09d99e8bec6e112598518c08a90d9423e61c8540 |
|
22-Sep-2016 |
Jason Zaman <jason@perfinion.com> |
libselinux: Add openrc_contexts functions The file will initially contain: run_init=run_init_t There can not be any spaces around the = since OpenRC's existing config files and the methods it uses require it. Signed-off-by: Jason Zaman <jason@perfinion.com>
/external/selinux/libselinux/src/selinux_internal.h
|
b2c1b0baaf52d79f8050fc1e3c146c698ef0ad7a |
|
20-Jun-2016 |
Petr Lautrbach <plautrba@redhat.com> |
libselinux: add selinux_snapperd_contexts_path()

Snapper needs a way to set a proper selinux context on btrfs subvolumes originating in the snapshot create command. Fs can't handle it on its own, so snapper will enforce .snapshots subvolume relabeling according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts files:

    snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
b408d72ca9104cb0c1bc4e154d8732cc7c0a9190 |
|
18-Sep-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
libselinux: flush the class/perm string mapping cache on policy reload This improves the robustness of programs using selinux_check_access() in the face of policy updates that alter the values of the class or permissions that they are checking. Otherwise, a policy update can trigger false permission denials, as in https://bugzilla.redhat.com/show_bug.cgi?id=1264051 Changes to the userspace class/permission definitions should still be handled with care, as not all userspace object managers have been converted to use selinux_check_access() and even those that do use it are still not entirely safe against an interleaving of a policy reload and a call to selinux_check_access(). The change does however address the issue in the above bug and avoids the need to restart systemd. This change restores the flush_class_cache() function that was removed in commit 435fae64a931 ("libselinux: Remove unused flush_class_cache method") because it had no users at the time, but makes it hidden to avoid exposing it as part of the libselinux ABI. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
8d7c2854c579a2bc85b49b62ccbf38a98fbdd475 |
|
21-May-2015 |
Petr Lautrbach <plautrba@redhat.com> |
libselinux: add selinux_openssh_contexts_path() openssh in Fedora uses "sshd_net_t" type for privilege separated processes in the preauthentication phase. Similarly, openssh portable uses "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal. Therefore selinux_openssh_contexts_path() was created to get a path where sshd can get the correct types prepared by a distribution or an administrator. Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
c08c4eacab8d55598b9e5caaef8a871a7a476cab |
|
11-May-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
libselinux: is_selinux_enabled: Add /etc/selinux/config test. To avoid regressions such as the one reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1219045 add a test for /etc/selinux/config to is_selinux_enabled(). This ensures that systems that do not install selinux-policy will continue to return 0 from is_selinux_enabled(). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
7eec00a5be8b5cebcbbc9a30b42b34f4a623c587 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Add selinux_current_policy_path, which returns a pointer to the loaded policy Also change audit2why to look at the loaded policy rather than searching on disk for the policy file. It is more likely that you are examining the running policy.
/external/selinux/libselinux/src/selinux_internal.h
|
ce2a8848ad45e375cfdb58cebe28bc12431bb3db |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Add selinux_systemd_contexts_path systemd has some internal contexts like generated systemd unit files that we want to allow it to check against processes trying to manage them.
/external/selinux/libselinux/src/selinux_internal.h
|
ee6901618c9da360515474145504c7b58258441f |
|
11-Jun-2012 |
Dan Walsh <dwalsh@redhat.com> |
libselinux: expose selinux_boolean_sub Make selinux_boolean_sub a public method so getsebool can use it, as well as potentially used within libsemanage. Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
88c35241535803247bd3044187c6c3b3c7f02c79 |
|
18-Apr-2012 |
Eric Paris <eparis@redhat.com> |
libselinux: boolean name equivalency Add support for booleans.subs file. Basically this allows us to finally change badly named booleans to some standard name. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
c802d4a6d53120a7c067c29625a17b09f922f4d3 |
|
18-Apr-2012 |
Dan Walsh <dwalsh@redhat.com> |
libselinux: Add support for lxc_contexts_path In order for lxc to look up its process and file labels we add new libselinux support. This is what we do for everything else, like libvirt, sepostgresql, etc. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
2b5a0530e7c06150c84fc233fbfab40c57130f84 |
|
25-Mar-2012 |
Kohei KaiGai <kaigai@kaigai.gr.jp> |
libselinux: security_compute_create_name(3) I'd like to use this interface to implement special case handling for the default labeling behavior on temporary database objects. Allow userspace to use the filename_trans rules added to policy. Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
b3b19fdce58ff6ddfa6dfb8e5576c922c96e1e45 |
|
22-Sep-2011 |
Eric Paris <eparis@redhat.com> |
libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist Handle situation where selinux=0 passed to the kernel and both /selinux and /sys/fs/selinux directories do not exist. We used to handle selinux=0 (or kernel compile without selinux) by getting ENODEV when we tried to mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux won't exist and we never create the real directory /selinux at all. So we get ENOENT instead of ENODEV. The solution is to check to see if the mount failure was for ENODEV and if not to check if selinuxfs exists in /proc/filesystems at all. If it doesn't exist, that's equivalent to ENODEV. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
20b43b3fd3d392c4f12a963a4e46c264e7ed5163 |
|
06-Apr-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
This patch adds a new subs_dist file.

