diff --git a/SOURCES/0003-Disable-remove-neverallow-options-in-frontends.patch b/SOURCES/0003-Disable-remove-neverallow-options-in-frontends.patch
new file mode 100644
index 0000000..acfdba0
--- /dev/null
+++ b/SOURCES/0003-Disable-remove-neverallow-options-in-frontends.patch
@@ -0,0 +1,114 @@
+From 92b692452d07d67b1d901baf36798cab8e36077a Mon Sep 17 00:00:00 2001
+From: Chris PeBenito
+Date: Mon, 3 Apr 2023 09:13:31 -0400
+Subject: [PATCH] Disable/remove neverallow options in frontends.
+
+These rules are not available in the binary policy. Keep library support in
+case this changes in the future.
+
+Signed-off-by: Chris PeBenito
+---
+ man/ru/sesearch.1 | 4 ----
+ man/sesearch.1 | 4 ----
+ sesearch | 12 ++++++------
+ setoolsgui/apol/terulequery.ui | 12 ++++++++++++
+ 4 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/man/ru/sesearch.1 b/man/ru/sesearch.1
+index df6f449..2f86f9c 100644
+--- a/man/ru/sesearch.1
++++ b/man/ru/sesearch.1
+@@ -35,16 +35,12 @@ sesearch \- утилита опроса политики SELinux
+ Найти правила включения журналирования событий.
+ .IP "--dontaudit"
+ Найти правила запрета журналирования событий.
+-.IP "--neverallow"
+-Найти запрещающие правила.
+ .IP "--allowxperm"
+ Найти расширенные разрешительные правила.
+ .IP "--auditallowxperm"
+ Найти расширенные правила включения журналирования событий.
+ .IP "--dontauditxperm"
+ Найти расширенные правила запрета журналирования событий.
+-.IP "--neverallowxperm"
+-Найти расширенные запрещающие правила.
+ .IP "-T, --type_trans"
+ Найти правила перехода типов.
+ .IP "--type_member"
+diff --git a/man/sesearch.1 b/man/sesearch.1
+index 65eebf9..97e9110 100644
+--- a/man/sesearch.1
++++ b/man/sesearch.1
+@@ -30,16 +30,12 @@ Find allow rules.
+ Find auditallow rules.
+ .IP "--dontaudit"
+ Find dontaudit rules.
+-.IP "--neverallow"
+-Find neverallow rules.
+ .IP "--allowxperm"
+ Find allowxperm rules.
+ .IP "--auditallowxperm"
+ Find auditallowxperm rules.
+ .IP "--dontauditxperm"
+ Find dontauditxperm rules.
+-.IP "--neverallowxperm"
+-Find neverallowxperm rules.
+ .IP "-T, --type_trans"
+ Find type_transition rules.
+ .IP "--type_member" +diff --git a/sesearch b/sesearch +index 733f3d3..7caa41d 100755 +--- a/sesearch ++++ b/sesearch +@@ -54,12 +54,12 @@ rtypes.add_argument("--dontaudit", action="append_const", + rtypes.add_argument("--dontauditxperm", action="append_const", + const=setools.TERuletype.dontauditxperm, dest="tertypes", + help="Search dontauditxperm rules.") +-rtypes.add_argument("--neverallow", action="append_const", +- const=setools.TERuletype.neverallow, dest="tertypes", +- help="Search neverallow rules.") +-rtypes.add_argument("--neverallowxperm", action="append_const", +- const=setools.TERuletype.neverallowxperm, dest="tertypes", +- help="Search neverallowxperm rules.") ++# rtypes.add_argument("--neverallow", action="append_const", ++# const=setools.TERuletype.neverallow, dest="tertypes", ++# help="Search neverallow rules.") ++# rtypes.add_argument("--neverallowxperm", action="append_const", ++# const=setools.TERuletype.neverallowxperm, dest="tertypes", ++# help="Search neverallowxperm rules.") + rtypes.add_argument("-T", "--type_trans", action="append_const", + const=setools.TERuletype.type_transition, dest="tertypes", + help="Search type_transition rules.") +diff --git a/setoolsgui/apol/terulequery.ui b/setoolsgui/apol/terulequery.ui +index 950c590..6c6f14f 100644 +--- a/setoolsgui/apol/terulequery.ui ++++ b/setoolsgui/apol/terulequery.ui +@@ -465,6 +465,12 @@ + + + ++ ++ false ++ ++ ++ Neverallow is not available in binary policies. ++ + + Neverallow + +@@ -482,6 +488,12 @@ + + + ++ ++ false ++ ++ ++ Neverallowxperms is not available in binary policies. ++ + + Neverallowxperms + +-- +2.40.0 + diff --git a/SOURCES/0004-Disable-remove-neverallow-options-in-sediff.patch b/SOURCES/0004-Disable-remove-neverallow-options-in-sediff.patch new file mode 100644 index 0000000..7694428 --- /dev/null +++ b/SOURCES/0004-Disable-remove-neverallow-options-in-sediff.patch 
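Review bot: In the `sesearch` hunk of this patch the `--neverallow` and `--neverallowxperm` registrations are commented out rather than removed, so six lines of dead code remain in the frontend with no explanation in the file itself; the man pages and the `terulequery.ui` tooltip carry the reason, but a reader of `sesearch` does not see it. Either delete the six lines or replace them with one comment such as `# --neverallow/--neverallowxperm are intentionally not registered: neverallow rules are not present in binary policies.` Per the commit message the library keeps `setools.TERuletype.neverallow` and `neverallowxperm`, so nothing else in the script needs to change for that. A caller still passing one of the removed options will now get argparse's generic "unrecognized arguments" error rather than the tooltip-style explanation the GUI gives; if that matters for scripted use, that is a follow-up rather than a defect in this hunk.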
@@ -0,0 +1,91 @@
+From 158283058160f4ae40d0b215e0ff2e5045de5a28 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 9 May 2023 19:22:01 +0200
+Subject: [PATCH] Disable/remove neverallow options in sediff.
+
+Apply change from commit 06335957b701 ("Disable/remove neverallow
+options in frontends.") to sediff
+
+Signed-off-by: Petr Lautrbach
+---
+ man/ru/sediff.1 | 4 ----
+ man/sediff.1 | 4 ----
+ sediff | 10 +++++++---
+ 3 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
+index c6bf293..af5d8ef 100644
+--- a/man/ru/sediff.1
++++ b/man/ru/sediff.1
+@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
+ Найти различия правил включения журналирования событий.
+ .IP "--dontaudit"
+ Найти различия правил запрета журналирования событий.
+-.IP "--neverallow"
+-Найти различия запрещающих правил.
+ .IP "--allowxperm"
+ Найти различия расширенных разрешительных правил.
+ .IP "--auditallowxperm"
+ Найти различия расширенных правил включения журналирования событий.
+ .IP "--dontauditxperm"
+ Найти различия расширенных правил запрета журналирования событий.
+-.IP "--neverallowxperm"
+-Найти различия расширенных запрещающих правил.
+ .IP "-T, --type_trans"
+ Найти различия правил перехода типов.
+ .IP "--type_member"
+diff --git a/man/sediff.1 b/man/sediff.1
+index ed3b497..18466d8 100644
+--- a/man/sediff.1
++++ b/man/sediff.1
+@@ -50,16 +50,12 @@ Find differences in allow rules.
+ Find differences in auditallow rules.
+ .IP "--dontaudit"
+ Find differences in dontaudit rules.
+-.IP "--neverallow"
+-Find differences in neverallow rules.
+ .IP "--allowxperm"
+ Find differences in allowxperm rules.
+ .IP "--auditallowxperm"
+ Find differences in auditallowxperm rules.
+ .IP "--dontauditxperm"
+ Find differences in dontauditxperm rules.
+-.IP "--neverallowxperm"
+-Find differences in neverallowxperm rules.
+ .IP "-T, --type_trans"
+ Find differences in type_transition rules.
+ .IP "--type_member"
+diff --git a/sediff b/sediff
+index d31fa3a..93af837 100755
+--- a/sediff
++++ b/sediff
+@@ -57,12 +57,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
+ terule = parser.add_argument_group("type enforcement rule differences")
+ terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
+ terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
+-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
++# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
+ terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
+ terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
+ terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
+-terule.add_argument("--neverallowxperm", action="store_true",
+- help="Print neverallowxperm rule differences")
++# terule.add_argument("--neverallowxperm", action="store_true",
++# help="Print neverallowxperm rule differences")
+ terule.add_argument("--auditallowxperm", action="store_true",
+ help="Print auditallowxperm rule differences")
+ terule.add_argument("--dontauditxperm", action="store_true",
+@@ -109,6 +109,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
+
+ args = parser.parse_args()
+
++# neverallow and neverallowxperm options are disabled
++args.neverallow = False
++args.neverallowxperm = False
++
+ if args.A:
+ args.allow = True
+ args.allowxperm = True
+--
+2.41.0
+
diff --git a/SOURCES/0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch b/SOURCES/0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
new file mode 100644
index 0000000..bcab3ac
--- /dev/null
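Review bot: The second `sediff` hunk (`@@ -109,6 +109,10 @@`) forces `args.neverallow = False` and `args.neverallowxperm = False` after `parse_args()`, presumably because code later in the script (outside the hunk) still reads those attributes now that the options are no longer registered, but the comment `# neverallow and neverallowxperm options are disabled` does not say so, and a later cleanup that drops the two assignments would turn that into an `AttributeError` at runtime. Suggest `# --neverallow/--neverallowxperm are not registered above (neverallow rules are not present in binary policies), but the diff code below still reads these attributes, so define them as False.` If the script's print-everything-when-nothing-selected detection walks `vars(args)`, the False values do not trip it, which is why placing the assignments right after `parse_args()` is the right spot; worth confirming against that code since it is not in the hunk. The first `sediff` hunk has the same commented-out-instead-of-deleted pattern as the `sesearch` change in the sibling patch, and the same one-line comment would serve there.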
+++ b/SOURCES/0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch 
@@ -0,0 +1,259 @@
+From ec4f5e19ea94e42416fda103d94118577eb18b95 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito
+Date: Tue, 30 Aug 2022 13:58:54 -0400
+Subject: [PATCH] AVRuleXperm: Fix permission set creation for
+ AVTAB_XPERMS_IOCTLDRIVER.
+
+Closes #74
+
+Signed-off-by: Chris PeBenito
+---
+ setools/policyrep/terule.pxi | 8 +-
+ tests/policyrep/terule.py | 26 +++++
+ tests/policyrep/terule_issue74.conf | 159 ++++++++++++++++++++++++++++
+ 3 files changed, 189 insertions(+), 4 deletions(-)
+ create mode 100644 tests/policyrep/terule_issue74.conf
+
+diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
+index 59aeea5..8b2659b 100644
+--- a/setools/policyrep/terule.pxi
++++ b/setools/policyrep/terule.pxi
+@@ -282,22 +282,22 @@ cdef class AVRuleXperm(BaseTERule):
+ set perms = set()
+ size_t curr = 0
+ size_t len = sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN
++ size_t base_value = 0
+
+ #
+ # Build permission set
+ #
+- while curr < len:
++ for curr in range(len):
+ if sepol.xperm_test(curr, xperms.perms):
+ if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
+ perms.add(xperms.driver << 8 | curr)
+ elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
+- perms.add(curr << 8)
++ base_value = curr << 8
++ perms.update(range(base_value, base_value + 0x100))
+ else:
+ raise LowLevelPolicyError("Unknown extended permission: {}".format(
+ xperms.specified))
+
+- curr += 1
+-
+ #
+ # Determine xperm type
+ #
+diff --git a/tests/policyrep/terule.py b/tests/policyrep/terule.py
+index 0f24054..30afd4b 100644
+--- a/tests/policyrep/terule.py
++++ b/tests/policyrep/terule.py
+@@ -24,6 +24,8 @@ from setools import SELinuxPolicy
+ from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \
+ TERuleNoFilename
+
++from .util import compile_policy
++
+
+ @unittest.skip("Needs to be reworked for cython")
+ @patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
+@@ -262,6 +264,30 @@ class 
AVRuleXpermTest(unittest.TestCase): + self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };") + + ++class AVRuleXpermTestIssue74(unittest.TestCase): ++ ++ """ ++ Regression test for xperm ranges starting with 0x00 not being loaded. ++ https://github.com/SELinuxProject/setools/issues/74 ++ """ ++ ++ @classmethod ++ def setUpClass(cls): ++ cls.p = compile_policy("tests/policyrep/terule_issue74.conf") ++ ++ def test_issue74_regression(self): ++ """Regression test for GitHub issue 74.""" ++ rules = sorted(self.p.terules()) ++ print(rules) ++ self.assertEqual(2, len(rules)) ++ ++ # expect 2 rules: ++ # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 }; ++ # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff }; ++ self.assertSetEqual(set(range(0x100)), rules[0].perms) ++ self.assertSetEqual(set([0x8910]), rules[1].perms) ++ ++ + @unittest.skip("Needs to be reworked for cython") + @patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) + @patch('setools.policyrep.typeattr.type_factory', lambda x, y: y) +diff --git a/tests/policyrep/terule_issue74.conf b/tests/policyrep/terule_issue74.conf +new file mode 100644 +index 0000000..158a38e +--- /dev/null ++++ b/tests/policyrep/terule_issue74.conf +@@ -0,0 +1,159 @@ ++class infoflow ++class infoflow2 ++class infoflow3 ++class infoflow4 ++class infoflow5 ++class infoflow6 ++class infoflow7 ++class infoflow8 ++class infoflow9 ++class infoflow10 ++class unix_dgram_socket ++ ++sid kernel ++sid security ++ ++common infoflow ++{ ++ low_w ++ med_w ++ hi_w ++ low_r ++ med_r ++ hi_r ++} ++ ++common com_a ++{ ++ hi_w ++ hi_r ++ super_r ++ super_w ++} ++ ++common com_b ++{ ++ send ++ recv ++} ++ ++common com_c ++{ ++ getattr ++ setattr ++ read ++ write ++} ++ ++class infoflow ++inherits infoflow ++ ++class infoflow2 ++inherits infoflow ++{ ++ super_w ++ super_r ++} ++ ++class infoflow3 ++{ ++ null ++} ++ ++class infoflow4 ++inherits infoflow ++{ ++ 
super_w ++ super_r ++ super_none ++ super_both ++ super_unmapped ++} ++ ++class infoflow5 ++inherits com_a ++ ++class infoflow6 ++inherits com_b ++ ++class infoflow7 ++inherits infoflow ++{ ++ unmapped ++} ++ ++class infoflow8 ++{ ++ super_w ++ super_r ++} ++ ++class infoflow9 ++inherits com_c ++ ++class infoflow10 ++{ ++ read ++ write ++} ++ ++class unix_dgram_socket ++{ ++ ioctl ++} ++ ++sensitivity low_s; ++sensitivity medium_s alias med; ++sensitivity high_s; ++ ++dominance { low_s med high_s } ++ ++category here; ++category there; ++category elsewhere alias lost; ++ ++#level decl ++level low_s:here.there; ++level med:here, elsewhere; ++level high_s:here.lost; ++ ++#some constraints ++mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); ++ ++attribute mls_exempt; ++ ++type system; ++role system; ++role system types system; ++ ++type init_type_t; ++allowxperm init_type_t self:unix_dgram_socket ioctl 0x8910; ++allowxperm init_type_t self:unix_dgram_socket ioctl { 0x0000 - 0x00ff }; ++ ++#users ++user system roles system level med range low_s - high_s:here.lost; ++ ++#normal constraints ++constrain infoflow hi_w (u1 == u2); ++ ++#isids ++sid kernel system:system:system:medium_s:here ++sid security system:system:system:high_s:lost ++ ++#fs_use ++fs_use_trans devpts system:object_r:system:low_s; ++fs_use_xattr ext3 system:object_r:system:low_s; ++fs_use_task pipefs system:object_r:system:low_s; ++ ++#genfscon ++genfscon proc / system:object_r:system:med ++genfscon proc /sys system:object_r:system:low_s ++genfscon selinuxfs / system:object_r:system:high_s:here.there ++ ++portcon tcp 80 system:object_r:system:low_s ++ ++netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s ++ ++nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here ++nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here ++ +-- +2.41.0 + diff --git a/SPECS/setools.spec b/SPECS/setools.spec index 89f55a8..79e08e4 100644 
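Review bot: In the `terule.pxi` hunk the `AVTAB_XPERMS_IOCTLDRIVER` branch now expands each set driver bit into `range(base_value, base_value + 0x100)` instead of the single value `curr << 8`, which is the right correction — the old set under-reported what the rule permits, so analysis tools built on it showed one ioctl where the policy actually allows a whole driver's function range — but the literal `0x100` is unexplained and nothing in the hunk ties it to the `len` computed from `sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN` a few lines above. Suggest a comment on the `elif` line such as `# Driver mode: a set bit grants every function code (0x00-0xff) of that driver, so expand it to the full range rather than the single value driver << 8`, so the next reader does not "simplify" it back to one `perms.add`. If the bit count in `len` is the same 256 as the per-driver function space, deriving the range width from it would leave one constant instead of two, but that cannot be confirmed from the hunk since the enclosing method begins before `@@ -282` and its declarations are only partly visible. In the `terule.py` hunk, `print(rules)` inside `test_issue74_regression` looks like leftover debugging output and should go, and `set([0x8910])` is more idiomatic as `{0x8910}`.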
--- a/SPECS/setools.spec +++ b/SPECS/setools.spec @@ -8,7 +8,7 @@ Name: setools Version: 4.3.0 -Release: 3%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist} +Release: 5%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist} Summary: Policy analysis tools for SELinux License: GPLv2 @@ -18,6 +18,9 @@ Source1: setools.pam Source2: apol.desktop Patch0001: 0001-Support-old-boolean-names-in-policy-queries.patch Patch0002: 0002-Make-seinfo-output-predictable.patch +Patch0003: 0003-Disable-remove-neverallow-options-in-frontends.patch +Patch0004: 0004-Disable-remove-neverallow-options-in-sediff.patch +Patch0005: 0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch Patch1001: 1001-Do-not-use-Werror-during-build.patch Patch1002: 1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch Patch1003: 1003-Require-networkx-on-package-level.patch @@ -176,7 +179,14 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \ %endif %changelog -* Tue Nov 30 2021 Vit Mojzis - 4.3.0-3} +* Mon Aug 21 2023 Vit Mojzis - 4.3.0-5 +- Disable/remove neverallow options in sediff (#2184141) + +* Mon Jun 19 2023 Vit Mojzis - 4.3.0-4 +- Disable/remove neverallow options in frontends (#2184141) +- AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376) + +* Tue Nov 30 2021 Vit Mojzis - 4.3.0-3 - Make seinfo output predictable (#2019961) * Tue Jun 30 2020 Vit Mojzis - 4.3.0-2