On Fri, Apr 20, 2018 at 08:49:41AM -0400, Stephen Smalley wrote: > On 04/20/2018 08:31 AM, Petr Lautrbach wrote: > > On Thu, Apr 19, 2018 at 11:07:39AM -0400, Stephen Smalley wrote: > >> A 2.8-rc1 release candidate for the SELinux userspace is now available at: > >> https://github.com/SELinuxProject/selinux/wiki/Releases > >> > >> Please give it a test and let us know if there are any issues. > > > > > > I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests > > on it. > > > > So far there's one problem found by libselinux/selabel-function [3] test. It > > looks like commit 814631d3aebaa changed the behavior of selabel_open() when > > SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is. > > So, is this a bug in the test or a bug in libselinux? As noted in that > commit description, > failing to verify contexts at all before use can lead to applying an invalid > label (if the system is permissive).
selabel_open(3) states that "an invalid context may not be treated as an
error unless it is actually encountered during a lookup operation ". So at
least, it's some disproportion between the code and the documentation.
I read the commit message as that a context should be validated before it's
applied. But now it's validated during lookup.
> Are there real users of libselinux that rely on the current behavior or is
> there some use case where
> it is desirable?
I don't know. I was thinking about setfiles but it always validate. There might
be 3rd party users who
lookups for labels in chroot.
> >
> > The reproducer code:
> >
> > #include <errno.h>
> > #include <stdio.h>
> >
> > #include <selinux/selinux.h>
> > #include <selinux/label.h>
> >
> > int main() {
> > struct selabel_handle *hnd = NULL;
> > security_context_t selabel_context;
> >
> > struct selinux_opt selabel_option [] = {
> > { SELABEL_OPT_PATH, "my_contexts" },
> > { SELABEL_OPT_SUBSET, NULL },
> > { SELABEL_OPT_VALIDATE, (char *) 0 },
> > { SELABEL_OPT_BASEONLY, (char *) 0 }
> > };
> > int result = 0;
> >
> > if ((hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 4)) == NULL) {
> > return 1;
> > }
> >
> > if ((result = selabel_lookup_raw(hnd, &selabel_context, "/tmp/mypath",
> > 0)) == -1) {
> > perror("selabel_lookup_raw - ERROR");
> > return 1;
> > }
> >
> > printf("%s\n", selabel_context);
> >
> > return 0;
> > }
> >
> > ---
> >
> > $ gcc -o selabel_reproducer selabel_reproducer.c -lselinux
> > $ echo '/tmp/mypath my_user_u:my_role_r:my_type_t:s' > my_contexts
> >
> > Before:
> >
> > $ ./selabel_reproducer
> > my_user_u:my_role_r:my_type_t:s
> >
> > After:
> >
> > $ ./selabel_reproducer
> > my_contexts: line 1 has invalid context my_user_u:my_role_r:my_type_t:s
> > selabel_lookup_raw - ERROR: Invalid argument
> >
> >
> >
> >
> > [1]
> > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/packages/
> > [2] https://src.fedoraproject.org/tests/selinux/tree/master
> > [3]
> > https://src.fedoraproject.org/tests/selinux/blob/master/f/libselinux/selabel-functions
> >
> >> If there are specific changes that you think should be called out in
> >> release notes for packagers and users in the final release announcement,
> >> let us know.
> >>
> >> Thanks to all the contributors to this release candidate!
> >>
> >> A shortlog of changes since the 2.7 release is below.
> >>
> >> Dan Cashman (1):
> >> libsepol: cil: Add ability to redeclare types[attributes]
> >>
> >> Dominick Grift (1):
> >> Describe multiple-decls in secilc.8.xml
> >>
> >> Grégoire Colbert (1):
> >> Fixed bad reference in roleattribute
> >>
> >> James Carter (4):
> >> libsepol/cil: Keep attributes used by generated attributes in
> >> neverallow rules
> >> libsepol/cil: Create new keep field for type attribute sets
> >> libsepol: Prevent freeing unitialized value in ibendport handling
> >> libsepol/cil: Improve processing of context rules
> >>
> >> Jan Zarsky (6):
> >> libsepol: reset pointer after free
> >> libsepol: fix memory leak in sepol_bool_query()
> >> libsepol: free ibendport device names
> >> libsemanage: free genhomedircon fallback user
> >> libsemanage: properly check return value of iterate function
> >> python/sepolgen: fix typo in PolicyGenerator
> >>
> >> Lee Stubbs (1):
> >> Minor update for bash completion. Bash completion for ports is
> >> missing '-' for type. Based on documentation, it should be --type, not
> >> -type.
> >>
> >> Lukas Vrabec (1):
> >> python/sepolicy: Fix sepolicy manpage.
