Discussion:
ANN: SELinux userspace 2.8-rc1 release candidate
Stephen Smalley
2018-04-19 15:07:39 UTC
A 2.8-rc1 release candidate for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues.

If there are specific changes that you think should be called out in
release notes for packagers and users in the final release announcement, let us know.

Thanks to all the contributors to this release candidate!

A shortlog of changes since the 2.7 release is below.

Dan Cashman (1):
libsepol: cil: Add ability to redeclare types[attributes]

Dominick Grift (1):
Describe multiple-decls in secilc.8.xml

Grégoire Colbert (1):
Fixed bad reference in roleattribute

James Carter (4):
libsepol/cil: Keep attributes used by generated attributes in neverallow rules
libsepol/cil: Create new keep field for type attribute sets
libsepol: Prevent freeing unitialized value in ibendport handling
libsepol/cil: Improve processing of context rules

Jan Zarsky (6):
libsepol: reset pointer after free
libsepol: fix memory leak in sepol_bool_query()
libsepol: free ibendport device names
libsemanage: free genhomedircon fallback user
libsemanage: properly check return value of iterate function
python/sepolgen: fix typo in PolicyGenerator

Lee Stubbs (1):
Minor update for bash completion. Bash completion for ports is missing '-' for type. Based on documentation, it should be --type, not -type.

Lukas Vrabec (1):
python/sepolicy: Fix sepolicy manpage.

Marcus Folkesson (15):
libsepol: build: follow standard semantics for DESTDIR and PREFIX
libselinux: build: follow standard semantics for DESTDIR and PREFIX
libsemanage: build: follow standard semantics for DESTDIR and PREFIX
checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
gui: build: follow standard semantics for DESTDIR and PREFIX
mcstrans: build: follow standard semantics for DESTDIR and PREFIX
policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
python: build: follow standard semantics for DESTDIR and PREFIX
python: build: move modules from platform-specific to platform-shared
restorecond: build: follow standard semantics for DESTDIR and PREFIX
sandbox: build: follow standard semantics for DESTDIR and PREFIX
secilc: build: follow standard semantics for DESTDIR and PREFIX
semodule-utils: build: follow standard semantics for DESTDIR and PREFIX
dbus: build: follow standard semantics for DESTDIR and PREFIX
build: setup buildpaths if DESTDIR is specified

Nicolas Iooss (36):
Travis-CI: use sugulite environment
Travis-CI: do not test gold linkers with clang
sepolicy: fix Python3 syntax in manpage
sepolicy: do not fail when file_contexts.local does not exist
sepolicy: fix misspelling of _ra_content_t suffix
sepolicy: support non-MLS policy in manpage
sepolicy: support non-MCS policy in manpage
sepolicy: remove stray space in section "SEE ALSO"
libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses
libsepol/cil: __cil_post_db_neverallow_attr_helper() does not use extra_args
libsepol/cil: fix -Wwrite-strings warning
libsepol/cil: drop wrong unused attribute
restorecond: check write() and daemon() results
Makefile: define a default value for CFLAGS
sepolicy: do not fail when file_contexts.local or .subs do not exist
gui: port to Python 3 by migrating to PyGI
Travis-CI: fix configuration after September's update
sepolicy: ignore comments and empty lines in file_contexts.subs_dist
sepolicy: support non-MLS policy in gui
gui: remove the status bar
gui: fix parsing of "semodule -lfull" in tab Modules
gui: delete overridden definition of usersPage.delete()
gui: remove mappingsPage
Travis-CI: try working around network issues by retrying downloads
Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR
python/sepolicy: Fix translated strings with parameters
python/sepolicy: Support non-MLS policy
python/sepolicy: Initialize policy.ports as a dict in generate.py
libsepol: cil: show an error when cil_expr_to_string() fails
libsemanage: silence clang static analyzer report
libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
libsepol: do not dereference NULL if stack_init fails
libsepol: ensure the level context is not empty
libselinux: label_file: fix memory management in store_stem()
libselinux: fix memory leak in getconlist
libselinux: remove unused variable usercon

Petr Lautrbach (12):
libselinux: Add support for pcre2 to pkgconfig definition
python/semanage: drop *_ini functions
python/semanage: Don't use global setup variable
python/semanage: Enforce noreload only if it's requested by -N option
libsemanage: Use umask(0077) for fopen() write operations
python/semanage: make seobject.py backward compatible
python/semanage: bring semanageRecords.set_reload back
gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
python/sepolicy: Use list instead of map
python/sepolicy: Do not use types.BooleanType
gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name

Richard Haines (3):
libselinux: Correct manpages regarding removable_context
libsemanage: Return commit number if save-previous false
libsemanage: Allow tmp files to be kept if a compile fails

Richard Haines via Selinux (1):
selinux: Add support for the SCTP portcon keyword

Stephen Smalley (4):
checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
semodule-utils: remove semodule_deps
libsepol: Export sepol_polcap_getnum/name functions
Update VERSION files to 2.8-rc1

Tri Vo (1):
Resolve conflicts in expandattribute.

Vit Mojzis (18):
libsemanage: Keep copy of file_contexts.homedirs in policy store
libsemanage: Add support for listing fcontext.homedirs file
python/semanage: Enable listing file_contexts.homedirs
python/semanage: Fix export of ibendport entries
python/semanage: Update Infiniband code to work on python3
python/semanage: Remove redundant and broken moduleRecords.modify()
semodule-utils/semodule_package: fix semodule_unpackage man page
libsemanage: Improve warning for installing disabled module
gui/semanagePage: Close "edit" and "add" dialogues when successfull
gui/fcontextPage: Set default object class in addDialog
libsemanage: remove access() check to make setuid programs work
libsemanage: remove access() check to make setuid programs work
libsemanage: replace access() checks to make setuid programs work
libsemanage/direct_api.c: Fix iterating over array
policycoreutils/semodule: Improve man page and unify it with --help
policycoreutils/semodule: Allow enabling/disabling multiple modules at once
python/sepolgen: Try to translate SELinux contexts to raw
libsemanage: do not change file mode of seusers and users_extra

Yuli Khodorkovskiy (3):
secilc: Fix documentation build for OS X systems
libselinux: verify file_contexts when using restorecon
libselinux: echo line number of bad label in selabel_fini()
Petr Lautrbach
2018-04-20 12:31:36 UTC
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.

So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.

The reproducer code:

#include <errno.h>
#include <stdio.h>

#include <selinux/selinux.h>
#include <selinux/label.h>

int main() {
    struct selabel_handle *hnd = NULL;
    security_context_t selabel_context;

    /* SELABEL_OPT_VALIDATE is passed with a null value: validation is not requested. */
    struct selinux_opt selabel_option [] = {
        { SELABEL_OPT_PATH, "my_contexts" },
        { SELABEL_OPT_SUBSET, NULL },
        { SELABEL_OPT_VALIDATE, (char *) 0 },
        { SELABEL_OPT_BASEONLY, (char *) 0 }
    };
    int result = 0;

    if ((hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 4)) == NULL) {
        return 1;
    }

    /* Look up the raw context for the path listed in my_contexts. */
    if ((result = selabel_lookup_raw(hnd, &selabel_context, "/tmp/mypath", 0)) == -1) {
        perror("selabel_lookup_raw - ERROR");
        selabel_close(hnd);
        return 1;
    }

    printf("%s\n", selabel_context);

    /* Release the returned context and the labeling handle. */
    freecon(selabel_context);
    selabel_close(hnd);

    return 0;
}

---

$ gcc -o selabel_reproducer selabel_reproducer.c -lselinux
$ echo '/tmp/mypath my_user_u:my_role_r:my_type_t:s' > my_contexts

Before:

$ ./selabel_reproducer
my_user_u:my_role_r:my_type_t:s

After:

$ ./selabel_reproducer
my_contexts: line 1 has invalid context my_user_u:my_role_r:my_type_t:s
selabel_lookup_raw - ERROR: Invalid argument




[1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/packages/
[2] https://src.fedoraproject.org/tests/selinux/tree/master
[3] https://src.fedoraproject.org/tests/selinux/blob/master/f/libselinux/selabel-functions
Stephen Smalley
2018-04-20 12:49:41 UTC
Post by Petr Lautrbach
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).

Are there real users of libselinux that rely on the current behavior or is there some use case where
it is desirable?
Petr Lautrbach
2018-04-20 13:31:41 UTC
Post by Stephen Smalley
Post by Petr Lautrbach
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).
selabel_open(3) states that "an invalid context may not be treated as an
error unless it is actually encountered during a lookup operation". So at
least, it's some disproportion between the code and the documentation.

I read the commit message as that a context should be validated before it's
applied. But now it's validated during lookup.
Post by Stephen Smalley
Are there real users of libselinux that rely on the current behavior or is there some use case where
it is desirable?
I don't know. I was thinking about setfiles but it always validates. There might be 3rd party users who
look up labels in a chroot.
Stephen Smalley
2018-04-20 14:09:02 UTC
Permalink
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
Post by Petr Lautrbach
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
Post by Stephen Smalley
So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).
Post by Petr Lautrbach
selabel_open(3) states that "an invalid context may not be treated as an
error unless it is actually encountered during a lookup operation". So at
least, it's some disproportion between the code and the documentation.
I read the commit message as that a context should be validated before it's
applied. But now it's validated during lookup.

I guess it would be an API change given the way SELABEL_OPT_VALIDATE is documented in the man page,
although that description doesn't quite match the current code either.

I was thinking that {SELABEL_OPT_VALIDATE,1} was intended to mean "validate all contexts during selabel_open() and fail the open on any errors". Which is good for setfiles (particularly when invoked by libsemanage to check file_contexts against the policy) but was considered problematic for restorecon, as it meant that a single typo in file_contexts could prevent your system from booting (e.g. restorecon -R /dev or similar during boot may fail even if the error has nothing to do with /dev entries). I thought {SELABEL_OPT_VALIDATE,0} was intended to mean "don't validate during selabel_open(); instead, lazily validate just before returning from selabel_lookup()". That makes more sense to me.

However, if it is an API change, I guess we have to revert it. In which case maybe we should just change restorecon itself
to validate the context it gets from selabel_lookup (which might have been Yuli's original approach; I don't remember -
I think I sent him down this path instead).

On a separate but related note, I have seen situations where people really wanted setfiles to have an option to suppress validation for use when labeling in a chroot with a policy that differs from the host policy.
Post by Stephen Smalley
Are there real users of libselinux that rely on the current behavior or is there some use case where
it is desirable?
Post by Petr Lautrbach
I don't know. I was thinking about setfiles but it always validates. There might be 3rd party users who
look up labels in chroot.
Post by Petr Lautrbach
#include <errno.h>
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/label.h>

int main(void) {
    struct selabel_handle *hnd = NULL;
    char *selabel_context = NULL;
    /* SELABEL_OPT_VALIDATE is passed as 0: validation is not requested. */
    struct selinux_opt selabel_option[] = {
        { SELABEL_OPT_PATH, "my_contexts" },
        { SELABEL_OPT_SUBSET, NULL },
        { SELABEL_OPT_VALIDATE, (char *) 0 },
        { SELABEL_OPT_BASEONLY, (char *) 0 }
    };
    int result = 0;

    if ((hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 4)) == NULL) {
        return 1;
    }
    /* Look up the raw (untranslated) context recorded for the path. */
    if ((result = selabel_lookup_raw(hnd, &selabel_context, "/tmp/mypath", 0)) == -1) {
        perror("selabel_lookup_raw - ERROR");
        selabel_close(hnd);
        return 1;
    }
    printf("%s\n", selabel_context);
    /* Release the returned context and the labeling handle. */
    freecon(selabel_context);
    selabel_close(hnd);
    return 0;
}
---
$ gcc -o selabel_reproducer selabel_reproducer.c -lselinux
$ echo '/tmp/mypath my_user_u:my_role_r:my_type_t:s' > my_contexts
$ ./selabel_reproducer
my_user_u:my_role_r:my_type_t:s
$ ./selabel_reproducer
my_contexts: line 1 has invalid context my_user_u:my_role_r:my_type_t:s
selabel_lookup_raw - ERROR: Invalid argument
[1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/packages/
[2] https://src.fedoraproject.org/tests/selinux/tree/master
[3] https://src.fedoraproject.org/tests/selinux/blob/master/f/libselinux/selabel-functions
Yuli Khodorkovskiy
2018-04-25 14:11:22 UTC
Permalink
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
Post by Petr Lautrbach
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
Post by Stephen Smalley
So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).
Post by Petr Lautrbach
selabel_open(3) states that "an invalid context may not be treated as an
error unless it is actually encountered during a lookup operation". So at
least, it's some disproportion between the code and the documentation.
I read the commit message as that a context should be validated before it's
applied. But now it's validated during lookup.
Post by Stephen Smalley
I guess it would be an API change given the way SELABEL_OPT_VALIDATE is documented in the man page,
although that description doesn't quite match the current code either.
I was thinking that {SELABEL_OPT_VALIDATE,1} was intended to mean "validate all contexts during selabel_open() and fail the open on any errors". Which is good for setfiles (particularly when invoked by libsemanage to check file_contexts against the policy) but was considered problematic for restorecon, as it meant that a single typo in file_contexts could prevent your system from booting (e.g. restorecon -R /dev or similar during boot may fail even if the error has nothing to do with /dev entries). I thought {SELABEL_OPT_VALIDATE,0} was intended to mean "don't validate during selabel_open(); instead, lazily validate just before returning from selabel_lookup()". That makes more sense to me.
However, if it is an API change, I guess we have to revert it. In which case maybe we should just change restorecon itself
to validate the context it gets from selabel_lookup (which might have been Yuli's original approach; I don't remember -
I think I sent him down this path instead).

Iirc, my original patch did not do lazy validation, which is why we
went down this path. Is the right approach to change restorecon or to
update the API and maintain compatibility?
[1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/packages/
[2] https://src.fedoraproject.org/tests/selinux/tree/master
[3] https://src.fedoraproject.org/tests/selinux/blob/master/f/libselinux/selabel-functions
Stephen Smalley
2018-04-25 14:32:35 UTC
Permalink
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
Post by Petr Lautrbach
I've built in my Fedora COPR repo [1] and I'm running Fedora CI [2] tests on it.
So far there's one problem found by libselinux/selabel-function [3] test. It
looks like commit 814631d3aebaa changed the behavior of selabel_open() when
SELABEL_OPT_VALIDATE is null - a context should not be validated, but it is.
Post by Stephen Smalley
So, is this a bug in the test or a bug in libselinux? As noted in that commit description,
failing to verify contexts at all before use can lead to applying an invalid label (if the system is permissive).
Post by Petr Lautrbach
selabel_open(3) states that "an invalid context may not be treated as an
error unless it is actually encountered during a lookup operation". So at
least, it's some disproportion between the code and the documentation.
I read the commit message as that a context should be validated before it's
applied. But now it's validated during lookup.
Post by Stephen Smalley
I guess it would be an API change given the way SELABEL_OPT_VALIDATE is documented in the man page,
although that description doesn't quite match the current code either.
I was thinking that {SELABEL_OPT_VALIDATE,1} was intended to mean "validate all contexts during selabel_open() and fail the open on any errors". Which is good for setfiles (particularly when invoked by libsemanage to check file_contexts against the policy) but was considered problematic for restorecon, as it meant that a single typo in file_contexts could prevent your system from booting (e.g. restorecon -R /dev or similar during boot may fail even if the error has nothing to do with /dev entries). I thought {SELABEL_OPT_VALIDATE,0} was intended to mean "don't validate during selabel_open(); instead, lazily validate just before returning from selabel_lookup()". That makes more sense to me.
However, if it is an API change, I guess we have to revert it. In which case maybe we should just change restorecon itself
to validate the context it gets from selabel_lookup (which might have been Yuli's original approach; I don't remember -
I think I sent him down this path instead).
Post by Yuli Khodorkovskiy
Iirc, my original patch did not do lazy validation, which is why we
went down this path. Is the right approach to change restorecon or to
update the API and maintain compatibility?

I reverted the change because technically it breaks the documented semantics of SELABEL_OPT_VALIDATE and thus could
break existing external users, particularly ones that do not specify SELABEL_OPT_VALIDATE at all or specify it as 0. Use case example is for labeling filesystem images where the file contexts aren't defined in the host policy.

If we want to address the problem with restorecon potentially setting an invalid context when run in permissive mode,
then we would likely need to introduce yet another SELABEL_OPT_* value, e.g. SELABEL_OPT_VALIDATE_LAZILY, and have restorecon explicitly specify that as part of its selabel_open() call, in order to cause the lazy validation to occur
before returning from selabel_lookup(). This would avoid any compatibility breakage with existing callers of selabel_open(). restorecon (and setfiles) would still need an option to disable such validation for use cases where it isn't desirable.
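
The three validation behaviours weighed in this thread (check every entry at open, never check, check only the entry a lookup is about to return) can be compared in a small stand-alone C model. This is an added illustration, not libselinux code and not part of any post; the enum, the functions, the file_contexts entries and the policy contexts are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical modes modelling the semantics discussed in the thread. */
enum validate_mode {
    VALIDATE_NONE,    /* never check contexts against the policy */
    VALIDATE_AT_OPEN, /* check every entry when the handle is opened */
    VALIDATE_LAZILY   /* check only the entry a lookup is about to return */
};

struct fc_entry { const char *prefix; const char *context; };
struct label_handle { enum validate_mode mode; };

/* Constructed stand-in for the loaded policy: the contexts it accepts. */
static const char *const policy_contexts[] = {
    "system_u:object_r:device_t:s0",
    "system_u:object_r:tmp_t:s0",
};

/* Constructed file_contexts; the /srv/app entry carries a typo'd type. */
static const struct fc_entry file_contexts[] = {
    { "/dev",     "system_u:object_r:device_t:s0" },
    { "/tmp",     "system_u:object_r:tmp_t:s0" },
    { "/srv/app", "system_u:object_r:my_typo_t:s0" },
};

#define N_POLICY  (sizeof(policy_contexts) / sizeof(policy_contexts[0]))
#define N_ENTRIES (sizeof(file_contexts) / sizeof(file_contexts[0]))

static int context_is_valid(const char *ctx)
{
    for (size_t i = 0; i < N_POLICY; i++)
        if (strcmp(ctx, policy_contexts[i]) == 0)
            return 1;
    return 0;
}

/* Eager mode fails the whole open on the first bad entry, related or not. */
static int model_open(struct label_handle *h, enum validate_mode mode)
{
    h->mode = mode;
    if (mode != VALIDATE_AT_OPEN)
        return 0;
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (!context_is_valid(file_contexts[i].context)) {
            errno = EINVAL;
            return -1;
        }
    }
    return 0;
}

/* Match on a path-component boundary; lazy mode rejects a bad match here. */
static int model_lookup(const struct label_handle *h, const char *path,
                        const char **ctx)
{
    for (size_t i = 0; i < N_ENTRIES; i++) {
        size_t n = strlen(file_contexts[i].prefix);
        if (strncmp(path, file_contexts[i].prefix, n) != 0)
            continue;
        if (path[n] != '\0' && path[n] != '/')
            continue;
        if (h->mode == VALIDATE_LAZILY &&
            !context_is_valid(file_contexts[i].context)) {
            errno = EINVAL;
            return -1;
        }
        *ctx = file_contexts[i].context;
        return 0;
    }
    errno = ENOENT;
    return -1;
}

enum relabel_result {
    RELABEL_OK, RELABEL_OPEN_FAILED, RELABEL_LOOKUP_REJECTED, RELABEL_NO_MATCH
};

/* What a restorecon-like caller would end up doing for one path. */
static enum relabel_result relabel(enum validate_mode mode, const char *path,
                                   const char **applied)
{
    struct label_handle h;
    *applied = NULL;
    if (model_open(&h, mode) < 0)
        return RELABEL_OPEN_FAILED;
    if (model_lookup(&h, path, applied) < 0)
        return errno == EINVAL ? RELABEL_LOOKUP_REJECTED : RELABEL_NO_MATCH;
    return RELABEL_OK;
}

int main(void)
{
    static const char *const names[] = { "none", "at-open", "lazily" };
    static const char *const outcome[] = {
        "label applied", "open failed", "lookup rejected", "no match"
    };
    static const char *const paths[] = { "/dev/null", "/srv/app/data" };
    for (int m = VALIDATE_NONE; m <= VALIDATE_LAZILY; m++) {
        for (size_t p = 0; p < 2; p++) {
            const char *ctx;
            enum relabel_result r = relabel((enum validate_mode)m, paths[p], &ctx);
            printf("%-8s %-14s %s%s%s\n", names[m], paths[p], outcome[r],
                   ctx ? ": " : "", ctx ? ctx : "");
        }
    }
    return 0;
}
```

In the model, only the lazy mode both labels /dev despite the unrelated typo and refuses to hand back the invalid context for /srv/app.
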
Nicolas Iooss
2018-04-23 20:00:39 UTC
Permalink
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
If there are specific changes that you think should be called out in
release notes for packagers and users in the final release announcement, let us know.
Thanks to all the contributors to this release candidate!
Thanks for this release! I have built and installed Arch Linux
packages for it and have not experienced any noticeable issue.

Here are some notes which could be useful for packagers:

* Important notice: when overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR,
LIBEXECDIR, etc., DESTDIR has to be removed from the definition. For
example on Arch Linux, I had to change SBINDIR="${pkgdir}/usr/bin" to
SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* Still in Makefiles, PYSITEDIR has been renamed PYTHONLIBDIR (and its
definition changed).
* selinux-gui (ie. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.

By the way, for Arch Linux users who want to test the RC, I have
published the PKGBUILDs I have written on branch "selinux-2.8-rc" of
https://github.com/archlinuxhardened/selinux/commits/selinux-2.8-rc .

Cheers,
Nicolas
Stephen Smalley
2018-04-26 17:35:46 UTC
Permalink
A 2.8-rc2 release candidate for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues.

A draft of the release notes is now available from the Releases page,
as is the full git log output and git shortlog output since the 2.7
release. If there are further items we should mention or if something
should be amended in the release notes, let us know.

Thanks to all the contributors to this release candidate!

A shortlog of changes since the 2.8-rc1 release candidate is below.

Nicolas Iooss (3):
sestatus: resolve symlinks in path when looking for a process
sestatus: free process and file contexts which are checked
libsemanage: always check append_arg return value

Stephen Smalley (2):
Revert "libselinux: verify file_contexts when using restorecon"
Update VERSION files to 2.8-rc2.
Stephen Smalley
2018-05-03 14:52:24 UTC
Permalink
Hi,

If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.

User-visible changes:

* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.

* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.

* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.

* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.

* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.

* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.

* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.

Packaging-relevant changes:

* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".

* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).

* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).

* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
Jason Zaman
2018-05-04 07:55:10 UTC
Permalink
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
The rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Post by Stephen Smalley
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
Perhaps also note that the sctp stuff is in refpolicy and this 2.8
release is required to compile it.

I tried doing a release of the gentoo policy (we merge from HEAD fairly
frequently not only the big releases) and it fails to compile. I will
add the sctp stuff back into gentoo's policy later then make the
policies require >=2.8.

-- Jason
Stephen Smalley
2018-05-04 13:08:36 UTC
Post by Jason Zaman
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
which was reverted in -rc2. But the fact that it prevented labeling files in -rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug there.
Post by Jason Zaman
Post by Stephen Smalley
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
Perhaps also note that the sctp stuff is in refpolicy and this 2.8
release is required to compile it.
I tried doing a release of the gentoo policy (we merge from HEAD fairly
frequently not only the big releases) and it fails to compile. I will
add the sctp stuff back into gentoo's policy later then make the
policies require >=2.8.
-- Jason
Post by Stephen Smalley
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
Dominick Grift
2018-05-04 13:26:29 UTC
Post by Stephen Smalley
Post by Jason Zaman
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
which was reverted in -rc2. But the fact that it prevented labeling files in -rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug there.
If it cannot validate_context then it will be unhappy:

[***@julius ~]# dnf history info last
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User : kcinimod <kcinimod>
Return-Code : Success
Command Line : update --exclude efi-filesystem
Transaction performed with:
Installed dnf-2.7.5-12.fc29.noarch @rawhide
Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
Packages Altered:
Upgraded cockpit-166-1.fc29.x86_64 @rawhide
... snip ...
Scriptlet output:
1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
Post by Stephen Smalley
Post by Jason Zaman
Post by Stephen Smalley
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
Perhaps also note that the sctp stuff is in refpolicy and this 2.8
release is required to compile it.
I tried doing a release of the gentoo policy (we merge from HEAD fairly
frequently not only the big releases) and it fails to compile. I will
add the sctp stuff back into gentoo's policy later then make the
policies require >=2.8.
-- Jason
Post by Stephen Smalley
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Stephen Smalley
2018-05-04 13:36:12 UTC
Post by Dominick Grift
Post by Stephen Smalley
Post by Jason Zaman
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
which was reverted in -rc2. But the fact that it prevented labeling files in -rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug there.
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User : kcinimod <kcinimod>
Return-Code : Success
Command Line : update --exclude efi-filesystem
... snip ...
1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
So, just to be clear: these contexts are in fact valid but the lack of permission to use the /sys/fs/selinux/context interface (for security_check_context) causes it to think the context is invalid and therefore fails? If so, then
that makes sense and would be another reason for reverting that change. In any case, -rc2 should have the fix.
Jason Zaman
2018-05-04 14:26:42 UTC
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
Post by Jason Zaman
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
which was reverted in -rc2. But the fact that it prevented labeling files in -rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug there.
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User : kcinimod <kcinimod>
Return-Code : Success
Command Line : update --exclude efi-filesystem
... snip ...
1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
So, just to be clear: these contexts are in fact valid but the lack of permission to use the /sys/fs/selinux/context interface (for security_check_context) causes it to think the context is invalid and therefore fails? If so, then
that makes sense and would be another reason for reverting that change. In any case, -rc2 should have the fix.
Yeah I'm pretty sure this is what happened. The issues off the top of my
head were some relabelling very early on in boot of /dev/ and /run so
those ended up with completely wrong contexts so nothing afterwards
worked either. There wasn't much output cuz /dev/console was mislabelled.
Dbus and Udev stuff in /run was wrong too so X kind of started but I had
no keyboard or mouse and everything using dbus died too.

It appeared to mostly work if I booted in permissive and then force
relabelled a bunch of stuff then switched to enforcing. I only bumped to
-rc1 a day before -rc2 came out so I pretty much just updated again
immediately as soon as I saw the validation issues and everything was
fine again.

I could try out -rc1 in a VM again if you want to be certain but pretty
sure this is it.

-- Jason
Dominick Grift
2018-05-04 14:43:18 UTC
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
Post by Jason Zaman
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.
Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
which was reverted in -rc2. But the fact that it prevented labeling files in -rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug there.
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User : kcinimod <kcinimod>
Return-Code : Success
Command Line : update --exclude efi-filesystem
... snip ...
1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
So, just to be clear: these contexts are in fact valid but the lack of permission to use the /sys/fs/selinux/context interface (for security_check_context) causes it to think the context is invalid and therefore fails? If so, then
that makes sense and would be another reason for reverting that change. In any case, -rc2 should have the fix.
Yes contexts are valid but since validate_context was blocked this happened. By allowing validate_context this works fine
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
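The failure mode discussed in the posts above (a blocked validate_context check being reported as "has invalid context"), as an added example that is not libselinux code and not from any poster. It assumes the kernel answers a rejected context with EINVAL and a denied check with a different error such as EACCES; the function names and the sample context are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result of asking the kernel whether a security context is valid. */
enum ctx_verdict {
    CTX_VALID,        /* the kernel accepted the context */
    CTX_INVALID,      /* the kernel parsed the context and rejected it */
    CTX_UNVERIFIABLE  /* the check itself could not be performed */
};

/*
 * Turn the return value and errno of the write into a verdict.
 * Assumption: EINVAL means the loaded policy rejected the context; any
 * other error (EACCES from a denied check, ENOENT without selinuxfs, ...)
 * says nothing about the context itself.
 */
enum ctx_verdict classify_check(int rc, int err)
{
    if (rc >= 0)
        return CTX_VALID;
    return err == EINVAL ? CTX_INVALID : CTX_UNVERIFIABLE;
}

/*
 * Write ctx (with its terminating NUL) to a selinuxfs "context" node.
 * The node path is a parameter so the function can also be exercised on
 * hosts that have no SELinux.
 */
enum ctx_verdict check_context_at(const char *node, const char *ctx)
{
    int fd = open(node, O_RDWR);
    if (fd < 0)
        return CTX_UNVERIFIABLE;   /* could not even ask the question */

    ssize_t n = write(fd, ctx, strlen(ctx) + 1);
    int err = errno;               /* save before close() can change it */
    close(fd);
    return classify_check(n < 0 ? -1 : 0, err);
}

/*
 * Decide whether a relabeling tool should go on to set the label.
 * conflate = 1: every failed check counts as "invalid context", the
 *               behaviour the thread attributes to -rc1.
 * conflate = 0: only a real rejection stops the relabel.
 */
int should_apply_label(enum ctx_verdict v, int conflate)
{
    if (v == CTX_VALID)
        return 1;
    if (v == CTX_INVALID)
        return 0;
    return conflate ? 0 : 1;
}

static const char *verdict_name(enum ctx_verdict v)
{
    switch (v) {
    case CTX_VALID:   return "valid";
    case CTX_INVALID: return "invalid";
    default:          return "unverifiable";
    }
}

int main(void)
{
    /* Constructed sample context; substitute one from your own policy. */
    const char *ctx = "system_u:object_r:device_t:s0";
    enum ctx_verdict v = check_context_at("/sys/fs/selinux/context", ctx);

    printf("%s: %s (conflated: %s, separated: %s)\n", ctx, verdict_name(v),
           should_apply_label(v, 1) ? "label" : "skip",
           should_apply_label(v, 0) ? "label" : "skip");
    return 0;
}
```

Run from a domain that is not allowed to validate contexts, the two columns differ: the conflated decision skips the file, which is how /dev and /run could end up unlabeled.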
Dominick Grift
2018-05-04 12:19:15 UTC
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
One might see processes "validate_context" where they didn't before

Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, various systemd components etc)
Post by Stephen Smalley
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Stephen Smalley
2018-05-04 13:09:20 UTC
Post by Dominick Grift
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
One might see processes "validate_context" where they didn't before
Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, various systemd components etc)
That should no longer be true as of -rc2 since I reverted the libselinux: verify file_contexts when using restorecon change.
Post by Dominick Grift
Post by Stephen Smalley
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
Dominick Grift
2018-05-04 13:16:43 UTC
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
One might see processes "validate_context" where they didn't before
Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, various systemd components etc)
That should no longer be true as of -rc2 since I reverted the libselinux: verify file_contexts when using restorecon change.
Oh thanks, yes fedora is still on RC1.
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Petr Lautrbach
2018-05-04 14:30:09 UTC
Post by Dominick Grift
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
Hi,
If you have encountered any unreported problems with the 2.8-rcX releases or have any
pending patches you believe should be included in the 2.8 release, please post them soon.
Also, let us know of any additions or changes that should be made to the release notes;
the current draft is as follows.
One might see processes "validate_context" where they didn't before
Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, various systemd components etc)
That should no longer be true as of -rc2 since I reverted the libselinux: verify file_contexts when using restorecon change.
Oh thanks, yes fedora is still on RC1.
I've just built the following packages in Rawhide:

libselinux-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767629
libsemanage-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767782
policycoreutils-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767903
Post by Dominick Grift
Post by Stephen Smalley
Post by Dominick Grift
Post by Stephen Smalley
* semanage fcontext -l now also lists home directory entries from
file_contexts.homedirs.
* semodule can now enable or disable multiple modules in the same
operation by specifying a list of modules after -e or -d, making them
consistent with the -i/u/r/E options.
* CIL now supports multiple declarations of types, attributes, and
(non-conflicting) object contexts (e.g. genfscon), enabled via the -m
or --multiple-decls option to secilc.
* libsemanage no longer deletes the tmp directory if there is an error
while committing the policy transaction, so that any temporary files
can be further inspected for debugging purposes (e.g. to examine a
particular line of the generated CIL module). The tmp directory will
be deleted upon the next transaction, so no manual removal is needed.
* Support was added for SCTP portcon statements. The corresponding
kernel support was introduced in Linux 4.17, and is only active if the
extended_socket_class policy capability is enabled in the policy.
* sepol_polcap_getnum/name() were exported as part of the shared libsepol
interface, initially for use by setools4.
* semodule_deps was removed since it has long been broken and is not useful
for CIL modules.
* When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
DESTDIR has to be removed from the definition. For example on Arch
Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
* Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
no longer mandatory (thanks to the switch to "-l:libsepol.a" in
Makefiles).
* PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
* selinux-gui (i.e. system-config-selinux GUI application) is now
compatible with Python 3. Doing this required migrating away from
PyGTK to the supported PyGI library. This means that selinux-gui now
depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
requires PyGtk or Python 2.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Jason Zaman
2018-05-16 17:31:38 UTC
Just a quick note in case the release is soon.
I have a couple patches to make everything work on
Musl libc that I'm gonna clean them up and post in the morning.
Post by Stephen Smalley
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
A draft of the release notes is available from the Releases page, as
is the full git log output and git shortlog output since the 2.7
release. If there are further items we should mention or if something
should be amended in the release notes, let us know.
Thanks to all the contributors to this release candidate!
A shortlog of changes since the 2.8-rc2 release candidate is below.
libsepol: remove unused function and type
libselinux: fix build warning in save_booleans()
libselinux: avcstat: fix build warning
libselinux: audit2why: fix build warnings
libsemanage: prevent string overflow on final paths
libsepol: cil: prevent stack buffer overflow in cil_expr_to_string
Update VERSION files to 2.8-rc3
python/semanage/seobject.py: Fix undefined store check