The idea is to allow distributions to ship a subs file as well as let the user modify subs. In F16 we are looking at shipping a file_contexts.subs_dist file like this:

    cat file_contexts.subs_dist
    /run /var/run
    /run/lock /var/lock
    /var/run/lock /var/lock
    /lib64 /lib
    /usr/lib64 /usr/lib

Then we will remove all (64)? from policy. This will allow us to make sure all /usr/lib/libBLAH is labeled the same as /usr/lib64/libBLAH.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
|
1629d2f89a8c5f758413b87b94740aaaa5f21144 |
|
06-Apr-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
This patch cleans up a couple of crashes caused by libselinux

If you fail to load_policy in the init or SELinux is disabled, you need to free the selinux_mnt variable and clear the memory. systemd was calling load_policy on a DISABLED system, then later on it would call is_selinux_enabled() and get an incorrect response, since selinux_mnt still had valid data.

The second bug in libselinux revolves around calling selinux_key_delete(destructor_key) if the selinux_key_create call had never been called. This was causing data to be freed in other applications that loaded and unloaded the libselinux library but never set up setrans or matchpathcon.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
|
f0b3127ca3c99ae218dba43a6e3f7430081c412b |
|
09-Mar-2011 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Use library destructors to destroy per-thread keys. This prevents the key destructors, intended to free per-thread heap storage, from being called after libselinux has been unloaded. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=680887 Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
a29ff33baf366825c0fbe721d30b12b5b96a64e1 |
|
02-Dec-2010 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Implement destructors for thread-local heap data.

Description of problem:
Use of __thread variables is great for creating a thread-safe variable, but only insofar as the contents of that variable can safely be abandoned on pthread_exit(). The moment you store malloc()d data into a __thread void* variable, you have leaked memory when the thread exits, since there is no way to associate a destructor with __thread variables.

The _only_ safe way to use thread-local caching of malloc()d data is to use pthread_key_create, and associate a destructor that will call free() on the resulting data when the thread exits.

libselinux is guilty of abusing __thread variables to store malloc()d data as a form of a cache, to minimize computation by reusing earlier results from the same thread. As a result of this memory leak, repeated starting and stopping of domains via libvirt can result in the OOM killer triggering, since libvirt fires up a thread per domain, and each thread uses selinux calls such as fgetfilecon.

Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libvirt-0.8.1-27.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
0. These steps are run as root, assuming hardware kvm support and existence of a VM named fedora (adjust the steps below as appropriate); if desired, I can reduce this to a simpler test case that does not rely on libvirt, by using a single .c file that links against libselinux and repeatedly spawns threads.
1. service libvirtd stop
2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
3. virsh start fedora
4. kill $pid

Actual results:
The biggest leak reported is due to libselinux' abuse of __thread:

    ==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are definitely lost in loss record 500 of 500
    ==26696==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
    ==26696==    by 0x3022E0D48C: selabel_open (label.c:165)
    ==26696==    by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
    ==26696==    by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
    ==26696==    by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
    ==26696==    by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
    ==26696==    by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
    ==26696==    by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
    ==26696==    by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
    ==26696==    by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
    ==26696==    by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
    ==26696==    by 0x3033E75412: virDomainCreate (libvirt.c:4881)
    ==26696==

Basically, libvirt created a thread that used matchpathcon during 'virsh start fedora', and matchpathcon stuffed over 800k of malloc'd data into:

    static __thread char **con_array;

which are then inaccessible when libvirt exits the thread as part of shutting down on SIGTERM.