> >>
> >> Marcus Folkesson (15):
> >> libsepol: build: follow standard semantics for DESTDIR and PREFIX
> >> libselinux: build: follow standard semantics for DESTDIR and PREFIX
> >> libsemanage: build: follow standard semantics for DESTDIR and PREFIX
> >> checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
> >> gui: build: follow standard semantics for DESTDIR and PREFIX
> >> mcstrans: build: follow standard semantics for DESTDIR and PREFIX
> >> policycoreutils: build: follow standard semantics for DESTDIR and
> >> PREFIX
> >> python: build: follow standard semantics for DESTDIR and PREFIX
> >> python: build: move modules from platform-specific to platform-shared
> >> restorecond: build: follow standard semantics for DESTDIR and PREFIX
> >> sandbox: build: follow standard semantics for DESTDIR and PREFIX
> >> secilc: build: follow standard semantics for DESTDIR and PREFIX
> >> semodule-utils: build: follow standard semantics for DESTDIR and
> >> PREFIX
> >> dbus: build: follow standard semantics for DESTDIR and PREFIX
> >> build: setup buildpaths if DESTDIR is specified
> >>
> >> Nicolas Iooss (36):
> >> Travis-CI: use sugulite environment
> >> Travis-CI: do not test gold linkers with clang
> >> sepolicy: fix Python3 syntax in manpage
> >> sepolicy: do not fail when file_contexts.local does not exist
> >> sepolicy: fix misspelling of _ra_content_t suffix
> >> sepolicy: support non-MLS policy in manpage
> >> sepolicy: support non-MCS policy in manpage
> >> sepolicy: remove stray space in section "SEE ALSO"
> >> libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses
> >> libsepol/cil: __cil_post_db_neverallow_attr_helper() does not use
> >> extra_args
> >> libsepol/cil: fix -Wwrite-strings warning
> >> libsepol/cil: drop wrong unused attribute
> >> restorecond: check write() and daemon() results
> >> Makefile: define a default value for CFLAGS
> >> sepolicy: do not fail when file_contexts.local or .subs do not exist
> >> gui: port to Python 3 by migrating to PyGI
> >> Travis-CI: fix configuration after September's update
> >> sepolicy: ignore comments and empty lines in file_contexts.subs_dist
> >> sepolicy: support non-MLS policy in gui
> >> gui: remove the status bar
> >> gui: fix parsing of "semodule -lfull" in tab Modules
> >> gui: delete overridden definition of usersPage.delete()
> >> gui: remove mappingsPage
> >> Travis-CI: try working around network issues by retrying downloads
> >> Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR
> >> python/sepolicy: Fix translated strings with parameters
> >> python/sepolicy: Support non-MLS policy
> >> python/sepolicy: Initialize policy.ports as a dict in generate.py
> >> libsepol: cil: show an error when cil_expr_to_string() fails
> >> libsemanage: silence clang static analyzer report
> >> libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
> >> libsepol: do not dereference NULL if stack_init fails
> >> libsepol: ensure the level context is not empty
> >> libselinux: label_file: fix memory management in store_stem()
> >> libselinux: fix memory leak in getconlist
> >> libselinux: remove unused variable usercon
> >>
> >> Petr Lautrbach (12):
> >> libselinux: Add support for pcre2 to pkgconfig definition
> >> python/semanage: drop *_ini functions
> >> python/semanage: Don't use global setup variable
> >> python/semanage: Enforce noreload only if it's requested by -N option
> >> libsemanage: Use umask(0077) for fopen() write operations
> >> python/semanage: make seobject.py backward compatible
> >> python/semanage: bring semanageRecords.set_reload back
> >> gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
> >> gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
> >> python/sepolicy: Use list instead of map
> >> python/sepolicy: Do not use types.BooleanType
> >> gui/polgengui.py: Use stop_emission_by_name instead of
> >> emit_stop_by_name
> >>
> >> Richard Haines (3):
> >> libselinux: Correct manpages regarding removable_context
> >> libsemanage: Return commit number if save-previous false
> >> libsemanage: Allow tmp files to be kept if a compile fails
> >>
> >> Richard Haines via Selinux (1):
> >> selinux: Add support for the SCTP portcon keyword
> >>
> >> Stephen Smalley (4):
> >> checkpolicy,libselinux,libsepol,policycoreutils: Update my email
> >> address
> >> semodule-utils: remove semodule_deps
> >> libsepol: Export sepol_polcap_getnum/name functions
> >> Update VERSION files to 2.8-rc1
> >>
> >> Tri Vo (1):
> >> Resolve conflicts in expandattribute.
> >>
> >> Vit Mojzis (18):
> >> libsemanage: Keep copy of file_contexts.homedirs in policy store
> >> libsemanage: Add support for listing fcontext.homedirs file
> >> python/semanage: Enable listing file_contexts.homedirs
> >> python/semanage: Fix export of ibendport entries
> >> python/semanage: Update Infiniband code to work on python3
> >> python/semanage: Remove redundant and broken moduleRecords.modify()
> >> semodule-utils/semodule_package: fix semodule_unpackage man page
> >> libsemanage: Improve warning for installing disabled module
> >> gui/semanagePage: Close "edit" and "add" dialogues when successfull
> >> gui/fcontextPage: Set default object class in addDialog
> >> libsemanage: remove access() check to make setuid programs work
> >> libsemanage: remove access() check to make setuid programs work
> >> libsemanage: replace access() checks to make setuid programs work
> >> libsemanage/direct_api.c: Fix iterating over array
> >> policycoreutils/semodule: Improve man page and unify it with --help
> >> policycoreutils/semodule: Allow enabling/disabling multiple modules
> >> at once
> >> python/sepolgen: Try to translate SELinux contexts to raw
> >> libsemanage: do not change file mode of seusers and users_extra
> >>
> >> Yuli Khodorkovskiy (3):
> >> secilc: Fix documentation build for OS X systems
> >> libselinux: verify file_contexts when using restorecon
> >> libselinux: echo line number of bad label in selabel_fini()
> >>
> >>
>
signature.asc
Description: PGP signature
