From edf1a80fa41fa34ad849fbf5098eddd4c5339c18 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 9 May 2023 19:22:01 +0200 Subject: [PATCH 1/9] Disable/remove neverallow options in sediff. Apply change from commit 06335957b701 ("Disable/remove neverallow options in frontends.") to sediff Signed-off-by: Petr Lautrbach --- man/ru/sediff.1 | 4 ---- man/sediff.1 | 4 ---- sediff | 10 +++++++--- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/man/ru/sediff.1 b/man/ru/sediff.1 index c6bf2939..af5d8efc 100644 --- a/man/ru/sediff.1 +++ b/man/ru/sediff.1 @@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi Найти различия правил включения журналирования событий. .IP "--dontaudit" Найти различия правил запрета журналирования событий. -.IP "--neverallow" -Найти различия запрещающих правил. .IP "--allowxperm" Найти различия расширенных разрешительных правил. .IP "--auditallowxperm" Найти различия расширенных правил включения журналирования событий. .IP "--dontauditxperm" Найти различия расширенных правил запрета журналирования событий. -.IP "--neverallowxperm" -Найти различия расширенных запрещающих правил. .IP "-T, --type_trans" Найти различия правил перехода типов. .IP "--type_member" diff --git a/man/sediff.1 b/man/sediff.1 index ed3b497d..18466d8a 100644 --- a/man/sediff.1 +++ b/man/sediff.1 @@ -50,16 +50,12 @@ Find differences in allow rules. Find differences in auditallow rules. .IP "--dontaudit" Find differences in dontaudit rules. -.IP "--neverallow" -Find differences in neverallow rules. .IP "--allowxperm" Find differences in allowxperm rules. .IP "--auditallowxperm" Find differences in auditallowxperm rules. .IP "--dontauditxperm" Find differences in dontauditxperm rules. -.IP "--neverallowxperm" -Find differences in neverallowxperm rules. .IP "-T, --type_trans" Find differences in type_transition rules. .IP "--type_member" diff --git a/sediff b/sediff index b2fef977..a39d6f5c 100755 --- a/sediff +++ b/sediff 
@@ -45,12 +45,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti terule = parser.add_argument_group("type enforcement rule differences") terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences") terule.add_argument("--allow", action="store_true", help="Print allow rule differences") -terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences") +# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences") terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences") terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences") terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences") -terule.add_argument("--neverallowxperm", action="store_true", - help="Print neverallowxperm rule differences") +# terule.add_argument("--neverallowxperm", action="store_true", +# help="Print neverallowxperm rule differences") terule.add_argument("--auditallowxperm", action="store_true", help="Print auditallowxperm rule differences") terule.add_argument("--dontauditxperm", action="store_true", @@ -97,6 +97,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d args = parser.parse_args() +# neverallow and neverallowxperm options are disabled +args.neverallow = False +args.neverallowxperm = False + if args.A: args.allow = True args.allowxperm = True From 2fea8eb0d4aedbbdca2209ee904eb10df69737b8 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Thu, 11 May 2023 18:38:21 +0200 Subject: [PATCH 2/9] Improve man pages - Add missing parameters - Add examples - Fix typos 
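Review bot: The first hunk leaves the two `add_argument` calls as commented-out code while the second hunk (`@@ -97,6 +97,10 @@`) pins `args.neverallow` and `args.neverallowxperm` to False, and neither place records why the options went away — a reader of this file alone cannot tell whether this is temporary. Either delete the commented-out lines outright, or make the comment in the second hunk carry the rationale, e.g. `# neverallow/neverallowxperm options are disabled (see commit 06335957b701); the attributes are kept False so the later rule-diff checks still work`. Placing the two assignments before the `if args.A:` block is correct, since nothing after `parse_args()` can then re-enable them; the rest of the script that reads these attributes is outside the hunk.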
Signed-off-by: Vit Mojzis --- man/sechecker.1 | 6 +++--- man/sediff.1 | 12 ++++++++++++ man/sedta.1 | 9 +++++++++ man/seinfo.1 | 25 +++++++++++++++++++++++++ man/seinfoflow.1 | 9 +++++++++ man/sesearch.1 | 12 ++++++++++++ 6 files changed, 70 insertions(+), 3 deletions(-) diff --git a/man/sechecker.1 b/man/sechecker.1 index 507b8615..e32d6d61 100644 --- a/man/sechecker.1 +++ b/man/sechecker.1 @@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query. A space-separated list of permissions for the query. .PP -\fBA least one of the above options must be set in this check.\fR +\fBAt least one of the above options must be set in this check.\fR .PP Additional Options: @@ -123,7 +123,7 @@ The source role criteria for the query. The target role criteria for the query. .PP -\fBA least one of the above options must be set in this check.\fR +\fBAt least one of the above options must be set in this check.\fR .PP Additional Options: @@ -205,7 +205,7 @@ executable types are read-only.\fR .\} .nf [ro_execs] -check_type = empty_typeattr +check_type = ro_execs desc = Verify that the all executables and libraries are read-only. .fi .if n \{\ diff --git a/man/sediff.1 b/man/sediff.1 index 18466d8a..9b189885 100644 --- a/man/sediff.1 +++ b/man/sediff.1 @@ -84,6 +84,10 @@ Find differences in validatetrans rules. Find differences in mlsvalidatetrans rules. .SS Labeling Statement Differences +.IP "--ibendportcon" +Find differences in ibendportcon (InfiniBand endport context) statements. +.IP "--ibpkeycon" +Find differences in ibpkeycon (InfiniBand parition key context) statements. .IP "--initialsid" Find differences in initial SID statements. .IP "--fs_use" 
@@ -136,6 +140,14 @@ For example, a class is modified if one or more permissions are added or removed .RE .PP +.SH EXAMPLE +.nf +Show differences in boolean settings +# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33 +Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified) +#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33 + + .SH AUTHOR Chris PeBenito diff --git a/man/sedta.1 b/man/sedta.1 index 1d84d926..d3d21db6 100644 --- a/man/sedta.1 +++ b/man/sedta.1 @@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim A space-separated list of types to exclude from the analysis. .SS General Options +.IP "--full" +Print rule lists for transitions. .IP "--stats" Print domain transition graph statistics at the end of the analysis. .IP "-h, --help" @@ -60,6 +62,13 @@ Print additional informational messages. .IP "--debug" Enable debugging output. +.SH EXAMPLE +.nf +Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t +# sedta -s httpd_t -t unconfined_t -S container_runtime_t +List all domain transition paths shorter than 3 steps from init_t to smbd_t +# sedta -s init_t -t smbd_t -A 3 + .SH AUTHOR Chris PeBenito diff --git a/man/seinfo.1 b/man/seinfo.1 index 1adea986..9e7cbde8 100644 --- a/man/seinfo.1 +++ b/man/seinfo.1 
@@ -56,6 +56,10 @@ There is no expanded information for this component. .IP "--genfscon [FS_TYPE]" Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type. There is no expanded information for this component. +.IP "--ibpkeycon [PKEY[-PKEY]]" +Print a list of InfiniBand parition key contexts. +.IP "--ibendportcon [NAME]" +Print a list of InfiniBand endport contexts. .IP "--initialsid [NAME]" Print a list of initial SIDs or, if NAME is provided, print the named initial SID. With \fI-x\fR, print the context assigned to each displayed SID. @@ -86,6 +90,18 @@ There is no expanded information for this component. .IP "--all" Print all components. +.IP "\fB Xen Component Queries: \fR" +.IP "--ioportcon" +Print all ioportcon statements. +.IP "--iomemcon" +Print all iomemcon statements. +.IP "--pcidevicecon" +Print all pcidevicecon statements. +.IP "--pirqcon" +Print all pirqcon statements. +.IP "--devicetreecon" +Print all devicetreecon statements. + .SH OPTIONS .IP "-x, --expand" Print additional details for each component matching the expression. @@ -101,6 +117,15 @@ Print additional informational messages. .IP "--debug" Enable debugging output. +.SH EXAMPLE +.nf +List aliases of and attributes assigned to type httpd_t +# seinfo -t httpd_t -x +List all executable types (all types assigned to "exec_type" attribute) +# seinfo -a exec_type -x +List all constrains and mlsconstrains for class "file" +# seinfo --constrain file + .SH AUTHOR Chris PeBenito diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 index 2e4a2616..75763d6f 100644 --- a/man/seinfoflow.1 +++ b/man/seinfoflow.1 @@ -54,6 +54,8 @@ A space-separated list of types to exclude from the analysis. Print information flow graph statistics at the end of the analysis. .IP "-h, --help" Print help information and exit. +.IP "--full" +Print full rule lists for information flows. .IP "--version" Print version information and exit. .IP "-v, --verbose" 
@@ -61,6 +63,13 @@ Print additional informational messages. .IP "--debug" Enable debugging output. +.SH EXAMPLE +.nf +Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map +# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S +List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled +# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" + .SH AUTHOR Chris PeBenito diff --git a/man/sesearch.1 b/man/sesearch.1 index 35f16c4b..edc18346 100644 --- a/man/sesearch.1 +++ b/man/sesearch.1 @@ -48,6 +48,7 @@ Find type_change rules. Find role allow rules. .IP "--role_trans" Find role_transition rules. +.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches" .SS MLS Rule Types .IP "--range_trans" @@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i A matching rule must have all specified Booleans, instead of matching any of the specified Boolean. .IP "-ep" A matching rule must have exactly the specified permissions, instead of matching any of the specified permission. +.IP "-ex" +A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission. .IP "-Sp" A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions. .IP "-rs" 
@@ -103,6 +106,15 @@ Print additional informational messages. .IP "--debug" Enable debugging output. +.SH EXAMPLE +.nf +List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain +# sesearch -A -s container_domain -t container_file_t -c file +List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices +# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices +List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded) +# sesearch --dontaudit -s application_domain_type -ds + .SH AUTHOR Chris PeBenito From 6425b45e2748605b99d4e45b286fbf5bb8e8243e Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 17 Jul 2023 16:45:01 -0400 Subject: [PATCH 3/9] tox.ini: Change environments to use "python" instead of "py". Signed-off-by: Chris PeBenito --- .github/workflows/tests.yml | 12 ++++++------ tox.ini | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index eb443ae7..c3c8d552 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -27,12 +27,12 @@ jobs: matrix: build-opts: - - {python: '3.6', tox: py36} - - {python: '3.7', tox: py37} - - {python: '3.8', tox: py38} - - {python: '3.9', tox: py39} - - {python: '3.10', tox: py310} - - {python: '3.11', tox: py311} + - {python: '3.6', tox: python3.6} + - {python: '3.7', tox: python3.7} + - {python: '3.8', tox: python3.8} + - {python: '3.9', tox: python3.9} + - {python: '3.10', tox: python3.10} + - {python: '3.11', tox: python3.11} - {python: '3.6', tox: pep8} - {python: '3.6', tox: lint} - {python: '3.6', tox: mypy} diff --git a/tox.ini b/tox.ini index b2f6b518..a668bb3d 100644 --- a/tox.ini +++ b/tox.ini 
@@ -1,6 +1,6 @@ [tox] minversion = 1.4 -envlist = py3, pep8, lint, mypy +envlist = python3, pep8, lint, mypy [pycodestyle] max-line-length = 100 @@ -53,8 +53,8 @@ passenv = USERSPACE_SRC deps = networkx>=2.0 cython>=0.27 pytest - py38: cython>=0.29.14 - py39: networkx>=2.6 - py39: cython>=0.29.14 + python38: cython>=0.29.14 + python39: networkx>=2.6 + python39: cython>=0.29.14 commands_pre = {envpython} setup.py build_ext -i commands = pytest tests From 8ec295066289cf74df0e3f2c6e068abe503f1121 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 21 Jun 2023 08:56:08 -0400 Subject: [PATCH 4/9] seinfoflow: Add -r option to get flows into the source type. Signed-off-by: Chris PeBenito --- man/seinfoflow.1 | 2 ++ seinfoflow | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 index 75763d6f..63c70c0e 100644 --- a/man/seinfoflow.1 +++ b/man/seinfoflow.1 @@ -50,6 +50,8 @@ Specify the maximum number of information flows to output. The default is unlimi A space-separated list of types to exclude from the analysis. .SS General Options +.IP "-r, --reverse" +Display information flows into the source type. No effect if a target type is specified. .IP "--stats" Print information flow graph statistics at the end of the analysis. .IP "-h, --help" diff --git a/seinfoflow b/seinfoflow index 5f4e7642..9bd1bec4 100755 --- a/seinfoflow +++ b/seinfoflow @@ -42,6 +42,9 @@ alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS", help="Calculate all paths, with the specified maximum path length. (Expensive)") opts = parser.add_argument_group("Analysis options") +opts.add_argument("-r", "--reverse", action="store_false", + help="Display information flows into the source type. " + "No effect if a target type is specified.") opts.add_argument("-w", "--min_weight", default=3, type=int, help="Minimum permission weight. Default is 3.") opts.add_argument("-l", "--limit_flows", default=0, type=int, 
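Review bot: The factor-conditional deps in the second hunk (`@@ -53,8 +53,8 @@`), `python38: cython>=0.29.14`, `python39: networkx>=2.6` and `python39: cython>=0.29.14`, appear to no longer match any environment: the workflow hunk in `.github/workflows/tests.yml` now runs tox with the dotted names `python3.8`/`python3.9`, and tox matches factors by exact name, so `python38` would only apply if the tox version in use normalises the dotted form — worth confirming. If the pins are still needed the conditions should be written with the names actually invoked (`python3.8: cython>=0.29.14` etc., after checking that a dotted factor is accepted by the config parser); if they are obsolete, drop them rather than leave dead configuration behind.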
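Review bot: `-r/--reverse` is declared with `action="store_false"`, so `args.reverse` is True when the flag is absent and False when the user asks for reverse flows; the value is the opposite of its name and only works because the second hunk (`@@ -119,7 +122,7 @@`) passes it straight through as `out=args.reverse`. Use `action="store_true"` here and `out=not args.reverse` at the call site, so the attribute reads true when reversing and any other consumer of the flag gets the expected meaning. The help text says the option has no effect when a target type is given; the only consumer visible is the `else: # single direct info flow` branch in the second hunk, which matches, but the function enclosing that loop starts and ends outside the hunk.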
@@ -119,7 +122,7 @@ try: else: # single direct info flow flownum = 0 - for flownum, flow in enumerate(g.infoflows(args.source), start=1): + for flownum, flow in enumerate(g.infoflows(args.source, out=args.reverse), start=1): print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target)) if args.full: From 32ebd2c802ca0fcf3b920b298f0d2d8b2972cfa9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 21 Jun 2023 08:56:53 -0400 Subject: [PATCH 5/9] seinfoflow.1: Remove references to sepolgen permission map. SETools ships with its own so that it is usable on non-SELinux systems. Signed-off-by: Chris PeBenito --- man/seinfoflow.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 index 63c70c0e..e482520a 100644 --- a/man/seinfoflow.1 +++ b/man/seinfoflow.1 @@ -67,10 +67,10 @@ Enable debugging output. .SH EXAMPLE .nf -Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map -# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S +Show the shortest paths for process running as httpd_t to access user home files, using the default permission map: +# seinfoflow -s httpd_t -t user_home_t -S List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled -# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" +# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" .SH AUTHOR Chris PeBenito From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 May 2023 13:21:09 -0400 Subject: [PATCH 6/9] AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy. 
Signed-off-by: Chris PeBenito --- setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi index 6c869ed0..4f4a95f5 100644 --- a/setools/policyrep/terule.pxi +++ b/setools/policyrep/terule.pxi @@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule): r._conditional = conditional r._conditional_block = conditional_block r.origin = None + + if not r.perms: + rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};" + try: + rule_string += f" [ {r.conditional} ]:{r.conditional_block}" + except RuleNotConditional: + pass + + raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: " + f"{rule_string}") + return r def __hash__(self): @@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule): r._conditional = conditional r._conditional_block = conditional_block r.origin = None + + if not perms: + rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};" + try: + rule_string += f" [ {r.conditional} ]:{r.conditional_block}" + except RuleNotConditional: + pass + + raise LowLevelPolicyError( + f"Invalid policy: Found a rule with no extended permissions: {rule_string}.") + return r def __hash__(self): From fc443b5a0379f3644e071a458e996ea6115ccba3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 17 Jul 2023 16:08:21 -0400 Subject: [PATCH 7/9] SELinuxPolicy: Add explicit cast for libspol message callback. Cython 3.0 is more strict. The change fixes this issue: setools/policyrep/selinuxpolicy.pxi:685:46: Cannot assign type 'void (void *, sepol_handle_t *, const char *, ...) except *' to 'msg_callback' Additionally, the msg_callback is not typedef-ed in sepol/debug.h, so it must be explicitly defined in sepol.pxd for the casting to work. Signed-off-by: Chris PeBenito --- setools/policyrep/selinuxpolicy.pxi | 2 +- setools/policyrep/sepol.pxd | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
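Review bot: The two new checks test different sources for the same condition: the `AVRule` hunk tests the attribute `r.perms`, while the `AVRuleXperm` hunk (`@@ -319,6 +330,17 @@`) tests the local `perms`; if `r.perms` is assigned from `perms` earlier in that constructor-like function (outside the hunk) the two are equivalent, but testing `r.perms` in both keeps the check tied to what the object actually exposes and avoids a silent divergence if the assignment ever changes. The error messages also differ in shape — the first ends with the rule string, the second appends a `.` after it — and should use one form, since callers that match on the text will otherwise see two variants. The `try`/`except RuleNotConditional` only guards the string building, which is fine. Both enclosing functions start outside their hunks.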
diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi index 9267a0c4..236316f1 100644 --- a/setools/policyrep/selinuxpolicy.pxi +++ b/setools/policyrep/selinuxpolicy.pxi @@ -668,7 +668,7 @@ cdef class SELinuxPolicy: if self.sh == NULL: raise MemoryError - sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle) + sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle) if sepol.sepol_policydb_create(&self.handle) < 0: raise MemoryError diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd index 769498f2..36589ed1 100644 --- a/setools/policyrep/sepol.pxd +++ b/setools/policyrep/sepol.pxd @@ -16,8 +16,10 @@ cdef extern from "": void sepol_handle_destroy(sepol_handle_t *sh) +ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...) + + cdef extern from "": - ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...) void sepol_msg_set_callback(sepol_handle * handle, msg_callback cb, void *cb_arg) From 00c965ddb85e5ac44217cf4ed32ddcce7a4c1ee1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 27 Jul 2023 14:36:51 -0400 Subject: [PATCH 8/9] Set version to 4.4.3. Signed-off-by: Chris PeBenito --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index b7568e52..3cfd9271 100644 --- a/setup.py +++ b/setup.py @@ -133,7 +133,7 @@ def run(self): installed_data.append((join('share/man', lang, 'man1'), glob.glob(join("man", lang, "*.1")))) setup(name='setools', - version='4.4.2', + version='4.4.3', description='SELinux policy analysis tools.', author='Chris PeBenito', author_email='pebenito@ieee.org', From f6f812b3233cce1767d086e7d2b20ff48055e07b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 27 Jul 2023 14:43:14 -0400 Subject: [PATCH 9/9] Update ChangeLog for 4.4.3 release. Signed-off-by: Chris PeBenito --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) 
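Review bot: Casting `sepol_logging_callback` to `msg_callback` silences the Cython 3 error quoted in the commit message, but that error is informative: the callback is now typed `... except *`, meaning a Python exception raised inside it is expected to be checked by the caller, and the C caller inside libsepol never will, so an exception raised in the callback would surface at some later, unrelated Python API call or be reported as ignored. The more robust fix is to declare the callback `noexcept` (keeping its existing parameter list, i.e. `cdef void sepol_logging_callback(...) noexcept:`) and handle any exception inside it, which also makes the cast unnecessary; its definition is outside this hunk. Note that in this rendering the old and new `sepol_msg_set_callback` lines read identically and the header names in `cdef extern from ""` are empty — the `<sepol.msg_callback>` cast and the `<sepol/...h>` names appear to have been stripped as angle-bracket markup, so check the actual patch. The `SELinuxPolicy` method containing the call starts and ends outside the hunk.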
diff --git a/ChangeLog b/ChangeLog index 26e14fe6..e0f43e2b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +*setools-4-4.3 (27 Jul 2023) + * Fix compilation with Cython 3.0.0. + * Improve man pages. + * Remove neverallow options in sediff. + * Add -r option to seinfoflow to get flows into the source type. + * Reject a rule with no permissions as invalid policy. + *setools-4-4.2 (19 Apr 2023) * Make NetworkX optional. sedta and seinfoflow tools, along with the