Expected results:
valgrind should not report any memory leaks related to libselinux.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reported-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
/external/selinux/libselinux/src/selinux_internal.h
|
70aeeb918aa721ad90ed8e1b433a55c8ecf2cb83 |
|
15-Mar-2010 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
This patch allows selabel_*() interfaces to provide an expected security context for the given database object identified by its name and object class. It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:

    ------------------------
    #
    # The specfile for database objects
    # (for SE-PostgreSQL)
    #
    # <object class> <object name> <security context>
    #
    db_database  *               system_u:object_r:sepgsql_db_t:s0
    db_schema    *.pg_catalog    system_u:object_r:sepgsql_sys_schema_t:s0
    db_schema    *.*             system_u:object_r:sepgsql_schema_t:s0
    db_table     *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
    db_table     *.*.*           system_u:object_r:sepgsql_table_t:s0
    ------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first match security context.

Note that hierarchy of the namespace of database objects depends on RDBMS. So, author of the specfile needs to write correct patterns which are suitable for the target RDBMS. The patched selabel_*() interfaces don't have any heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.

In the case of SE-PgSQL, when we lookup an expected security context for the 'my_table' table in the 'public' schema and 'postgres' database, the caller shall provide 'postgres.public.my_table' as a key.

In the default, it tries to read a specfile which maps database objects and security context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts. Note that when another RDBMS uses this interface, it needs to give an explicit SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
7d19f9df510daef5dc929df5854c2dda2a64f475 |
|
20-Oct-2009 |
Chad Sellers <csellers@tresys.com> |
libselinux: Export reset_selinux_config() In integrating SELinux policy into rpm, we have a need to be able to reset the configuration data (e.g. policy type) loaded into libselinux. These values are currently loaded lazily by a number of different functions (e.g. matchpathcon_init()). Since we are changing rpm to install policy, including initial base policy, we need to be able to reload these configuration items after the policy has been installed. reset_selinux_config() already exists and is used by selinux_init_load_policy() for a similar reason, but it is not exported. This was probably intentional since it is not thread safe at all. That said, rpm needs to do the same thing. This patch makes the function public, and places a warning in the header comment that it is not thread safe. Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
|
8c372f665db44cf753bb299e2ee7dcf6143b9e9e |
|
01-Jul-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libselinux: lazy init

Revive Steve Grubb's patch for libselinux lazy init and extend it to address not only the reading of /etc/selinux/config but also probing for /selinux/class and reading of /selinux/mls. This should reduce the need for dontaudit rules for programs that link with libselinux and it should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions that use selinux_mnt are not localized, and it only requires stat'ing of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as the existence of /selinux/class will only change across a reboot with different kernel versions. fini_context_translations() already had a comment saying that it was unnecessary as well.

Before:

    $ strace ls 2> err
    $ grep selinux err
    open("/lib/libselinux.so.1", O_RDONLY) = 3
    open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
    statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
    stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:

    $ strace ls 2> err
    $ grep selinux err
    open("/lib/libselinux.so.1", O_RDONLY) = 3
    statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
20271d94ed2b26b94b052ba6ed90b63566cecbb7 |
|
04-Jun-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: SELinux context patch
Date: Mon, 18 May 2009 14:16:12 -0400

This patch adds context files for virtual_domain and virtual_image, these are both being used to locate the default context to be executed by svirt.

I also included the subs patch which I submitted before. This patch allows us to substitute prefixes to matchpathcon. So we can say /export/home == /home and /web == /var/www

Author: Chad Sellers
Email: csellers@tresys.com

Flipped free()'s in original patch when strdup'd fail to proper order.

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_internal.h
|
433a99d4032706af724ff779d8d9d539f20793f8 |
|
08-Apr-2009 |
KaiGai Kohei <kaigai@ak.jp.nec.com> |
It is useful for userspace object manager, if libselinux has an interface something like: int security_deny_unknown(void); This interface can suggest applications preferable behavior when string_to_security_class() or string_to_av_perm() returns invalid value which means the security policy does not define required ones. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
/external/selinux/libselinux/src/selinux_internal.h
|
55ed6e7fa6b7d55c628fa04508521920e60a43f7 |
|
08-Apr-2009 |
KaiGai Kohei <kaigai@ak.jp.nec.com> |
This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive ones, and what domains are not. It means applications focused on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch adds the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so the application should allow any required actions, as the kernel does. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables checking required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
/external/selinux/libselinux/src/selinux_internal.h
|
f9b1f1a2a17298b60a94780ab5899a8d91cbf100 |
|
01-Jan-2009 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Add config path function for secolor.conf file. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
cfa3cb6fa5d0cc00fde75ee74ec2da577f62e141 |
|
26-Nov-2008 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Add client routines for translating raw security contexts into colors. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_internal.h
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libselinux/src/selinux_internal.h
|