Re: [PATCH v2] libsepol: add missing ibendport port validity check

2018-10-25 Thread William Roberts
On Tue, Oct 23, 2018 at 10:29 AM William Roberts
 wrote:
>
> On Mon, Oct 22, 2018 at 11:58 PM Ondrej Mosnacek  wrote:
> >
> > The kernel checks if the port is in the range 1-255 when loading an
> > ibendportcon rule. Add the same check to libsepol.
> >
> > Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
> > Signed-off-by: Ondrej Mosnacek 
> > ---
> >  libsepol/src/policydb.c | 11 +--
> >  1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > Changes in v2:
> >  - use UINT8_MAX as the limit for ibendport.port value to emphasize that
> >it is an 8-bit value
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index db6765ba..96176d80 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct 
> > policydb_compat_info *info,
> > return -1;
> > break;
> > }
> > -   case OCON_IBENDPORT:
> > +   case OCON_IBENDPORT: {
> > +   uint32_t port;
> > +
> > rc = next_entry(buf, fp, sizeof(uint32_t) * 
> > 2);
> > if (rc < 0)
> > return -1;
> > @@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct 
> > policydb_compat_info *info,
> > if (len == 0 || len > IB_DEVICE_NAME_MAX - 
> > 1)
> > return -1;
> >
> > +   port = le32_to_cpu(buf[1]);
> > +   if (port > UINT8_MAX || port == 0)
> > +   return -1;
> > +
> > c->u.ibendport.dev_name = malloc(len + 1);
> > if (!c->u.ibendport.dev_name)
> > return -1;
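Review bot: The new range check `if (port > UINT8_MAX || port == 0)` carries no comment saying where the 1-255 limit comes from; only the commit message says that it mirrors the kernel. I would add `/* IB end ports are 1..255; the kernel rejects anything else at policy load */` above it so the bound is not later mistaken for an arbitrary constant. Placing the check before the `malloc()` of `dev_name` is the right order, because a rejected entry then returns without having allocated anything. The enclosing `case OCON_IBENDPORT` block starts and ends outside this hunk.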
> > @@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct 
> > policydb_compat_info *info,
> > if (rc < 0)
> > return -1;
> > c->u.ibendport.dev_name[len] = 0;
> > -   c->u.ibendport.port = le32_to_cpu(buf[1]);
> > +   c->u.ibendport.port = port;
> > if (context_read_and_validate
> > (>context[0], p, fp))
> > return -1;
> > break;
> > +   }
> > case OCON_PORT:
> > rc = next_entry(buf, fp, sizeof(uint32_t) * 
> > 3);
> > if (rc < 0)
> > --
> > 2.17.2
> >
>
> ack. I dropped it on top of https://github.com/SELinuxProject/selinux/pull/105
merged: https://github.com/SELinuxProject/selinux/pull/105


Re: [PATCH v2] libsepol: add missing ibendport port validity check

2018-10-23 Thread William Roberts
On Mon, Oct 22, 2018 at 11:58 PM Ondrej Mosnacek  wrote:
>
> The kernel checks if the port is in the range 1-255 when loading an
> ibendportcon rule. Add the same check to libsepol.
>
> Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  libsepol/src/policydb.c | 11 +--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> Changes in v2:
>  - use UINT8_MAX as the limit for ibendport.port value to emphasize that
>it is an 8-bit value
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index db6765ba..96176d80 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> return -1;
> break;
> }
> -   case OCON_IBENDPORT:
> +   case OCON_IBENDPORT: {
> +   uint32_t port;
> +
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 2);
> if (rc < 0)
> return -1;
> @@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
> return -1;
>
> +   port = le32_to_cpu(buf[1]);
> +   if (port > UINT8_MAX || port == 0)
> +   return -1;
> +
> c->u.ibendport.dev_name = malloc(len + 1);
> if (!c->u.ibendport.dev_name)
> return -1;
> @@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> if (rc < 0)
> return -1;
> c->u.ibendport.dev_name[len] = 0;
> -   c->u.ibendport.port = le32_to_cpu(buf[1]);
> +   c->u.ibendport.port = port;
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> break;
> +   }
> case OCON_PORT:
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 3);
> if (rc < 0)
> --
> 2.17.2
>

ack. I dropped it on top of https://github.com/SELinuxProject/selinux/pull/105

Thanks


Re: [PATCH] libsepol: add missing ibendport port validity check

2018-10-22 Thread William Roberts
On Mon, Oct 22, 2018 at 1:18 AM Ondrej Mosnacek  wrote:
>
> The kernel checks if the port is in the range 1-255 when loading an
> ibendportcon rule. Add the same check to libsepol.
>
> Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  libsepol/src/policydb.c | 11 +--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index db6765ba..e2808b2d 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> return -1;
> break;
> }
> -   case OCON_IBENDPORT:
> +   case OCON_IBENDPORT: {
> +   uint32_t port;
> +
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 2);
> if (rc < 0)
> return -1;
> @@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
> return -1;
>
> +   port = le32_to_cpu(buf[1]);
> +   if (port > 0xff || port == 0)
> +   return -1;

You switched the other code to using UINT16_MAX, should probably use
UINT8_MAX here.

> +
> c->u.ibendport.dev_name = malloc(len + 1);
> if (!c->u.ibendport.dev_name)
> return -1;
> @@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> if (rc < 0)
> return -1;
> c->u.ibendport.dev_name[len] = 0;
> -   c->u.ibendport.port = le32_to_cpu(buf[1]);
> +   c->u.ibendport.port = port;
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> break;
> +   }
> case OCON_PORT:
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 3);
> if (rc < 0)
> --
> 2.17.2
>


Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues

2018-10-19 Thread William Roberts
On Fri, Oct 19, 2018 at 7:28 AM Stephen Smalley  wrote:
>
> On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
> > Do the LE conversions before doing the Infiniband-related range checks.
> > The incorrect checks are otherwise causing a failure to load any policy
> > with an ibendportcon rule on BE systems. This can be reproduced by
> > running (on e.g. ppc64):
> >
> > cat >my_module.cil <<EOF
> > (type test_ibendport_t)
> > (roletype object_r test_ibendport_t)
> > (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
> > EOF
> > semodule -i my_module.cil
> >
> > Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> > use a correctly aligned buffer.
> >
> > Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> > should be used instead.
> >
> > Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> > patch applied.
> >
> > Cc: Daniel Jurgens 
> > Cc: Eli Cohen 
> > Cc: James Morris 
> > Cc: Doug Ledford 
> > Cc:  # 4.13+
> > Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband 
> > support")
> > Signed-off-by: Ondrej Mosnacek 
> > ---
> >   security/selinux/ss/policydb.c | 46 +++---
> >   1 file changed, 32 insertions(+), 14 deletions(-)
> >
> > Changes in v4:
> >   - defer assignment to 16-bit struct fields to after the range check
> >
> > Changes in v3:
> >   - use separate buffer for the 64-bit subnet_prefix
> >   - add comments on the byte ordering of subnet_prefix
> >   - deduplicate the le32_to_cpu() calls from checks
> >
> > Changes in v2:
> >   - add reproducer to commit message
> >   - update e-mail address of James Morris
> >   - better Cc also the old SELinux ML
> >
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index f4eadd3f7350..d50668006a52 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct 
> > policydb_compat_info *info,
> >   {
> >   int i, j, rc;
> >   u32 nel, len;
> > + __be64 prefixbuf[1];
> >   __le32 buf[3];
> >   struct ocontext *l, *c;
> >   u32 nodebuf[8];
> > @@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb *p, struct 
> > policydb_compat_info *info,
> >   goto out;
> >   break;
> >   }
> > - case OCON_IBPKEY:
> > - rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
> > + case OCON_IBPKEY: {
> > + u32 pkey_lo, pkey_hi;
> > +
> > + rc = next_entry(prefixbuf, fp, sizeof(u64));
> > + if (rc)
> > + goto out;
> > +
> > + /* we need to have subnet_prefix in CPU order 
> > */
> > + c->u.ibpkey.subnet_prefix = 
> > be64_to_cpu(prefixbuf[0]);
> > +
> > + rc = next_entry(buf, fp, sizeof(u32) * 2);
> >   if (rc)
> >   goto out;
> >
> > - c->u.ibpkey.subnet_prefix = 
> > be64_to_cpu(*((__be64 *)nodebuf));
> > + pkey_lo = le32_to_cpu(buf[0]);
> > + pkey_hi = le32_to_cpu(buf[1]);
> >
> > - if (nodebuf[2] > 0x ||
> > - nodebuf[3] > 0x) {
> > + if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
> >   rc = -EINVAL;
> >   goto out;
> >   }
> >
> > - c->u.ibpkey.low_pkey = 
> > le32_to_cpu(nodebuf[2]);
> > - c->u.ibpkey.high_pkey = 
> > le32_to_cpu(nodebuf[3]);
> > + c->u.ibpkey.low_pkey  = pkey_lo;
> > + c->u.ibpkey.high_pkey = pkey_hi;
> >
> >   rc = context_read_and_validate(>context[0],
> >  p,
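Review bot: Each pkey bound in the new `OCON_IBPKEY` block is compared with `U16_MAX`, but nothing visible here rejects `pkey_lo > pkey_hi`, so an inverted range read from the policy image would be stored as given. If no later validation covers it, `if (pkey_lo > U16_MAX || pkey_hi > U16_MAX || pkey_lo > pkey_hi)` would reject such an entry at load time. The libsepol v2 ibpkey hunk further down this page has the same shape. `ocontext_read()` continues outside the hunk, so a check elsewhere cannot be ruled out from here.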
> > @@ -2239,6 +2249,7 @@ static int ocontext_read(struct policydb *p, struct 
> > policydb_compat_info *info,
> >   if (rc)
> >   goto out;
> >   break;
> > + }
> >   case OCON_IBENDPORT:
> >   rc = next_entry(buf, fp, sizeof(u32) * 2);
> >   if (rc)
> > @@ -2249,13 +2260,14 @@ static int ocontext_read(struct policydb *p, struct 
> > policydb_compat_info *info,
> >   if (rc)
> >   goto out;
> >
> > - if (buf[1] > 0xff || buf[1] == 0) {
> > +

Re: [PATCH v2] libsepol: fix endianity in ibpkey range checks

2018-10-18 Thread William Roberts
On Thu, Oct 18, 2018 at 12:50 AM Ondrej Mosnacek  wrote:
>
> We need to convert from little-endian before doing range checks on the
> ibpkey port numbers, otherwise we would be checking a wrong value on
> big-endian systems.
>
> Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  libsepol/src/policydb.c | 21 -
>  1 file changed, 16 insertions(+), 5 deletions(-)
>
> Changes in v2:
>  - defer assignment to 16-bit struct fields to after the range check
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index a6d76ca3..db6765ba 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2828,21 +2828,32 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> (>context[1], p, fp))
> return -1;
> break;
> -   case OCON_IBPKEY:
> +   case OCON_IBPKEY: {
> +   uint32_t pkey_lo, pkey_hi;
> +
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 4);
> -   if (rc < 0 || buf[2] > 0x || buf[3] > 
> 0x)
> +   if (rc < 0)
> +   return -1;
> +
> +   pkey_lo = le32_to_cpu(buf[2]);
> +   pkey_hi = le32_to_cpu(buf[3]);
> +
> +   if (pkey_lo > UINT16_MAX || pkey_hi > 
> UINT16_MAX)
> return -1;
>
> +   c->u.ibpkey.low_pkey  = pkey_lo;
> +   c->u.ibpkey.high_pkey = pkey_hi;
> +
> +   /* we want c->u.ibpkey.subnet_prefix in 
> network
> +* (big-endian) order, just memcpy it */
> memcpy(>u.ibpkey.subnet_prefix, buf,
>sizeof(c->u.ibpkey.subnet_prefix));
>
> -   c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
> -   c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> -
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> break;
> +           }
> case OCON_IBENDPORT:
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 2);
> if (rc < 0)
> --
> 2.17.2
>

Acked-by: William Roberts william.c.robe...@intel.com


Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues

2018-10-18 Thread William Roberts
On Thu, Oct 18, 2018 at 5:57 AM Ondrej Mosnacek  wrote:
>
> Do the LE conversions before doing the Infiniband-related range checks.
> The incorrect checks are otherwise causing a failure to load any policy
> with an ibendportcon rule on BE systems. This can be reproduced by
> running (on e.g. ppc64):
>
> cat >my_module.cil <<EOF
> (type test_ibendport_t)
> (roletype object_r test_ibendport_t)
> (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
> EOF
> semodule -i my_module.cil
>
> Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> use a correctly aligned buffer.
>
> Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> should be used instead.
>
> Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> patch applied.
>
> Cc: Daniel Jurgens 
> Cc: Eli Cohen 
> Cc: James Morris 
> Cc: Doug Ledford 
> Cc:  # 4.13+
> Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband 
> support")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  security/selinux/ss/policydb.c | 46 +++---
>  1 file changed, 32 insertions(+), 14 deletions(-)
>
> Changes in v4:
>  - defer assignment to 16-bit struct fields to after the range check
>
> Changes in v3:
>  - use separate buffer for the 64-bit subnet_prefix
>  - add comments on the byte ordering of subnet_prefix
>  - deduplicate the le32_to_cpu() calls from checks
>
> Changes in v2:
>  - add reproducer to commit message
>  - update e-mail address of James Morris
>  - better Cc also the old SELinux ML
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index f4eadd3f7350..d50668006a52 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
>  {
> int i, j, rc;
> u32 nel, len;
> +   __be64 prefixbuf[1];
> __le32 buf[3];
> struct ocontext *l, *c;
> u32 nodebuf[8];
> @@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> goto out;
> break;
> }
> -   case OCON_IBPKEY:
> -   rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
> +   case OCON_IBPKEY: {
> +   u32 pkey_lo, pkey_hi;
> +
> +   rc = next_entry(prefixbuf, fp, sizeof(u64));
> +   if (rc)
> +   goto out;
> +
> +   /* we need to have subnet_prefix in CPU order 
> */
> +   c->u.ibpkey.subnet_prefix = 
> be64_to_cpu(prefixbuf[0]);
> +
> +   rc = next_entry(buf, fp, sizeof(u32) * 2);
> if (rc)
> goto out;
>
> -   c->u.ibpkey.subnet_prefix = 
> be64_to_cpu(*((__be64 *)nodebuf));
> +   pkey_lo = le32_to_cpu(buf[0]);
> +   pkey_hi = le32_to_cpu(buf[1]);
>
> -   if (nodebuf[2] > 0x ||
> -   nodebuf[3] > 0x) {
> +   if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
> rc = -EINVAL;
> goto out;
> }
>
> -   c->u.ibpkey.low_pkey = 
> le32_to_cpu(nodebuf[2]);
> -   c->u.ibpkey.high_pkey = 
> le32_to_cpu(nodebuf[3]);
> +   c->u.ibpkey.low_pkey  = pkey_lo;
> +   c->u.ibpkey.high_pkey = pkey_hi;
>
> rc = context_read_and_validate(>context[0],
>p,
> @@ -2239,6 +2249,7 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> if (rc)
> goto out;
> break;
> +   }
> case OCON_IBENDPORT:
> rc = next_entry(buf, fp, sizeof(u32) * 2);
> if (rc)
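Review bot: `case OCON_IBENDPORT:` opens here without the braces and `u32` temporary that this version gives `OCON_IBPKEY`, and the following hunk assigns `le32_to_cpu(buf[1])` straight to `c->u.ibendport.port` before testing `> 0xff`. If that field is 8 bits wide in the kernel, as the libsepol changelog elsewhere on this page describes it, the assignment truncates first, the upper-bound test can never fire, and an out-of-range value such as 0x101 would be stored as port 1. Reading into a local with `u32 port = le32_to_cpu(buf[1]);`, testing `if (port > U8_MAX || port == 0)`, and only then assigning would match the pkey handling. The case body continues past the end of this hunk.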
> @@ -2249,13 +2260,14 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> if (rc)
> goto out;
>
> -   if (buf[1] > 0xff || buf[1] == 0) {
> +   c->u.ibendport.port = le32_to_cpu(buf[1]);
> +
> +   if (c->u.ibendport.port > 0xff ||
> +   c->u.ibendport.port == 0) {
>

Re: [PATCH v3] selinux: policydb - fix byte order and alignment issues

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 7:19 AM Ondrej Mosnacek  wrote:
>
> Do the LE conversions before doing the Infiniband-related range checks.
> The incorrect checks are otherwise causing a failure to load any policy
> with an ibendportcon rule on BE systems. This can be reproduced by
> running (on e.g. ppc64):
>
> cat >my_module.cil <<EOF
> (type test_ibendport_t)
> (roletype object_r test_ibendport_t)
> (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
> EOF
> semodule -i my_module.cil
>
> Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> use a correctly aligned buffer.
>
> Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> should be used instead.
>
> Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> patch applied.
>
> Cc: Daniel Jurgens 
> Cc: Eli Cohen 
> Cc: James Morris 
> Cc: Doug Ledford 
> Cc:  # 4.13+
> Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband 
> support")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  security/selinux/ss/policydb.c | 41 ++
>  1 file changed, 27 insertions(+), 14 deletions(-)
>
> Changes in v3:
>  - use separate buffer for the 64-bit subnet_prefix
>  - add comments on the byte ordering of subnet_prefix
>  - deduplicate the le32_to_cpu() calls from checks
>
> Changes in v2:
>  - add reproducer to commit message
>  - update e-mail address of James Morris
>  - better Cc also the old SELinux ML
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index f4eadd3f7350..b9029491869b 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
>  {
> int i, j, rc;
> u32 nel, len;
> +   __be64 prefixbuf[1];
> __le32 buf[3];
> struct ocontext *l, *c;
> u32 nodebuf[8];
> @@ -2218,21 +2219,26 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> break;
> }
> case OCON_IBPKEY:
> -   rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
> +   rc = next_entry(prefixbuf, fp, sizeof(u64));
> if (rc)
> goto out;
>
> -   c->u.ibpkey.subnet_prefix = 
> be64_to_cpu(*((__be64 *)nodebuf));
> +   /* we need to have subnet_prefix in CPU order 
> */
> +   c->u.ibpkey.subnet_prefix = 
> be64_to_cpu(prefixbuf[0]);
>
> -   if (nodebuf[2] > 0x ||
> -   nodebuf[3] > 0x) {
> +   rc = next_entry(buf, fp, sizeof(u32) * 2);
> +   if (rc)
> +   goto out;
> +
> +   c->u.ibpkey.low_pkey  = le32_to_cpu(buf[0]);
> +   c->u.ibpkey.high_pkey = le32_to_cpu(buf[1]);

We noticed this in the corresponding user space patch. Assigning a 32-bit
value to a 16-bit field truncates it, and thus
the conditionals below are always false.

struct {
  u64 subnet_prefix;
  u16 low_pkey;   <-- u16
  u16 high_pkey;  <-- u16
} ibpkey;

I figured I would comment just to make sure folks following one patch
and not the other are
informed. You'll need to respin a v4 and assign to a u32 intermediate,
range check, and then assign.

> +
> +   if (c->u.ibpkey.low_pkey  > 0x ||
> +   c->u.ibpkey.high_pkey > 0x) {
> rc = -EINVAL;
> goto out;
> }
>
> -   c->u.ibpkey.low_pkey = 
> le32_to_cpu(nodebuf[2]);
> -   c->u.ibpkey.high_pkey = 
> le32_to_cpu(nodebuf[3]);
> -
> rc = context_read_and_validate(>context[0],
>p,
>fp);
> @@ -2249,13 +2255,14 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> if (rc)
> goto out;
>
> -   if (buf[1] > 0xff || buf[1] == 0) {
> +   c->u.ibendport.port = le32_to_cpu(buf[1]);
> +
> +   if (c->u.ibendport.port > 0xff ||
> +   c->u.ibendport.port == 0) {
> rc = -EINVAL;
> goto out;
> }
>
> -   c->u.ibendport.port = le32_to_cpu(buf[1]);
> -
> 

Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 2:21 PM Stephen Smalley  wrote:
>
> On 10/17/2018 05:18 PM, Paul Moore wrote:
> > On Wed, Oct 17, 2018 at 12:07 PM William Roberts
> >  wrote:
> >> On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek  
> >> wrote:
> >>>
> >>> We need to convert from little-endian before doing range checks on the
> >>> ibpkey port numbers, otherwise we would be checking a wrong value.
> >>>
> >>> Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> >>> Signed-off-by: Ondrej Mosnacek 
> >>> ---
> >>>   libsepol/src/policydb.c | 14 ++
> >>>   1 file changed, 10 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> >>> index a6d76ca3..dc201e2f 100644
> >>> --- a/libsepol/src/policydb.c
> >>> +++ b/libsepol/src/policydb.c
> >>> @@ -2830,15 +2830,21 @@ static int ocontext_read_selinux(struct 
> >>> policydb_compat_info *info,
> >>>  break;
> >>>  case OCON_IBPKEY:
> >>>  rc = next_entry(buf, fp, 
> >>> sizeof(uint32_t) * 4);
> >>> -   if (rc < 0 || buf[2] > 0x || buf[3] > 
> >>> 0x)
> >>> +   if (rc < 0)
> >>>  return -1;
> >>>
> >>> +   c->u.ibpkey.low_pkey  = 
> >>> le32_to_cpu(buf[2]);
> >>> +   c->u.ibpkey.high_pkey = 
> >>> le32_to_cpu(buf[3]);
> >>
> >> Ahh you're assigning a 32 bit value to a 16 bit variable low|high_pkey. I 
> >> think
> >> you need to assign them to a uint32_t if you want to actually range check 
> >> them.
> >
> > If you can, give me a chance to look over the kernel changes first.  I
> > doubt I'll see anything objectionable given the review the patches
> > have already seen, but one never knows.
>
> The kernel patch has the same bug, so it will also need a re-spin.  Good
> catch.

Don't thank me, thank GCC and Travis. This compiled on my local machine
and ran the test suite just fine. I had clang set up, I guess this re-iterates
the need and benefit of Travis testing in different environments.

>
> >
> >>> +
> >>> +   if (c->u.ibpkey.low_pkey  > 0x ||
> >>> +   c->u.ibpkey.high_pkey > 0x)
> >>> +   return -1;
> >>> +
> >>> +   /* we want c->u.ibpkey.subnet_prefix in 
> >>> network
> >>> +* (big-endian) order, just memcpy it */
> >>>  memcpy(>u.ibpkey.subnet_prefix, buf,
> >>> 
> >>> sizeof(c->u.ibpkey.subnet_prefix));
> >>>
> >>> -   c->u.ibpkey.low_pkey = 
> >>> le32_to_cpu(buf[2]);
> >>> -   c->u.ibpkey.high_pkey = 
> >>> le32_to_cpu(buf[3]);
> >>> -
> >>>  if (context_read_and_validate
> >>>  (>context[0], p, fp))
> >>>  return -1;
> >>> --
> >>> 2.17.2
> >>>
> >> See job: https://travis-ci.org/SELinuxProject/selinux/jobs/442750208
> >>
> >> Build fail with gcc:
> >>
> >> policydb.c:2839:31: error: comparison is always false due to limited
> >> range of data type [-Werror=type-limits]
> >>   if (c->u.ibpkey.low_pkey  > 0x ||
> >> ^
> >> policydb.c:2840:31: error: comparison is always false due to limited
> >> range of data type [-Werror=type-limits]
> >>   c->u.ibpkey.high_pkey > 0x)
> >
> >
> >
>


Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek  wrote:
>
> We need to convert from little-endian before doing range checks on the
> ibpkey port numbers, otherwise we would be checking a wrong value.
>
> Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  libsepol/src/policydb.c | 14 ++
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index a6d76ca3..dc201e2f 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2830,15 +2830,21 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> break;
> case OCON_IBPKEY:
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 4);
> -   if (rc < 0 || buf[2] > 0x || buf[3] > 
> 0x)
> +   if (rc < 0)
> return -1;
>
> +   c->u.ibpkey.low_pkey  = le32_to_cpu(buf[2]);
> +   c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);

Ahh you're assigning a 32 bit value to a 16 bit variable low|high_pkey. I think
you need to assign them to a uint32_t if you want to actually range check them.

> +
> +   if (c->u.ibpkey.low_pkey  > 0x ||
> +   c->u.ibpkey.high_pkey > 0x)
> +   return -1;
> +
> +   /* we want c->u.ibpkey.subnet_prefix in 
> network
> +* (big-endian) order, just memcpy it */
> memcpy(>u.ibpkey.subnet_prefix, buf,
>sizeof(c->u.ibpkey.subnet_prefix));
>
> -   c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
> -   c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> -
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> --
> 2.17.2
>
See job: https://travis-ci.org/SELinuxProject/selinux/jobs/442750208

Build fail with gcc:

policydb.c:2839:31: error: comparison is always false due to limited
range of data type [-Werror=type-limits]
 if (c->u.ibpkey.low_pkey  > 0x ||
   ^
policydb.c:2840:31: error: comparison is always false due to limited
range of data type [-Werror=type-limits]
 c->u.ibpkey.high_pkey > 0x)


Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 8:30 AM Stephen Smalley  wrote:
>
> On 10/17/2018 10:46 AM, Ondrej Mosnacek wrote:
> > We need to convert from little-endian before doing range checks on the
> > ibpkey port numbers, otherwise we would be checking a wrong value.
> >
> > Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> > Signed-off-by: Ondrej Mosnacek 
>
> Acked-by: Stephen Smalley 

Stephen,
I'll stage this as a PR. Do you want to wait until the kernel changes
are in, or just
the normal 24 hours?

Bill

>
> > ---
> >   libsepol/src/policydb.c | 14 ++
> >   1 file changed, 10 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index a6d76ca3..dc201e2f 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -2830,15 +2830,21 @@ static int ocontext_read_selinux(struct 
> > policydb_compat_info *info,
> >   break;
> >   case OCON_IBPKEY:
> >   rc = next_entry(buf, fp, sizeof(uint32_t) * 
> > 4);
> > - if (rc < 0 || buf[2] > 0x || buf[3] > 
> > 0x)
> > + if (rc < 0)
> >   return -1;
> >
> > + c->u.ibpkey.low_pkey  = le32_to_cpu(buf[2]);
> > + c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> > +
> > + if (c->u.ibpkey.low_pkey  > 0x ||
> > + c->u.ibpkey.high_pkey > 0x)
> > + return -1;
> > +
> > + /* we want c->u.ibpkey.subnet_prefix in 
> > network
> > +  * (big-endian) order, just memcpy it */
> >   memcpy(>u.ibpkey.subnet_prefix, buf,
> >  sizeof(c->u.ibpkey.subnet_prefix)); >
> > - c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
> > - c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> > -
> >   if (context_read_and_validate
> >   (>context[0], p, fp))
> >   return -1;
> >
>


Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek  wrote:
>
> We need to convert from little-endian before doing range checks on the
> ibpkey port numbers, otherwise we would be checking a wrong value.
>
> Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> Signed-off-by: Ondrej Mosnacek 
> ---
>  libsepol/src/policydb.c | 14 ++
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index a6d76ca3..dc201e2f 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2830,15 +2830,21 @@ static int ocontext_read_selinux(struct 
> policydb_compat_info *info,
> break;
> case OCON_IBPKEY:
> rc = next_entry(buf, fp, sizeof(uint32_t) * 
> 4);
> -   if (rc < 0 || buf[2] > 0x || buf[3] > 
> 0x)
> +   if (rc < 0)
> return -1;
>
> +   c->u.ibpkey.low_pkey  = le32_to_cpu(buf[2]);
> +   c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> +
> +   if (c->u.ibpkey.low_pkey  > 0x ||
> +   c->u.ibpkey.high_pkey > 0x)
> +   return -1;
> +
> +   /* we want c->u.ibpkey.subnet_prefix in 
> network
> +* (big-endian) order, just memcpy it */
> memcpy(>u.ibpkey.subnet_prefix, buf,
>sizeof(c->u.ibpkey.subnet_prefix));
>
> -   c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
> -   c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> -
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> --
> 2.17.2

This seems to line up with what I have been following on the kernel
side. But since Stephen
committed the patch this fixes up and is way more involved, I'll defer
to him. Soft ack from me,
but I would imagine we would want to see an ack on the kernel side
before pulling this in.

>


Re: Fix alias handling in sepolicy and semaange

2018-10-16 Thread William Roberts
I'm really not that familiar with the Python code to review this at
the moment, perhaps Nicolas is?
On Tue, Oct 16, 2018 at 1:27 AM Vit Mojzis  wrote:
>
> Sepolicy and semanage do not work with aliases properly (aliases are
> mostly treated as invalid types). Fix this by determining corresponding
> type when an alias is used and working with the type instead.
>
> python/semanage/seobject.py  | 21 ++---
> python/sepolicy/sepolicy.py  |  8 +++-
> python/sepolicy/sepolicy/__init__.py | 22 ++
> 3 files changed, 31 insertions(+), 20 deletions(-)
>
>


Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files

2018-10-15 Thread William Roberts
merged:
https://github.com/SELinuxProject/selinux/pull/104
On Thu, Oct 11, 2018 at 4:58 PM William Roberts
 wrote:
>
> On Thu, Oct 11, 2018 at 5:37 AM James Carter  wrote:
> >
> > [Resending because I originally only sent these to the new list]
> >
> > - Removes some redundant definitions of initial sid name strings
> > - Adds range checking when looking up an initial sid name string for an 
> > index
> > - Adds two new Xen initial sids
> >
> > James Carter (4):
> >   libsepol: Rename kernel_to_common.c stack functions
> >   libsepol: Eliminate initial sid string definitions in module_to_cil.c
> >   libsepol: Check that initial sid indexes are within the valid range
> >   libsepol: Add two new Xen initial SIDs
> >
> >  libsepol/src/kernel_to_cil.c| 78 +
> >  libsepol/src/kernel_to_common.c | 10 ++---
> >  libsepol/src/kernel_to_common.h | 16 ---
> >  libsepol/src/kernel_to_conf.c   | 78 +
> >  libsepol/src/module_to_cil.c| 78 +
> >  5 files changed, 136 insertions(+), 124 deletions(-)
>
> LGTM. I ran these locally and they seemed to be OK and I was able
> to list the new SIDs from the policy db.
>
> I staged them here to have travis run the CI as well:
> https://github.com/SELinuxProject/selinux/pull/104
>
> >
> > --
> > 2.17.1
> >


Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-08 Thread William Roberts
Weird Gmail removed my text box for plain text mode in Gmail,
re-sending since it got
filtered out of the mailing list.

On Mon, Oct 8, 2018 at 9:09 AM William Roberts  wrote:
>
> Yuli,
> If you respin this with just import error looks like its a go.
> Bill
>
> On Fri, Oct 5, 2018 at 12:53 PM Chris PeBenito  wrote:
>>
>> On 10/05/2018 10:32 AM, Jason Zaman wrote:
>> > On Fri, Oct 05, 2018 at 07:13:23AM -0700, William Roberts wrote:
>> >> On Thu, Oct 4, 2018 at 12:46 PM Yuli Khodorkovskiy <
>> >> yuli.khodorkovs...@crunchydata.com> wrote:
>> >>
>> >>> The python module import error in semanage_migrate_store was misleading.
>> >>> Before, it would print that the module is not installed, even though
>> >>> it is in fact on the system.
>> >>>
>> >>> Now the python module import failure is correctly reported if the module
>> >>> is not installed or the exact reason for failure is reported to the user.
>> >>>
>> >>> Signed-off-by: Yuli Khodorkovskiy 
>> >>> ---
>> >>>   libsemanage/utils/semanage_migrate_store | 6 --
>> >>>   1 file changed, 4 insertions(+), 2 deletions(-)
>> >>>
>> >>> diff --git a/libsemanage/utils/semanage_migrate_store
>> >>> b/libsemanage/utils/semanage_migrate_store
>> >>> index 2e6cb278..50eb59ef 100755
>> >>> --- a/libsemanage/utils/semanage_migrate_store
>> >>> +++ b/libsemanage/utils/semanage_migrate_store
>> >>> @@ -15,10 +15,12 @@ sepol = ctypes.cdll.LoadLibrary('libsepol.so.1')
>> >>>   try:
>> >>>  import selinux
>> >>>  import semanage
>> >>> -except:
>> >>> +except ImportError:
>> >>>  print("You must install libselinux-python and libsemanage-python
>> >>> before running this tool", file=sys.stderr)
>> >>>  exit(1)
>> >>> -
>> >>> +except Exception as e:
>> >>> +   print("Failed to import libselinux-python/libsemanage-python: %s"
>> >>> % str(e))
>> >>> +   exit(1)
>> >>>
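Review bot: The new `except Exception` branch prints its failure message to stdout, while the `ImportError` branch just above it writes to stderr with `file=sys.stderr`. A message that is followed by `exit(1)` should go to stderr as well, so callers that capture stdout do not mistake it for tool output: `print("Failed to import libselinux-python/libsemanage-python: %s" % str(e), file=sys.stderr)`. The same hunk is quoted twice more further down this thread and the point applies there unchanged.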
>> >>
>> >> We should really only be handling exceptions we reasonably expect and
>> >> discourage
>> >> the usage of catching raw Exception, especially considering not-catching
>> >> this will
>> >> cause the runtime to print a stack trace, the error and exit non-zero.
>> >>
>> >> We probably only need the except ImportError change and can drop the 
>> >> second
>> >> hunk.
>> >>
>> >> Does anyone disagree with this?
>>
>> For this case, I agree that ImportError is the only thing that should be
>> caught.
>>
>> > Agreed. catching Exception is bad cuz it also catches KeyboardInterrupt
>> > and stuff like that.
>>
>> That's not correct.  Catching BaseException would catch
>> KeyboardInterrupt.  Catching Exception would not.  See the Python
>> builtin exception hierarchy:
>>
>> https://docs.python.org/3/library/exceptions.html#exception-hierarchy
>>
>> IMO catching Exception has valid uses.
>>
>> --
>> Chris PeBenito


Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-08 Thread William Roberts
Yuli,
If you respin this with just the ImportError change, it looks like it's a go.
Bill

On Fri, Oct 5, 2018 at 12:53 PM Chris PeBenito  wrote:

> On 10/05/2018 10:32 AM, Jason Zaman wrote:
> > On Fri, Oct 05, 2018 at 07:13:23AM -0700, William Roberts wrote:
> >> On Thu, Oct 4, 2018 at 12:46 PM Yuli Khodorkovskiy <
> >> yuli.khodorkovs...@crunchydata.com> wrote:
> >>
> >>> The python module import error in semanage_migrate_store was
> misleading.
> >>> Before, it would print that the module is not installed, even though
> >>> it is in fact on the system.
> >>>
> >>> Now the python module import failure is correctly reported if the
> module
> >>> is not installed or the exact reason for failure is reported to the
> user.
> >>>
> >>> Signed-off-by: Yuli Khodorkovskiy 
> >>> ---
> >>>   libsemanage/utils/semanage_migrate_store | 6 --
> >>>   1 file changed, 4 insertions(+), 2 deletions(-)
> >>>
> >>> diff --git a/libsemanage/utils/semanage_migrate_store
> >>> b/libsemanage/utils/semanage_migrate_store
> >>> index 2e6cb278..50eb59ef 100755
> >>> --- a/libsemanage/utils/semanage_migrate_store
> >>> +++ b/libsemanage/utils/semanage_migrate_store
> >>> @@ -15,10 +15,12 @@ sepol = ctypes.cdll.LoadLibrary('libsepol.so.1')
> >>>   try:
> >>>  import selinux
> >>>  import semanage
> >>> -except:
> >>> +except ImportError:
> >>>  print("You must install libselinux-python and
> libsemanage-python
> >>> before running this tool", file=sys.stderr)
> >>>  exit(1)
> >>> -
> >>> +except Exception as e:
> >>> +   print("Failed to import libselinux-python/libsemanage-python:
> %s"
> >>> % str(e))
> >>> +   exit(1)
> >>>
> >>
> >> We should really only be handling exceptions we reasonably expect and
> >> discourage
> >> the usage of catching raw Exception, especially considering not-catching
> >> this will
> >> cause the runtime to print a stack trace, the error and exit non-zero.
> >>
> >> We probably only need the except ImportError change and can drop the
> second
> >> hunk.
> >>
> >> Does anyone disagree with this?
>
> For this case, I agree that ImportError is the only thing that should be
> caught.
>
> > Agreed. catching Exception is bad cuz it also catches KeyboardInterrupt
> > and stuff like that.
>
> That's not correct.  Catching BaseException would catch
> KeyboardInterrupt.  Catching Exception would not.  See the Python
> builtin exception hierarchy:
>
> https://docs.python.org/3/library/exceptions.html#exception-hierarchy
>
> IMO catching Exception has valid uses.
>
> --
> Chris PeBenito
>

Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-05 Thread William Roberts
On Thu, Oct 4, 2018 at 12:46 PM Yuli Khodorkovskiy <
yuli.khodorkovs...@crunchydata.com> wrote:

> The python module import error in semanage_migrate_store was misleading.
> Before, it would print that the module is not installed, even though
> it is in fact on the system.
>
> Now the python module import failure is correctly reported if the module
> is not installed or the exact reason for failure is reported to the user.
>
> Signed-off-by: Yuli Khodorkovskiy 
> ---
>  libsemanage/utils/semanage_migrate_store | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/libsemanage/utils/semanage_migrate_store
> b/libsemanage/utils/semanage_migrate_store
> index 2e6cb278..50eb59ef 100755
> --- a/libsemanage/utils/semanage_migrate_store
> +++ b/libsemanage/utils/semanage_migrate_store
> @@ -15,10 +15,12 @@ sepol = ctypes.cdll.LoadLibrary('libsepol.so.1')
>  try:
> import selinux
> import semanage
> -except:
> +except ImportError:
> print("You must install libselinux-python and libsemanage-python
> before running this tool", file=sys.stderr)
> exit(1)
> -
> +except Exception as e:
> +   print("Failed to import libselinux-python/libsemanage-python: %s"
> % str(e))
> +   exit(1)
>

We should really only be handling exceptions we reasonably expect and
discourage
the usage of catching raw Exception, especially considering not-catching
this will
cause the runtime to print a stack trace, the error and exit non-zero.

We probably only need the except ImportError change and can drop the second
hunk.

Does anyone disagree with this?


>
>  def copy_file(src, dst):
> if DEBUG:
> --
> 2.19.0
>

Re: [PATCH] libselinux: fix selinux_restorecon() on non-SELinux hosts

2018-09-26 Thread William Roberts
On Wed, Sep 26, 2018 at 8:12 AM Stephen Smalley  wrote:

> The kernel only supports seclabel if it is >= 2.6.30 _and_
> SELinux is enabled, since seclabel is generated by SELinux
> based partly on policy (e.g. is the filesystem type configured in policy
> with a labeling behavior that supports userspace labeling). For some
> reason, when this logic was moved from setfiles to libselinux,
> the test of whether SELinux was enabled was dropped.  Restore it.
>
> This is necessary to enable use of setfiles on non-SELinux hosts
> without requiring explicit use of the -m option.
>
> Fixes: 602347c7422e971a5674fe2767267a96e3b4f61c ("policycoreutils:
> setfiles - Modify to use selinux_restorecon")
> Reported-by: sajjad ahmed 
> Signed-off-by: Stephen Smalley 
> Cc: Richard Haines 
> ---
>  libselinux/src/selinux_restorecon.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libselinux/src/selinux_restorecon.c
> b/libselinux/src/selinux_restorecon.c
> index 41f22250..34a6408a 100644
> --- a/libselinux/src/selinux_restorecon.c
> +++ b/libselinux/src/selinux_restorecon.c
> @@ -241,6 +241,8 @@ static int exclude_non_seclabel_mounts(void)
> /* Check to see if the kernel supports seclabel */
> if (uname() == 0 && strverscmp(uts.release, "2.6.30") < 0)
> return 0;
> +   if (is_selinux_enabled() <= 0)
> +   return 0;
>
>
LGTM


> fp = fopen("/proc/mounts", "re");
> if (!fp)
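Review bot: The added `is_selinux_enabled() <= 0` test carries no comment, and it treats a negative (error) return exactly like "disabled", whereas the kernel-version test directly above it is documented. A line such as `/* seclabel is only generated when SELinux is enabled; a negative return is treated as disabled */` above the new `if` would keep the reasoning from the commit message in the code. `exclude_non_seclabel_mounts()` continues past the end of this hunk, so what the early `return 0` means for the caller should be confirmed there.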
> --
> 2.14.4
>

Re: [PATCH 1/2] whitespace and spelling cleanup

2018-09-25 Thread William Roberts
Both patches were applied:
https://github.com/SELinuxProject/selinux/pull/100

On Mon, Sep 24, 2018 at 11:55 AM William Roberts 
wrote:

> ack
>
> On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux <
> selinux@tycho.nsa.gov> wrote:
>
>> Signed-off-by: Nick Kralevich 
>> ---
>>  libsepol/include/sepol/errcodes.h |  2 +-
>>  secilc/secilc.c   | 14 +++---
>>  2 files changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/libsepol/include/sepol/errcodes.h
>> b/libsepol/include/sepol/errcodes.h
>> index 0136564a..6e9ff316 100644
>> --- a/libsepol/include/sepol/errcodes.h
>> +++ b/libsepol/include/sepol/errcodes.h
>> @@ -12,7 +12,7 @@ extern "C" {
>>  #define SEPOL_OK 0
>>
>>  /* These first error codes are defined for compatibility with
>> - * previous version of libsepol. In the future, custome error
>> + * previous version of libsepol. In the future, custom error
>>   * codes that don't map to system error codes should be defined
>>   * outside of the range of system error codes.
>>   */
>> diff --git a/secilc/secilc.c b/secilc/secilc.c
>> index 0be6975b..e1347205 100644
>> --- a/secilc/secilc.c
>> +++ b/secilc/secilc.c
>> @@ -1,16 +1,16 @@
>>  /*
>>   * Copyright 2011 Tresys Technology, LLC. All rights reserved.
>> - *
>> + *
>>   * Redistribution and use in source and binary forms, with or without
>>   * modification, are permitted provided that the following conditions
>> are met:
>> - *
>> + *
>>   *1. Redistributions of source code must retain the above copyright
>> notice,
>>   *   this list of conditions and the following disclaimer.
>> - *
>> + *
>>   *2. Redistributions in binary form must reproduce the above
>> copyright notice,
>>   *   this list of conditions and the following disclaimer in the
>> documentation
>>   *   and/or other materials provided with the distribution.
>> - *
>> + *
>>   * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY
>> EXPRESS
>>   * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
>> WARRANTIES OF
>>   * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>> IN NO
>> @@ -21,7 +21,7 @@
>>   * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
>> NEGLIGENCE
>>   * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
>> EVEN IF
>>   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> - *
>> + *
>>   * The views and conclusions contained in the software and documentation
>> are those
>>   * of the authors and should not be interpreted as representing official
>> policies,
>>   * either expressed or implied, of Tresys Technology, LLC.
>> @@ -259,7 +259,7 @@ int main(int argc, char *argv[])
>> fprintf(stderr, "Could not stat file: %s\n",
>> argv[i]);
>> goto exit;
>> }
>> -   file_size = filedata.st_size;
>> +   file_size = filedata.st_size;
>>
>> buffer = malloc(file_size);
>> rc = fread(buffer, file_size, 1, file);
>> @@ -347,7 +347,7 @@ int main(int argc, char *argv[])
>> fprintf(stderr, "Failed to open file_contexts file\n");
>> goto exit;
>> }
>> -
>> +
>> if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) !=
>> fc_size) {
>> fprintf(stderr, "Failed to write file_contexts file\n");
>> goto exit;
>> --
>> 2.19.0.444.g18242da7ef-goog
>>

Re: [PATCH 2/2] secilc: better error handling

2018-09-24 Thread William Roberts
ack

On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux <
selinux@tycho.nsa.gov> wrote:

> Fix a situation where the secilc command line tool could return success
> even though the compilation failed.
>
>   $ secilc /dev/null -o /dev/null -f /dev/null
>   Failure reading file: /dev/null
>   $ echo $?
>   0
>
> Signed-off-by: Nick Kralevich 
> ---
>  secilc/secilc.c | 4 
>  1 file changed, 4 insertions(+)
>
> diff --git a/secilc/secilc.c b/secilc/secilc.c
> index e1347205..ad6862ba 100644
> --- a/secilc/secilc.c
> +++ b/secilc/secilc.c
> @@ -257,6 +257,7 @@ int main(int argc, char *argv[])
> rc = stat(argv[i], );
> if (rc == -1) {
> fprintf(stderr, "Could not stat file: %s\n",
> argv[i]);
> +   rc = SEPOL_ERR;
> goto exit;
> }
> file_size = filedata.st_size;
> @@ -265,6 +266,7 @@ int main(int argc, char *argv[])
> rc = fread(buffer, file_size, 1, file);
> if (rc != 1) {
> fprintf(stderr, "Failure reading file: %s\n",
> argv[i]);
> +   rc = SEPOL_ERR;
> goto exit;
> }
> fclose(file);
> @@ -345,11 +347,13 @@ int main(int argc, char *argv[])
>
> if (file_contexts == NULL) {
> fprintf(stderr, "Failed to open file_contexts file\n");
> +   rc = SEPOL_ERR;
> goto exit;
> }
>
> if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) !=
> fc_size) {
> fprintf(stderr, "Failed to write file_contexts file\n");
> +   rc = SEPOL_ERR;
> goto exit;
> }
>
> --
> 2.19.0.444.g18242da7ef-goog
>

Re: [PATCH 1/2] whitespace and spelling cleanup

2018-09-24 Thread William Roberts
ack

On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux <
selinux@tycho.nsa.gov> wrote:

> Signed-off-by: Nick Kralevich 
> ---
>  libsepol/include/sepol/errcodes.h |  2 +-
>  secilc/secilc.c   | 14 +++---
>  2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/include/sepol/errcodes.h
> b/libsepol/include/sepol/errcodes.h
> index 0136564a..6e9ff316 100644
> --- a/libsepol/include/sepol/errcodes.h
> +++ b/libsepol/include/sepol/errcodes.h
> @@ -12,7 +12,7 @@ extern "C" {
>  #define SEPOL_OK 0
>
>  /* These first error codes are defined for compatibility with
> - * previous version of libsepol. In the future, custome error
> + * previous version of libsepol. In the future, custom error
>   * codes that don't map to system error codes should be defined
>   * outside of the range of system error codes.
>   */
> diff --git a/secilc/secilc.c b/secilc/secilc.c
> index 0be6975b..e1347205 100644
> --- a/secilc/secilc.c
> +++ b/secilc/secilc.c
> @@ -1,16 +1,16 @@
>  /*
>   * Copyright 2011 Tresys Technology, LLC. All rights reserved.
> - *
> + *
>   * Redistribution and use in source and binary forms, with or without
>   * modification, are permitted provided that the following conditions are
> met:
> - *
> + *
>   *1. Redistributions of source code must retain the above copyright
> notice,
>   *   this list of conditions and the following disclaimer.
> - *
> + *
>   *2. Redistributions in binary form must reproduce the above
> copyright notice,
>   *   this list of conditions and the following disclaimer in the
> documentation
>   *   and/or other materials provided with the distribution.
> - *
> + *
>   * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY
> EXPRESS
>   * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF
>   * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> IN NO
> @@ -21,7 +21,7 @@
>   * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
> NEGLIGENCE
>   * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
> IF
>   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> - *
> + *
>   * The views and conclusions contained in the software and documentation
> are those
>   * of the authors and should not be interpreted as representing official
> policies,
>   * either expressed or implied, of Tresys Technology, LLC.
> @@ -259,7 +259,7 @@ int main(int argc, char *argv[])
> fprintf(stderr, "Could not stat file: %s\n",
> argv[i]);
> goto exit;
> }
> -   file_size = filedata.st_size;
> +   file_size = filedata.st_size;
>
> buffer = malloc(file_size);
> rc = fread(buffer, file_size, 1, file);
> @@ -347,7 +347,7 @@ int main(int argc, char *argv[])
> fprintf(stderr, "Failed to open file_contexts file\n");
> goto exit;
> }
> -
> +
> if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) !=
> fc_size) {
> fprintf(stderr, "Failed to write file_contexts file\n");
> goto exit;
> --
> 2.19.0.444.g18242da7ef-goog
>

Re: [PATCH] secilc: better error handling

2018-09-21 Thread William Roberts
On Fri, Sep 21, 2018 at 5:12 PM Nick Kralevich via Selinux <
selinux@tycho.nsa.gov> wrote:

> Fix a situation where the secilc command line tool could return success
> even though the compilation failed.
>
>   $ secilc /dev/null -o /dev/null -f /dev/null
>   Failure reading file: /dev/null
>   $ echo $?
>   0
>
> Fix a few other minor oversights while I'm here.
>

I'd prefer this split into at least 2 patches on the off chance we
need to revert the actual code changes we don't lose the spelling
and whitespace fixes. Otherwise LGTM.


>
> Signed-off-by: Nick Kralevich 
> ---
>  libsepol/include/sepol/errcodes.h | 2 +-
>  secilc/secilc.c   | 8 ++--
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/libsepol/include/sepol/errcodes.h
> b/libsepol/include/sepol/errcodes.h
> index 0136564a..6e9ff316 100644
> --- a/libsepol/include/sepol/errcodes.h
> +++ b/libsepol/include/sepol/errcodes.h
> @@ -12,7 +12,7 @@ extern "C" {
>  #define SEPOL_OK 0
>
>  /* These first error codes are defined for compatibility with
> - * previous version of libsepol. In the future, custome error
> + * previous version of libsepol. In the future, custom error
>   * codes that don't map to system error codes should be defined
>   * outside of the range of system error codes.
>   */
> diff --git a/secilc/secilc.c b/secilc/secilc.c
> index 0be6975b..8578cc26 100644
> --- a/secilc/secilc.c
> +++ b/secilc/secilc.c
> @@ -257,14 +257,16 @@ int main(int argc, char *argv[])
> rc = stat(argv[i], );
> if (rc == -1) {
> fprintf(stderr, "Could not stat file: %s\n",
> argv[i]);
> +   rc = SEPOL_ERR;
> goto exit;
> }
> -   file_size = filedata.st_size;
> +   file_size = filedata.st_size;
>
> buffer = malloc(file_size);
> rc = fread(buffer, file_size, 1, file);
> if (rc != 1) {
> fprintf(stderr, "Failure reading file: %s\n",
> argv[i]);
> +   rc = SEPOL_ERR;
> goto exit;
> }
> fclose(file);
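Review bot: The context line `buffer = malloc(file_size);` is still handed straight to `fread()` with no NULL check, so an allocation failure is written through instead of taking the error path this patch is correcting. A guard in the style of the neighbouring checks would close that gap: `if (buffer == NULL) { fprintf(stderr, "Out of memory\n"); rc = SEPOL_ERR; goto exit; }`. Separately, `file_size` comes from `stat()` on the path while the bytes are read from `file`, which is presumably opened before this hunk, so the two can disagree if the file changes in between; `fstat()` on the open stream's descriptor would avoid that. The enclosing `main` starts and ends outside the hunk, so whether `buffer` and `file` are released at the `exit` label cannot be confirmed from here.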
> @@ -345,11 +347,13 @@ int main(int argc, char *argv[])
>
> if (file_contexts == NULL) {
> fprintf(stderr, "Failed to open file_contexts file\n");
> +   rc = SEPOL_ERR;
> goto exit;
> }
> -
> +
> if (fwrite(fc_buf, sizeof(char), fc_size, file_contexts) !=
> fc_size) {
> fprintf(stderr, "Failed to write file_contexts file\n");
> +   rc = SEPOL_ERR;
> goto exit;
> }
>
> --
> 2.19.0.444.g18242da7ef-goog
>

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-21 Thread William Roberts
merged: https://github.com/SELinuxProject/selinux/pull/99

On Wed, Sep 19, 2018 at 12:13 PM Nick Kralevich via Selinux <
selinux@tycho.nsa.gov> wrote:

> Reduce noise when calling the checkpolicy command line. In Android, this
> creates unnecessary build noise which we'd like to avoid.
>
> https://en.wikipedia.org/wiki/Unix_philosophy
>
>   Rule of Silence
>   Developers should design programs so that they do not print
>   unnecessary output. This rule aims to allow other programs
>   and developers to pick out the information they need from a
>   program's output without having to parse verbosity.
>
> An alternative approach would be to add a -s (silent) option to these
> tools, or to have the Android build system redirect stdout to /dev/null.
>
> Signed-off-by: Nick Kralevich 
> ---
>  checkpolicy/checkmodule.c |  8 
>  checkpolicy/checkpolicy.c | 11 ---
>  2 files changed, 19 deletions(-)
>
> diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
> index 46ce258f..8edc1f8c 100644
> --- a/checkpolicy/checkmodule.c
> +++ b/checkpolicy/checkmodule.c
> @@ -228,7 +228,6 @@ int main(int argc, char **argv)
> if (optind != argc)
> usage(argv[0]);
> }
> -   printf("%s:  loading policy configuration from %s\n", argv[0],
> file);
>
> /* Set policydb and sidtab used by libsepol service functions
>to my structures, so that I can directly populate and
> @@ -302,8 +301,6 @@ int main(int argc, char **argv)
>
> sepol_sidtab_destroy();
>
> -   printf("%s:  policy configuration loaded\n", argv[0]);
> -
> if (outfile) {
> FILE *outfp = fopen(outfile, "w");
>
> @@ -313,16 +310,11 @@ int main(int argc, char **argv)
> }
>
> if (!cil) {
> -   printf("%s:  writing binary representation
> (version %d) to %s\n",
> -  argv[0], policyvers, outfile);
> -
> if (write_binary_policy(, outfp) != 0)
> {
> fprintf(stderr, "%s:  error writing %s\n",
> argv[0], outfile);
> exit(1);
> }
> } else {
> -   printf("%s:  writing CIL to %s\n",argv[0],
> outfile);
> -
> if (sepol_module_policydb_to_cil(outfp,
> , 0) != 0) {
> fprintf(stderr, "%s:  error writing %s\n",
> argv[0], outfile);
> exit(1);
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index fbda4558..12c4c405 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -512,8 +512,6 @@ int main(int argc, char **argv)
> if (optind != argc)
> usage(argv[0]);
> }
> -   printf("%s:  loading policy configuration from %s\n", argv[0],
> file);
> -
> /* Set policydb and sidtab used by libsepol service functions
>to my structures, so that I can directly populate and
>manipulate them. */
> @@ -623,8 +621,6 @@ int main(int argc, char **argv)
> if (policydb_load_isids(, ))
> exit(1);
>
> -   printf("%s:  policy configuration loaded\n", argv[0]);
> -
> if (outfile) {
> outfp = fopen(outfile, "w");
> if (!outfp) {
> @@ -636,8 +632,6 @@ int main(int argc, char **argv)
>
> if (!cil) {
> if (!conf) {
> -   printf("%s:  writing binary representation
> (version %d) to %s\n", argv[0], policyvers, outfile);
> -
> policydb.policy_type = POLICY_KERN;
>
> policy_file_init();
> @@ -645,8 +639,6 @@ int main(int argc, char **argv)
> pf.fp = outfp;
> ret = policydb_write(, );
> } else {
> -   printf("%s:  writing policy.conf to %s\n",
> -  argv[0], outfile);
> ret = sepol_kernel_policydb_to_conf(outfp,
> policydbp);
> }
> if (ret) {
> @@ -655,7 +647,6 @@ int main(int argc, char **argv)
> exit(1);
> }
> } else {
> -   printf("%s:  writing CIL to %s\n",argv[0],
> outfile);
> if (binary) {
> ret = sepol_kernel_policydb_to_cil(outfp,
> policydbp);
> } else {
> @@ -894,8 +885,6 @@ int main(int argc, char **argv)
> FGETS(ans, sizeof(ans), stdin);
> pathlen = strlen(ans);
> ans[pathlen - 1] = 0;
> -   printf("%s:  loading policy configuration from
> %s\n",
> -

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-19 Thread William Roberts
On Wed, Sep 19, 2018 at 12:36 PM Stephen Smalley  wrote:

> On 09/19/2018 03:21 PM, William Roberts wrote:
> > Some people might be checking this output since it's been there so long,
> > -s would be a good way to go.
> >
> > Alternatively, a way to bring back this information via a verbose option
> > -V could
> > be considered.
> >
> > Either way, a simple logging mechanism analogous to
> > LOGV/LOGW/LOGE could be useful, I wonder what subordinate routines
> > are logging. IIRC it was all fprintf(stderr) stuff in libselinux proper
> > as you allude
> > to in the redirection of stdout comment. We don't need to address this
> > in this
> > patch, but we may want to consider it at some point.
> >
> > I would lean towards a silent flag as it's backwards compatible,
> > but noting that it doesn't suppress subordinate callers.
> >
> > I would also yield that opinion, as removing it works for me.
>
> I'm ok dropping the output unless someone knows of an existing user that
> relies upon it (which I can't really envision).
>

Why don't we extend the review period to 72 hours, and I'll apply this on
Friday unless we hear of this breaking someone. Essentially,
consider this a soft-ack.


>
> With regard to subordinate routines, libsepol has sepol_debug(0) or
> sepol_msg_set_callback() to suppress or redirect its logging.



> checkpolicy doesn't use libselinux but it likewise has
> selinux_set_callback().
>

What about things like:
libselinux/src/load_policy.c:299: fprintf(stderr, "libselinux:  %s\n",
errormsg);

Also utils and others are using fprintf directly perhaps something we
wish to make common
across utilities and subordinate libs.


> >
> > On Wed, Sep 19, 2018 at 12:13 PM Nick Kralevich via Selinux
> > mailto:selinux@tycho.nsa.gov>> wrote:
> >
> > Reduce noise when calling the checkpolicy command line. In Android,
> this
> > creates unnecessary build noise which we'd like to avoid.
> >
> > https://en.wikipedia.org/wiki/Unix_philosophy
> >
> >Rule of Silence
> >Developers should design programs so that they do not print
> >unnecessary output. This rule aims to allow other programs
> >and developers to pick out the information they need from a
> >program's output without having to parse verbosity.
> >
> > An alternative approach would be to add a -s (silent) option to these
> > tools, or to have the Android build system redirect stdout to
> /dev/null.
> >
> > Signed-off-by: Nick Kralevich mailto:n...@google.com
> >>
> > ---
> >   checkpolicy/checkmodule.c |  8 
> >   checkpolicy/checkpolicy.c | 11 ---
> >   2 files changed, 19 deletions(-)
> >
> > diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
> > index 46ce258f..8edc1f8c 100644
> > --- a/checkpolicy/checkmodule.c
> > +++ b/checkpolicy/checkmodule.c
> > @@ -228,7 +228,6 @@ int main(int argc, char **argv)
> >  if (optind != argc)
> >  usage(argv[0]);
> >  }
> > -   printf("%s:  loading policy configuration from %s\n",
> > argv[0], file);
> >
> >  /* Set policydb and sidtab used by libsepol service
> functions
> > to my structures, so that I can directly populate and
> > @@ -302,8 +301,6 @@ int main(int argc, char **argv)
> >
> >  sepol_sidtab_destroy();
> >
> > -   printf("%s:  policy configuration loaded\n", argv[0]);
> > -
> >  if (outfile) {
> >  FILE *outfp = fopen(outfile, "w");
> >
> > @@ -313,16 +310,11 @@ int main(int argc, char **argv)
> >  }
> >
> >  if (!cil) {
> > -   printf("%s:  writing binary representation
> > (version %d) to %s\n",
> > -  argv[0], policyvers, outfile);
> > -
> >  if (write_binary_policy(,
> > outfp) != 0) {
> >  fprintf(stderr, "%s:  error writing
> > %s\n", argv[0], outfile);
> >  exit(1);
> >  }
> >  } else {
> > -   printf("%s:  writing CIL to %s\n",argv[0],
> > outfile);
> > -
> >  if

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-19 Thread William Roberts
Some people might be checking this output since it's been there so long,
-s would be a good way to go.

Alternatively, a way to bring back this information via a verbose option -V
could
be considered.

Either way, a simple logging mechanism analogous to
LOGV/LOGW/LOGE could be useful, I wonder what subordinate routines
are logging. IIRC it was all fprintf(stderr) stuff in libselinux proper as
you allude
to in the redirection of stdout comment. We don't need to address this in
this
patch, but we may want to consider it at some point.

I would lean towards a silent flag as it's backwards compatible,
but noting that it doesn't suppress subordinate callers.

I would also yield that opinion, as removing it works for me.

On Wed, Sep 19, 2018 at 12:13 PM Nick Kralevich via Selinux <
selinux@tycho.nsa.gov> wrote:

> Reduce noise when calling the checkpolicy command line. In Android, this
> creates unnecessary build noise which we'd like to avoid.
>
> https://en.wikipedia.org/wiki/Unix_philosophy
>
>   Rule of Silence
>   Developers should design programs so that they do not print
>   unnecessary output. This rule aims to allow other programs
>   and developers to pick out the information they need from a
>   program's output without having to parse verbosity.
>
> An alternative approach would be to add a -s (silent) option to these
> tools, or to have the Android build system redirect stdout to /dev/null.
>
> Signed-off-by: Nick Kralevich 
> ---
>  checkpolicy/checkmodule.c |  8 
>  checkpolicy/checkpolicy.c | 11 ---
>  2 files changed, 19 deletions(-)
>
> diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
> index 46ce258f..8edc1f8c 100644
> --- a/checkpolicy/checkmodule.c
> +++ b/checkpolicy/checkmodule.c
> @@ -228,7 +228,6 @@ int main(int argc, char **argv)
> if (optind != argc)
> usage(argv[0]);
> }
> -   printf("%s:  loading policy configuration from %s\n", argv[0],
> file);
>
> /* Set policydb and sidtab used by libsepol service functions
>to my structures, so that I can directly populate and
> @@ -302,8 +301,6 @@ int main(int argc, char **argv)
>
> sepol_sidtab_destroy();
>
> -   printf("%s:  policy configuration loaded\n", argv[0]);
> -
> if (outfile) {
> FILE *outfp = fopen(outfile, "w");
>
> @@ -313,16 +310,11 @@ int main(int argc, char **argv)
> }
>
> if (!cil) {
> -   printf("%s:  writing binary representation
> (version %d) to %s\n",
> -  argv[0], policyvers, outfile);
> -
> if (write_binary_policy(, outfp) != 0)
> {
> fprintf(stderr, "%s:  error writing %s\n",
> argv[0], outfile);
> exit(1);
> }
> } else {
> -   printf("%s:  writing CIL to %s\n",argv[0],
> outfile);
> -
> if (sepol_module_policydb_to_cil(outfp,
> , 0) != 0) {
> fprintf(stderr, "%s:  error writing %s\n",
> argv[0], outfile);
> exit(1);
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index fbda4558..12c4c405 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -512,8 +512,6 @@ int main(int argc, char **argv)
> if (optind != argc)
> usage(argv[0]);
> }
> -   printf("%s:  loading policy configuration from %s\n", argv[0],
> file);
> -
> /* Set policydb and sidtab used by libsepol service functions
>to my structures, so that I can directly populate and
>manipulate them. */
> @@ -623,8 +621,6 @@ int main(int argc, char **argv)
> if (policydb_load_isids(, ))
> exit(1);
>
> -   printf("%s:  policy configuration loaded\n", argv[0]);
> -
> if (outfile) {
> outfp = fopen(outfile, "w");
> if (!outfp) {
> @@ -636,8 +632,6 @@ int main(int argc, char **argv)
>
> if (!cil) {
> if (!conf) {
> -   printf("%s:  writing binary representation
> (version %d) to %s\n", argv[0], policyvers, outfile);
> -
> policydb.policy_type = POLICY_KERN;
>
> policy_file_init();
> @@ -645,8 +639,6 @@ int main(int argc, char **argv)
> pf.fp = outfp;
> ret = policydb_write(, );
> } else {
> -   printf("%s:  writing policy.conf to %s\n",
> -  argv[0], outfile);
> ret = sepol_kernel_policydb_to_conf(outfp,
> policydbp);
> }
> if (ret) {
> @@ -655,7 +647,6 @@ int 

Re: [PATCH 2/2] semanage: add a missing space in ibendport help

2018-09-06 Thread William Roberts
ack

On Wed, Sep 5, 2018 at 2:53 PM Nicolas Iooss  wrote:

> Currently, in:
>
> # semanage ibendport --help
> usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE
> -z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE(
> port ) | --deleteall  | --extract  | --list -C | --modify -t TYPE -z
> IBDEV_NAME -r RANGE ( port ) ]
>
> ... a space is missing between "RANGE" and "( port )" in the usage of
> --delete. Add it by splitting the string correctly in the usage line
> definition.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  python/semanage/semanage | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/python/semanage/semanage b/python/semanage/semanage
> index e32d1e8ad387..f4be97507c18 100644
> --- a/python/semanage/semanage
> +++ b/python/semanage/semanage
> @@ -62,7 +62,7 @@ usage_ibpkey = "semanage ibpkey [-h] [-n] [-N] [-s
> STORE] ["
>  usage_ibpkey_dict = {' --add': ('-t TYPE', '-x SUBNET_PREFIX', '-r
> RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --modify': ('-t
> TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|',
> 'pkey_range', ')'), ' --delete': ('-x SUBNET_PREFIX', '(', 'ibpkey_name',
> '|', 'pkey_range', ')'), ' --list': ('-C',), ' --extract': ('',), '
> --deleteall': ('',)}
>
>  usage_ibendport = "semanage ibendport [-h] [-n] [-N] [-s STORE] ["
> -usage_ibendport_dict = {' --add': ('-t TYPE', '-z IBDEV_NAME', '-r
> RANGE', '(', 'port', ')'), ' --modify': ('-t TYPE', '-z IBDEV_NAME', '-r
> RANGE', '(', 'port', ')'), ' --delete': ('-z IBDEV_NAME', '-r RANGE''(',
> 'port', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall':
> ('',)}
> +usage_ibendport_dict = {' --add': ('-t TYPE', '-z IBDEV_NAME', '-r
> RANGE', '(', 'port', ')'), ' --modify': ('-t TYPE', '-z IBDEV_NAME', '-r
> RANGE', '(', 'port', ')'), ' --delete': ('-z IBDEV_NAME', '-r RANGE', '(',
> 'port', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall':
> ('',)}
>
>  usage_node = "semanage node [-h] [-n] [-N] [-S STORE] ["
>  usage_node_dict = {' --add': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r
> RANGE', 'node'), ' --modify': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r
> RANGE', 'node'), ' --delete': ('-M NETMASK', '-p PROTOCOL', 'node'), '
> --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
> --
> 2.18.0
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
>

Re: [PATCH 3/3] python: remove semicolon from end of lines

2018-08-20 Thread William Roberts
Ack on these as well

On Sun, Aug 19, 2018 at 11:49 AM, Nicolas Iooss 
wrote:

> Python does not need to end a statement with a semicolon. Doing this
> gets reported by linters such as flake8 ("E703 statement ends with a
> semicolon").
>
> Remove such semicolons in the code and enable this warning in
> scripts/run-flake8.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  python/sepolgen/src/sepolgen/audit.py | 2 +-
>  python/sepolgen/src/sepolgen/yacc.py  | 8 
>  python/sepolicy/sepolicy/manpage.py   | 2 +-
>  scripts/run-flake8| 1 -
>  4 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/python/sepolgen/src/sepolgen/audit.py b/python/sepolgen/src/
> sepolgen/audit.py
> index daed58ce9643..4adb851f3e93 100644
> --- a/python/sepolgen/src/sepolgen/audit.py
> +++ b/python/sepolgen/src/sepolgen/audit.py
> @@ -258,7 +258,7 @@ class AVCMessage(AuditMessage):
>  if (scontext, tcontext, self.tclass, access_tuple) in
> avcdict.keys():
>  self.type, self.data = avcdict[(scontext, tcontext,
> self.tclass, access_tuple)]
>  else:
> -self.type, self.data = audit2why.analyze(scontext, tcontext,
> self.tclass, self.accesses);
> +self.type, self.data = audit2why.analyze(scontext, tcontext,
> self.tclass, self.accesses)
>  if self.type == audit2why.NOPOLICY:
>  self.type = audit2why.TERULE
>  if self.type == audit2why.BADTCON:
> diff --git a/python/sepolgen/src/sepolgen/yacc.py b/python/sepolgen/src/
> sepolgen/yacc.py
> index f00635469af1..afef174849f2 100644
> --- a/python/sepolgen/src/sepolgen/yacc.py
> +++ b/python/sepolgen/src/sepolgen/yacc.py
> @@ -1864,10 +1864,10 @@ del _lr_action_items
>  """)
>
>  else:
> -f.write("\n_lr_action = { ");
> +f.write("\n_lr_action = { ")
>  for k,v in _lr_action.items():
>  f.write("(%r,%r):%r," % (k[0],k[1],v))
> -f.write("}\n");
> +f.write("}\n")
>
>  if smaller:
>  # Factor out names to try and make smaller
> @@ -1901,10 +1901,10 @@ for _k, _v in _lr_goto_items.items():
>  del _lr_goto_items
>  """)
>  else:
> -f.write("\n_lr_goto = { ");
> +f.write("\n_lr_goto = { ")
>  for k,v in _lr_goto.items():
>  f.write("(%r,%r):%r," % (k[0],k[1],v))
> -f.write("}\n");
> +f.write("}\n")
>
>  # Write production table
>  f.write("_lr_productions = [\n")
> diff --git a/python/sepolicy/sepolicy/manpage.py
> b/python/sepolicy/sepolicy/manpage.py
> index cb211ba083ca..cfcb7c3932d7 100755
> --- a/python/sepolicy/sepolicy/manpage.py
> +++ b/python/sepolicy/sepolicy/manpage.py
> @@ -539,7 +539,7 @@ class ManPage:
>  self.fd = fd
>  self.man_page_path = man_page_path
>  except KeyError:
> -continue;
> +continue
>  self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE,
> ("%s") % domain_type))["attributes"]
>
>  self._header()
> diff --git a/scripts/run-flake8 b/scripts/run-flake8
> index 8a1f490b8a62..207edd20dd89 100755
> --- a/scripts/run-flake8
> +++ b/scripts/run-flake8
> @@ -14,7 +14,6 @@ IGNORE_LIST=''
>  IGNORE_LIST="$IGNORE_LIST,W191" # indentation contains tabs
>
>  IGNORE_LIST="$IGNORE_LIST,E101" # indentation contains mixed spaces and
> tabs
> -IGNORE_LIST="$IGNORE_LIST,E703" # statement ends with a semicolon
>  IGNORE_LIST="$IGNORE_LIST,E711" # comparison to None should be 'if cond
> is not None:'
>  IGNORE_LIST="$IGNORE_LIST,E712" # comparison to False should be 'if cond
> is False:' or 'if not cond:'
>  IGNORE_LIST="$IGNORE_LIST,E722" # do not use bare 'except'
> --
> 2.18.0
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
>

Re: [PATCH 2/2] libsemanage: make pywrap-test.py compatible with Python 3

2018-08-19 Thread William Roberts
On Sun, Aug 19, 2018 at 1:53 AM, Nicolas Iooss 
wrote:

> On Sat, Aug 18, 2018 at 8:43 PM William Roberts
>  wrote:
> >
> > Im assuming with your attention on the python side of the house we're
> going to see a lot of
> > formatting change patches heading the mailing list. I don't have any
> problems with them.
> >
> > Are you using some formatter for these, if so which one is it? Is it
> flake8 still?
>
> I did not use a "formatter" here (I do not consider 2to3 to be a
> formatter). I only looked at pep8 and pylint warnings and modified the
> code with search-and-replace commands on the file (using regular
> expressions). I usually do not like large changes which reindent a
> file or add spaces, because it increases the amount of work needed to
> backport a later bugfix to released versions, for package maintainers.
> Nevertheless when the modified file is not used "in production" (only
> when debugging issues or when testing things), as is the case here, I
> prefer cleaning up the code.
>

This seems reasonable. Clean up flake8 errors while ensuring we don't
introduce
new ones.


> > We should probably document that patches should be sent formatted, ie if
> a patch introduces a delta
> > after applying the patch and running , it's an issue.
>
> I upstreamed scripts/run-flake8 with this in mind ;) (and this is why
> I added it to Travis-CI tests too). And one of the reasons that led me
> to disable many warnings was to preserve some flexibility in order not
> to make submitting patches too hard for new contributors.
>
> In the next days, I plan to send some more patches to fix some
> formatting issues I consider important (for example removing
> semicolons at the end of Python statements), but I will not send
> patches which modify the spaces around operators in files where there
> could be bugs which would need to be backported.
>

When I review these I am literally just applying the patches, running the
test and making sure that flake8 errors go down. For these, since we have
this integrated in the build, I'm thinking you should send the patches, but
if no one responds I'd be OK with you applying them. Although this is not
100% in line with agreed practices, these patches are mostly just large
noise changes. Does anyone object to this?


>
> As always, thanks for your review!
> Nicolas
>
> PS: I am also playing with clang's static analyzer and I am currently
> testing a CircleCI configuration which runs it on every push (using
> scripts/run-scan-build) and publishes the results as HTML build
> artifacts. I will submit a proper patch for this once it is stable
> enough and once all the most important issues reported by the analyzer
> are fixed.
>

Oh the HTML will be interesting. I have scan-build integrated in my Travis
for other projects. Its nice.

Re: [PATCH 00/13] Fix some issues found by flake8

2018-08-07 Thread William Roberts
On Mon, Aug 6, 2018 at 1:26 PM, Nicolas Iooss  wrote:

> On Mon, Aug 6, 2018 at 5:05 PM, William Roberts
>  wrote:
> >
> > On Sat, Aug 4, 2018 at 12:47 PM, Nicolas Iooss 
> > wrote:
> >>
> >> Hi,
> >>
> >> I have been working on a script which uses flake8 to discover issues in
> >> Python code. This led me to discover several issues which are fixed by
> >> these patches. Distribution maintainers might be interested in
> >> backporting some of them (at least patches 5 and 10 and probably the
> >> ones which fix usage of undefined variables).
> >>
> >> As Travis-CI is experiencing issues today (it fails to launch new
> >> builds), I have not been able to test the integration of my script with
> >> Travis-CI yet. Once it works again I will submit this script too.
> >>
> >> Thanks,
> >> Nicolas
> >>
> >> ---
> >> Here comes the description generated by "git format-patch --cover":
> >>
> >> Nicolas Iooss (13):
> >>   libselinux: fix flake8 warnings in SWIG-generated code
> >>   python/sepolgen: do not import twice the modules
> >>   python/sepolgen: return NotImplemented instead of raising it
> >>   python/sepolicy: drop unused CheckPolicyType
> >>   python/sepolicy: use lowercase variable name
> >>   python/sepolgen: fix refpolicy parsing of "permissive"
> >>
> >>   python/sepolgen: silence linter warning about has_key
> >
> >
> > This is the only one I don't particularly like:
> >>
> >>   python/sepolgen: comment buggy code
> >
> >
> > If we choose to comment out it out, a block comment explaining why would
> be
> > helpful or just delete it if it is dead code.
>
> It feels like this code could be useful if an interface parameter
> ("$1") is used as a permission, which is why I have not deleted it. I
> suggest adding the following comment:
>
> # This function currently ignores parameters which are used in
> permission.
> # The following code has been present for a long time and contains two
> # syntax errors (__param_insert takes 4 arguments and PERM is not
> defined)
> # which proves that it is actually dead code.
> #for perm in av.perms:
> #if access.is_idparam(perm):
> #if __param_insert(perm, PERM) == 1:
> #ret = 1
>
> Does this suit you? By the way, I do not have a strong opinion about
> commenting or deleting it, so I am fine if we choose to remove this
> code instead.
>

I'm all for deleting it. I think we should just do that.


>
> Thanks for your review,
> Nicolas
>
>

Re: [PATCH 00/13] Fix some issues found by flake8

2018-08-06 Thread William Roberts
On Sat, Aug 4, 2018 at 12:47 PM, Nicolas Iooss 
wrote:

> Hi,
>
> I have been working on a script which uses flake8 to discover issues in
> Python code. This led me to discover several issues which are fixed by
> these patches. Distribution maintainers might be interested in
> backporting some of them (at least patches 5 and 10 and probably the
> ones which fix usage of undefined variables).
>
> As Travis-CI is experiencing issues today (it fails to launch new
> builds), I have not been able to test the integration of my script with
> Travis-CI yet. Once it works again I will submit this script too.
>
> Thanks,
> Nicolas
>
> ---
> Here comes the description generated by "git format-patch --cover":
>
> Nicolas Iooss (13):
>   libselinux: fix flake8 warnings in SWIG-generated code
>   python/sepolgen: do not import twice the modules
>   python/sepolgen: return NotImplemented instead of raising it
>   python/sepolicy: drop unused CheckPolicyType
>   python/sepolicy: use lowercase variable name
>   python/sepolgen: fix refpolicy parsing of "permissive"
>
  python/sepolgen: silence linter warning about has_key
>

This is the only one I don't particularly like:

>   python/sepolgen: comment buggy code
>

If we choose to comment it out, a block comment explaining why would be
helpful, or just delete it if it is dead code.

   python/sepolgen: use self when accessing members in FilesystemUse

>   python/sepolicy: fix "procotol" misspelling
>   python/sepolicy: use variables which exists in the gui.py
>   python/sepolicy: do not import sepolicy.generate.DAEMON twice
>   python/sepolicy: do not import types
>
>  libselinux/src/selinuxswig_python.i|  5 +++--
>  python/sepolgen/src/sepolgen/interfaces.py | 10 +-
>  python/sepolgen/src/sepolgen/refparser.py  |  4 ++--
>  python/sepolgen/src/sepolgen/refpolicy.py  |  6 +++---
>  python/sepolgen/src/sepolgen/util.py   |  6 +-
>  python/sepolicy/sepolicy.py| 12 +---
>  python/sepolicy/sepolicy/generate.py   |  1 -
>  python/sepolicy/sepolicy/gui.py| 12 ++--
>  8 files changed, 21 insertions(+), 35 deletions(-)
>
> --
> 2.18.0
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
>

Re: [PATCH 1/1] mcstrans: fix memory leaks reported by clang's static analyzer

2018-07-02 Thread William Roberts
On Mon, Jul 2, 2018 at 11:38 AM, Nicolas Iooss  wrote:
> On Sun, Jul 1, 2018 at 10:51 PM, William Roberts
>  wrote:
>> I see lots of repeating blocks, would it make more sense to goto an
>> error label and free them then return -1?
>
> Both trans_context() and untrans_context() currently define "char
> *ltrans = NULL, *utrans = NULL;" and "char *lrange = NULL, *urange =
> NULL;" in the body of a for loop. Introducing an error label at the
> end of these functions requires moving these definition outside of the
> loop (which could introduce side effects) and introducing the label at
> the end of the loop makes the code less readable, IMHO. I guess this
> could explain why the current code does not use a "goto error" or
> "goto clean" approach and leaks memory where an error occurs.
>
> Anyway, if you are fine with moving the definitions of some variables
> (ltrans and utrans for trans_context(), lrange and urange for
> untrans_context()), I can write, test and send a new patch with a
> "goto error" instead of several free().

This seems fine. I just applied and tested this (finally). Ack.

>
> Thanks for your review,
> Nicolas
>


Re: [PATCH 1/1] restorecond: close the PID file if writing to it failed

2018-07-01 Thread William Roberts
On Sun, Jul 1, 2018 at 7:59 AM, Nicolas Iooss  wrote:
> write_pid_file() leaks a file descriptor to /var/run/restorecond.pid if
> it fails to write the PID to it. Close the file before returning.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  restorecond/restorecond.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
> index 6fbbd35dc1b3..e1d26cb9190d 100644
> --- a/restorecond/restorecond.c
> +++ b/restorecond/restorecond.c
> @@ -105,6 +105,7 @@ static int write_pid_file(void)
> }
> if (write(pidfd, val, (unsigned int)len) != len) {
> syslog(LOG_ERR, "Unable to write to pidfile (%s)", 
> strerror(errno));
> +   close(pidfd);
> return 1;
> }
> close(pidfd);
> --
> 2.17.1
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

ack


Re: [PATCH 1/1] Travis-CI: use new location of refpolicy repository

2018-07-01 Thread William Roberts
On Sun, Jul 1, 2018 at 7:56 AM, Nicolas Iooss  wrote:
> refpolicy moved from github.com/TresysTechnology to
> github.com/SELinuxProject. It is still used in sepolgen tests (they
> build modules using Makefile.devel and build.conf) so update the
> location of the repository.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  .travis.yml | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/.travis.yml b/.travis.yml
> index 823af7ece532..0612eb5480e5 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -65,10 +65,10 @@ addons:
>  install:
># Download refpolicy Makefile for sepolgen tests
>- sudo mkdir -p /usr/share/selinux/default
> -  - sudo curl --retry 10 -o /usr/share/selinux/default/Makefile 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/support/Makefile.devel'
> +  - sudo curl --retry 10 -o /usr/share/selinux/default/Makefile 
> 'https://raw.githubusercontent.com/SELinuxProject/refpolicy/RELEASE_2_20180114/support/Makefile.devel'
>- sudo sed "s,^PREFIX :=.*,PREFIX := $TRAVIS_BUILD_DIR/installdir/usr," -i 
> /usr/share/selinux/default/Makefile
>- sudo mkdir -p /usr/share/selinux/refpolicy/include
> -  - sudo curl --retry 10 -o /usr/share/selinux/refpolicy/include/build.conf 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/build.conf'
> +  - sudo curl --retry 10 -o /usr/share/selinux/refpolicy/include/build.conf 
> 'https://raw.githubusercontent.com/SELinuxProject/refpolicy/RELEASE_2_20180114/build.conf'
>- sudo mkdir -p /etc/selinux
>- echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
>
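Review bot: The two added `curl` lines fetch `Makefile.devel` and `build.conf` by tag name and install them with `sudo`, with no check on what was actually downloaded. A Git tag can be moved after the fact, and without `--fail` curl saves an HTTP error body to the `-o` target and exits 0, so a bad fetch would only show up later when the sepolgen tests run make against that file. I would add `--fail` to both commands and either put a full commit id in the URL (`.../refpolicy/<commit-sha>/support/Makefile.devel`, placeholder) or compare the downloads against recorded digests with `sha256sum -c` before the `sed` step.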
> --
> 2.17.1
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

ack


Re: [PATCH 7/7] libsepol: destroy the copied va_list

2018-05-29 Thread William Roberts
ack

On Sat, May 26, 2018 at 11:42 AM, Nicolas Iooss  wrote:
> va_copy()'s manpage [1] states:
>
> Each invocation of va_copy() must be matched by a corresponding
> invocation of va_end() in the same function.
>
> create_str_helper() is using va_copy() without va_end(). Add the missing
> call.
>
> [1] https://linux.die.net/man/3/va_copy
>
> Signed-off-by: Nicolas Iooss 
> ---
>  libsepol/src/kernel_to_common.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
> index 342bc3c91df9..7c5699c52c95 100644
> --- a/libsepol/src/kernel_to_common.c
> +++ b/libsepol/src/kernel_to_common.c
> @@ -80,10 +80,13 @@ static char *create_str_helper(const char *fmt, int num, 
> va_list vargs)
> goto exit;
> }
>
> +   va_end(vargs2);
> +
> return str;
>
>  exit:
> free(str);
> +   va_end(vargs2);
> return NULL;
>  }
>
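Review bot: The `va_end(vargs2)` added under the `exit:` label runs for every `goto exit` in the function, so it is only valid if `va_copy(vargs2, vargs)` has already executed before the first such jump; calling va_end on a va_list that was never initialised is undefined behaviour. The va_copy call and the earlier part of create_str_helper are outside this hunk, so this has to be checked against the full function. A one-line comment at the label would keep the invariant visible to the next editor: `/* every path to exit comes after va_copy(vargs2, vargs) */`.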
> --
> 2.17.0
>
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.



Re: [PATCH] libsemanage: prevent string overflow on final paths

2018-05-08 Thread William Roberts
On Tue, May 8, 2018 at 7:32 AM, Stephen Smalley  wrote:
> Verify that the final path does not exceed the size of the
> buffer before copying.  This can only occur if an alternate
> path for the policy root and/or the policy store root has been
> specified and if the resulting path would exceed PATH_MAX. A
> similar check is already applied by semanage_make_final().
>
> Signed-off-by: Stephen Smalley 
> ---
>  libsemanage/src/semanage_store.c | 7 ++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/semanage_store.c 
> b/libsemanage/src/semanage_store.c
> index bce648c4..f1984c50 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -1597,7 +1597,12 @@ static int 
> semanage_install_final_tmp(semanage_handle_t * sh)
> /* skip genhomedircon if configured */
> if (sh->conf->disable_genhomedircon &&
> i == SEMANAGE_FC_HOMEDIRS) continue;
> -
> +
> +   if (strlen(dst) >= sizeof(fn)) {
> +   ERR(sh, "Unable to compose the final paths.");
> +   status = -1;
> +   goto cleanup;
> +   }
> strcpy(fn, dst);
> ret = semanage_mkpath(sh, dirname(fn));
> if (ret < 0) {
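Review bot: The added `strlen(dst) >= sizeof(fn)` guard and the `strcpy(fn, dst)` after it are separate statements, so the bound holds only while both are edited together, and only if `fn` is declared as an array in this function (its declaration is outside the hunk; on a pointer, `sizeof` would yield the pointer size). Letting the copy itself carry the bound removes that coupling: `int n = snprintf(fn, sizeof(fn), "%s", dst);` followed by `if (n < 0 || (size_t)n >= sizeof(fn)) { ERR(sh, "Unable to compose the final paths."); status = -1; goto cleanup; }`. The body of semanage_install_final_tmp continues on both sides of this hunk.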
> --
> 2.14.3
>

ack



Re: [PATCH 1/1] libsemanage: always check append_arg return value

2018-04-25 Thread William Roberts
Merged: https://github.com/SELinuxProject/selinux/pull/94

On Mon, Apr 23, 2018 at 9:50 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Sun, Apr 22, 2018 at 12:30 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
>> When split_args() calls append_arg(), the returned value needs to be
>> checked in order to detect memory allocation failure. Checks were
>> missing in two places, which are spotted by clang's static analyzer:
>>
>> semanage_store.c:1352:7: warning: Value stored to 'rc' is never
>> read
>> rc = append_arg(, _args, arg);
>> ^~
>> semanage_store.c:1368:3: warning: Value stored to 'rc' is never read
>> rc = append_arg(, _args, arg);
>> ^~
>>
>> Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
>> ---
>>  libsemanage/src/semanage_store.c | 4 
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libsemanage/src/semanage_store.c 
>> b/libsemanage/src/semanage_store.c
>> index 14ad99c152ad..bce648c46464 100644
>> --- a/libsemanage/src/semanage_store.c
>> +++ b/libsemanage/src/semanage_store.c
>> @@ -1350,6 +1350,8 @@ static char **split_args(const char *arg0, char 
>> *arg_string,
>> if (isspace(*s) && !in_quote && !in_dquote) {
>> if (arg != NULL) {
>> rc = append_arg(, 
>> _args, arg);
>> +   if (rc)
>> +   goto cleanup;
>> free(arg);
>> arg = NULL;
>> }
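Review bot: Both added `if (rc) goto cleanup;` checks (this one inside the loop and the one in the following hunk after the loop) jump past the `free(arg)` on the next line, so on an append_arg failure `arg` is released only if the `cleanup` label does it. That label is outside both hunks; if it frees only the argument vector, the new branches replace an ignored error with a leak of `arg`. Either confirm that `cleanup` frees `arg`, or make the branch safe in both cases with `if (rc) { free(arg); arg = NULL; goto cleanup; }`.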
>> @@ -1366,6 +1368,8 @@ static char **split_args(const char *arg0, char 
>> *arg_string,
>> }
>> if (arg != NULL) {
>> rc = append_arg(, _args, arg);
>> +   if (rc)
>> +   goto cleanup;
>> free(arg);
>> arg = NULL;
>> }
>> --
>> 2.17.0
>>
>>
>
> ack



Re: [PATCH 2/2] sestatus: free process and file contexts which are checked

2018-04-25 Thread William Roberts
Merged: https://github.com/SELinuxProject/selinux/pull/94

On Mon, Apr 23, 2018 at 9:54 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Sun, Apr 22, 2018 at 12:21 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
>> clang's static analyzer reports a potential memory leak because the
>> buffers allocated in pc and fc are not freed in main(), in sestatus.c.
>> Free these buffers properly.
>>
>> Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
>> ---
>>  policycoreutils/sestatus/sestatus.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/policycoreutils/sestatus/sestatus.c 
>> b/policycoreutils/sestatus/sestatus.c
>> index d7f198c2fa0d..9a92e72ff4fd 100644
>> --- a/policycoreutils/sestatus/sestatus.c
>> +++ b/policycoreutils/sestatus/sestatus.c
>> @@ -436,6 +436,7 @@ int main(int argc, char **argv)
>> printf("%s\n", context);
>> freecon(context);
>> }
>> +   free(pc[i]);
>> }
>>
>> printf("\nFile contexts:\n");
>> @@ -478,6 +479,7 @@ int main(int argc, char **argv)
>> freecon(context);
>> }
>> }
>> +   free(fc[i]);
>> }
>>
>> return 0;
>> --
>> 2.17.0
>>
>>
> ack on both patches in this series.



Re: [PATCH] Revert "libselinux: verify file_contexts when using restorecon"

2018-04-25 Thread William Roberts
On Mon, Apr 23, 2018 at 9:55 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Fri, Apr 20, 2018 at 7:17 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> This reverts commit 814631d3aebaa041073a42c677c1ed62ce7830d5.
>> As reported by Petr Lautrbach, this commit changed the behavior
>> of selabel_open() when SELABEL_OPT_VALIDATE is 0, and this would
>> be an API change.
>>
>> Reported-by: Petr Lautrbach <plaut...@redhat.com>
>> Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
>> ---
>>  libselinux/src/label.c  | 7 ---
>>  libselinux/src/label_backends_android.c | 2 +-
>>  libselinux/src/label_file.c | 2 +-
>>  libselinux/src/label_file.h | 2 +-
>>  libselinux/src/label_internal.h | 6 --
>>  libselinux/src/matchpathcon.c   | 5 +++--
>>  6 files changed, 14 insertions(+), 10 deletions(-)
>>
>> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
>> index 591815a7..8d586bda 100644
>> --- a/libselinux/src/label.c
>> +++ b/libselinux/src/label.c
>> @@ -121,11 +121,12 @@ static inline int selabel_is_validate_set(const struct 
>> selinux_opt *opts,
>> return 0;
>>  }
>>
>> -int selabel_validate(struct selabel_lookup_rec *contexts)
>> +int selabel_validate(struct selabel_handle *rec,
>> +struct selabel_lookup_rec *contexts)
>>  {
>> int rc = 0;
>>
>> -   if (contexts->validated)
>> +   if (!rec->validating || contexts->validated)
>> goto out;
>>
>> rc = selinux_validate(>ctx_raw);
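Review bot: With the restored `if (!rec->validating || contexts->validated) goto out;`, selabel_validate() appears to return 0 without calling selinux_validate() whenever the handle was opened without validation (the `out` label is outside the hunk), and nothing at the definition states this. A caller that reads 0 as "the context is valid" would then accept an unchecked label and may go on to apply it. I would document the contract above the function, for example `/* Returns 0 without checking when rec->validating is unset; 0 does not imply the context was validated. */`. The callers in label_backends_android.c and label_file.c shown below already test `rec->validating` themselves, so the check is now done twice on those paths.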
>> @@ -142,7 +143,7 @@ static int selabel_fini(struct selabel_handle *rec,
>> struct selabel_lookup_rec *lr,
>> int translating)
>>  {
>> -   if (compat_validate(lr, rec->spec_file, lr->lineno))
>> +   if (compat_validate(rec, lr, rec->spec_file, lr->lineno))
>> return -1;
>>
>> if (translating && !lr->ctx_trans &&
>> diff --git a/libselinux/src/label_backends_android.c 
>> b/libselinux/src/label_backends_android.c
>> index 49e39ec8..cb8aae26 100644
>> --- a/libselinux/src/label_backends_android.c
>> +++ b/libselinux/src/label_backends_android.c
>> @@ -122,7 +122,7 @@ static int process_line(struct selabel_handle *rec,
>> spec_arr[nspec].lr.ctx_raw = context;
>>
>> if (rec->validating) {
>> -   if (selabel_validate(_arr[nspec].lr) < 0) {
>> +   if (selabel_validate(rec, _arr[nspec].lr) < 0) {
>> selinux_log(SELINUX_ERROR,
>> "%s:  line %u has invalid 
>> context %s\n",
>> path, lineno, 
>> spec_arr[nspec].lr.ctx_raw);
>> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
>> index 169fed70..560d8c3d 100644
>> --- a/libselinux/src/label_file.c
>> +++ b/libselinux/src/label_file.c
>> @@ -328,7 +328,7 @@ end_arch_check:
>> spec->lr.ctx_raw = str_buf;
>>
>> if (strcmp(spec->lr.ctx_raw, "<>") && rec->validating) 
>> {
>> -   if (selabel_validate(>lr) < 0) {
>> +   if (selabel_validate(rec, >lr) < 0) {
>> selinux_log(SELINUX_ERROR,
>> "%s: context %s is invalid\n",
>> path, spec->lr.ctx_raw);
>> diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
>> index 1ab139e9..2fa85474 100644
>> --- a/libselinux/src/label_file.h
>> +++ b/libselinux/src/label_file.h
>> @@ -509,7 +509,7 @@ static inline int process_line(struct selabel_handle 
>> *rec,
>> spec_hasMetaChars(_arr[nspec]);
>>
>> if (strcmp(context, "<>") && rec->validating)
>> -   return compat_validate(_arr[nspec].lr, path, lineno);
>> +   return compat_validate(rec, _arr[nspec].lr, path, 
>> lineno);
>>
>> return 0;
>>  }
>> diff --git a/libselinux/src/label_internal.h 
>> b/libselinux/src/label_internal.h
>> index b0d05882..0e020557 100644
>> --- a/libselinux/src/label_internal.h
>> +++ b/libselinux/src/label_internal.h
>> @@ -112,7 +112,8 @@ struct

Re: [PATCH 2/2] sestatus: free process and file contexts which are checked

2018-04-23 Thread William Roberts
On Sun, Apr 22, 2018 at 12:21 PM, Nicolas Iooss  wrote:
> clang's static analyzer reports a potential memory leak because the
> buffers allocated in pc and fc are not freed in main(), in sestatus.c.
> Free these buffers properly.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  policycoreutils/sestatus/sestatus.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/policycoreutils/sestatus/sestatus.c 
> b/policycoreutils/sestatus/sestatus.c
> index d7f198c2fa0d..9a92e72ff4fd 100644
> --- a/policycoreutils/sestatus/sestatus.c
> +++ b/policycoreutils/sestatus/sestatus.c
> @@ -436,6 +436,7 @@ int main(int argc, char **argv)
> printf("%s\n", context);
> freecon(context);
> }
> +   free(pc[i]);
> }
>
> printf("\nFile contexts:\n");
> @@ -478,6 +479,7 @@ int main(int argc, char **argv)
> freecon(context);
> }
> }
> +   free(fc[i]);
> }
>
> return 0;
> --
> 2.17.0
>
>
ack on both patches in this series.



Re: [PATCH 5/5] libselinux: remove unused variable usercon

2018-04-16 Thread William Roberts
On Mon, Apr 16, 2018 at 5:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 04/13/2018 08:40 PM, William Roberts wrote:
>> In general this series looks fine.
>>
>> However, checkpatch.pl is complaining about DOS line endings in your patches:
>>
>> For example:
>> ERROR: DOS line endings
>> #325: FILE: libselinux/src/label_file.h:281:
>> +^I^Iint alloc_stems = data->alloc_stems * 2 + 16;^M$
>
> If needed, dos2unix can be used to strip them. However, I think git am takes 
> care of this for you.
>

FYI your patches are staged here:
https://github.com/SELinuxProject/selinux/pull/93

If no one nacks them, I'll merge later this week. Thanks.

>>
>>
>>
>>
>>
>> On Fri, Apr 13, 2018 at 1:34 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
>>> In getconlist.c, main() does not use usercon. Remove this variable.
>>>
>>> Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
>>> ---
>>>  libselinux/utils/getconlist.c | 3 +--
>>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>>
>>> diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
>>> index abfe2c742bfb..5ac0ca85075c 100644
>>> --- a/libselinux/utils/getconlist.c
>>> +++ b/libselinux/utils/getconlist.c
>>> @@ -19,7 +19,7 @@ static __attribute__ ((__noreturn__)) void usage(const 
>>> char *name, const char *d
>>>
>>>  int main(int argc, char **argv)
>>>  {
>>> -   char **list, *usercon = NULL, *cur_context = NULL;
>>> +   char **list, *cur_context = NULL;
>>> char *user = NULL, *level = NULL;
>>> int ret, i, opt;
>>>
>>> @@ -69,7 +69,6 @@ int main(int argc, char **argv)
>>> freeconary(list);
>>> }
>>>
>>> -   free(usercon);
>>> free(level);
>>>
>>> return 0;
>>> --
>>> 2.17.0
>>>
>>>
>>
>



Re: [PATCH 5/5] libselinux: remove unused variable usercon

2018-04-13 Thread William Roberts
In general this series looks fine.

However, checkpatch.pl is complaining about DOS line endings in your patches:

For example:
ERROR: DOS line endings
#325: FILE: libselinux/src/label_file.h:281:
+^I^Iint alloc_stems = data->alloc_stems * 2 + 16;^M$





On Fri, Apr 13, 2018 at 1:34 PM, Nicolas Iooss  wrote:
> In getconlist.c, main() does not use usercon. Remove this variable.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  libselinux/utils/getconlist.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
> index abfe2c742bfb..5ac0ca85075c 100644
> --- a/libselinux/utils/getconlist.c
> +++ b/libselinux/utils/getconlist.c
> @@ -19,7 +19,7 @@ static __attribute__ ((__noreturn__)) void usage(const char 
> *name, const char *d
>
>  int main(int argc, char **argv)
>  {
> -   char **list, *usercon = NULL, *cur_context = NULL;
> +   char **list, *cur_context = NULL;
> char *user = NULL, *level = NULL;
> int ret, i, opt;
>
> @@ -69,7 +69,6 @@ int main(int argc, char **argv)
> freeconary(list);
> }
>
> -   free(usercon);
> free(level);
>
> return 0;
> --
> 2.17.0
>
>



Re: [PATCH v3 0/2] restorecon context validation improvement

2018-04-04 Thread William Roberts
On Fri, Mar 30, 2018 at 11:59 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Thu, Mar 29, 2018 at 5:16 PM, Yuli Khodorkovskiy <ykh...@gmail.com> wrote:
>> In permissive, if a bad label is written to a file_context file,
>> restorecon will not verify the label before successfully applying the
>> context. These patches fix validation of labels during restorecon
>> while not breaking current behavior of lazy validation.
>>
>> Changes since V1:
>> - Continue using lazy validation for restorecon that was broken in V1 of
>> the patch.
>> - Add line number tracking for error messages in restorecon.
>>
>> Changes since V2:
>> - Fix compiler error caused by unused variable in selabel_validate()
>>
>> Yuli Khodorkovskiy (2):
>>   libselinux: verify file_contexts when using restorecon
>>   libselinux: echo line number of bad label in selabel_fini()
>>
>>  libselinux/src/label.c  | 7 +++
>>  libselinux/src/label_backends_android.c | 2 +-
>>  libselinux/src/label_file.c | 2 +-
>>  libselinux/src/label_file.h | 3 ++-
>>  libselinux/src/label_internal.h | 7 +++
>>  libselinux/src/matchpathcon.c   | 5 ++---
>>  6 files changed, 12 insertions(+), 14 deletions(-)
>>
>> --
>> 2.14.3
>>
>>
>
> These look good to me and pass all my testing. I have them on
> github passing CI as well:
> https://github.com/SELinuxProject/selinux/pull/90
>
> ack. Unless someone finds an issue, will merge
> on 4/3.

merged. Thank you.



Re: [PATCH v3 0/2] restorecon context validation improvement

2018-03-30 Thread William Roberts
On Thu, Mar 29, 2018 at 5:16 PM, Yuli Khodorkovskiy  wrote:
> In permissive, if a bad label is written to a file_context file,
> restorecon will not verify the label before successfully applying the
> context. These patches fix validation of labels during restorecon
> while not breaking current behavior of lazy validation.
>
> Changes since V1:
> - Continue using lazy validation for restorecon that was broken in V1 of
> the patch.
> - Add line number tracking for error messages in restorecon.
>
> Changes since V2:
> - Fix compiler error caused by unused variable in selabel_validate()
>
> Yuli Khodorkovskiy (2):
>   libselinux: verify file_contexts when using restorecon
>   libselinux: echo line number of bad label in selabel_fini()
>
>  libselinux/src/label.c  | 7 +++
>  libselinux/src/label_backends_android.c | 2 +-
>  libselinux/src/label_file.c | 2 +-
>  libselinux/src/label_file.h | 3 ++-
>  libselinux/src/label_internal.h | 7 +++
>  libselinux/src/matchpathcon.c   | 5 ++---
>  6 files changed, 12 insertions(+), 14 deletions(-)
>
> --
> 2.14.3
>
>

These look good to me and pass all my testing. I have them on
github passing CI as well:
https://github.com/SELinuxProject/selinux/pull/90

ack. Unless someone finds an issue, will merge
on 4/3.



Re: [PATCH v2 1/2] libselinux: verify file_contexts when using restorecon

2018-03-29 Thread William Roberts
On Thu, Mar 29, 2018 at 5:37 AM, Stephen Smalley  wrote:
> On 03/28/2018 11:40 PM, Yuli Khodorkovskiy wrote:
>> In permissive mode, calling restorecon with a bad label in file_contexts
>> does not verify the label's existence in the loaded policy. This
>> results in any label successfully applying to a file, as long as the
>> file exists.
>>
>> This issue has two assumptions:
>>
>> 1) file_contexts must be manually updated with the invalid label.
>> Running `semanage fcontext` will error when attempting to add
>> an invalid label to file_contexts.
>> 2) the system must be in permissive. Although applying an invalid label
>> in enforcing gives an error and fails, successfully labeling a file with a
>> bad label could cause issues during policy development in permissive.
>>
>> Instead, as each context is used, verify it is valid before blindly
>> applying the label. If an error with validation occurs in restorecon,
>> application of remaining valid labels will be uninterrupted as before.
>>
>> Signed-off-by: Yuli Khodorkovskiy 
>> ---
>>  libselinux/src/label.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
>> index 48f4d2d6..e642a97b 100644
>> --- a/libselinux/src/label.c
>> +++ b/libselinux/src/label.c
>> @@ -126,7 +126,7 @@ int selabel_validate(struct selabel_handle *rec,
>>  {
>>   int rc = 0;
>>
>> - if (!rec->validating || contexts->validated)
>> + if (contexts->validated)
>>   goto out;
>>
>>   rc = selinux_validate(>ctx_raw);
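Review bot: With `!rec->validating` removed from the guard, `contexts->validated` is the only condition left that keeps selabel_validate() from calling selinux_validate(), so every context that reaches this function is now checked on first use regardless of how the handle was opened. The callers are not in the hunk, so it is unclear whether any consumer relied on being able to skip validation; presumably this is the intended restorecon behaviour, but it applies to every path into this function. I would state the new contract above the check, e.g. `/* Validate lazily on first use, independent of the handle's validating flag. */`. selabel_validate() continues past the end of the hunk.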
>>
>
> label.c: In function ‘selabel_validate’:
> label.c:124:45: error: unused parameter ‘rec’ [-Werror=unused-parameter]
>  int selabel_validate(struct selabel_handle *rec,
>  ^~~
> Need to drop the rec argument to selabel_validate() since it is no longer 
> used.

I figured with -Wall -Werror we would be good. For some reason, I
can't reproduce with my
ancient version of gcc. gcc versions 5 and above properly report this. Weird.




Re: [PATCH v2 0/2] restorecon context validation improvement

2018-03-28 Thread William Roberts
On Wed, Mar 28, 2018 at 8:40 PM, Yuli Khodorkovskiy  wrote:
> In permissive, if a bad label is written to a file_context file,
> restorecon will not verify the label before successfully applying the
> context. These patches fix validation of labels during restorecon
> while not breaking current behavior of lazy validation.
>
> Yuli Khodorkovskiy (2):
>   libselinux: verify file_contexts when using restorecon
>   libselinux: echo line number of bad label in selabel_fini()
>
>  libselinux/src/label.c  | 4 ++--
>  libselinux/src/label_file.h | 1 +
>  libselinux/src/label_internal.h | 1 +
>  3 files changed, 4 insertions(+), 2 deletions(-)
>
> --
> 2.14.3
>
>

ack, LGTM.



Re: [PATCH] libsemanage/direct_api.c: Fix iterating over array

2018-03-19 Thread William Roberts
On Mon, Mar 19, 2018 at 8:19 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Mon, Mar 19, 2018 at 7:46 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>> Fix sizeof calculation in array iteration introduced by commit
>> 6bb8282c4cf66e93daa9684dbe9c75bb6b1e09a7
>> "libsemanage: replace access() checks to make setuid programs work"
>>
>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>> ---
>>  libsemanage/src/direct_api.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index 439122df..e7ec952f 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -60,6 +60,7 @@
>>
>>  #define PIPE_READ 0
>>  #define PIPE_WRITE 1
>> +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
>>
>>  static void semanage_direct_destroy(semanage_handle_t * sh);
>>  static int semanage_direct_disconnect(semanage_handle_t * sh);
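Review bot: The added `ARRAY_SIZE` macro gives a wrong count with no diagnostic if it is ever applied to a pointer or to an array function parameter, which is the same class of mistake as the `sizeof(files)` bound this patch corrects in the second hunk. A one-line comment on the definition would make the constraint explicit: `/* x must be an array object, not a pointer or array parameter */`. In the loop itself `files` is a local array, as far as the context lines show, so the use added by this patch is fine.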
>> @@ -1332,7 +1333,7 @@ static int semanage_direct_commit(semanage_handle_t * 
>> sh)
>>SEMANAGE_SEUSERS_LINKED,
>>SEMANAGE_USERS_EXTRA_LINKED};
>>
>> -   for (i = 0; i < (int) sizeof(files); i++) {
>> +   for (i = 0; i < (int) ARRAY_SIZE(files); i++) {
>> path = semanage_path(SEMANAGE_TMP, files[i]);
>> if (stat(path, ) != 0) {
>> if (errno != ENOENT) {
>> --
>> 2.14.3
>>
>>
> ack

Thanks, merged:
https://github.com/SELinuxProject/selinux/pull/87

>
> Just noticing: that code has i as an int, which should probably be size_t,
> and the files array is an array of ints; it should probably use the
> enum type.



Re: [PATCH v3] Resolve conflicts in expandattribute.

2018-03-16 Thread William Roberts
On Fri, Mar 16, 2018 at 11:17 AM, Jeffrey Vander Stoep <je...@google.com> wrote:
> On Fri, Mar 16, 2018 at 11:11 AM, Tri Vo <tr...@android.com> wrote:
>> This commit resolves conflicts in values of expandattribute statements
>> in policy language and expandtypeattribute in CIL.
>>
>> For example, these statements resolve to false in policy language:
>>  expandattribute hal_audio true;
>>  expandattribute hal_audio false;
>>
>> Similarly, in CIL these also resolve to false.
>>  (expandtypeattribute (hal_audio) true)
>>  (expandtypeattribute (hal_audio) false)
>>
>> A warning will be issued on this conflict.
>>
>> Motivation
>> When Android combines multiple .cil files from system.img and vendor.img
>> it's possible to have conflicting expandattribute statements.
>>
>> This change deals with this scenario by resolving the value of the
>> corresponding expandtypeattribute to false. The rationale behind this
>> override is that true is used to reduce run-time lookups, while
>> false is used for tests which must pass.
>>
>> Signed-off-by: Tri Vo <tr...@android.com>
>
> Acked-by: Jeff Vander Stoep <je...@google.com>

Acked-by: William Roberts <william.c.robe...@intel.com>

Jeff are you going to merge this?

>
>> ---
>>  checkpolicy/policy_define.c| 10 ++
>>  libsepol/cil/src/cil_resolve_ast.c | 21 ++---
>>  2 files changed, 12 insertions(+), 19 deletions(-)
>>
>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>> index 2c5db55d..40cc62b0 100644
>> --- a/checkpolicy/policy_define.c
>> +++ b/checkpolicy/policy_define.c
>> @@ -1182,10 +1182,6 @@ int expand_attrib(void)
>> goto exit;
>> }
>>
>> -   if (attr->flags & TYPE_FLAGS_EXPAND_ATTR) {
>> -   yyerror2("%s already has the expandattribute option 
>> specified", id);
>> -   goto exit;
>> -   }
>> if (ebitmap_set_bit(, attr->s.value - 1, TRUE)) {
>> yyerror("Out of memory!");
>> goto exit;
>> @@ -1213,6 +1209,12 @@ int expand_attrib(void)
>> attr = hashtab_search(policydbp->p_types.table,
>> policydbp->sym_val_to_name[SYM_TYPES][i]);
>> attr->flags |= flags;
>> +   if ((attr->flags & TYPE_FLAGS_EXPAND_ATTR_TRUE) &&
>> +   (attr->flags & 
>> TYPE_FLAGS_EXPAND_ATTR_FALSE)) {
>> +   yywarn("Expandattribute option was set to both true 
>> and false. "
>> +   "Resolving to false.");
>> +   attr->flags &= ~TYPE_FLAGS_EXPAND_ATTR_TRUE;
>> +   }
>> }
>>
>> rc = 0;
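Review bot: The `yywarn()` text added in this hunk does not say which attribute had conflicting settings, whereas the CIL warning in the same patch prints `attr->datum.name`. The name is already available at this point as `policydbp->sym_val_to_name[SYM_TYPES][i]`, so the warning could include it and let a policy author find the offending statements without bisecting the policy. yywarn()'s signature is not visible in the hunk; if it accepts only a fixed string, the message would have to be formatted into a local buffer first. expand_attrib() starts and ends outside the hunk.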
>> diff --git a/libsepol/cil/src/cil_resolve_ast.c 
>> b/libsepol/cil/src/cil_resolve_ast.c
>> index d1a5ed87..02259241 100644
>> --- a/libsepol/cil/src/cil_resolve_ast.c
>> +++ b/libsepol/cil/src/cil_resolve_ast.c
>> @@ -269,9 +269,8 @@ exit:
>> return rc;
>>  }
>>
>> -int cil_type_used(struct cil_symtab_datum *datum, int used)
>> +void cil_type_used(struct cil_symtab_datum *datum, int used)
>>  {
>> -   int rc = SEPOL_ERR;
>> struct cil_typeattribute *attr = NULL;
>>
>> if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
>> @@ -279,16 +278,12 @@ int cil_type_used(struct cil_symtab_datum *datum, int 
>> used)
>> attr->used |= used;
>> if ((attr->used & CIL_ATTR_EXPAND_TRUE) &&
>> (attr->used & CIL_ATTR_EXPAND_FALSE)) {
>> -   cil_log(CIL_ERR, "Conflicting use of 
>> expandtypeattribute. "
>> -   "Expandtypeattribute may be set to 
>> true or false "
>> -   "but not both. \n");
>> -   goto exit;
>> +   cil_log(CIL_WARN, "Conflicting use of 
>> expandtypeattribute. "
>> +   "Expandtypeattribute was set to both 
>> true or false for %s. "
>> +   "Resolving to false. \n", 
>> attr->datum.name);
>> +   attr->used &= ~CIL_ATTR_E

Re: [PATCH v2] Resolve conflicts in expandattribute.

2018-03-16 Thread William Roberts
On Thu, Mar 15, 2018 at 8:16 PM, Tri Vo  wrote:
> This commit resolves conflicts in values of expandattribute statements
> in policy language and expandtypeattribute in CIL.
>
> For example, these statements resolve to false in policy language:
>  expandattribute hal_audio true;
>  expandattribute hal_audio false;
>
> Similarly, in CIL these also resolve to false.
>  (expandtypeattribute (hal_audio) true)
>  (expandtypeattribute (hal_audio) false)
>
> Motivation
> When Android combines multiple .cil files from system.img and vendor.img
> it's possible to have conflicting expandattribute statements.
>
> This change deals with this scenario by resolving the value of the
> corresponding expandtypeattribute to false. The rationale behind this
> override is that true is used to reduce run-time lookups, while
> false is used for tests which must pass.
>
> Signed-off-by: Tri Vo 
> ---
>  checkpolicy/policy_define.c|  8 
>  libsepol/cil/src/cil_resolve_ast.c | 21 ++---
>  2 files changed, 10 insertions(+), 19 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 2c5db55d..1e632ef7 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1182,10 +1182,6 @@ int expand_attrib(void)
> goto exit;
> }
>
> -   if (attr->flags & TYPE_FLAGS_EXPAND_ATTR) {
> -   yyerror2("%s already has the expandattribute option 
> specified", id);
> -   goto exit;
> -   }
> if (ebitmap_set_bit(, attr->s.value - 1, TRUE)) {
> yyerror("Out of memory!");
> goto exit;
> @@ -1213,6 +1209,10 @@ int expand_attrib(void)
> attr = hashtab_search(policydbp->p_types.table,
> policydbp->sym_val_to_name[SYM_TYPES][i]);
> attr->flags |= flags;

I'd like to see a comment here. The CIL case is much easier to understand
because the error messages contain information about what's going on.

Maybe something like:
/*
 * if an expandattr rule conflicts, set the expandattr to false. False always
 * works, at the expense of performance for run-time attribute resolution.
 */

> +   if ((attr->flags & TYPE_FLAGS_EXPAND_ATTR_TRUE) &&
> +   (attr->flags & TYPE_FLAGS_EXPAND_ATTR_FALSE)) 
> {
> +   attr->flags &= ~TYPE_FLAGS_EXPAND_ATTR_TRUE;
> +   }
> }
>
> rc = 0;
> diff --git a/libsepol/cil/src/cil_resolve_ast.c 
> b/libsepol/cil/src/cil_resolve_ast.c
> index d1a5ed87..02259241 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -269,9 +269,8 @@ exit:
> return rc;
>  }
>
> -int cil_type_used(struct cil_symtab_datum *datum, int used)
> +void cil_type_used(struct cil_symtab_datum *datum, int used)
>  {
> -   int rc = SEPOL_ERR;
> struct cil_typeattribute *attr = NULL;
>
> if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
> @@ -279,16 +278,12 @@ int cil_type_used(struct cil_symtab_datum *datum, int 
> used)
> attr->used |= used;
> if ((attr->used & CIL_ATTR_EXPAND_TRUE) &&
> (attr->used & CIL_ATTR_EXPAND_FALSE)) {
> -   cil_log(CIL_ERR, "Conflicting use of 
> expandtypeattribute. "
> -   "Expandtypeattribute may be set to 
> true or false "
> -   "but not both. \n");
> -   goto exit;
> +   cil_log(CIL_WARN, "Conflicting use of 
> expandtypeattribute. "
> +   "Expandtypeattribute was set to both 
> true or false for %s. "
> +   "Resolving to false. \n", 
> attr->datum.name);
> +   attr->used &= ~CIL_ATTR_EXPAND_TRUE;
> }
> }
> -
> -   return SEPOL_OK;
> -exit:
> -   return rc;
>  }
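Review bot: The new CIL_WARN text says the attribute "was set to both true or false", which reads as a contradiction in a message whose purpose is to explain a conflict. The line should be `"Expandtypeattribute was set to both true and false for %s. "`. The final fragment `"Resolving to false. \n"` also carries a space before the newline that could be dropped while the string is being touched. The same wording appears in the other postings of this patch quoted on the page.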
>
>  int cil_resolve_permissionx(struct cil_tree_node *current, struct 
> cil_permissionx *permx, void *extra_args)
> @@ -488,11 +483,7 @@ int cil_resolve_expandtypeattribute(struct cil_tree_node 
> *current, void *extra_a
> goto exit;
> }
> used = expandattr->expand ? CIL_ATTR_EXPAND_TRUE : 
> CIL_ATTR_EXPAND_FALSE;
> -   rc = cil_type_used(attr_datum, used);
> -   if (rc != SEPOL_OK) {
> -   goto exit;
> -   }
> -
> +   cil_type_used(attr_datum, used);
> cil_list_append(expandattr->attr_datums, CIL_TYPE, 
> attr_datum);
> }
>
> --
> 2.16.2.804.g6dcf76e118-goog
>

Overall this looks good, just add that comment.
We'll see if anyone else has more feedback.



Re: [PATCH] libsepol: Export sepol_polcap_getnum/name functions

2018-03-15 Thread William Roberts
merged:
https://github.com/SELinuxProject/selinux/pull/85


On Thu, Mar 15, 2018 at 11:31 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Thu, Mar 15, 2018 at 11:01 AM, jwcart2 <jwca...@tycho.nsa.gov> wrote:
>> On 03/08/2018 03:19 PM, Stephen Smalley wrote:
>>>
>>> Export the sepol_polcap_getnum/name() functions to users of
>>> the shared library.  This will enable SETools to stop depending
>>> on the static library.
>>>
>>> Note that we may want to move polcaps.h up one level since
>>> the convention is that headers directly under include/sepol are
>>> shared library APIs while headers under include/sepol/policydb
>>> are limited to static users.  However, this will unnecessarily
>>> break the build for existing static users so it is deferred.
>>>
>>> Suggested-by: Chris PeBenito <peben...@ieee.org>
>>> Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
>>
>>
>> Acked-by: James Carter <jwca...@tycho.nsa.gov>
>>
>>> ---
>>>   libsepol/src/libsepol.map.in | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
>>> index 2a9996f7..d879016c 100644
>>> --- a/libsepol/src/libsepol.map.in
>>> +++ b/libsepol/src/libsepol.map.in
>>> @@ -56,4 +56,6 @@ LIBSEPOL_1.1 {
>>> sepol_module_policydb_to_cil;
>>> sepol_kernel_policydb_to_cil;
>>> sepol_kernel_policydb_to_conf;
>>> +   sepol_polcap_getnum;
>>> +   sepol_polcap_getname;
>>>   } LIBSEPOL_1.0;
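Review bot: The two new exports are added to the existing `LIBSEPOL_1.1` node instead of a new version node that inherits from it. Whether LIBSEPOL_1.1 has already shipped in a release is not visible here; if it has, a program linked against the new library will require only that node, load successfully against an older libsepol that also provides LIBSEPOL_1.1, and then fail at symbol resolution for `sepol_polcap_getnum` or `sepol_polcap_getname`. Putting the additions in a fresh node chained after LIBSEPOL_1.1 would make the dependency explicit and let the loader and package tooling reject the mismatch up front. The same hunk is quoted again in the earlier message of this thread.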
>>>
> Acked-by: William Roberts <william.c.robe...@intel.com>



Re: [PATCH] libsepol: Export sepol_polcap_getnum/name functions

2018-03-15 Thread William Roberts
On Thu, Mar 15, 2018 at 11:01 AM, jwcart2 <jwca...@tycho.nsa.gov> wrote:
> On 03/08/2018 03:19 PM, Stephen Smalley wrote:
>>
>> Export the sepol_polcap_getnum/name() functions to users of
>> the shared library.  This will enable SETools to stop depending
>> on the static library.
>>
>> Note that we may want to move polcaps.h up one level since
>> the convention is that headers directly under include/sepol are
>> shared library APIs while headers under include/sepol/policydb
>> are limited to static users.  However, this will unnecessarily
>> break the build for existing static users so it is deferred.
>>
>> Suggested-by: Chris PeBenito <peben...@ieee.org>
>> Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
>
>
> Acked-by: James Carter <jwca...@tycho.nsa.gov>
>
>> ---
>>   libsepol/src/libsepol.map.in | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
>> index 2a9996f7..d879016c 100644
>> --- a/libsepol/src/libsepol.map.in
>> +++ b/libsepol/src/libsepol.map.in
>> @@ -56,4 +56,6 @@ LIBSEPOL_1.1 {
>> sepol_module_policydb_to_cil;
>> sepol_kernel_policydb_to_cil;
>> sepol_kernel_policydb_to_conf;
>> +   sepol_polcap_getnum;
>> +   sepol_polcap_getname;
>>   } LIBSEPOL_1.0;
>>
Acked-by: William Roberts <william.c.robe...@intel.com>



Re: [PATCH] secilc: resolve conflicts in expandattribute.

2018-03-14 Thread William Roberts
On Wed, Mar 14, 2018 at 3:17 PM, Tri Vo  wrote:
> When Android combines multiple .cil files from system.img and vendor.img
> it's possible to have conflicting expandattribute statements, e.g.
>  expandattribute hal_audio true;
>  expandattribute hal_audio false;

Isn't this the policy.conf version? I thought cil files had:
expandtypeattribute, am I wrong here?

>
> This change deals with this scenario by resolving the value of the
> corresponding expandattribute to false. The rationale behind this
> override is that true is used to reduce run-time lookups, while
> false is used for tests which must pass.

So in a conflict, it's always forced to false, which prevents expansion.
That seems reasonable. I would imagine this should also update some
document somewhere that describes this behavior, does one exist?
I couldn't find anything, but not sure if it's on some external webpage.
Stephen do you know?

> ---
>  libsepol/cil/src/cil_resolve_ast.c | 12 
>  1 file changed, 4 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c 
> b/libsepol/cil/src/cil_resolve_ast.c
> index d1a5ed87..5c66f663 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -271,7 +271,6 @@ exit:
>
>  int cil_type_used(struct cil_symtab_datum *datum, int used)
>  {
> -   int rc = SEPOL_ERR;
> struct cil_typeattribute *attr = NULL;
>
> if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
> @@ -279,16 +278,13 @@ int cil_type_used(struct cil_symtab_datum *datum, int 
> used)
> attr->used |= used;
> if ((attr->used & CIL_ATTR_EXPAND_TRUE) &&
> (attr->used & CIL_ATTR_EXPAND_FALSE)) {
> -   cil_log(CIL_ERR, "Conflicting use of 
> expandtypeattribute. "
> -   "Expandtypeattribute may be set to 
> true or false "
> -   "but not both. \n");
> -   goto exit;
> +   cil_log(CIL_WARN, "Conflicting use of 
> expandtypeattribute. "
> +   "Expandtypeattribute was set to both 
> true or false for %s. "
> +   "Resolving to false. \n", 
> attr->datum.name);
> +   attr->used ^= CIL_ATTR_EXPAND_TRUE;

Sure, this saves an operation, but:

attr->used &= ~CIL_ATTR_EXPAND_TRUE;

Is less fragile and the usual unset idiom. I won't request this changed unless
either you agree or someone else has the same opinion as me.

One could always argue that conditional code that relies on the entry
condition is the whole
point of conditional code :-P

> }
> }
> -
> return SEPOL_OK;
> -exit:
> -   return rc;
>  }
>
>  int cil_resolve_permissionx(struct cil_tree_node *current, struct 
> cil_permissionx *permx, void *extra_args)
> --
> 2.16.2.804.g6dcf76e118-goog
>
>



Re: Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 11:39 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 02/28/2018 02:26 PM, William Roberts wrote:
>> So peeking through the code base, I see:
>>
>> int semanage_direct_is_managed(semanage_handle_t * sh)
>> {
>> if (semanage_check_init(sh, sh->conf->store_root_path))
>> goto err;
>>
>> if (semanage_access_check(sh) < 0)
>> return 0;
>>
>> return 1;
>>
>>   err:
>> ERR(sh, "could not check whether policy is managed");
>> return STATUS_ERR;
>> }
>>
>> Which semanage_access_check eventually gets down to a raw access check.
>>
>> Which is only ever used in test_fcontext
>>
>> semanage_access_check is also the only consumer of 
>> semanage_direct_access_check
>>
>> which is the semanage_store_access_check is only consumed by the
>> former and test case and
>> the same could be said for semanage_store_access_check
>>
>> I think this is a good time to roll in patch 4 and drop everything
>> relying on semanage_store_access_check.
>>
>> Thoughts?
>
> semanage_access_check() is part of the shared library ABI. Can't be
> removed.  Used by seobject.py via the python bindings.  At most, we can
> kill all internal users but the ABI has to remain.

Ahh yes, duh.

Outside of just killing off internal users of it, should we modify it
to not use access?
So it at least works under setuid?

>
>>
>> On Wed, Feb 28, 2018 at 11:07 AM, William Roberts
>> <bill.c.robe...@gmail.com> wrote:
>>> On Wed, Feb 28, 2018 at 10:43 AM, Stephen Smalley <s...@tycho.nsa.gov> 
>>> wrote:
>>>> On 02/28/2018 01:24 PM, William Roberts wrote:
>>>>> Where is patch 2/2, I have yet to see it?
>>>>>
>>>>> Did something get screwy and is it: [PATCH] libsemanage: Improve
>>>>> warning for installing disabled module
>>>>
>>>> No, 2/3 was a separate patch and had the 2/3 in the subject line.
>>>> I received all three from the list, both locally and on my gmail.
>>>>
>>>
>>> Thanks gmail for folding the patch 1/3 and 2/3 into the same "conversation" 
>>> or
>>> whatever it does.
>>>
>>>
>>>>>
>>>>>
>>>>> On Wed, Feb 28, 2018 at 9:50 AM, William Roberts
>>>>> <bill.c.robe...@gmail.com> wrote:
>>>>>> On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>>>>>>> access() uses real UID instead of effective UID which causes false
>>>>>>> negative checks in setuid programs.
>>>>>>> Replace access(,F_OK) (i.e. tests for file existence) by stat().
>>>>>>> And access(,R_OK) by fopen(,"r")
>>>>>>>
>>>>>>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>>>>>>>
>>>>>>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>>>>>>> ---
>>>>>>>  libsemanage/src/direct_api.c | 132 
>>>>>>> +--
>>>>>>>  libsemanage/src/semanage_store.c |  14 -
>>>>>>>  2 files changed, 98 insertions(+), 48 deletions(-)
>>>>>>>
>>>>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>>>>> index f4d57cf8..d42a51cd 100644
>>>>>>> --- a/libsemanage/src/direct_api.c
>>>>>>> +++ b/libsemanage/src/direct_api.c
>>>>>>> @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * 
>>>>>>> sh)
>>>>>>>  int semanage_direct_connect(semanage_handle_t * sh)
>>>>>>>  {
>>>>>>> const char *path;
>>>>>>> +   struct stat sb;
>>>>>>>
>>>>>>> if (semanage_check_init(sh, sh->conf->store_root_path))
>>>>>>> goto err;
>>>>>>> @@ -302,10 +303,17 @@ int semanage_direct_connect(semanage_handle_t * 
>>>>>>> sh)
>>>>>>>
>>>>>>> /* set the disable dontaudit value */
>>>>>>> path = semanage_path(SEMANAGE_ACTIVE, 
>>>>>>> SEMANAGE_DISABLE_DONTAUDIT);
>>>>>>> -   if (access(path, F_OK) == 0)
>>>>>>> +
>>>>>>> +   if

Re: [PATCH] libsemanage: Improve warning for installing disabled module

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 9:44 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Wed, Feb 28, 2018 at 4:12 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>> Resolves: rhbz#1337199
>>
>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>> ---
>>  libsemanage/src/direct_api.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index 88873c43..9c305c75 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -2797,7 +2797,7 @@ static int 
>> semanage_direct_install_info(semanage_handle_t *sh,
>> if (higher_info->enabled == 0 && modinfo->enabled == -1) {
>> errno = 0;
>> WARN(sh,
>> -"%s module will be disabled after install due 
>> to default enabled status.",
>> +"%s module will be disabled after install as 
>> there is a disabled instance of this module present in the system.",
>>  modinfo->name);
>> }
>> }
>> --
>> 2.14.3
>>
>>
>
> ack

merged: https://github.com/SELinuxProject/selinux/pull/82



Re: [PATCH 2/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 10:26 AM, Stephen Smalley  wrote:
> On 02/28/2018 05:15 AM, Vit Mojzis wrote:
>> F_OK access checks only work properly as long as all directories along
>> the path are accessible to real user running the program.
>> Replace F_OK access checks by testing return value of open, write, etc.
>>
>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>>
>> Signed-off-by: Vit Mojzis 
>> ---
>>  libsemanage/src/direct_api.c | 39 +++
>>  1 file changed, 15 insertions(+), 24 deletions(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index b7899d68..f4d57cf8 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -1563,34 +1563,25 @@ rebuild:
>>   goto cleanup;
>>   }
>>
>> - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
>> - if (access(path, F_OK) == 0) {
>> - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_FC_LOCAL),
>> - 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
>> - sh->conf->file_mode);
>> - if (retval < 0) {
>> - goto cleanup;
>> - }
>> + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_FC_LOCAL),
>> + 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
>> + sh->conf->file_mode);
>> + if (retval < 0 && errno != ENOENT) {
>> + goto cleanup;
>>   }
>>
>> - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
>> - if (access(path, F_OK) == 0) {
>> - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_FC),
>> - 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
>> - sh->conf->file_mode);
>> - if (retval < 0) {
>> - goto cleanup;
>> - }
>> + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_FC),
>> + 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
>> + sh->conf->file_mode);
>> + if (retval < 0 && errno != ENOENT) {
>> + goto cleanup;
>>   }
>>
>> - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
>> - if (access(path, F_OK) == 0) {
>> - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_SEUSERS),
>> - 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
>> - sh->conf->file_mode);
>> - if (retval < 0) {
>> - goto cleanup;
>> - }
>> + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
>> SEMANAGE_STORE_SEUSERS),
>> + 
>> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
>> + sh->conf->file_mode);
>> + if (retval < 0 && errno != ENOENT) {
>> + goto cleanup;
>>   }
>
> I think we need to clear retval here to ensure that we don't later
> misinterpret a negative retval as an error.  Otherwise, if
> disable_genhomedircon && !do_install, we'll fall through to the end of
> the function without ever setting retval again, so the mere absence of a
> seusers file will cause a fatal error from semanage_direct_commit.
>

That's spot on. That is precisely what happens. In the case retval is
-1 and errno IS
ENOENT, retval needs to be set to 0.

Maybe just make a static helper so this way you don't have to even
worry about errno here:

static int copy_file(...) {
   int rc = semanage_copy_file(...);
   return !(rc < 0 && errno != ENOENT);
}

It would make that main code simpler to read and then retval should be
0 on ENOENT case.

>>
>>   /* run genhomedircon if its enabled, this should be the last operation
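Review bot: The three `retval < 0 && errno != ENOENT` tests treat any ENOENT from semanage_copy_file() as "optional source file absent", but the helper's body is not in the hunk, so the same errno could presumably also come from the destination side (for example a missing directory under the final tmp path) and would then be ignored as well. The tests also depend on errno not being overwritten by cleanup calls inside the helper before it returns. I would have the copy step report a missing source distinctly, or at least record the assumption next to the first test: `/* ENOENT: optional source file not present; semanage_copy_file() must preserve errno */`. The enclosing function starts and ends outside the hunk.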



-- 
Respectfully,

William C Roberts



Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
So peeking through the code base, I see:

int semanage_direct_is_managed(semanage_handle_t * sh)
{
if (semanage_check_init(sh, sh->conf->store_root_path))
goto err;

if (semanage_access_check(sh) < 0)
return 0;

return 1;

  err:
ERR(sh, "could not check whether policy is managed");
return STATUS_ERR;
}

Which semanage_access_check eventually gets down to a raw access check.

Which is only ever used in test_fcontext

semanage_access_check is also the only consumer of semanage_direct_access_check

which is the semanage_store_access_check is only consumed by the
former and test case and
the same could be said for semanage_store_access_check

I think this is a good time to roll in patch 4 and drop everything
relying on semanage_store_access_check.

Thoughts?

On Wed, Feb 28, 2018 at 11:07 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Wed, Feb 28, 2018 at 10:43 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 02/28/2018 01:24 PM, William Roberts wrote:
>>> Where is patch 2/2, I have yet to see it?
>>>
>>> Did something get screwy and is it: [PATCH] libsemanage: Improve
>>> warning for installing disabled module
>>
>> No, 2/3 was a separate patch and had the 2/3 in the subject line.
>> I received all three from the list, both locally and on my gmail.
>>
>
> Thanks gmail for folding the patch 1/3 and 2/3 into the same "conversation" or
> whatever it does.
>
>
>>>
>>>
>>> On Wed, Feb 28, 2018 at 9:50 AM, William Roberts
>>> <bill.c.robe...@gmail.com> wrote:
>>>> On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>>>>> access() uses real UID instead of effective UID which causes false
>>>>> negative checks in setuid programs.
>>>>> Replace access(,F_OK) (i.e. tests for file existence) by stat().
>>>>> And access(,R_OK) by fopen(,"r")
>>>>>
>>>>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>>>>>
>>>>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>>>>> ---
>>>>>  libsemanage/src/direct_api.c | 132 
>>>>> +--
>>>>>  libsemanage/src/semanage_store.c |  14 -
>>>>>  2 files changed, 98 insertions(+), 48 deletions(-)
>>>>>
>>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>>> index f4d57cf8..d42a51cd 100644
>>>>> --- a/libsemanage/src/direct_api.c
>>>>> +++ b/libsemanage/src/direct_api.c
>>>>> @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
>>>>>  int semanage_direct_connect(semanage_handle_t * sh)
>>>>>  {
>>>>> const char *path;
>>>>> +   struct stat sb;
>>>>>
>>>>> if (semanage_check_init(sh, sh->conf->store_root_path))
>>>>> goto err;
>>>>> @@ -302,10 +303,17 @@ int semanage_direct_connect(semanage_handle_t * sh)
>>>>>
>>>>> /* set the disable dontaudit value */
>>>>> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT);
>>>>> -   if (access(path, F_OK) == 0)
>>>>> +
>>>>> +   if (stat(path, ) == 0)
>>>>> sepol_set_disable_dontaudit(sh->sepolh, 1);
>>>>> -   else
>>>>> +   else {
>>>>> +   if (errno != ENOENT) {
>>>>> +   ERR(sh, "Unable to access %s: %s\n", path, 
>>>>> strerror(errno));
>>>>> +   goto err;
>>>>> +   }
>>>>> +
>>>>> sepol_set_disable_dontaudit(sh->sepolh, 0);
>>>>> +   }
>>>>>
>>>>> return STATUS_SUCCESS;
>>>>>
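Review bot: The `ERR()` format string added in this hunk ends in `\n`, while the other `ERR()` calls quoted in this thread (for example `"Could not access lock file at %s."`) carry no newline, so this message will probably be followed by an empty line in the log. Suggest `ERR(sh, "Unable to access %s: %s", path, strerror(errno));` here and in the other `ERR()` calls this patch adds in `semanage_compile_hll_modules()` and `semanage_direct_commit()`. `semanage_direct_connect()` begins and ends outside the hunk.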
>>>>> @@ -1139,6 +1147,7 @@ static int 
>>>>> semanage_compile_hll_modules(semanage_handle_t *sh,
>>>>> int status = 0;
>>>>> int i;
>>>>> char cil_path[PATH_MAX];
>>>>> +   struct stat sb;
>>>>>
>>>>> assert(sh);
>>>>> assert(modinfos);
>>>>> @@ -1155,9 +1164,13 @@ static int 
>>>>> semanage_compile_hll_modules(semanage_handle_t *sh,
>>>>> }
>>>>>
>>>>&g

Re: [PATCH 1/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis  wrote:
> access() uses real UID instead of effective UID which causes false
> negative checks in setuid programs. Remove redundant access() checks
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>
> Signed-off-by: Vit Mojzis 
> ---
>  libsemanage/src/direct_api.c |  7 ---
>  libsemanage/src/semanage_store.c | 17 -
>  2 files changed, 8 insertions(+), 16 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 88873c43..b7899d68 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
> if (semanage_create_store(sh, 1))
> goto err;
>
> -   if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
> -   goto err;
> -
> sh->u.direct.translock_file_fd = -1;
> sh->u.direct.activelock_file_fd = -1;
>
> @@ -398,10 +395,6 @@ static int semanage_direct_disconnect(semanage_handle_t 
> *sh)
>
>  static int semanage_direct_begintrans(semanage_handle_t * sh)
>  {
> -
> -   if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
> -   return -1;
> -   }
> if (semanage_get_trans_lock(sh) < 0) {
> return -1;
> }
> diff --git a/libsemanage/src/semanage_store.c 
> b/libsemanage/src/semanage_store.c
> index 936e6495..4bd1d651 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -538,7 +538,6 @@ char *semanage_conf_path(void)
>  int semanage_create_store(semanage_handle_t * sh, int create)
>  {
> struct stat sb;
> -   int mode_mask = R_OK | W_OK | X_OK;
> const char *path = semanage_files[SEMANAGE_ROOT];
> int fd;
>
> @@ -557,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int 
> create)
> return -1;
> }
> } else {
> -   if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
> +   if (!S_ISDIR(sb.st_mode)) {
> ERR(sh,
> -   "Could not access module store at %s, or it is 
> not a directory.",
> +   "Module store at %s is not a directory.",
> path);
> return -1;
> }
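Review bot: With `access(path, mode_mask)` dropped, this branch only checks the object type in `sb`, so an unusable store is no longer reported here and nothing in the new code looks at what the invoking (real) user is allowed to do. For a setuid caller every later open and write on the store then runs with the effective UID, and the function should say so, e.g. `/* No permission check here: failures surface from the later open/lock calls, and setuid callers must authorise the real user themselves. */`. The same applies to the hunks at -580, -603 and -624. `sb` is filled outside these hunks; if that is `stat()` and not `lstat()`, a symlink at `path` also passes the `S_ISDIR`/`S_ISREG` tests, which should be confirmed as intended.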
> @@ -580,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int 
> create)
> return -1;
> }
> } else {
> -   if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
> +   if (!S_ISDIR(sb.st_mode)) {
> ERR(sh,
> -   "Could not access module store active 
> subdirectory at %s, or it is not a directory.",
> +   "Module store active subdirectory at %s is not a 
> directory.",
> path);
> return -1;
> }
> @@ -603,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int 
> create)
> return -1;
> }
> } else {
> -   if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
> +   if (!S_ISDIR(sb.st_mode)) {
> ERR(sh,
> -   "Could not access module store active modules 
> subdirectory at %s, or it is not a directory.",
> +   "Module store active modules subdirectory at %s 
> is not a directory.",
> path);
> return -1;
> }
> @@ -624,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int 
> create)
> return -1;
> }
> } else {
> -   if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
> -   ERR(sh, "Could not access lock file at %s.", path);
> +   if (!S_ISREG(sb.st_mode)) {
> +   ERR(sh, "Object at %s is not a lock file.", path);
> return -1;
> }
> }
> --
> 2.14.3
>
>

Tentative ack on testing. This routine, semanage_create_store(), has some
crazy indenting; a lot of that could be reorganized to be far less horizontal.



Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 10:43 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 02/28/2018 01:24 PM, William Roberts wrote:
>> Where is patch 2/2, I have yet to see it?
>>
>> Did something get screwy and is it: [PATCH] libsemanage: Improve
>> warning for installing disabled module
>
> No, 2/3 was a separate patch and had the 2/3 in the subject line.
> I received all three from the list, both locally and on my gmail.
>

Thanks gmail for folding the patch 1/3 and 2/3 into the same "conversation" or
whatever it does.


>>
>>
>> On Wed, Feb 28, 2018 at 9:50 AM, William Roberts
>> <bill.c.robe...@gmail.com> wrote:
>>> On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>>>> access() uses real UID instead of effective UID which causes false
>>>> negative checks in setuid programs.
>>>> Replace access(,F_OK) (i.e. tests for file existence) by stat().
>>>> And access(,R_OK) by fopen(,"r")
>>>>
>>>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>>>>
>>>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>>>> ---
>>>>  libsemanage/src/direct_api.c | 132 
>>>> +--
>>>>  libsemanage/src/semanage_store.c |  14 -
>>>>  2 files changed, 98 insertions(+), 48 deletions(-)
>>>>
>>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>>> index f4d57cf8..d42a51cd 100644
>>>> --- a/libsemanage/src/direct_api.c
>>>> +++ b/libsemanage/src/direct_api.c
>>>> @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
>>>>  int semanage_direct_connect(semanage_handle_t * sh)
>>>>  {
>>>> const char *path;
>>>> +   struct stat sb;
>>>>
>>>> if (semanage_check_init(sh, sh->conf->store_root_path))
>>>> goto err;
>>>> @@ -302,10 +303,17 @@ int semanage_direct_connect(semanage_handle_t * sh)
>>>>
>>>> /* set the disable dontaudit value */
>>>> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT);
>>>> -   if (access(path, F_OK) == 0)
>>>> +
>>>> +   if (stat(path, ) == 0)
>>>> sepol_set_disable_dontaudit(sh->sepolh, 1);
>>>> -   else
>>>> +   else {
>>>> +   if (errno != ENOENT) {
>>>> +   ERR(sh, "Unable to access %s: %s\n", path, 
>>>> strerror(errno));
>>>> +   goto err;
>>>> +   }
>>>> +
>>>> sepol_set_disable_dontaudit(sh->sepolh, 0);
>>>> +   }
>>>>
>>>> return STATUS_SUCCESS;
>>>>
>>>> @@ -1139,6 +1147,7 @@ static int 
>>>> semanage_compile_hll_modules(semanage_handle_t *sh,
>>>> int status = 0;
>>>> int i;
>>>> char cil_path[PATH_MAX];
>>>> +   struct stat sb;
>>>>
>>>> assert(sh);
>>>> assert(modinfos);
>>>> @@ -1155,9 +1164,13 @@ static int 
>>>> semanage_compile_hll_modules(semanage_handle_t *sh,
>>>> }
>>>>
>>>> if (semanage_get_ignore_module_cache(sh) == 0 &&
>>>> -   access(cil_path, F_OK) == 0) {
>>>> +   (status = stat(cil_path, )) == 0) {
>>>> continue;
>>>> }
>>>> +   if (status != 0 && errno != ENOENT) {
>>>> +   ERR(sh, "Unable to access %s: %s\n", cil_path, 
>>>> strerror(errno));
>>>> +   goto cleanup; //an error in the "stat" call
>>>> +   }
>>>>
>>>> status = semanage_compile_module(sh, [i]);
>>>> if (status < 0) {
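Review bot: When `semanage_get_ignore_module_cache(sh)` is non-zero the `&&` short-circuits and `stat()` is never called, so the added `if (status != 0 && errno != ENOENT)` tests a `status` left over from earlier in the loop and an `errno` set by some unrelated call. Only the branch that actually called `stat()` should look at `errno`, as sketched below. The loop header and the `cleanup` label are outside this hunk, so whether `status` can be non-zero at this point, and whether `cleanup` returns it, needs checking against the full function. The same hunk is quoted again further down the thread.
```c
if (semanage_get_ignore_module_cache(sh) == 0) {
	if (stat(cil_path, &sb) == 0)
		continue;	/* cached CIL file is present */
	if (errno != ENOENT) {
		/* … unchanged: ERR() call … */
		status = -1;	/* the patch stored the stat() result in status */
		goto cleanup;
	}
}
/* … unchanged: semanage_compile_module() call … */
```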
>>>> @@ -1188,6 +1201,7 @@ static int semanage_direct_commit(semanage_handle_t 
>>>> * sh)
>>>> struct cil_db *cildb = NULL;
>>>> semanage_module_info_t *modinfos = NULL;
>>>> mode_t mask = umask(0077);
>>>> +   struct stat sb;
>>>>
>>>> int do_rebuild, do_write_kernel

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
Where is patch 2/2, I have yet to see it?

Did something get screwy and is it: [PATCH] libsemanage: Improve
warning for installing disabled module


On Wed, Feb 28, 2018 at 9:50 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>> access() uses real UID instead of effective UID which causes false
>> negative checks in setuid programs.
>> Replace access(,F_OK) (i.e. tests for file existence) by stat().
>> And access(,R_OK) by fopen(,"r")
>>
>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>>
>> Signed-off-by: Vit Mojzis <vmoj...@redhat.com>
>> ---
>>  libsemanage/src/direct_api.c | 132 
>> +--
>>  libsemanage/src/semanage_store.c |  14 -
>>  2 files changed, 98 insertions(+), 48 deletions(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index f4d57cf8..d42a51cd 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
>>  int semanage_direct_connect(semanage_handle_t * sh)
>>  {
>> const char *path;
>> +   struct stat sb;
>>
>> if (semanage_check_init(sh, sh->conf->store_root_path))
>> goto err;
>> @@ -302,10 +303,17 @@ int semanage_direct_connect(semanage_handle_t * sh)
>>
>> /* set the disable dontaudit value */
>> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT);
>> -   if (access(path, F_OK) == 0)
>> +
>> +   if (stat(path, ) == 0)
>> sepol_set_disable_dontaudit(sh->sepolh, 1);
>> -   else
>> +   else {
>> +   if (errno != ENOENT) {
>> +   ERR(sh, "Unable to access %s: %s\n", path, 
>> strerror(errno));
>> +   goto err;
>> +   }
>> +
>> sepol_set_disable_dontaudit(sh->sepolh, 0);
>> +   }
>>
>> return STATUS_SUCCESS;
>>
>> @@ -1139,6 +1147,7 @@ static int 
>> semanage_compile_hll_modules(semanage_handle_t *sh,
>> int status = 0;
>> int i;
>> char cil_path[PATH_MAX];
>> +   struct stat sb;
>>
>> assert(sh);
>> assert(modinfos);
>> @@ -1155,9 +1164,13 @@ static int 
>> semanage_compile_hll_modules(semanage_handle_t *sh,
>> }
>>
>> if (semanage_get_ignore_module_cache(sh) == 0 &&
>> -   access(cil_path, F_OK) == 0) {
>> +   (status = stat(cil_path, )) == 0) {
>> continue;
>> }
>> +   if (status != 0 && errno != ENOENT) {
>> +   ERR(sh, "Unable to access %s: %s\n", cil_path, 
>> strerror(errno));
>> +   goto cleanup; //an error in the "stat" call
>> +   }
>>
>> status = semanage_compile_module(sh, [i]);
>> if (status < 0) {
>> @@ -1188,6 +1201,7 @@ static int semanage_direct_commit(semanage_handle_t * 
>> sh)
>> struct cil_db *cildb = NULL;
>> semanage_module_info_t *modinfos = NULL;
>> mode_t mask = umask(0077);
>> +   struct stat sb;
>>
>> int do_rebuild, do_write_kernel, do_install;
>> int fcontexts_modified, ports_modified, seusers_modified,
>> @@ -1226,10 +1240,16 @@ static int semanage_direct_commit(semanage_handle_t 
>> * sh)
>>
>> /* Create or remove the disable_dontaudit flag file. */
>> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
>> -   if (access(path, F_OK) == 0)
>> +   if (stat(path, ) == 0)
>> do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 
>> 1);
>> -   else
>> +   else {
>> +   if (errno != ENOENT) {
>> +   ERR(sh, "Unable to access %s: %s\n", path, 
>> strerror(errno));
>> +   goto cleanup;
>> +   }
>> +
>
> I am not a huge fan of this if under else block of if (errno !=ENOENT).
>
> maybe this is a bit cleaner:
>
> if (stat() == 0)
>   //exists
> else if (errno == ENOENT)
>   // doesn't exist
> else
>   //fail
>
>> do_rebuild |= (sepol_get_d

Re: [PATCH 2/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis  wrote:
> F_OK access checks only work properly as long as all directories along
> the path are accessible to real user running the program.
> Replace F_OK access checks by testing return value of open, write, etc.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>
> Signed-off-by: Vit Mojzis 
> ---
>  libsemanage/src/direct_api.c | 39 +++
>  1 file changed, 15 insertions(+), 24 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index b7899d68..f4d57cf8 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -1563,34 +1563,25 @@ rebuild:
> goto cleanup;
> }
>
> -   path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
> -   if (access(path, F_OK) == 0) {
> -   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_FC_LOCAL),
> -   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
> -   sh->conf->file_mode);
> -   if (retval < 0) {
> -   goto cleanup;
> -   }
> +   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_FC_LOCAL),
> +   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
> +   sh->conf->file_mode);
> +   if (retval < 0 && errno != ENOENT) {
> +   goto cleanup;
> }
>
> -   path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
> -   if (access(path, F_OK) == 0) {
> -   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_FC),
> -   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
> -   sh->conf->file_mode);
> -   if (retval < 0) {
> -   goto cleanup;
> -   }
> +   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_FC),
> +   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
> +   sh->conf->file_mode);
> +   if (retval < 0 && errno != ENOENT) {
> +   goto cleanup;
> }
>
> -   path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
> -   if (access(path, F_OK) == 0) {
> -   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_SEUSERS),
> -   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
> -   sh->conf->file_mode);
> -   if (retval < 0) {
> -   goto cleanup;
> -   }
> +   retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, 
> SEMANAGE_STORE_SEUSERS),
> +   
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
> +   sh->conf->file_mode);
> +   if (retval < 0 && errno != ENOENT) {
> +   goto cleanup;
> }
>
> /* run genhomedircon if its enabled, this should be the last operation
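Review bot: The three added `if (retval < 0 && errno != ENOENT)` tests treat every ENOENT as "the optional source file is absent", but `errno` after `semanage_copy_file()` reflects whichever call inside it failed last. If that helper also opens or renames the destination, a missing directory under `SEMANAGE_FINAL_TMP` would produce ENOENT as well and be skipped silently, leaving the final store without its `SEMANAGE_FC` or `SEMANAGE_SEUSERS` file. `semanage_copy_file()` is not shown here, so this needs checking against its body; a safer shape is for the helper to report a missing source distinctly (testing `errno` right after it opens the source) instead of callers reading `errno` after the whole operation. The enclosing function starts and ends outside this hunk.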
> --
> 2.14.3
>
>

tentative ack. I need to run tests on this one, but it looks fine. I
suspect this should work looking at semanage_copy_file() internals.



Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis  wrote:
> access() uses real UID instead of effective UID which causes false
> negative checks in setuid programs.
> Replace access(,F_OK) (i.e. tests for file existence) by stat().
> And access(,R_OK) by fopen(,"r")
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
>
> Signed-off-by: Vit Mojzis 
> ---
>  libsemanage/src/direct_api.c | 132 
> +--
>  libsemanage/src/semanage_store.c |  14 -
>  2 files changed, 98 insertions(+), 48 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index f4d57cf8..d42a51cd 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -140,6 +140,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
>  int semanage_direct_connect(semanage_handle_t * sh)
>  {
> const char *path;
> +   struct stat sb;
>
> if (semanage_check_init(sh, sh->conf->store_root_path))
> goto err;
> @@ -302,10 +303,17 @@ int semanage_direct_connect(semanage_handle_t * sh)
>
> /* set the disable dontaudit value */
> path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT);
> -   if (access(path, F_OK) == 0)
> +
> +   if (stat(path, ) == 0)
> sepol_set_disable_dontaudit(sh->sepolh, 1);
> -   else
> +   else {
> +   if (errno != ENOENT) {
> +   ERR(sh, "Unable to access %s: %s\n", path, 
> strerror(errno));
> +   goto err;
> +   }
> +
> sepol_set_disable_dontaudit(sh->sepolh, 0);
> +   }
>
> return STATUS_SUCCESS;
>
> @@ -1139,6 +1147,7 @@ static int 
> semanage_compile_hll_modules(semanage_handle_t *sh,
> int status = 0;
> int i;
> char cil_path[PATH_MAX];
> +   struct stat sb;
>
> assert(sh);
> assert(modinfos);
> @@ -1155,9 +1164,13 @@ static int 
> semanage_compile_hll_modules(semanage_handle_t *sh,
> }
>
> if (semanage_get_ignore_module_cache(sh) == 0 &&
> -   access(cil_path, F_OK) == 0) {
> +   (status = stat(cil_path, )) == 0) {
> continue;
> }
> +   if (status != 0 && errno != ENOENT) {
> +   ERR(sh, "Unable to access %s: %s\n", cil_path, 
> strerror(errno));
> +   goto cleanup; //an error in the "stat" call
> +   }
>
> status = semanage_compile_module(sh, [i]);
> if (status < 0) {
> @@ -1188,6 +1201,7 @@ static int semanage_direct_commit(semanage_handle_t * 
> sh)
> struct cil_db *cildb = NULL;
> semanage_module_info_t *modinfos = NULL;
> mode_t mask = umask(0077);
> +   struct stat sb;
>
> int do_rebuild, do_write_kernel, do_install;
> int fcontexts_modified, ports_modified, seusers_modified,
> @@ -1226,10 +1240,16 @@ static int semanage_direct_commit(semanage_handle_t * 
> sh)
>
> /* Create or remove the disable_dontaudit flag file. */
> path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
> -   if (access(path, F_OK) == 0)
> +   if (stat(path, ) == 0)
> do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
> -   else
> +   else {
> +   if (errno != ENOENT) {
> +   ERR(sh, "Unable to access %s: %s\n", path, 
> strerror(errno));
> +   goto cleanup;
> +   }
> +

I am not a huge fan of this if under else block of if (errno !=ENOENT).

maybe this is a bit cleaner:

if (stat() == 0)
  //exists
else if (errno == ENOENT)
  // doesn't exist
else
  //fail

> do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1);
> +   }
> if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
> FILE *touch;
> touch = fopen(path, "w");
> @@ -1251,10 +1271,17 @@ static int semanage_direct_commit(semanage_handle_t * 
> sh)
>
> /* Create or remove the preserve_tunables flag file. */
> path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
> -   if (access(path, F_OK) == 0)
> +   if (stat(path, ) == 0)
> do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1);
> -   else
> +   else {
> +   if (errno != ENOENT) {
> +   ERR(sh, "Unable to access %s: %s\n", path, 
> strerror(errno));
> +   goto cleanup;
> +   }
> +
> do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1);
> +   }
> +
> if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
> FILE *touch;
> touch = fopen(path, "w");
> @@ -1291,40 +1318,24 @@ static int 

Re: [PATCH] libsemanage: Improve warning for installing disabled module

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 4:12 AM, Vit Mojzis  wrote:
> Resolves: rhbz#1337199
>
> Signed-off-by: Vit Mojzis 
> ---
>  libsemanage/src/direct_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 88873c43..9c305c75 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -2797,7 +2797,7 @@ static int 
> semanage_direct_install_info(semanage_handle_t *sh,
> if (higher_info->enabled == 0 && modinfo->enabled == -1) {
> errno = 0;
> WARN(sh,
> -"%s module will be disabled after install due to 
> default enabled status.",
> +"%s module will be disabled after install as 
> there is a disabled instance of this module present in the system.",
>  modinfo->name);
> }
> }
> --
> 2.14.3
>
>

ack



Re: Minor bash completion update for semanage ports

2018-02-13 Thread William Roberts
On Mon, Feb 12, 2018 at 5:58 PM, Lee Stubbs  wrote:
> Based on the semanage-port documentation, I believe the semanage ports type
> bash autocompletion may be missing a '-'. Please see the attached patch file

This isn't how we take patches on the list, please use git send-email.

With that said, the patch looks fine, please resend with git send-email

> for a possible update.
>
> -Lee



-- 
Respectfully,

William C Roberts



Re: [PATCH] [RFC] sidtab: use memset vs loop for init

2018-02-08 Thread William Roberts
On Thu, Feb 8, 2018 at 8:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Thu, 2018-02-08 at 08:34 -0800, William Roberts wrote:
>> On Thu, Feb 8, 2018 at 7:47 AM, Stephen Smalley <s...@tycho.nsa.gov>
>> wrote:
>> > On Thu, 2018-02-08 at 10:20 -0500, Paul Moore wrote:
>> > > On Wed, Feb 7, 2018 at 6:46 PM,  <william.c.robe...@intel.com>
>> > > wrote:
>> > > > From: William Roberts <william.c.robe...@intel.com>
>> > > >
>> > > > Commit:
>> > > > 73ff5fc selinux: cache sidtab_context_to_sid results
>> > >
>> > > This wouldn't prevent me from merging the patch, but since it is
>> > > an
>> > > RFC I'll go ahead and provide some nitpickery here ... the
>> > > general
>> > > recommendation (for the kernel) when referencing previous
>> > > comments is
>> > > to use the following format:
>> > >
>> > >  <12_char_id> ()
>> > >
>> > > ... so the reference in your patch should look like this:
>> > >
>> > >  73ff5fc0a86b ("selinux: cache sidtab_context_to_sid results")
>> > >
>> > >  as generated by the following git command line:
>> > >
>> > >  # git show -s --format="%h (\"%s\")" 73ff5fc
>> > >  73ff5fc0a86b ("selinux: cache sidtab_context_to_sid results")
>> > >
>> > > > Uses a for loop to NULL the sidtab_node cache pointers.
>> > > > Use memset, which allows for compiler optimizations
>> > > > when present. Note that gcc sometimes sees this loop/set
>> > > > pattern and properly optimizes it.
>> > > >
>> > > > I sent this as an RFC for 2 reasons:
>> > > > 1. NOT TESTED
>> > >
>> > > So yes, this is a pretty trivial patch, and it is an RFC, but if
>> > > you
>> > > want me to merge this at some point you need to at least build
>> > > and
>> > > boot a patched kernel successfully.  I try not to be the
>> > > grumpiest
>> > > maintainer, but one of the things that does really bother me is
>> > > when
>> > > people submit code without testing and it blows up on me; that
>> > > makes
>> > > me not like you, which is generally a Bad Thing.
>> > >
>> > > > 2. Was there some point not clear in doing it via the loop?
>> > >
>> > > Nothing immediately comes to mind.  Although it is worth noting
>> > > that
>> > > this code will likely only be hit a few times on a normal system
>> > > so I
>> > > wouldn't really consider it "performance critical" in the
>> > > traditional
>> > > sense.  This doesn't mean we shouldn't improve the code, just
>> > > that I
>> > > don't think anyone has really looked that carefully at it.  It
>> > > looks
>> > > like there are other loops in ss/sidtab.c that could probably be
>> > > memset'd too.
>> > >
>> > > Thinking out loud, I suppose we could also move the loop/memset
>> > > outside the locked region as well since the lock is for the src
>> > > sidtab
>> > > and not the dst sidtab.  The same for clearing the shutdown
>> > > field.
>> > >
>> > > Looking a bit deeper, I'm starting to question how we use
>> > > sidtab_set(), especially since it looks like the only caller is
>> > > security_load_policy() which takes a rather *creative* approach
>> > > to
>> > > changing the sidtab on policy (re)load (to be fair, this looks to
>> > > be
>> > > an effort to limit the work in the locked section).  I wonder if
>> > > we
>> > > are better served by getting rid of sidtab_set() and replacing it
>> > > with
>> > > a sidtab_replace() function that would release the old state and
>> > > replace it with the new.  It would be a more work with the policy
>> > > write lock held, but that may soon be less of an issue with some
>> > > of
>> > > the patches being discussed.  It would definitely be a bit
>> > > cleaner.
>> >
>> > What is really needed here is that all of the security server state
>> > associated with a policy (policydb, sidtab, current_mapping) needs
>> > to
>> > be accessed through a single pointer that can be atomically s

Re: [PATCH] [RFC] sidtab: use memset vs loop for init

2018-02-08 Thread William Roberts
On Thu, Feb 8, 2018 at 7:20 AM, Paul Moore <p...@paul-moore.com> wrote:
> On Wed, Feb 7, 2018 at 6:46 PM,  <william.c.robe...@intel.com> wrote:
>> From: William Roberts <william.c.robe...@intel.com>
>>
>> Commit:
>> 73ff5fc selinux: cache sidtab_context_to_sid results
>
> This wouldn't prevent me from merging the patch, but since it is an
> RFC I'll go ahead and provide some nitpickery here ... the general
> recommendation (for the kernel) when referencing previous comments is
> to use the following format:
>
>  <12_char_id> ()
>
> ... so the reference in your patch should look like this:
>
>  73ff5fc0a86b ("selinux: cache sidtab_context_to_sid results")
>
>  as generated by the following git command line:
>
>  # git show -s --format="%h (\"%s\")" 73ff5fc
>  73ff5fc0a86b ("selinux: cache sidtab_context_to_sid results")

Good to know.

>
>> Uses a for loop to NULL the sidtab_node cache pointers.
>> Use memset, which allows for compiler optimizations
>> when present. Note that gcc sometimes sees this loop/set
>> pattern and properly optimizes it.
>>
>> I sent this as an RFC for 2 reasons:
>> 1. NOT TESTED
>
> So yes, this is a pretty trivial patch, and it is an RFC, but if you
> want me to merge this at some point you need to at least build and
> boot a patched kernel successfully.

Well yes, I would never send a patch that I intended for merge
without thorough testing. This is why it is clearly marked and such.

I try not to be the grumpiest
> maintainer, but one of the things that does really bother me is when
> people submit code without testing and it blows up on me; that makes
> me not like you, which is generally a Bad Thing.
>
>> 2. Was there some point not clear in doing it via the loop?
>
> Nothing immediately comes to mind.  Although it is worth noting that
> this code will likely only be hit a few times on a normal system so I
> wouldn't really consider it "performance critical" in the traditional
> sense.  This doesn't mean we shouldn't improve the code, just that I
> don't think anyone has really looked that carefully at it.  It looks
> like there are other loops in ss/sidtab.c that could probably be
> memset'd too.
>
> Thinking out loud, I suppose we could also move the loop/memset
> outside the locked region as well since the lock is for the src sidtab
> and not the dst sidtab.  The same for clearing the shutdown field.
>
> Looking a bit deeper, I'm starting to question how we use
> sidtab_set(), especially since it looks like the only caller is
> security_load_policy() which takes a rather *creative* approach to
> changing the sidtab on policy (re)load (to be fair, this looks to be
> an effort to limit the work in the locked section).  I wonder if we
> are better served by getting rid of sidtab_set() and replacing it with
> a sidtab_replace() function that would release the old state and
> replace it with the new.  It would be a more work with the policy
> write lock held, but that may soon be less of an issue with some of
> the patches being discussed.  It would definitely be a bit cleaner.

The reason for the RFC patch was the above discussion. I was
just looking at things briefly yesterday and noticed this odd loop sticking
out. The reason I was looking at things is that there are some performance
concerns during load, which likely couple back into the patches that
Peter Enderborg is working on, which IIUC should swap out those
memcpy's for an atomic policy pointer switch. That then harkens back
to Stephen's response to this as well.

>
>> Signed-off-by: William Roberts <william.c.robe...@intel.com>
>> ---
>>  security/selinux/ss/sidtab.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
>> index 5be31b7..fb88ef4 100644
>> --- a/security/selinux/ss/sidtab.c
>> +++ b/security/selinux/ss/sidtab.c
>> @@ -292,8 +292,7 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src)
>> dst->nel = src->nel;
>> dst->next_sid = src->next_sid;
>> dst->shutdown = 0;
>> -   for (i = 0; i < SIDTAB_CACHE_LEN; i++)
>> -   dst->cache[i] = NULL;
>> +   memset(dst->cache, 0, sizeof(dst->cache));
>> spin_unlock_irqrestore(>lock, flags);
>>  }
>>
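Review bot: Once the loop is removed nothing in the visible hunk uses `i`, and the hunk (1 insertion, 2 deletions) does not delete its declaration, so `sidtab_set()` is likely left with an unused-variable warning. The declaration sits above the hunk, so confirm and drop it in the same patch. `sizeof(dst->cache)` covers the whole cache only if `cache` is an array member of `struct sidtab` (the `SIDTAB_CACHE_LEN` bound suggests it is). A short comment such as `/* cache[] is an array, so sizeof covers all SIDTAB_CACHE_LEN slots */` would keep that assumption visible if the field ever becomes a pointer.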
>> --
>> 2.7.4
>
> --
> paul moore
> www.paul-moore.com
>



-- 
Respectfully,

William C Roberts



Re: [PATCH V3] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-25 Thread William Roberts
Thanks, applied: https://github.com/SELinuxProject/selinux/pull/76

On Thu, Jan 25, 2018 at 10:49 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Thu, 2018-01-25 at 10:22 -0800, William Roberts wrote:
>> On Wed, Jan 24, 2018 at 1:42 AM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > Allow the tmp build files to be kept for debugging when a policy
>> > build fails.
>> >
>> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
>> > ---
>> > V2 Changes:
>> > Remove the retain-tmp flag and just keep tmp files on build errors.
>> > V3 Changes:
>> > Release transaction lock after tmp files removed.
>> > Add additional comments to commit_err in handle.h
>> >
>> >  libsemanage/src/direct_api.c | 56 ++
>> > --
>> >  libsemanage/src/handle.c |  2 ++
>> >  libsemanage/src/handle.h |  4 
>> >  3 files changed, 44 insertions(+), 18 deletions(-)
>> >
>> > diff --git a/libsemanage/src/direct_api.c
>> > b/libsemanage/src/direct_api.c
>> > index a455612f..88873c43 100644
>> > --- a/libsemanage/src/direct_api.c
>> > +++ b/libsemanage/src/direct_api.c
>> > @@ -323,25 +323,43 @@ static void
>> > semanage_direct_destroy(semanage_handle_t * sh
>> > /* do nothing */
>> >  }
>> >
>> > -static int semanage_direct_disconnect(semanage_handle_t * sh)
>> > +static int semanage_remove_tmps(semanage_handle_t *sh)
>> >  {
>> > -   /* destroy transaction */
>> > -   if (sh->is_in_transaction) {
>> > -   /* destroy sandbox */
>> > -   if (semanage_remove_directory
>> > -   (semanage_path(SEMANAGE_TMP,
>> > SEMANAGE_TOPLEVEL)) < 0) {
>> > +   if (sh->commit_err)
>> > +   return 0;
>> > +
>> > +   /* destroy sandbox if it exists */
>> > +   if (semanage_remove_directory
>> > +   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
>> > +   if (errno != ENOENT) {
>> > ERR(sh, "Could not cleanly remove sandbox
>> > %s.",
>> > semanage_path(SEMANAGE_TMP,
>> > SEMANAGE_TOPLEVEL));
>> > return -1;
>> > }
>> > -   if (semanage_remove_directory
>> > -   (semanage_final_path(SEMANAGE_FINAL_TMP,
>> > -SEMANAGE_FINAL_TOPLEVEL))
>> > < 0) {
>> > +   }
>> > +
>> > +   /* destroy tmp policy if it exists */
>> > +   if (semanage_remove_directory
>> > +   (semanage_final_path(SEMANAGE_FINAL_TMP,
>> > +SEMANAGE_FINAL_TOPLEVEL)) < 0) {
>> > +   if (errno != ENOENT) {
>> > ERR(sh, "Could not cleanly remove tmp %s.",
>> > semanage_final_path(SEMANAGE_FINAL_TMP,
>> > SEMANAGE_FINAL_TOPL
>> > EVEL));
>> > return -1;
>> > }
>> > +   }
>> > +
>> > +   return 0;
>> > +}
>> > +
>> > +static int semanage_direct_disconnect(semanage_handle_t *sh)
>> > +{
>> > +   int retval = 0;
>> > +
>> > +   /* destroy transaction and remove tmp files if no commit
>> > error */
>> > +   if (sh->is_in_transaction) {
>> > +   retval = semanage_remove_tmps(sh);
>> > semanage_release_trans_lock(sh);
>> > }
>> >
>> > @@ -375,7 +393,7 @@ static int
>> > semanage_direct_disconnect(semanage_handle_t * sh)
>> > /* Release object databases: active kernel policy */
>> > bool_activedb_dbase_release(semanage_bool_dbase_active(sh))
>> > ;
>> >
>> > -   return 0;
>> > +   return retval;
>> >  }
>> >
>> >  static int semanage_direct_begintrans(semanage_handle_t * sh)
>> > @@ -1635,17 +1653,19 @@ cleanup:
>> > free(mod_filenames);
>> > sepol_policydb_free(out);
>> > cil_db_destroy();
>> > -   semanage_release_trans_lock(sh);
>> >
>> > free(fc_buffer);
>> >
>&

Re: [PATCH V3] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-25 Thread William Roberts
On Wed, Jan 24, 2018 at 1:42 AM, Richard Haines
 wrote:
> Allow the tmp build files to be kept for debugging when a policy
> build fails.
>
> Signed-off-by: Richard Haines 
> ---
> V2 Changes:
> Remove the retain-tmp flag and just keep tmp files on build errors.
> V3 Changes:
> Release transaction lock after tmp files removed.
> Add additional comments to commit_err in handle.h
>
>  libsemanage/src/direct_api.c | 56 
> ++--
>  libsemanage/src/handle.c |  2 ++
>  libsemanage/src/handle.h |  4 
>  3 files changed, 44 insertions(+), 18 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index a455612f..88873c43 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -323,25 +323,43 @@ static void semanage_direct_destroy(semanage_handle_t * 
> sh
> /* do nothing */
>  }
>
> -static int semanage_direct_disconnect(semanage_handle_t * sh)
> +static int semanage_remove_tmps(semanage_handle_t *sh)
>  {
> -   /* destroy transaction */
> -   if (sh->is_in_transaction) {
> -   /* destroy sandbox */
> -   if (semanage_remove_directory
> -   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
> +   if (sh->commit_err)
> +   return 0;
> +
> +   /* destroy sandbox if it exists */
> +   if (semanage_remove_directory
> +   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
> +   if (errno != ENOENT) {
> ERR(sh, "Could not cleanly remove sandbox %s.",
> semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
> return -1;
> }
> -   if (semanage_remove_directory
> -   (semanage_final_path(SEMANAGE_FINAL_TMP,
> -SEMANAGE_FINAL_TOPLEVEL)) < 0) {
> +   }
> +
> +   /* destroy tmp policy if it exists */
> +   if (semanage_remove_directory
> +   (semanage_final_path(SEMANAGE_FINAL_TMP,
> +SEMANAGE_FINAL_TOPLEVEL)) < 0) {
> +   if (errno != ENOENT) {
> ERR(sh, "Could not cleanly remove tmp %s.",
> semanage_final_path(SEMANAGE_FINAL_TMP,
> SEMANAGE_FINAL_TOPLEVEL));
> return -1;
> }
> +   }
> +
> +   return 0;
> +}
> +
> +static int semanage_direct_disconnect(semanage_handle_t *sh)
> +{
> +   int retval = 0;
> +
> +   /* destroy transaction and remove tmp files if no commit error */
> +   if (sh->is_in_transaction) {
> +   retval = semanage_remove_tmps(sh);
> semanage_release_trans_lock(sh);
> }
>
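Review bot: The `errno != ENOENT` tests in `semanage_remove_tmps()` are only meaningful if `semanage_remove_directory()` returns with errno still holding the cause of the failure, which this hunk does not show. If that helper does further work after the failing call, errno may be overwritten, so a real removal failure could be treated as a missing directory and silently ignored. A comment at both call sites stating the assumption would help, e.g. `/* relies on semanage_remove_directory() leaving errno set to the failing call's value */`. The body of `semanage_direct_disconnect()` continues outside the hunk.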
> @@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * 
> sh)
> /* Release object databases: active kernel policy */
> bool_activedb_dbase_release(semanage_bool_dbase_active(sh));
>
> -   return 0;
> +   return retval;
>  }
>
>  static int semanage_direct_begintrans(semanage_handle_t * sh)
> @@ -1635,17 +1653,19 @@ cleanup:
> free(mod_filenames);
> sepol_policydb_free(out);
> cil_db_destroy();
> -   semanage_release_trans_lock(sh);
>
> free(fc_buffer);
>
> -   /* regardless if the commit was successful or not, remove the
> -  sandbox if it is still there */
> -   semanage_remove_directory(semanage_path
> - (SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
> -   semanage_remove_directory(semanage_final_path
> - (SEMANAGE_FINAL_TMP,
> -  SEMANAGE_FINAL_TOPLEVEL));
> +   /* Set commit_err so other functions can detect any errors. Note that
> +* retval > 0 will be the commit number.
> +*/
> +   if (retval < 0)
> +   sh->commit_err = retval;
> +
> +   if (semanage_remove_tmps(sh) != 0)
> +   retval = -1;
> +
> +   semanage_release_trans_lock(sh);
> umask(mask);
>
> return retval;
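Review bot: `sh->commit_err` is assigned only when `retval < 0` and is never cleared, so one failed commit leaves the flag set for the rest of the handle's lifetime. If the same handle can run another transaction afterwards, `semanage_remove_tmps()` would keep returning early, and the tmp policy directories would stay on disk after a later successful commit and at disconnect. Assigning it unconditionally, `sh->commit_err = (retval < 0) ? retval : 0;`, would tie retention to the most recent commit only. The enclosing function begins outside the hunk; only its `cleanup:` tail is visible.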
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index 4ce1df03..a6567bd4 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void)
>  * If any changes are made, this flag is ignored */
> sh->do_rebuild = 0;
>
> +   sh->commit_err = 0;
> +
> /* By default always reload policy after commit if SELinux is 
> enabled. */
> sh->do_reload = (is_selinux_enabled() > 0);
>
> diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
> index 1780ac81..a91907b0 100644
> --- a/libsemanage/src/handle.h
> +++ b/libsemanage/src/handle.h
> @@ -62,6 +62,10 @@ struct semanage_handle {
> 

Re: [PATCH V2] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-22 Thread William Roberts
On Mon, Jan 22, 2018 at 8:38 AM, Richard Haines
 wrote:
> Allow the tmp build files to be kept for debugging when a policy
> build fails.
>
> Signed-off-by: Richard Haines 
> ---
> V2 Changes:
> Remove the retain-tmp flag and just keep tmp files on build errors.
>
>  libsemanage/src/direct_api.c | 54 
> ++--
>  libsemanage/src/handle.c |  2 ++
>  libsemanage/src/handle.h |  1 +
>  3 files changed, 40 insertions(+), 17 deletions(-)
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index a455612f..3d1cf1fe 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -323,26 +323,44 @@ static void semanage_direct_destroy(semanage_handle_t * 
> sh
> /* do nothing */
>  }
>
> -static int semanage_direct_disconnect(semanage_handle_t * sh)
> +static int semanage_remove_tmps(semanage_handle_t *sh)
>  {
> -   /* destroy transaction */
> -   if (sh->is_in_transaction) {
> -   /* destroy sandbox */
> -   if (semanage_remove_directory
> -   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
> +   if (sh->commit_err)
> +   return 0;
> +
> +   /* destroy sandbox if it exists */
> +   if (semanage_remove_directory
> +   (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
> +   if (errno != ENOENT) {
> ERR(sh, "Could not cleanly remove sandbox %s.",
> semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
> return -1;
> }
> -   if (semanage_remove_directory
> -   (semanage_final_path(SEMANAGE_FINAL_TMP,
> -SEMANAGE_FINAL_TOPLEVEL)) < 0) {
> +   }
> +
> +   /* destroy tmp policy if it exists */
> +   if (semanage_remove_directory
> +   (semanage_final_path(SEMANAGE_FINAL_TMP,
> +SEMANAGE_FINAL_TOPLEVEL)) < 0) {
> +   if (errno != ENOENT) {
> ERR(sh, "Could not cleanly remove tmp %s.",
> semanage_final_path(SEMANAGE_FINAL_TMP,
> SEMANAGE_FINAL_TOPLEVEL));
> return -1;
> }
> +   }
> +
> +   return 0;
> +}
> +
> +static int semanage_direct_disconnect(semanage_handle_t *sh)
> +{
> +   int retval = 0;
> +
> +   /* destroy transaction and remove tmp files if no commit error */
> +   if (sh->is_in_transaction) {
> semanage_release_trans_lock(sh);
> +   retval = semanage_remove_tmps(sh);
> }
>
> /* Release object databases: local modifications */
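Review bot: In the new `semanage_direct_disconnect()`, `semanage_release_trans_lock(sh)` runs before `semanage_remove_tmps(sh)`, so the sandbox and tmp policy directories are deleted after the transaction lock has been dropped. Another process that takes the lock in that window could presumably have its freshly created sandbox removed underneath it. Swapping the two lines, `retval = semanage_remove_tmps(sh);` followed by `semanage_release_trans_lock(sh);`, keeps the removal inside the locked region. The `cleanup:` hunk further down (`@@ -1639,13 +1657,15 @@`) appears to call `semanage_remove_tmps()` after the existing release as well. The function body continues past this hunk.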
> @@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * 
> sh)
> /* Release object databases: active kernel policy */
> bool_activedb_dbase_release(semanage_bool_dbase_active(sh));
>
> -   return 0;
> +   return retval;
>  }
>
>  static int semanage_direct_begintrans(semanage_handle_t * sh)
> @@ -1639,13 +1657,15 @@ cleanup:
>
> free(fc_buffer);
>
> -   /* regardless if the commit was successful or not, remove the
> -  sandbox if it is still there */
> -   semanage_remove_directory(semanage_path
> - (SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
> -   semanage_remove_directory(semanage_final_path
> - (SEMANAGE_FINAL_TMP,
> -  SEMANAGE_FINAL_TOPLEVEL));
> +   /* Set commit_err so other functions can detect any errors. Note that
> +* retval > 0 will be the commit number.
> +*/
> +   if (retval < 0)
> +   sh->commit_err = retval;
> +
> +   if (semanage_remove_tmps(sh) != 0)
> +   retval = -1;
> +
> umask(mask);
>
> return retval;
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index 4ce1df03..a6567bd4 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void)
>  * If any changes are made, this flag is ignored */
> sh->do_rebuild = 0;
>
> +   sh->commit_err = 0;
> +
> /* By default always reload policy after commit if SELinux is 
> enabled. */
> sh->do_reload = (is_selinux_enabled() > 0);
>
> diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
> index 1780ac81..65b15600 100644
> --- a/libsemanage/src/handle.h
> +++ b/libsemanage/src/handle.h
> @@ -62,6 +62,7 @@ struct semanage_handle {
> int is_in_transaction;
> int do_reload;  /* whether to reload policy after commit */
> int do_rebuild; /* whether to rebuild policy if there were no 
> changes */
> +   int commit_err; /* set by 

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-19 Thread William Roberts
Richard, are you going to respin this?

On Tue, Jan 16, 2018 at 9:35 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
>>> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
>>> <stephen.smal...@gmail.com> wrote:
>>> > On Jan 14, 2018 10:36 AM, "Richard Haines" <richard_c_haines@btinte
>>> > rnet.com>
>>> > wrote:
>>> >
>>> > Add new option to semanage.conf that allows the tmp build files
>>> > to be kept for debugging when building policy.
>>> >
>>> >
>>> > Would it be better to just retain the files by default if there is
>>> > an error?
>>>
>>> I thought about this as well, my reasoning as to why Richard's
>>> approach was
>>> better is that if someone does it N times trying to figure out an
>>> issue,
>>> then there would be N piles of files in the tmp folder. This way they
>>> have to opt in to have their tmp folder spammed.
>>
>> I believe that the tmp directories are deleted and re-created by
>> libsemanage each time before use (otherwise we'd have a different
>> problem with not removing them, since we could end up with a mix of
>> files from different, incomplete transactions being intermingled
>> there). So I don't think this would be a problem.  It might however
>
> Oh I see it looks like its just generating a /tmp "store" directory
> under the semanage path. I thought that enum was triggering a true
> /tmp style thing. I should have looksed closer.
>
>> require saving the commit success/failure result in the handle so that
>> we know in semanage_direct_disconnect() whether or not we should delete
>> it.
>
> Now that I understand that tid-bit, I think you're right, let's just
> leave it on error.
>
>>
>> If we truly need to make it optional, then I'd rather have it be an
>> option flag to semodule and a runtime setting of libsemanage (ala
>> reload, disable_dontaudit, etc) than a semanage.conf setting, as this
>> is something a user will want to be able to use without having to edit
>> a config file, re-run the transaction, and then re-edit the config file
>> each time.  But I'm not convinced we can't just make it the default
>> behavior whenever the commit fails.  Deleting the tmp files
>> automatically only really makes sense when it succeeds.
>
>
>
>>
>>>
>>> >
>>> >
>>> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
>>> > ---
>>> >  libsemanage/man/man5/semanage.conf.5 |  8 
>>> >  libsemanage/src/conf-parse.y | 15 ++-
>>> >  libsemanage/src/conf-scan.l  |  1 +
>>> >  libsemanage/src/direct_api.c | 21 -
>>> >  libsemanage/src/semanage_conf.h  |  1 +
>>> >  5 files changed, 36 insertions(+), 10 deletions(-)
>>> >
>>> > diff --git a/libsemanage/man/man5/semanage.conf.5
>>> > b/libsemanage/man/man5/semanage.conf.5
>>> > index 8f8de55a..10cab65a 100644
>>> > --- a/libsemanage/man/man5/semanage.conf.5
>>> > +++ b/libsemanage/man/man5/semanage.conf.5
>>> > @@ -121,6 +121,14 @@ and by default it is set to "false".
>>> >  Please note that since this option deletes all HLL files, an
>>> > updated HLL
>>> > compiler will not be able to recompile the original HLL file into
>>> > CIL.
>>> >  In order to compile the original HLL file into CIL, the same HLL
>>> > file will
>>> > need to be reinstalled.
>>> >
>>> > +.TP
>>> > +.B retain-tmp
>>> > +When set to "true", tmp directories (the sandbox at
>>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final
>>> > policy at
>>> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
>>> > compilation to allow debugging of any build errors. Note that on a
>>> > successful build the sandbox becomes
>>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
>>> > +.br
>>> > +The
>>> > +.B retain-tmp
>>> > +option can be set to either "true" or "false" and by default it is
>>> > set to
>>> > "false".
>>> > +
>>> >  .SH "SEE ALSO"
>>

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
>> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
>> <stephen.smal...@gmail.com> wrote:
>> > On Jan 14, 2018 10:36 AM, "Richard Haines" <richard_c_haines@btinte
>> > rnet.com>
>> > wrote:
>> >
>> > Add new option to semanage.conf that allows the tmp build files
>> > to be kept for debugging when building policy.
>> >
>> >
>> > Would it be better to just retain the files by default if there is
>> > an error?
>>
>> I thought about this as well, my reasoning as to why Richard's
>> approach was
>> better is that if someone does it N times trying to figure out an
>> issue,
>> then there would be N piles of files in the tmp folder. This way they
>> have to opt in to have their tmp folder spammed.
>
> I believe that the tmp directories are deleted and re-created by
> libsemanage each time before use (otherwise we'd have a different
> problem with not removing them, since we could end up with a mix of
> files from different, incomplete transactions being intermingled
> there). So I don't think this would be a problem.  It might however

Oh, I see. It looks like it's just generating a /tmp "store" directory
under the semanage path. I thought that enum was triggering a true
/tmp style thing. I should have looked closer.

> require saving the commit success/failure result in the handle so that
> we know in semanage_direct_disconnect() whether or not we should delete
> it.

Now that I understand that tid-bit, I think you're right, let's just
leave it on error.

>
> If we truly need to make it optional, then I'd rather have it be an
> option flag to semodule and a runtime setting of libsemanage (ala
> reload, disable_dontaudit, etc) than a semanage.conf setting, as this
> is something a user will want to be able to use without having to edit
> a config file, re-run the transaction, and then re-edit the config file
> each time.  But I'm not convinced we can't just make it the default
> behavior whenever the commit fails.  Deleting the tmp files
> automatically only really makes sense when it succeeds.



>
>>
>> >
>> >
>> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
>> > ---
>> >  libsemanage/man/man5/semanage.conf.5 |  8 
>> >  libsemanage/src/conf-parse.y | 15 ++-
>> >  libsemanage/src/conf-scan.l  |  1 +
>> >  libsemanage/src/direct_api.c | 21 -
>> >  libsemanage/src/semanage_conf.h  |  1 +
>> >  5 files changed, 36 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/libsemanage/man/man5/semanage.conf.5
>> > b/libsemanage/man/man5/semanage.conf.5
>> > index 8f8de55a..10cab65a 100644
>> > --- a/libsemanage/man/man5/semanage.conf.5
>> > +++ b/libsemanage/man/man5/semanage.conf.5
>> > @@ -121,6 +121,14 @@ and by default it is set to "false".
>> >  Please note that since this option deletes all HLL files, an
>> > updated HLL
>> > compiler will not be able to recompile the original HLL file into
>> > CIL.
>> >  In order to compile the original HLL file into CIL, the same HLL
>> > file will
>> > need to be reinstalled.
>> >
>> > +.TP
>> > +.B retain-tmp
>> > +When set to "true", tmp directories (the sandbox at
>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final
>> > policy at
>> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
>> > compilation to allow debugging of any build errors. Note that on a
>> > successful build the sandbox becomes
>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
>> > +.br
>> > +The
>> > +.B retain-tmp
>> > +option can be set to either "true" or "false" and by default it is
>> > set to
>> > "false".
>> > +
>> >  .SH "SEE ALSO"
>> >  .TP
>> >  semanage(8)
>> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-
>> > parse.y
>> > index b527e893..f098e55d 100644
>> > --- a/libsemanage/src/conf-parse.y
>> > +++ b/libsemanage/src/conf-parse.y
>> > @@ -61,7 +61,7 @@ static int parse_errors;
>> >
>> >  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
>> > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
 wrote:
> On Jan 14, 2018 10:36 AM, "Richard Haines" 
> wrote:
>
> Add new option to semanage.conf that allows the tmp build files
> to be kept for debugging when building policy.
>
>
> Would it be better to just retain the files by default if there is an error?

I thought about this as well. My reasoning for why Richard's approach was
better is that if someone does it N times trying to figure out an issue,
there would be N piles of files in the tmp folder. This way they
have to opt in to have their tmp folder spammed.

>
>
> Signed-off-by: Richard Haines 
> ---
>  libsemanage/man/man5/semanage.conf.5 |  8 
>  libsemanage/src/conf-parse.y | 15 ++-
>  libsemanage/src/conf-scan.l  |  1 +
>  libsemanage/src/direct_api.c | 21 -
>  libsemanage/src/semanage_conf.h  |  1 +
>  5 files changed, 36 insertions(+), 10 deletions(-)
>
> diff --git a/libsemanage/man/man5/semanage.conf.5
> b/libsemanage/man/man5/semanage.conf.5
> index 8f8de55a..10cab65a 100644
> --- a/libsemanage/man/man5/semanage.conf.5
> +++ b/libsemanage/man/man5/semanage.conf.5
> @@ -121,6 +121,14 @@ and by default it is set to "false".
>  Please note that since this option deletes all HLL files, an updated HLL
> compiler will not be able to recompile the original HLL file into CIL.
>  In order to compile the original HLL file into CIL, the same HLL file will
> need to be reinstalled.
>
> +.TP
> +.B retain-tmp
> +When set to "true", tmp directories (the sandbox at
> \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at
> \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
> compilation to allow debugging of any build errors. Note that on a
> successful build the sandbox becomes
> \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
> +.br
> +The
> +.B retain-tmp
> +option can be set to either "true" or "false" and by default it is set to
> "false".
> +
>  .SH "SEE ALSO"
>  .TP
>  semanage(8)
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> index b527e893..f098e55d 100644
> --- a/libsemanage/src/conf-parse.y
> +++ b/libsemanage/src/conf-parse.y
> @@ -61,7 +61,7 @@ static int parse_errors;
>
>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
> SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START
> DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>  %token PROG_PATH PROG_ARGS
>  %token  ARG
> @@ -95,6 +95,7 @@ single_opt: module_store
> |   bzip_blocksize
> |   bzip_small
> |   remove_hll
> +   |   retain_tmp
>  ;
>
>  module_store:   MODULE_STORE '=' ARG {
> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
> free($3);
>  }
>
> +retain_tmp:  RETAIN_TMP'=' ARG {
> +   if (strcasecmp($3, "false") == 0) {
> +   current_conf->retain_tmp = 0;
> +   } else if (strcasecmp($3, "true") == 0) {
> +   current_conf->retain_tmp = 1;
> +   } else {
> +   yyerror("retain-tmp can only be 'true' or 'false'");
> +   }
> +   free($3);
> +}
> +
>  command_block:
>  command_start external_opts BLOCK_END  {
>  if (new_external->path == NULL) {
> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
> conf->bzip_small = 0;
> conf->ignore_module_cache = 0;
> conf->remove_hll = 0;
> +   conf->retain_tmp = 0;
>
> conf->save_previous = 0;
> conf->save_linked = 0;
> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> index 607bbf0b..e26c3494 100644
> --- a/libsemanage/src/conf-scan.l
> +++ b/libsemanage/src/conf-scan.l
> @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN;
>  bzip-blocksize return BZIP_BLOCKSIZE;
>  bzip-small return BZIP_SMALL;
>  remove-hll return REMOVE_HLL;
> +retain-tmp return RETAIN_TMP;
>  "[load_policy]"   return LOAD_POLICY_START;
>  "[setfiles]"  return SETFILES_START;
>  "[sefcontext_compile]"  return SEFCONTEXT_COMPILE_START;
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index a455612f..5d2a443c 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t *
> sh
>  static int semanage_direct_disconnect(semanage_handle_t * sh)
>  {
> /* destroy transaction */
> -   if (sh->is_in_transaction) {
> +   if (sh->is_in_transaction)
> +   semanage_release_trans_lock(sh);

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-15 Thread William Roberts
On Mon, Jan 15, 2018 at 8:39 AM, Richard Haines
<richard_c_hai...@btinternet.com> wrote:
> On Mon, 2018-01-15 at 07:46 -0800, William Roberts wrote:
>> On Sun, Jan 14, 2018 at 7:34 AM, Richard Haines
>> <richard_c_hai...@btinternet.com> wrote:
>> > Add new option to semanage.conf that allows the tmp build files
>> > to be kept for debugging when building policy.
>>
>> How do people know where the tmp files are, does something print it
>> out or is it
>> documented in a manpage somewhere?
>
> I updated the semanage.conf man page in the patch that states where
> they are located.

I read right past that, thanks for pointing it out. I need all the help I can
get some days.

If you think more clarification is required let me
> know. I guess the semanage/semodule man pages could do with a reference
> to semanage.conf as it does influence the policy build, but that would
> be a separate patch.
>
> I added this patch as when running semodule to add a new hand cranked
> module, I make a mistake and the following error was displayed showing
> the file location:
>
> Failed to resolve typeattributeset statement at
> /var/lib/selinux/targeted/tmp/modules/400/local/cil:3
>
> However without the patch it deleted the tmp directory so I could not
> find the mistake.

This seems very reasonable. I have had similar issues in Android build
where I have to make sure it doesn't clobber intermediate files.

Ack by me. I am going to let this sit until Wednesday since some
folks have today off in the US and might not be following.

Assuming no complaints from others, I'll take it to merge on Wednesday.

>
>>
>> >
>> > Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
>> > ---
>> >  libsemanage/man/man5/semanage.conf.5 |  8 
>> >  libsemanage/src/conf-parse.y | 15 ++-
>> >  libsemanage/src/conf-scan.l  |  1 +
>> >  libsemanage/src/direct_api.c | 21 -
>> >  libsemanage/src/semanage_conf.h  |  1 +
>> >  5 files changed, 36 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/libsemanage/man/man5/semanage.conf.5
>> > b/libsemanage/man/man5/semanage.conf.5
>> > index 8f8de55a..10cab65a 100644
>> > --- a/libsemanage/man/man5/semanage.conf.5
>> > +++ b/libsemanage/man/man5/semanage.conf.5
>> > @@ -121,6 +121,14 @@ and by default it is set to "false".
>> >  Please note that since this option deletes all HLL files, an
>> > updated HLL compiler will not be able to recompile the original HLL
>> > file into CIL.
>> >  In order to compile the original HLL file into CIL, the same HLL
>> > file will need to be reinstalled.
>> >
>> > +.TP
>> > +.B retain-tmp
>> > +When set to "true", tmp directories (the sandbox at \fBstore-
>> > root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at
>> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
>> > compilation to allow debugging of any build errors. Note that on a
>> > successful build the sandbox becomes \fBstore-root/\fR[\fIpolicy-
>> > store\fR]\fB/active\fR.
>> > +.br
>> > +The
>> > +.B retain-tmp
>> > +option can be set to either "true" or "false" and by default it is
>> > set to "false".
>> > +
>> >  .SH "SEE ALSO"
>> >  .TP
>> >  semanage(8)
>> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-
>> > parse.y
>> > index b527e893..f098e55d 100644
>> > --- a/libsemanage/src/conf-parse.y
>> > +++ b/libsemanage/src/conf-parse.y
>> > @@ -61,7 +61,7 @@ static int parse_errors;
>> >
>> >  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
>> > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE
>> > STORE_ROOT
>> >  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START
>> > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
>> > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
>> > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
>> >  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START
>> > BLOCK_END
>> >  %token PROG_PATH PROG_ARGS
>> >  %token  ARG
>> > @@ -95,6 +95,7 @@ single_opt: module_store
>> > |   bzip_blocksize
>> > |   bzip_small
>> > |   remove_hll
>> > +   |   retain_tmp
>> >  ;
>> >
>> >  modul

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-15 Thread William Roberts
On Sun, Jan 14, 2018 at 7:34 AM, Richard Haines
 wrote:
> Add new option to semanage.conf that allows the tmp build files
> to be kept for debugging when building policy.

How do people know where the tmp files are, does something print it out or is it
documented in a manpage somewhere?

>
> Signed-off-by: Richard Haines 
> ---
>  libsemanage/man/man5/semanage.conf.5 |  8 
>  libsemanage/src/conf-parse.y | 15 ++-
>  libsemanage/src/conf-scan.l  |  1 +
>  libsemanage/src/direct_api.c | 21 -
>  libsemanage/src/semanage_conf.h  |  1 +
>  5 files changed, 36 insertions(+), 10 deletions(-)
>
> diff --git a/libsemanage/man/man5/semanage.conf.5 
> b/libsemanage/man/man5/semanage.conf.5
> index 8f8de55a..10cab65a 100644
> --- a/libsemanage/man/man5/semanage.conf.5
> +++ b/libsemanage/man/man5/semanage.conf.5
> @@ -121,6 +121,14 @@ and by default it is set to "false".
>  Please note that since this option deletes all HLL files, an updated HLL 
> compiler will not be able to recompile the original HLL file into CIL.
>  In order to compile the original HLL file into CIL, the same HLL file will 
> need to be reinstalled.
>
> +.TP
> +.B retain-tmp
> +When set to "true", tmp directories (the sandbox at 
> \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at 
> \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after 
> compilation to allow debugging of any build errors. Note that on a successful 
> build the sandbox becomes \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
> +.br
> +The
> +.B retain-tmp
> +option can be set to either "true" or "false" and by default it is set to 
> "false".
> +
>  .SH "SEE ALSO"
>  .TP
>  semanage(8)
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> index b527e893..f098e55d 100644
> --- a/libsemanage/src/conf-parse.y
> +++ b/libsemanage/src/conf-parse.y
> @@ -61,7 +61,7 @@ static int parse_errors;
>
>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED 
> TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START 
> DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>  %token PROG_PATH PROG_ARGS
>  %token  ARG
> @@ -95,6 +95,7 @@ single_opt: module_store
> |   bzip_blocksize
> |   bzip_small
> |   remove_hll
> +   |   retain_tmp
>  ;
>
>  module_store:   MODULE_STORE '=' ARG {
> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
> free($3);
>  }
>
> +retain_tmp:  RETAIN_TMP'=' ARG {
> +   if (strcasecmp($3, "false") == 0) {
> +   current_conf->retain_tmp = 0;
> +   } else if (strcasecmp($3, "true") == 0) {
> +   current_conf->retain_tmp = 1;
> +   } else {
> +   yyerror("retain-tmp can only be 'true' or 'false'");
> +   }
> +   free($3);
> +}
> +
>  command_block:
>  command_start external_opts BLOCK_END  {
>  if (new_external->path == NULL) {
> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
> conf->bzip_small = 0;
> conf->ignore_module_cache = 0;
> conf->remove_hll = 0;
> +   conf->retain_tmp = 0;
>
> conf->save_previous = 0;
> conf->save_linked = 0;
> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> index 607bbf0b..e26c3494 100644
> --- a/libsemanage/src/conf-scan.l
> +++ b/libsemanage/src/conf-scan.l
> @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN;
>  bzip-blocksize return BZIP_BLOCKSIZE;
>  bzip-small return BZIP_SMALL;
>  remove-hll return REMOVE_HLL;
> +retain-tmp return RETAIN_TMP;
>  "[load_policy]"   return LOAD_POLICY_START;
>  "[setfiles]"  return SETFILES_START;
>  "[sefcontext_compile]"  return SEFCONTEXT_COMPILE_START;
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index a455612f..5d2a443c 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t * 
> sh
>  static int semanage_direct_disconnect(semanage_handle_t * sh)
>  {
> /* destroy transaction */
> -   if (sh->is_in_transaction) {
> +   if (sh->is_in_transaction)
> +   semanage_release_trans_lock(sh);
> +
> +   if (!sh->conf->retain_tmp && sh->is_in_transaction) {
> /* destroy sandbox */
> if (semanage_remove_directory
> (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
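Review bot: In `semanage_direct_disconnect` the new `semanage_release_trans_lock(sh)` call runs before the sandbox under `SEMANAGE_TMP` is removed, so the directory is deleted while no transaction lock is held. If another process can take the lock and start using that directory in between (not visible from this hunk), its files could be removed underneath it. Keeping the release after the removal block closes that window, i.e. placing `if (sh->is_in_transaction) semanage_release_trans_lock(sh);` below the `retain_tmp` branch. A comment such as `/* retain-tmp set: leave the sandbox on disk */` above the new condition would also make clear why cleanup is skipped. The function body continues outside the hunk.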
> @@ -342,7 +345,6 @@ static int semanage_direct_disconnect(semanage_handle_t 

Re: [PATCH] libselinux: Correct manpages regarding removable_context

2018-01-13 Thread William Roberts
On Wed, Jan 10, 2018 at 6:12 AM, Richard Haines
 wrote:
> The selabel_media(5) man page incorrectly stated that the
> removable_context(5) would be read if an selabel_lookup(3)
> failed. Correct the man pages that fixes [1].
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621
>
> Signed-off-by: Richard Haines 
> ---
>  libselinux/man/man5/removable_context.5 | 5 ++---
>  libselinux/man/man5/selabel_media.5 | 4 +---
>  2 files changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/libselinux/man/man5/removable_context.5 
> b/libselinux/man/man5/removable_context.5
> index 60aaa938..f16e8bdc 100644
> --- a/libselinux/man/man5/removable_context.5
> +++ b/libselinux/man/man5/removable_context.5
> @@ -3,8 +3,7 @@
>  removable_context \- The SELinux removable devices context configuration file
>  .
>  .SH "DESCRIPTION"
> -This file contains the default label that should be used for removable 
> devices that are not defined in the \fImedia\fR file (that is described in
> -.BR selabel_media "(5)). "
> +This file contains the default label that should be used for removable 
> devices.
>  .sp
>  .BR selinux_removable_context_path "(3) "
>  will return the active policy path to this file. The default removable 
> context file is:
> @@ -34,4 +33,4 @@ A user, role, type and optional range (for MCS/MLS) 
> separated by colons (:) that
>  system_u:object_r:removable_t:s0
>  .
>  .SH "SEE ALSO"
> -.BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media 
> "(5), " selinux_config "(5) "
> +.BR selinux "(8), " selinux_removable_context_path "(3), " selinux_config 
> "(5) "
> diff --git a/libselinux/man/man5/selabel_media.5 
> b/libselinux/man/man5/selabel_media.5
> index 395ed0e7..b7c28e32 100644
> --- a/libselinux/man/man5/selabel_media.5
> +++ b/libselinux/man/man5/selabel_media.5
> @@ -52,8 +52,6 @@ The default media contexts file is:
>  .RE
>  .sp
>  Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file 
> \fIconfig\fR (see \fBselinux_config\fR(5)).
> -.sp
> -Should there not be a valid entry in the \fImedia\fR file, then the default 
> \fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)).
>  .
>  .SH "FILE FORMAT"
>  Each line within the \fImedia\fR file is as follows:
> @@ -90,4 +88,4 @@ this is not set, then it is possible for an invalid context 
> to be returned.
>  .SH "SEE ALSO"
>  .ad l
>  .nh
> -.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " 
> selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " 
> selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " 
> removable_context "(5) "
> +.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " 
> selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " 
> selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5) "
> --
> 2.14.3
>
>

Thanks applied.
https://github.com/SELinuxProject/selinux/pull/74



Re: [PATCH] libselinux: Correct manpages regarding removable_context

2018-01-10 Thread William Roberts
On Wed, Jan 10, 2018 at 6:12 AM, Richard Haines
 wrote:
> The selabel_media(5) man page incorrectly stated that the
> removable_context(5) would be read if an selabel_lookup(3)
> failed. Correct the man pages that fixes [1].
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621
>
> Signed-off-by: Richard Haines 
> ---
>  libselinux/man/man5/removable_context.5 | 5 ++---
>  libselinux/man/man5/selabel_media.5 | 4 +---
>  2 files changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/libselinux/man/man5/removable_context.5 
> b/libselinux/man/man5/removable_context.5
> index 60aaa938..f16e8bdc 100644
> --- a/libselinux/man/man5/removable_context.5
> +++ b/libselinux/man/man5/removable_context.5
> @@ -3,8 +3,7 @@
>  removable_context \- The SELinux removable devices context configuration file
>  .
>  .SH "DESCRIPTION"
> -This file contains the default label that should be used for removable 
> devices that are not defined in the \fImedia\fR file (that is described in
> -.BR selabel_media "(5)). "
> +This file contains the default label that should be used for removable 
> devices.
>  .sp
>  .BR selinux_removable_context_path "(3) "
>  will return the active policy path to this file. The default removable 
> context file is:
> @@ -34,4 +33,4 @@ A user, role, type and optional range (for MCS/MLS) 
> separated by colons (:) that
>  system_u:object_r:removable_t:s0
>  .
>  .SH "SEE ALSO"
> -.BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media 
> "(5), " selinux_config "(5) "
> +.BR selinux "(8), " selinux_removable_context_path "(3), " selinux_config 
> "(5) "
> diff --git a/libselinux/man/man5/selabel_media.5 
> b/libselinux/man/man5/selabel_media.5
> index 395ed0e7..b7c28e32 100644
> --- a/libselinux/man/man5/selabel_media.5
> +++ b/libselinux/man/man5/selabel_media.5
> @@ -52,8 +52,6 @@ The default media contexts file is:
>  .RE
>  .sp
>  Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file 
> \fIconfig\fR (see \fBselinux_config\fR(5)).
> -.sp
> -Should there not be a valid entry in the \fImedia\fR file, then the default 
> \fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)).
>  .
>  .SH "FILE FORMAT"
>  Each line within the \fImedia\fR file is as follows:
> @@ -90,4 +88,4 @@ this is not set, then it is possible for an invalid context 
> to be returned.
>  .SH "SEE ALSO"
>  .ad l
>  .nh
> -.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " 
> selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " 
> selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " 
> removable_context "(5) "
> +.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " 
> selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " 
> selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5) "
> --
> 2.14.3
>
>

Ack.



Re: [PATCH v2] selinux: ensure the context is NUL terminated in security_context_to_sid_core()

2017-12-01 Thread William Roberts
On Fri, Dec 1, 2017 at 1:31 PM, Paul Moore  wrote:
> From: Paul Moore 
>
> The syzbot/syzkaller automated tests found a problem in
> security_context_to_sid_core() during early boot (before we load the
> SELinux policy) where we could potentially feed context strings without
> NUL terminators into the strcmp() function.
>
> We already guard against this during normal operation (after the SELinux
> policy has been loaded) by making a copy of the context strings and
> explicitly adding a NUL terminator to the end.  The patch extends this
> protection to the early boot case (no loaded policy) by moving the context
> copy earlier in security_context_to_sid_core().
>
> Reported-by: syzbot 
> Signed-off-by: Paul Moore 
> ---
>  security/selinux/ss/services.c |   18 --
>  1 file changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 33cfe5d3d6cb..d05496deb229 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1413,27 +1413,25 @@ static int security_context_to_sid_core(const char 
> *scontext, u32 scontext_len,
> if (!scontext_len)
> return -EINVAL;
>
> +   /* Copy the string to allow changes and ensure a NUL terminator */
> +   scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
> +   if (!scontext2)
> +   return -ENOMEM;
> +
> if (!ss_initialized) {
> int i;
>
> for (i = 1; i < SECINITSID_NUM; i++) {
> -   if (!strcmp(initial_sid_to_string[i], scontext)) {
> +   if (!strcmp(initial_sid_to_string[i], scontext2)) {
> *sid = i;
> -   return 0;
> +   goto out;
> }
> }
> *sid = SECINITSID_KERNEL;
> -   return 0;
> +   goto out;
> }
> *sid = SECSID_NULL;
>
> -   /* Copy the string so that we can modify the copy as we parse it. */
> -   scontext2 = kmalloc(scontext_len + 1, gfp_flags);
> -   if (!scontext2)
> -   return -ENOMEM;
> -   memcpy(scontext2, scontext, scontext_len);
> -   scontext2[scontext_len] = 0;
> -
> if (force) {
> /* Save another copy for storing in uninterpreted form */
> rc = -ENOMEM;
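Review bot: The two `goto out` exits in the `!ss_initialized` branch now return whatever `rc` holds, where the old code returned a literal 0, and the declaration of `rc` is outside this hunk. If `rc` is not initialised to 0 there, an explicit `rc = 0;` before each `goto out` is needed. The early-boot path can also now fail with `-ENOMEM` from `kmemdup_nul()`, which the old code could not. A short comment saying so, and noting that `out:` (outside the hunk) is presumably where `scontext2` is freed, would help the next reader.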
>
>

I like negative diffstats.




Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-27 Thread William Roberts
Thanks. Applied: https://github.com/SELinuxProject/selinux/pull/71

On Wed, Nov 22, 2017 at 7:09 AM, Jan Zarsky  wrote:
> Function dbase_llist_iterate iterates over records and checks return
> value of iterate function. According to a manpage semanage_iterate(3),
> handler can return value 1 for early exit. dbase_llist_iterate
> currently checks for return value > 1, which does not include
> expected value 1. This affects most of the semanage_*_iterate
> and semanage_*_local functions.
>
> Signed-off-by: Jan Zarsky 
> ---
>  libsemanage/src/database_llist.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/database_llist.c 
> b/libsemanage/src/database_llist.c
> index 8ce2e2c1..c8f4ff0b 100644
> --- a/libsemanage/src/database_llist.c
> +++ b/libsemanage/src/database_llist.c
> @@ -263,7 +263,7 @@ int dbase_llist_iterate(semanage_handle_t * handle,
> if (rc < 0)
> goto err;
>
> -   else if (rc > 1)
> +   else if (rc > 0)
> break;
> }
>
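Review bot: The handler return contract that this comparison encodes is not written down next to it; a comment above the check such as `/* handler: < 0 error, 0 continue, > 0 stop iterating (see semanage_iterate(3)) */` would keep it from drifting again. The `else` after `goto err;` is also redundant, so `if (rc > 0) break;` reads more directly. The loop and the function body start and end outside the hunk, and the same hunk is quoted again in the two later replies in this thread.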
> --
> 2.14.3
>
>



-- 
Respectfully,

William C Roberts



Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-27 Thread William Roberts
On Mon, Nov 27, 2017 at 2:01 AM, Jan Zarsky  wrote:
> Function dbase_llist_iterate() iterates over records and checks return
> value of iterate function. According to a manpage semanage_iterate(3),
> handler can return value 1 for early exit. dbase_llist_iterate()
> currently checks for return value > 1, which does not include
> expected value 1.
>
> Affected functions:
> semanage_bool_iterate_local
> semanage_fcontext_iterate
> semanage_fcontext_iterate_local
> semanage_ibendport_iterate_local
> semanage_ibpkey_iterate_local
> semanage_iface_iterate_local
> semanage_node_iterate_local
> semanage_port_iterate_local
> semanage_seuser_iterate
> semanage_seuser_iterate_local
> semanage_user_iterate
> semanage_user_iterate_local

Not really what I had in mind. I meant: what was the effect? This is simple
enough to gather, so ack on v1.

My understanding is that the effect is that it doesn't short
circuit the iterate
routine so lockups take longer than they need be, is that correct?

>
> Signed-off-by: Jan Zarsky 
> ---
>  libsemanage/src/database_llist.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/database_llist.c 
> b/libsemanage/src/database_llist.c
> index 8ce2e2c1..c8f4ff0b 100644
> --- a/libsemanage/src/database_llist.c
> +++ b/libsemanage/src/database_llist.c
> @@ -263,7 +263,7 @@ int dbase_llist_iterate(semanage_handle_t * handle,
> if (rc < 0)
> goto err;
>
> -   else if (rc > 1)
> +   else if (rc > 0)
> break;
> }
>
> --
> 2.14.3
>
>



-- 
Respectfully,

William C Roberts



Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-22 Thread William Roberts
On Wed, Nov 22, 2017 at 7:09 AM, Jan Zarsky  wrote:
> Function dbase_llist_iterate iterates over records and checks return
> value of iterate function. According to a manpage semanage_iterate(3),
> handler can return value 1 for early exit. dbase_llist_iterate
> currently checks for return value > 1, which does not include
> expected value 1. This affects most of the semanage_*_iterate
> and semanage_*_local functions.

Can you update this message to describe what is affected.

>
> Signed-off-by: Jan Zarsky 
> ---
>  libsemanage/src/database_llist.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/database_llist.c 
> b/libsemanage/src/database_llist.c
> index 8ce2e2c1..c8f4ff0b 100644
> --- a/libsemanage/src/database_llist.c
> +++ b/libsemanage/src/database_llist.c
> @@ -263,7 +263,7 @@ int dbase_llist_iterate(semanage_handle_t * handle,
> if (rc < 0)
> goto err;
>
> -   else if (rc > 1)
> +   else if (rc > 0)

This looks fine to me.

> break;
> }
>
> --
> 2.14.3
>

Please resend with the message updated and I'll ack.



Re: [PATCH 1/1] Travis-CI: try working around network issues by retrying downloads

2017-10-25 Thread William Roberts
On Tue, Oct 24, 2017 at 2:39 PM, Nicolas Iooss  wrote:
> Some Travis-CI builds failed because of issues when downloading
> refpolicy files for sepolgen tests. Use curl's option --retry to make
> the downloads work when the networking issues are only transient.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  .travis.yml | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/.travis.yml b/.travis.yml
> index e21b4d2198e5..88f6297e63bc 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -64,10 +64,10 @@ addons:
>  install:
># Download refpolicy Makefile for sepolgen tests
>- sudo mkdir -p /usr/share/selinux/default
> -  - sudo curl -o /usr/share/selinux/default/Makefile 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/support/Makefile.devel'
> +  - sudo curl --retry 10 -o /usr/share/selinux/default/Makefile 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/support/Makefile.devel'
>- sudo sed "s,^PREFIX :=.*,PREFIX := $TRAVIS_BUILD_DIR/installdir/usr," -i 
> /usr/share/selinux/default/Makefile
>- sudo mkdir -p /usr/share/selinux/refpolicy/include
> -  - sudo curl -o /usr/share/selinux/refpolicy/include/build.conf 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/build.conf'
> +  - sudo curl --retry 10 -o /usr/share/selinux/refpolicy/include/build.conf 
> 'https://raw.githubusercontent.com/TresysTechnology/refpolicy/RELEASE_2_20170204/build.conf'
>- sudo mkdir -p /etc/selinux
>- echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
>
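Review bot: The files fetched here are written under `/usr/share/selinux` with `sudo` and then used by the build, and `--retry` only covers transient transfer failures; nothing checks that what arrived is the expected content. Adding `--fail` (`sudo curl --fail --retry 10 -o ...`) would make an HTTP error response fail the step instead of being saved as the Makefile. A pinned checksum verified with `sha256sum -c` before use would catch a changed or truncated download. The same applies to the `python.tar.bz2` download in the next hunk, which is unpacked into `/` as root.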
> @@ -77,7 +77,7 @@ install:
># Download the required python version if it is not installed
>- VIRTUAL_ENV="$HOME/virtualenv/$PYVER"
>- if ! [ -d "$VIRTUAL_ENV" ] ; then
> -curl -o python.tar.bz2 
> "https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/${PYVER/python/python-}.tar.bz2;
>  &&
> +curl --retry 10 -o python.tar.bz2 
> "https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/${PYVER/python/python-}.tar.bz2;
>  &&
>  sudo tar xjf python.tar.bz2 --directory / &&
>  rm python.tar.bz2 ;
>  fi
> --
> 2.14.2
>
>

Ack



Re: travis CI

2017-10-24 Thread William Roberts
On Oct 24, 2017 13:05, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:

On Tue, 2017-10-24 at 09:26 -0700, William Roberts wrote:
> Error 52, which if it lines up with what I am reading is
> CURLE_GOT_NOTHING
> https://curl.haxx.se/libcurl/c/libcurl-errors.html
>
> That url/command combo seems valid, likely a transient issue with
> github.

I restarted the job, and it failed again in the same way (but on
different cases).  Then I restarted it a third time, and this time it
ran to completion.  This seems problematic; we likely need to
reconsider any use of curl from the travis.yml file.


Weird. I wget things from sourceforge all the time. The only time I have
issues is when sourceforge is down.


>
>
>
>
> On Tue, Oct 24, 2017 at 9:05 AM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote:
> > > On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.
> > > gov>
> > > wrote:
> > > > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote:
> > > > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss  > > > > @m4x
> > > > > .org
> > > > > > wrote:
> > > > > > On Fri, Oct 13, 2017 at 1:50 AM, William Roberts
> > > > > > <bill.c.robe...@gmail.com> wrote:
> > > > > > > On Thu, Oct 12, 2017 at 1:48 PM, Stephen Smalley <sds@tyc
> > > > > > > ho.n
> > > > > > > sa.g
> > > > > > > ov> wrote:
> > > > > > > > On Thu, 2017-10-12 at 11:29 -0700, William Roberts
> > > > > > > > wrote:
> > > > > > > > > I see a travis.yml file, recently modified by
> > > > > > > > > Nicolas,
> > > > > > > > > but I
> > > > > > > > > failed
> > > > > > > > > to
> > > > > > > > > find the Travis CI instance on travis.org, where is
> > > > > > > > > it?
> > > > > > > > >
> > > > > > > > > We should likely have it running on commits to the
> > > > > > > > > repo
> > > > > > > > > and
> > > > > > > > > PRs so we
> > > > > > > > > can have some independent way of verifying that our
> > > > > > > > > run
> > > > > > > > > of
> > > > > > > > > the tests
> > > > > > > > > was compromised by some env variation or mistake.
> > > > > > > > >
> > > > > > > > > Thoughts?
> > > > > > > >
> > > > > > > > To date he has just run it on his own fork.  Not
> > > > > > > > opposed to
> > > > > > > > enabling
> > > > > > > > it, just haven't looked into that...
> > > > > > >
> > > > > > > I have done it for my some of my projects, Ill go ahead
> > > > > > > and
> > > > > > > set
> > > > > > > this up.
> > > > > >
> > > > > > I configured Travis-CI to test the branches in my Github
> > > > > > repository
> > > > > > a
> > > > > > little more than one year ago, after several build
> > > > > > configurations
> > > > > > got
> > > > > > broken (clang on Linux for example). I later added more
> > > > > > features to
> > > > > > it
> > > > > > (for example warning about missing .gitignore entries,
> > > > > > testing
> > > > > > several
> > > > > > Ruby and Python versions, etc), before I upstreamed my
> > > > > > .travis.yml
> > > > > > file (a few months ago). When I did it, my main motivation
> > > > > > was
> > > > > > to
> > > > > > simplify the job of anyone who would want to configure a CI
> > > > > > system
> > > > > > on
> > > > > > the project (the building rules and dependencies should be
> > > > > > quite
> > > > > > similar). Using a continuous integration system is useful
> > > > > > to
> > > > > > prevent
> > > > > > simple regression issue

Re: travis CI

2017-10-24 Thread William Roberts
Error 52, which if it lines up with what I am reading is CURLE_GOT_NOTHING
https://curl.haxx.se/libcurl/c/libcurl-errors.html

That url/command combo seems valid, likely a transient issue with github.




On Tue, Oct 24, 2017 at 9:05 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote:
>> On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov>
>> wrote:
>> > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote:
>> > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.iooss@m4x
>> > > .org
>> > > > wrote:
>> > > > On Fri, Oct 13, 2017 at 1:50 AM, William Roberts
>> > > > <bill.c.robe...@gmail.com> wrote:
>> > > > > On Thu, Oct 12, 2017 at 1:48 PM, Stephen Smalley <sds@tycho.n
>> > > > > sa.g
>> > > > > ov> wrote:
>> > > > > > On Thu, 2017-10-12 at 11:29 -0700, William Roberts wrote:
>> > > > > > > I see a travis.yml file, recently modified by Nicolas,
>> > > > > > > but I
>> > > > > > > failed
>> > > > > > > to
>> > > > > > > find the Travis CI instance on travis.org, where is it?
>> > > > > > >
>> > > > > > > We should likely have it running on commits to the repo
>> > > > > > > and
>> > > > > > > PRs so we
>> > > > > > > can have some independent way of verifying that our run
>> > > > > > > of
>> > > > > > > the tests
>> > > > > > > was compromised by some env variation or mistake.
>> > > > > > >
>> > > > > > > Thoughts?
>> > > > > >
>> > > > > > To date he has just run it on his own fork.  Not opposed to
>> > > > > > enabling
>> > > > > > it, just haven't looked into that...
>> > > > >
>> > > > > I have done it for my some of my projects, Ill go ahead and
>> > > > > set
>> > > > > this up.
>> > > >
>> > > > I configured Travis-CI to test the branches in my Github
>> > > > repository
>> > > > a
>> > > > little more than one year ago, after several build
>> > > > configurations
>> > > > got
>> > > > broken (clang on Linux for example). I later added more
>> > > > features to
>> > > > it
>> > > > (for example warning about missing .gitignore entries, testing
>> > > > several
>> > > > Ruby and Python versions, etc), before I upstreamed my
>> > > > .travis.yml
>> > > > file (a few months ago). When I did it, my main motivation was
>> > > > to
>> > > > simplify the job of anyone who would want to configure a CI
>> > > > system
>> > > > on
>> > > > the project (the building rules and dependencies should be
>> > > > quite
>> > > > similar). Using a continuous integration system is useful to
>> > > > prevent
>> > > > simple regression issues which would otherwise only be detected
>> > > > when
>> > > > someone running a specific configuration tries to build the
>> > > > project.
>> > > >
>> > > > Before asking to enable Travis-CI on the main SELinux
>> > > > repository, I
>> > > > wanted to make sure it was stable/reliable enough. To do this,
>> > > > I
>> > > > created a branch named "travis-upstream" in my repository,
>> > > > which
>> > > > tracked the master branch of the main repository. All went well
>> > > > for
>> > > > quite some time, until Travis-CI modified this summer their
>> > > > environments, introducing some incompatibilities with projects
>> > > > which
>> > > > use several programming languages. Thankfully these changes
>> > > > have
>> > > > been
>> > > > documented in Travis-CI's blog and I updated the config file to
>> > > > fix
>> > > > the builds with commits b1ea8120832d ("Travis-CI: use sugulite
>> > > > environment") and 6d9258e5a05f ("Travis-CI: fix configuration
>> > > > after
>> 

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-23 Thread William Roberts
On Mon, Oct 23, 2017 at 9:12 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Mon, Oct 23, 2017 at 8:57 AM, Dan Cashman <dcash...@android.com> wrote:
>> On 10/20/2017 09:09 AM, William Roberts wrote:
>>>
>>> On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss <nicolas.io...@m4x.org>
>>> wrote:
>>>>
>>>> On Thu, Oct 19, 2017 at 9:46 PM, Stephen Smalley <s...@tycho.nsa.gov>
>>>> wrote:
>>>>>
>>>>> On Thu, 2017-10-19 at 14:27 -0400, Stephen Smalley wrote:
>>>>>>
>>>>>> On Thu, 2017-10-19 at 09:25 -0700, William Roberts wrote:
>>>>>>>
>>>>>>> On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley <s...@tycho.nsa.gov
>>>>>>>>
>>>>>>>>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote:
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>> diff --git a/libselinux/src/label_file.c
>>>>>>>>> b/libselinux/src/label_file.c
>>>>>>>>> index 560d8c3d..b3b36bc2 100644
>>>>>>>>> --- a/libselinux/src/label_file.c
>>>>>>>>> +++ b/libselinux/src/label_file.c
>>>>>>>>> @@ -709,28 +709,61 @@ static int init(struct selabel_handle
>>>>>>>>> *rec,
>>>>>>>>> const struct selinux_opt *opts,
>>>>>>>>>unsigned n)
>>>>>>>>>   {
>>>>>>>>>struct saved_data *data = (struct saved_data *)rec->data;
>>>>>>>>> - const char *path = NULL;
>>>>>>>>> + size_t num_paths = 0;
>>>>>>>>> + char **path = NULL;
>>>>>>>>>const char *prefix = NULL;
>>>>>>>>> - int status = -1, baseonly = 0;
>>>>>>>>> + int status = -1;
>>>>>>>>> + size_t i;
>>>>>>>>> + bool baseonly = false;
>>>>>>>>> + bool path_provided;
>>>>>>>>>
>>>>>>>>>/* Process arguments */
>>>>>>>>> - while (n--)
>>>>>>>>> - switch(opts[n].type) {
>>>>>>>>> + i = n;
>>>>>>>>> + while (i--)
>>>>>>>>> + switch(opts[i].type) {
>>>>>>>>>case SELABEL_OPT_PATH:
>>>>>>>>> - path = opts[n].value;
>>>>>>>>> + num_paths++;
>>>>>>>>>break;
>>>>>>>>>case SELABEL_OPT_SUBSET:
>>>>>>>>> - prefix = opts[n].value;
>>>>>>>>> + prefix = opts[i].value;
>>>>>>>>>break;
>>>>>>>>>case SELABEL_OPT_BASEONLY:
>>>>>>>>> - baseonly = !!opts[n].value;
>>>>>>>>> + baseonly = !!opts[i].value;
>>>>>>>>>break;
>>>>>>>>>}
>>>>>>>>>
>>>>>>>>> + if (!num_paths) {
>>>>>>>>> + num_paths = 1;
>>>>>>>>> + path_provided = false;
>>>>>>>>> + } else {
>>>>>>>>> + path_provided = true;
>>>>>>>>> + }
>>>>>>>>> +
>>>>>>>>> + path = calloc(num_paths, sizeof(*path));
>>>>>>>>> + if (path == NULL) {
>>>>>>>>> + goto finish;
>>>>>>>>> + }
>>>>>>>>> + rec->spec_files = path;
>>>>>>>>> + rec->spec_files_len = num_paths;
>>>>>>>>> +
>>>>>>>>> + if (path_provided) {
>>>>>>>>> + for (i = 0; i < n; i++) {
>>>>>>>>> + switch(opts[i]

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-23 Thread William Roberts
On Mon, Oct 23, 2017 at 8:57 AM, Dan Cashman <dcash...@android.com> wrote:
> On 10/20/2017 09:09 AM, William Roberts wrote:
>>
>> On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss <nicolas.io...@m4x.org>
>> wrote:
>>>
>>> On Thu, Oct 19, 2017 at 9:46 PM, Stephen Smalley <s...@tycho.nsa.gov>
>>> wrote:
>>>>
>>>> On Thu, 2017-10-19 at 14:27 -0400, Stephen Smalley wrote:
>>>>>
>>>>> On Thu, 2017-10-19 at 09:25 -0700, William Roberts wrote:
>>>>>>
>>>>>> On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley <s...@tycho.nsa.gov
>>>>>>>
>>>>>>>
>>>>>> wrote:
>>>>>>>
>>>>>>> On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote:
>>>>>>>>
>>>>>>>> [...]
>>>>>>>> diff --git a/libselinux/src/label_file.c
>>>>>>>> b/libselinux/src/label_file.c
>>>>>>>> index 560d8c3d..b3b36bc2 100644
>>>>>>>> --- a/libselinux/src/label_file.c
>>>>>>>> +++ b/libselinux/src/label_file.c
>>>>>>>> @@ -709,28 +709,61 @@ static int init(struct selabel_handle
>>>>>>>> *rec,
>>>>>>>> const struct selinux_opt *opts,
>>>>>>>>unsigned n)
>>>>>>>>   {
>>>>>>>>struct saved_data *data = (struct saved_data *)rec->data;
>>>>>>>> - const char *path = NULL;
>>>>>>>> + size_t num_paths = 0;
>>>>>>>> + char **path = NULL;
>>>>>>>>const char *prefix = NULL;
>>>>>>>> - int status = -1, baseonly = 0;
>>>>>>>> + int status = -1;
>>>>>>>> + size_t i;
>>>>>>>> + bool baseonly = false;
>>>>>>>> + bool path_provided;
>>>>>>>>
>>>>>>>>/* Process arguments */
>>>>>>>> - while (n--)
>>>>>>>> - switch(opts[n].type) {
>>>>>>>> + i = n;
>>>>>>>> + while (i--)
>>>>>>>> + switch(opts[i].type) {
>>>>>>>>case SELABEL_OPT_PATH:
>>>>>>>> - path = opts[n].value;
>>>>>>>> + num_paths++;
>>>>>>>>break;
>>>>>>>>case SELABEL_OPT_SUBSET:
>>>>>>>> - prefix = opts[n].value;
>>>>>>>> + prefix = opts[i].value;
>>>>>>>>break;
>>>>>>>>case SELABEL_OPT_BASEONLY:
>>>>>>>> - baseonly = !!opts[n].value;
>>>>>>>> + baseonly = !!opts[i].value;
>>>>>>>>break;
>>>>>>>>}
>>>>>>>>
>>>>>>>> + if (!num_paths) {
>>>>>>>> + num_paths = 1;
>>>>>>>> + path_provided = false;
>>>>>>>> + } else {
>>>>>>>> + path_provided = true;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + path = calloc(num_paths, sizeof(*path));
>>>>>>>> + if (path == NULL) {
>>>>>>>> + goto finish;
>>>>>>>> + }
>>>>>>>> + rec->spec_files = path;
>>>>>>>> + rec->spec_files_len = num_paths;
>>>>>>>> +
>>>>>>>> + if (path_provided) {
>>>>>>>> + for (i = 0; i < n; i++) {
>>>>>>>> + switch(opts[i].type) {
>>>>>>>> + case SELABEL_OPT_PATH:
>>>>>>>> + *path = strdup(opts[i].value);
>>>>>>>
>>>>>>>
>>>>>>> Perhaps surprisingly, opts[i].value can be NULL here and some
>>>>>>> callers
>>>>>>> rely on 

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-20 Thread William Roberts
On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
> On Thu, Oct 19, 2017 at 9:46 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On Thu, 2017-10-19 at 14:27 -0400, Stephen Smalley wrote:
>>> On Thu, 2017-10-19 at 09:25 -0700, William Roberts wrote:
>>> > On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley <s...@tycho.nsa.gov
>>> > >
>>> > wrote:
>>> > > On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote:
>>> > > > [...]
>>> > > > diff --git a/libselinux/src/label_file.c
>>> > > > b/libselinux/src/label_file.c
>>> > > > index 560d8c3d..b3b36bc2 100644
>>> > > > --- a/libselinux/src/label_file.c
>>> > > > +++ b/libselinux/src/label_file.c
>>> > > > @@ -709,28 +709,61 @@ static int init(struct selabel_handle
>>> > > > *rec,
>>> > > > const struct selinux_opt *opts,
>>> > > >   unsigned n)
>>> > > >  {
>>> > > >   struct saved_data *data = (struct saved_data *)rec->data;
>>> > > > - const char *path = NULL;
>>> > > > + size_t num_paths = 0;
>>> > > > + char **path = NULL;
>>> > > >   const char *prefix = NULL;
>>> > > > - int status = -1, baseonly = 0;
>>> > > > + int status = -1;
>>> > > > + size_t i;
>>> > > > + bool baseonly = false;
>>> > > > + bool path_provided;
>>> > > >
>>> > > >   /* Process arguments */
>>> > > > - while (n--)
>>> > > > - switch(opts[n].type) {
>>> > > > + i = n;
>>> > > > + while (i--)
>>> > > > + switch(opts[i].type) {
>>> > > >   case SELABEL_OPT_PATH:
>>> > > > - path = opts[n].value;
>>> > > > + num_paths++;
>>> > > >   break;
>>> > > >   case SELABEL_OPT_SUBSET:
>>> > > > - prefix = opts[n].value;
>>> > > > + prefix = opts[i].value;
>>> > > >   break;
>>> > > >   case SELABEL_OPT_BASEONLY:
>>> > > > - baseonly = !!opts[n].value;
>>> > > > + baseonly = !!opts[i].value;
>>> > > >   break;
>>> > > >   }
>>> > > >
>>> > > > + if (!num_paths) {
>>> > > > + num_paths = 1;
>>> > > > + path_provided = false;
>>> > > > + } else {
>>> > > > + path_provided = true;
>>> > > > + }
>>> > > > +
>>> > > > + path = calloc(num_paths, sizeof(*path));
>>> > > > + if (path == NULL) {
>>> > > > + goto finish;
>>> > > > + }
>>> > > > + rec->spec_files = path;
>>> > > > + rec->spec_files_len = num_paths;
>>> > > > +
>>> > > > + if (path_provided) {
>>> > > > + for (i = 0; i < n; i++) {
>>> > > > + switch(opts[i].type) {
>>> > > > + case SELABEL_OPT_PATH:
>>> > > > + *path = strdup(opts[i].value);
>>> > >
>>> > > Perhaps surprisingly, opts[i].value can be NULL here and some
>>> > > callers
>>> > > rely on that.  After applying your patch, coreutils,
>>> > > selabel_lookup,
>>> > > and other userspace programs all seg fault as a result.  The use
>>> > > case
>>> > > is programs where the selinux_opt structure is declared with a
>>> > > SELABEL_OPT_PATH entry whose value is subsequently filled in, and
>>> > > left
>>> > > NULL if they want to use the default path for file_contexts.
>>> > > Internally, libselinux also does this from the
>>> > > matchpathcon_init_prefix() function.
>>> > >
>>> > > In any event, you need to handle this case.
>>> > >
>>> >
>>> &g

Re: [PATCH] libselinux: android: support exact match for a property key

2017-10-20 Thread William Roberts
On Fri, Oct 20, 2017 at 7:54 AM, Jeffrey Vander Stoep via Selinux
 wrote:
> Please hold off on submission. We're discussing if this is really necessary.

Yeah I'd like to hear about what issues the current longest match
logic was causing
in the commit message.

>
> On Thu, Oct 19, 2017 at 4:49 PM, Jaekyun Seok via Selinux
>  wrote:
>> Performs exact match if a property key of property contexts ends with '$'
>> instead of prefix match.

This seems like an overly verbose way to accomplish exact match. The
property_contexts
file has things like:

*  <-- match everything
foo.bar.   <- match prefix foo.bar. properties
foo.bar.baz <-- currently matches foo.bar.baz, foo.bar.bazbaz, etc. No
trailing .
could be changed to mean exact match.

Really what you would want is that if it doesn't end with a dot, don't
do a prefix
match. No need to add the $ semantic AFAICT.

>>
>> This will enable to define an exact rule which can avoid unexpected
>> context assignment.
>>
>> Signed-off-by: Jaekyun Seok 
>> ---
>>  libselinux/src/label_backends_android.c | 9 +++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/libselinux/src/label_backends_android.c 
>> b/libselinux/src/label_backends_android.c
>> index cb8aae26..4611d396 100644
>> --- a/libselinux/src/label_backends_android.c
>> +++ b/libselinux/src/label_backends_android.c
>> @@ -258,8 +258,13 @@ static struct selabel_lookup_rec 
>> *property_lookup(struct selabel_handle *rec,
>> }
>>
>> for (i = 0; i < data->nspec; i++) {
>> -   if (strncmp(spec_arr[i].property_key, key,
>> -   strlen(spec_arr[i].property_key)) == 0) {
>> +   size_t property_key_len = strlen(spec_arr[i].property_key);
>> +   if (spec_arr[i].property_key[property_key_len - 1] == '$' &&
>> +   strlen(key) == property_key_len - 1 &&
>> +   strncmp(spec_arr[i].property_key, key, property_key_len 
>> - 1) == 0) {
>> +   break;
>> +   }
>> +   if (strncmp(spec_arr[i].property_key, key, property_key_len) 
>> == 0) {
>> break;
>> }
>> if (strncmp(spec_arr[i].property_key, "*", 1) == 0)
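Review bot: `spec_arr[i].property_key[property_key_len - 1]` is evaluated before anything checks that the key is non-empty, so for an empty `property_key` the `size_t` subtraction wraps and the read lands far outside the string. Whether the property_contexts parser can ever produce an empty key is not visible in this hunk, so the guard belongs here: `if (property_key_len > 0 && spec_arr[i].property_key[property_key_len - 1] == '$' &&`. `strlen(key)` is also loop-invariant and can be computed once before the `for`. property_lookup() starts and ends outside the hunk.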
>> --
>> 2.15.0.rc0.271.g36b669edcc-goog
>>
>>
>



-- 
Respectfully,

William C Roberts



Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-19 Thread William Roberts
On Thu, Oct 19, 2017 at 9:25 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote:
>>> From: Dan Cashman <dcash...@google.com>
>>>
>>> The file_contexts labeling backend, specified in label_file.c,
>>> currently assumes
>>> that only one path will be specified as an option to
>>> selabel_open().  The split
>>> of platform and non-platform policy on device, however, will
>>> necessitate the
>>> loading of two disparate policy files.  Rather than combining the
>>> files and then
>>> calling the existing API on a newly-formed file, just add the ability
>>> to specify
>>> multiple files to use.  Order of opt specification to selabel_open
>>> matters.
>>>
>>> This corresponds to AOSP commit
>>> 50400d38203e4db08314168e60c281cc61a717a8, which
>>> lead to a fork with upstream, which we'd like to correct.
>>>
>>> Signed-off-by: Dan Cashman <dcash...@android.com>
>>> ---
>>>  libselinux/src/label.c  |  21 +---
>>>  libselinux/src/label_db.c   |  13 -
>>>  libselinux/src/label_file.c | 104 +-
>>> --
>>>  libselinux/src/label_internal.h |   5 +-
>>>  libselinux/src/label_media.c|  10 +++-
>>>  libselinux/src/label_x.c|  10 +++-
>>>  6 files changed, 124 insertions(+), 39 deletions(-)
>>>
>>> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
>>> index 48f4d2d6..0dfa054c 100644
>>> --- a/libselinux/src/label.c
>>> +++ b/libselinux/src/label.c
>>> @@ -143,7 +143,11 @@ static int selabel_fini(struct selabel_handle
>>> *rec,
>>>   struct selabel_lookup_rec *lr,
>>>   int translating)
>>>  {
>>> - if (compat_validate(rec, lr, rec->spec_file, 0))
>>> + char *path = NULL;
>>> +
>>> + if (rec->spec_files)
>>> + path = rec->spec_files[0];
>>> + if (compat_validate(rec, lr, path, 0))
>>>   return -1;
>>>
>>>   if (translating && !lr->ctx_trans &&
>>> @@ -226,11 +230,9 @@ struct selabel_handle *selabel_open(unsigned int
>>> backend,
>>>   rec->digest = selabel_is_digest_set(opts, nopts, rec-
>>> >digest);
>>>
>>>   if ((*initfuncs[backend])(rec, opts, nopts)) {
>>> - free(rec->spec_file);
>>> - free(rec);
>>> + selabel_close(rec);
>>>   rec = NULL;
>>>   }
>>> -
>>>  out:
>>>   return rec;
>>>  }
>>> @@ -337,10 +339,17 @@ int selabel_digest(struct selabel_handle *rec,
>>>
>>>  void selabel_close(struct selabel_handle *rec)
>>>  {
>>> + size_t i;
>>> +
>>> + if (rec->spec_files) {
>>> + for (i = 0; i < rec->spec_files_len; i++)
>>> + free(rec->spec_files[i]);
>>> + free(rec->spec_files);
>>> + }
>>>   if (rec->digest)
>>>   selabel_digest_fini(rec->digest);
>>> - rec->func_close(rec);
>>> - free(rec->spec_file);
>>> + if (rec->func_close)
>>> + rec->func_close(rec);
>>>   free(rec);
>>>  }
>>>
>>> diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
>>> index c46d0a1d..9a35abea 100644
>>> --- a/libselinux/src/label_db.c
>>> +++ b/libselinux/src/label_db.c
>>> @@ -290,7 +290,18 @@ db_init(const struct selinux_opt *opts, unsigned
>>> nopts,
>>>   errno = EINVAL;
>>>   return NULL;
>>>   }
>>> - rec->spec_file = strdup(path);
>>> + rec->spec_files_len = 1;
>>> + rec->spec_files = calloc(rec->spec_files_len, sizeof(rec-
>>> >spec_files[0]));
>>> + if (!rec->spec_files) {
>>> + free(catalog);
>>> + return NULL;
>>> + }
>>> + rec->spec_files[0] = strdup(path);
>>> + if (!rec->spec_files[0]) {
>>> + free(catalog);
>>> + free(rec->spec_files);
>>> + return NULL;
>>> + 

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-19 Thread William Roberts
On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley  wrote:
> On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote:
>> From: Dan Cashman 
>>
>> The file_contexts labeling backend, specified in label_file.c,
>> currently assumes
>> that only one path will be specified as an option to
>> selabel_open().  The split
>> of platform and non-platform policy on device, however, will
>> necessitate the
>> loading of two disparate policy files.  Rather than combining the
>> files and then
>> calling the existing API on a newly-formed file, just add the ability
>> to specify
>> multiple files to use.  Order of opt specification to selabel_open
>> matters.
>>
>> This corresponds to AOSP commit
>> 50400d38203e4db08314168e60c281cc61a717a8, which
>> lead to a fork with upstream, which we'd like to correct.
>>
>> Signed-off-by: Dan Cashman 
>> ---
>>  libselinux/src/label.c  |  21 +---
>>  libselinux/src/label_db.c   |  13 -
>>  libselinux/src/label_file.c | 104 +-
>> --
>>  libselinux/src/label_internal.h |   5 +-
>>  libselinux/src/label_media.c|  10 +++-
>>  libselinux/src/label_x.c|  10 +++-
>>  6 files changed, 124 insertions(+), 39 deletions(-)
>>
>> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
>> index 48f4d2d6..0dfa054c 100644
>> --- a/libselinux/src/label.c
>> +++ b/libselinux/src/label.c
>> @@ -143,7 +143,11 @@ static int selabel_fini(struct selabel_handle
>> *rec,
>>   struct selabel_lookup_rec *lr,
>>   int translating)
>>  {
>> - if (compat_validate(rec, lr, rec->spec_file, 0))
>> + char *path = NULL;
>> +
>> + if (rec->spec_files)
>> + path = rec->spec_files[0];
>> + if (compat_validate(rec, lr, path, 0))
>>   return -1;
>>
>>   if (translating && !lr->ctx_trans &&
>> @@ -226,11 +230,9 @@ struct selabel_handle *selabel_open(unsigned int
>> backend,
>>   rec->digest = selabel_is_digest_set(opts, nopts, rec-
>> >digest);
>>
>>   if ((*initfuncs[backend])(rec, opts, nopts)) {
>> - free(rec->spec_file);
>> - free(rec);
>> + selabel_close(rec);
>>   rec = NULL;
>>   }
>> -
>>  out:
>>   return rec;
>>  }
>> @@ -337,10 +339,17 @@ int selabel_digest(struct selabel_handle *rec,
>>
>>  void selabel_close(struct selabel_handle *rec)
>>  {
>> + size_t i;
>> +
>> + if (rec->spec_files) {
>> + for (i = 0; i < rec->spec_files_len; i++)
>> + free(rec->spec_files[i]);
>> + free(rec->spec_files);
>> + }
>>   if (rec->digest)
>>   selabel_digest_fini(rec->digest);
>> - rec->func_close(rec);
>> - free(rec->spec_file);
>> + if (rec->func_close)
>> + rec->func_close(rec);
>>   free(rec);
>>  }
>>
>> diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
>> index c46d0a1d..9a35abea 100644
>> --- a/libselinux/src/label_db.c
>> +++ b/libselinux/src/label_db.c
>> @@ -290,7 +290,18 @@ db_init(const struct selinux_opt *opts, unsigned
>> nopts,
>>   errno = EINVAL;
>>   return NULL;
>>   }
>> - rec->spec_file = strdup(path);
>> + rec->spec_files_len = 1;
>> + rec->spec_files = calloc(rec->spec_files_len, sizeof(rec-
>> >spec_files[0]));
>> + if (!rec->spec_files) {
>> + free(catalog);
>> + return NULL;
>> + }
>> + rec->spec_files[0] = strdup(path);
>> + if (!rec->spec_files[0]) {
>> + free(catalog);
>> + free(rec->spec_files);
>> + return NULL;
>> + }
>>
>>   /*
>>* Parse for each lines
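Review bot: On the strdup() failure path this hunk frees `rec->spec_files` but leaves the pointer and `rec->spec_files_len = 1` set, so the handle keeps a dangling array. The label.c hunks of the same patch make selabel_open() call selabel_close(rec) when a backend init fails, and selabel_close() now walks `rec->spec_files`, freeing each entry and then the array. Assuming db_init's NULL return reaches that path, that is a read of freed memory followed by a double free. Either drop `free(rec->spec_files);` here and let selabel_close() own the cleanup, or follow it with `rec->spec_files = NULL;`. db_init starts and ends outside the hunk, and the same hunk is quoted, cut short, in the other reply in this thread.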
>> diff --git a/libselinux/src/label_file.c
>> b/libselinux/src/label_file.c
>> index 560d8c3d..b3b36bc2 100644
>> --- a/libselinux/src/label_file.c
>> +++ b/libselinux/src/label_file.c
>> @@ -709,28 +709,61 @@ static int init(struct selabel_handle *rec,
>> const struct selinux_opt *opts,
>>   unsigned n)
>>  {
>>   struct saved_data *data = (struct saved_data *)rec->data;
>> - const char *path = NULL;
>> + size_t num_paths = 0;
>> + char **path = NULL;
>>   const char *prefix = NULL;
>> - int status = -1, baseonly = 0;
>> + int status = -1;
>> + size_t i;
>> + bool baseonly = false;
>> + bool path_provided;
>>
>>   /* Process arguments */
>> - while (n--)
>> - switch(opts[n].type) {
>> + i = n;
>> + while (i--)
>> + switch(opts[i].type) {
>>   case SELABEL_OPT_PATH:
>> - path = opts[n].value;
>> + num_paths++;
>>   break;
>>   case SELABEL_OPT_SUBSET:
>> - prefix = opts[n].value;
>> + prefix = opts[i].value;
>>   break;
>>   case SELABEL_OPT_BASEONLY:
>> - 

Re: travis CI

2017-10-18 Thread William Roberts
On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote:
>> On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.io...@m4x.org
>> > wrote:
>> > On Fri, Oct 13, 2017 at 1:50 AM, William Roberts
>> > <bill.c.robe...@gmail.com> wrote:
>> > > On Thu, Oct 12, 2017 at 1:48 PM, Stephen Smalley <s...@tycho.nsa.g
>> > > ov> wrote:
>> > > > On Thu, 2017-10-12 at 11:29 -0700, William Roberts wrote:
>> > > > > I see a travis.yml file, recently modified by Nicolas, but I
>> > > > > failed
>> > > > > to
>> > > > > find the Travis CI instance on travis.org, where is it?
>> > > > >
>> > > > > We should likely have it running on commits to the repo and
>> > > > > PRs so we
>> > > > > can have some independent way of verifying that our run of
>> > > > > the tests
>> > > > > was compromised by some env variation or mistake.
>> > > > >
>> > > > > Thoughts?
>> > > >
>> > > > To date he has just run it on his own fork.  Not opposed to
>> > > > enabling
>> > > > it, just haven't looked into that...
>> > >
>> > > I have done it for my some of my projects, Ill go ahead and set
>> > > this up.
>> >
>> > I configured Travis-CI to test the branches in my Github repository
>> > a
>> > little more than one year ago, after several build configurations
>> > got
>> > broken (clang on Linux for example). I later added more features to
>> > it
>> > (for example warning about missing .gitignore entries, testing
>> > several
>> > Ruby and Python versions, etc), before I upstreamed my .travis.yml
>> > file (a few months ago). When I did it, my main motivation was to
>> > simplify the job of anyone who would want to configure a CI system
>> > on
>> > the project (the building rules and dependencies should be quite
>> > similar). Using a continuous integration system is useful to
>> > prevent
>> > simple regression issues which would otherwise only be detected
>> > when
>> > someone running a specific configuration tries to build the
>> > project.
>> >
>> > Before asking to enable Travis-CI on the main SELinux repository, I
>> > wanted to make sure it was stable/reliable enough. To do this, I
>> > created a branch named "travis-upstream" in my repository, which
>> > tracked the master branch of the main repository. All went well for
>> > quite some time, until Travis-CI modified this summer their
>> > environments, introducing some incompatibilities with projects
>> > which
>> > use several programming languages. Thankfully these changes have
>> > been
>> > documented in Travis-CI's blog and I updated the config file to fix
>> > the builds with commits b1ea8120832d ("Travis-CI: use sugulite
>> > environment") and 6d9258e5a05f ("Travis-CI: fix configuration after
>> > September's update"). As Travis-CI does not seem to want to support
>> > multi-language projects (cf.
>> > https://github.com/travis-ci/travis-ci/issues/4090 for example),
>> > more
>> > breaking changes could be introduced as the provided environment
>> > are
>> > upgraded. Nevertheless I expect that such changes are quite easily
>> > fixable.
>> >
>> > In short, using a CI platform is useful and Travis-CI is a free one
>> > which makes it possible to test several build configurations (I
>> > also
>> > tried Circle-CI, which did not provide a similar feature) and
>> > maintaining a working configuration does not require much effort.
>> > Moreover when a Travis-CI job fails, the log contains the console
>> > output which usually is very clear about what has gone wrong.
>> > Travis-CI now also provides Docker images which help reproducing
>> > issues and understanding their cause without needing to submit a
>> > new
>> > job.
>> >
>> > If you want to set this platform up for SELinux userspace project,
>> > please go ahead :)
>> >
>> > Cheers,
>> > Nicolas
>> >
>>
>> I tried to turn it on in travis, but got the message:
>>
>> This is not an active repository
>>
>> You don't have sufficient rights to enable this repo on Travis.
>> Please contact the admin to enable it or to receive admin rights
>> yourself.
>>
>> Stephen maybe you can do this, or grant me the permissions?
>>
>> You should be able to go here:
>> https://travis-ci.org
>>
>> And login, and then in your organization for selinux flip the switch
>> for travis. Once it's on, and working, we can add the badge to the
>> README
>> file for build status.
>
> Enabled now for the selinux repo.
>
FYI this is up and running thanks to Nicolas's .travis.yml.

You can see it verifying this PR
https://github.com/SELinuxProject/selinux/pull/66

I've submitted that patch to the mailing list as well.



Re: travis CI

2017-10-17 Thread William Roberts
On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
> On Fri, Oct 13, 2017 at 1:50 AM, William Roberts
> <bill.c.robe...@gmail.com> wrote:
>> On Thu, Oct 12, 2017 at 1:48 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On Thu, 2017-10-12 at 11:29 -0700, William Roberts wrote:
>>>> I see a travis.yml file, recently modified by Nicolas, but I failed
>>>> to
>>>> find the Travis CI instance on travis.org, where is it?
>>>>
>>>> We should likely have it running on commits to the repo and PRs so we
>>>> can have some independent way of verifying that our run of the tests
>>>> was compromised by some env variation or mistake.
>>>>
>>>> Thoughts?
>>>
>>> To date he has just run it on his own fork.  Not opposed to enabling
>>> it, just haven't looked into that...
>>
>> I have done it for my some of my projects, Ill go ahead and set this up.
>
> I configured Travis-CI to test the branches in my Github repository a
> little more than one year ago, after several build configurations got
> broken (clang on Linux for example). I later added more features to it
> (for example warning about missing .gitignore entries, testing several
> Ruby and Python versions, etc), before I upstreamed my .travis.yml
> file (a few months ago). When I did it, my main motivation was to
> simplify the job of anyone who would want to configure a CI system on
> the project (the building rules and dependencies should be quite
> similar). Using a continuous integration system is useful to prevent
> simple regression issues which would otherwise only be detected when
> someone running a specific configuration tries to build the project.
>
> Before asking to enable Travis-CI on the main SELinux repository, I
> wanted to make sure it was stable/reliable enough. To do this, I
> created a branch named "travis-upstream" in my repository, which
> tracked the master branch of the main repository. All went well for
> quite some time, until Travis-CI modified this summer their
> environments, introducing some incompatibilities with projects which
> use several programming languages. Thankfully these changes have been
> documented in Travis-CI's blog and I updated the config file to fix
> the builds with commits b1ea8120832d ("Travis-CI: use sugulite
> environment") and 6d9258e5a05f ("Travis-CI: fix configuration after
> September's update"). As Travis-CI does not seem to want to support
> multi-language projects (cf.
> https://github.com/travis-ci/travis-ci/issues/4090 for example), more
> breaking changes could be introduced as the provided environment are
> upgraded. Nevertheless I expect that such changes are quite easily
> fixable.
>
> In short, using a CI platform is useful and Travis-CI is a free one
> which makes it possible to test several build configurations (I also
> tried Circle-CI, which did not provide a similar feature) and
> maintaining a working configuration does not require much effort.
> Moreover when a Travis-CI job fails, the log contains the console
> output which usually is very clear about what has gone wrong.
> Travis-CI now also provides Docker images which help reproducing
> issues and understanding their cause without needing to submit a new
> job.
>
> If you want to set this platform up for SELinux userspace project,
> please go ahead :)
>
> Cheers,
> Nicolas
>

I tried to turn it on in travis, but got the message:

This is not an active repository

You don't have sufficient rights to enable this repo on Travis.
Please contact the admin to enable it or to receive admin rights yourself.

Stephen maybe you can do this, or grant me the permissions?

You should be able to go here:
https://travis-ci.org

And login, and then in your organization for selinux flip the switch
for travis. Once it's on, and working, we can add the badge to the README
file for build status.



travis CI

2017-10-12 Thread William Roberts
I see a travis.yml file, recently modified by Nicolas, but I failed to
find the Travis CI instance on travis.org, where is it?

We should likely have it running on commits to the repo and PRs so we
have an independent way of checking whether our own run of the tests
was compromised by some env variation or mistake.

Thoughts?

Bill



Re: [PATCH] semodule-utils: remove semodule_deps

2017-10-12 Thread William Roberts
Applied: https://github.com/SELinuxProject/selinux/pull/65

On Tue, Oct 3, 2017 at 7:21 AM, Stephen Smalley  wrote:
> As discussed in https://github.com/SELinuxProject/selinux/issues/64,
> semodule_deps has apparently been broken for a very long time for
> binary modules and is completely irrelevant for CIL modules.  If there
> are any users of it, they ought to be rewritten anyway since it is
> not producing correct dependency information, and the ultimate goal
> is to stop using binary modules altogether so it is not worth fixing.
> Remove it to avoid any further broken usage.
>
> Signed-off-by: Stephen Smalley 
> ---
>  semodule-utils/.gitignore|   1 -
>  semodule-utils/Makefile  |   2 +-
>  semodule-utils/semodule_deps/Makefile|  28 --
>  semodule-utils/semodule_deps/semodule_deps.8 |  46 ---
>  semodule-utils/semodule_deps/semodule_deps.c | 401 
> ---
>  5 files changed, 1 insertion(+), 477 deletions(-)
>  delete mode 100644 semodule-utils/semodule_deps/Makefile
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.8
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.c
>
> diff --git a/semodule-utils/.gitignore b/semodule-utils/.gitignore
> index 1667564..6ec4efe 100644
> --- a/semodule-utils/.gitignore
> +++ b/semodule-utils/.gitignore
> @@ -1,5 +1,4 @@
>  semodule_package/semodule_package
>  semodule_package/semodule_unpackage
> -semodule_deps/semodule_deps
>  semodule_expand/semodule_expand
>  semodule_link/semodule_link
> diff --git a/semodule-utils/Makefile b/semodule-utils/Makefile
> index 6bf4aee..e0a6579 100644
> --- a/semodule-utils/Makefile
> +++ b/semodule-utils/Makefile
> @@ -1,4 +1,4 @@
> -SUBDIRS = semodule_package semodule_link semodule_expand semodule_deps
> +SUBDIRS = semodule_package semodule_link semodule_expand
>
>  all install relabel clean indent:
> @for subdir in $(SUBDIRS); do \
> diff --git a/semodule-utils/semodule_deps/Makefile 
> b/semodule-utils/semodule_deps/Makefile
> deleted file mode 100644
> index 328a503..000
> --- a/semodule-utils/semodule_deps/Makefile
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -# Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -INCLUDEDIR ?= $(PREFIX)/include
> -BINDIR ?= $(PREFIX)/bin
> -LIBDIR ?= $(PREFIX)/lib
> -MANDIR ?= $(PREFIX)/share/man
> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> -
> -CFLAGS ?= -Werror -Wall -W
> -
> -all: semodule_deps
> -
> -semodule_deps:  semodule_deps.o $(LIBSEPOLA)
> -
> -install: all
> -   -mkdir -p $(BINDIR)
> -   install -m 755 semodule_deps $(BINDIR)
> -   test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
> -   install -m 644 semodule_deps.8 $(MANDIR)/man8/
> -
> -relabel:
> -
> -clean:
> -   -rm -f semodule_deps *.o
> -
> -indent:
> -   ../../scripts/Lindent $(wildcard *.[ch])
> -
> diff --git a/semodule-utils/semodule_deps/semodule_deps.8 
> b/semodule-utils/semodule_deps/semodule_deps.8
> deleted file mode 100644
> index 6f21a64..000
> --- a/semodule-utils/semodule_deps/semodule_deps.8
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -.TH SEMODULE_DEPS "8" "June 2006" "Security Enhanced Linux" NSA
> -.SH NAME
> -semodule_deps \- show the dependencies between SELinux policy packages.
> -
> -.SH SYNOPSIS
> -.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ]
> -.br
> -.SH DESCRIPTION
> -.PP
> -semodule_deps is a developer tool for showing the dependencies
> -between policy packages. For each module it prints a list of
> -modules that must be present for a module's requirements to
> -be satisfied. It only deals with requirements, not optional
> -dependencies.
> -
> -In order for semodule_deps to give useful information the list
> -of packages passed in cannot have unsatisfied dependencies. In
> -general this means that the list of modules will usually be
> -quite long.
> -
> -By default options to the base module are excluded as almost every
> -module has this dependency. The \-b option will include these
> -dependencies.
> -
> -In addition to human readable output, semodule_deps can output the
> -dependencies in the Graphviz dot format (http://www.graphviz.org/)
> -using the \-g option. This is useful for producing a picture of the
> -dependencies.
> -
> -.SH "OPTIONS"
> -.TP
> -.B \-v
> -verbose mode
> -.TP
> -.B \-g
> -output dependency information in Graphviz dot format
> -.TP
> -.B \-b
> -include dependencies to the base module - by default these are excluded
> -
> -.SH SEE ALSO
> -.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
> -.SH AUTHORS
> -.nf
> -This manual page was written by Karl MacMillan 
> .
> -The program was written by Karl MacMillan .
> diff --git a/semodule-utils/semodule_deps/semodule_deps.c 
> b/semodule-utils/semodule_deps/semodule_deps.c
> deleted file mode 100644
> index 7a7ff2f..000
> --- 

Re: [PATCH] semodule-utils: remove semodule_deps

2017-10-03 Thread William Roberts
On Tue, Oct 3, 2017 at 7:21 AM, Stephen Smalley  wrote:
> As discussed in https://github.com/SELinuxProject/selinux/issues/64,
> semodule_deps has apparently been broken for a very long time for
> binary modules and is completely irrelevant for CIL modules.  If there
> are any users of it, they ought to be rewritten anyway since it is
> not producing correct dependency information, and the ultimate goal
> is to stop using binary modules altogether so it is not worth fixing.
> Remove it to avoid any further broken usage.
>
> Signed-off-by: Stephen Smalley 
> ---
>  semodule-utils/.gitignore|   1 -
>  semodule-utils/Makefile  |   2 +-
>  semodule-utils/semodule_deps/Makefile|  28 --
>  semodule-utils/semodule_deps/semodule_deps.8 |  46 ---
>  semodule-utils/semodule_deps/semodule_deps.c | 401 
> ---
>  5 files changed, 1 insertion(+), 477 deletions(-)
>  delete mode 100644 semodule-utils/semodule_deps/Makefile
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.8
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.c
>
> diff --git a/semodule-utils/.gitignore b/semodule-utils/.gitignore
> index 1667564..6ec4efe 100644
> --- a/semodule-utils/.gitignore
> +++ b/semodule-utils/.gitignore
> @@ -1,5 +1,4 @@
>  semodule_package/semodule_package
>  semodule_package/semodule_unpackage
> -semodule_deps/semodule_deps
>  semodule_expand/semodule_expand
>  semodule_link/semodule_link
> diff --git a/semodule-utils/Makefile b/semodule-utils/Makefile
> index 6bf4aee..e0a6579 100644
> --- a/semodule-utils/Makefile
> +++ b/semodule-utils/Makefile
> @@ -1,4 +1,4 @@
> -SUBDIRS = semodule_package semodule_link semodule_expand semodule_deps
> +SUBDIRS = semodule_package semodule_link semodule_expand
>
>  all install relabel clean indent:
> @for subdir in $(SUBDIRS); do \
> diff --git a/semodule-utils/semodule_deps/Makefile 
> b/semodule-utils/semodule_deps/Makefile
> deleted file mode 100644
> index 328a503..000
> --- a/semodule-utils/semodule_deps/Makefile
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -# Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -INCLUDEDIR ?= $(PREFIX)/include
> -BINDIR ?= $(PREFIX)/bin
> -LIBDIR ?= $(PREFIX)/lib
> -MANDIR ?= $(PREFIX)/share/man
> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> -
> -CFLAGS ?= -Werror -Wall -W
> -
> -all: semodule_deps
> -
> -semodule_deps:  semodule_deps.o $(LIBSEPOLA)
> -
> -install: all
> -   -mkdir -p $(BINDIR)
> -   install -m 755 semodule_deps $(BINDIR)
> -   test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
> -   install -m 644 semodule_deps.8 $(MANDIR)/man8/
> -
> -relabel:
> -
> -clean:
> -   -rm -f semodule_deps *.o
> -
> -indent:
> -   ../../scripts/Lindent $(wildcard *.[ch])
> -
> diff --git a/semodule-utils/semodule_deps/semodule_deps.8 
> b/semodule-utils/semodule_deps/semodule_deps.8
> deleted file mode 100644
> index 6f21a64..000
> --- a/semodule-utils/semodule_deps/semodule_deps.8
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -.TH SEMODULE_DEPS "8" "June 2006" "Security Enhanced Linux" NSA
> -.SH NAME
> -semodule_deps \- show the dependencies between SELinux policy packages.
> -
> -.SH SYNOPSIS
> -.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ]
> -.br
> -.SH DESCRIPTION
> -.PP
> -semodule_deps is a developer tool for showing the dependencies
> -between policy packages. For each module it prints a list of
> -modules that must be present for a module's requirements to
> -be satisfied. It only deals with requirements, not optional
> -dependencies.
> -
> -In order for semodule_deps to give useful information the list
> -of packages passed in cannot have unsatisfied dependencies. In
> -general this means that the list of modules will usually be
> -quite long.
> -
> -By default options to the base module are excluded as almost every
> -module has this dependency. The \-b option will include these
> -dependencies.
> -
> -In addition to human readable output, semodule_deps can output the
> -dependencies in the Graphviz dot format (http://www.graphviz.org/)
> -using the \-g option. This is useful for producing a picture of the
> -dependencies.
> -
> -.SH "OPTIONS"
> -.TP
> -.B \-v
> -verbose mode
> -.TP
> -.B \-g
> -output dependency information in Graphviz dot format
> -.TP
> -.B \-b
> -include dependencies to the base module - by default these are excluded
> -
> -.SH SEE ALSO
> -.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
> -.SH AUTHORS
> -.nf
> -This manual page was written by Karl MacMillan 
> .
> -The program was written by Karl MacMillan .
> diff --git a/semodule-utils/semodule_deps/semodule_deps.c 
> b/semodule-utils/semodule_deps/semodule_deps.c
> deleted file mode 100644
> index 7a7ff2f..000
> --- a/semodule-utils/semodule_deps/semodule_deps.c
> +++ /dev/null
> @@ -1,401 +0,0 @@
> -/* 

Re: Labeling sysfs files

2017-10-02 Thread William Roberts
On Mon, Oct 2, 2017 at 2:54 PM, David Graziano
 wrote:
> I'm trying to find a way of labeling specific files/directories in
> sysfs that do not exist at boot time. I'm running an embedded SELinux
> enabled system (4.1 series kernel) where at boot there is an init
> script performing a restorecon on /sys.  Sometime later a usb cellular
> modem is powered on and enumerated at which point the it's sysfs
> sub-directory structure is added.
>
> This directory path is correctly getting my custom label via
> restorecon during boot
> /sys/devices/platform///fsl-ehci.0/usb1/
>
> After the cellular modem is powered on the following directory
> structure is created.
> /sys/devices/platform///fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
> Everything "1-1" and lower that is getting the "default" sysfs_t label.
>
> Is there a method of labeling that newly added sub-directory structure
> other than running restorecond or restorecon again? I specifically
> need to control access to the "qmi" file. I've tried adding a genfscon
> to the policy but it doesn't seem to work although I don't know if
> it's suppose to.
>
> Any advice would be appreciated.
>

Because of sysfs's dynamic nature, labeling is hard, as you found out.
We have these
issues on Android as well. The best solution for us was to use/add
genfscon support:
http://permalink.gmane.org/gmane.linux.kernel.commits.head/535516

But that patch looks like it won't apply to 4.1 as none of the
SB_GENFS infrastructure
is there.

You'd have to call the restorecon in a part where the file exists but
before any clients
start using it. Perhaps you could register something via inotify (I
don't know offhand
if that works on sysfs).

If it's a service, maybe you could have the service run/trigger the
restorecon on startup, perhaps via init/systemd scripts.

Or perhaps you can get on a newer kernel, looks like 4.4 has it:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/security/selinux/hooks.c?h=v4.4.89#n742



Re: [PATCH 1/2] libsemanage: Add support for listing fcontext.homedirs file

2017-10-01 Thread William Roberts
On Sun, Oct 1, 2017 at 8:43 AM, Vit Mojzis <vmoj...@redhat.com> wrote:
>
>
> On 27.9.2017 19:04, William Roberts wrote:
>>
>> 2017-09-27 1:16 GMT-07:00 Vit Mojzis <vmoj...@redhat.com>:
>>>
>>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
>>> ---
>>>   libsemanage/include/semanage/fcontexts_policy.h |  4 
>>>   libsemanage/src/direct_api.c|  6 ++
>>>   libsemanage/src/fcontexts_policy.c  |  8 
>>>   libsemanage/src/handle.h| 19
>>> +--
>>>   4 files changed, 31 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/libsemanage/include/semanage/fcontexts_policy.h
>>> b/libsemanage/include/semanage/fcontexts_policy.h
>>> index a50db2b..199a1e1 100644
>>> --- a/libsemanage/include/semanage/fcontexts_policy.h
>>> +++ b/libsemanage/include/semanage/fcontexts_policy.h
>>> @@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t *
>>> handle,
>>>semanage_fcontext_t *** records,
>>>unsigned int *count);
>>>
>>> +extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
>>> + semanage_fcontext_t *** records,
>>> + unsigned int *count);
>>> +
>>>   #endif
>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>> index 65842df..886a228 100644
>>> --- a/libsemanage/src/direct_api.c
>>> +++ b/libsemanage/src/direct_api.c
>>> @@ -210,6 +210,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
>>>   semanage_fcontext_dbase_local(sh))
>>> < 0)
>>>  goto err;
>>>
>>> +   if (fcontext_file_dbase_init(sh,
>>> +selinux_file_context_homedir_path(),
>>> +selinux_file_context_homedir_path(),
>>> +
>>> semanage_fcontext_dbase_homedirs(sh)) < 0)
>>> +   goto err;
>>> +
>>>  if (seuser_file_dbase_init(sh,
>>> semanage_path(SEMANAGE_ACTIVE,
>>>
>>> SEMANAGE_SEUSERS_LOCAL),
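Review bot: The new `fcontext_file_dbase_init()` call has no matching teardown in this patch: the diffstat lists only these six added lines for direct_api.c, so whatever the disconnect path releases for the other fcontext databases (not visible here) is not done for the homedirs one. A release of `semanage_fcontext_dbase_homedirs(sh)` should be added next to the existing ones. Both path arguments are also `selinux_file_context_homedir_path()`, the installed file rather than a `semanage_path(...)` store location as in the seuser call below. That deserves a comment such as `/* installed homedirs file; listed only, never written through this dbase */`, once that is confirmed to hold. semanage_direct_connect() starts and ends outside the hunk.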
>>> diff --git a/libsemanage/src/fcontexts_policy.c
>>> b/libsemanage/src/fcontexts_policy.c
>>> index 0b063b1..98490ab 100644
>>> --- a/libsemanage/src/fcontexts_policy.c
>>> +++ b/libsemanage/src/fcontexts_policy.c
>>> @@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
>>>  dbase_config_t *dconfig =
>>> semanage_fcontext_dbase_policy(handle);
>>>  return dbase_list(handle, dconfig, records, count);
>>>   }
>>> +
>>> +int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
>>> +  semanage_fcontext_t *** records, unsigned int
>>> *count)
>>> +{
>>> +
>>> +   dbase_config_t *dconfig =
>>> semanage_fcontext_dbase_homedirs(handle);
>>> +   return dbase_list(handle, dconfig, records, count);
>>> +}
>>> diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
>>> index 889871d..1780ac8 100644
>>> --- a/libsemanage/src/handle.h
>>> +++ b/libsemanage/src/handle.h
>>> @@ -79,7 +79,7 @@ struct semanage_handle {
>>>  struct semanage_policy_table *funcs;
>>>
>>>  /* Object databases */
>>> -#define DBASE_COUNT  23
>>> +#define DBASE_COUNT  24
>>>
>>>   /* Local modifications */
>>>   #define DBASE_LOCAL_USERS_BASE  0
>>> @@ -102,13 +102,14 @@ struct semanage_handle {
>>>   #define DBASE_POLICY_INTERFACES  15
>>>   #define DBASE_POLICY_BOOLEANS16
>>>   #define DBASE_POLICY_FCONTEXTS   17
>>> -#define DBASE_POLICY_SEUSERS 18
>>> -#define DBASE_POLICY_NODES   19
>>> -#define DBASE_POLICY_IBPKEYS 20
>>> -#define DBASE_POLICY_IBENDPORTS  21
>>> +#define DBASE_POLICY_FCONTEXTS_H 18
>>> +#define DBASE_POLICY_SEUSERS 19
>>> +#define DBASE_POLICY_NODES   20
>>> +#define DBASE_POLICY_IBPKEYS 21
>>> +#define DBASE_POLICY_IBENDPORTS  22
>>>
>>>   /* Active kernel policy */
>>> -#define DBASE_ACTIVE_BOOLEANS22
>>> +#define DBASE_ACTIVE_BOOLEANS23
>>
>> Any particular reason to reassign all 

Re: [PATCH 1/2] libsemanage: Add support for listing fcontext.homedirs file

2017-09-27 Thread William Roberts
2017-09-27 1:16 GMT-07:00 Vit Mojzis :
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
> ---
>  libsemanage/include/semanage/fcontexts_policy.h |  4 
>  libsemanage/src/direct_api.c|  6 ++
>  libsemanage/src/fcontexts_policy.c  |  8 
>  libsemanage/src/handle.h| 19 +--
>  4 files changed, 31 insertions(+), 6 deletions(-)
>
> diff --git a/libsemanage/include/semanage/fcontexts_policy.h 
> b/libsemanage/include/semanage/fcontexts_policy.h
> index a50db2b..199a1e1 100644
> --- a/libsemanage/include/semanage/fcontexts_policy.h
> +++ b/libsemanage/include/semanage/fcontexts_policy.h
> @@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * 
> handle,
>   semanage_fcontext_t *** records,
>   unsigned int *count);
>
> +extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
> + semanage_fcontext_t *** records,
> + unsigned int *count);
> +
>  #endif
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 65842df..886a228 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -210,6 +210,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
>  semanage_fcontext_dbase_local(sh)) < 0)
> goto err;
>
> +   if (fcontext_file_dbase_init(sh,
> +selinux_file_context_homedir_path(),
> +selinux_file_context_homedir_path(),
> +semanage_fcontext_dbase_homedirs(sh)) < 
> 0)
> +   goto err;
> +
> if (seuser_file_dbase_init(sh,
>semanage_path(SEMANAGE_ACTIVE,
>  SEMANAGE_SEUSERS_LOCAL),
> diff --git a/libsemanage/src/fcontexts_policy.c 
> b/libsemanage/src/fcontexts_policy.c
> index 0b063b1..98490ab 100644
> --- a/libsemanage/src/fcontexts_policy.c
> +++ b/libsemanage/src/fcontexts_policy.c
> @@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
> dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
> return dbase_list(handle, dconfig, records, count);
>  }
> +
> +int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
> +  semanage_fcontext_t *** records, unsigned int 
> *count)
> +{
> +
> +   dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
> +   return dbase_list(handle, dconfig, records, count);
> +}
> diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
> index 889871d..1780ac8 100644
> --- a/libsemanage/src/handle.h
> +++ b/libsemanage/src/handle.h
> @@ -79,7 +79,7 @@ struct semanage_handle {
> struct semanage_policy_table *funcs;
>
> /* Object databases */
> -#define DBASE_COUNT  23
> +#define DBASE_COUNT  24
>
>  /* Local modifications */
>  #define DBASE_LOCAL_USERS_BASE  0
> @@ -102,13 +102,14 @@ struct semanage_handle {
>  #define DBASE_POLICY_INTERFACES  15
>  #define DBASE_POLICY_BOOLEANS16
>  #define DBASE_POLICY_FCONTEXTS   17
> -#define DBASE_POLICY_SEUSERS 18
> -#define DBASE_POLICY_NODES   19
> -#define DBASE_POLICY_IBPKEYS 20
> -#define DBASE_POLICY_IBENDPORTS  21
> +#define DBASE_POLICY_FCONTEXTS_H 18
> +#define DBASE_POLICY_SEUSERS 19
> +#define DBASE_POLICY_NODES   20
> +#define DBASE_POLICY_IBPKEYS 21
> +#define DBASE_POLICY_IBENDPORTS  22
>
>  /* Active kernel policy */
> -#define DBASE_ACTIVE_BOOLEANS22
> +#define DBASE_ACTIVE_BOOLEANS23

Any particular reason to reassign all these defines instead
of just setting DBASE_POLICY_FCONTEXTS_H to 22 and
setting DBASE_ACTIVE_BOOLEANS to 23 other than just
to have DBASE_POLICY_FCONTEXTS_H follow
DBASE_POLICY_FCONTEXTS?

I'm also assuming, after looking at the code, that the database
itself is built every time so versioning mismatches are not a worry.

> dbase_config_t dbase[DBASE_COUNT];
>  };
>
> @@ -236,6 +237,12 @@ static inline
>  }
>
>  static inline
> +dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * 
> handle)
> +{
> +   return >dbase[DBASE_POLICY_FCONTEXTS_H];
> +}
> +
> +static inline
>  dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
>  {
> return >dbase[DBASE_POLICY_SEUSERS];
> --
> 2.9.4
>
>



-- 
Respectfully,

William C Roberts



Re: [PATCH 1/1] sepolicy: do not fail when file_contexts.local or .subs do not exist

2017-09-18 Thread William Roberts
On Mon, Sep 18, 2017 at 3:59 PM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Mon, Sep 18, 2017 at 2:32 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote:
>>
>> On a system without any file context customizations, "sepolicy gui"
>> fails to load because it tries to read a non-existent file:
>>
>> FileNotFoundError: [Errno 2] No such file or directory:
>> '/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
>>
>> Once this issue is fixed, another one is triggered:
>>
>> FileNotFoundError: [Errno 2] No such file or directory:
>> '/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
>>
>> Use os.path.exists() to prevent trying to open non-existent files.
>>
>> Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
>> ---
>>  python/sepolicy/sepolicy/__init__.py | 4 
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/python/sepolicy/sepolicy/__init__.py 
>> b/python/sepolicy/sepolicy/__init__.py
>> index 03742346caf0..14d2ad634d7d 100644
>> --- a/python/sepolicy/sepolicy/__init__.py
>> +++ b/python/sepolicy/sepolicy/__init__.py
>> @@ -523,6 +523,8 @@ def find_entrypoint_path(exe, exclude_list=[]):
>>
>>
>>  def read_file_equiv(edict, fc_path, modify):
>> +if not os.path.exists(fc_path):
>> +return edict
>>  fd = open(fc_path, "r")
>>  fc = fd.readlines()
>>  fd.close()
>> @@ -555,6 +557,8 @@ def 
>> get_local_file_paths(fc_path=selinux.selinux_file_context_path()):
>>  if local_files:
>>  return local_files
>>  local_files = []
>> +if not os.path.exists(fc_path + ".local"):
>> +return []
>>  fd = open(fc_path + ".local", "r")
>
> Why not use Try/Except here with a pass here?

Wouldn't be a pass... but you get the idea.

> While you're at it, maybe update this to use a with
> statement. instead of an explicit close call.
>>  fc = fd.readlines()
>>  fd.close()
>> --
>> 2.14.1
>>



Re: [PATCH 1/1] sepolicy: do not fail when file_contexts.local or .subs do not exist

2017-09-18 Thread William Roberts
On Mon, Sep 18, 2017 at 2:32 PM, Nicolas Iooss  wrote:
>
> On a system without any file context customizations, "sepolicy gui"
> fails to load because it tries to read a non-existent file:
>
> FileNotFoundError: [Errno 2] No such file or directory:
> '/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
>
> Once this issue is fixed, another one is triggered:
>
> FileNotFoundError: [Errno 2] No such file or directory:
> '/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
>
> Use os.path.exists() to prevent trying to open non-existent files.
>
> Signed-off-by: Nicolas Iooss 
> ---
>  python/sepolicy/sepolicy/__init__.py | 4 
>  1 file changed, 4 insertions(+)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py 
> b/python/sepolicy/sepolicy/__init__.py
> index 03742346caf0..14d2ad634d7d 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -523,6 +523,8 @@ def find_entrypoint_path(exe, exclude_list=[]):
>
>
>  def read_file_equiv(edict, fc_path, modify):
> +if not os.path.exists(fc_path):
> +return edict
>  fd = open(fc_path, "r")
>  fc = fd.readlines()
>  fd.close()
> @@ -555,6 +557,8 @@ def 
> get_local_file_paths(fc_path=selinux.selinux_file_context_path()):
>  if local_files:
>  return local_files
>  local_files = []
> +if not os.path.exists(fc_path + ".local"):
> +return []
>  fd = open(fc_path + ".local", "r")

Why not use try/except here, with a pass?
While you're at it, maybe update this to use a with
statement instead of an explicit close call.
>  fc = fd.readlines()
>  fd.close()
> --
> 2.14.1
>



Re: [PATCH] selinux: libselinux: Enable multiple input files to selabel_open.

2017-09-11 Thread William Roberts
On Mon, Sep 11, 2017 at 11:04 AM, Daniel Cashman 
wrote:

> From: Dan Cashman 
>
> The file_contexts labeling backend, specified in label_file.c, currently
> assumes
> that only one path will be specified as an option to selabel_open().  The
> split
> of platform and non-platform policy on device, however, will necessitate
> the
> loading of two disparate policy files.  Rather than combining the files
> and then
> calling the existing API on a newly-formed file, just add the ability to
> specify
> multiple files to use.  Order of opt specification to selabel_open matters.
>
> This corresponds to AOSP commit 50400d38203e4db08314168e60c281cc61a717a8,
> which
> led to a fork with upstream, which we'd like to correct.
>
> Signed-off-by: Dan Cashman 
> ---
>  libselinux/src/label.c  |  21 +---
>  libselinux/src/label_file.c | 104 +-
> --
>  libselinux/src/label_internal.h |   5 +-
>  3 files changed, 94 insertions(+), 36 deletions(-)
>
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index 48f4d2d6..0dfa054c 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -143,7 +143,11 @@ static int selabel_fini(struct selabel_handle *rec,
> struct selabel_lookup_rec *lr,
> int translating)
>  {
> -   if (compat_validate(rec, lr, rec->spec_file, 0))
> +   char *path = NULL;
> +
> +   if (rec->spec_files)
> +   path = rec->spec_files[0];
> +   if (compat_validate(rec, lr, path, 0))
> return -1;
>
> if (translating && !lr->ctx_trans &&
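Review bot: `path` can reach `compat_validate()` as NULL when `rec->spec_files` is unset or its first slot was never filled, and only the first of several spec files is ever passed. If compat_validate() formats the path into a log message (not visible here), that is a NULL string argument, and with multiple input files the message may name the wrong file. I would guard with `if (rec->spec_files && rec->spec_files_len > 0)` and add a comment saying that only the first spec file is reported, or pass the file the record actually came from if that is tracked. The function body continues outside the hunk.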
> @@ -226,11 +230,9 @@ struct selabel_handle *selabel_open(unsigned int
> backend,
> rec->digest = selabel_is_digest_set(opts, nopts, rec->digest);
>
> if ((*initfuncs[backend])(rec, opts, nopts)) {
> -   free(rec->spec_file);
> -   free(rec);
> +   selabel_close(rec);
> rec = NULL;
> }
> -
>  out:
> return rec;
>  }
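Review bot: Calling `selabel_close(rec)` on the init-failure path means the backend's `func_close` now runs on a handle whose init did not complete. If any backend init already invokes its own close routine before returning an error (the `goto finish` paths in label_file.c's init end outside the visible hunks), the backend data would be torn down twice. Each backend should be audited for that, and a comment at this call should state that `func_close` must tolerate partially initialised data. The `selabel_close()` hunk below also frees `rec->spec_files` before `func_close` runs, so a close routine that reads the spec file list would see freed memory; moving that loop after the `func_close` call removes the question.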
> @@ -337,10 +339,17 @@ int selabel_digest(struct selabel_handle *rec,
>
>  void selabel_close(struct selabel_handle *rec)
>  {
> +   size_t i;
> +
> +   if (rec->spec_files) {
> +   for (i = 0; i < rec->spec_files_len; i++)
> +   free(rec->spec_files[i]);
> +   free(rec->spec_files);
> +   }
> if (rec->digest)
> selabel_digest_fini(rec->digest);
> -   rec->func_close(rec);
> -   free(rec->spec_file);
> +   if (rec->func_close)
> +   rec->func_close(rec);
> free(rec);
>  }
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 560d8c3d..b3b36bc2 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -709,28 +709,61 @@ static int init(struct selabel_handle *rec, const
> struct selinux_opt *opts,
> unsigned n)
>  {
> struct saved_data *data = (struct saved_data *)rec->data;
> -   const char *path = NULL;
> +   size_t num_paths = 0;
> +   char **path = NULL;
> const char *prefix = NULL;
> -   int status = -1, baseonly = 0;
> +   int status = -1;
> +   size_t i;
> +   bool baseonly = false;
> +   bool path_provided;
>
> /* Process arguments */
> -   while (n--)
> -   switch(opts[n].type) {
> +   i = n;
> +   while (i--)
> +   switch(opts[i].type) {
> case SELABEL_OPT_PATH:
> -   path = opts[n].value;
> +   num_paths++;
> break;
> case SELABEL_OPT_SUBSET:
> -   prefix = opts[n].value;
> +   prefix = opts[i].value;
> break;
> case SELABEL_OPT_BASEONLY:
> -   baseonly = !!opts[n].value;
> +   baseonly = !!opts[i].value;
> break;
> }
>
> +   if (!num_paths) {
> +   num_paths = 1;
> +   path_provided = false;
> +   } else {
> +   path_provided = true;
> +   }
> +
> +   path = calloc(num_paths, sizeof(*path));
> +   if (path == NULL) {
> +   goto finish;
> +   }
> +   rec->spec_files = path;
> +   rec->spec_files_len = num_paths;
> +
> +   if (path_provided) {
> +   for (i = 0; i < n; i++) {
> +   switch(opts[i].type) {
>

Weird way to do an if/else?


> +   case SELABEL_OPT_PATH:
> +   *path = strdup(opts[i].value);
> +   if (*path == NULL)
> +   goto finish;
> +   path++;
> +   break;
> +   default:
> +

Re: file_contexts non-ascii error

2017-08-22 Thread William Roberts
On Tue, Aug 22, 2017 at 5:48 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Tue, 2017-08-22 at 15:15 +0300, Sky Autumn wrote:
>> Hello, everyone.
>> There's my problem. When I try to set label on directory with russian
>> letters in name with policy module, the following error occur:
>>  /etc/selinux/final/targeted/contexts/files/file_contexts:  line 5206
>> error due to: Non-ASCII characters found
>>
>> On other machine it works fine. libselinux version on first machine
>> 2.5-6, on second 2.2.2-6. Can I somehow install such policy on first
>> machine without renaming directory? Thank you.
>
> The check for non-ASCII characters was introduced by the following
> commit:
>
> commit 2981e0ba3a869d12ed6f376581277847421db2e7
> Author: William Roberts <william.c.robe...@intel.com>
> Date:   Tue Feb 9 13:59:46 2016 -0800
>
> read_spec_entry: fail on non-ascii
>
> Inserting non-ascii characters into the following files:
>  * file_contexts
>  * property_contexts
>  * service_contexts
> can cause a failure on labeling but still result in a successful
> build.
>
> Hard error on non-ascii characters with:
> :  line 229 error due to: Non-ASCII characters found
>
> Signed-off-by: William Roberts <william.c.robe...@intel.com>
>
> Even before that change, the code did not truly support unicode
> strings, so you could have inserted the module but restorecon or other
> commands could easily have mislabeled the directory.  I guess the
> question is what exactly would need to change to truly support unicode
> strings in the libselinux label code; at the least, we'd need to pass
> additional flags to pcre_compile().

We actually had weird behavior with things not working when unicode
characters were accidentally slipped into the files and since it was
unsupported, I wanted it to fail loudly. Since I don't do anything out of
the ASCII set, I felt I was a poor candidate to properly add UTF support.

I would assume all folks would want is UTF8, and that should be fairly
straightforward to add (I'm not doing it).


>
> As a workaround, I would think you could use regex meta characters e.g.
> .* or .+ to match the portion of the pathname that contains unicode
> characters, as long as that doesn't cause other directories/files to
> become mislabeled.
>



-- 
Respectfully,

William C Roberts


Re: [PATCH v6 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 11:30 AM, Stephen Smalley  wrote:
> On Thu, 2017-05-18 at 02:09 +0900, Sebastien Buisson wrote:
>> Add policybrief field to struct policydb. It holds a brief info
>> of the policydb, made of colon separated name and value pairs
>> that give information about how the policy is applied in the
>> security module(s).
>> Note that the ordering of the fields in the string may change.
>>
>> Policy brief is computed every time the policy is loaded, and when
>> enforce or checkreqprot are changed.
>>
>> Add security_policy_brief hook to give access to policy brief to
>> the rest of the kernel. It is useful for any network or
>> distributed file system that cares about how SELinux is enforced
>> on its client nodes. This information is used to detect changes
>> to the policy on file system client nodes, and can be forwarded
>> to file system server nodes. Depending on how the policy is
>> enforced on client side, server can refuse connection.
>>
>> Signed-off-by: Sebastien Buisson 
>
> Looks good to me, but we need to see the patch that uses the LSM hook
> interface too.  Also, I would split up this patch and fold your second
> patch into one of the parts.  You could have a first patch that
> implements the support within SELinux and uses it from selinuxfs (no
> dependency on the LSM hook interface or the SELinux hook function), a
> second patch that adds the LSM hook interface and SELinux hook function
> to expose it outside of SELinux, and then a third patch to call the
> hook from lustre.

The more I keep looking at this the more I dislike the interface.
We're actually building an interface that defeats any LSM abstraction,
and clients of the interface have to poll and parse to find out if
something they care about changed.

I think the interface should be inverted and provide an interface
to register callbacks so clients can just set a callback and be
notified of changes.


>
>> ---
>>  include/linux/lsm_hooks.h   | 20 +
>>  include/linux/security.h|  7 +++
>>  security/security.c |  6 +++
>>  security/selinux/hooks.c|  7 +++
>>  security/selinux/include/security.h |  2 +
>>  security/selinux/selinuxfs.c|  2 +
>>  security/selinux/ss/policydb.c  | 88
>> +
>>  security/selinux/ss/policydb.h  |  3 ++
>>  security/selinux/ss/services.c  | 67
>> 
>>  9 files changed, 202 insertions(+)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 080f34e..0bc0260 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -1336,6 +1336,24 @@
>>   *   @inode we wish to get the security context of.
>>   *   @ctx is a pointer in which to place the allocated security
>> context.
>>   *   @ctxlen points to the place to put the length of @ctx.
>> + *
>> + * Security hooks for policy brief
>> + *
>> + * @policy_brief:
>> + *
>> + *   Returns a string containing a brief info of the policydb.
>> The string
>> + *   contains colon separated name and value pairs that give
>> information
>> + *   about how the policy is applied in the security module(s).
>> + *   Note that the ordering of the fields in the string may
>> change.
>> + *
>> + *   @brief: pointer to buffer holding brief
>> + *   @len: in: brief buffer length if no alloc, out: brief
>> string len
>> + *   @alloc: whether to allocate buffer for brief or not
>> + *   If @alloc, *brief must be kfreed by caller.
>> + *   If not @alloc, caller must pass a buffer that can hold
>> policy brief
>> + *   info (including terminating NUL).
>> + *   On success 0 is returned , or negative value on error.
>> + *
>>   * This is the main security structure.
>>   */
>>
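Review bot: The `@len` contract does not say what happens when `@alloc` is false and the caller's buffer is shorter than the brief, which is the case that decides whether an implementation may write past the buffer. I would add a line such as ` *	If not @alloc and *@len is too small, a negative value is returned and nothing is written.` (adjusted to what the implementation actually does), and state whether the returned length counts the terminating NUL. There is also a stray space before the comma in `On success 0 is returned , or`.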
>> @@ -1568,6 +1586,7 @@
>>   int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32
>> ctxlen);
>>   int (*inode_getsecctx)(struct inode *inode, void **ctx, u32
>> *ctxlen);
>>
>> + int (*policy_brief)(char **brief, size_t *len, bool alloc);
>>  #ifdef CONFIG_SECURITY_NETWORK
>>   int (*unix_stream_connect)(struct sock *sock, struct sock
>> *other,
>>   struct sock *newsk);
>> @@ -1813,6 +1832,7 @@ struct security_hook_heads {
>>   struct list_head inode_notifysecctx;
>>   struct list_head inode_setsecctx;
>>   struct list_head inode_getsecctx;
>> + struct list_head policy_brief;
>>  #ifdef CONFIG_SECURITY_NETWORK
>>   struct list_head unix_stream_connect;
>>   struct list_head unix_may_send;
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index af675b5..3b72053 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -377,6 +377,8 @@ int security_sem_semop(struct sem_array *sma,
>> struct sembuf *sops,
>>  int security_inode_notifysecctx(struct inode *inode, void *ctx, u32
>> ctxlen);
>>  int security_inode_setsecctx(struct dentry *dentry, void 

Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 10:00 AM, Sebastien Buisson
<sbuisson@gmail.com> wrote:
> 2017-05-17 18:04 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>:
>> I'm assuming in the Lustre code you're going to call security_policy_brief(),
>> how would the caller know how big that buffer is going to be?
>
> We can determine it at configure time for instance, given that len as
> an output parameter would give the size necessary to store the policy
> brief info.
>
>> I'm looking at both v5 patches, I don't see where it's being called with 
>> alloc
>> set to false.
>
> It would be called with alloc set to false from network and
> distributed file systems like Lustre.

That doesn't seem like a good way at all.
1. What happens as the brief is changed? All callers passing false
would potentially need their buffer size increased.
2. There is no guarantee at runtime that as brief changes,
that the size will remain bounded. fields could be
added/changed/removed.
3. If/when stacking needs to be supported, brief size can
change dramatically, bringing us back to issue 1.

-- 
Respectfully,

William C Roberts

