Re: file context not being set on el7
Ted Toth writes:

On Fri, Sep 21, 2018 at 7:21 AM Ted Toth wrote:

On Fri, Sep 21, 2018 at 3:58 AM Petr Lautrbach wrote:

Ted Toth writes:

> I have something very much like the following in an fc file:
>
> /usr/lib64/python2\.(6|7)/site-packages/xyz/paste -- gen_context(system_u:object_r:jxyz_exec_t,s0)
>
> and I use the same file on el6 and el7. On el6 the file is labeled as
> specified in the python2.6 directory. However on el7 where the file gets
> installed into python2.7 the file is not labeled correctly. On el7
> `semanage fcontext -l | grep xyz` shows the file context expected but
> `matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste` does not return
> the expected context and `restorecon -RFv /usr/lib64/python2.7/site-packages/xyz`
> has no effect. The type xyz_exec_t exists on both systems. It's probably
> something stupid I'm doing but I'm just not seeing it. Has anyone else
> experienced similar issues?

There's equivalency rule /usr/lib64 -> /usr/lib on el7:

# semanage fcontext -a -t tmp_t '/usr/lib64/python2\.(6|7)/site-packages/xyz/paste'
ValueError: File spec /usr/lib64/python2\.(6|7)/site-packages/xyz/paste conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/python2\.(6|7)/site-packages/xyz/paste' instead

# semanage fcontext -a -t tmp_t '/usr/lib/python2\.(6|7)/site-packages/xyz/paste'

# matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste
/usr/lib64/python2.7/site-packages/xyz/paste system_u:object_r:tmp_t:s0

Petr

Thanks, where is this equivalency rule defined/documented?
You can see them at the end of 'semanage fcontext -l' output:

SELinux Distribution fcontext Equivalence

/usr/local/lib64 = /usr/lib
/etc/systemd/system = /usr/lib/systemd/system
/run/systemd/system = /usr/lib/systemd/system
/run/systemd/generator = /usr/lib/systemd/system
/var/home = /home
/sbin = /usr/sbin
/var/roothome = /root
/usr/lib64 = /usr/lib
/var/lib/xguest/home = /home
/var/named/chroot/lib64 = /usr/lib
/var/named/chroot/usr/lib64 = /usr/lib
/run = /var/run
/usr/local/lib32 = /usr/lib
/lib64 = /usr/lib
/lib = /usr/lib
/run/lock = /var/lock

> /usr/lib(64)?/python... doesn't work either how can I make it backward compatible?

'/usr/lib(64)?/python2\.(6|7)/site-packages/xyz/paste' works for me on both el6 and el7.

Petr

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: file context not being set on el7
Ted Toth writes:

> I have something very much like the following in an fc file:
>
> /usr/lib64/python2\.(6|7)/site-packages/xyz/paste -- gen_context(system_u:object_r:jxyz_exec_t,s0)
>
> and I use the same file on el6 and el7. On el6 the file is labeled as
> specified in the python2.6 directory. However on el7 where the file gets
> installed into python2.7 the file is not labeled correctly. On el7
> `semanage fcontext -l | grep xyz` shows the file context expected but
> `matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste` does not return
> the expected context and `restorecon -RFv /usr/lib64/python2.7/site-packages/xyz`
> has no effect. The type xyz_exec_t exists on both systems. It's probably
> something stupid I'm doing but I'm just not seeing it. Has anyone else
> experienced similar issues?

There's equivalency rule /usr/lib64 -> /usr/lib on el7:

# semanage fcontext -a -t tmp_t '/usr/lib64/python2\.(6|7)/site-packages/xyz/paste'
ValueError: File spec /usr/lib64/python2\.(6|7)/site-packages/xyz/paste conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/python2\.(6|7)/site-packages/xyz/paste' instead

# semanage fcontext -a -t tmp_t '/usr/lib/python2\.(6|7)/site-packages/xyz/paste'

# matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste
/usr/lib64/python2.7/site-packages/xyz/paste system_u:object_r:tmp_t:s0

Petr
[PATCH] python/sepolicy: search() for dontaudit rules as well
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in 97d5f6a2

Fixes:

>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]

Signed-off-by: Petr Lautrbach
---
python/sepolicy/sepolicy/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py index 89346aba..c1a60798 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py @@ -334,6 +334,8 @@ def search(types, seinfo=None): tertypes.append(NEVERALLOW) if AUDITALLOW in types: tertypes.append(AUDITALLOW) +if DONTAUDIT in types: +tertypes.append(DONTAUDIT) if len(tertypes) > 0: q = setools.TERuleQuery(_pol, -- 2.19.0
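Review bot: nothing in the hunk guards against the same drop happening again; the reproducer in the commit message (`sepolicy.search(['dontaudit'])` returning `[]`) is already a ready-made regression test, so add it to the test suite asserting a non-empty result on a policy known to carry dontaudit rules. Also confirm `DONTAUDIT` is defined beside `NEVERALLOW`/`AUDITALLOW` in this module, since the hunk uses it without showing where it comes from.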
Re: is_selinux_enabled() after chroot()
On Mon, Jun 18, 2018 at 04:06:11PM -0400, Stephen Smalley wrote:
> On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> > Hello,
> >
> > libselinux sets selinux_mnt and has_selinux_config only in its constructor and
> > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> > enabled. But it doesn't work correctly when you use chroot() to a directory without /proc
> > and /sys/fs/selinux mounted as it was discovered in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1321375
> >
> > In this case, is_selinux_enabled() after chroot() returns true while in a new
> > program run from chrooted process it returns false. It can be demonstrated by
> > the steps below.
> >
> > The solution could be to check if selinux_mnt still exists whenever a function
> > depending on this is called. Would this be acceptable?
>
> You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG
> in is_selinux_enabled()?

Yes. I was thinking about something like this:
@@ -16,7 +16,7 @@ int is_selinux_enabled(void) #ifdef ANDROID return (selinux_mnt ? 1 : 0); #else - return (selinux_mnt && has_selinux_config); + return (selinux_mnt && (access(selinux_mnt, F_OK) == 0) && has_selinux_config); #endif }

But the problem seems to be more complex and it would probably be better to fix
it on the caller's side - mount /sys/fs/selinux and /proc into chroots or do all
SELinux checks before chroot().

> Could potentially trigger a permission check that wasn't previously required,
> thereby breaking existing policies.
> Caller might just be checking to see if SELinux is enabled before using
> interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and
> therefore didn't previously need permissions to selinuxfs or
> /etc/selinux/config.
> So, possible but you'd need to make sure you don't break anything.
> Definitely don't want that changed in Android.
>
> > $ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd
> >
> > $ cat > test_libselinux.c <<EOF
> > /* Headers restored: the archive stripped the <...> include targets. */
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> > #include <selinux/selinux.h>
> >
> > int main(int argc, char *argv[]) {
> >     pid_t pid;
> >     int wstatus;
> >
> >     /* Second invocation (after exec): is_selinux_enabled() evaluated inside the chroot. */
> >     if (argc > 1) {
> >         printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> >         return 0;
> >     }
> >     if (chroot("/var/lib/machines/example") != 0)
> >         return -1;
> >
> >     /* Same process after chroot(): libselinux still uses the values cached by its constructor. */
> >     printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> >     printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> >     printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));
> >
> >     if ((pid = fork()) == 0 ) {
> >         execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
> >     }
> >
> >     wait(&wstatus);
> >     return 0;
> > }
> > EOF
> >
> > $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> >
> > $ sudo ./test_is_selinux_enabled
> > SELinux in process after chroot(): 1
> > /sys/fs/selinux exists: -1
> > /etc/selinux/config
exists: -1
> >
> > SELinux in chrooted process: 0
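Review bot: `access(selinux_mnt, F_OK)` only proves a directory exists at the mount path; an empty /sys/fs/selinux inside the chroot still passes, and `has_selinux_config` keeps the value cached by the constructor, so the `/etc/selinux/config exists: -1` case in the reproducer above is not rechecked either. If a runtime check stays, statfs() on selinux_mnt and comparing f_type with the selinuxfs magic is the test that actually answers "is selinuxfs still mounted here", and, as the reply notes, any such call adds a search/getattr check on selinuxfs that callers of is_selinux_enabled() never needed before, so it belongs only in the non-ANDROID branch as written.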
is_selinux_enabled() after chroot()
Hello,

libselinux sets selinux_mnt and has_selinux_config only in its constructor and
is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
enabled. But it doesn't work correctly when you use chroot() to a directory
without /proc and /sys/fs/selinux mounted as it was discovered in
https://bugzilla.redhat.com/show_bug.cgi?id=1321375

In this case, is_selinux_enabled() after chroot() returns true while in a new
program run from chrooted process it returns false. It can be demonstrated by
the steps below.

The solution could be to check if selinux_mnt still exists whenever a function
depending on this is called. Would this be acceptable?

$ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd

$ cat > test_libselinux.c <<EOF
/* Headers restored: the archive stripped the <...> include targets. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <selinux/selinux.h>

int main(int argc, char *argv[]) {
    pid_t pid;
    int wstatus;

    /* Second invocation (after exec): is_selinux_enabled() evaluated inside the chroot. */
    if (argc > 1) {
        printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
        return 0;
    }
    if (chroot("/var/lib/machines/example") != 0)
        return -1;

    /* Same process after chroot(): libselinux still uses the values cached by its constructor. */
    printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
    printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
    printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));

    if ((pid = fork()) == 0 ) {
        execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
    }

    wait(&wstatus);
    return 0;
}
EOF

$ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux

$ sudo ./test_is_selinux_enabled
SELinux in process after chroot(): 1
/sys/fs/selinux exists: -1
/etc/selinux/config exists: -1

SELinux in chrooted process: 0
Re: [RFC PATCH] selinux-testsuite: check the "expand-check" setting in semanage.conf
On Tue, May 15, 2018 at 05:03:42PM -0400, Paul Moore wrote: > From: Paul Moore > > If expand-check is non-zero in semanage.conf the policy load will likely fail, > try to provide a more helpful error to users running the tests. > > Signed-off-by: Paul Moore > --- > policy/Makefile | 12 ++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/policy/Makefile b/policy/Makefile > index 8ed5e46..cc022e3 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -87,6 +87,14 @@ build: $(BUILD_TARGET) > load: $(LOAD_TARGET) > unload: $(UNLOAD_TARGET) > > +expand_check: > + # Test for "expand-check = 0" in /etc/selinux/semanage.conf > + @cat /etc/selinux/semanage.conf | \ > + sed -n 's/^[ \t]*expand-check[ \t]*=[ \t]*0/OK/p' | \ > + grep -q "OK" || \ > + (echo "ERROR: set 'expand-check = 0' in semanage.conf"; \ > + /bin/false) > + You can use grep directly: + grep -q '^[ \t]*expand-check[ \t]*=[ \t]*0' /etc/selinux/semanage.conf || \ + (echo "ERROR: set 'expand-check = 0' in semanage.conf"; + /bin/false) > build_rhel: $(TARGETS) > # RHEL specific policy build > $(MAKE) -C redhat/$(RHEL_VERS) all > @@ -103,11 +111,11 @@ build_general: $(TARGETS) > echo "ERROR: You must have selinux-policy-devel installed."; \ > fi > > -load_rhel: all > +load_rhel: expand_check all > # RHEL specific policy load > $(MAKE) -C redhat/$(RHEL_VERS) load > > -load_general: all > +load_general: expand_check all > # General policy load > @-/usr/sbin/setsebool allow_domain_fd_use=0 > $(SEMODULE) -i test_policy/test_policy.pp > > signature.asc Description: PGP signature
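Review bot: in the `expand_check` recipe the bracket expression `[ \t]` only matches a tab because GNU sed treats `\t` as an escape there; the grep one-liner suggested above does not get that, since a POSIX bracket expression treats `\` as a literal, so `grep '[ \t]'` matches a space, a backslash or the letter t and a tab-separated `expand-check = 0` line would be rejected. Use `[[:blank:]]` in both. The pattern is also not anchored at the end, so `=[ \t]*0` accepts `expand-check = 01`; finish it with `0[[:blank:]]*$`.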
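Review bot: `load_rhel: expand_check all` and `load_general: expand_check all` put the check in the prerequisite list, so under `make -j` the policy build in `all` runs in parallel with it and the check only gates the load recipe, which is fine if that is the intent; if the point is to fail before any build work, add `expand_check` to `build_rhel`/`build_general` as well. Either way declare `expand_check` in `.PHONY`, otherwise a stray file named `expand_check` in policy/ silences the check.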
Re: [PATCH] python/semanage/seobject.py: Fix undefined store check
On Mon, May 07, 2018 at 09:58:28AM -0400, Stephen Smalley wrote: > On 05/04/2018 04:12 PM, Petr Lautrbach wrote: > > On Fri, May 04, 2018 at 01:58:08PM -0400, Stephen Smalley wrote: > >> On 05/04/2018 07:51 AM, Petr Lautrbach wrote: > >>> From: Vit Mojzis > >>> > >>> self.store is always a string (actual store name or "") because of > >>> semanageRecords.__init__. Fix check for not defined store. > >>> > >>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 > >>> > >>> Signed-off-by: Vit Mojzis > >>> --- > >>> python/semanage/seobject.py | 2 +- > >>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>> > >>> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > >>> index ac310ea6..c76dce85 100644 > >>> --- a/python/semanage/seobject.py > >>> +++ b/python/semanage/seobject.py > >>> @@ -2651,7 +2651,7 @@ class booleanRecords(semanageRecords): > >>> self.current_booleans = [] > >>> ptype = None > >>> > >>> -if self.store is None or self.store == ptype: > >>> +if self.store == "" or self.store == ptype: > >>> self.modify_local = True > >>> else: > >>> self.modify_local = False > >>> > >> > >> Is there a reason you didn't use if not self.store here? > >> > > > > There's a similar check on line 258 and this just follows the same pattern. > > Ok, I don't have a strong opinion on it either way, but noticed that it was > recommended > to use not self.store in that bugzilla entry, comment #9, and was claimed to > have been changed > in comment #10. Up to you. > I think that the important part of the message is not use `self.store is ""` as it has unpredictable behavior. The check `not self.store` is already in __init__ on line 252: 252if not self.store: 253self.store = getattr(args, "store", "") If there's no objection, I'd leave as it is now. FYI: I'll be offline most time of the week so I won't be able to respond to emails during this time. signature.asc Description: PGP signature
Re: [PATCH] python/semanage/seobject.py: Fix undefined store check
On Fri, May 04, 2018 at 01:58:08PM -0400, Stephen Smalley wrote: > On 05/04/2018 07:51 AM, Petr Lautrbach wrote: > > From: Vit Mojzis > > > > self.store is always a string (actual store name or "") because of > > semanageRecords.__init__. Fix check for not defined store. > > > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 > > > > Signed-off-by: Vit Mojzis > > --- > > python/semanage/seobject.py | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > > index ac310ea6..c76dce85 100644 > > --- a/python/semanage/seobject.py > > +++ b/python/semanage/seobject.py > > @@ -2651,7 +2651,7 @@ class booleanRecords(semanageRecords): > > self.current_booleans = [] > > ptype = None > > > > -if self.store is None or self.store == ptype: > > +if self.store == "" or self.store == ptype: > > self.modify_local = True > > else: > > self.modify_local = False > > > > Is there a reason you didn't use if not self.store here? > There's a similar check on line 258 and this just follows the same pattern. signature.asc Description: PGP signature
[PATCH] python/semanage/seobject.py: Fix undefined store check
From: Vit Mojzis self.store is always a string (actual store name or "") because of semanageRecords.__init__. Fix check for not defined store. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3 Signed-off-by: Vit Mojzis --- python/semanage/seobject.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py index ac310ea6..c76dce85 100644 --- a/python/semanage/seobject.py +++ b/python/semanage/seobject.py @@ -2651,7 +2651,7 @@ class booleanRecords(semanageRecords): self.current_booleans = [] ptype = None -if self.store is None or self.store == ptype: +if self.store == "" or self.store == ptype: self.modify_local = True else: self.modify_local = False -- 2.17.0
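Review bot: `ptype = None` is set two lines above the changed line and nothing in the hunk reassigns it, so `self.store == ptype` can only be true when `self.store` is None, which the commit message says never happens after `semanageRecords.__init__`; either show the context that assigns `ptype` before this check, or the second comparison is dead. For the first comparison, `if not self.store or self.store == ptype:` matches the `if not self.store:` check already used in `__init__` and does not depend on the default being exactly `""`.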
Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 03:16:43PM +0200, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> > On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > >> Hi,
> > >>
> > >> If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > >> pending patches you believe should be included in the 2.8 release, please post them soon.
> > >> Also, let us know of any additions or changes that should be made to the release notes;
> > >> the current draft is as follows.
> > >>
> > >> User-visible changes:
> > >
> > > One might see processes "validate_context" where they didn't before
> > >
> > > Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, various systemd components etc)
> >
> > That should no longer be true as of -rc2 since I reverted the libselinux: verify file_contexts when using restorecon change.
>
> Oh thanks, yes fedora is still on RC1.

I've just built the following packages in Rawhide:

libselinux-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767629
libsemanage-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767782
policycoreutils-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767903

> > >> * semanage fcontext -l now also lists home directory entries from
> > >> file_contexts.homedirs.
> > >>
> > >> * semodule can now enable or disable multiple modules in the same
> > >> operation by specifying a list of modules after -e or -d, making them
> > >> consistent with the -i/u/r/E options.
> > >>
> > >> * CIL now supports multiple declarations of types, attributes, and
> > >> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> > >> or --multiple-decls option to secilc.
> > >>
> > >> * libsemanage no longer deletes the tmp directory if there is an error
> > >> while committing the policy transaction, so that any temporary files
> > >> can be further inspected for debugging purposes (e.g. to examine a
> > >> particular line of the generated CIL module). The tmp directory will
> > >> be deleted upon the next transaction, so no manual removal is needed.
> > >>
> > >> * Support was added for SCTP portcon statements. The corresponding
> > >> kernel support was introduced in Linux 4.17, and is only active if the
> > >> extended_socket_class policy capability is enabled in the policy.
> > >>
> > >> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> > >> interface, initially for use by setools4.
> > >>
> > >> * semodule_deps was removed since it has long been broken and is not useful
> > >> for CIL modules.
> > >>
> > >> Packaging-relevant changes:
> > >>
> > >> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> > >> DESTDIR has to be removed from the definition. For example on Arch
> > >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> > >>
> > >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> > >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> > >> Makefiles).
> > >>
> > >> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> > >>
> > >> * selinux-gui (i.e. system-config-selinux GUI application) is now
> > >> compatible with Python 3. Doing this required migrating away from
> > >> PyGTK to the supported PyGI library. This means that selinux-gui now
> > >> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> > >> requires PyGtk or Python 2.
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
Re: Alias path subbing results in unexpected policy labelling
On Mon, Apr 23, 2018 at 04:21:22PM +, Joe Kirwin wrote:
> Petr, Daniel,
>
> Have you had time to verify this issue yet?
> Any comments to add?

I consider this as the expected behavior. It's defined as "Substitute target path with sourcepath when generating default label." It means that /apple is substituted for /banana and the lookup is made for /banana/orange/foo.

On the other hand, `semanage-fcontext` man page and `semanage fcontext -h` output could be misleading a bit as they use words "EQUAL" and "equivalent" while it's not a symmetric relation, it's just a substitution.

I don't have an opinion about proposed change to have a real equivalence. It could complicate some things a lot and the benefit is not clear to me right now.

Petr

> On Tue, Mar 20, 2018 at 8:14 AM Stephen Smalley wrote:
> > On 03/19/2018 10:29 PM, Joe Kirwin wrote:
> > > *_Empirical Observations_*
> > >
> > > If I was to create an SELinux policy containing the following file_contexts (fruits.fc)
> > > ```
> > > /apple/orange/.* -- gen_context(system_u:object_r:atype_t,s0)
> > > /banana/.* -- gen_context(system_u:object_r:btype_t,s0)
> > > ```
> > >
> > > If I then take the file /etc/selinux/default/contexts/files/file_contexts.subs_dist and append to it the alias
> > > ```
> > > /apple /banana
> > > ```
> > >
> > > The resulting behavior is that when running:
> > > ```
> > > $ ./libselinux/utils/selabel_lookup_best_match -p /apple/orange/foo
> > > Best match context: system_u:object_r:btype_t:s0
> > > ```
> > >
> > > But the expected behavior is to match `atype_t` as that is a "more-specific" match pattern
> >
> > I don't think this is a bug based on the documented behavior for file_contexts.subs. That said,
> > that support was added by Red Hat so I'll let them speak to it.
> > > > > > > > *_Looking into why_* > > > > > > From the method in `libselinux/src/label_file.c` : > > > lookup_common(struct selabel_handle *rec, const > > char *key, int type, bool partial) > > > > > > we encounter a call to : > > > selabel_sub_key(struct saved_data *data, const char > > *key) > > > > > > In the example above the candidate path we're trying to match (referred > > to as the key in the code) is "canonicalized" to the /banana alias but the > > regex being evaluated is not > > > > > > *_A proposed fix_* > > > * > > > * > > > /Also attached (label_file.patch), if the patch formatting is off on > > this thread, apologies./ > > > * > > > * > > > diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c > > > index 560d8c3..98a8d1b 100644 > > > --- a/libselinux/src/label_file.c > > > +++ b/libselinux/src/label_file.c > > > @@ -848,7 +848,7 @@ static struct spec *lookup_common(struct > > selabel_handle *rec, > > > { > > > struct saved_data *data = (struct saved_data *)rec->data; > > > struct spec *spec_arr = data->spec_arr; > > > - int i, rc, file_stem; > > > + int i, rc, file_stem, orig_file_stem; > > > mode_t mode = (mode_t)type; > > > const char *buf; > > > struct spec *ret = NULL; > > > @@ -879,8 +879,12 @@ static struct spec *lookup_common(struct > > selabel_handle *rec, > > > } > > > > > > sub = selabel_sub_key(data, key); > > > - if (sub) > > > + orig_file_stem = -1; > > > + if (sub) { > > > + orig_file_stem = find_stem_from_file(data, &key); > > > key = sub; > > > + } > > > > > > buf = key; > > > file_stem = find_stem_from_file(data, &buf); 
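Review bot: in the `@@ -879` hunk `find_stem_from_file(data, &key)` passes the address of `key` itself, while the existing code three lines later deliberately copies it first (`buf = key; file_stem = find_stem_from_file(data, &buf);`) because the call advances the pointer past the stem; here it is only harmless because `key = sub` overwrites `key` right after, so use a temporary the way `buf` is used. The `@@ -848` hunk leaves `orig_file_stem` uninitialised at the declaration and relies on the later `orig_file_stem = -1;`, which works but is easier to read if the initialiser is on the declaration.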
> > > @@ -896,7 +900,8 @@ static struct spec *lookup_common(struct > > selabel_handle *rec, > > > * stem as the file AND if the spec in question has no mode > > > * specified or if the mode matches the file mode then we do > > > * a regex check*/ > > > - if ((spec->stem_id == -1 || spec->stem_id == file_stem) && > > > + if ((spec->stem_id == -1 || spec->stem_id == file_stem || > > > +spec->stem_id == orig_file_stem) && > > > (!mode || !spec->mode || mode == spec->mode)) { > > > if (compile_regex(data, spec, NULL) < 0) > > > goto finish; > > > > > > > > > > > > I think there is still some simplification that could be done with > > aliases, in that they really shouldn't have a direction (e.g. alias -> > > original) instead they should go both ways and if there is a tie it should > > go by the ordering of the specs. > > > Reason for this is that a developer of an SELinux policy, may not know > > the contents or directionality of file_contexts.subs_dist ahead of time or > > when it might change. > > > > > > Thanks, > > > Joe Kirwin and Travis Szucs > > > > > > > -- > -- > *Joe Kirwin* | *Senior Security Developer_* > *E:* j...@cmd.com*M:* 1.604.365.2823 > >
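Review bot: widening the stem filter with `spec->stem_id == orig_file_stem` lets an entry rooted at the original path (`/apple/orange/.*`) reach `compile_regex`, but the regex is still run against `key`, which the previous hunk has already replaced with the substituted path (`/banana/orange/foo`), and nothing in this hunk shows how such an entry can then match; either match those entries against the original key or show the regex-exec site that does. Since the reply in this thread treats subs as a documented one-way substitution, the change also alters the documented semantics of file_contexts.subs(_dist) and needs a man page update to go with it.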
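Both substitution threads on this page (the `/usr/lib64 = /usr/lib` equivalence that defeats Ted's `python2\.(6|7)` entry on el7, and the `/apple /banana` subs_dist line above) come down to the same lookup order: rewrite the path first, then match file_contexts regexes against the rewritten path. The model below is an added example written for this page, not libselinux or semanage code. It assumes the first matching subs rule wins and that a rule applies only at a path-component boundary (the page does not show libselinux's rule ordering), that file_contexts matching is whole-path and last-entry-wins, and that the mode field filters entries; the specs, subs lines and contexts are constructed from the two threads.

```python
"""Model of file_contexts.subs(_dist) substitution followed by file_contexts
matching. Added illustration for this page, not libselinux or semanage code."""
import re
from typing import List, Optional, Tuple

Spec = Tuple[str, Optional[str], str]  # (regex, mode such as "--" or None for any, context)
Subs = List[Tuple[str, str]]           # (source prefix, target prefix) as in file_contexts.subs_dist

# Constructed sample data taken from the two threads (not copied from a real policy).
EL7_SUBS: Subs = [("/usr/lib64", "/usr/lib")]
FRUIT_SUBS: Subs = [("/apple", "/banana")]

XYZ_OLD = r"/usr/lib64/python2\.(6|7)/site-packages/xyz/paste"   # Ted's original entry
XYZ_NEW = r"/usr/lib(64)?/python2\.(6|7)/site-packages/xyz/paste"  # Petr's portable entry
XYZ_CTX = "system_u:object_r:xyz_exec_t:s0"

FRUIT_SPECS: List[Spec] = [
    (r"/apple/orange/.*", "--", "system_u:object_r:atype_t:s0"),
    (r"/banana/.*",       "--", "system_u:object_r:btype_t:s0"),
]


def substitute(path: str, subs: Subs) -> str:
    """Rewrite the leading component(s) of PATH the way the subs file does.

    A rule applies only when its source is the whole path or a prefix ending
    at a '/' boundary, and only source -> target is ever applied: this is a
    one-way substitution, not an equivalence. Assumption: first matching rule
    wins (libselinux's ordering is not shown on the page)."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, specs: List[Spec], subs: Subs, ftype: str = "--") -> Optional[str]:
    """Return the context for PATH, or None when no entry matches.

    The regexes only ever see the substituted path. As in file_contexts the
    whole path must match, a mode field restricts the entry to that file
    type, and the last matching entry wins."""
    key = substitute(path, subs)
    winner = None
    for regex, mode, ctx in specs:
        if mode is not None and mode != ftype:
            continue
        if re.fullmatch(regex, key):
            winner = ctx
    return winner


def semanage_conflict(regex: str, subs: Subs) -> Optional[str]:
    """Reproduce the check behind semanage's 'conflicts with equivalency rule'
    error: an entry whose literal prefix is a substituted source can never
    match, because every lookup sees the rewritten path. Returns the error
    text or None. XYZ_NEW gets past this check because its literal prefix is
    '/usr/lib(' rather than '/usr/lib64/', which is why it works on both el6
    and el7."""
    for src, dst in subs:
        if regex == src or regex.startswith(src + "/"):
            return (f"File spec {regex} conflicts with equivalency rule '{src} {dst}'; "
                    f"Try adding '{dst}{regex[len(src):]}' instead")
    return None


if __name__ == "__main__":
    target = "/usr/lib64/python2.7/site-packages/xyz/paste"
    for name, spec in (("old", XYZ_OLD), ("new", XYZ_NEW)):
        for dist, subs in (("el6", []), ("el7", EL7_SUBS)):
            print(f"{dist} {name} entry: {lookup(target, [(spec, '--', XYZ_CTX)], subs)}")
    print(semanage_conflict(XYZ_OLD, EL7_SUBS))
    print("/apple/orange/foo  ->", lookup("/apple/orange/foo", FRUIT_SPECS, FRUIT_SUBS))
    print("/banana/orange/foo ->", lookup("/banana/orange/foo", FRUIT_SPECS, FRUIT_SUBS))
```

Run as a script it prints `None` for the old entry on el7 and the xyz context for the other three combinations, then the semanage-style conflict message, then `btype_t` for both fruit lookups: `/apple/orange/foo` is rewritten to `/banana/orange/foo` before `/apple/orange/.*` is ever tried, and because the relation is one way, `/banana/...` paths are never rewritten back.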
Re: ANN: SELinux userspace 2.8-rc1 release candidate
On Fri, Apr 20, 2018 at 08:49:41AM -0400, Stephen Smalley wrote:
> On 04/20/2018 08:31 AM, Petr Lautrbach wrote:
> > On Thu, Apr 19, 2018 at 11:07:39AM -0400, Stephen Smalley wrote:
> >> A 2.8-rc1 release candidate for the SELinux userspace is now available at:
> >> https://github.com/SELinuxProject/selinux/wiki/Releases
> >>
> >> Please give it a test and let us know if there are any issues.
> >
> > I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
> >
> > So far there's one problem found by libselinux/selabel-function [3] test. It
> > looks like commit 814631d3aebaa changed the behavior of selabel_open() when
> > SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
>
> So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
> failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).

selabel_open(3) states that "an invalid context may not be treated as an error unless it is actually encountered during a lookup operation". So at least, it's some disproportion between the code and the documentation. I read the commit message as that a context should be validated before it's applied. But now it's validated during lookup.

> Are there real users of libselinux that rely on the current behavior or is there some use case where
> it is desirable?

I don't know. I was thinking about setfiles but it always validates. There might be 3rd party users who look up labels in chroot.
> > The reproducer code:
> >
> > /* Headers restored: the archive stripped the <...> include targets. */
> > #include <stdio.h>
> > #include <stdlib.h>
> >
> > #include <selinux/selinux.h>
> > #include <selinux/label.h>
> >
> > int main() {
> >     struct selabel_handle *hnd = NULL;
> >     security_context_t selabel_context;
> >
> >     /* SELABEL_OPT_VALIDATE is explicitly off: the entry should not be validated at open time. */
> >     struct selinux_opt selabel_option [] = {
> >         { SELABEL_OPT_PATH, "my_contexts" },
> >         { SELABEL_OPT_SUBSET, NULL },
> >         { SELABEL_OPT_VALIDATE, (char *) 0 },
> >         { SELABEL_OPT_BASEONLY, (char *) 0 }
> >     };
> >     int result = 0;
> >
> >     if ((hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 4)) == NULL) {
> >         return 1;
> >     }
> >
> >     if ((result = selabel_lookup_raw(hnd, &selabel_context, "/tmp/mypath", 0)) == -1) {
> >         perror("selabel_lookup_raw - ERROR");
> >         return 1;
> >     }
> >
> >     printf("%s\n", selabel_context);
> >
> >     return 0;
> > }
> >
> > ---
> >
> > $ gcc -o selabel_reproducer selabel_reproducer.c -lselinux
> > $ echo '/tmp/mypath my_user_u:my_role_r:my_type_t:s' > my_contexts
> >
> > Before:
> >
> > $ ./selabel_reproducer
> > my_user_u:my_role_r:my_type_t:s
> >
> > After:
> >
> > $ ./selabel_reproducer
> > my_contexts: line 1 has invalid context my_user_u:my_role_r:my_type_t:s
> > selabel_lookup_raw - ERROR: Invalid argument
> >
> > [1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/packages/
> > [2] https://src.fedoraproject.org/tests/selinux/tree/master
> > [3] https://src.fedoraproject.org/tests/selinux/blob/master/f/libselinux/selabel-functions
> >
> >> If there are specific changes that you think should be called out in
> >> release notes for packagers and users in the final release announcement,
> >> let us know.
> >>
> >> Thanks to all the contributors to this release candidate!
> >>
> >> A shortlog of changes since the 2.7 release is below.
> >>
> >> Dan Cashman (1):
> >> libsepol: cil: Add ability to redeclare types[attributes]
> >>
> >> Dominick Grift (1):
> >> Describe multiple-decls in secilc.8.xml
> >>
> >> Grégoire Colbert (1):
> >> Fixed bad reference in roleattribute
> >>
> >> James Carter (4):
> >> libsepol/cil: Keep attributes used by generated attributes in neverallow rules
> >> libsepol/cil: Create new keep field for type attribute sets
> >> libsepol: Prevent freeing unitialized value in ibendport handling
> >> libsepol/cil: Improve processing of context rules
> >>
> >> Jan Zarsky (6):
> >> libsepol: reset pointer after free
> >> libsepol: fix memory leak in sepol_bool_query()
> >> libsepol: free ibendport device names
> >>
Re: ANN: SELinux userspace 2.8-rc1 release candidate
> port non-MLS policy in manpage
> sepolicy: support non-MCS policy in manpage
> sepolicy: remove stray space in section "SEE ALSO"
> libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses
> libsepol/cil: __cil_post_db_neverallow_attr_helper() does not use extra_args
> libsepol/cil: fix -Wwrite-strings warning
> libsepol/cil: drop wrong unused attribute
> restorecond: check write() and daemon() results
> Makefile: define a default value for CFLAGS
> sepolicy: do not fail when file_contexts.local or .subs do not exist
> gui: port to Python 3 by migrating to PyGI
> Travis-CI: fix configuration after September's update
> sepolicy: ignore comments and empty lines in file_contexts.subs_dist
> sepolicy: support non-MLS policy in gui
> gui: remove the status bar
> gui: fix parsing of "semodule -lfull" in tab Modules
> gui: delete overridden definition of usersPage.delete()
> gui: remove mappingsPage
> Travis-CI: try working around network issues by retrying downloads
> Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR
> python/sepolicy: Fix translated strings with parameters
> python/sepolicy: Support non-MLS policy
> python/sepolicy: Initialize policy.ports as a dict in generate.py
> libsepol: cil: show an error when cil_expr_to_string() fails
> libsemanage: silence clang static analyzer report
> libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
> libsepol: do not dereference NULL if stack_init fails
> libsepol: ensure the level context is not empty
> libselinux: label_file: fix memory management in store_stem()
> libselinux: fix memory leak in getconlist
> libselinux: remove unused variable usercon
>
> Petr Lautrbach (12):
> libselinux: Add support for pcre2 to pkgconfig definition
> python/semanage: drop *_ini functions
> python/semanage: Don't use global setup variable
> python/semanage: Enforce noreload only if it's requested by -N option
> libsemanage: Use umask(0077) for fopen() write operations
> python/semanage: make seobject.py backward compatible
> python/semanage: bring semanageRecords.set_reload back
> gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
> gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
> python/sepolicy: Use list instead of map
> python/sepolicy: Do not use types.BooleanType
> gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
>
> Richard Haines (3):
> libselinux: Correct manpages regarding removable_context
> libsemanage: Return commit number if save-previous false
> libsemanage: Allow tmp files to be kept if a compile fails
>
> Richard Haines via Selinux (1):
> selinux: Add support for the SCTP portcon keyword
>
> Stephen Smalley (4):
> checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
> semodule-utils: remove semodule_deps
> libsepol: Export sepol_polcap_getnum/name functions
> Update VERSION files to 2.8-rc1
>
> Tri Vo (1):
> Resolve conflicts in expandattribute.
>
> Vit Mojzis (18):
> libsemanage: Keep copy of file_contexts.homedirs in policy store
> libsemanage: Add support for listing fcontext.homedirs file
> python/semanage: Enable listing file_contexts.homedirs
> python/semanage: Fix export of ibendport entries
> python/semanage: Update Infiniband code to work on python3
> python/semanage: Remove redundant and broken moduleRecords.modify()
> semodule-utils/semodule_package: fix semodule_unpackage man page
> libsemanage: Improve warning for installing disabled module
> gui/semanagePage: Close "edit" and "add" dialogues when successfull
> gui/fcontextPage: Set default object class in addDialog
> libsemanage: remove access() check to make setuid programs work
> libsemanage: remove access() check to make setuid programs work
> libsemanage: replace access() checks to make setuid programs work
> libsemanage/direct_api.c: Fix iterating over array
> policycoreutils/semodule: Improve man page and unify it with --help
> policycoreutils/semodule: Allow enabling/disabling multiple modules at once
> python/sepolgen: Try to translate SELinux contexts to raw
> libsemanage: do not change file mode of seusers and users_extra
>
> Yuli Khodorkovskiy (3):
> secilc: Fix documentation build for OS X systems
> libselinux: verify file_contexts when using restorecon
> libselinux: echo line number of bad label in selabel_fini()
>
Re: [PATCH] libsemanage: do not change file mode of seusers and users_extra
On Thu, Apr 12, 2018 at 01:22:40PM -0400, Stephen Smalley wrote: > On 04/12/2018 11:07 AM, Stephen Smalley wrote: > > On 04/12/2018 06:26 AM, Vit Mojzis wrote: > >> Commit 8702a865e08b5660561e194a83e4a363061edc03 causes file mode of > >> seusers and users_extra to change based on the value defined in config > >> file whenever direct_commit is called and policy is not rebuilt. > >> (e.g. when setting a boolean). > >> > >> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1512639 > > > > I think this patch is correct and expect to apply it, but am left wondering > > about the permissions > > on /var/lib/selinux/targeted in general. It appears that we are > > inconsistent in our file modes > > on files under /var/lib/selinux/targeted/active, e.g. > > file_contexts.homedirs, *.local, and modules/*/* are 0644, > > whereas other files are 0600. Of course, given that the directories are > > 0600, only root can even lookup files under > > these directories regardless of their individual file modes so it isn't as > > though those files are truly accessible. > > Looks like there are other uses of sh->conf->file_mode that are suspect in > > semanage_direct_commit() for files > > in the store, whereas I think it should only be used for installed files > > (i.e. /etc/selinux/targeted/*). > > Actually, we seem to be inconsistent even among different modules; some seem > to be 0600 and others 0644, likely due > to some being prebuilt/prepackaged that way and others installed via semodule > -i. Also, policy.kern and policy.linked are presently 0644. > > On a separate but related note, rpm -V selinux-policy-targeted output seems > somewhat surprising, e.g. wouldn't expect file_contexts.local, commit_num, > etc to be managed by rpm itself. Not sure it should be managing > /var/lib/selinux at all. Note that /etc/selinux/targeted/modules/active has been part of selinux-policy-targeted since 2011. file_contexts.local is in /etc/selinux and is shipped with %config(noreplace).
It means it's preserved during updates and `rpm -qf /etc/selinux/targeted/contexts/files/file_contexts.local` shows the relevant package. The other files shown by `rpm -V` probably do not need to be included in the package. As far as I know we need to ship the SELinux store in /var/lib/selinux as a whole for systems using OSTree where packages are not installed, i.e. post installation scripts are not run, but they are just extracted to a filesystem. > > > >> > >> $ ll /var/lib/selinux/targeted/active/users_extra > >> -rw---. 1 root root 101 11. dub 17.31 > >> /var/lib/selinux/targeted/active/users_extra > >> $ ll /var/lib/selinux/targeted/active/seusers > >> -rw---. 1 root root 73 11. dub 17.31 > >> /var/lib/selinux/targeted/active/seusers > >> $ semanage boolean -m --on httpd_can_network_connect > >> $ ll /var/lib/selinux/targeted/active/seusers > >> -rw-r--r--. 1 root root 73 23. bře 16.59 > >> /var/lib/selinux/targeted/active/seusers > >> $ ll /var/lib/selinux/targeted/active/users_extra > >> -rw-r--r--. 1 root root 101 23. bře 16.59 > >> /var/lib/selinux/targeted/active/users_extra > >> $ rpm -Vq selinux-policy-targeted > >> .M.T./var/lib/selinux/targeted/active/seusers > >> .M.T./var/lib/selinux/targeted/active/users_extra > >> > >> Signed-off-by: Vit Mojzis > >> --- > >> libsemanage/src/direct_api.c | 4 ++-- > >> 1 file changed, 2 insertions(+), 2 deletions(-) > >> > >> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > >> index e7ec952f..c58961be 100644 > >> --- a/libsemanage/src/direct_api.c > >> +++ b/libsemanage/src/direct_api.c > >> @@ -1481,7 +1481,7 @@ rebuild: > >>retval = semanage_copy_file(path, > >>semanage_path(SEMANAGE_TMP, > >> > >> SEMANAGE_STORE_SEUSERS), > >> - sh->conf->file_mode); > >> + 0); > >>if (retval < 0) > >>goto cleanup; > >>pseusers->dtable->drop_cache(pseusers->dbase);
> >> @@ -1499,7 +1499,7 @@ rebuild: > >>retval = semanage_copy_file(path, > >>semanage_path(SEMANAGE_TMP, > >> > >> SEMANAGE_USERS_EXTRA), > >> - sh->conf->file_mode); > >> + 0); > >>if (retval < 0) > >>goto cleanup; > >>pusers_extra->dtable->drop_cache(pusers_extra->dbase); > >> > > >
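Review bot: in the first hunk (the SEMANAGE_STORE_SEUSERS copy at line 1481) the mode argument of semanage_copy_file() changes from sh->conf->file_mode to a bare 0, and nothing in the hunk says what the callee does with a zero mode; if 0 means "keep the source file's mode", a one-line comment at the call site or a named constant would make that explicit, because on its own `+ 0);` reads like "no permissions at all".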
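Review bot: the second hunk (SEMANAGE_USERS_EXTRA at line 1499) makes the identical substitution, while the discussion above points out that other sh->conf->file_mode uses in semanage_direct_commit() also apply to files inside the store rather than to installed files; the commit message should say that only seusers and users_extra are being fixed here and that the remaining call sites are deliberately left for a follow-up, so the partial fix is not mistaken for the complete one.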
Re: [PATCH] libsemanage: replace access() checks to make setuid programs work
On Fri, Mar 09, 2018 at 04:39:44PM +0100, Vit Mojzis wrote: > access() uses real UID instead of effective UID which causes false > negative checks in setuid programs. > Replace access() calls (mostly tests for file existence) by stat(). > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 > > Signed-off-by: Vit Mojzis > --- > libsemanage/src/direct_api.c | 137 > +-- > libsemanage/src/semanage_store.c | 11 +++- > 2 files changed, 98 insertions(+), 50 deletions(-) > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > index 92d7517d..439122df 100644 > --- a/libsemanage/src/direct_api.c > +++ b/libsemanage/src/direct_api.c > @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh) > int semanage_direct_connect(semanage_handle_t * sh) > { > const char *path; > + struct stat sb; > > if (semanage_check_init(sh, sh->conf->store_root_path)) > goto err; > @@ -302,10 +303,16 @@ int semanage_direct_connect(semanage_handle_t * sh) > > /* set the disable dontaudit value */ > path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT); > - if (access(path, F_OK) == 0) > + > + if (stat(path, &sb) == 0) > sepol_set_disable_dontaudit(sh->sepolh, 1); > - else > + else if (errno == ENOENT) { > + /* The file does not exist */ > sepol_set_disable_dontaudit(sh->sepolh, 0); > + } else { > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > + goto err; > + } > > return STATUS_SUCCESS; > > @@ -1139,6 +1146,7 @@ static int > semanage_compile_hll_modules(semanage_handle_t *sh, > int status = 0; > int i; > char cil_path[PATH_MAX]; > + struct stat sb; > > assert(sh); > assert(modinfos); 
> @@ -1155,9 +1163,13 @@ static int > semanage_compile_hll_modules(semanage_handle_t *sh, > } > > if (semanage_get_ignore_module_cache(sh) == 0 && > - access(cil_path, F_OK) == 0) { > + (status = stat(cil_path, &sb)) == 0) { > continue; > } > + if (status != 0 && errno != ENOENT) { > + ERR(sh, "Unable to access %s: %s\n", cil_path, > strerror(errno)); > + goto cleanup; //an error in the "stat" call > + } > > status = semanage_compile_module(sh, &modinfos[i]); > if (status < 0) { > @@ -1196,6 +1208,7 @@ static int semanage_direct_commit(semanage_handle_t * > sh) > struct cil_db *cildb = NULL; > semanage_module_info_t *modinfos = NULL; > mode_t mask = umask(0077); > + struct stat sb; > > int do_rebuild, do_write_kernel, do_install; > int fcontexts_modified, ports_modified, seusers_modified, > @@ -1234,10 +1247,16 @@ static int semanage_direct_commit(semanage_handle_t * > sh) > > /* Create or remove the disable_dontaudit flag file. */ > path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); > - if (access(path, F_OK) == 0) > + if (stat(path, &sb) == 0) > do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1); > - else > + else if (errno == ENOENT) { > + /* The file does not exist */ > do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1); > + } else { > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > + retval = -1; > + goto cleanup; > + } > if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { > FILE *touch; > touch = fopen(path, "w"); 
> @@ -1259,10 +1278,17 @@ static int semanage_direct_commit(semanage_handle_t * > sh) > > /* Create or remove the preserve_tunables flag file. */ > path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES); > - if (access(path, F_OK) == 0) > + if (stat(path, &sb) == 0) > do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1); > - else > + else if (errno == ENOENT) { > + /* The file does not exist */ > do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1); > + } else { > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > + retval = -1; > + goto cleanup; > + } > + > if (sepol_get_preserve_tunables(sh->sepolh) == 1) { > FILE *touch; > touch = fopen(path, "w"); > @@ -1299,40 +1325,25 @@ static int semanage_direct_commit(semanage_handle_t * > sh) >* a rebuild. >*/ > if (!do_rebuild) { > - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); > - if (access(path, F_OK) != 0) { > - do_rebuild = 1; > - goto rebuild; > -
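Review bot: the new error branch in semanage_direct_connect() (hunk at line 302) formats strerror(errno), and the hunk at line 140 adds `struct stat sb`, but no include changes are shown; confirm that <errno.h>, <string.h> and <sys/stat.h> are already included in direct_api.c rather than arriving transitively, since the pre-patch access() code needed only <unistd.h>.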
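Review bot: in semanage_compile_hll_modules() (hunk at line 1155) the stat() call is assigned inside a short-circuited condition, `if (semanage_get_ignore_module_cache(sh) == 0 && (status = stat(cil_path, &sb)) == 0)`, so when the module cache is ignored stat() never runs and the following `if (status != 0 && errno != ENOENT)` inspects a stale status and a stale errno left over from whatever ran before. Call stat() in its own statement, guarded by the cache check, and test its result directly; the `//an error in the "stat" call` comment should also use the /* */ style used elsewhere in the file.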
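Review bot: the disable_dontaudit check in semanage_direct_commit() (hunk at line 1234) is the third copy of the same stat() / `else if (errno == ENOENT)` / ERR-and-bail pattern in this patch, after semanage_direct_connect() and before the preserve_tunables check; a small static helper returning 1 (present), 0 (ENOENT) or -1 (any other error, with errno preserved) would keep the three error paths identical and cut the repeated `retval = -1; goto cleanup;` blocks down to one line each.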
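As an added illustration of the existence check the patch introduces (example code written for this page, not part of libsemanage), the stat()-based test is broken out below into a helper that returns 1, 0 or -1, distinguishing "absent" (ENOENT) from every other failure, and is exercised against constructed paths under a private temporary directory. The names path_exists, path_exists_access and demo are assumptions for this example. The access() variant is included only to show that it collapses "absent" and "error" into one answer; the real-versus-effective UID difference described in the commit message only shows up when the binary actually runs setuid, which this example does not attempt.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Existence check in the style of the patch: stat() evaluates directory
 * lookup against the effective credentials, and only ENOENT means "absent".
 * Any other errno (EACCES, ENOTDIR, ELOOP, ...) is reported as an error so a
 * permission or layout problem is never mistaken for a missing file.
 * Returns 1 if present, 0 if absent, -1 on error (errno is left intact). */
int path_exists(const char *path)
{
    struct stat sb;

    if (stat(path, &sb) == 0)
        return 1;
    if (errno == ENOENT)
        return 0;
    return -1;
}

/* The pre-patch idiom, for comparison: access(F_OK) answers for the real
 * uid/gid and returns the same "not 0" for absent and for unreadable paths. */
int path_exists_access(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Demonstration on constructed paths (assumed layout, created on the fly).
 * Returns 0 when every expectation holds, nonzero otherwise. */
int demo(void)
{
    char dir[] = "/tmp/stat-demo-XXXXXX";   /* template for mkdtemp() */
    char file[64], below_file[80], missing[64];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(file, sizeof file, "%s/flag", dir);
    snprintf(below_file, sizeof below_file, "%s/flag/child", dir);
    snprintf(missing, sizeof missing, "%s/absent", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rmdir(dir);
        return 1;
    }
    close(fd);

    rc |= (path_exists(file) != 1);      /* present */
    rc |= (path_exists(missing) != 0);   /* absent: ENOENT */
    /* a regular file used as a directory component is ENOTDIR, not "absent" */
    rc |= (path_exists(below_file) != -1 || errno != ENOTDIR);
    /* access() cannot tell these two cases apart */
    rc |= (path_exists_access(missing) != 0);
    rc |= (path_exists_access(below_file) != 0);

    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();

    printf("%s\n", rc == 0 ? "all checks passed" : "a check failed");
    return rc;
}
```

The helper mirrors the three-way outcome the patch encodes inline at each call site; a caller that only wants a boolean can treat -1 as "abort the operation", which is exactly what the patch's `goto cleanup` paths do.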
Re: [PATCH v2 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
On Sun, Mar 11, 2018 at 11:15:27PM +0100, Nicolas Iooss wrote: > libselinux and libsemanage Makefiles invoke site.getsitepackages() in > order to get the path to the directory /usr/lib/pythonX.Y/site-packages > that matches the Python interpreter chosen with $(PYTHON). This method > is incompatible with Python virtual environments, as described in > https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . > This issue has been opened for more than 5 years. > > On the contrary python/semanage/ and python/sepolgen/ Makefiles use > distutils.sysconfig.get_python_lib() in order to get the site-packages > path into a variable named PYTHONLIBDIR. This way of computing > PYTHONLIBDIR is compatible with virtual environments and gives the same > result as PYSITEDIR. > > As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and > libsemanage Makefiles use it. And as native code is installed (as part > of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 > on systems which distinguish /usr/lib64 from /usr/lib. > > Signed-off-by: Nicolas Iooss Looks good to me. Thanks! https://github.com/SELinuxProject/selinux/pull/86 Acked-by: Petr Lautrbach > --- > v2: add plat_specific=1 > > .travis.yml | 5 + > libselinux/src/Makefile | 10 +- > libsemanage/src/Makefile | 8 > 3 files changed, 10 insertions(+), 13 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index 0312e996e333..63c7a544aa45 100644 > --- a/.travis.yml > +++ b/.travis.yml 
> @@ -96,9 +96,6 @@ before_script: >- export PKG_CONFIG_PATH="/opt/python/$($PYTHON -c 'import > sys;print("%d.%d.%d" % sys.version_info[:3])')/lib/pkgconfig" ># PyPy does not provide a config file for pkg-config nor a pypy-c.so >- if echo "$PYVER" | grep -q pypy ; then export PYINC=-I$($PYTHON -c > 'import sys;print(sys.prefix)')/include PYLIBS= ; fi > - # Python virtualenvs do not support "import site; > print(site.getsitepackages()[0]" > - # cf. https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 > - - export PYSITEDIR="/usr/lib/$($PYTHON -c 'import sys;print("python%d.%d" > % sys.version_info[:2])')/site-packages" > ># Find the Ruby executable with version $RUBYLIBVER >- export RUBY="$(ls -d -1 "$HOME/.rvm/rubies/ruby-$RUBYLIBVER"*/bin/ruby | > head -n 1)" > @@ -126,7 +123,7 @@ script: ># Set up environment variables for the tests >- export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib" >- export > PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH" > - - export PYTHONPATH="$DESTDIR$PYSITEDIR" > + - export PYTHONPATH="$DESTDIR$($PYTHON -c "from distutils.sysconfig import > *;print(get_python_lib(prefix='/usr'))")" >- export RUBYLIB="$DESTDIR/$($RUBY -e 'puts > RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$($RUBY -e 'puts > RbConfig::CONFIG["vendorarchdir"]')" > ># Show variables (to help debugging issues) > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile > index 18588da586bf..8af04aab0ec2 100644 > --- a/libselinux/src/Makefile > +++ b/libselinux/src/Makefile 
> @@ -14,7 +14,7 @@ SHLIBDIR ?= /lib > INCLUDEDIR ?= $(PREFIX)/include > PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) > PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) > -PYSITEDIR ?= $(shell $(PYTHON) -c 'import site; > print(site.getsitepackages()[0])') > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") > PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in > imp.get_suffixes() if t == imp.C_EXTENSION][0])') > RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + > RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') > RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " > -L" + RbConfig::CONFIG["archlibdir"] + " " + > RbConfig::CONFIG["LIBRUBYARG_SHARED"]') > @@ -191,10 +191,10 @@ install: all > ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) > $(DESTDIR)$(LIBDIR)/$(TARGET) > > install-pywrap: pywrap > - test -d $(DESTDIR)$(PYSITEDIR)/selinux || install -m 755 -d > $(DESTDIR)$(PYSITEDIR)/selinux > - install -m 755 $(SWIGSO) $(DESTDIR)$(PYSITEDIR)/_selinux$(PYCEXT) > - install -m 755 $(AUDIT2WHYSO)
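Review bot: in the .travis.yml hunk the new PYTHONPATH is derived with get_python_lib(prefix='/usr') and no plat_specific flag, while the libselinux/src/Makefile hunk installs the SWIG modules with get_python_lib(plat_specific=1, prefix='$(PREFIX)'); on a system that separates /usr/lib64 from /usr/lib these resolve to different directories, so the tests would import from a path install-pywrap never writes to. Pass plat_specific=1 in both places, or export the Makefile's PYTHONLIBDIR value into the test environment instead of recomputing it.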
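Review bot: the libselinux/src/Makefile hunk renames PYSITEDIR to PYTHONLIBDIR with a `?=` assignment, so a packager who still passes PYSITEDIR=... on the make command line gets no error and the modules silently land in the default location; the commit message or the README should call out the renamed variable, and every `$(DESTDIR)$(PYSITEDIR)` in install-pywrap (the removed lines at the end of the hunk show several) has to be converted, since a leftover reference would expand to `$(DESTDIR)/selinux`.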
Re: [PATCH] libsemanage: replace access() checks to make setuid programs work
On Fri, Mar 09, 2018 at 10:51:20AM -0500, Stephen Smalley wrote: > On 03/09/2018 10:39 AM, Vit Mojzis wrote: > > access() uses real UID instead of effective UID which causes false > > negative checks in setuid programs. > > Replace access() calls (mostly tests for file existence) by stat(). > > > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 > > Thanks, I've put this up as a PR for testing here: > https://github.com/SELinuxProject/selinux/pull/84 > > I won't be around next week so someone else can merge it or I will get to it > when I return. This is merged now. Thanks! > > > > Signed-off-by: Vit Mojzis > > --- > > libsemanage/src/direct_api.c | 137 > > +-- > > libsemanage/src/semanage_store.c | 11 +++- > > 2 files changed, 98 insertions(+), 50 deletions(-) > > > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > > index 92d7517d..439122df 100644 > > --- a/libsemanage/src/direct_api.c > > +++ b/libsemanage/src/direct_api.c > > @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh) > > int semanage_direct_connect(semanage_handle_t * sh) > > { > > const char *path; > > + struct stat sb; > > > > if (semanage_check_init(sh, sh->conf->store_root_path)) > > goto err; > > @@ -302,10 +303,16 @@ int semanage_direct_connect(semanage_handle_t * sh) > > > > /* set the disable dontaudit value */ > > path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT); > > - if (access(path, F_OK) == 0) > > + > > + if (stat(path, &sb) == 0) > > sepol_set_disable_dontaudit(sh->sepolh, 1); > > - else > > + else if (errno == ENOENT) { > > + /* The file does not exist */ > > sepol_set_disable_dontaudit(sh->sepolh, 0); > > + } else { > > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > > + goto err; > > + } > > > > return STATUS_SUCCESS; 
> > > > @@ -1139,6 +1146,7 @@ static int > > semanage_compile_hll_modules(semanage_handle_t *sh, > > int status = 0; > > int i; > > char cil_path[PATH_MAX]; > > + struct stat sb; > > > > assert(sh); > > assert(modinfos); > > @@ -1155,9 +1163,13 @@ static int > > semanage_compile_hll_modules(semanage_handle_t *sh, > > } > > > > if (semanage_get_ignore_module_cache(sh) == 0 && > > - access(cil_path, F_OK) == 0) { > > + (status = stat(cil_path, &sb)) == 0) { > > continue; > > } > > + if (status != 0 && errno != ENOENT) { > > + ERR(sh, "Unable to access %s: %s\n", cil_path, > > strerror(errno)); > > + goto cleanup; //an error in the "stat" call > > + } > > > > status = semanage_compile_module(sh, &modinfos[i]); > > if (status < 0) { > > @@ -1196,6 +1208,7 @@ static int semanage_direct_commit(semanage_handle_t * > > sh) > > struct cil_db *cildb = NULL; > > semanage_module_info_t *modinfos = NULL; > > mode_t mask = umask(0077); > > + struct stat sb; > > > > int do_rebuild, do_write_kernel, do_install; > > int fcontexts_modified, ports_modified, seusers_modified, > > @@ -1234,10 +1247,16 @@ static int semanage_direct_commit(semanage_handle_t > > * sh) > > > > /* Create or remove the disable_dontaudit flag file. */ > > path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); > > - if (access(path, F_OK) == 0) > > + if (stat(path, &sb) == 0) > > do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1); > > - else > > + else if (errno == ENOENT) { > > + /* The file does not exist */ > > do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1); > > + } else { > > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > > + retval = -1; > > + goto cleanup; > > + } > > if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { > > FILE *touch; > > touch = fopen(path, "w"); 
> > @@ -1259,10 +1278,17 @@ static int semanage_direct_commit(semanage_handle_t > > * sh) > > > > /* Create or remove the preserve_tunables flag file. */ > > path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES); > > - if (access(path, F_OK) == 0) > > + if (stat(path, &sb) == 0) > > do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1); > > - else > > + else if (errno == ENOENT) { > > + /* The file does not exist */ > > do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1); > > + } else { > > + ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); > > + retval = -1; > > + goto cleanup; > > + } > > + > > if (sepol_get_preserve_tunables(sh->sepolh) == 1) { > > FILE *touch; > > touch = fopen(p
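Review bot: in the preserve_tunables hunk (line 1259), as in the disable_dontaudit one before it, the old `else` is replaced by `else if (errno == ENOENT)` plus an error branch that sets `retval = -1; goto cleanup;`. Before the patch any failure to access the flag file was treated as "flag not set"; now a permission or I/O error on that file aborts the whole commit. That is the right behaviour for a setuid caller, but it is a visible change for existing callers and should be stated in the commit message alongside the real-versus-effective UID rationale.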
Re: [PATCH 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
On Fri, Mar 09, 2018 at 03:39:13PM +0100, Petr Lautrbach wrote: > On Fri, Mar 09, 2018 at 08:55:11AM -0500, Stephen Smalley wrote: > > On 03/09/2018 07:25 AM, Petr Lautrbach wrote: > > > On Thu, Mar 08, 2018 at 10:19:26PM +0100, Nicolas Iooss wrote: > > >> On Thu, Mar 8, 2018 at 8:34 PM, Stephen Smalley > > >> wrote: > > >>> On 03/06/2018 04:19 PM, Stephen Smalley wrote: > > >>>> On 03/05/2018 05:16 PM, Nicolas Iooss wrote: > > >>>>> libselinux and libsemanage Makefiles invoke site.getsitepackages() in > > >>>>> order to get the path to the directory > > >>>>> /usr/lib/pythonX.Y/site-packages > > >>>>> that matches the Python interpreter chosen with $(PYTHON). This method > > >>>>> is incompatible with Python virtual environments, as described in > > >>>>> https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . > > >>>>> This issue has been opened for more than 5 years. > > >>>>> > > >>>>> On the contrary python/semanage/ and python/sepolgen/ Makefiles use > > >>>>> distutils.sysconfig.get_python_lib() in order to get the site-packages > > >>>>> path into a variable named PYTHONLIBDIR. This way of computing > > >>>>> PYTHONLIBDIR is compatible with virtual environments and gives the > > >>>>> same > > >>>>> result as PYSITEDIR. > > >>>>> > > >>>>> As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux > > >>>>> and > > >>>>> libsemanage Makefiles use it. > > >>>> > > >>>> On Fedora x86_64, this changes the install location from /usr/lib64 to > > >>>> /usr/lib. > > >>> > > >>> That said I agree we ought to be consistent, and it does seem that we > > >>> are not currently. > > >>> I'm just not sure what the best fix is in this case and the impact on > > >>> distro packagers. > > >> > > >> Good point. I have read > > >> https://marc.info/?l=selinux&m=151670320132614&w=2 too quickly (and > > >> missed "given that there's only pure python modules"). 
This message > > >> suggests that using get_python_lib(plat_specific=1) would keep > > >> /usr/lib64 on Fedora (unfortunately I only have access to Debian, > > >> Ubuntu and Arch Linux systems right now so I am not able to test). > > > > > > On Fedora Rawhide: > > > > > >>>> get_python_lib() > > > '/usr/lib/python3.6/site-packages' > > >>>> get_python_lib(plat_specific=1) > > > '/usr/lib64/python3.6/site-packages' > > >>>> get_python_lib(prefix='/usr/local') > > > '/usr/local/lib/python3.6/site-packages' > > >>>> get_python_lib(prefix='/usr/local', plat_specific=1) > > > '/usr/local/lib64/python3.6/site-packages' > > > > > > > > >> And > > >> to be consistent, I suggest naming the variable differently from > > >> PYTHONLIBDIR. For example: > > >> > > >> PYTHONPLATLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig > > >> import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") > > >> > > >> ... or PYPLATLIBDIR if PYTHONPLATLIBDIR is too long. Or we also can > > >> keep the name PYSITEDIR while changing its definition, in order to > > >> minimize the impact. What would be acceptable? > > >> > > > > > > Given that libselinux and libsemanage provide only extension SWIG > > > generated > > > modules I'd just set plat_specific=1 and use PYTHONLIBDIR in this case. > > > > Looking at the Fedora packages (on 27), I see that: > > > > 1) libselinux-python{3} and libsemanage-python{3} put all of their files > > under /usr/lib64 > > 2) policycoreutils-python puts sepolicy under /usr/lib but the rest (e.g.
> > seobject, sepolgen) under /usr/lib64 > > > > Meanwhile, a "make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap > > relabel" from selinux userspace (as per the README) installs the libselinux > > and libsemanage python modules under /usr/lib64 (the same as the Fedora > > packages) but all of the former policycoreutils ones (now python/*) under > > /usr/lib, and this seems to have been a change as part of Marcus' recent > > patch series (python: build: move modules from platform-specific to > > platform-shared). > > > > So is Fedora also going to move all of the policycoreutils-python modules > > to /usr/lib (maybe this has already happened in rawhide)? > > Yes. Everything from python/ will be moved to /usr/lib to follow the Marcus > change. Currently, it's not in Fedora as I haven't rebased packages yet but > it should > happen soon in F28 and Rawhide. > A test policycoreutils build based on latest changes can be found in my plautrba/selinux-fedora COPR repo [1] $ rpm -qpl python2-policycoreutils-2.7-99.fc29.20180309170801.x86_64.rpm python3-policycoreutils-2.7-99.fc29.20180309170801.x86_64.rpm | grep /usr/lib64/ | wc -l 0 $ rpm -qpl python2-policycoreutils-2.7-99.fc29.20180309170801.x86_64.rpm python3-policycoreutils-2.7-99.fc29.20180309170801.x86_64.rpm | grep /usr/lib/ | wc -l 349 [1] https://copr.fedorainfracloud.org/coprs/build/726366/
Re: [PATCH 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
On Fri, Mar 09, 2018 at 08:55:11AM -0500, Stephen Smalley wrote: > On 03/09/2018 07:25 AM, Petr Lautrbach wrote: > > On Thu, Mar 08, 2018 at 10:19:26PM +0100, Nicolas Iooss wrote: > >> On Thu, Mar 8, 2018 at 8:34 PM, Stephen Smalley wrote: > >>> On 03/06/2018 04:19 PM, Stephen Smalley wrote: > >>>> On 03/05/2018 05:16 PM, Nicolas Iooss wrote: > >>>>> libselinux and libsemanage Makefiles invoke site.getsitepackages() in > >>>>> order to get the path to the directory /usr/lib/pythonX.Y/site-packages > >>>>> that matches the Python interpreter chosen with $(PYTHON). This method > >>>>> is incompatible with Python virtual environments, as described in > >>>>> https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . > >>>>> This issue has been opened for more than 5 years. > >>>>> > >>>>> On the contrary python/semanage/ and python/sepolgen/ Makefiles use > >>>>> distutils.sysconfig.get_python_lib() in order to get the site-packages > >>>>> path into a variable named PYTHONLIBDIR. This way of computing > >>>>> PYTHONLIBDIR is compatible with virtual environments and gives the same > >>>>> result as PYSITEDIR. > >>>>> > >>>>> As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and > >>>>> libsemanage Makefiles use it. > >>>> > >>>> On Fedora x86_64, this changes the install location from /usr/lib64 to > >>>> /usr/lib. > >>> > >>> That said I agree we ought to be consistent, and it does seem that we are > >>> not currently. > >>> I'm just not sure what the best fix is in this case and the impact on > >>> distro packagers. > >> > >> Good point. I have read > >> https://marc.info/?l=selinux&m=151670320132614&w=2 too quickly (and > >> missed "given that there's only pure python modules"). This message > >> suggests that using get_python_lib(plat_specific=1) would keep > >> /usr/lib64 on Fedora (unfortunately I only have access to Debian, > >> Ubuntu and Arch Linux systems right now so I am not able to test).
> > > > On Fedora Rawhide: > > > >>>> get_python_lib() > > '/usr/lib/python3.6/site-packages' > >>>> get_python_lib(plat_specific=1) > > '/usr/lib64/python3.6/site-packages' > >>>> get_python_lib(prefix='/usr/local') > > '/usr/local/lib/python3.6/site-packages' > >>>> get_python_lib(prefix='/usr/local', plat_specific=1) > > '/usr/local/lib64/python3.6/site-packages' > > > > > >> And > >> to be consistent, I suggest naming the variable differently from > >> PYTHONLIBDIR. For example: > >> > >> PYTHONPLATLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig > >> import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") > >> > >> ... or PYPLATLIBDIR if PYTHONPLATLIBDIR is too long. Or we also can > >> keep the name PYSITEDIR while changing its definition, in order to > >> minimize the impact. What would be acceptable? > >> > > > > Given that libselinux and libsemanage provide only extension SWIG generated > > modules I'd just set plat_specific=1 and use PYTHONLIBDIR in this case. > > Looking at the Fedora packages (on 27), I see that: > > 1) libselinux-python{3} and libsemanage-python{3} put all of their files > under /usr/lib64 > 2) policycoreutils-python puts sepolicy under /usr/lib but the rest (e.g. > seobject, sepolgen) under /usr/lib64 > > Meanwhile, a "make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap > relabel" from selinux userspace (as per the README) installs the libselinux > and libsemanage python modules under /usr/lib64 (the same as the Fedora > packages) but all of the former policycoreutils ones (now python/*) under > /usr/lib, and this seems to have been a change as part of Marcus' recent > patch series (python: build: move modules from platform-specific to > platform-shared). > > So is Fedora also going to move all of the policycoreutils-python modules to > /usr/lib (maybe this has already happened in rawhide)? Yes. Everything from python/ will be moved to /usr/lib to follow the Marcus change.
Currently, it's not in Fedora as I haven't rebased packages yet but it should happen soon in F28 and Rawhide.
Re: [PATCH 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
On Thu, Mar 08, 2018 at 10:19:26PM +0100, Nicolas Iooss wrote: > On Thu, Mar 8, 2018 at 8:34 PM, Stephen Smalley wrote: > > On 03/06/2018 04:19 PM, Stephen Smalley wrote: > >> On 03/05/2018 05:16 PM, Nicolas Iooss wrote: > >>> libselinux and libsemanage Makefiles invoke site.getsitepackages() in > >>> order to get the path to the directory /usr/lib/pythonX.Y/site-packages > >>> that matches the Python interpreter chosen with $(PYTHON). This method > >>> is incompatible with Python virtual environments, as described in > >>> https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . > >>> This issue has been opened for more than 5 years. > >>> > >>> On the contrary python/semanage/ and python/sepolgen/ Makefiles use > >>> distutils.sysconfig.get_python_lib() in order to get the site-packages > >>> path into a variable named PYTHONLIBDIR. This way of computing > >>> PYTHONLIBDIR is compatible with virtual environments and gives the same > >>> result as PYSITEDIR. > >>> > >>> As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and > >>> libsemanage Makefiles use it. > >> > >> On Fedora x86_64, this changes the install location from /usr/lib64 to > >> /usr/lib. > > > > That said I agree we ought to be consistent, and it does seem that we are > > not currently. > > I'm just not sure what the best fix is in this case and the impact on > > distro packagers. > > Good point. I have read > https://marc.info/?l=selinux&m=151670320132614&w=2 too quickly (and > missed "given that there's only pure python modules"). This message > suggests that using get_python_lib(plat_specific=1) would keep > /usr/lib64 on Fedora (unfortunately I only have access to Debian, > Ubuntu and Arch Linux systems right now so I am not able to test).
On Fedora Rawhide: >>> get_python_lib() '/usr/lib/python3.6/site-packages' >>> get_python_lib(plat_specific=1) '/usr/lib64/python3.6/site-packages' >>> get_python_lib(prefix='/usr/local') '/usr/local/lib/python3.6/site-packages' >>> get_python_lib(prefix='/usr/local', plat_specific=1) '/usr/local/lib64/python3.6/site-packages' > And > to be consistent, I suggest naming the variable differently from > PYTHONLIBDIR. For example: > > PYTHONPLATLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig > import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") > > ... or PYPLATLIBDIR if PYTHONPLATLIBDIR is too long. Or we also can > keep the name PYSITEDIR while changing its definition, in order to > minimize the impact. What would be acceptable? > Given that libselinux and libsemanage provide only extension SWIG generated modules I'd just set plat_specific=1 and use PYTHONLIBDIR in this case. > Cheers, > Nicolas >
[PATCH] gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
Fixes: /usr/share/system-config-selinux/polgengui.py:679: PyGIDeprecationWarning: Deprecated, please use stop_emission_by_name. entry.emit_stop_by_name("insert_text") Signed-off-by: Petr Lautrbach --- This is based on the set of patches related to polgengui.py: https://marc.info/?l=selinux&m=151860211514842&w=2 https://marc.info/?l=selinux&m=151864307629079&w=2 https://marc.info/?l=selinux&m=151864311929090&w=2 https://marc.info/?l=selinux&m=151864316529106&w=2 gui/polgengui.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gui/polgengui.py b/gui/polgengui.py index cd73ea6d..1601dbef 100644 --- a/gui/polgengui.py +++ b/gui/polgengui.py @@ -674,7 +674,7 @@ class childWindow: def on_name_entry_changed(self, entry, text, size, position): if text.find(" ") >= 0: -entry.emit_stop_by_name("insert_text") +entry.stop_emission_by_name("insert-text") def on_focus_out_event(self, entry, third): name = entry.get_text() -- 2.16.2
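Review bot: the hunk changes two things at once, the deprecated method call and the signal name spelling, "insert_text" becoming "insert-text". GLib treats '_' and '-' in signal names as equivalent, so both spellings work, but the commit message mentions only the deprecation warning; one sentence saying that the hyphenated form is the canonical signal name and the change is intentional keeps it from reading as an accidental edit, and it would also be worth noting that the connect() call that registers on_name_entry_changed still uses the underscore spelling, so the two remain visibly consistent.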
Re: Update selinux-sepolgengui to be compatible with Gtk3, Python 3
On Thu, Feb 22, 2018 at 04:31:46PM +0100, Petr Lautrbach wrote: > On Sun, Feb 18, 2018 at 07:20:02PM +0100, Nicolas Iooss wrote: > > On Sun, Feb 18, 2018 at 7:09 PM, Nicolas Iooss > > wrote: > > > On Wed, Feb 14, 2018 at 10:53 AM, Petr Lautrbach > > > wrote: > > >> Hi, > > >> > > >> The following set of patches update polgengui.py, rename polgen.glade to > > >> polgen.ui, convert it to new format, and fix some other sepolicy Python 3 > > >> related issues. > > > > > > Hi, > > > I have read and tested these patches and they look good to me. > > (Oops, the mail has been sent before I finished writing it...) > > > > In order to run polgengui on my development system which uses a policy > > without MLS, I needed a patch in sepolicy, that I sent a few days ago > > ("[PATCH 1/3] python/sepolicy: Support non-MLS policy"). With this I > > have been able to play with polgengui and have been surprised by a > > warning which appears on my terminal every time I type anything in the > > "name" field of the form in the second tab ("Enter name of application > > or user role:"): > > > > polgengui.py:778: Warning: g_value_get_int: assertion > > 'G_VALUE_HOLDS_INT (value)' failed > > Gtk.main() > > > > Have you got such a warning on your system? Do you know where this > > warning comes from? For information I use Gtk3 3.22.26 with > > python-gobject 3.26.1. > > > I see it as well. I'll try to find the problem and send a patch for that. It's caused by line 624 in polgengui.py: self.name_entry.connect("insert_text", self.on_name_entry_changed) According to [2][3] it's a long-known problem. There's a suggested fix in [1] but I don't know how to apply it at this moment. Given that it's not fatal and doesn't have a real impact on the code - you can't insert " " into Name value, I'd leave it as it is for now.
[1] https://stackoverflow.com/questions/38815694/gtk-3-position-attribute-on-insert-text-signal-from-gtk-entry-is-always-0 [2] https://bugzilla.gnome.org/show_bug.cgi?id=644927 [3] https://gitlab.gnome.org/GNOME/pygobject/issues/12 There's another deprecation warning: /usr/share/system-config-selinux/polgengui.py:679: PyGIDeprecationWarning: Deprecated, please use stop_emission_by_name. entry.emit_stop_by_name("insert_text") which seems to be easy to fix --- a/gui/polgengui.py +++ b/gui/polgengui.py @@ -674,7 +674,7 @@ class childWindow: def on_name_entry_changed(self, entry, text, size, position): if text.find(" ") >= 0: -entry.emit_stop_by_name("insert_text") +entry.stop_emission_by_name("insert-text") def on_focus_out_event(self, entry, third): name = entry.get_text() I'll send a patch for that. > > > > Anyway, this looks like a harmless warning. Feel free to add > > "Tested-by: Nicolas Iooss " to your patches. > > > > Thanks!
Re: Update selinux-sepolgengui to be compatible with Gtk3, Python 3
On Sun, Feb 18, 2018 at 07:20:02PM +0100, Nicolas Iooss wrote: > On Sun, Feb 18, 2018 at 7:09 PM, Nicolas Iooss wrote: > > On Wed, Feb 14, 2018 at 10:53 AM, Petr Lautrbach > > wrote: > >> Hi, > >> > >> The following set of patches update polgengui.py, rename polgen.glade to > >> polgen.ui, convert it to new format, and fix some other sepolicy Python 3 > >> related issues. > > > > Hi, > > I have read and tested these patches and they look good to me. > (Oops, the mail has been sent before I finished writing it...) > > In order to run polgengui on my development system which uses a policy > without MLS, I needed a patch in sepolicy, that I sent a few days ago > ("[PATCH 1/3] python/sepolicy: Support non-MLS policy"). With this I > have been able to play with polgengui and have been surprised by a > warning which appears on my terminal every time I type anything in the > "name" field of the form in the second tab ("Enter name of application > or user role:"): > > polgengui.py:778: Warning: g_value_get_int: assertion > 'G_VALUE_HOLDS_INT (value)' failed > Gtk.main() > > Have you got such a warning on your system? Do you know where this > warning comes from? For information I use Gtk3 3.22.26 with > python-gobject 3.26.1. I see it as well. I'll try to find the problem and send a patch for that. > > Anyway, this looks like a harmless warning. Feel free to add > "Tested-by: Nicolas Iooss " to your patches. > Thanks!
[PATCH 4/4] python/sepolicy: Do not use types.BooleanType
It was removed from Python 3 Fixes: File "polgengui.py", line 390, in forward self.generate_policy() File "polgengui.py", line 491, in generate_policy my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1) File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py", line 468, in set_use_syslog if not isinstance(val, types.BooleanType): AttributeError: module 'types' has no attribute 'BooleanType' Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/generate.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py index 1b36eb6e..31aa968f 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -459,25 +459,25 @@ class policy: self.out_udp = [all, False, False, verify_ports(ports)] def set_use_resolve(self, val): -if not isinstance(val, types.BooleanType): +if type(val) is not bool: raise ValueError(_("use_resolve must be a boolean value ")) self.use_resolve = val def set_use_syslog(self, val): -if not isinstance(val, types.BooleanType): +if type(val) is not bool: raise ValueError(_("use_syslog must be a boolean value ")) self.use_syslog = val def set_use_kerberos(self, val): -if not isinstance(val, types.BooleanType): +if type(val) is not bool: raise ValueError(_("use_kerberos must be a boolean value ")) self.use_kerberos = val def set_manage_krb5_rcache(self, val): -if not isinstance(val, types.BooleanType): +if type(val) is not bool: raise ValueError(_("manage_krb5_rcache must be a boolean value ")) self.manage_krb5_rcache = val -- 2.16.1
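Review bot: `type(val) is not bool` rejects subclasses of bool, which the old `isinstance(val, types.BooleanType)` accepted; `isinstance(val, bool)` is the direct Python 3 equivalent, reads the same on both interpreters, and keeps the previous semantics. The same check is repeated in all four setters of the hunk (set_use_resolve, set_use_syslog, set_use_kerberos, set_manage_krb5_rcache), so a small shared helper would avoid maintaining it four times. Worth checking whether `types` is still used elsewhere in generate.py; if not, the import can be dropped in the same commit.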
[PATCH 1/4] gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
b43991f9 added direct import of sepolicy but it forgot to import sepolicy.generate and didn't change use of generate to sepolicy.generate Fixes: Traceback (most recent call last): File "/usr/bin/selinux-polgengui", line 778, in app = childWindow() File "/usr/bin/selinux-polgengui", line 205, in __init__ self.all_types = sepolicy.generate.get_all_types() AttributeError: 'module' object has no attribute 'generate' Traceback (most recent call last): File "/usr/share/system-config-selinux/polgengui.py", line 365, in forward if self.on_in_net_page_next(): File "/usr/share/system-config-selinux/polgengui.py", line 701, in on_in_net_page_next generate.verify_ports(self.in_tcp_entry.get_text()) NameError: global name 'generate' is not defined Signed-off-by: Petr Lautrbach --- gui/polgengui.py | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/gui/polgengui.py b/gui/polgengui.py index af6b822b..09723278 100644 --- a/gui/polgengui.py +++ b/gui/polgengui.py @@ -34,7 +34,9 @@ except ValueError as e: sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) sys.exit(1) +import sepolicy.generate import sepolicy.interface + try: from subprocess import getstatusoutput except ImportError: @@ -696,16 +698,16 @@ class childWindow: def on_in_net_page_next(self, *args): try: -generate.verify_ports(self.in_tcp_entry.get_text()) -generate.verify_ports(self.in_udp_entry.get_text()) +sepolicy.generate.verify_ports(self.in_tcp_entry.get_text()) +sepolicy.generate.verify_ports(self.in_udp_entry.get_text()) except ValueError as e: self.error(e.message) return True def on_out_net_page_next(self, *args): try: -generate.verify_ports(self.out_tcp_entry.get_text()) -generate.verify_ports(self.out_udp_entry.get_text()) +sepolicy.generate.verify_ports(self.out_tcp_entry.get_text()) +sepolicy.generate.verify_ports(self.out_udp_entry.get_text()) except ValueError as e: self.error(e.message) return True 
@@ -741,7 +743,7 @@ class childWindow: if exe == "": self.error(_("You must enter a executable")) return True -policy = generate.policy(name, self.get_type()) +policy = sepolicy.generate.policy(name, self.get_type()) policy.set_program(exe) policy.gen_writeable() policy.gen_symbols() -- 2.16.1
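Review bot: in the on_in_net_page_next and on_out_net_page_next hunks the unchanged `self.error(e.message)` lines will fail under Python 3, where exception objects have no `.message` attribute, so a ValueError raised by verify_ports becomes an AttributeError in the handler. `self.error(str(e))` works on both Python 2 and 3; it is pre-existing, but since this series is about Python 3 compatibility and the hunk already touches the try block, it belongs in the same fix.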
[PATCH 3/4] python/sepolicy: Use list instead of map
map() returns an iterator in python3, list in python2 Fixes: File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users users.remove("system_u") AttributeError: 'map' object has no attribute 'remove' Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/generate.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py index d68f96ef..1b36eb6e 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -110,7 +110,7 @@ def get_all_ports(): def get_all_users(): -users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER)) +users = [x['name'] for x in sepolicy.info(sepolicy.USER)] users.remove("system_u") users.remove("root") users.sort() -- 2.16.1
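Review bot: the list comprehension is the right replacement for `map()` here; note that the following `users.remove("system_u")` and `users.remove("root")` context lines still raise ValueError when either user is absent from the loaded policy. That is unchanged by this patch, but a guard (`if "system_u" in users:` or building the list with a filter) would make get_all_users() usable against minimal or custom policies.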
Update selinux-sepolgengui to be compatible with Gtk3, Python 3
Hi, The following set of patches updates polgengui.py, renames polgen.glade to polgen.ui, converts it to the new format, and fixes some other sepolicy Python 3 related issues. Thanks, Petr
Re: [SELinuxProject/selinux] gui: remove selinux-sepolgengui (#77)
On Thu, Jan 25, 2018 at 01:58:46PM -0800, Nicolas Iooss wrote: > Hi, > I sent a few hours ago these two patches on the mailing list, but as the first > one seems to be blocked somewhere (I have only received back the second one), > I am publishing them on Github too, as a Pull Request. > > These patches remove selinux-sepolgengui because this application is not > compatible with Gtk3, Python 3 (it requires PyGTK), etc. and would otherwise > require some effort to update it. > More precisely, even though ``pygi-convert.sh`` updated the code in order to > try making the application compatible with Python 3, PyGI... (in commit > 0f3beeb00e7a42cc2f44ef0392b8a3a7566a17d7), ``polgen.glade`` is still > incompatible with Gtk-Builder (it would need to be converted). I do not want > to spend time converting this file when I see that a bug preventing this > application from launching has been present for more than one year. > polgengui.py is not compatible with Gtk3, Python 3, etc. Moreover it > fails to load at least since the release 2.6-rc1: > > $ python2 /usr/share/system-config-selinux/polgengui.py > Traceback (most recent call last): > File "/usr/share/system-config-selinux/polgengui.py", line 778, in > app = childWindow() > File "/usr/share/system-config-selinux/polgengui.py", line 205, in __init__ > self.all_types = sepolicy.generate.get_all_types() > AttributeError: 'module' object has no attribute 'generate' This particular problem was fixed in Fedora by https://github.com/fedora-selinux/selinux/commit/ecd050d12cde54f3d7a31029be8582223d3d6eba I must have forgotten to re-send it. Sorry. > In fact, this bug has been introduced more than a year ago by commit > b43991f ("policycoreutils: import sepolicy directly"), which > replaced "from sepolicy import generate" with "import sepolicy" instead > of "import sepolicy.generate". > > As no one seems to have noticed, this application seems to be no longer > used. Remove it from gui/.
I'd like to ask to postpone accepting this patch for another 2 weeks. I'll try to port/convert polgengui.py to be compatible with Gtk-Builder. I'll come back either with a patch or with an Ack to drop it. Thanks, Petr > Cheers > You can view, comment on, or merge this pull request online at: > > https://github.com/SELinuxProject/selinux/pull/77 > > -- Commit Summary -- > > * gui: remove selinux-polgengui application > * gui: remove "new" button in Modules page > > -- File Changes -- > > M gui/Makefile (5) > M gui/modulesPage.py (8) > D gui/polgen.glade (2468) > D gui/polgengui.py (779) > D gui/selinux-polgengui.8 (35) > D gui/selinux-polgengui.desktop (66) > M gui/system-config-selinux.ui (12) > > -- Patch Links -- > > https://github.com/SELinuxProject/selinux/pull/77.patch > https://github.com/SELinuxProject/selinux/pull/77.diff > > -- > You are receiving this because you are subscribed to this thread. > Reply to this email directly or view it on GitHub: > https://github.com/SELinuxProject/selinux/pull/77
Re: [PATCH v2 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX
On Tue, Jan 23, 2018 at 08:34:09PM +0100, Marcus Folkesson wrote: > On Mon, Jan 22, 2018 at 09:50:36PM +0100, Nicolas Iooss wrote: > > On 19/01/18 13:07, Marcus Folkesson wrote: > > > Hi Nicolas! > > > > > > On Wed, Jan 17, 2018 at 11:12:56PM +0100, Nicolas Iooss wrote: > > >> On Tue, Jan 16, 2018 at 9:23 PM, Marcus Folkesson > > >> wrote: > > >>> This patch solves the following issues: > > >>> - The pkg-config files generates odd paths when using DESTDIR without > > >>> PREFIX > > >>> - DESTDIR is needed during compile time to compute library and header > > >>> paths which it should not. > > >>> - Installing with both DESTDIR and PREFIX set gives us odd paths > > >>> - Make usage of DESTDIR and PREFIX more standard > > >>> > > >>> Signed-off-by: Marcus Folkesson > > >>> --- > > >>> libselinux/include/Makefile | 4 ++-- > > >>> libselinux/man/Makefile | 7 --- > > >>> libselinux/src/Makefile | 12 +--- > > >>> libselinux/src/libselinux.pc.in | 2 +- > > >>> libselinux/utils/Makefile | 6 ++ > > >>> 5 files changed, 14 insertions(+), 17 deletions(-) > > >>> > > >>> diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile > > >>> index 757a6c9c..3b51f5ce 100644 > > >>> --- a/libselinux/include/Makefile > > >>> +++ b/libselinux/include/Makefile > > >>> @@ -1,6 +1,6 @@ > > >>> # Installation directories. > > >>> -PREFIX ?= $(DESTDIR)/usr > > >>> -INCDIR ?= $(PREFIX)/include/selinux > > >>> +PREFIX ?= /usr > > >>> +INCDIR = $(DESTDIR)$(PREFIX)/include/selinux > > >>> > > >>> all: > > >>> > > >>> diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile > > >>> index 0643e6af..233bfaa9 100644 > > >>> --- a/libselinux/man/Makefile > > >>> +++ b/libselinux/man/Makefile 
> > >>> @@ -1,7 +1,8 @@ > > >>> # Installation directories. > > >>> -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 > > >>> -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 > > >>> -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 > > >>> +PREFIX ?= /usr > > >>> +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 > > >>> +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 > > >>> +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 > > >>> > > >>> all: > > >>> > > >>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile > > >>> index 18df75c8..18a58164 100644 > > >>> --- a/libselinux/src/Makefile > > >>> +++ b/libselinux/src/Makefile > > >>> @@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) > > >>> PKG_CONFIG ?= pkg-config > > >>> > > >>> # Installation directories. > > >>> -PREFIX ?= $(DESTDIR)/usr > > >>> -LIBDIR ?= $(PREFIX)/lib > > >>> +PREFIX ?= /usr > > >>> +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > > >>> SHLIBDIR ?= $(DESTDIR)/lib > > >>> INCLUDEDIR ?= $(PREFIX)/include > > >>> PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) > > >>> @@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s > > >>> for s,m,t in imp.get_suffixe > > >>> RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + > > >>> RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + > > >>> RbConfig::CONFIG["rubyhdrdir"]') > > >>> RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] > > >>> + " -L" + RbConfig::CONFIG["archlibdir"] + " " + > > >>> RbConfig::CONFIG["LIBRUBYARG_SHARED"]') > > >>> RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts > > >>> RbConfig::CONFIG["vendorarchdir"]') > > >>> -LIBBASE ?= $(shell basename $(LIBDIR)) > > >>> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a > > >>> > > >>> VERSION = $(shell cat ../VERSION) > > >>> LIBVERSION = 1 
> > >>> @@ -148,7 +146,7 @@ $(LIBSO): $(LOBJS) > > >>> ln -sf $@ $(TARGET) > > >>> > > >>> $(LIBPC): $(LIBPC).in ../VERSION > > >>> - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; > > >>> s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; > > >>> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ > > >>> + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; > > >>> s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; > > >>> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ > > >>> > > >>> selinuxswig_python_exception.i: ../include/selinux/selinux.h > > >>> bash -e exception.sh > $@ || (rm -f $@ ; false) > > >>> @@ -156,8 +154,8 @@ selinuxswig_python_exception.i: > > >>> ../include/selinux/selinux.h > > >>> $(AUDIT2WHYLOBJ): audit2why.c > > >>> $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED > > >>> -c -o $@ $< > > >>> > > >>> -$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA) > > >>> - $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux > > >>> $(PYLIBS) > > >>> +$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) > > >>> + $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux > > >>> $(PYLIBS) -l:libsepol.a > > >> > > >> Hello, > > >> This change makes audit2why.so no longer being rebuilt when libsepol's > > >> code change. This is an issue when debugging issues in libsepol, which > > >> is why I added $(LIBSEPOLA) to the dependencies of $(AUDIT2WHYSO) in > > >> commit dcd135cc06ab ("Re-link programs
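Review bot: in the `$(LIBPC)` hunk of libselinux/src/Makefile, `s:@libdir@:$(LIBDIR):` now substitutes a value that includes `$(DESTDIR)` (the first hunk of the same file sets `LIBDIR ?= $(DESTDIR)$(PREFIX)/lib`), so libselinux.pc gets the staging path baked into libdir, which is exactly the odd pkg-config path the commit message sets out to fix. Keep a DESTDIR-free value for the .pc substitution (for example `$(PREFIX)/lib` in a separate variable) and use the DESTDIR-prefixed variable only in install rules. The same file also leaves `SHLIBDIR ?= $(DESTDIR)/lib` and `INCLUDEDIR ?= $(PREFIX)/include` untouched, so the install directories now follow three different conventions within one Makefile.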
Re: [PATCH v3 08/14] python: build: follow standard semantics for DESTDIR and PREFIX
On Sun, Jan 21, 2018 at 10:46:11PM +0100, Marcus Folkesson wrote: > Signed-off-by: Marcus Folkesson > --- > python/audit2allow/Makefile | 17 ++--- > python/chcat/Makefile | 8 > python/semanage/Makefile | 11 +-- > python/sepolgen/src/sepolgen/Makefile | 3 ++- > python/sepolicy/Makefile | 18 +- > 5 files changed, 30 insertions(+), 27 deletions(-) > > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile > index 8db8075f..d1d4ca8d 100644 > --- a/python/audit2allow/Makefile > +++ b/python/audit2allow/Makefile > @@ -1,19 +1,22 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -BINDIR ?= $(PREFIX)/bin > -LIBDIR ?= $(PREFIX)/lib > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= /usr/share/locale > -INCLUDEDIR ?= $(PREFIX)/include > -LIBSEPOLA ?= $(LIBDIR)/libsepol.a > +PREFIX ?= /usr > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > > CFLAGS ?= -Werror -Wall -W > > +# If no specific libsepol.a is specified, fall back on LDFLAGS search path > +ifeq ($(LIBSEPOLA),) > + LDFLAGS += -l:libsepol.a > +endif > + > all: audit2why sepolgen-ifgen-attr-helper > > sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA) > + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) > > audit2why: > ln -sf audit2allow audit2why > diff --git a/python/chcat/Makefile b/python/chcat/Makefile > index 0fd12d6d..947734a0 100644 > --- a/python/chcat/Makefile > +++ b/python/chcat/Makefile > @@ -1,8 +1,8 @@ > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -BINDIR ?= $(PREFIX)/bin > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= $(PREFIX)/share/locale > +PREFIX ?= /usr > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale > > .PHONY: all > all: chcat > diff --git a/python/semanage/Makefile b/python/semanage/Makefile > index 132162bc..0218222d 100644 > --- a/python/semanage/Makefile 
> +++ b/python/semanage/Makefile > @@ -1,13 +1,12 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -LIBDIR ?= $(PREFIX)/lib > -SBINDIR ?= $(PREFIX)/sbin > -MANDIR = $(PREFIX)/share/man > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(1))") > +PREFIX ?= /usr > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin > +MANDIR = $(DESTDIR)$(PREFIX)/share/man > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(prefix='$(PREFIX)'))") Note that this change move paths for modules from platform-specific to platform-shared: - /home/vagrant/build/usr/lib64/python3.6/site-packages/seobject.py + /home/vagrant/build/usr/lib/python3.6/site-packages/seobject.py I think it's a good change given that there's only pure python modules, but it would be good to document it in the commit message. > PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions > > TARGETS=semanage > > diff --git a/python/sepolgen/src/sepolgen/Makefile > b/python/sepolgen/src/sepolgen/Makefile > index d3aa7715..2121a955 100644 > --- a/python/sepolgen/src/sepolgen/Makefile > +++ b/python/sepolgen/src/sepolgen/Makefile > @@ -1,5 +1,6 @@ > +PREFIX ?= /usr > PYTHON ?= python > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(1))") > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(prefix='$(PREFIX)'))") > PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen > > all: > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile > index 5a56e6c8..1c02ee06 100644 > --- a/python/sepolicy/Makefile > +++ b/python/sepolicy/Makefile 
> @@ -1,14 +1,14 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -LIBDIR ?= $(PREFIX)/lib > -BINDIR ?= $(PREFIX)/bin > -DATADIR ?= $(PREFIX)/share > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= /usr/share/locale > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions > -SHAREDIR ?= $(PREFIX)/share/sandbox > +PREFIX ?= /usr > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +DATADIR ?= $(DESTDIR)$(PREFIX)/share > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions > +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox > CFLAGS ?= -Wall -Werror -Wextra -W > override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared > > @@ -30,7 +30,7 @@ test: > @$(PYTHON) test_sepolicy.py -v > > install: > - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root > $(DESTDIR)` > + $(PYT
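Review bot: in the python/semanage/Makefile hunk the unchanged `PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)` keeps a slash between DESTDIR and an absolute PYTHONLIBDIR, which yields a double slash whenever DESTDIR is set, while every other path in this series is now written `$(DESTDIR)$(PREFIX)/...`; `$(DESTDIR)$(PYTHONLIBDIR)` would match (the same applies to PACKAGEDIR in the sepolgen Makefile hunk). The lib64 to lib move that Petr points out above also deserves a line in the commit message, which currently consists only of the Signed-off-by.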
Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX
On Wed, Jan 17, 2018 at 11:43:58AM +0100, Marcus Folkesson wrote: > Hi, > > On Wed, Jan 17, 2018 at 11:11:35AM +0100, Petr Lautrbach wrote: > > On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote: > > > Signed-off-by: Marcus Folkesson > > > --- > > > python/audit2allow/Makefile | 10 -- > > > python/chcat/Makefile | 8 > > > python/semanage/Makefile | 13 ++--- > > > python/sepolgen/src/sepolgen/Makefile | 3 ++- > > > python/sepolicy/Makefile | 18 +- > > > 5 files changed, 25 insertions(+), 27 deletions(-) > > > > > > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile > > > index 8db8075f..a73c8c68 100644 > > > --- a/python/audit2allow/Makefile > > > +++ b/python/audit2allow/Makefile > > > @@ -1,12 +1,10 @@ > > > PYTHON ?= python > > > > > > # Installation directories. > > > -PREFIX ?= $(DESTDIR)/usr > > > -BINDIR ?= $(PREFIX)/bin > > > -LIBDIR ?= $(PREFIX)/lib > > > -MANDIR ?= $(PREFIX)/share/man > > > -LOCALEDIR ?= /usr/share/locale > > > -INCLUDEDIR ?= $(PREFIX)/include > > > +PREFIX ?= /usr > > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > > > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > > > LIBSEPOLA ?= $(LIBDIR)/libsepol.a > > > > > > CFLAGS ?= -Werror -Wall -W > > > diff --git a/python/chcat/Makefile b/python/chcat/Makefile > > > index 0fd12d6d..947734a0 100644 > > > --- a/python/chcat/Makefile > > > +++ b/python/chcat/Makefile > > > @@ -1,8 +1,8 @@ > > > # Installation directories. > > > -PREFIX ?= $(DESTDIR)/usr > > > -BINDIR ?= $(PREFIX)/bin > > > -MANDIR ?= $(PREFIX)/share/man > > > -LOCALEDIR ?= $(PREFIX)/share/locale > > > +PREFIX ?= /usr > > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > > > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale > > > > > > .PHONY: all > > > all: chcat > > > diff --git a/python/semanage/Makefile b/python/semanage/Makefile > > > index 132162bc..70759087 100644 > > > --- a/python/semanage/Makefile 
> > > +++ b/python/semanage/Makefile > > > @@ -1,13 +1,12 @@ > > > PYTHON ?= python > > > > > > # Installation directories. > > > -PREFIX ?= $(DESTDIR)/usr > > > -LIBDIR ?= $(PREFIX)/lib > > > -SBINDIR ?= $(PREFIX)/sbin > > > -MANDIR = $(PREFIX)/share/man > > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > > > print(get_python_lib(1))") > > > -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) > > > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions > > > +PREFIX ?= /usr > > > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin > > > +MANDIR = $(DESTDIR)$(PREFIX)/share/man > > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > > > print(get_python_lib(prefix='$(PREFIX)'))") > > > +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR) > > > +BASHCOMPLETIONDIR ?= > > > $(DESTDIR)$(PREFIX)/share/bash-completion/completions > > > > > > TARGETS=semanage > > > > > > diff --git a/python/sepolgen/src/sepolgen/Makefile > > > b/python/sepolgen/src/sepolgen/Makefile > > > index d3aa7715..2121a955 100644 > > > --- a/python/sepolgen/src/sepolgen/Makefile > > > +++ b/python/sepolgen/src/sepolgen/Makefile > > > @@ -1,5 +1,6 @@ > > > +PREFIX ?= /usr > > > PYTHON ?= python > > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > > > print(get_python_lib(1))") > > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > > > print(get_python_lib(prefix='$(PREFIX)'))") > > > PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen > > > > > > all: > > > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile > > > index 5a56e6c8..c528ae43 100644 > > > --- a/python/sepolicy/Makefile > > > +++ b/python/sepolicy/Makefile > > > @@ -1,14 +1,14 @@ > > > PYTHON ?= python > > > > > > # Installation directories. > > > -PREFIX ?= $(DESTDIR)/usr > > > -LIBDIR ?= $(PREFIX)/lib > > > -BINDIR ?= $(PREFIX)/bin > > &
Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX
On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote: > Signed-off-by: Marcus Folkesson > --- > python/audit2allow/Makefile | 10 -- > python/chcat/Makefile | 8 > python/semanage/Makefile | 13 ++--- > python/sepolgen/src/sepolgen/Makefile | 3 ++- > python/sepolicy/Makefile | 18 +- > 5 files changed, 25 insertions(+), 27 deletions(-) > > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile > index 8db8075f..a73c8c68 100644 > --- a/python/audit2allow/Makefile > +++ b/python/audit2allow/Makefile > @@ -1,12 +1,10 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -BINDIR ?= $(PREFIX)/bin > -LIBDIR ?= $(PREFIX)/lib > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= /usr/share/locale > -INCLUDEDIR ?= $(PREFIX)/include > +PREFIX ?= /usr > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > LIBSEPOLA ?= $(LIBDIR)/libsepol.a > > CFLAGS ?= -Werror -Wall -W > diff --git a/python/chcat/Makefile b/python/chcat/Makefile > index 0fd12d6d..947734a0 100644 > --- a/python/chcat/Makefile > +++ b/python/chcat/Makefile > @@ -1,8 +1,8 @@ > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -BINDIR ?= $(PREFIX)/bin > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= $(PREFIX)/share/locale > +PREFIX ?= /usr > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale > > .PHONY: all > all: chcat > diff --git a/python/semanage/Makefile b/python/semanage/Makefile > index 132162bc..70759087 100644 > --- a/python/semanage/Makefile > +++ b/python/semanage/Makefile 
> @@ -1,13 +1,12 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -LIBDIR ?= $(PREFIX)/lib > -SBINDIR ?= $(PREFIX)/sbin > -MANDIR = $(PREFIX)/share/man > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(1))") > -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions > +PREFIX ?= /usr > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin > +MANDIR = $(DESTDIR)$(PREFIX)/share/man > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(prefix='$(PREFIX)'))") > +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR) > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions > > TARGETS=semanage > > diff --git a/python/sepolgen/src/sepolgen/Makefile > b/python/sepolgen/src/sepolgen/Makefile > index d3aa7715..2121a955 100644 > --- a/python/sepolgen/src/sepolgen/Makefile > +++ b/python/sepolgen/src/sepolgen/Makefile > @@ -1,5 +1,6 @@ > +PREFIX ?= /usr > PYTHON ?= python > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(1))") > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; > print(get_python_lib(prefix='$(PREFIX)'))") > PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen > > all: > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile > index 5a56e6c8..c528ae43 100644 > --- a/python/sepolicy/Makefile > +++ b/python/sepolicy/Makefile 
> @@ -1,14 +1,14 @@ > PYTHON ?= python > > # Installation directories. > -PREFIX ?= $(DESTDIR)/usr > -LIBDIR ?= $(PREFIX)/lib > -BINDIR ?= $(PREFIX)/bin > -DATADIR ?= $(PREFIX)/share > -MANDIR ?= $(PREFIX)/share/man > -LOCALEDIR ?= /usr/share/locale > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions > -SHAREDIR ?= $(PREFIX)/share/sandbox > +PREFIX ?= /usr > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin > +DATADIR ?= $(DESTDIR)$(PREFIX)/share > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions > +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox > CFLAGS ?= -Wall -Werror -Wextra -W > override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared > > @@ -30,7 +30,7 @@ test: > @$(PYTHON) test_sepolicy.py -v > > install: > - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root > $(DESTDIR)` > + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n > "$(DESTDIR)$(PREFIX)" && echo --root $(DESTDIR)$(PREFIX)` --root $(DESTDIR)$(PREFIX) seems to duplicate prefix from --prefix=$(PREFIX) $ cd python $ make \ DESTDIR=/home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64 \ LIBSEPOLA=/usr/lib64/libsepol.a install $ find /home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64/usr/ -type d -name sepolicy /home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64//usr/usr/lib/python2.7/site-packages/sepolicy > [ -d $(BINDIR) ] || mkdir -p $(BINDIR) > install -m 755 sepolicy.py $(BINDIR)/sepoli
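Review bot: in the python/audit2allow/Makefile hunk the unchanged `LIBSEPOLA ?= $(LIBDIR)/libsepol.a` now expands to `$(DESTDIR)$(PREFIX)/lib/libsepol.a`, so a build with DESTDIR set looks for the static libsepol in the (usually still empty) staging directory at compile time, which reintroduces the compile-time DESTDIR dependency the series is meant to remove; either derive it from a DESTDIR-free path or require the caller to pass LIBSEPOLA explicitly, as the make invocation above does. In the sepolicy install hunk, the /usr/usr path Petr shows comes from `--root $(DESTDIR)$(PREFIX)` combined with `--prefix=$(PREFIX)`; `--root $(DESTDIR)` alone is what setup.py expects, with the `test -n` guard applied to `$(DESTDIR)` only.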
Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails
On Mon, Jan 15, 2018 at 07:46:27AM -0800, William Roberts wrote: > On Sun, Jan 14, 2018 at 7:34 AM, Richard Haines > wrote: > > Add new option to semanage.conf that allows the tmp build files > > to be kept for debugging when building policy. > > How do people know where the tmp files are, does something print it out or is > it > documented in a manpage somewhere? I usually see them when I try to load a module with some problem, e.g. # semodule -i myconfined10.cil neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:13249 ... > > > > Signed-off-by: Richard Haines > > --- > > libsemanage/man/man5/semanage.conf.5 | 8 > > libsemanage/src/conf-parse.y | 15 ++- > > libsemanage/src/conf-scan.l | 1 + > > libsemanage/src/direct_api.c | 21 - > > libsemanage/src/semanage_conf.h | 1 + > > 5 files changed, 36 insertions(+), 10 deletions(-) > > > > diff --git a/libsemanage/man/man5/semanage.conf.5 > > b/libsemanage/man/man5/semanage.conf.5 > > index 8f8de55a..10cab65a 100644 > > --- a/libsemanage/man/man5/semanage.conf.5 > > +++ b/libsemanage/man/man5/semanage.conf.5 
> > @@ -121,6 +121,14 @@ and by default it is set to "false". > > Please note that since this option deletes all HLL files, an updated HLL > > compiler will not be able to recompile the original HLL file into CIL. > > In order to compile the original HLL file into CIL, the same HLL file will > > need to be reinstalled. > > > > +.TP > > +.B retain-tmp > > +When set to "true", tmp directories (the sandbox at > > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at > > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after > > compilation to allow debugging of any build errors. Note that on a > > successful build the sandbox becomes > > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR. > > +.br > > +The > > +.B retain-tmp > > +option can be set to either "true" or "false" and by default it is set to > > "false". > > + > > .SH "SEE ALSO" > > .TP > > semanage(8) > > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y > > index b527e893..f098e55d 100644 > > --- a/libsemanage/src/conf-parse.y > > +++ b/libsemanage/src/conf-parse.y > > @@ -61,7 +61,7 @@ static int parse_errors; > > > > %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS > > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT > > %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START > > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS > > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL > > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP > > %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END > > %token PROG_PATH PROG_ARGS > > %token ARG > > @@ -95,6 +95,7 @@ single_opt: module_store > > | bzip_blocksize > > | bzip_small > > | remove_hll > > + | retain_tmp > > ; > > > > module_store: MODULE_STORE '=' ARG { 
> > @@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG { > > free($3); > > } > > > > +retain_tmp: RETAIN_TMP'=' ARG { > > + if (strcasecmp($3, "false") == 0) { > > + current_conf->retain_tmp = 0; > > + } else if (strcasecmp($3, "true") == 0) { > > + current_conf->retain_tmp = 1; > > + } else { > > + yyerror("retain-tmp can only be 'true' or 'false'"); > > + } > > + free($3); > > +} > > + > > command_block: > > command_start external_opts BLOCK_END { > > if (new_external->path == NULL) { > > @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf) > > conf->bzip_small = 0; > > conf->ignore_module_cache = 0; > > conf->remove_hll = 0; > > + conf->retain_tmp = 0; > > > > conf->save_previous = 0; > > conf->save_linked = 0; > > diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l > > index 607bbf0b..e26c3494 100644 > > --- a/libsemanage/src/conf-scan.l > > +++ b/libsemanage/src/conf-scan.l > > @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN; > > bzip-blocksize return BZIP_BLOCKSIZE; > > bzip-small return BZIP_SMALL; > > remove-hll return REMOVE_HLL; > > +retain-tmp return RETAIN_TMP; > > "[load_policy]" return LOAD_POLICY_START; > > "[setfiles]" return SETFILES_START; > > "[sefcontext_compile]" return SEFCONTEXT_COMPILE_START; > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > > index a455612f..5d2a443c 100644 > > --- a/libsemanage/src/direct_api.c > > +++ b/libsemanage/src/direct_api.c > > @@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t > > * sh > > static int semanage_direct_disconnect(semanage_handle_t * sh) > > { > > /* destroy transaction */ > > -
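Review bot: the semanage.conf.5 hunk says the sandbox "and/or" the final policy directory "will be retained", which leaves unclear which of the two survives in which case; state the rule explicitly (for example: both tmp trees are left in place when the build fails, while on success the sandbox is renamed to .../active as the next sentence already says). Since William's question above is exactly "how do people know where the tmp files are", this paragraph is the place to answer it, and naming the two paths in plain words next to the \fBstore-root\fR markup would make that answer easier to find.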
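Review bot: the retain_tmp rule in conf-parse.y only calls yyerror() on a value other than true/false and then free()s the argument, leaving retain_tmp at the 0 set in semanage_conf_init(); that matches the remove_hll rule directly above it, so it is acceptable if parse_errors (declared in the context of the first conf-parse.y hunk) is what makes the handle unusable afterwards, but if it is not, a misspelt value silently behaves as "false". A one-line comment saying which of the two applies would help the next reader. The semanage_conf_init hunk initialising retain_tmp to 0 agrees with the documented default of "false".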
Re: Re: selabel_lookup() with MEDIA backend issue
On Tue, Jan 09, 2018 at 12:24:12PM -0500, Stephen Smalley wrote: > On Tue, 2018-01-09 at 16:56 +, Richard Haines wrote: > > On Tue, 2018-01-09 at 10:11 -0500, Stephen Smalley wrote: > > > On Mon, 2018-01-08 at 16:10 +0100, Vit Mojzis wrote: > > > > Hi all, > > > > there seems to be a discrepancy between man page and actual > > > > behavior > > > > of > > > > selabel_lookup() with MEDIA backend. > > > > selabel_media man page says: > > > > "Should there not be a valid entry in the media file, then > > > > the > > > > default removable_context file will be read (see > > > > removable_context(5))." > > > > > > > > but the removable_context file is never used (for more details > > > > and > > > > a > > > > reproducer see https://bugzilla.redhat.com/show_bug.cgi?id=139562 > > > > 1) > > > > . > > > > > > > > I can see two possible solutions: > > > > 1) Remove the removable_context file and adjust man pages > > > > accordingly. > > > > > > > > 2) (Probably better) Add mechanism for using the > > > > removable_context > > > > > > > > Which one would you prefer? > > > > > > > > In case of the latter, would adding the content of > > > > removable_context > > > > file to saved_data->spec_arr[nspec + 1] (label_media.c) and > > > > returning > > > > it > > > > in case lookup fails be a reasonable solution? > > > > > > > > Thank you. > > > > > > It appears that selinux_removable_context_path() and the > > > removable_context configuration were added by Dan Walsh in 2004 for > > > use > > > by an external caller. The selabel_media backend wasn't introduced > > > until 2007, and has never called selinux_removable_context_path() > > > AFAICT. The man page reference to removable_context in > > > selabel_media.5 > > > was added by Richard Haines in 2011. I think the man page is just > > > wrong. I don't know if there are any users of > > > selinux_removable_context_path() still but we can't remove it > > > without > > > breaking ABI. 
> > > > > > > As I screwed up the man page I'll fix, however would you prefer > > option > > 2 where it will check the removable_context file as I'm happy to do > > that instead. > > I don't think we should change the behavior of the label media backend, > since this is not a regression in the code and altering it could have > side effects on existing callers. I would appreciate it if someone > could check whether selinux_removable_context_path() is in fact used by > anything still, and if so, how (e.g. are they using it as a fallback in > the event of selabel_lookup failure?). I couldn't seem to find any > callers in the debian codesearch tool, but not sure if Fedora has > anything equivalent? > There's no such equivalent for Fedora. But I checked sources in Red Hat Enterprise Linux and I didn't find anything that would use selinux_removable_context_path(). Petr
[PATCH] python/semanage: bring semanageRecords.set_reload back
It's used by third parties, e.g. Ansible modules Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745 Signed-off-by: Petr Lautrbach --- python/semanage/seobject.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py index b927b184..c2966251 100644 --- a/python/semanage/seobject.py +++ b/python/semanage/seobject.py @@ -260,6 +260,9 @@ class semanageRecords: else: self.mylog = nulllogger() +def set_reload(self, load): +self.noreload = not load + def get_handle(self, store): global is_mls_enabled -- 2.15.1
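Review bot: the restored set_reload() carries no comment explaining why it exists; the commit message is the only record that external callers such as Ansible modules use it, so add a short docstring in the hunk (for example "kept for third-party callers; semanage itself passes noreload through args") so the method is not removed again as dead code. The body stores `self.noreload = not load`, the inverse of the argument, which is correct for a compatibility shim: callers that used `set_reload(True)` to mean "reload after commit" keep their old meaning.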
[PATCH] python/semanage: make seobject.py backward compatible
Commit 985753f changed behavior of seobject class constructors. While semanage itself was fixed, there are other tools like system-config-selinux and chcat which depend on the original behavior. This change makes the constructors backward compatible. Fixes: $ system-config-selinux Traceback (most recent call last): File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in app = childWindow() File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__ self.add_page(booleansPage.booleansPage(xml)) File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__ self.load(self.filter) File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load self.booleans = seobject.booleanRecords() TypeError: __init__() missing 1 required positional argument: 'args' Signed-off-by: Petr Lautrbach --- python/semanage/seobject.py | 45 + 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py index 770745e4..b927b184 100644 --- a/python/semanage/seobject.py +++ b/python/semanage/seobject.py @@ -240,17 +240,22 @@ class semanageRecords: store = None args = None -def __init__(self, args): +def __init__(self, args = None): global handle -self.args = args -try: -self.noreload = args.noreload -except: -self.noreload = False -self.sh = self.get_handle(args.store) +if args: +# legacy code - args was store originally +if type(args) == str: +self.store = args +else: +self.args = args +self.noreload = getattr(args, "noreload", False) +if not self.store: +self.store = getattr(args, "store", "") + +self.sh = self.get_handle(self.store) rc, localstore = selinux.selinux_getpolicytype() -if args.store == "" or args.store == localstore: +if self.store == "" or self.store == localstore: self.mylog = logger() else: self.mylog = nulllogger() 
@@ -331,7 +336,7 @@ class semanageRecords: class moduleRecords(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def get_all(self): @@ -443,7 +448,7 @@ class moduleRecords(semanageRecords): class dontauditClass(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def toggle(self, dontaudit): @@ -456,7 +461,7 @@ class dontauditClass(semanageRecords): class permissiveRecords(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def get_all(self): @@ -525,7 +530,7 @@ class permissiveRecords(semanageRecords): class loginRecords(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) self.oldsename = None self.oldserange = None @@ -782,7 +787,7 @@ class loginRecords(semanageRecords): class seluserRecords(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def get(self, name): @@ -1045,7 +1050,7 @@ class portRecords(semanageRecords): except RuntimeError: valid_types = [] -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def __genkey(self, port, proto): @@ -1320,7 +1325,7 @@ class ibpkeyRecords(semanageRecords): except: valid_types = [] -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def __genkey(self, pkey, subnet_prefix): @@ -1573,7 +1578,7 @@ class ibendportRecords(semanageRecords): except: valid_types = [] -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def __genkey(self, ibendport, ibdev_name): 
@@ -1809,7 +1814,7 @@ class nodeRecords(semanageRecords): except RuntimeError: valid_types = [] -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) self.protocol = ["ipv4", "ipv6"] @@ -2045,7 +2050,7 @@ class nodeRecords(semanageRecords): class interfaceRecords(semanageRecords): -def __init__(self, args): +def __init__(self, args = None): semanageRecords.__init__(self, args) def __add(self, interface, serange, ctype): @@ -2242,7 +2247,7 @@ class fcontextRecords(semanageRecords):
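Review bot: in the semanageRecords.__init__ hunk, `if args:` is false for a legacy caller that passes the empty string as the store (the old `store = ''` default that patch 2/3 in this archive removes from semanage), so neither branch runs and `self.store` keeps the class-level default `None`; `get_handle()` then receives None instead of "", and the `self.store == ""` test below is false, so the local store gets `nulllogger()` where the previous code gave it `logger()`. Suggest `if isinstance(args, str): self.store = args` / `elif args is not None: ...`, followed by `if self.store is None: self.store = ""` before `get_handle()`. `isinstance` also accepts unicode store names on Python 2, which `type(args) == str` does not.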
[PATCH v2] libsemanage: Use umask(0077) for fopen() write operations
When a calling process uses umask(0) some files in the SELinux module store can be created to be world writeable. With this patch, libsemanage sets umask(0077) before fopen() operations and restores the original umask value when it's done. Fixes: drwx--. /var/lib/selinux/targeted/active -rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local -rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked -rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local drwx--. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext drwx--. /var/lib/selinux/targeted/active/modules/disabled -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote Signed-off-by: Petr Lautrbach --- libsemanage/src/database_file.c | 3 +++ libsemanage/src/direct_api.c | 8 libsemanage/src/semanage_store.c | 2 ++ 3 files changed, 13 insertions(+) diff --git a/libsemanage/src/database_file.c b/libsemanage/src/database_file.c index a21b3eeb..a51269e7 100644 --- a/libsemanage/src/database_file.c +++ b/libsemanage/src/database_file.c @@ -119,13 +119,16 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase) cache_entry_t *ptr; const char *fname = NULL; FILE *str = NULL; + mode_t mask; if (!dbase_llist_is_modified(&dbase->llist)) return STATUS_SUCCESS; fname = dbase->path[handle->is_in_transaction]; + mask = umask(0077); str = fopen(fname, "w"); + umask(mask); if (!str) { ERR(handle, "could not open %s for writing: %s", fname, strerror(errno)); diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 00ad8201..a455612f 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c 
@@ -1176,6 +1176,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_t *out = NULL; struct cil_db *cildb = NULL; semanage_module_info_t *modinfos = NULL; + mode_t mask = umask(0077); int do_rebuild, do_write_kernel, do_install; int fcontexts_modified, ports_modified, seusers_modified, @@ -1645,6 +1646,8 @@ cleanup: semanage_remove_directory(semanage_final_path (SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)); + umask(mask); + return retval; } @@ -2016,6 +2019,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, const char *path = NULL; FILE *fp = NULL; semanage_module_info_t *modinfo = NULL; + mode_t mask; /* check transaction */ if (!sh->is_in_transaction) { @@ -2076,7 +2080,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, switch (enabled) { case 0: /* disable the module */ + mask = umask(0077); fp = fopen(fn, "w"); + umask(mask); if (fp == NULL) { ERR(sh, @@ -2722,6 +2728,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, int type; char path[PATH_MAX]; + mode_t mask = umask(0077); semanage_module_info_t *higher_info = NULL; semanage_module_key_t higher_key; @@ -2833,6 +2840,7 @@ cleanup: semanage_module_key_destroy(sh, &higher_key); semanage_module_info_destroy(sh, higher_info); free(higher_info); + umask(mask); return status; } diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index 63c80b04..37ff5ace 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c @@ -2099,6 +2099,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, const char *kernel_filename = NULL; struct sepol_policy_file *pf = NULL; FILE *outfile = NULL; + mode_t mask = umask(0077); if ((kernel_filename = semanage_path(SEMANAGE_TMP, file)) == NULL) { 
@@ -2127,6 +2128,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, if (outfile != NULL) { fclose(outfile); } + umask(mask); sepol_policy_file_free(pf); return retval; } -- 2.15.0
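Review bot: in the semanage_direct_commit and semanage_direct_install_info hunks the umask is changed at the point of declaration, before the transaction state is even checked, and restored only at `cleanup:`. umask() is process-wide, so any exit from either function that does not pass through `cleanup:` leaves the calling process with 0077, which matters for long-lived callers such as the Python bindings; please confirm every return path reaches `cleanup:`, or narrow the window to the individual fopen() calls as the database_file.c and set_enabled hunks already do. The `mode_t mask;` left uninitialised in set_enabled is fine because it is only written and read inside `case 0:`.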
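Review bot: the database_file.c hunk protects newly created files only. A file that already exists as 0666 from an earlier run under umask(0), like those in the commit message listing, keeps that mode because fopen(fname, "w") truncates the existing inode without changing its permissions. Either fchmod() the stream's descriptor after a successful fopen(), or say in the commit message that an existing store has to be chmod'ed once; otherwise the listed files stay world-writable after the upgrade.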
Re: [PATCH] python/sepolicy: Fix sepolicy manpage.
On Wed, Nov 15, 2017 at 02:25:53PM +0100, Lukas Vrabec wrote: > Arguments generate and gui were mixed together and information didn't make > sense. This fix splits gui and generate sections. > > Signed-off-by: Lukas Vrabec Applied, thanks. > --- > python/sepolicy/sepolicy.8 | 7 --- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/python/sepolicy/sepolicy.8 b/python/sepolicy/sepolicy.8 > index 79005866..09d2b247 100644 > --- a/python/sepolicy/sepolicy.8 > +++ b/python/sepolicy/sepolicy.8 > @@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate > with each other > .br > > .Bgenerate > -.br > .br > Generate SELinux Policy module template > -.Bgui > +.B sepolicy-generate(8) > .br > + > +.Bgui > .br > Launch Graphical User Interface for SELinux Policy, requires > policycoreutils-gui package. > -.B sepolicy-generate(8) > +.B sepolicy-gui(8) > .br > > .Binterface > -- > 2.13.6 > >
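Review bot: moving `.B sepolicy-generate(8)` under the generate entry and `.B sepolicy-gui(8)` under the gui entry is the right fix. As the hunk is rendered here, though, the entry lines read `.Bgenerate`, `.Bgui` and `.Binterface` with no space after `.B`; if that is how the source looks and not an artifact of the archive, groff treats `.Bgenerate` as an unknown request and drops the line, so the headings would not appear at all. Please check the raw sepolicy.8 while touching this section.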
[PATCH] libsemanage: Use umask(0077) for fopen() write operations
When a calling process uses umask(0) some files in the SELinux module store can be created to be world writeable. With this patch, libsemanage sets umask(0077) before fopen() operations and restores the original umask value when it's done. Fixes: drwx--. /var/lib/selinux/targeted/active -rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local -rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked -rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local drwx--. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext drwx--. /var/lib/selinux/targeted/active/modules/disabled -rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote Signed-off-by: Petr Lautrbach --- libsemanage/src/database_file.c | 3 +++ libsemanage/src/direct_api.c | 15 +++ libsemanage/src/semanage_store.c | 4 3 files changed, 22 insertions(+) diff --git a/libsemanage/src/database_file.c b/libsemanage/src/database_file.c index a21b3eeb..d0172e73 100644 --- a/libsemanage/src/database_file.c +++ b/libsemanage/src/database_file.c @@ -119,13 +119,16 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase) cache_entry_t *ptr; const char *fname = NULL; FILE *str = NULL; + mode_t mask = 0; if (!dbase_llist_is_modified(&dbase->llist)) return STATUS_SUCCESS; fname = dbase->path[handle->is_in_transaction]; + mask = umask(0077); str = fopen(fname, "w"); + umask(mask); if (!str) { ERR(handle, "could not open %s for writing: %s", fname, strerror(errno)); diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 00ad8201..46072f92 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c 
@@ -1176,6 +1176,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_t *out = NULL; struct cil_db *cildb = NULL; semanage_module_info_t *modinfos = NULL; + mode_t mask = 0; int do_rebuild, do_write_kernel, do_install; int fcontexts_modified, ports_modified, seusers_modified, @@ -1212,6 +1213,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) /* Rebuild if explicitly requested or any module changes occurred. */ do_rebuild = sh->do_rebuild | sh->modules_modified; + mask = umask(0077); + /* Create or remove the disable_dontaudit flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); if (access(path, F_OK) == 0) @@ -1645,6 +1648,10 @@ cleanup: semanage_remove_directory(semanage_final_path (SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)); + if (mask) { + umask(mask); + } + return retval; } @@ -2016,6 +2023,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, const char *path = NULL; FILE *fp = NULL; semanage_module_info_t *modinfo = NULL; + mode_t mask = 0; /* check transaction */ if (!sh->is_in_transaction) { @@ -2076,7 +2084,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, switch (enabled) { case 0: /* disable the module */ + mask = umask(0077); fp = fopen(fn, "w"); + umask(mask); if (fp == NULL) { ERR(sh, @@ -2722,7 +2732,9 @@ static int semanage_direct_install_info(semanage_handle_t *sh, int type; char path[PATH_MAX]; + mode_t mask = 0; + mask = umask(0077); semanage_module_info_t *higher_info = NULL; semanage_module_key_t higher_key; ret = semanage_module_key_init(sh, &higher_key); @@ -2834,6 +2846,9 @@ cleanup: semanage_module_info_destroy(sh, higher_info); free(higher_info); + if (mask) { + umask(mask); + } return status; } diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index 63c80b04..74fbb677 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c 
@@ -2099,11 +2099,13 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, const char *kernel_filename = NULL; struct sepol_policy_file *pf = NULL; FILE *outfile = NULL; + mode_t mask = 0; if ((kernel_filename = semanage_path(SEMANAGE_TMP, file)) == NULL) { goto cleanup; } + mask = umask(0077); if ((outfile = fopen(kernel_filename, "wb")) == NULL)
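Review bot: the `if (mask) { umask(mask); }` restore in the semanage_direct_commit and semanage_direct_install_info hunks fails for exactly the case the commit message describes: when the caller's umask is 0, `umask(0077)` returns 0, the `if` is skipped and the process keeps umask 0077 after the call. Zero is a valid umask, so restore unconditionally (`umask(mask)`), or use a separate flag if the intent is to skip the restore when the mask was never set. Separately, the install_info hunk puts `mask = umask(0077);` between declarations, ahead of `semanage_module_info_t *higher_info = NULL;`; legal in C99 but out of step with the declarations-first style of the surrounding code.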
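The two versions of the umask patch above differ only in how the saved mask is restored. The following is an added example, not libsemanage code, that reproduces both behaviours on an ordinary Linux system: a file created with fopen(path, "w") while the caller's umask is 0, the same creation bracketed by the patch's umask(0077)/umask(saved) pair, and the leftover process umask after the v1 `if (mask)` restore versus the v2 unconditional restore. The /tmp path with a pid suffix is an assumption made for the demo; the files are removed again.

```c
/* Added example (not libsemanage code): the umask(0077) wrapper the patch
 * places around fopen(fname, "w"), next to the v1 "if (mask)" restore that
 * is skipped when the caller's original umask was 0. Scratch files are
 * created under /tmp with a pid-based name (assumed writable) and removed. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file with fopen(path, "w") while the process umask is
 * `caller_umask`; with wrap != 0 the call is bracketed by the patch's
 * umask(0077) / umask(saved) pair. Returns the permission bits of the
 * created file (st_mode & 0777), or (mode_t)-1 on failure. */
static mode_t mode_after_fopen(mode_t caller_umask, int wrap)
{
    char path[96];
    struct stat st;
    mode_t result = (mode_t)-1;
    mode_t saved = umask(caller_umask);   /* simulate the calling process */
    FILE *fp;

    snprintf(path, sizeof path, "/tmp/umask_demo_%ld_%d", (long)getpid(), wrap);
    if (wrap) {
        mode_t mask = umask(0077);        /* umask() returns the previous mask */
        fp = fopen(path, "w");
        umask(mask);                      /* restore before looking at errors */
    } else {
        fp = fopen(path, "w");            /* unprotected: 0666 & ~umask */
    }
    if (fp != NULL) {
        fclose(fp);
        if (stat(path, &st) == 0)
            result = st.st_mode & 0777;
        unlink(path);
    }
    umask(saved);
    return result;
}

/* v1 pattern: mask starts at 0 and is restored only when non-zero.
 * Returns the umask the process is left with after the sequence. */
static mode_t leftover_umask_v1(mode_t original)
{
    mode_t mask = 0;
    mode_t observed;

    umask(original);
    mask = umask(0077);
    if (mask) {                 /* original == 0 makes this branch skip */
        umask(mask);
    }
    observed = umask(original); /* umask() is the only way to read it back */
    return observed;
}

/* v2 pattern: save at the start, restore unconditionally. */
static mode_t leftover_umask_v2(mode_t original)
{
    mode_t mask;
    mode_t observed;

    umask(original);
    mask = umask(0077);
    umask(mask);
    observed = umask(original);
    return observed;
}

int main(void)
{
    printf("plain fopen, caller umask 0:       %04o\n", (unsigned)mode_after_fopen(0, 0));
    printf("wrapped fopen, caller umask 0:     %04o\n", (unsigned)mode_after_fopen(0, 1));
    printf("umask left by v1 restore (from 0): %04o\n", (unsigned)leftover_umask_v1(0));
    printf("umask left by v2 restore (from 0): %04o\n", (unsigned)leftover_umask_v2(0));
    return 0;
}
```

With the caller's umask at 0 the plain fopen() yields a 0666 file and the wrapped one 0600; the v1 sequence leaves the process at umask 0077, the v2 sequence hands the original 0 back.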
Re: [PATCH] python/semanage: Update Infiniband code to work on python3
On Tue, Nov 14, 2017 at 09:33:54AM +0100, Petr Lautrbach wrote: > On Mon, Nov 13, 2017 at 09:56:26AM +0100, Vit Mojzis wrote: > > Update Infiniband "port" and "key" listing and export to work on > > python3. > > {}.keys() does not support .sort() operation on Py3. > > > > Signed-off-by: Vit Mojzis > > Both patches look good to me. I'll merge them tomorrow if there's no > other comments. > Merged. Thanks! > > > > --- > > python/semanage/seobject.py | 16 ++-- > > 1 file changed, 6 insertions(+), 10 deletions(-) > > > > diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > > index 380256b..770745e 100644 > > --- a/python/semanage/seobject.py > > +++ b/python/semanage/seobject.py > > @@ -1543,9 +1543,8 @@ class ibpkeyRecords(semanageRecords): > > def customized(self): > > l = [] > > ddict = self.get_all(True) > > -keys = ddict.keys() > > -keys.sort() > > -for k in keys: > > + > > +for k in sorted(ddict.keys()): > > if k[0] == k[1]: > > l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0])) > > else: > > @@ -1557,11 +1556,10 @@ class ibpkeyRecords(semanageRecords): > > keys = ddict.keys() > > if len(keys) == 0: > > return > > -keys.sort() > > > > if heading: > > print("%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), > > _("Subnet_Prefix"), _("Pkey Number"))) > > -for i in keys: > > +for i in sorted(keys): > > rec = "%-30s %-18s " % i > > rec += "%s" % ddict[i][0] > > for p in ddict[i][1:]: > > @@ -1785,9 +1783,8 @@ class ibendportRecords(semanageRecords): > > def customized(self): > > l = [] > > ddict = self.get_all(True) > > -keys = ddict.keys() > > -keys.sort() > > -for k in keys: > > + > > +for k in sorted(ddict.keys()): > > l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], > > ddict[k][1], k[1], k[0])) > > return l 
> > > > @@ -1796,11 +1793,10 @@ class ibendportRecords(semanageRecords): > > keys = ddict.keys() > > if len(keys) == 0: > > return > > -keys.sort() > > > > if heading: > > print("%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), > > _("IB Device Name"), _("Port Number"))) > > -for i in keys: > > +for i in sorted(keys): > > rec = "%-30s %-18s " % i > > rec += "%s" % ddict[i][0] > > for p in ddict[i][1:]: > > -- > > 2.9.4 > > > > >
Re: [PATCH] python/semanage: Update Infiniband code to work on python3
On Mon, Nov 13, 2017 at 09:56:26AM +0100, Vit Mojzis wrote: > Update Infiniband "port" and "key" listing and export to work on > python3. > {}.keys() does not support .sort() operation on Py3. > > Signed-off-by: Vit Mojzis Both patches look good to me. I'll merge them tomorrow if there's no other comments. Thanks, Petr > --- > python/semanage/seobject.py | 16 ++-- > 1 file changed, 6 insertions(+), 10 deletions(-) > > diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > index 380256b..770745e 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py > @@ -1543,9 +1543,8 @@ class ibpkeyRecords(semanageRecords): > def customized(self): > l = [] > ddict = self.get_all(True) > -keys = ddict.keys() > -keys.sort() > -for k in keys: > + > +for k in sorted(ddict.keys()): > if k[0] == k[1]: > l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0])) > else: > @@ -1557,11 +1556,10 @@ class ibpkeyRecords(semanageRecords): > keys = ddict.keys() > if len(keys) == 0: > return > -keys.sort() > > if heading: > print("%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), > _("Subnet_Prefix"), _("Pkey Number"))) > -for i in keys: > +for i in sorted(keys): > rec = "%-30s %-18s " % i > rec += "%s" % ddict[i][0] > for p in ddict[i][1:]: > @@ -1785,9 +1783,8 @@ class ibendportRecords(semanageRecords): > def customized(self): > l = [] > ddict = self.get_all(True) > -keys = ddict.keys() > -keys.sort() > -for k in keys: > + > +for k in sorted(ddict.keys()): > l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], > k[1], k[0])) > return l > > @@ -1796,11 +1793,10 @@ class ibendportRecords(semanageRecords): > keys = ddict.keys() > if len(keys) == 0: > return > -keys.sort() > > if heading: > print("%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB > Device Name"), _("Port Number"))) > -for i in keys: > +for i in sorted(keys): > rec = "%-30s %-18s " % i > rec += "%s" % ddict[i][0] > for p in ddict[i][1:]: > -- > 2.9.4 > >
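Review bot: `sorted(ddict.keys())` is the right replacement for the Python 2 only `keys.sort()` in all four hunks, and sorting tuples of strings needs no key function. In the two list hunks the remaining `keys = ddict.keys()` / `if len(keys) == 0: return` could become `if not ddict: return` with `for i in sorted(ddict):`, which avoids keeping a dict view under a name that reads like a list. Not a blocker.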
Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled
The first two patches do a little cleanup and try to refactor the code used for seobject object initialization. The 3rd patch changes the behavior in order to call semanage_set_reload() only if -N is used.
[PATCH 2/3] python/semanage: Don't use global setup variable
In order to do that we need to propagate args into seobject objects and use args.store to get a store name. Signed-off-by: Petr Lautrbach --- python/semanage/semanage| 40 +++-- python/semanage/seobject.py | 62 +++-- 2 files changed, 47 insertions(+), 55 deletions(-) diff --git a/python/semanage/semanage b/python/semanage/semanage index 8acfc855..bcac20b2 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage @@ -89,16 +89,6 @@ class CheckRole(argparse.Action): newval.append(v) setattr(namespace, self.dest, newval) -store = '' - - -class SetStore(argparse.Action): - -def __call__(self, parser, namespace, values, option_string=None): -global store -store = values -setattr(namespace, self.dest, values) - class seParser(argparse.ArgumentParser): @@ -192,7 +182,7 @@ def handleLogin(args): handle_opts(args, login_args, args.action) -OBJECT = object_dict['login']() +OBJECT = object_dict['login'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -211,7 +201,7 @@ def handleLogin(args): def parser_add_store(parser, name): -parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage")) +parser.add_argument('-S', '--store', default='', help=_("Select an alternate SELinux Policy Store to manage")) def parser_add_priority(parser, name): @@ -326,7 +316,7 @@ def handleFcontext(args): else: handle_opts(args, fcontext_args, args.action) -OBJECT = object_dict['fcontext']() +OBJECT = object_dict['fcontext'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -395,7 +385,7 @@ def handleUser(args): handle_opts(args, user_args, args.action) -OBJECT = object_dict['user']() +OBJECT = object_dict['user'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -446,7 +436,7 @@ def handlePort(args): handle_opts(args, port_args, args.action) -OBJECT = object_dict['port']() +OBJECT = object_dict['port'](args) OBJECT.set_reload(args.noreload) if args.action is "add": 
@@ -492,7 +482,7 @@ def handlePkey(args): handle_opts(args, ibpkey_args, args.action) -OBJECT = object_dict['ibpkey']() +OBJECT = object_dict['ibpkey'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -536,7 +526,7 @@ def handleIbendport(args): handle_opts(args, ibendport_args, args.action) -OBJECT = object_dict['ibendport']() +OBJECT = object_dict['ibendport'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -580,7 +570,7 @@ def handleInterface(args): handle_opts(args, interface_args, args.action) -OBJECT = object_dict['interface']() +OBJECT = object_dict['interface'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -620,7 +610,7 @@ def setupInterfaceParser(subparsers): def handleModule(args): -OBJECT = seobject.moduleRecords(store) +OBJECT = seobject.moduleRecords(args) OBJECT.set_reload(args.noreload) if args.action == "add": OBJECT.add(args.module_name, args.priority) @@ -663,7 +653,7 @@ def handleNode(args): node_args = {'list': [('node', 'type', 'proto', 'netmask'), ('')], 'add': [('locallist'), ('type', 'node', 'proto', 'netmask')], 'modify': [('locallist'), ('node', 'netmask', 'proto')], 'delete': [('locallist'), ('node', 'netmask', 'prototype')], 'extract': [('locallist', 'node', 'type', 'proto', 'netmask'), ('')], 'deleteall': [('locallist'), ('')]} handle_opts(args, node_args, args.action) -OBJECT = object_dict['node']() +OBJECT = object_dict['node'](args) OBJECT.set_reload(args.noreload) if args.action is "add": @@ -710,7 +700,7 @@ def handleBoolean(args): handle_opts(args, boolean_args, args.action) -OBJECT = object_dict['boolean']() +OBJECT = object_dict['boolean'](args) OBJECT.set_reload(args.noreload) if args.action is "modify": @@ -749,7 +739,7 @@ def setupBooleanParser(subparsers): def handlePermissive(args): -OBJECT = object_dict['permissive']() +OB
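Review bot: the context lines around every rewritten `OBJECT = object_dict[...](args)` call show `if args.action is "add":`, a string comparison by identity; it only works because CPython interns short literals and hands the same objects back through argparse, and recent Python 3 emits a SyntaxWarning for it. Since this series already touches each handler, switching those tests to `==` would be a cheap improvement. On the change itself, replacing the `SetStore` action with `default=''` means `args.store` is always a string, which is what the constructors now passed `args` expect.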
[PATCH 3/3] python/semanage: Enforce noreload only if it's requested by -N option
We want to call semanage_set_reload() only if -N option is used. Fixes: $ sudo umount /sys/fs/selinux $ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667 SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). FileNotFoundError: [Errno 2] No such file or directory Signed-off-by: Petr Lautrbach --- python/semanage/semanage| 15 +-- python/semanage/seobject.py | 11 ++- 2 files changed, 7 insertions(+), 19 deletions(-) diff --git a/python/semanage/semanage b/python/semanage/semanage index bcac20b2..8d8a0860 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage @@ -183,7 +183,6 @@ def handleLogin(args): handle_opts(args, login_args, args.action) OBJECT = object_dict['login'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.login, args.seuser, args.range) @@ -213,7 +212,7 @@ def parser_add_noheading(parser, name): def parser_add_noreload(parser, name): -parser.add_argument('-N', '--noreload', action='store_false', default=True, help=_('Do not reload policy after commit')) +parser.add_argument('-N', '--noreload', action='store_true', default=False, help=_('Do not reload policy after commit')) def parser_add_locallist(parser, name): 
@@ -317,7 +316,6 @@ def handleFcontext(args): handle_opts(args, fcontext_args, args.action) OBJECT = object_dict['fcontext'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": if args.equal: @@ -386,7 +384,6 @@ def handleUser(args): handle_opts(args, user_args, args.action) OBJECT = object_dict['user'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix) @@ -437,7 +434,6 @@ def handlePort(args): handle_opts(args, port_args, args.action) OBJECT = object_dict['port'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.port, args.proto, args.range, args.type) @@ -483,7 +479,6 @@ def handlePkey(args): handle_opts(args, ibpkey_args, args.action) OBJECT = object_dict['ibpkey'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type) @@ -527,7 +522,6 @@ def handleIbendport(args): handle_opts(args, ibendport_args, args.action) OBJECT = object_dict['ibendport'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type) @@ -571,7 +565,6 @@ def handleInterface(args): handle_opts(args, interface_args, args.action) OBJECT = object_dict['interface'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.interface, args.range, args.type) @@ -611,7 +604,6 @@ def setupInterfaceParser(subparsers): def handleModule(args): OBJECT = seobject.moduleRecords(args) -OBJECT.set_reload(args.noreload) if args.action == "add": OBJECT.add(args.module_name, args.priority) if args.action == "enable": @@ -654,7 +646,6 @@ def handleNode(args): handle_opts(args, node_args, args.action) OBJECT = object_dict['node'](args) -OBJECT.set_reload(args.noreload) if args.action is "add": OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) 
@@ -701,7 +692,6 @@ def handleBoolean(args): handle_opts(args, boolean_args, args.action) OBJECT = object_dict['boolean'](args) -OBJECT.set_reload(args.noreload) if args.action is "modify": if args.boolean: @@ -740,7 +730,6 @@ def setupBooleanParser(subparsers): def handlePermissive(args): OBJECT = object_dict['permissive'](args) -OBJECT.set_reload(args.noreload) if args.action is "list":
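Review bot: flipping `-N/--noreload` from `store_false`/default `True` to `store_true`/default `False` inverts the meaning of `args.noreload` at the same moment every `OBJECT.set_reload(args.noreload)` call is removed; the seobject.py half of the diff is not in this post, so it cannot be confirmed here that the constructor reads `args.noreload` with the new polarity. If `set_reload()` itself is deleted from seobject.py along with its last internal callers, external users of the method break; the later "bring semanageRecords.set_reload back" patch in this archive shows that this is what happened, so keep the method when dropping the calls.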
[PATCH 1/3] python/semanage: drop *_ini functions
Signed-off-by: Petr Lautrbach --- python/semanage/semanage | 74 +--- 1 file changed, 14 insertions(+), 60 deletions(-) diff --git a/python/semanage/semanage b/python/semanage/semanage index 313537c5..8acfc855 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage 
@@ -134,67 +134,21 @@ class SetImportFile(argparse.Action): sys.exit(1) setattr(namespace, self.dest, values) -# functions for OBJECT initialization - - -def login_ini(): -OBJECT = seobject.loginRecords(store) -return OBJECT - - -def user_ini(): -OBJECT = seobject.seluserRecords(store) -return OBJECT - - -def port_ini(): -OBJECT = seobject.portRecords(store) -return OBJECT - -def ibpkey_ini(): -OBJECT = seobject.ibpkeyRecords(store) -return OBJECT - -def ibendport_ini(): -OBJECT = seobject.ibendportRecords(store) -return OBJECT - -def module_ini(): -OBJECT = seobject.moduleRecords(store) -return OBJECT - - -def interface_ini(): -OBJECT = seobject.interfaceRecords(store) -return OBJECT - - -def node_ini(): -OBJECT = seobject.nodeRecords(store) -return OBJECT - - -def fcontext_ini(): -OBJECT = seobject.fcontextRecords(store) -return OBJECT - - -def boolean_ini(): -OBJECT = seobject.booleanRecords(store) -return OBJECT - - -def permissive_ini(): -OBJECT = seobject.permissiveRecords(store) -return OBJECT - - -def dontaudit_ini(): -OBJECT = seobject.dontauditClass(store) -return OBJECT - # define dictonary for seobject OBEJCTS -object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini} +object_dict = { +'login': seobject.loginRecords, +'user': seobject.seluserRecords, +'port': seobject.portRecords, +'module': seobject.moduleRecords, +'interface': seobject.interfaceRecords, +'node': seobject.nodeRecords, +'fcontext': seobject.fcontextRecords, +'boolean': seobject.booleanRecords, +'permissive': seobject.permissiveRecords, +'dontaudit': seobject.dontauditClass, +'ibpkey': seobject.ibpkeyRecords, +'ibendport': seobject.ibendportRecords +} def generate_custom_usage(usage_text, usage_dict): # generate custom usage from given text and 
dictonary -- 2.14.3
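Review bot: the dictionary values are now the bare `seobject.*Records` classes, but the removed `*_ini()` helpers took no arguments and supplied the module-level `store` themselves (`OBJECT = seobject.loginRecords(store)`); any call site that still does `object_dict[args.object]()` now constructs the records object without a store, so the caller has to be updated in the same change to pass it, e.g. `object_dict[args.object](store)`. While the surrounding comment is being touched, the context line `# define dictonary for seobject OBEJCTS` carries two typos (`dictionary`, `OBJECTS`) that could be fixed here as well.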
Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled
On Thu, Nov 02, 2017 at 10:48:31AM -0400, Stephen Smalley wrote:
> On Thu, 2017-11-02 at 15:17 +0100, Petr Lautrbach wrote:
> > On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> > > > When SELinux is disabled, semanage without -N fails with a quite complicated error message when it tries to reload a new policy. Since reload in this case doesn't make sense, we should probably try to avoid that.
> > >
> > > I haven't looked closely at this yet, but I know libsemanage itself internally sets ->do_reload to false if is_selinux_enabled() is 0 (or -1), so why is it that seobject.py is manually deciding whether to reload policy?
> >
> > semanageRecords.commit() method calls semanage_set_reload(self.sh, self.load) and this overrides the default value set in semanage_handle_create()
> >
> > the flow is something like this:
> >
> > seobject: __init__(self, store):
> >     self.sh = self.get_handle(store)
> >
> > semanage: semanageRecords.get_handle()
> >     handle = semanage_handle_create()
> >
> > libsemanage: semanage_handle_create()
> >     sh->do_reload = (is_selinux_enabled() > 0);
> >
> > seobject: commit()
> >     semanage_set_reload(self.sh, self.load)
> >
> > Looking into this, the check if SELinux is enabled could be moved to libsemanage: semanage_set_reload() and maybe with WARN message in case that it doesn't set a new value.
>
> Hmm...why does seobject.py call semanage_set_reload() at all except in the case where it is explicitly called with -N and wants to forcibly suppress policy reload? If we can avoid making the call except in that case, then we don't need to change libsemanage at all.

I'll prepare another patch based on your comments and suggestions.
Thanks, Petr > > > > > > > > > > > > Fixes: > > > > $ sudo umount /sys/fs/selinux > > > > > > > > $ sudo semanage fcontext -a --type=postfix_local_tmp_t > > > > /var/opt/01789667 > > > > SELinux: Could not downgrade policy file > > > > /etc/selinux/targeted/policy/policy.31, searching for an older > > > > version. > > > > SELinux: Could not open policy file <= > > > > /etc/selinux/targeted/policy/policy.31: No such file or > > > > directory > > > > /sbin/load_policy: Can't load policy: No such file or directory > > > > libsemanage.semanage_reload_policy: load_policy returned error > > > > code > > > > 2. (No such file or directory). > > > > SELinux: Could not downgrade policy file > > > > /etc/selinux/targeted/policy/policy.31, searching for an older > > > > version. > > > > SELinux: Could not open policy file <= > > > > /etc/selinux/targeted/policy/policy.31: No such file or > > > > directory > > > > /sbin/load_policy: Can't load policy: No such file or directory > > > > libsemanage.semanage_reload_policy: load_policy returned error > > > > code > > > > 2. (No such file or directory). > > > > FileNotFoundError: [Errno 2] No such file or directory > > > > > > > > Signed-off-by: Petr Lautrbach > > > > --- > > > > python/semanage/seobject.py | 4 ++-- > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/python/semanage/seobject.py > > > > b/python/semanage/seobject.py > > > > index 1385315f..37f2b8c6 100644 > > > > --- a/python/semanage/seobject.py > > > > +++ b/python/semanage/seobject.py > > > > @@ -241,7 +241,7 @@ class semanageRecords: > > > > > > > > def __init__(self, store): > > > > global handle > > > > -self.load = True > > > > +self.load = selinux.is_selinux_enabled() > > > > self.sh = self.get_handle(store) > > > > > > > > rc, localstore = selinux.selinux_getpolicytype() 
> > > > @@ -251,7 +251,7 @@ class semanageRecords: > > > > self.mylog = nulllogger() > > > > > > > > def set_reload(self, load): > > > > -self.load = load > > > > +self.load = selinux.is_selinux_enabled() and load > > > > > > > > def get_handle(self, store): > > > > global is_mls_enabled > > > >
Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled
On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote:
> On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> > When SELinux is disabled, semanage without -N fails with a quite complicated error message when it tries to reload a new policy. Since reload in this case doesn't make sense, we should probably try to avoid that.
>
> I haven't looked closely at this yet, but I know libsemanage itself internally sets ->do_reload to false if is_selinux_enabled() is 0 (or -1), so why is it that seobject.py is manually deciding whether to reload policy?

semanageRecords.commit() method calls semanage_set_reload(self.sh, self.load) and this overrides the default value set in semanage_handle_create()

the flow is something like this:

seobject: __init__(self, store):
    self.sh = self.get_handle(store)

semanage: semanageRecords.get_handle()
    handle = semanage_handle_create()

libsemanage: semanage_handle_create()
    sh->do_reload = (is_selinux_enabled() > 0);

seobject: commit()
    semanage_set_reload(self.sh, self.load)

Looking into this, the check if SELinux is enabled could be moved to libsemanage: semanage_set_reload() and maybe with WARN message in case that it doesn't set a new value.

> > Fixes:
> > $ sudo umount /sys/fs/selinux
> >
> > $ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667
> > SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
> > SELinux: Could not open policy file <= > > /etc/selinux/targeted/policy/policy.31: No such file or directory > > /sbin/load_policy: Can't load policy: No such file or directory > > libsemanage.semanage_reload_policy: load_policy returned error code > > 2. (No such file or directory). > > FileNotFoundError: [Errno 2] No such file or directory > > > > Signed-off-by: Petr Lautrbach > > --- > > python/semanage/seobject.py | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/python/semanage/seobject.py > > b/python/semanage/seobject.py > > index 1385315f..37f2b8c6 100644 > > --- a/python/semanage/seobject.py > > +++ b/python/semanage/seobject.py > > @@ -241,7 +241,7 @@ class semanageRecords: > > > > def __init__(self, store): > > global handle > > -self.load = True > > +self.load = selinux.is_selinux_enabled() > > self.sh = self.get_handle(store) > > > > rc, localstore = selinux.selinux_getpolicytype() > > @@ -251,7 +251,7 @@ class semanageRecords: > > self.mylog = nulllogger() > > > > def set_reload(self, load): > > -self.load = load > > +self.load = selinux.is_selinux_enabled() and load > > > > def get_handle(self, store): > > global is_mls_enabled
[PATCH] python/semanage: Do not try to reload policy when SELinux is disabled
When SELinux is disabled, semanage without -N fails with a quite complicated error message when it tries to reload a new policy. Since reload in this case doesn't make sense, we should probably try to avoid that. Fixes: $ sudo umount /sys/fs/selinux $ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667 SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). FileNotFoundError: [Errno 2] No such file or directory Signed-off-by: Petr Lautrbach --- python/semanage/seobject.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py index 1385315f..37f2b8c6 100644 --- a/python/semanage/seobject.py +++ b/python/semanage/seobject.py @@ -241,7 +241,7 @@ class semanageRecords: def __init__(self, store): global handle -self.load = True +self.load = selinux.is_selinux_enabled() self.sh = self.get_handle(store) rc, localstore = selinux.selinux_getpolicytype() @@ -251,7 +251,7 @@ class semanageRecords: self.mylog = nulllogger() def set_reload(self, load): -self.load = load +self.load = selinux.is_selinux_enabled() and load def get_handle(self, store): global is_mls_enabled -- 2.14.3
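Review bot: in the `__init__` hunk, `self.load = selinux.is_selinux_enabled()` stores the raw return value, and as this thread notes the call can return -1 on error; -1 is truthy in Python, so in the error case a reload is still attempted, and `self.load` becomes an int where a bool was before. libsemanage's own default quoted in the replies is `sh->do_reload = (is_selinux_enabled() > 0)`; mirroring that comparison, `self.load = selinux.is_selinux_enabled() > 0`, yields a bool and treats the error case as "do not reload".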
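Review bot: the `set_reload` hunk has the same -1 problem, since `selinux.is_selinux_enabled() and load` evaluates to `load` for any non-zero return value including -1; beyond that, per Stephen's reply in this thread the override of libsemanage's default could be avoided entirely by calling semanage_set_reload() only when -N explicitly asks to suppress the reload, so the disabled case is handled by semanage_handle_create() and seobject.py needs no check of its own.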
Value of file_contexts.bin after the move to pcre2
On Fri, Oct 13, 2017 at 03:31:39PM -0400, Stephen Smalley wrote:
> We still need to revisit the value proposition of file_contexts.bin after the move to pcre2, given the large increase in file size and the runtime overhead. We can add -r to the sefcontext_compile args via semanage.conf, but then I'm wondering whether it is worth having file_contexts.bin at all.

We already use -r in Fedora 27 by default.

Jan Zarsky did some investigation related to file_contexts.bin [1] and according to his results it looks like we can simply drop file_contexts.bin completely. But there were some bugs in the past which prevented Anaconda and systems based on OSTree from working when there was no such file in the selinux-policy-targeted package. Therefore we need to confirm that if we drop it in Fedora it wouldn't affect them.

Using this configuration in semanage.conf we can avoid creating such files without any change in the code:

[sefcontext_compile]
path = /bin/true
[end]

[1] https://janzarskyblog.wordpress.com/2017/09/06/why-we-dont-need-to-ship-file_contexts-bin-with-selinux-policy/

Petr
[PATCH] libselinux: Add support for pcre2 to pkgconfig definition
When libselinux is built using USE_PCRE2 libselinux.pc needs to require libpcre2-8 instead of libpcre. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1487521 Signed-off-by: Petr Lautrbach --- libselinux/Makefile | 11 ++- libselinux/src/Makefile | 2 +- libselinux/src/libselinux.pc.in | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/libselinux/Makefile b/libselinux/Makefile index 1ecab178..16531fe9 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile @@ -21,13 +21,14 @@ export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST USE_PCRE2 ?= n ifeq ($(USE_PCRE2),y) - PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 $(shell $(PKG_CONFIG) --cflags libpcre2-8) - PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre2-8) + PCRE_MODULE := libpcre2-8 + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 else - PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags libpcre) - PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre) + PCRE_MODULE := libpcre endif -export PCRE_CFLAGS PCRE_LDLIBS +PCRE_CFLAGS += $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE)) +PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE)) +export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS OS := $(shell uname) export OS diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 2408faea..18df75c8 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -148,7 +148,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ selinuxswig_python_exception.i: ../include/selinux/selinux.h bash -e exception.sh > $@ || (rm -f $@ ; false) diff --git a/libselinux/src/libselinux.pc.in b/libselinux/src/libselinux.pc.in index 2cd04d38..2e90a844 100644 
--- a/libselinux/src/libselinux.pc.in +++ b/libselinux/src/libselinux.pc.in @@ -7,6 +7,6 @@ Name: libselinux Description: SELinux utility library Version: @VERSION@ URL: http://userspace.selinuxproject.org/ -Requires.private: libsepol libpcre +Requires.private: libsepol @PCRE_MODULE@ Libs: -L${libdir} -lselinux Cflags: -I${includedir} -- 2.14.2
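Review bot: in the libselinux/Makefile hunk the `else` branch no longer initialises PCRE_CFLAGS, so the trailing `PCRE_CFLAGS += $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE))` appends to whatever PCRE_CFLAGS the environment or command line already carried (the old `:=` discarded it), and because `+=` on a previously undefined variable creates a recursively expanded one, the pkg-config call is re-run on every expansion in that branch while the pcre2 branch gets a simply expanded value; an explicit `PCRE_CFLAGS :=` in the `else` branch, or `PCRE_CFLAGS := $(PCRE_CFLAGS) $(shell ...)` after the endif, keeps both branches consistent.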
[PATCH 1/4] sepolicy: Fix minor typo in 'transition -s' test
Signed-off-by: Petr Lautrbach --- python/sepolicy/test_sepolicy.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/test_sepolicy.py b/python/sepolicy/test_sepolicy.py index 304e56f6..6d60d6f6 100644 --- a/python/sepolicy/test_sepolicy.py +++ b/python/sepolicy/test_sepolicy.py @@ -60,7 +60,7 @@ class SepolicyTests(unittest.TestCase): self.assertSuccess(p.returncode, err) def test_transition_s(self): -"Verify sepolicy transition -l works" +"Verify sepolicy transition -s works" p = Popen(['sepolicy', 'transition', '-s', 'httpd_t'], stdout=PIPE) out, err = p.communicate() self.assertSuccess(p.returncode, err) -- 2.13.3
[PATCH 2/4] sepolicy: Fix syntax errors in 'manpage -w'
Fixes: File "python/sepolicy/sepolicy/manpage.py", line 373, in _gen_css print("%s has been created") % style_css TypeError: unsupported operand type(s) for %: 'NoneType' and 'str' Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index a5e36cf3..7f17ba29 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -333,7 +333,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. """ % domainname_body) fd.close() -print("%s has been created") % html +print("%s has been created" % html) def _gen_css(self): style_css = self.old_path + "style.css" @@ -396,7 +396,7 @@ pre.code { """) fd.close() -print("%s has been created") % style_css +print("%s has been created" % style_css) class ManPage: -- 2.13.3
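Review bot: both hunks are the right Python 3 fix (print() returns None, so `print("...") % x` raises the TypeError shown in the description), but the subject line calls this a syntax error while the quoted traceback shows a runtime TypeError: these lines parse fine and only fail once the two methods are executed, so the subject would be more accurate as "Fix TypeError in 'manpage -w'".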
[PATCH 4/4] sepolicy: File labels used to be sorted in a man page
Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 6df6f431..4d846364 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -807,6 +807,7 @@ Note: SELinux often uses regular expressions to specify labels that match multip self.fd.write(r""" .I The following file types are defined for %(domainname)s: """ % {'domainname': self.domainname}) +flist.sort() for f in flist: self.fd.write(""" -- 2.13.3
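Review bot: `flist.sort()` sorts in place, so writing the man page now mutates the list the caller passed in (and every other reference to it) as a side effect; `for f in sorted(flist):` gives the same ordered output without touching the caller's data. Since the subject says the labels "used to be" sorted, an ordering assertion in test_sepolicy.py would keep this from regressing again.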
[PATCH 3/4] sepolicy: Make manpage and transition faster
SETools4 and Python 3 versions of map() and filter() use iterators to generate query results and these iterators can't be simply re-used. It makes manpage and transition operations really slow as they do a lot of queries.

This patch changes it so that it caches results in lists for all types, allow rules and transitions first, and then uses the cached results to filter them using Python's filter() function.

Before:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m53.486s
user 0m53.171s
sys 0m0.054s

After:
$ time sepolicy manpage -d httpd_t sshd_t init_t
real 0m10.532s
user 0m10.368s
sys 0m0.114s

Signed-off-by: Petr Lautrbach
---
python/sepolicy/sepolicy/__init__.py | 62 --
python/sepolicy/sepolicy/manpage.py| 29
python/sepolicy/sepolicy/transition.py | 8 +++--
3 files changed, 73 insertions(+), 26 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py index 8fa2c2ae..5cfc0715 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py @@ -99,6 +99,7 @@ local_files = None fcdict = None methods = [] all_types = None +all_types_info = None user_types = None role_allows = None portrecs = None @@ -113,6 +114,8 @@ bools = None all_attributes = None booleans = None booleans_dict = None +all_allow_rules = None +all_transitions = None def get_installed_policy(root="/"): @@ -168,10 +171,10 @@ def info(setype, name=None): q.name = name return ({ -'aliases': map(str, x.aliases()), +'aliases': list(map(str, x.aliases())), 'name': str(x), 'permissive': bool(x.ispermissive), -'attributes': map(str, x.attributes()) +'attributes': list(map(str, x.attributes())) } for x in q.results()) elif setype == ROLE: @@ -181,8 +184,8 @@ def info(setype, name=None): return ({ 'name': str(x), -'roles': map(str, x.expand()), -'types': map(str, x.types()), +'roles': list(map(str, x.expand())), +'types': list(map(str, x.types())), } for x in q.results()) elif setype == ATTRIBUTE: 
@@ -192,7 +195,7 @@ def info(setype, name=None): return ({ 'name': str(x), -'types': map(str, x.expand()), +'types': list(map(str, x.expand())), } for x in q.results()) elif setype == PORT: @@ -220,7 +223,7 @@ def info(setype, name=None): return ({ 'range': str(x.mls_range), 'name': str(x), -'roles': map(str, x.roles), +'roles': list(map(str, x.roles)), 'level': str(x.mls_level), } for x in q.results()) @@ -362,17 +365,26 @@ def search(types, seinfo=None): def get_conditionals(src, dest, tclass, perm): tdict = {} tlist = [] -if dest.endswith("_t"): -allows = search([ALLOW], {SOURCE: src, TARGET: dest, CLASS: tclass, PERMS: perm}) -else: -# to include attribute -allows = search([ALLOW], {SOURCE: src, CLASS: tclass, PERMS: perm}) -for i in allows: -if i['target'] == dest: -allows = [] -allows.append(i) +src_list = [src] +dest_list = [dest] +# add assigned attributes +try: +src_list += list(filter(lambda x: x['name'] == src, get_all_types_info()))[0]['attributes'] +except: +pass try: -for i in map(lambda y: (y), filter(lambda x: set(perm).issubset(x[PERMS]) and x['boolean'], allows)): +dest_list += list(filter(lambda x: x['name'] == dest, get_all_types_info()))[0]['attributes'] +except: +pass +allows = map(lambda y: y, filter(lambda x: +x['source'] in src_list and +x['target'] in dest_list and +set(perm).issubset(x[PERMS]) and +'boolean' in x, +get_all_allow_rules())) + +try: +for i in allows: tdict.update({'source': i['source'], 'boolean': i['boolean']}) if tdict not in tlist: tlist.append(tdict) @@ -734,6 +746,11 @@ def get_all_types(): all_types = [x['name'] for x in info(TYPE)] return all_types +def get_all_types_info(): +global all_types_info +if all_types_info is None: +all_types_info = list(info(TYPE)) +return all_types_info def get_user_types(): global user_types @@ -1018,12 +1035,23 @@ def gen_short_name(setype): sh
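Review bot: in the get_conditionals() hunk the two `except: pass` blocks are bare excepts that hide every failure of the `list(filter(...))[0]['attributes']` lookups (including KeyboardInterrupt), while the only expected failure is an IndexError when the type name is not found; a lookup such as `next((x for x in get_all_types_info() if x['name'] == src), None)` followed by an explicit None check, or at least `except (IndexError, KeyError):`, keeps the intent readable. In the same hunk `map(lambda y: y, filter(...))` is an identity wrapper that can be dropped, and the filter condition changed from the old `x['boolean']` (truthy value) to `'boolean' in x` (key present), which also matches rules whose 'boolean' entry is present but empty; if that is intended it deserves a sentence in the commit message.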
[PATCH] mcstrans: Allow overriding libsepol.a location during build
Signed-off-by: Petr Lautrbach --- mcstrans/src/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile index 709e1e02..3f4a89c3 100644 --- a/mcstrans/src/Makefile +++ b/mcstrans/src/Makefile @@ -4,6 +4,7 @@ LIBDIR ?= $(PREFIX)/lib SBINDIR ?= $(DESTDIR)/sbin INITDIR ?= $(DESTDIR)/etc/rc.d/init.d SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd +LIBSEPOLA ?= $(LIBDIR)/libsepol.a PROG_SRC=mcstrans.c mcscolor.c mcstransd.c mls_level.c PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC)) @@ -15,7 +16,7 @@ override CFLAGS += -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 all: $(PROG) $(PROG): $(PROG_OBJS) - $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap -lpcre $(LIBDIR)/libsepol.a + $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap -lpcre $(LIBSEPOLA) %.o: %.c $(CC) $(CFLAGS) -fPIE -c -o $@ $< -- 2.13.0
Re: [PATCH] Use DESTDIR only in install targets
On 06/21/2017 09:51 PM, Stephen Smalley wrote:

Hmm...seems like we're still using DESTDIR for more than just install. So either the patch or the patch description isn't quite right. The original usage of make DESTDIR in selinux was to support building and installing to a private directory, so we wanted it to affect more than just install. If we truly make this transition to conform to the GNU standards, then we still need a clean way of building and installing to a private directory for local testing. The top-level Makefile has a workaround currently of automatically defining CFLAGS and LDFLAGS when DESTDIR is defined, but that has a side effect: it suppresses any non-override CFLAGS and LDFLAGS definitions in the Makefiles, so then we no longer get all of the warning options enabled in such local builds like we used to do. All of this leaves me wondering about whether we ought to just revert the earlier changes and preserve our usage of DESTDIR, even if it doesn't correspond to GNU.

PREFIX could be used for the case you described and DESTDIR would be used just for installing to a different root directory. The difference could be seen in .pc files:

$ make DESTDIR=/selinux-DESTDIR LIBSEPOLA=/selinux-DESTDIR/usr/lib/libsepol.a install install-pywrap install-rubywrap
$ head -n 2 /selinux-DESTDIR/usr/lib/pkgconfig/libsepol.pc
prefix=//usr
exec_prefix=${prefix}

vs

$ make PREFIX=/selinux-PREFIX install install-pywrap install-rubywrap
$ head -n 2 /selinux-PREFIX/usr/lib/pkgconfig/libsepol.pc
prefix=/selinux-PREFIX/usr
exec_prefix=${prefix}

I've got two work-in-progress patches for that:
https://github.com/bachradsusi/SELinuxProject-selinux/commit/03d7e6a3802aa5376fe6162f6e7f9a6314f2b028
https://github.com/bachradsusi/SELinuxProject-selinux/commit/ddf070fa82a4331b8fe2d82f61929c1120a12630

They need more testing and some enhancements, but at first look they seem to work. At least the structure of the directories seems to be the same.
-checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA) +checkmodule: $(CHECKMODOBJS) $(DESTDIR)$(LIBSEPOLA) %.o: %.c $(CC) $(CFLAGS) -o $@ -c $< @@ -46,15 +46,15 @@ lex.yy.c: policy_scan.l y.tab.c $(LEX) policy_scan.l install: all - -mkdir -p $(BINDIR) - -mkdir -p $(MANDIR)/man8 - install -m 755 $(TARGETS) $(BINDIR) - install -m 644 checkpolicy.8 $(MANDIR)/man8 - install -m 644 checkmodule.8 $(MANDIR)/man8 + -mkdir -p $(DESTDIR)$(BINDIR) + -mkdir -p $(DESTDIR)$(MANDIR)/man8 + install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR) + install -m 644 checkpolicy.8 $(DESTDIR)$(MANDIR)/man8 + install -m 644 checkmodule.8 $(DESTDIR)$(MANDIR)/man8 relabel: install - /sbin/restorecon $(BINDIR)/checkpolicy - /sbin/restorecon $(BINDIR)/checkmodule + /sbin/restorecon $(DESTDIR)$(BINDIR)/checkpolicy + /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule clean: -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile index 59fa4460..c9a8d4c5 100644 --- a/checkpolicy/test/Makefile +++ b/checkpolicy/test/Makefile @@ -1,7 +1,7 @@ # # Makefile for building the dispol program # -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin LIBDIR ?= $(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include @@ -11,9 +11,9 @@ CFLAGS ?= -g -Wall -W -Werror -O2 -pipe all: dispol dismod -dispol: dispol.o $(LIBSEPOLA) +dispol: dispol.o $(DESTDIR)$(LIBSEPOLA) -dismod: dismod.o $(LIBSEPOLA) +dismod: dismod.o $(DESTDIR)$(LIBSEPOLA) Ditto clean: -rm -f dispol dismod *.o diff --git a/gui/Makefile b/gui/Makefile index 4fc2c1a1..52c3cab2 100644 --- a/gui/Makefile +++ b/gui/Makefile @@ -1,5 +1,5 @@ # Installation directories. -PREFIX ?= ${DESTDIR}/usr +PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin SHAREDIR ?= $(PREFIX)/share/system-config-selinux DATADIR ?= $(PREFIX)/share 
@@ -24,29 +24,29 @@ usersPage.py all: $(TARGETS) system-config-selinux.py polgengui.py install: all - -mkdir -p $(MANDIR)/man8 - -mkdir -p $(SHAREDIR) - -mkdir -p $(BINDIR) - -mkdir -p $(DATADIR)/pixmaps - -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps - -mkdir -p $(DATADIR)/polkit-1/actions/ - install -m 755 system-config-selinux.py $(SHAREDIR) - install -m 755 system-config-selinux $(BINDIR) - install -m 755 polgengui.py $(SHAREDIR) - install -m 644 $(TARGETS) $(SHAREDIR) - install -m 644 system-config-selinux.8 $(MANDIR)/man8 - install -m 644 selinux-polgengui.8 $(MANDIR)/man8 - install -m 644 system-config-selinux.png $(DATADIR)/pixmaps - install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps - install -m 644 system-config-selinux.png $(DATADIR)/system- config-selinux - install -m 644 *.desktop $(DATADIR)/system-config-selinux This one see
[PATCH] Use DESTDIR only in install targets
https://www.gnu.org/prep/standards/html_node/DESTDIR.html DESTDIR should be supported only in the install* and uninstall* targets, as those are the only targets where it is useful. Signed-off-by: Petr Lautrbach --- checkpolicy/Makefile | 20 +++ checkpolicy/test/Makefile| 6 ++--- gui/Makefile | 44 libselinux/include/Makefile | 6 ++--- libselinux/src/Makefile | 38 +-- libselinux/utils/Makefile| 6 ++--- libsemanage/include/Makefile | 6 ++--- libsemanage/src/Makefile | 32 +++ libsemanage/tests/Makefile | 2 +- libsemanage/utils/Makefile | 6 ++--- libsepol/include/Makefile| 14 +- libsepol/src/Makefile| 20 +++ libsepol/utils/Makefile | 6 ++--- mcstrans/man/Makefile| 6 ++--- mcstrans/src/Makefile| 22 mcstrans/utils/Makefile | 8 +++--- policycoreutils/hll/pp/Makefile | 6 ++--- policycoreutils/load_policy/Makefile | 14 +- policycoreutils/man/Makefile | 6 ++--- policycoreutils/newrole/Makefile | 22 policycoreutils/run_init/Makefile| 20 +++ policycoreutils/scripts/Makefile | 12 - policycoreutils/secon/Makefile | 10 policycoreutils/semodule/Makefile| 14 +- policycoreutils/sestatus/Makefile| 20 +++ policycoreutils/setfiles/Makefile| 22 policycoreutils/setsebool/Makefile | 16 ++-- python/audit2allow/Makefile | 20 +++ python/chcat/Makefile| 10 python/semanage/Makefile | 22 python/sepolgen/src/sepolgen/Makefile| 6 ++--- python/sepolgen/src/share/Makefile | 8 +++--- python/sepolicy/Makefile | 18 ++--- restorecond/Makefile | 44 sandbox/Makefile | 32 +++ secilc/Makefile | 14 +- semodule-utils/semodule_deps/Makefile| 12 - semodule-utils/semodule_expand/Makefile | 10 semodule-utils/semodule_link/Makefile| 12 - semodule-utils/semodule_package/Makefile | 14 +- 40 files changed, 313 insertions(+), 313 deletions(-) diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile index 68e11f2a..e4f4fa19 100644 --- a/checkpolicy/Makefile +++ b/checkpolicy/Makefile 
@@ -1,7 +1,7 @@ # # Makefile for building the checkpolicy program # -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin MANDIR ?= $(PREFIX)/share/man LIBDIR ?= $(PREFIX)/lib @@ -26,9 +26,9 @@ GENERATED=lex.yy.c y.tab.c y.tab.h all: $(TARGETS) $(MAKE) -C test -checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA) +checkpolicy: $(CHECKPOLOBJS) $(DESTDIR)$(LIBSEPOLA) -checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA) +checkmodule: $(CHECKMODOBJS) $(DESTDIR)$(LIBSEPOLA) %.o: %.c $(CC) $(CFLAGS) -o $@ -c $< @@ -46,15 +46,15 @@ lex.yy.c: policy_scan.l y.tab.c $(LEX) policy_scan.l install: all - -mkdir -p $(BINDIR) - -mkdir -p $(MANDIR)/man8 - install -m 755 $(TARGETS) $(BINDIR) - install -m 644 checkpolicy.8 $(MANDIR)/man8 - install -m 644 checkmodule.8 $(MANDIR)/man8 + -mkdir -p $(DESTDIR)$(BINDIR) + -mkdir -p $(DESTDIR)$(MANDIR)/man8 + install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR) + install -m 644 checkpolicy.8 $(DESTDIR)$(MANDIR)/man8 + install -m 644 checkmodule.8 $(DESTDIR)$(MANDIR)/man8 relabel: install - /sbin/restorecon $(BINDIR)/checkpolicy - /sbin/restorecon $(BINDIR)/checkmodule + /sbin/restorecon $(DESTDIR)$(BINDIR)/checkpolicy + /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule clean: -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile index 59fa4460..c9a8d4c5 100644 --- a/checkpolicy/test/Makefile +++ b/checkpolicy/test/Makefile @@ -1,7 +1,7 @@ # # Makefile for building the dispol program # -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin LIBDIR ?= $(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include @@ -11,9 +11,9 @@ CFLAGS ?= -g -Wall -W -Werror -O2 -pipe all: dispol dismod -dispol: dispol.o $(LIBSEPOLA) +dispol: dispol.o $(DESTDIR)$(LIBSEPOLA) -dismod: dismod.o $(LIBSEPOLA) +dismod: dismod.o $(DESTDIR)$(LIBSEPOLA) clean: -rm -f dispol dismod *.o diff --git a/gui/Makefile b/gui/Makefile index 4fc2c1a1..52c3cab2 100644 --- a/gui/Makefile +++ b/gui/Makefile @@ -1,5 +
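Review bot: the checkpolicy/Makefile and checkpolicy/test/Makefile hunks add `$(DESTDIR)$(LIBSEPOLA)` as a prerequisite of the `checkpolicy`, `checkmodule`, `dispol` and `dismod` build targets, which contradicts the description's own rule that DESTDIR is consulted only by install*/uninstall* targets (Stephen's reply above makes the same observation); the private-tree build case is better served by letting the caller point LIBSEPOLA at the staging copy, as the mcstrans patch on this page does with `LIBSEPOLA ?= $(LIBDIR)/libsepol.a`, so that `make LIBSEPOLA=/staging/usr/lib/libsepol.a` works without DESTDIR leaking into compile and link rules.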
Re: ANN: SELinux userspace 2.7-rc2 release
On 06/20/2017 04:22 PM, Jason Zaman wrote:
On Tue, Jun 20, 2017 at 03:28:44PM +0200, Petr Lautrbach wrote:
On 06/20/2017 02:14 PM, Stephen Smalley wrote:
On Tue, 2017-06-20 at 12:54 +0200, Petr Lautrbach wrote:
On 06/18/2017 09:46 AM, Jason Zaman wrote:
On Sun, Jun 18, 2017 at 03:32:33PM +0800, Jason Zaman wrote:

There is a bug that needs to be fixed before the final release: https://bugs.gentoo.org/show_bug.cgi?id=621762 I think the fix is just add override in utils/Makefile to the LDLIBS and LDFLAGS bits. I'm not sure I'll have time to get around to testing it so just wanted to let you know before the final release.

Yep, that's the fix, I sent a patch. https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libselinux/libselinux-.ebuild#n58 The gentoo ebuild overrides LDFLAGS on the commandline which is why the override was required. When I first tried to repro manually I just exported LDFLAGS and couldn't repro. Once I read the docs on override it was pretty obvious.

A similar patch is needed almost for every other part when you try to build everything from git first and then install it. In order to do that I need to apply a patch [1] and do the following steps: ... [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/0001-Fix-build-without-install.patch Using this I preserve rpath problems pointing to DESTDIR and rpm can simply use everything from DESTDIR for /

That seems very onerous for packagers. So, are you advocating for reverting fcb5d5cc721187b3e3a19b44155d5b824d7be7e6, or are you proposing the patch cited above for upstream instead?

Actually it seems that fcb5d5cc7 didn't break this use case. At the moment, we still build SELinux tools and libraries from tarballs in Fedora so it's not affected. But since some directories were split I decided to build snapshot SELinux rpms [2] from one selinux src rpm which uses the whole git snapshot.

Ooohh.. okay, I was about to ask; I thought fedora packaged everything separately and didn't get why things were referring to libsepol and libselinux in the same build script. In gentoo they're all separate no matter if it's git or a release, the only thing we change is if we have to cd into a subdir with version number or without. The repo doesn't build very well unless you've installed the earlier deps before building the later ones. You'll probably have a better time if the builds are split out again or if you build and install each one separately.

It seems to be the only working solution right now. But it's the most complicated in regards to the Fedora build systems koji and COPR. Packages are built using mock and a non-root user - a build process can't install files to /. So one needs to build the libsepol package first, push it to the buildroot so that it's installed during the build of other packages, build libselinux, push it to the buildroot, ... This is quite a long and complicated process even in COPR.

There are a bunch of issues with the patch though, it moves -L around to the wrong places. -L should be before the objects and -l after. Also, https://gitlab.com/bachradsusi/selinux-rpm/blob/master/0001-Fix-build-without-install.patch#L288 that check echoes out a y above, so replacing it there will always be false which is probably wrong. I changed it because in gentoo we don't do automagic dependencies so it needs a good way to en/disable manually but the default was unchanged to check if the system has the header.

Thanks for the comment. I'll take a look at it.

But the bits in the patch with override are probably right. I'll check through all the Makefiles and see where needs overriding and send a patch tomorrow.

-- Jason

For my use case, I'd rather see the [1] patch upstream if it's an acceptable solution. I'll rebase it against latest HEAD and send it for review.

[2] https://gitlab.com/bachradsusi/selinux-rpm

Petr
Re: ANN: SELinux userspace 2.7-rc2 release
On 06/20/2017 03:28 PM, Petr Lautrbach wrote:
On 06/20/2017 02:14 PM, Stephen Smalley wrote:
On Tue, 2017-06-20 at 12:54 +0200, Petr Lautrbach wrote:
On 06/18/2017 09:46 AM, Jason Zaman wrote:
On Sun, Jun 18, 2017 at 03:32:33PM +0800, Jason Zaman wrote:
There is a bug that needs to be fixed before the final release: https://bugs.gentoo.org/show_bug.cgi?id=621762 I think the fix is just to add override in utils/Makefile to the LDLIBS and LDFLAGS bits. I'm not sure I'll have time to get around to testing it, so just wanted to let you know before the final release.

Yep, that's the fix, I sent a patch. https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libselinux/libselinux-.ebuild#n58 The gentoo ebuild overrides LDFLAGS on the command line, which is why the override was required. When I first tried to repro manually I just exported LDFLAGS and couldn't repro. Once I read the docs on override it was pretty obvious.

A similar patch is needed for almost every other part when you try to build everything from git first and then install it. In order to do that I need to apply a patch [1] and do the following steps: ... [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/0001-Fix-build-without-install.patch Using this I preserve rpath problems pointing to DESTDIR and rpm can simply use everything from DESTDIR for /

That seems very onerous for packagers. So, are you advocating for reverting fcb5d5cc721187b3e3a19b44155d5b824d7be7e6, or are you proposing the patch cited above for upstream instead?

Actually it seems that fcb5d5cc7 didn't break this use case. I mean it was broken even before this change according to my testing.

cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -I../include -I/usr/include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o load_policy.o load_policy.c
load_policy.c:15:10: fatal error: sepol/sepol.h: No such file or directory
#include
^~~

At the moment, we still build SELinux tools and libraries from tarballs in Fedora so it's not affected. But since some of the directories were split I decided to build snapshot SELinux rpms [2] from one selinux src rpm which uses the whole git snapshot.

For my use case, I'd rather see the [1] patch upstream if it's an acceptable solution. I'll rebase it against latest HEAD and send it for review. [2] https://gitlab.com/bachradsusi/selinux-rpm Petr
Re: ANN: SELinux userspace 2.7-rc2 release
On 06/20/2017 02:14 PM, Stephen Smalley wrote:
On Tue, 2017-06-20 at 12:54 +0200, Petr Lautrbach wrote:
On 06/18/2017 09:46 AM, Jason Zaman wrote:
On Sun, Jun 18, 2017 at 03:32:33PM +0800, Jason Zaman wrote:
There is a bug that needs to be fixed before the final release: https://bugs.gentoo.org/show_bug.cgi?id=621762 I think the fix is just to add override in utils/Makefile to the LDLIBS and LDFLAGS bits. I'm not sure I'll have time to get around to testing it, so just wanted to let you know before the final release.

Yep, that's the fix, I sent a patch. https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libselinux/libselinux-.ebuild#n58 The gentoo ebuild overrides LDFLAGS on the command line, which is why the override was required. When I first tried to repro manually I just exported LDFLAGS and couldn't repro. Once I read the docs on override it was pretty obvious.

A similar patch is needed for almost every other part when you try to build everything from git first and then install it. In order to do that I need to apply a patch [1] and do the following steps: ... [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/0001-Fix-build-without-install.patch Using this I preserve rpath problems pointing to DESTDIR and rpm can simply use everything from DESTDIR for /

That seems very onerous for packagers. So, are you advocating for reverting fcb5d5cc721187b3e3a19b44155d5b824d7be7e6, or are you proposing the patch cited above for upstream instead?

Actually it seems that fcb5d5cc7 didn't break this use case. At the moment, we still build SELinux tools and libraries from tarballs in Fedora so it's not affected. But since some of the directories were split I decided to build snapshot SELinux rpms [2] from one selinux src rpm which uses the whole git snapshot.

For my use case, I'd rather see the [1] patch upstream if it's an acceptable solution. I'll rebase it against latest HEAD and send it for review. [2] https://gitlab.com/bachradsusi/selinux-rpm Petr
Re: ANN: SELinux userspace 2.7-rc2 release
On 06/18/2017 09:46 AM, Jason Zaman wrote:
On Sun, Jun 18, 2017 at 03:32:33PM +0800, Jason Zaman wrote:
There is a bug that needs to be fixed before the final release: https://bugs.gentoo.org/show_bug.cgi?id=621762 I think the fix is just to add override in utils/Makefile to the LDLIBS and LDFLAGS bits. I'm not sure I'll have time to get around to testing it, so just wanted to let you know before the final release.

Yep, that's the fix, I sent a patch. https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libselinux/libselinux-.ebuild#n58 The gentoo ebuild overrides LDFLAGS on the command line, which is why the override was required. When I first tried to repro manually I just exported LDFLAGS and couldn't repro. Once I read the docs on override it was pretty obvious.

A similar patch is needed for almost every other part when you try to build everything from git first and then install it. In order to do that I need to apply a patch [1] and do the following steps:

ln -s ../../cil/include/cil libsepol/include/sepol/cil
make \
    CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" \
    LIBSEPOLA="`pwd`/libsepol/src/libsepol.a"
make -C libselinux \
    CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" \
    LIBSEPOLA="`pwd`/libsepol/src/libsepol.a" \
    PYTHON=%{__python} pywrap
make \
    DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" \
    CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" \
    SHLIBDIR="%{buildroot}/%{_lib}" \
    BINDIR="%{buildroot}%{_bindir}" \
    SBINDIR="%{buildroot}%{_sbindir}" \
    PYTHON=%{__python} \
    install install-pywrap

[1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/0001-Fix-build-without-install.patch

Using this I preserve rpath problems pointing to DESTDIR and rpm can simply use everything from DESTDIR for /

Petr

-- Jason

On Fri, Jun 16, 2017 at 12:55:09PM -0400, Stephen Smalley wrote:
A second release candidate for the SELinux userspace is now available at: https://github.com/SELinuxProject/selinux/wiki/Releases Please give it a test and let us know if there are any issues.

Changes from the -rc1 release:

James Carter (2):
libsepol: Fix neverallow bug when checking conditional policy
libsepol/cil: Fix bugs when writing policy.conf rules

Nicolas Iooss (1):
libsepol: destroy the expanded level when mls_semantic_level_expand() fails

Richard Haines (2):
libsepol/cil: ibendportcon fails to resolve in CIL policy
secilc: Update test policy and documentation for Infiniband

Stephen Smalley (1):
Update VERSION files for 2.7-rc2 release.

Vit Mojzis (1):
policycoreutils/fixfiles: do not dereference link files in tmp
[PATCH 2/2] sepolicy: Fix sorting of port_strings in python 3
Fixes: $ sepolicy network -d httpd_t httpd_t: tcp name_connect Traceback (most recent call last): File /usr/bin/sepolicy, line 699, in args.func(args) File /usr/bin/sepolicy, line 319, in network _print_net(d, tcp, name_connect) File /usr/bin/sepolicy, line 276, in _print_net port_strings.sort(numcmp) TypeError: must use keyword argument for key function Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy.py | 18 ++ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py index 5bf9b526..141f64ec 100755 --- a/python/sepolicy/sepolicy.py +++ b/python/sepolicy/sepolicy.py @@ -241,19 +241,13 @@ def generate_custom_usage(usage_text, usage_dict): return usage_text - -def numcmp(val1, val2): +# expects formats: +# "22 (sshd_t)", "80, 8080 (httpd_t)", "all ports (port_type)" +def port_string_to_num(val): try: -v1 = int(val1.split(",")[0].split("-")[0]) -v2 = int(val2.split(",")[0].split("-")[0]) -if v1 > v2: -return 1 -if v1 == v2: -return 0 -if v1 < v2: -return -1 +return int(val.split(" ")[0].split(",")[0].split("-")[0]) except: -return cmp(val1, val2) +return def _print_net(src, protocol, perm): @@ -273,7 +267,7 @@ def _print_net(src, protocol, perm): port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text)) else: port_strings.append("%s (%s)" % (", ".join(recs), t)) -port_strings.sort(numcmp) +port_strings.sort(key=lambda param: port_string_to_num(param)) for p in port_strings: print("\t" + p) -- 2.13.0
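Review bot: the new key function still returns None (the bare `return` in the except branch) for strings that do not start with a number, such as the "all ports (port_type)" format named in its own comment, and on Python 3 `list.sort()` raises TypeError as soon as a None key is compared with an int key, so the TypeError this patch fixes comes back as a different TypeError on the same input. Return a comparable value instead, for example a tuple `(1, val)` for the non-numeric case and `(0, n)` for the numeric one, and narrow the bare `except:` to `except ValueError:` so that unrelated failures are not silently turned into None.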
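As an added example (not code from the sepolicy patch above), here is a sort key for the same "<ports> (<type>)" strings that `_print_net` builds which keeps every key comparable on Python 3, next to the None-returning shape for comparison. The sample strings are constructed from the three formats listed in the patch's own comment; the port type names and the boolean suffix in them are illustrative.

```python
# Added example: a Python 3 safe sort key for sepolicy's port strings.
# Not code from the sepolicy patch; sample input is constructed.
import re

# Constructed sample in the formats the patch comment names:
# "22 (sshd_t)", "80, 8080 (httpd_t)", "all ports (port_type)",
# plus a port range and an entry with a boolean suffix.
SAMPLE_PORT_STRINGS = [
    "all ports (port_type)",
    "80, 8080 (http_port_t)",
    "1024-65535 (unreserved_port_t)",
    "22 (ssh_port_t)",
    "443 (http_port_t) [ httpd_can_network_connect ]",
]

_LEADING_PORT = re.compile(r"^\s*(\d+)")


def port_string_key(val):
    """Order numeric entries by their lowest port, then put the
    non-numeric ones ("all ports ...") after them.

    The key is always a tuple of the same shape, so Python 3 never has
    to compare int with None or str. A key function that returns None
    on failure makes list.sort() raise TypeError as soon as both kinds
    of entry are present.
    """
    m = _LEADING_PORT.match(val)
    if m:
        return (0, int(m.group(1)), val)
    return (1, 0, val)


def sort_port_strings(port_strings):
    """Return the strings in the order _print_net should print them."""
    return sorted(port_strings, key=port_string_key)


def naive_key(val):
    """The patch's shape, reproduced for comparison: None on failure."""
    try:
        return int(val.split(" ")[0].split(",")[0].split("-")[0])
    except ValueError:
        return None


def naive_sort_raises(port_strings):
    """True if sorting with the None-returning key fails on this input."""
    try:
        sorted(port_strings, key=naive_key)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for p in sort_port_strings(SAMPLE_PORT_STRINGS):
        print("\t" + p)
    print("naive key raises on mixed input:",
          naive_sort_raises(SAMPLE_PORT_STRINGS))
```

The regex only looks at the leading digits, so "80, 8080" and "1024-65535" sort by 80 and 1024 exactly as the patch's split-based parsing intended, while "all ports" entries land at the end instead of crashing the sort.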
[PATCH 1/2] sepolicy/interface: Use relative python 3 imports
Fixes: Verify sepolicy interface -c -i works ... Traceback (most recent call last): File "/usr/bin/sepolicy", line 699, in args.func(args) File "/usr/bin/sepolicy", line 508, in interface print_interfaces(args.interfaces, args) File "/usr/bin/sepolicy", line 492, in print_interfaces interface_compile_test(i) File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 226, in interface_compile_test fd.write(generate_compile_te(interface, idict)) File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 184, in generate_compile_te from templates import test_module ModuleNotFoundError: No module named 'templates' Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/interface.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py index 8956f394..c64122e5 100644 --- a/python/sepolicy/sepolicy/interface.py +++ b/python/sepolicy/sepolicy/interface.py @@ -171,7 +171,7 @@ def get_interface_format_text(interface, path="/usr/share/selinux/devel/policy.x def get_interface_compile_format_text(interfaces_dict, interface): -from templates import test_module +from .templates import test_module param_tmp = [] for i in interfaces_dict[interface][0]: param_tmp.append(test_module.dict_values[i]) @@ -181,7 +181,7 @@ def get_interface_compile_format_text(interfaces_dict, interface): def generate_compile_te(interface, idict, name="compiletest"): -from templates import test_module +from .templates import test_module te = "" te += re.sub("TEMPLATETYPE", name, test_module.te_test_module) te += get_interface_compile_format_text(idict, interface) -- 2.13.0
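Review bot: `from .templates import test_module` is the right fix for the ModuleNotFoundError in the traceback and it also works on Python 2, where the explicit leading-dot form has been accepted since 2.5, so the module stays usable from both interpreters. Since both hunks perform the same import inside function bodies, consider one module-level `from .templates import test_module` instead; that makes the dependency visible to `make test` as soon as `interface.py` is imported rather than only when the compile path is exercised.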
[no subject]
The following patches fix sepolicy python3 issues found by `make test` in python/sepolicy
Re: [PATCH] Fix recently introduced TabError's
On Fri, May 26, 2017 at 04:09:51PM +0200, Petr Lautrbach wrote:
> Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces
> in indentation, which makes python3.6 unhappy.
>
There's another python3 problem with using "print ". I'll resend another patch which will fix it together with the use of tabs and spaces.
> Signed-off-by: Petr Lautrbach > --- > libsemanage/utils/semanage_migrate_store | 4 ++-- > python/semanage/seobject.py | 6 +++--- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/libsemanage/utils/semanage_migrate_store > b/libsemanage/utils/semanage_migrate_store > index 9a9fac22..2e6cb278 100755 > --- a/libsemanage/utils/semanage_migrate_store > +++ b/libsemanage/utils/semanage_migrate_store > @@ -254,8 +254,8 @@ if __name__ == "__main__": > "policy.kern", > "file_contexts", > "homedir_template", > -"pkeys.local", > -"ibendports.local"] > + "pkeys.local", > + "ibendports.local"] > > > create_dir(newroot_path(), 0o755) > diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > index 61be6198..c97a9f0c 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py > @@ -1321,10 +1321,10 @@ class ibpkeyRecords(semanageRecords): > semanageRecords.__init__(self, store) > > def __genkey(self, pkey, subnet_prefix): > - if subnet_prefix == "": > +if subnet_prefix == "": > raise ValueError(_("Subnet Prefix is required")) > > - pkeys = pkey.split("-") > +pkeys = pkey.split("-") > if len(pkeys) == 1: > high = low = int(pkeys[0], 0) > else: > @@ -1576,7 +1576,7 @@ class ibendportRecords(semanageRecords): > semanageRecords.__init__(self, store) > > def __genkey(self, ibendport, ibdev_name): > - if ibdev_name == "": > +if ibdev_name == "": > raise ValueError(_("IB device name is required")) > > port = int(ibendport) > -- > 2.13.0 >
Re: [PATCH] Fix recently introduced TabError's
On Fri, May 26, 2017 at 10:36:59AM -0400, Stephen Smalley wrote:
> On Fri, 2017-05-26 at 16:09 +0200, Petr Lautrbach wrote:
> > Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and
> > spaces
> > in indentation, which makes python3.6 unhappy.
>
> Thanks, applied, and also fixed up print statements -> functions.
Great, thanks. In this case please ignore my previous email.
> > > > > > Signed-off-by: Petr Lautrbach > > --- > > libsemanage/utils/semanage_migrate_store | 4 ++-- > > python/semanage/seobject.py | 6 +++--- > > 2 files changed, 5 insertions(+), 5 deletions(-) > > > > diff --git a/libsemanage/utils/semanage_migrate_store > > b/libsemanage/utils/semanage_migrate_store > > index 9a9fac22..2e6cb278 100755 > > --- a/libsemanage/utils/semanage_migrate_store > > +++ b/libsemanage/utils/semanage_migrate_store > > @@ -254,8 +254,8 @@ if __name__ == "__main__": > > "policy.kern", > > "file_contexts", > > "homedir_template", > > -"pkeys.local", > > -"ibendports.local"] > > + "pkeys.local", > > + "ibendports.local"] > > > > > > create_dir(newroot_path(), 0o755) > > diff --git a/python/semanage/seobject.py > > b/python/semanage/seobject.py > > index 61be6198..c97a9f0c 100644 > > --- a/python/semanage/seobject.py > > +++ b/python/semanage/seobject.py > > @@ -1321,10 +1321,10 @@ class ibpkeyRecords(semanageRecords): > > semanageRecords.__init__(self, store) > > > > def __genkey(self, pkey, subnet_prefix): > > - if subnet_prefix == "": > > +if subnet_prefix == "": > > raise ValueError(_("Subnet Prefix is required")) > > > > - pkeys = pkey.split("-") > > +pkeys = pkey.split("-") > > if len(pkeys) == 1: > > high = low = int(pkeys[0], 0) > > else: > > @@ -1576,7 +1576,7 @@ class ibendportRecords(semanageRecords): > > semanageRecords.__init__(self, store) > > > > def __genkey(self, ibendport, ibdev_name): > > - if ibdev_name == "": > > +if ibdev_name == "": > > raise ValueError(_("IB device name is required")) > > > > port = int(ibendport)
[PATCH] Fix recently introduced TabError's
Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces in indentation, which makes python3.6 unhappy.

Signed-off-by: Petr Lautrbach
--- libsemanage/utils/semanage_migrate_store | 4 ++-- python/semanage/seobject.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store index 9a9fac22..2e6cb278 100755 --- a/libsemanage/utils/semanage_migrate_store +++ b/libsemanage/utils/semanage_migrate_store @@ -254,8 +254,8 @@ if __name__ == "__main__": "policy.kern", "file_contexts", "homedir_template", -"pkeys.local", -"ibendports.local"] + "pkeys.local", + "ibendports.local"] create_dir(newroot_path(), 0o755) diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py index 61be6198..c97a9f0c 100644 --- a/python/semanage/seobject.py +++ b/python/semanage/seobject.py @@ -1321,10 +1321,10 @@ class ibpkeyRecords(semanageRecords): semanageRecords.__init__(self, store) def __genkey(self, pkey, subnet_prefix): - if subnet_prefix == "": +if subnet_prefix == "": raise ValueError(_("Subnet Prefix is required")) - pkeys = pkey.split("-") +pkeys = pkey.split("-") if len(pkeys) == 1: high = low = int(pkeys[0], 0) else: @@ -1576,7 +1576,7 @@ class ibendportRecords(semanageRecords): semanageRecords.__init__(self, store) def __genkey(self, ibendport, ibdev_name): - if ibdev_name == "": +if ibdev_name == "": raise ValueError(_("IB device name is required")) port = int(ibendport) -- 2.13.0
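Review bot: the seobject.py hunks swap a tab for spaces only on the three `if`/assignment lines, while the body lines that follow them (`raise ValueError(...)`, `if len(pkeys) == 1:`, `port = int(ibendport)`) are left untouched, so the fix only holds if those lines were already space-indented; the archive has collapsed the whitespace, so please confirm with `python3 -tt -m py_compile` on both files (or the `make test` run that found this) that no mixed-indentation lines remain, especially since the message says two separate commits introduced the mix. It would also help to name the failure in the message by its Python 3 exception, TabError, and to say whether the `print` statements in the same files are handled here or separately, as the follow-up replies in this thread discuss.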
Re: Fedora COPR repositories with builds of latest code
On 05/25/2017 07:44 AM, Dominick Grift wrote:
On Wed, May 24, 2017 at 04:40:55PM -0400, Stephen Smalley wrote:
On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
For the motivation see https://marc.info/?l=selinux&m=149435307518336&w=2

Thanks! I enabled the one with Fedora patches because I need python3 support for setools4. This should allow me to enable extended_socket_class functionality and test it. I hope this repository will be maintained consistently so that it can be useful.

I just enabled the extended_socket_class capability and in seinfo --polcap -x it currently shows up as "redhat1":
# seinfo --polcap -x
Polcap: 3
policycap network_peer_controls;
policycap open_perms;
policycap redhat1;
I know the redhat1 polcap is re-used but not sure if this is expected to return like that...

Maybe setools4 hasn't been rebuilt to use the updated libsepol, or has its own internal table of the policy capability string names?

thanks, yes that's the case (former)

I will update scripts to rebuild setools together with selinux sources and provide setools builds in copr repos

I've restarted building of Fedora packages based on latest SELinux userspace code in Fedora COPR. Packages are built using the https://gitlab.com/bachradsusi/selinux-rpm project. There is a new selinux.spec [1] file which allows building all Fedora packages from one src.rpm, and a Makefile which makes the process simple. Currently there are two COPR projects:
* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/ This is built with Python3 support based on Fedora patches which are rebased against latest upstream code.
* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/ This is based on pure upstream sources and without Python 3.
Currently I run copr builds manually but the plan is to make it fully automated. Let me know if you find it useful or if you have ideas, comments and so on.
[1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
Thanks, Petr

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Fedora COPR repositories with builds of latest code
For the motivation see https://marc.info/?l=selinux&m=149435307518336&w=2

I've restarted building of Fedora packages based on latest SELinux userspace code in Fedora COPR. Packages are built using the https://gitlab.com/bachradsusi/selinux-rpm project. There is a new selinux.spec [1] file which allows building all Fedora packages from one src.rpm, and a Makefile which makes the process simple. Currently there are two COPR projects:
* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/ This is built with Python3 support based on Fedora patches which are rebased against latest upstream code.
* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/ This is based on pure upstream sources and without Python 3.
Currently I run copr builds manually but the plan is to make it fully automated. Let me know if you find it useful or if you have ideas, comments and so on.
[1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
Thanks, Petr
Re: [PATCH 1/1] libselinux: add selinuxenforced tool
On 4.5.2017 at 23:12, Christian Göttsche via Selinux wrote:
> Add command line tool selinuxenforced to determine the current SELinux
> enforced via exit code.
> Useful for script usage or monitoring.

Could the following script do the work?

case $(getenforce) in
"Permissive") exit 1 ;;
"Enforcing") exit 0 ;;
"Disabled") exit 2 ;;
esac

> --- > libselinux/man/man8/selinuxenforced.8 | 24 > libselinux/utils/.gitignore | 1 + > libselinux/utils/selinuxenforced.c| 33 + > 3 files changed, 58 insertions(+) > create mode 100644 libselinux/man/man8/selinuxenforced.8 > create mode 100644 libselinux/utils/selinuxenforced.c > > diff --git a/libselinux/man/man8/selinuxenforced.8 > b/libselinux/man/man8/selinuxenforced.8 > new file mode 100644 > index ..5ef746e5 > --- /dev/null > +++ b/libselinux/man/man8/selinuxenforced.8 > @@ -0,0 +1,24 @@ > +.TH "selinuxenforced" "8" "4 May 2017" "Security Enhanced Linux" "SELinux > Command Line documentation" > +.SH "NAME" > +selinuxenforced \- tool to be used within shell scripts to determine if > SELinux is in enforced mode > +. > +.SH "SYNOPSIS" > +.B selinuxenforced > +. > +.SH "DESCRIPTION" > +Indicates whether SELinux is in enforced mode or not. > +. > +.SH "EXIT STATUS" > +It exits with status 0 if SELinux is in enforced mode, > +1 if SELinux is in permissive mode, > +2 if SELinux is disabled, > +and 10 if a library call fails. > +. > +.SH AUTHOR > +Christian Göttsche, > +. > +.SH "SEE ALSO" > +.BR selinux (8), > +.BR setenforce (8), > +.BR getenforce (8), > +.BR selinuxenabled (8) > diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore > index 5cd01025..bc1f4327 100644 > --- a/libselinux/utils/.gitignore > +++ b/libselinux/utils/.gitignore > @@ -21,6 +21,7 @@ selabel_partial_match > selinux_check_securetty_context > selinuxenabled > selinuxexeccon > +selinuxenforced > setenforce > setfilecon > togglesebool
> diff --git a/libselinux/utils/selinuxenforced.c > b/libselinux/utils/selinuxenforced.c > new file mode 100644 > index ..b5e1c8e8 > --- /dev/null > +++ b/libselinux/utils/selinuxenforced.c > @@ -0,0 +1,33 @@ > +#include > +#include > +#include > +#include > + > +int main(void) > +{ > + int rc; > + > + rc = is_selinux_enabled(); > + if (rc < 0) { > + fputs("selinuxenforced: is_selinux_enabled() failed", stderr); > + return 10; > + } > + if (rc == 1) { > + rc = security_getenforce(); > + if (rc < 0) { > + fputs("selinuxenforced: security_getenforce() failed", > stderr); > + return 10; > + } > + > + if (rc) { > + // enforced mode > + return 0; > + } > + > + // permissive mode > + return 1; > + } > + > + // SELinux disabled > + return 2; > +} >
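Review bot: both `fputs()` error messages in selinuxenforced.c lack a trailing `\n`, so the text runs straight into whatever the caller prints next; end them with a newline, or use `perror()` so the errno from `is_selinux_enabled()` / `security_getenforce()` is shown as well. The exit codes 0, 1, 2 and 10 match the EXIT STATUS section of the man page, which is good; in the .gitignore hunk, `selinuxenforced` is inserted after `selinuxexeccon` although the surrounding entries are sorted, so it belongs between `selinuxenabled` and `selinuxexeccon`.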
Re: [PATCH] libsepol: Add INCLUDEDIR to utils/Makefile
On 4.5.2017 at 22:49, Stephen Smalley wrote:
> On Thu, 2017-05-04 at 16:22 +0200, Petr Lautrbach wrote:
>> The patch is wrong, please disregard.
>>
>> I'm not sure about the right fix in order not to break the gentoo use
>> case.
>> I'd just revert the fcb5d5c change in libsepol/utils/Makefile for now.
>
> Can't you just specify CFLAGS to make, similar to what is done in the
> top-level Makefile for building with DESTDIR set?
>
I believe that the ../include and ../src paths should always be added to CFLAGS and LDFLAGS in this case, to prevent cases when LDFLAGS and CFLAGS are overridden on a command line without setting the paths containing sepol.h and sepol.so. This way it's already used in libsepol/src/Makefile

Petr
[PATCH] libsepol/utils: Fix build without system sepol.h
fcb5d5c removed ../include from CFLAGS from libsepol/utils/Makefile so that a build tool can't find sepol/sepol.h when only libsepol is built and a system is without sepol.h in standard paths. It should use its own sepol.h file during build. `override` needs to be used in order not to be overridden by values provided on a command line. Same problem applies to LDFLAGS.

Fixes:
$ make CFLAGS="" LDFLAGS=""
make[1]: Entering directory '/root/selinux/libsepol/utils'
cc chkcon.c -lsepol -o chkcon
chkcon.c:1:25: fatal error: sepol/sepol.h: No such file or directory
#include

$ make CFLAGS="" LDFLAGS=""
...
make -C utils
make[1]: Entering directory '/root/selinux/libsepol/utils'
cc -I../include chkcon.c -lsepol -o chkcon
/usr/bin/ld: cannot find -lsepol
collect2: error: ld returned 1 exit status

Signed-off-by: Petr Lautrbach
--- libsepol/utils/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile index a13164e1..3b2fb771 100644 --- a/libsepol/utils/Makefile +++ b/libsepol/utils/Makefile @@ -3,7 +3,8 @@ PREFIX ?= $(DESTDIR)/usr BINDIR ?= $(PREFIX)/bin CFLAGS ?= -Wall -Werror -LDFLAGS += -L../src +override CFLAGS += -I../include +override LDFLAGS += -L../src LDLIBS += -lsepol TARGETS=$(patsubst %.c,%,$(wildcard *.c)) -- 2.12.2
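Review bot: `LDLIBS += -lsepol`, the context line right after the two `override` lines, is still a plain `+=`, so a `make LDLIBS=...` on the command line would drop `-lsepol` in exactly the way `make LDFLAGS=""` dropped `-L../src` in the second transcript; Jason's report at the top of this thread names both LDLIBS and LDFLAGS as needing `override` for the Gentoo ebuild case. Either make it `override LDLIBS += -lsepol` in the same patch or say in the message why LDLIBS is deliberately left alone. The two `Fixes:` transcripts would also read better with a note on which one comes from the tree with the CFLAGS line already fixed, since the second already shows `-I../include` and only the link step fails.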
Re: Policy capabilities: when to use and complications with using
On 05/04/2017 07:50 PM, Dominick Grift wrote:
> On Thu, May 04, 2017 at 07:42:40PM +0200, Dominick Grift wrote:
>> On Thu, May 04, 2017 at 11:50:15AM -0400, Paul Moore wrote:
>>> On Wed, May 3, 2017 at 12:51 PM, Dominick Grift wrote:
 On Wed, May 03, 2017 at 12:14:16PM -0400, Stephen Smalley wrote:
> Part of the reason that we tend to not introduce a new policy
> capability more often is that it is painful to do so currently. We
> have to patch libsepol to recognize the new capability and patch the
> policy to declare it (although for the latter we can now declare them
> via a CIL module without modifying the base policy). And since the
> policy or module won't build without the updated libsepol, we can't
> turn on the capability by default in refpolicy without making it
> dependent on a new libsepol version. That's why extended_socket_class
> isn't yet enabled in refpolicy, for example. That causes enablement
> and adoption to lag behind. It also makes it harder to test the new
> kernel feature in the first place.
 I would like to see Fedora package the RC's in Rawhide as well (other distributions could help by packaging the RC's in unstable as well). That would at least make the RC's a bit more accessible. In Fedora it is usually not the kernel that is the problem, it is user space that is generally too old. And as you've said policy is no longer a problem with CIL.
>>>
>>> [NOTE: I'm still thinking about the rest of Stephen's email, and the
>>> follow up comments, but I wanted to reply to this particular comment
>>> separately.]
>>>
>>> I'm not sure I want to see SELinux userspace release candidates in
>>> normal Rawhide, but I think creating a COPR repository to
>>> build/distribute release candidates could be a good thing. We already
>>> do something similar for the kernel patches and it has been helpful in
>>> my opinion.
>>
>> Thanks, yes I suppose you are right. Release Candidates would probably
>> potentially cause too much disruption even in Rawhide.
>> COPR should do the job, although it will not be as accessible as Rawhide. It
>> won't get the same kind of attention, but it will do for me.
>
> With COPR though we might be able to package more frequently and not just RC's
> (weeklies/nightlies)? If that can somehow be automated then we also do not
> have to worry so much about keeping things maintained over time

I'm just building a new set of updates in my COPR plautrba/selinux repository [1]. It's based on latest upstream sources with some Fedora patches on top of it, currently tracked in my github tree [2]. But there are some problems and it's not ready yet.

I used to build vanilla upstream sources [3] but the latest build is 15 months old. I can restart this project if there's an interest. Since COPR provides an API with an authentication token, builds can be automated and I have a few scripts I used before. I think it could even work for Rawhide with a less frequent update cycle.

[1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux/
[2] https://github.com/bachradsusi/selinux/tree/WIP-master
[3] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-master/builds/

Petr
Re: [PATCH] libsepol: Add INCLUDEDIR to utils/Makefile
The patch is wrong, please disregard. I'm not sure about the right fix in order not to break gentoo use case. I'd just revert fcb5d5c change in libsepol/utils/Makefile for now. On 05/04/2017 04:08 PM, Petr Lautrbach wrote: > fcb5d5c removed ../include from CFLAGS from libsepol/utils/Makefile so > that a build tool can't find sepol/sepol.h when libsepol is built on a > system without sepol.h in standard paths. > > Fixes: > chkcon.c:1:10: fatal error: sepol/sepol.h: No such file or directory > #include > > Signed-off-by: Petr Lautrbach > --- > libsepol/utils/Makefile | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile > index a13164e1..f5097be7 100644 > --- a/libsepol/utils/Makefile > +++ b/libsepol/utils/Makefile > @@ -1,6 +1,7 @@ > # Installation directories. > PREFIX ?= $(DESTDIR)/usr > BINDIR ?= $(PREFIX)/bin > +INCLUDEDIR ?= $(PREFIX)/include > > CFLAGS ?= -Wall -Werror > LDFLAGS += -L../src >
[PATCH] libsepol: Add INCLUDEDIR to utils/Makefile
fcb5d5c removed ../include from CFLAGS from libsepol/utils/Makefile so that a build tool can't find sepol/sepol.h when libsepol is built on a system without sepol.h in standard paths. Fixes: chkcon.c:1:10: fatal error: sepol/sepol.h: No such file or directory #include Signed-off-by: Petr Lautrbach --- libsepol/utils/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile index a13164e1..f5097be7 100644 --- a/libsepol/utils/Makefile +++ b/libsepol/utils/Makefile @@ -1,6 +1,7 @@ # Installation directories. PREFIX ?= $(DESTDIR)/usr BINDIR ?= $(PREFIX)/bin +INCLUDEDIR ?= $(PREFIX)/include CFLAGS ?= -Wall -Werror LDFLAGS += -L../src -- 2.12.2
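Review bot: the hunk defines `INCLUDEDIR ?= $(PREFIX)/include` but nothing in the Makefile reads it, so CFLAGS is unchanged and the `sepol/sepol.h: No such file or directory` error in the commit message still happens; the variable would have to reach the compiler (for example `CFLAGS += -I$(INCLUDEDIR)`), and even then it names the install location, not the in-tree `../include` that a build without an installed libsepol needs. The follow-up in this thread withdrawing the patch, and the later `override CFLAGS += -I../include` version, address that.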
[PATCH 15/19] dbus: Use text streams in selinux_server.py
subprocess.Popen called without universal_newlines=True opens stdin, stdout and stderr as binary streams, which causes problems with Python 3.

Fixes:
Traceback (most recent call last):
File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 2773, in unconfined_toggle self.dbus.semanage("module -e unconfined")
File "", line 2, in semanage
File "/usr/lib/python3.4/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy return func(*p, **k)
File "/usr/lib64/python3.4/site-packages/sepolicy/sedbus.py", line 14, in semanage ret = self.dbus_object.semanage(buf, dbus_interface = "org.selinux")
File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 145, in __call__ **keywords)
File "/usr/lib64/python3.4/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.TypeError: TypeError: 'dbus.String' does not support the buffer interface

Signed-off-by: Petr Lautrbach
--- dbus/selinux_server.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py index aae8b5fa..6e380e58 100644 --- a/dbus/selinux_server.py +++ b/dbus/selinux_server.py @@ -24,7 +24,7 @@ class selinux_server(slip.dbus.service.Object): @slip.dbus.polkit.require_auth("org.selinux.semanage") @dbus.service.method("org.selinux", in_signature='s') def semanage(self, buf): -p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE) +p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) p.stdin.write(buf) output = p.communicate() if p.returncode and p.returncode != 0:
@@ -38,7 +38,7 @@ class selinux_server(slip.dbus.service.Object): @slip.dbus.polkit.require_auth("org.selinux.customized") @dbus.service.method("org.selinux", in_signature='', out_signature='s') def customized(self): -p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE) +p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() if p.returncode and p.returncode != 0: @@ -52,7 +52,7 @@ class selinux_server(slip.dbus.service.Object): @slip.dbus.polkit.require_auth("org.selinux.semodule_list") @dbus.service.method("org.selinux", in_signature='', out_signature='s') def semodule_list(self): -p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE) +p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() if p.returncode and p.returncode != 0: -- 2.12.2
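Review bot: in the first hunk, `p.stdin.write(buf)` followed by `p.communicate()` can deadlock if `semanage import` fills its stderr pipe before it drains stdin, because the parent is blocked in the write and is not yet reading either pipe; `output = p.communicate(input=buf)` passes the data safely and closes stdin for you. The second and third hunks have the same shape with `buf = p.stdout.read()` before `p.communicate()`, which leaves `output[0]` empty; `buf, err = p.communicate()` gets both streams in one call. `if p.returncode and p.returncode != 0` is just `if p.returncode:`. The `universal_newlines=True` change itself is right: on Python 3 `dbus.String` is a `str`, so it needs a text pipe, and `semanage export` / `semodule --list=full` output then comes back as `str` for the `out_signature='s'` return.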
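An added example, not part of the dbus patch, that shows the two behaviours behind its commit message on Python 3: a `str` written into a binary stdin pipe raises TypeError, and the same call succeeds once Popen is in text mode. A `python -c` child that echoes stdin stands in for `semanage import` (a constructed substitute, so the example runs without SELinux tooling), and the text-mode path feeds the data through `communicate(input=...)` instead of writing to `p.stdin` by hand.

```python
# Added example: binary vs text pipes in subprocess on Python 3.
# Not code from dbus/selinux_server.py; the echo child is a constructed
# stand-in for "semanage import".
import sys
from subprocess import Popen, PIPE

# Child that copies stdin to stdout, standing in for `semanage import`.
ECHO_CHILD = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.read())"]


def run_binary_mode(buf):
    """Pre-patch shape: Popen without universal_newlines, then a str
    written into the (bytes) stdin pipe.

    Returns the name of the exception the write raises, or None if it
    succeeded. On Python 3 this is "TypeError", the same class that
    surfaces as 'dbus.String' does not support the buffer interface in
    the traceback quoted by the patch.
    """
    p = Popen(ECHO_CHILD, stdin=PIPE, stdout=PIPE, stderr=PIPE)
    try:
        p.stdin.write(buf)          # str into a bytes pipe
    except TypeError as exc:
        p.kill()
        p.communicate()             # reap the child, close the pipes
        return type(exc).__name__
    p.communicate()
    return None


def run_text_mode(buf):
    """Post-patch shape: universal_newlines=True gives text pipes, so a
    str (or a dbus.String, which is a str subclass) can be sent.

    The input goes through communicate(), which writes stdin and reads
    stdout/stderr concurrently, so a child that writes a lot to stderr
    before reading stdin cannot deadlock the caller. Returns
    (returncode, stdout, stderr).
    """
    p = Popen(ECHO_CHILD, stdin=PIPE, stdout=PIPE, stderr=PIPE,
              universal_newlines=True)
    out, err = p.communicate(input=buf)
    return p.returncode, out, err


if __name__ == "__main__":
    request = "module -e unconfined\n"      # the string gui.py sends
    print("binary pipe:", run_binary_mode(request))
    print("text pipe:  ", run_text_mode(request))
```

`communicate(input=...)` also closes stdin for you, so the explicit `p.stdin.write()` plus `p.communicate()` pair that the patched server still uses is not needed.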
[PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates
Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/gui.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py index 7f84b6f9..007c94a7 100644 --- a/python/sepolicy/sepolicy/gui.py +++ b/python/sepolicy/sepolicy/gui.py @@ -1378,8 +1378,8 @@ class SELinuxGui(): self.treeview = self.network_in_treeview category = _("listen for inbound connections") -self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category}) -self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category}) +self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) +self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) if self.transitions_radio_button.get_active(): 
@@ -1599,8 +1599,8 @@ class SELinuxGui(): self.show_popup(self.login_popup_window) if self.opage == FILE_EQUIV_PAGE: - self.file_equiv_source_entry.set_text(self.file_equiv_liststore.get_value(iter, 0)) - self.file_equiv_dest_entry.set_text(self.file_equiv_liststore.get_value(iter, 1)) + self.file_equiv_source_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 0))) + self.file_equiv_dest_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 1))) self.file_equiv_label.set_text((_("Modify File Equivalency Mapping. Mapping will be created when update is applied."))) self.file_equiv_popup_window.set_title(_("Modify SELinux File Equivalency")) self.clear_entry = True -- 2.12.2
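Review bot: the file-equivalency hunk (the two new `self.unmarkup(...)` wrappers around the liststore values) is unrelated to gettext templates, which is all the subject and the first hunk describe; either split it into its own commit or document it in the message. Also confirm `unmarkup` is already a method of SELinuxGui at this point in the series; nothing in this diff shows its definition.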
[PATCH 12/19] sepolicy: Simplify policy types detection
map() and filter() changed their return values from list to iterators in Python 3. This change drops filter() and map() from gui.py to make it work on Python 2 and 3 Fixes: Traceback (most recent call last): File "/bin/sepolicy", line 700, in args.func(args) File "/bin/sepolicy", line 326, in gui_run sepolicy.gui.SELinuxGui(args.domain, args.test) File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 238, in __init__ if self.populate_system_policy() < 2: File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 835, in populate_system_policy types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0] TypeError: 'map' object is not subscriptable Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/gui.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py index e361aa1c..8e86a369 100644 --- a/python/sepolicy/sepolicy/gui.py +++ b/python/sepolicy/sepolicy/gui.py @@ -831,8 +831,7 @@ class SELinuxGui(): self.enforce_button = self.disabled_button_default def populate_system_policy(self): -selinux_path = selinux.selinux_path() -types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0] +types = next(os.walk(selinux.selinux_path(), topdown=True))[1] types.sort() ctr = 0 for item in types: -- 2.12.2
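Review bot: `next(os.walk(selinux.selinux_path(), topdown=True))[1]` raises StopIteration when the path does not exist or cannot be read, because os.walk swallows the OSError (its default onerror is None) and yields nothing; the old expression raised IndexError in the same case, so neither is handled. Give next() a default, e.g. `next(os.walk(selinux.selinux_path()), (None, [], None))[1]`, so that `populate_system_policy() < 2` in __init__ still triggers instead of a traceback. `topdown=True` is the default and can be dropped.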
[PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype
This fixes a problem introduced in 18410c86 where ruletype is specified as a string not a list. Fixes: >>> sepolicy.get_all_role_allows() Traceback (most recent call last): File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup return cls(value) File "/usr/lib64/python3.6/enum.py", line 291, in __call__ return cls.__new__(cls, value) File "/usr/lib64/python3.6/enum.py", line 533, in __new__ return cls._missing_(value) File "/usr/lib64/python3.6/enum.py", line 546, in _missing_ raise ValueError("%r is not a valid %s" % (value, cls.__name__)) ValueError: 'a' is not a valid RBACRuletype Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py index 074d20ef..d2e3fc46 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py @@ -747,7 +747,7 @@ def get_all_role_allows(): return role_allows role_allows = {} -q = setools.RBACRuleQuery(_pol, ruletype='allow') +q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW]) for r in q.results(): src = str(r.source) tgt = str(r.target) -- 2.12.2
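Review bot: the hunk replaces `ruletype='allow'` with `ruletype=[ALLOW]` but nothing in the diff shows where ALLOW is defined in __init__.py; confirm it is the same module-level constant that search() already passes to setools. The traceback in the message (`'a' is not a valid RBACRuletype`) is setools iterating the string one character at a time, which is the actual cause and deserves one sentence in the message for the next reader.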
[PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead
filter() changed it's behavior among python 2 and python 3 Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/__init__.py | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py index 22c72b2f..074d20ef 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py @@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm): def get_conditionals_format_text(cond): -enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0 + +enabled = False +for x in cond: +if x['boolean'][0][1]: +enabled = True +break return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond @@ -465,7 +470,7 @@ def find_file(reg): try: pat = re.compile(r"%s$" % reg) -return filter(pat.match, map(lambda x: path + x, os.listdir(path))) +return [x for x in map(lambda x: path + x, os.listdir(path)) if pat.match(x)] except: return [] @@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): def get_transitions_into(setype): try: -return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'})) +return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype] except (TypeError, AttributeError): pass return None @@ -605,7 +610,7 @@ def get_transitions(setype): def get_file_transitions(setype): try: -return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype})) +return [x for x in search([TRANSITION], {'source': setype}) if x['class'] != "process"] except (TypeError, AttributeError): pass return None -- 2.12.2
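Review bot: in get_conditionals_format_text the five-line loop that replaces `len(filter(...)) > 0` is `enabled = any(x['boolean'][0][1] for x in cond)`; it behaves identically on Python 2 and 3 and keeps the function short. The `set(map(lambda x: ...))` on the return line is fine as it is, since set() consumes the iterator.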
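Review bot: in the find_file hunk, `[x for x in map(lambda x: path + x, os.listdir(path)) if pat.match(x)]` reuses `x` as both the lambda parameter and the comprehension variable, which is legal but easy to misread; `[path + f for f in os.listdir(path) if pat.match(path + f)]` is clearer. The bare `except:` on the context line below it also swallows everything, including KeyboardInterrupt; narrow it to `(OSError, re.error)`.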
[PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/templates/executable.py | 21 - 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py index 4cc5bfa4..456a7ca8 100644 --- a/python/sepolicy/sepolicy/templates/executable.py +++ b/python/sepolicy/sepolicy/templates/executable.py @@ -220,7 +220,7 @@ if_program_rules=""" ## -## Execute TEMPLATE in the TEMPLATETYPE domin. +## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domin. ## ## ## @@ -236,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t) ') + +## +## +## Execute TEMPLATETYPE in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_exec',` + gen_require(` + type TEMPLATETYPE_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, TEMPLATETYPE_exec_t) +') """ if_user_program_rules=""" -- 2.12.2
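Review bot: the first hunk rewrites the description to `Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domin.` and keeps the `domin` misspelling, which 09/19 then fixes on its own; squash 09/19 into this patch. In the new TEMPLATETYPE_exec interface the summary reads `Execute TEMPLATETYPE in the caller domain` while the domtrans summary now names the `_exec_t` type; use the same wording in both.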
[PATCH 09/19] Fix typo in executable.py template.
From: Miroslav Grepl Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/templates/executable.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py index 456a7ca8..f2679938 100644 --- a/python/sepolicy/sepolicy/templates/executable.py +++ b/python/sepolicy/sepolicy/templates/executable.py @@ -220,7 +220,7 @@ if_program_rules=""" ## -## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domin. +## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain. ## ## ## -- 2.12.2
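Review bot: this one-word fix corrects a line that 08/19 in the same series introduced; fold it into 08/19 so the series never carries the misspelling.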
[PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a'
Fixes: $ sepolicy manpage -a Traceback (most recent call last): File "/usr/bin/sepolicy", line 699, in args.func(args) File "/usr/bin/sepolicy", line 359, in manpage m = ManPage(domain, path, args.root, args.source_files, args.web) File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__ self.__gen_man_page() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 495, in __gen_man_page self._entrypoints() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 903, in _entrypoints if len(entrypoints) > 1: TypeError: object of type 'map' has no len() $ sepolicy manpage -a Traceback (most recent call last): File "/usr/bin/sepolicy", line 699, in args.func(args) File "/usr/bin/sepolicy", line 359, in manpage m = ManPage(domain, path, args.root, args.source_files, args.web) File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__ self.__gen_man_page() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 497, in __gen_man_page self._mcs_types() File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 927, in _mcs_types attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] TypeError: 'generator' object is not subscriptable Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 4cebb299..a4dc717a 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -94,11 +94,10 @@ def get_all_users_info(): all_entrypoints = None - def get_entrypoints(): global all_entrypoints if not all_entrypoints: -all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"] +all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] return all_entrypoints domains = None 
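Review bot: `next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]` raises StopIteration if the loaded policy has no attribute named entry_type; the old `[0]` raised IndexError in the same case, so nothing is lost, but since get_entrypoints() runs for every domain during man page generation a default (`next(..., {"types": []})`) fails more gracefully. The guard `if not all_entrypoints:` also re-queries on every call when the result is legitimately empty; test `is None` instead.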
@@ -939,9 +938,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) return True def _entrypoints(self): -try: -entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})) -except: +entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})] +if len(entrypoints) == 0: return self.fd.write(""" @@ -971,8 +969,8 @@ All executeables with the default executable label, usually stored in /usr/bin a %s""" % ", ".join(paths)) def _mcs_types(self): -attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] -if "mcs_constrained_type" not in attributes: +mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type")) +if self.type not in mcs_constrained_type['types']: return self.fd.write (""" .SH "MCS Constrained" -- 2.12.2
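Review bot: in _mcs_types the new `next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))` raises StopIteration on a policy that does not declare that attribute, and unlike the entry_type lookup this is exactly the case where returning early is the right answer; use `next(..., None)` and return when it is None. In _entrypoints, dropping the `try/except:` is an improvement, but the message should note that failures in sepolicy.search() now propagate instead of silently skipping the section.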
[PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
From: Miroslav Grepl Signed-off-by: Dan Walsh --- python/sepolicy/sepolicy/templates/executable.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py index 0db6b9cc..4cc5bfa4 100644 --- a/python/sepolicy/sepolicy/templates/executable.py +++ b/python/sepolicy/sepolicy/templates/executable.py @@ -419,8 +419,12 @@ interface(`TEMPLATETYPE_admin',` if_middle_admin=""" ') - allow $1 TEMPLATETYPE_t:process { ptrace signal_perms }; + allow $1 TEMPLATETYPE_t:process { signal_perms }; ps_process_pattern($1, TEMPLATETYPE_t) + +tunable_policy(`deny_ptrace',`',` +allow $1 TEMPLATETYPE_t:process ptrace; +') """ if_initscript_admin_types=""" -- 2.12.2
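Review bot: the `tunable_policy(`deny_ptrace',`',` ... ')` block places the allow rule in the false branch, so ptrace is granted only while deny_ptrace is off, which matches the subject; but the generated module now depends on the deny_ptrace boolean being declared in the target base policy, and that is a Fedora policy tunable, so output of sepolicy generate built against a policy without it will fail to build. State that dependency in the message or in sepolicy-generate.8. Minor: `allow $1 TEMPLATETYPE_t:process { signal_perms };` keeps braces around a single macro; `process signal_perms;` is the usual form.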
[PATCH 06/19] Fix up generation of application policy
From: Dan Walsh Signed-off-by: Dan Walsh --- python/sepolicy/sepolicy-generate.8 | 2 +- python/sepolicy/sepolicy/templates/executable.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8 index 2e674568..0c5f998f 100644 --- a/python/sepolicy/sepolicy-generate.8 +++ b/python/sepolicy/sepolicy-generate.8 @@ -13,7 +13,7 @@ Common options Confined Applications .br -.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ] +.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ] .br .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] .br diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py index 4b9534d3..0db6b9cc 100644 --- a/python/sepolicy/sepolicy/templates/executable.py +++ b/python/sepolicy/sepolicy/templates/executable.py @@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles; type TEMPLATETYPE_t; type TEMPLATETYPE_exec_t; application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) +role TEMPLATETYPE_roles types TEMPLATETYPE_t; permissive TEMPLATETYPE_t; """ -- 2.12.2
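Review bot: in the sepolicy-generate.8 hunk the new synopsis `[\-u USER ]command` lacks the space between `]` and `command`; the neighbouring lines write `command` as a separate word. The executable.py hunk adds `role TEMPLATETYPE_roles types TEMPLATETYPE_t;` without a word of explanation; one sentence on which generate path produced a domain no role could enter would make the subject `Fix up generation of application policy` reviewable.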
[PATCH 18/19] sepolicy: info() should provide attributes for a TYPE
"attributes" used to be there when sepolicy.info() used setools3 Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/__init__.py | 1 + python/sepolicy/sepolicy/manpage.py | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py index d2e3fc46..8fa2c2ae 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py @@ -171,6 +171,7 @@ def info(setype, name=None): 'aliases': map(str, x.aliases()), 'name': str(x), 'permissive': bool(x.ispermissive), +'attributes': map(str, x.attributes()) } for x in q.results()) elif setype == ROLE: diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index a4dc717a..4159bafb 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -494,7 +494,7 @@ class ManPage: self.desc = "%s user role" % self.domainname if self.domainname in self.all_users: -self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] +self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"] self._user_header() self._user_attribute() self._can_sudo() @@ -539,7 +539,7 @@ class ManPage: self.man_page_path = man_page_path except KeyError: continue; -self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] +self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"] self._header() self._entrypoints() -- 2.12.2
[PATCH 13/19] sepolicy/generate.py: Fix string formatting
Fixes python3 problem: >>> print("Failed to retrieve rpm info for %s") % package Failed to retrieve rpm info for %s Traceback (most recent call last): File "", line 1, in TypeError: unsupported operand type(s) for %: 'NoneType' and 'str' Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/generate.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py index 596891a4..d68f96ef 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -92,7 +92,7 @@ def get_rpm_nvr_list(package): nvr = get_rpm_nvr_from_header(h) break except: -print("Failed to retrieve rpm info for %s") % package +print(("Failed to retrieve rpm info for %s") % package) nvr = None return nvr -- 2.12.2
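Review bot: `print(("Failed to retrieve rpm info for %s") % package)` keeps a redundant pair of parentheses around the format string; `print("Failed to retrieve rpm info for %s" % package)` is the idiomatic form. The bare `except:` on the context line above also hides every error from the rpm lookup; at minimum catch Exception.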
[PATCH 10/19] sepolicy: Adapt to the new semodule list output
semodule in policycoreutils-2.4 changed the list format. With this patch, org.selinux.semodule_list uses 'semodule --list=full' and the code using this was adapted to the new format. Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309 Fixes: File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 670, in lockdown_init self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"]) KeyError: 'unconfined' Signed-off-by: Petr Lautrbach --- dbus/selinux_server.py | 4 ++-- gui/polgengui.py| 2 +- python/sepolicy/sepolicy/gui.py | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py index 8bd1fe5b..aae8b5fa 100644 --- a/dbus/selinux_server.py +++ b/dbus/selinux_server.py @@ -46,13 +46,13 @@ class selinux_server(slip.dbus.service.Object): return buf # -# The semodule_list method will return the output of semodule -l, using the customized polkit, +# The semodule_list method will return the output of semodule --list=full, using the customized polkit, # since this is a readonly behaviour # @slip.dbus.polkit.require_auth("org.selinux.semodule_list") @dbus.service.method("org.selinux", in_signature='', out_signature='s') def semodule_list(self): -p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE) +p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE) buf = p.stdout.read() output = p.communicate() if p.returncode and p.returncode != 0: diff --git a/gui/polgengui.py b/gui/polgengui.py index 1d262a95..7460cce2 100644 --- a/gui/polgengui.py +++ b/gui/polgengui.py 
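Review bot: the selinux_server.py hunk changes what the org.selinux.semodule_list D-Bus method returns, which affects every client of that method, not only the gui.py parser updated later in this patch; the policycoreutils-2.4 requirement belongs in the package dependencies as well as in the message. The updated comment still says `using the customized polkit` while the decorator below it requires org.selinux.semodule_list; fix the comment while it is being touched.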
@@ -679,7 +679,7 @@ class childWindow: entry.set_text("") return False if name in self.all_modules: -if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: +if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: entry.set_text("") return False diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py index c9dd4c1c..e361aa1c 100644 --- a/python/sepolicy/sepolicy/gui.py +++ b/python/sepolicy/sepolicy/gui.py @@ -673,9 +673,9 @@ class SELinuxGui(): self.module_dict = {} for m in self.dbus.semodule_list().split("\n"): mod = m.split() -if len(mod) < 2: +if len(mod) < 3: continue -self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)} +self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) } self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"]) self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"]) -- 2.12.2
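Review bot: in the gui.py hunk `"Disabled": (len(mod) > 3)` treats any fourth field as a disabled marker rather than checking for the literal `disabled` token, and `self.module_dict[mod[1]] = ...` silently overwrites when the same module name appears at more than one priority in `--list=full` output, so the dict may record a shadowed copy's state; compare the token explicitly and keep the highest-priority entry. The `self.module_dict["unconfined"]` and `["permissivedomains"]` lookups on the context lines still raise the KeyError quoted in the message whenever either module is not installed; `.get(..., {}).get("Disabled", False)` would not.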
[PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/
Fixes: (sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/sepolicy.glade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade index e7d96f98..8f6ad650 100644 --- a/python/sepolicy/sepolicy/sepolicy.glade +++ b/python/sepolicy/sepolicy/sepolicy.glade @@ -1043,7 +1043,7 @@ True False -images/booleans.png +help/booleans.png False -- 2.12.2
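Review bot: the subject says `boolean.png` while both the glade hunk and the Gtk warning in the message name `booleans.png`; fix the subject so it matches the file that moved.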
[PATCH 14/19] policycoreutils/sepolicy: Define our own cmp()
Fixes: Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort return cmp(val1, val2) NameError: name 'cmp' is not defined Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/gui.py | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py index 8e86a369..7f84b6f9 100644 --- a/python/sepolicy/sepolicy/gui.py +++ b/python/sepolicy/sepolicy/gui.py @@ -69,8 +69,14 @@ enabled = [_("No"), _("Yes")] action = [_("Disable"), _("Enable")] -def compare(a, b): -return cmp(a.lower(), b.lower()) +def cmp(a, b): +if a is None and b is None: +return 0 +if a is None: +return -1 +if b is None: +return 1 +return (a > b) - (a < b) import distutils.sysconfig ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<")) -- 2.12.2
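Review bot: the hunk deletes `compare()` while the message only talks about adding `cmp()`; confirm no caller of compare() remains (none is visible here), and note that compare() lower-cased its arguments while the new cmp() does not, so any caller that relied on case-insensitive ordering changes behaviour. Defining a module-level `cmp` intentionally shadows the Python 2 builtin, which is fine, but a one-line comment above the def would stop someone from later removing it as dead code; the None-sorts-first rule is also a new choice worth a comment.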
[PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages
Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 3ebdfeb7..bd5a64ac 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -1172,7 +1172,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: -.B search -A -s %(type)s -c file -p execute_no_trans +.B sesearch -A -s %(type)s -c file -p execute_no_trans .TP @@ -1180,7 +1180,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut Execute the following to see the types that the SELinux user %(type)s can execute and transition: -.B $ search -A -s %(type)s -c process -p transition +.B $ sesearch -A -s %(type)s -c process -p transition """ % {'user': self.domainname, 'type': self.type}) -- 2.12.2
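Review bot: the two corrected commands are inconsistent with each other: the first hunk emits `.B sesearch -A ...` and the second `.B $ sesearch -A ...` with a shell prompt; the generated man page should use one style for both.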
[PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index b268680a..4cebb299 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -37,7 +37,7 @@ typealias_types = { "httpd_t":("phpfpm_t"), } -equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} +equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} equiv_dirs = ["/var"] modules_dict = None -- 2.12.2
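Review bot: the hunk only removes `svirt`, `svirt_tcg`, `svirt_lxc_t` and `svirt_lxc_net_t` from the virtd equivalence list; the separate svirt man page the subject promises comes from the `svirt_t` entry in typealias_types added by 03/19, and the message should say so. Two of the removed names carry a `_t` suffix while the rest of the dict uses bare names, which suggests they never matched anything; worth a note.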
[PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 13 + 1 file changed, 13 insertions(+) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 1af4295c..3ebdfeb7 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -504,6 +504,7 @@ class ManPage: self._booleans() self._port_types() +self._mcs_types() self._writes() self._footer() @@ -527,6 +528,7 @@ class ManPage: self._header() self._entrypoints() self._process_types() +self._mcs_types() self._booleans() self._nsswitch_domain() self._port_types() @@ -923,6 +925,17 @@ All executeables with the default executable label, usually stored in /usr/bin a self.fd.write(""" %s""" % ", ".join(paths)) +def _mcs_types(self): +attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] +if "mcs_constrained_type" not in attributes: +return +self.fd.write (""" +.SH "MCS Constrained" +The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group. + +For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4 +""" % {'type': self.domainname}) + def _writes(self): permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) if permlist is None or len(permlist) == 0: -- 2.12.2
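Review bot: `sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]` in the new _mcs_types indexes the info() result with `[0]`, which only works while info() returns a list; 17/19 later in this series rewrites exactly this line for setools4, so introduce the final form here. The man page text also needs a pass: `The SELinux kernel only allows these processes can only write to content` is a broken sentence, `a MCS Label` should be `an MCS label`, and the format dict maps `'type'` to `self.domainname` while the text prints `%(type)s_t`, which is misleading for the next editor.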
[PATCH 03/19] sepolicy: Add manpages for typealiased types
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 45 + 1 file changed, 45 insertions(+) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index bd5a64ac..b268680a 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -30,6 +30,13 @@ import sepolicy import os import time +typealias_types = { +"antivirus_t":("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"), +"cluster_t":("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"), +"svirt_t":("qemu_t"), +"httpd_t":("phpfpm_t"), +} + equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} equiv_dirs = ["/var"] @@ -523,6 +530,16 @@ class ManPage: self._get_ptypes() for domain_type in self.ptypes: +try: +if typealias_types[domain_type]: +fd = self.fd +man_page_path = self.man_page_path +for t in typealias_types[domain_type]: +self._typealias_gen_man(t) +self.fd = fd +self.man_page_path = man_page_path +except KeyError: +continue; self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] self._header() 
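Review bot: in typealias_types the entries `"svirt_t":("qemu_t")` and `"httpd_t":("phpfpm_t")` are parenthesised strings, not one-element tuples, so `for t in typealias_types[domain_type]` iterates over the characters `q`, `e`, ... and `_typealias_gen_man(t)` is called with single letters (and `t[:-2]` of a one-character string is empty); write `("qemu_t",)` and `("phpfpm_t",)`. Separately, `except KeyError: continue;` fires for every domain type that has no typealias entry and skips the `self.attributes[domain_type] = ...` assignment that follows for all of those domains; use `typealias_types.get(domain_type, ())`, drop the try/except, and drop the stray `;`.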
@@ -542,6 +559,34 @@ class ManPage: if f.startswith(self.short_name) or f.startswith(self.domainname): self.ptypes.append(f) +def _typealias_gen_man(self, t): +self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2]) +self.ports = [] +self.booltext = "" +self.fd = open(self.man_page_path, 'w') +self._typealias(t[:-2]) +self._footer() +self.fd.close() + +def _typealias(self,typealias): +self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"' + % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")}) +self.fd.write(r""" +.SH "NAME" +%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes +.SH "DESCRIPTION" + +%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t). +""" % {'typealias':typealias, 'domainname':self.domainname}) + +self.fd.write(r""" +Please see + +.B %(domainname)s_selinux + +man page for more details. +""" % {'domainname':self.domainname}) + def _header(self): self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) -- 2.12.2
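Review bot: `_typealias_gen_man` derives the alias name with `t[:-2]`, silently assuming every entry ends in `_t`; the result goes into the file name (`%s_selinux.8`) and the .TH header, so a name without that suffix yields a wrong page name. Strip the suffix explicitly (`t[:-2] if t.endswith("_t") else t`). The file is opened with a bare `open(...)` and closed only after `_footer()`, so an exception in between leaks the handle; a `with` block keeps it closed. In _typealias, `%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type` reads awkwardly; `The %(typealias)s_t SELinux domain type is now an alias of the %(domainname)s_t domain type` says what a typealias is.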
Several sepolicy fixes from Fedora
Hi, this is a set of sepolicy fixes we use in Fedora. There are basically 2 groups of patches:

1. fixes which were pushed to Fedora a few years ago and probably have not been sent upstream

[PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS
[PATCH 02/19] sepolicy: Fix spelling mistakes in commands in
[PATCH 03/19] sepolicy: Add manpages for typealiased types
[PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its
[PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/
[PATCH 06/19] Fix up generation of application policy
[PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace
[PATCH 08/19] sepolicy: We should be creating _exec interfaces when
[PATCH 09/19] Fix typo in executable.py template.

2. fixes related to python 3 and the change to SETools 4

[PATCH 10/19] sepolicy: Adapt to the new semodule list output
[PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation
[PATCH 12/19] sepolicy: Simplify policy types detection
[PATCH 13/19] sepolicy/generate.py: Fix string formatting
[PATCH 14/19] policycoreutils/sepolicy: Define our own cmp()
[PATCH 15/19] dbus: Use text streams in selinux_server.py
[PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype
[PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a'
[PATCH 18/19] sepolicy: info() should provide attributes for a TYPE
[PATCH 19/19] sepolicy/gui: Update text strings to use better gettext
Re: [PATCH] Python 3.6 invalid escape sequence deprecation fixes
On 03/09/2017 10:09 AM, Ville Skyttä wrote: > https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior I'd suggest to add the text from the page directly to the commit message: A backslash-character pair that is not a valid escape sequence now generates a DeprecationWarning. Although this will eventually become a SyntaxError, that will not be for several Python releases. The problem appears when you use '-W error': $ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")' File "", line 1 SyntaxError: invalid escape sequence \- > Signed-off-by: Ville Skyttä > --- > python/semanage/seobject.py| 4 ++-- > python/sepolgen/src/sepolgen/module.py | 2 +- > python/sepolicy/sepolicy/generate.py | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py > index c836cc5..94bd368 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py > @@ -192,8 +192,8 @@ class nulllogger: > def validate_level(raw): > sensitivity = "s[0-9]*" > category = "c[0-9]*" > -cat_range = category + "(\." + category + ")?" > -categories = cat_range + "(\," + cat_range + ")*" > +cat_range = category + r"(\." + category + ")?" > +categories = cat_range + r"(\," + cat_range + ")*" > reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?" > return re.search("^" + reg + "$", raw) > > diff --git a/python/sepolgen/src/sepolgen/module.py > b/python/sepolgen/src/sepolgen/module.py > index c09676a..8766dd9 100644 > --- a/python/sepolgen/src/sepolgen/module.py > +++ b/python/sepolgen/src/sepolgen/module.py > @@ -40,7 +40,7 @@ from . import defaults > def is_valid_name(modname): > """Check that a module name is valid. > """ > -m = re.findall("[^a-zA-Z0-9_\-\.]", modname) > +m = re.findall(r"[^a-zA-Z0-9_\-\.]", modname) > if len(m) == 0 and modname[0].isalpha(): > return True > else: 
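Review bot: the validate_level hunk correctly makes the two backslash-bearing fragments raw strings, but the check itself on the context line `return re.search("^" + reg + "$", raw)` lets a trailing newline through, because `$` also matches just before a final `\n`; for a function whose job is to reject malformed MLS levels, `\Z` in place of `$` (or re.fullmatch on Python 3.4+) closes that gap. The is_valid_name change to `r"[^a-zA-Z0-9_\-\.]"` is fine; inside a character class the escapes were never ambiguous, the raw prefix is only what silences the 3.6 warning.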
> diff --git a/python/sepolicy/sepolicy/generate.py > b/python/sepolicy/sepolicy/generate.py > index 5696110..596891a 100644 > --- a/python/sepolicy/sepolicy/generate.py > +++ b/python/sepolicy/sepolicy/generate.py > @@ -1329,7 +1329,7 @@ allow %s_t %s_t:%s_socket name_%s; > self.add_dir("/var/lib/%s" % self.name) > > if os.path.isfile("/etc/rc.d/init.d/%s" % self.name): > -self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name) > +self.set_init_script(r"/etc/rc\.d/init\.d/%s" % self.name) > > # we don't want to have subdir in the .fc policy file > # if we already specify labeling for parent dir > -- Petr Lautrbach signature.asc Description: OpenPGP digital signature ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
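Review bot: `self.set_init_script(r"/etc/rc\.d/init\.d/%s" % self.name)` escapes the literal dots but interpolates `self.name` unescaped into what is a file-context regular expression; if a name may contain `.` (the is_valid_name character class in the module.py hunk admits it), the generated fc entry matches more than the intended script. `re.escape(self.name)` keeps the pattern literal.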
Re: [PATCH] libsemanage: Perform access check using euid instead of uid
t; --- a/libsemanage/src/semanage_store.c >> +++ b/libsemanage/src/semanage_store.c >> @@ -517,7 +517,7 @@ char *semanage_conf_path(void) >> snprintf(semanage_conf, len + 1, "%s%s%s", semanage_root(), >> selinux_path(), >> SEMANAGE_CONF_FILE); >> >> -if (access(semanage_conf, R_OK) != 0) { >> +if (faccessat(AT_FDCWD, semanage_conf, R_OK, AT_EACCESS) != >> 0) { >> snprintf(semanage_conf, len + 1, "%s%s", >> selinux_path(), SEMANAGE_CONF_FILE); >> } >> >> @@ -552,7 +552,7 @@ int semanage_create_store(semanage_handle_t * sh, >> int create) >> return -1; >> } >> } else { >> -if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) >> == -1) { >> +if (!S_ISDIR(sb.st_mode) || faccessat(AT_FDCWD, >> path, mode_mask, AT_EACCESS) == -1) { >> ERR(sh, >> "Could not access module store at %s, or >> it is not a directory.", >> path); >> @@ -575,7 +575,7 @@ int semanage_create_store(semanage_handle_t * sh, >> int create) >> return -1; >> } >> } else { >> -if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) >> == -1) { >> +if (!S_ISDIR(sb.st_mode) || faccessat(AT_FDCWD, >> path, mode_mask, AT_EACCESS) == -1) { >> ERR(sh, >> "Could not access module store active >> subdirectory at %s, or it is not a directory.", >> path); >> @@ -598,7 +598,7 @@ int semanage_create_store(semanage_handle_t * sh, >> int create) >> return -1; >> } >> } else { >> -if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) >> == -1) { >> +if (!S_ISDIR(sb.st_mode) || faccessat(AT_FDCWD, >> path, mode_mask, AT_EACCESS) == -1) { >> ERR(sh, >> "Could not access module store active >> modules subdirectory at %s, or it is not a directory.", >> path); >> @@ -619,7 +619,7 @@ int semanage_create_store(semanage_handle_t * sh, >> int create) >> return -1; >> } >> } else { >> -if (!S_ISREG(sb.st_mode) || access(path, R_OK | >> W_OK) == -1) { >> +if (!S_ISREG(sb.st_mode) || faccessat(AT_FDCWD, >> path, R_OK | W_OK, AT_EACCESS) == -1) { >> ERR(sh, "Could not access lock file at %s.", >> path); >> return -1; >> } 
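Review bot: none of the semanage_conf_path and semanage_create_store hunks show the includes; AT_FDCWD and AT_EACCESS come from <fcntl.h> under the POSIX.1-2008 feature level, so confirm semanage_store.c already includes it or the build breaks only on stricter feature-macro settings. The five `faccessat(..., AT_EACCESS)` replacements are mechanical and consistent; a one-line note in the message that every `access()` permission check in the file was converted would let a reader verify completeness with a grep.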
>> @@ -639,7 +639,7 @@ int semanage_store_access_check(void) >> >> /* read access on active store */ >> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL); >> -if (access(path, R_OK | X_OK) != 0) >> +if (faccessat(AT_FDCWD, path, R_OK | X_OK, AT_EACCESS) != 0) >> goto out; >> >> /* we can read the active store meaning it is managed >> @@ -650,13 +650,13 @@ int semanage_store_access_check(void) >> * write access necessary if the lock file does not exist >> */ >> path = semanage_files[SEMANAGE_READ_LOCK]; >> -if (access(path, R_OK) != 0) { >> +if (faccessat(AT_FDCWD, path, R_OK, AT_EACCESS) != 0) { >> if (access(path, F_OK) == 0) { >> goto out; >> } >> >> path = semanage_files[SEMANAGE_ROOT]; >> -if (access(path, R_OK | W_OK | X_OK) != 0) { >> +if (faccessat(AT_FDCWD, path, R_OK | W_OK | X_OK, >> AT_EACCESS) != 0) { >> goto out; >> } >> } >> @@ -666,7 +666,7 @@ int semanage_store_access_check(void) >> >> /* check the modules directory */ >> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_MODULES); >> -if (access(path, R_OK | W_OK | X_OK) != 0) >> +if (faccessat(AT_FDCWD, path, R_OK | W_OK | X_OK, >> AT_EACCESS) != 0) >> goto out; >> >> rc = SEMANAGE_CAN_WRITE; > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. > -- Petr Lautrbach signature.asc Description: OpenPGP digital signature ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
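Review bot: in semanage_store_access_check the hunks convert every permission check but leave `if (access(path, F_OK) == 0)` alone, which is right, since an existence test does not depend on the effective identity; say so in the message so the next reader does not "fix" it. These checks are advisory (they only select SEMANAGE_CAN_WRITE vs. read); the actual open() and mkdir() calls still decide access under the kernel's own euid rules, so the change should be described as making the precheck agree with the operations that follow, not as an access-control fix.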
Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects
On 01/09/2017 07:51 PM, Stephen Smalley wrote: > On Mon, 2017-01-09 at 19:46 +0100, Guido Trentalancia wrote: >> Hello, >> >> the patch has been motivated by the fact that libsemanage currently >> searches for the user "system_u" in the passwd file and reports "user >> system_u not in passwd file". > > Don't shoot the messenger. That warning is because the Fedora policy > wrongly has system_u in its seusers/login mapping as a login name. We > should fix it there instead by removing that entry, which should not be > needed. This is supposed to be fixed in selinux-policy-3.13.1-219.fc25. Currently there's no plan to backport it to Fedora 24 as genhomedircon in Fedora 24 still uses hardcoded system_u. >> >> Also, I have considered the notes in the file policy/users from >> Reference Policy. >> >> Finally, the prefix for system_u is wrongly set to "user_u" (it >> shouldn't have it). >> >> I have tested the patch and it seems to work fine. >> >> I hope it helps. >> >> Kind regards, >> >> Guido Trentalancia >> >> On the 9th of January 2017 19:39:10 CET, Stephen Smalley > sa.gov> wrote: >>> >>> On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote: The following patch makes sure that the SELinux identity reserved for system processes and objects is skipped when adding users. A warning is produced when a Unix identity is found to be equal to the SELinux user identity for system processes and objects. This patch also avoids creating an extra record for a user if there is no prefix. >>> >>> What problem are you encountering that motivated this patch? >>> What is a test case for this problem? >>> What is the behavior before and after this patch? >>> Signed-off-by: Guido Trentalancia --- include/semanage/user_record.h |2 ++ src/genhomedircon.c| 23 +++ src/user_extra_record.c| 39 --- src/user_record.c | 40 +- -- 4 files changed, 78 insertions(+), 26 deletions(-) diff -pru a/include/semanage/user_record.h b/include/semanage/user_record.h 
--- a/include/semanage/user_record.h 2016-10-14 17:31:26.0 +0200 +++ b/include/semanage/user_record.h 2016-12-28 23:22:50.848589870 +0100 @@ -6,6 +6,8 @@ #include #include +#define SYS_OBJECTS_USERID"system_u" + struct semanage_user; typedef struct semanage_user semanage_user_t; diff -pru a/src/genhomedircon.c b/src/genhomedircon.c --- a/src/genhomedircon.c 2016-10-14 17:31:26.0 +0200 +++ b/src/genhomedircon.c 2016-12-29 17:50:10.781727455 +0100 @@ -181,6 +181,9 @@ static int ignore(const char *homedir) { static int prefix_is_homedir_role(const semanage_user_t *user, const char *prefix) { + if (!prefix) + return 0; + return strcmp(OBJECT_R, prefix) == 0 || semanage_user_has_role(user, prefix); } @@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin homedir_role = prefix; } + /* There should be no Unix identity corresponding + * to SELinux user reserved for system processes + * and objects */ retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent); - if (retval != 0 || pwent == NULL) { - if (retval != 0 && retval != ENOENT) { + if (strcmp(name, SYS_OBJECTS_USERID)) { + if (retval != 0 || pwent == NULL) { + if (retval != 0 && retval != ENOENT) { + goto cleanup; + } + + WARN(s->h_semanage, + "user %s not in password file", name); + retval = STATUS_SUCCESS; goto cleanup; } + } else { + if (retval) + WARN(s->h_semanage, + "There should be no Unix identity \"%s\" !", SYS_OBJECTS_USERID); - WARN(s->h_semanage, - "user %s not in password file", name); retval = STATUS_SUCCESS; goto cleanup; } diff -pru a/src/user_extra_record.c b/src/user_extra_record.c --- a/src/user_extra_record.c 2016-10-14 17:31:26.0 +0200 +++ b/src/user_extra_record.c 2016-12-29 17:17:26.168737139 +0100 @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra semanage_user_key_t ** key_ptr) { - if (semanage_user_key_create(handle, user_extra->name, key_ptr) < 0) - goto err; + if (user_
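Review bot: in the @@ -998,14 hunk of add_user(), the else branch for SYS_OBJECTS_USERID warns only when `retval` is non-zero, i.e. when getpwnam_r() itself failed, not when a Unix account named system_u exists. getpwnam_r() returns 0 both when the entry is found (pwent set) and, with glibc, when it is simply absent (pwent NULL), so the "There should be no Unix identity" warning never fires in the case it was written for; the condition should be `retval == 0 && pwent != NULL`. Also, the lookup still runs before the strcmp(), so the reserved identity is not actually skipped; move the strcmp() above the getpwnam_r() call. Minor: drop the space before the `!` in the message.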
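Review bot: the @@ -6,6 hunk adds SYS_OBJECTS_USERID to include/semanage/user_record.h, an installed public header, so it silently extends libsemanage's public API with a new macro. Unless exporting it is intended (in which case it deserves a comment in the header), define it in a private header under src/ next to the code that uses it.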
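As an added example (not libsemanage code), a Python sketch of the check the patch describes: parse a seusers file and classify each login the way genhomedircon's add_user() does, with system_u skipped rather than treated as a login, and flagged if a Unix account of that name exists. The seusers lines and the passwd lookup callback are constructed here; pass a pwd.getpwnam-based callback to run it against a real system.

```python
# The SELinux identity reserved for system processes and objects
# (the patch above names it SYS_OBJECTS_USERID).
SYSTEM_USER = "system_u"

# Constructed sample seusers content (login:seuser:mls-range). The
# system_u line is the kind of entry the thread says should not exist.
SAMPLE_SEUSERS = """\
# comment line
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
builder:staff_u:s0
"""

def parse_seusers(text):
    """Return (login, seuser, mls_range) triples; blanks and comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError("malformed seusers line: %r" % raw)
        mls_range = parts[2] if len(parts) == 3 else ""
        entries.append((parts[0], parts[1], mls_range))
    return entries

def check_seusers(text, passwd_lookup):
    """Classify each seusers login the way genhomedircon's add_user() would.
    passwd_lookup(name) -> bool says whether a Unix account exists (inject a
    pwd.getpwnam wrapper for the real thing). Returns login -> status."""
    result = {}
    for login, _seuser, _mls in parse_seusers(text):
        if login == "__default__":  # placeholder, not a real login
            continue
        if login == SYSTEM_USER:
            # Reserved identity: skipped rather than treated as a login; the
            # real misconfiguration is a Unix account bearing that name.
            result[login] = "reserved-in-passwd" if passwd_lookup(login) else "reserved"
        elif passwd_lookup(login):
            result[login] = "ok"
        else:
            result[login] = "missing"  # the "user X not in password file" case
    return result
```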
[PATCH 2/2] libselinux: Rewrite restorecon() python method
When the restorecon method was added to the libselinux swig python bindings, there was no libselinux restorecon implementation and it had to call matchpathcon(), which is deprecated in favor of selabel_lookup(). The new restorecon method uses the selinux_restorecon method from libselinux, which is exported by the previous commit. https://github.com/SELinuxProject/selinux/issues/29 Fixes: >>> selinux.restorecon('/var/lib', recursive=True) Traceback (most recent call last): File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon status, context = matchpathcon(path, mode) FileNotFoundError: [Errno 2] No such file or directory Signed-off-by: Petr Lautrbach --- libselinux/src/selinuxswig_python.i | 42 +++-- 1 file changed, 17 insertions(+), 25 deletions(-) diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i index a239f30..be17cef 100644 --- a/libselinux/src/selinuxswig_python.i +++ b/libselinux/src/selinuxswig_python.i 
@@ -19,31 +19,23 @@ DISABLED = -1 PERMISSIVE = 0 ENFORCING = 1 -def restorecon(path, recursive=False): -""" Restore SELinux context on a given path """ - -try: -mode = os.lstat(path)[stat.ST_MODE] -status, context = matchpathcon(path, mode) -except OSError: -path = os.path.realpath(os.path.expanduser(path)) -mode = os.lstat(path)[stat.ST_MODE] -status, context = matchpathcon(path, mode) - -if status == 0: -try: -status, oldcontext = lgetfilecon(path) -except OSError as e: -if e.errno != errno.ENODATA: -raise -oldcontext = None -if context != oldcontext: -lsetfilecon(path, context) - -if recursive: -for root, dirs, files in os.walk(path): -for name in files + dirs: - restorecon(os.path.join(root, name)) +def restorecon(path, recursive=False, verbose=False): +""" Restore SELinux context on a given path + +Arguments: +path -- The pathname for the file or directory to be relabeled. + +Keyword arguments: +recursive -- Change files and directories file labels recursively (default False) +verbose -- Show changes in file labels (default False) +""" + +restorecon_flags = SELINUX_RESTORECON_IGNORE_DIGEST | SELINUX_RESTORECON_REALPATH +if recursive: +restorecon_flags |= SELINUX_RESTORECON_RECURSE +if verbose: +restorecon_flags |= SELINUX_RESTORECON_VERBOSE +selinux_restorecon(os.path.expanduser(path), restorecon_flags) def chcon(path, context, recursive=False): """ Set the SELinux context on a given path """ -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
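Review bot: the @@ -19,31 hunk discards the return value of selinux_restorecon(); the old code at least checked `status` from matchpathcon() before touching labels. Confirm that this module's SWIG `%exception` handler turns a negative return into an OSError, otherwise a failed relabel is silent from Python. Two follow-ups: with the matchpathcon()/lgetfilecon() code gone, `stat` and `errno` are unused imports in this file if nothing else references them, and the new docstring should say that the path is canonicalised (SELINUX_RESTORECON_REALPATH) and `~` expanded before the call, since the old lstat()/lsetfilecon() code relabeled a symlink itself rather than its target.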
[PATCH 1/2] libselinux: Generate SWIG wrappers for selinux_restorecon()
Signed-off-by: Petr Lautrbach --- libselinux/src/selinuxswig.i | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i index c1e4ef7..687c43b 100644 --- a/libselinux/src/selinuxswig.i +++ b/libselinux/src/selinuxswig.i @@ -9,6 +9,7 @@ #include "../include/selinux/get_context_list.h" #include "../include/selinux/get_default_type.h" #include "../include/selinux/label.h" + #include "../include/selinux/restorecon.h" #include "../include/selinux/selinux.h" %} %apply int *OUTPUT { int *enforce }; @@ -61,4 +62,5 @@ %include "../include/selinux/get_context_list.h" %include "../include/selinux/get_default_type.h" %include "../include/selinux/label.h" +%include "../include/selinux/restorecon.h" %include "../include/selinux/selinux.h" -- 2.9.3 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
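Review bot: `%include "../include/selinux/restorecon.h"` in the @@ -61,4 hunk wraps every declaration in that header, not only selinux_restorecon(); check whether the other functions it declares take argument types SWIG cannot wrap usefully without typemaps, and `%ignore` those (or add typemaps) rather than shipping wrappers that cannot be called correctly from Python.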