ++
 libselinux/src/Makefile | 10 --
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index ef971f4..979e225 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -57,4 +57,10 @@ install-pywrap:
 install-rubywrap: 
$(MAKE) -C src install-rubywrap $@
 
+clean-pywrap:
+   $(MAKE) -C src clean-pywrap $@
+
+clean-rubywrap:
+   $(MAKE) -C src clean-rubywrap $@
+
 test:
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index ccd8442..1871551 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -187,8 +187,14 @@ install-rubywrap: rubywrap
 relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
 
-clean: 
-   -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) 
$(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
+clean-pywrap:
+   -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+
+clean-rubywrap:
+   -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+
+clean: clean-pywrap clean-rubywrap
+   -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
 
 distclean: clean
rm -f $(GENERATED) $(SWIGFILES)
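Review bot: the new `clean-pywrap` and `clean-rubywrap` targets are not added to the `.PHONY` list, which this hunk leaves untouched, so a stray file named `clean-pywrap` in src/ would make make consider the target up to date and skip the removal; add both next to `clean` in `.PHONY`. The same applies to the two targets added in libselinux/Makefile.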
-- 
2.10.1



Re: [Patch v3] sandbox: Use dbus-run-session instead of dbus-launch when available

2016-09-27 Thread Laurent Bigonville

On 27/09/16 at 15:50, Stephen Smalley wrote:

On 09/27/2016 08:39 AM, Laurent Bigonville wrote:

From: Laurent Bigonville <bi...@bigon.be>

According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289

Signed-off-by: Laurent Bigonville <bi...@bigon.be>

Thanks, applied.

Thanks,

Are there any plans to roll a new release of the userspace soon?

[Patch v3] sandbox: Use dbus-run-session instead of dbus-launch when available

2016-09-27 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sandbox/sandbox | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index b6bc805..4010e83 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -285,9 +285,13 @@ class Sandbox:
 # /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
 WM_PID=$!
-dbus-launch --exit-with-session %s
+if which dbus-run-session >/dev/null 2>&1; then
+dbus-run-session -- %s
+else
+dbus-launch --exit-with-session %s
+fi
 kill -TERM $WM_PID  2> /dev/null
-""" % (command, wm, command))
+""" % (command, wm, command, command))
 fd.close()
 os.chmod(execfile, 0o700)
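Review bot: `which dbus-run-session` on the first `+` line depends on an external `which` binary that POSIX does not require and whose exit status differs between implementations; `command -v dbus-run-session >/dev/null 2>&1` is the portable test and a shell builtin. The fourth `command` added to the format tuple correctly matches the extra `%s` in the fallback branch.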
 
-- 
2.9.3



Re: sandbox -X not working with recent Xephyr

2016-09-19 Thread Laurent Bigonville



On 19/09/16 at 20:26, Stephen Smalley wrote:

On 09/19/2016 02:02 PM, Petr Lautrbach wrote:

On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:

On 09/18/2016 02:39 PM, Laurent Bigonville wrote:

Hi,

It seems that sandbox -X is not working anymore on Debian.

Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
created.

The X socket is not created inside the sandbox and then the application
can obviously not connect to it.

I'm not sure how this could be fixed, maybe let's seunshare create that
directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. The same error can be seen in stock Fedora.


So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
  
  EOF
  
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do

+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp 
-displayfd 5 5>&1 2>/dev/null) | while read D; do
  export DISPLAY=:$D
  cat > ~/seremote << __EOF
  #!/bin/sh
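Review bot: dropping `-terminate` changes Xephyr's lifetime: with it, Xephyr exited once its last client disconnected, which is what took the nested display down when the sandboxed command finished; without it Xephyr resets and keeps running, so the script must kill the Xephyr process explicitly when the pipeline ends, and the lines that would do that are outside this hunk. Worth confirming that no Xephyr is left behind per `sandbox -X` run before choosing this over the Fedora commit linked above.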



I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so
let's go with that one.

I don't really understand why it's working outside of the sandbox and 
why it was working before.


But indeed removing -terminate or adding -reset seems to fix it

[PATCH v2] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-19 Thread Laurent Bigonville
From: Petr Lautrbach <plaut...@redhat.com>

sandbox command is also now using GTK 3.0

This patch comes from the Fedora patch set

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 policycoreutils/sandbox/sandbox | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 9f200d5..726ba9b 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
 def savefile(new, orig, X_ind):
 copy = False
 if(X_ind):
-import gtk
-dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
-gtk.BUTTONS_YES_NO,
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
+Gtk.ButtonsType.YES_NO,
 _("Do you want to save changes to '%s' (Y/N): 
") % orig)
 dlg.set_title(_("Sandbox Message"))
-dlg.set_position(gtk.WIN_POS_MOUSE)
+dlg.set_position(Gtk.WindowPosition.MOUSE)
 dlg.show_all()
 rc = dlg.run()
 dlg.destroy()
-if rc == gtk.RESPONSE_YES:
+if rc == Gtk.ResponseType.YES:
 copy = True
 else:
 try:
@@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
tempdir]] [-I includefile ] [-
 if self.__options.dpi:
 dpi = self.__options.dpi
 else:
-import gtk
-dpi = str(gtk.settings_get_default().props.gtk_xft_dpi 
/ 1024)
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi 
/ 1024)
 
 xmodmapfile = self.__homedir + "/.xmodmap"
 xd = open(xmodmapfile, "w")
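Review bot: `gtk_xft_dpi / 1024` on the last `+` line is integer division on python2 but true division on python3, so the string handed on becomes e.g. `96.0` instead of `96`; use `// 1024` to get the same value on both. Also, `Gtk.Settings.get_default()` returns None when there is no default display, so this line raises AttributeError outside an X session (pre-existing, but it is being rewritten here anyway).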
-- 
2.9.3



[PATCH] sandbox: Use dbus-launch instead of dbus-run-session

2016-09-18 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289
---
 policycoreutils/sandbox/sandbox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 726ba9b..f537dc6 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -285,7 +285,7 @@ class Sandbox:
 /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
 WM_PID=$!
-dbus-launch --exit-with-session %s
+dbus-run-session -- %s
 kill -TERM $WM_PID  2> /dev/null
 """ % (command, wm, command))
 fd.close()
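Review bot: this replaces `dbus-launch` unconditionally, so sandbox -X fails on hosts whose dbus package does not ship `dbus-run-session` yet; the v3 of this patch further up the page keeps `dbus-launch` as a fallback, which is the safer change. The subject line also states the opposite of what the hunk does.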
-- 
2.9.3



sandbox -X not working with recent Xephyr

2016-09-18 Thread Laurent Bigonville

Hi,

It seems that sandbox -X is not working anymore on Debian.

Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.

The X socket is not created inside the sandbox and then the application 
can obviously not connect to it.


I'm not sure how this could be fixed, maybe let's seunshare create that 
directory?


Cheers,

Laurent Bigonville



[PATCH] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-18 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

sandbox command is also now using GTK 3.0

This patch comes from the Fedora patch set
---
 policycoreutils/sandbox/sandbox | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 9f200d5..726ba9b 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
 def savefile(new, orig, X_ind):
 copy = False
 if(X_ind):
-import gtk
-dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
-gtk.BUTTONS_YES_NO,
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
+Gtk.ButtonsType.YES_NO,
 _("Do you want to save changes to '%s' (Y/N): 
") % orig)
 dlg.set_title(_("Sandbox Message"))
-dlg.set_position(gtk.WIN_POS_MOUSE)
+dlg.set_position(Gtk.WindowPosition.MOUSE)
 dlg.show_all()
 rc = dlg.run()
 dlg.destroy()
-if rc == gtk.RESPONSE_YES:
+if rc == Gtk.ResponseType.YES:
 copy = True
 else:
 try:
@@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
tempdir]] [-I includefile ] [-
 if self.__options.dpi:
 dpi = self.__options.dpi
 else:
-import gtk
-dpi = str(gtk.settings_get_default().props.gtk_xft_dpi 
/ 1024)
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi 
/ 1024)
 
 xmodmapfile = self.__homedir + "/.xmodmap"
 xd = open(xmodmapfile, "w")
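Review bot: `str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)` uses true division, so under Python 3 a gtk_xft_dpi of 98304 produces the string "96.0" where the pygtk code on Python 2 produced "96"; use `//` (or wrap in `int()`) so the value passed along as a DPI stays an integer string. `Gtk.Settings.get_default()` also returns None when no display is reachable, which would raise AttributeError on `.props`; guard that and fall back to a default dpi.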
-- 
2.9.3



[PATCH] libselinux/utils/Makefile: Fix in tree compilation

2016-08-04 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Some tools need the sepol/sepol.h header
---
 libselinux/utils/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index cf7af52..8497cb4 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
 LIBDIR ?= $(PREFIX)/lib
 USRBINDIR ?= $(PREFIX)/sbin
 SBINDIR ?= $(DESTDIR)/sbin
+INCLUDEDIR ?= $(PREFIX)/include
 
 MAX_STACK_SIZE=8192
 CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self 
-Wmissing-include-dirs \
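Review bot: `INCLUDEDIR ?= $(PREFIX)/include` inherits `PREFIX ?= $(DESTDIR)/usr` from the hunk header, so with DESTDIR set for a staged build the sepol headers are looked up under the staging root; that is consistent with LIBDIR above, but the commit message should say that libsepol must already be installed there (or DESTDIR left unset) before libselinux/utils can build.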
@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fasynchronous-unwind-tables -fdiagnostics-show-option 
-funit-at-a-time \
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
-override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
 LDLIBS += -L../src -lselinux -L$(LIBDIR)
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
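Review bot: the subject says "Fix in tree compilation", but `-I$(INCLUDEDIR)` only finds sepol/sepol.h once libsepol has been installed; a genuinely in-tree build would point at the sibling checkout (e.g. `-I../../libsepol/include`), possibly alongside the installed path, the same way `-L../src` is paired with `-L$(LIBDIR)` in LDLIBS. Keeping `-I../include` first, as done here, is right: the in-tree libselinux headers must win over an installed copy.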
-- 
2.8.1



[PATCH] Sort object files for deterministic linking order

2016-06-02 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

This patch is part of the Debian effort to make the build reproducible

Thanks to Reiner Herrmann <rei...@reiner-h.de> for the patches

Signed-off-by: Laurent Bigonville <bi...@bigon.be>
---
 libselinux/src/Makefile  | 2 +-
 libsemanage/src/Makefile | 2 +-
 libsepol/src/Makefile    | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index ac9a5d6..d94163e 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -49,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y)
 endif
 
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
-SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
+SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard 
*.c)))
 
 MAX_STACK_SIZE=32768
 
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index d6c3f0f..96ee652 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -52,7 +52,7 @@ SWIGRUBYSO=$(RUBYPREFIX)_semanage.so
 LIBSO=$(TARGET).$(LIBVERSION)
 
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i
-SRCS= $(filter-out $(GENERATED),$(wildcard *.c))
+SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c)))
 
 OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o
 LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index c0c3274..b0c901f 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -18,15 +18,15 @@ TARGET=libsepol.so
 LIBPC=libsepol.pc
 LIBMAP=libsepol.map
 LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
-LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c)))
+LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c)))
 CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2
 
 override CFLAGS += -I. -I../include -D_GNU_SOURCE
 
 ifneq ($(DISABLE_CIL),y)
-OBJS += $(sort $(patsubst %.c,%.o,$(wildcard $(CILDIR)/src/*.c) 
$(CIL_GENERATED)))
-LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) 
$(CIL_GENERATED)))
+OBJS += $(sort $(patsubst %.c,%.o,$(sort $(wildcard $(CILDIR)/src/*.c)) 
$(CIL_GENERATED)))
+LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard $(CILDIR)/src/*.c)) 
$(CIL_GENERATED)))
 override CFLAGS += -I$(CILDIR)/include
 endif
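Review bot: in the CIL block the new inner `$(sort $(wildcard $(CILDIR)/src/*.c))` is redundant: the pre-existing outer `$(sort $(patsubst ...))` already sorts (and de-duplicates) the whole result, including $(CIL_GENERATED), so those two lines were deterministic before the patch. The OBJS/LOBJS change above in this file is the one that matters; drop the inner sort to keep the diff minimal.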
 
-- 
2.8.1



[PATCH] semodule: Fix the --list-modules=full example in the manpage

2016-05-17 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

---
 policycoreutils/semodule/semodule.8 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/semodule/semodule.8 
b/policycoreutils/semodule/semodule.8
index 68e95ab..7b07c45 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -116,7 +116,7 @@ $ semodule \-d alsa
 # Install a module at a specific priority.
 $ semodule \-X 100 \-i alsa.pp
 # List all modules.
-$ semodule \-l full
+$ semodule \-\-list-modules=full
 # Set an alternate path for the policy root
 $ semodule \-B \-p "/tmp"
 # Set an alternate path for the policy store root
-- 
2.8.1



[PATCH v2] policycoreutils: Minor fix in a French translation

2016-05-17 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

---
 policycoreutils/po/fr.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/po/fr.po b/policycoreutils/po/fr.po
index be33d59..5c797c9 100644
--- a/policycoreutils/po/fr.po
+++ b/policycoreutils/po/fr.po
@@ -1307,7 +1307,7 @@ msgstr "syntaxe :  %s [-q]\n"
 #: ../load_policy/load_policy.c:71
 #, c-format
 msgid "%s:  Policy is already loaded and initial load requested\n"
-msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n"
+msgstr "%s : La stratégie est déjà chargée et un chargement initial est 
demandé\n"
 
 #: ../load_policy/load_policy.c:80
 #, c-format
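Review bot: keeping the `%s:` prefix in the same position as the msgid is the right fix and the c-format entry still has one `%s` on each side. One typographic detail: French puts a non-breaking space before the colon, so the space in "%s : La stratégie" should be U+00A0 (or the narrow form) rather than a plain space, which a terminal may otherwise wrap away from the colon.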
-- 
2.8.1


[PATCH] policycoreutils: Minor fix in a French translation

2016-05-17 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

---
 policycoreutils/po/fr.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/po/fr.po b/policycoreutils/po/fr.po
index be33d59..5c797c9 100644
--- a/policycoreutils/po/fr.po
+++ b/policycoreutils/po/fr.po
@@ -1307,7 +1307,7 @@ msgstr "syntaxe :  %s [-q]\n"
 #: ../load_policy/load_policy.c:71
 #, c-format
 msgid "%s:  Policy is already loaded and initial load requested\n"
-msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n"
+msgstr "%s : La stratégie est déjà chargée et un chargement initial est 
demandé\n"
 
 #: ../load_policy/load_policy.c:80
 #, c-format
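Review bot: this hunk is identical to the [PATCH v2] above (same index be33d59..5c797c9, same msgstr), so only one of the two should be applied; the v2 resend changes nothing but the subject line.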
-- 
2.8.1


Re: Licence of the new setools icons

2016-05-05 Thread Laurent Bigonville

On 05/05/16 at 15:51, Christopher J. PeBenito wrote:

On 5/5/2016 8:46 AM, Christopher J. PeBenito wrote:

On 5/5/2016 7:46 AM, Laurent Bigonville wrote:

Hello,

setools(4) includes a new set of icons. The COPYING file included in the
same directory states:


[...]

This doesn't seem free (as in freedom), as the license doesn't give the
right to modify the icons.

This will make it difficult to include setools in some distro (Debian,
Fedora,...).

Couldn't the icons already present in the Qt icon theme be used
instead? Most of them should have an equivalent.

If the licensing is a problem, then I can look into replacing the icons
with the Qt icons (patches welcome).

Replacing with standard icons ended up being straightforward and will be
in 4.0.1.

Thanks!


[PATCH] Fix multiple spelling errors

2016-05-01 Thread Laurent Bigonville
From: Laurent Bigonville <bi...@bigon.be>

Thanks to the lintian utility from Debian
---
 libselinux/man/man3/avc_add_callback.3   | 4 ++--
 libselinux/man/man3/avc_has_perm.3   | 2 +-
 libselinux/man/man3/is_selinux_enabled.3 | 2 +-
 libsemanage/include/semanage/handle.h| 2 +-
 libsemanage/src/database.h   | 2 +-
 libsepol/cil/src/cil_find.c  | 2 +-
 policycoreutils/sandbox/seunshare.8  | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/libselinux/man/man3/avc_add_callback.3 
b/libselinux/man/man3/avc_add_callback.3
index dbfe72d..bdbbadf 100644
--- a/libselinux/man/man3/avc_add_callback.3
+++ b/libselinux/man/man3/avc_add_callback.3
@@ -57,7 +57,7 @@ and will cause any SID to match.
 .I callback
 is the callback function provided by the userspace object manager.  The
 .I event
-argument indicates the security event which occured; the remaining arguments
+argument indicates the security event which occurred; the remaining arguments
 are interpreted according to the event as described below.  The return value
 of the callback should be zero on success, \-1 on error with
 .I errno
@@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks 
registered via
 may be executed in the context of the netlink handler thread.  This will 
likely introduce synchronization issues requiring the use of locks.  See
 .BR avc_init (3).
 
-Support for dynamic revocation and retained permissions is mostly 
unimplemented in the SELinux kernel module.  The only security event that 
currently gets excercised is
+Support for dynamic revocation and retained permissions is mostly 
unimplemented in the SELinux kernel module.  The only security event that 
currently gets exercised is
 .BR AVC_CALLBACK_RESET .
 .
 .SH "AUTHOR"
diff --git a/libselinux/man/man3/avc_has_perm.3 
b/libselinux/man/man3/avc_has_perm.3
index 7353952..3e9fca8 100644
--- a/libselinux/man/man3/avc_has_perm.3
+++ b/libselinux/man/man3/avc_has_perm.3
@@ -108,7 +108,7 @@ for the first time.
 Using an uninitialized structure will produce undefined behavior.
 .
 .SH "RETURN VALUE"
-If requested permissions are granted, zero is returned.  If requested 
permissions are denied or an error occured, \-1 is returned and
+If requested permissions are granted, zero is returned.  If requested 
permissions are denied or an error occurred, \-1 is returned and
 .I errno
 is set appropriately.
 
diff --git a/libselinux/man/man3/is_selinux_enabled.3 
b/libselinux/man/man3/is_selinux_enabled.3
index f02052c..b2df562 100644
--- a/libselinux/man/man3/is_selinux_enabled.3
+++ b/libselinux/man/man3/is_selinux_enabled.3
@@ -3,7 +3,7 @@
 is_selinux_enabled \- check whether SELinux is enabled
 .
 .SH "NAME"
-is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level 
Securty) MLS 
+is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level 
Security) MLS
 .
 .SH "SYNOPSIS"
 .B #include 
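Review bot: while this line in is_selinux_enabled.3 is being touched for "Securty", the parenthetical is backwards: "(Multi Level Security) MLS" should read "MLS (Multi Level Security)". Dropping the trailing whitespace on the replaced line is a welcome side effect.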
diff --git a/libsemanage/include/semanage/handle.h 
b/libsemanage/include/semanage/handle.h
index 6cad529..c816590 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -130,7 +130,7 @@ int semanage_commit(semanage_handle_t *);
 #define SEMANAGE_CAN_READ 1
 #define SEMANAGE_CAN_WRITE 2
 /* returns SEMANAGE_CAN_READ or SEMANAGE_CAN_WRITE if the store is readable
- * or writable, respectively. <0 if an error occured */
+ * or writable, respectively. <0 if an error occurred */
 int semanage_access_check(semanage_handle_t * sh);
 
 /* returns 0 if not connected, 1 if connected */
diff --git a/libsemanage/src/database.h b/libsemanage/src/database.h
index e460379..6a4a164 100644
--- a/libsemanage/src/database.h
+++ b/libsemanage/src/database.h
@@ -148,7 +148,7 @@ typedef struct dbase_table {
 * This function must be invoked before using
 * any of the database functions above. It may be invoked
 * multiple times, and will update the cache if a commit
-* occured between invocations */
+* occurred between invocations */
int (*cache) (struct semanage_handle * handle, dbase_t * dbase);
 
/* Forgets all changes that haven't been written
diff --git a/libsepol/cil/src/cil_find.c b/libsepol/cil/src/cil_find.c
index 8e0688c..4134242 100644
--- a/libsepol/cil/src/cil_find.c
+++ b/libsepol/cil/src/cil_find.c
@@ -383,7 +383,7 @@ int cil_find_matching_avrule_in_ast(struct cil_tree_node 
*current, enum cil_flav
 
rc = cil_tree_walk(current, __cil_find_matching_avrule_in_ast, NULL, 
NULL, );
if (rc) {
-   cil_log(CIL_ERR, "An error occured while searching for avrule 
in AST\n");
+   cil_log(CIL_ERR, "An error occurred while searching for avrule 
in AST\n");
}
 
return rc;
diff --git a/policycoreutils/sandbox/seunshare.8 
b/policycoreutils/sandbox/seunshare.8
index 76b75c8..9e105a1 100644
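Review bot: the diffstat lists policycoreutils/sandbox/seunshare.8 with one change, but the patch ends after its index line with no hunk, so the mail is truncated; the seunshare.8 fix needs to be resent for the series to apply as described.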

Copying/setting security.selinux xattr explicitly

2016-02-10 Thread Laurent Bigonville

Hello,

I've a question concerning copying the security.selinux xattr explicitly.

In your opinion, what should happen in an implementation if it cannot 
reset security.selinux on the target file?


Apparently GNU cp -a ignores failures (while cp --preserve=context fails).

In some Python helper function (_copyxattr(), see 
https://bugs.python.org/issue14082), it will raise an exception if the 
copy of any of the xattrs fails; there is no special case for 
security.selinux.


What do you think should be the behavior here?

Cheers,

Laurent Bigonville
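The two behaviours the message contrasts, written as one copy routine with an explicit policy for security.selinux, added here as an example (this is neither GNU cp's nor CPython's code): lenient like `cp -a`, which records the failed attribute and carries on, or strict like `cp --preserve=context`, which makes the failure fatal. The `os.listxattr`/`os.getxattr`/`os.setxattr` calls are parameters only so that `demo()` can drive the routine with an in-memory stand-in that refuses to set the SELinux label; the paths, label and attribute values in it are constructed.

```python
# Added example: xattr copy with an explicit security.selinux policy.
import errno
import os

SELINUX_XATTR = "security.selinux"


def copy_xattrs(src, dst, *, require_context=False,
                listxattr=os.listxattr, getxattr=os.getxattr,
                setxattr=os.setxattr):
    """Copy every extended attribute of src onto dst (symlinks not followed).

    Returns the names that could not be set on dst.  A failure to set
    security.selinux is fatal only when require_context is True
    (cp --preserve=context); otherwise it is recorded and skipped (cp -a).
    Attributes the destination filesystem does not support at all (ENOTSUP)
    are skipped too; any other error propagates.  The os.* functions are
    injectable only so the policy can be exercised without an
    SELinux-labelled filesystem."""
    skipped = []
    for name in listxattr(src, follow_symlinks=False):
        value = getxattr(src, name, follow_symlinks=False)
        try:
            setxattr(dst, name, value, follow_symlinks=False)
        except OSError as exc:
            if name == SELINUX_XATTR and not require_context:
                skipped.append(name)      # cp -a behaviour: keep going
            elif name != SELINUX_XATTR and exc.errno == errno.ENOTSUP:
                skipped.append(name)      # destination has no xattr support
            else:
                raise                     # strict context, or a real error
    return skipped


class _FakeXattrStore:
    """In-memory stand-in for a filesystem's xattrs (constructed for demo()).
    Names in `deny` cannot be set, mimicking a kernel that refuses the
    relabel because the caller lacks the needed SELinux permission."""

    def __init__(self, files, deny=()):
        self.files = {path: dict(attrs) for path, attrs in files.items()}
        self.deny = set(deny)

    def listxattr(self, path, *, follow_symlinks=True):
        return list(self.files[path])

    def getxattr(self, path, name, *, follow_symlinks=True):
        return self.files[path][name]

    def setxattr(self, path, name, value, flags=0, *, follow_symlinks=True):
        if name in self.deny:
            raise OSError(errno.EPERM, "Operation not permitted", path)
        self.files[path][name] = value


def demo():
    """Run both policies over the same constructed source.  Returns the
    names skipped under the lenient policy, whether the strict policy
    raised, and the attributes that actually reached the destination."""
    files = {"/src": {"user.comment": b"hello",
                      SELINUX_XATTR: b"system_u:object_r:etc_t:s0"},
             "/dst": {}}
    store = _FakeXattrStore(files, deny={SELINUX_XATTR})
    ops = dict(listxattr=store.listxattr, getxattr=store.getxattr,
               setxattr=store.setxattr)
    skipped = copy_xattrs("/src", "/dst", **ops)
    try:
        copy_xattrs("/src", "/dst", require_context=True, **ops)
        strict_raised = False
    except OSError:
        strict_raised = True
    return skipped, strict_raised, store.files["/dst"]


if __name__ == "__main__":
    print(demo())
```

Returning the skipped names rather than swallowing them lets the caller log that the copy now carries whatever label the destination's default labelling gave it, which is the part `cp -a` leaves silent.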


chcat is using getlogin() function that sometimes returns null/empty string

2015-12-07 Thread Laurent Bigonville

Hi,

So apparently the gnome-terminal developers have decided to stop updating 
the utmp[0] file, and this is breaking chcat -Ll with the following error:


Traceback (most recent call last):
  File "/usr/bin/chcat", line 409, in 
sys.exit(listusercats(cmds))
  File "/usr/bin/chcat", line 352, in listusercats
users.append(os.getlogin())
OSError: [Errno 2] No such file or directory

The getlogin(3) manpage suggests relying on the LOGNAME environment variable, 
so maybe chcat should fall back to this if getlogin() is not returning 
anything?


Cheers,

Laurent Bigonville

[0] https://bugzilla.gnome.org/show_bug.cgi?id=747046
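The fallback the message proposes, as an added example (not chcat's code): a replacement for the bare `os.getlogin()` call in listusercats that tries getlogin(), then LOGNAME as the manpage suggests, then the passwd entry for the real uid. The os/pwd calls are parameters only so that `demo()` can reproduce the no-utmp failure from the traceback above without a terminal; the names and uid in it are constructed.

```python
# Added example: login-name lookup that survives a terminal without utmp.
import errno
import os
import pwd
import types


def current_login(*, getlogin=os.getlogin, environ=None, uid=None,
                  getpwuid=pwd.getpwuid):
    """Return the user's login name: getlogin(), then $LOGNAME, then the
    passwd entry for the real uid.  Raises LookupError if none works."""
    if environ is None:
        environ = os.environ
    if uid is None:
        uid = os.getuid()
    try:
        name = getlogin()
        if name:
            return name
    except OSError:
        # No utmp record for this terminal (ENOENT, as in the chcat
        # traceback) or no controlling terminal at all: fall through.
        pass
    name = environ.get("LOGNAME")
    if name:
        return name
    # Last resort; unlike LOGNAME this cannot be chosen by the caller.
    try:
        return getpwuid(uid).pw_name
    except KeyError:
        raise LookupError("no login name for uid %d" % uid) from None


def _getlogin_without_utmp():
    """Stand-in for os.getlogin() under a terminal that never wrote utmp."""
    raise OSError(errno.ENOENT, "No such file or directory")


def demo():
    """Exercise the three branches with constructed inputs; returns the
    name chosen in each case."""
    fake_pw = lambda uid: types.SimpleNamespace(pw_name="carol")
    from_getlogin = current_login(getlogin=lambda: "bob",
                                  environ={"LOGNAME": "alice"}, uid=1000,
                                  getpwuid=fake_pw)
    from_logname = current_login(getlogin=_getlogin_without_utmp,
                                 environ={"LOGNAME": "alice"}, uid=1000,
                                 getpwuid=fake_pw)
    from_passwd = current_login(getlogin=_getlogin_without_utmp,
                                environ={}, uid=1000, getpwuid=fake_pw)
    return from_getlogin, from_logname, from_passwd


if __name__ == "__main__":
    print(demo())
```

In chcat the call site would become `users.append(current_login())`. LOGNAME is set by the caller's own environment, so it is fine for choosing whose categories to list but should not be used for any decision that needs the identity to be trustworthy; the uid-based lookup is the authoritative one.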


Re: newrole not working when built with LSPP_PRIV=y

2015-10-01 Thread Laurent Bigonville



On 29/09/15 21:35, Stephen Smalley wrote:

On 09/26/2015 09:10 PM, Laurent Bigonville wrote:

[...]

The patch seems to break another thing: in Fedora the newrole
executable is not setuid root, but it is granted a bunch of capabilities
explicitly; if I setuid this executable instead of granting these
capabilities, I get yet another error:

Sorry, newrole failed to drop capabilities: Operation not permitted

So I guess something needs to be fixed here.


Yes, the current code just seems to be wrong here.  The setresuid() 
call will drop all capabilities if newrole is setuid-root and the 
caller is non-root, so it will end up dropping all capabilities 
immediately.  Then the attempt to further set the capabilities will 
fail (as above), as will any subsequent privileged operations.  As 
currently written, this can only work if not setuid-root and using 
file-caps.  And in that case, the setresuid() call doesn't make sense.


Dan?


Apparently libcapng has a capng_change_id(3) function that can be used 
to "change the credentials retaining capabilities".


Laurent Bigonville
