The variable is used quoted.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
In case of a non-default toolchain also set the environment variable
PYTHONPATH to run sepolgen related python code from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
When building with a non-default toolchain by setting the environment
variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
On install pre-compile the file contexts.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
egrep has been deprecated since 2007 and with version 3.8 calling this
command issues a warning.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
When adding program options to checkpolicy and checkmodule use
override to add them even when CHECKPOLICY or CHECKMODULE have been
set by the caller.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Fail on python code calling str(bytes_instance) or
str(bytearray_instance), or comparing bytes/bytearray with str.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
These blocks are always enabled.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Use install(1) with explicit permission to create directories and
files. In case umask(2) is set too strict the installed files will
otherwise not be readable by unprivileged users.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).
Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.
Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.
Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.
closes #218
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Set build options to expand to "true". This will enable writing build
options using m4 ifelse, for example:
ifelse(`init_systemd',`true',`
[init_systemd rules]
',`direct_sysadm_daemon',`true',
[direct_sysadm_daemon rules]
',` dnl else
[else rules]
')
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference style policy generation by
'audit2allow --reference'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
With the removal of fc_sort there are no more .c files in the repository.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Use a separate directory for files generated by 'make conf', so the clean targets from Rules.* do not remove them.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
This doesn't work on dash, the default shell on Debian.
Closes #110
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
fc_sort is the only/last build tool that requires a C compiler.
Re-implement it in python, so that gcc dependencies can be dropped.
The output of the C and the python version differs slightly in the order of equally specific file contexts:
old:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/opt/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
/usr/.* system_u:object_r:usr_t
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/run/.* <<none>>
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
new:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
/opt/.* system_u:object_r:usr_t
/run/.* <<none>>
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Currently policy module directories must have a same ending.
Reproduce with:
mv policy/modules/admin/ policy/modules/adminapps
make conf
Results in:
...
cat policy/modules/adminapps/metadata.xml policy/modules/apps/metadata.xml > tmp/apps.xml
...
doc/policy.xml:4332: element layer: validity error : Element layer content does not follow the DTD, expecting (summary , module+), got (summary summary module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module )
Document doc/policy.xml does not validate against doc/policy.dtd
make: *** [Makefile:452: doc/policy.xml] Error 3
Add a leading slash to the filter pattern, to not match partial names
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Fixes: #26
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Without this fix, building a custom module in a directory that contains
a file with special characters in its name (e.g. '(') triggers a syntax
error:
$ cat >foo.te <<EOF
module foo 1.0;
require {
class file entrypoint;
type shell_exec_t;
type vmtools_unconfined_t;
}
allow vmtools_unconfined_t shell_exec_t : file entrypoint;
EOF
$ touch "my broken (file)"
$ make -f /usr/share/selinux/devel/Makefile foo.pp
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `find anaconda-ks.cfg my broken (file) vncserver.strace systemd.strace rhel-server-7.6-x86_64-boot.iso rt_minimal.c vnc.cil foo.te rsyslog tmp virt-install.log evil_banner.sh livemedia.log program.log foo.if rhel7-minimal.ks TestZip.java TestZip.class foo.fc sudoloop foo.pp strace.log -maxdepth 0 -type d'
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1692676
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
Update the Makefile to first build the template files (template code
definitions) and then have all segenxml calls use these files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Add this to all Travis-CI builds.
Since the awk scripts appear to use some GNU extensions, make sure we always use $(AWK).
Fixes an issue where the system /usr/bin/awk may be another implementation, say mawk on a Ubuntu system.
selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is ATM used by libvirt.
The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used;
keep them out of the file for the time being.
This compile-time feature is in the minimum-required checkpolicy/checkmodule
for building the policy, so it should always be used.
This eliminates the hardcoded /selinux in Rules.monolithic, which
broke when the filesystem mount was moved to /sys/fs/selinux.
When tunables are generated through a template, their documentation is not added
to the XML file that is parsed by "semanage boolean". As the current method for
obtaining the information is not M4-aware, we cannot get the information from
the policy sources themselves.
As a result, we now add in a gentoo_tunables.xml file that contains static
declarations of the booleans.