Merge pull request #105 from pebenito/4.4

pebenito · web-flow · commit d3dbddb4e162 · 2023-07-27T14:59:07.000-04:00
Backport fixes for 4.4.3.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -27,12 +27,12 @@ jobs:
 
       matrix:
         build-opts:
-          - {python: '3.6', tox: py36}
-          - {python: '3.7', tox: py37}
-          - {python: '3.8', tox: py38}
-          - {python: '3.9', tox: py39}
-          - {python: '3.10', tox: py310}
-          - {python: '3.11', tox: py311}
+          - {python: '3.6', tox: python3.6}
+          - {python: '3.7', tox: python3.7}
+          - {python: '3.8', tox: python3.8}
+          - {python: '3.9', tox: python3.9}
+          - {python: '3.10', tox: python3.10}
+          - {python: '3.11', tox: python3.11}
           - {python: '3.6', tox: pep8}
           - {python: '3.6', tox: lint}
           - {python: '3.6', tox: mypy}
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+*setools-4-4.3 (27 Jul 2023)
+  * Fix compilation with Cython 3.0.0.
+  * Improve man pages.
+  * Remove neverallow options in sediff.
+  * Add -r option to seinfoflow to get flows into the source type.
+  * Reject a rule with no permissions as invalid policy.
+
 *setools-4-4.2 (19 Apr 2023)
 
   * Make NetworkX optional.  sedta and seinfoflow tools, along with the
diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
 Найти различия правил включения журналирования событий.
 .IP "--dontaudit"
 Найти различия правил запрета журналирования событий.
-.IP "--neverallow"
-Найти различия запрещающих правил.
 .IP "--allowxperm"
 Найти различия расширенных разрешительных правил.
 .IP "--auditallowxperm"
 Найти различия расширенных правил включения журналирования событий.
 .IP "--dontauditxperm"
 Найти различия расширенных правил запрета журналирования событий.
-.IP "--neverallowxperm"
-Найти различия расширенных запрещающих правил.
 .IP "-T, --type_trans"
 Найти различия правил перехода типов.
 .IP "--type_member"
diff --git a/man/sechecker.1 b/man/sechecker.1
@@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query.
 A space-separated list of permissions for the query.
 
 .PP
-\fBA least one of the above options must be set in this check.\fR
+\fBAt least one of the above options must be set in this check.\fR
 
 .PP
 Additional Options:
@@ -123,7 +123,7 @@ The source role criteria for the query.
 The target role criteria for the query.
 
 .PP
-\fBA least one of the above options must be set in this check.\fR
+\fBAt least one of the above options must be set in this check.\fR
 
 .PP
 Additional Options:
@@ -205,7 +205,7 @@ executable types are read-only.\fR
 .\}
 .nf
 [ro_execs]
-check_type = empty_typeattr
+check_type = ro_execs
 desc = Verify that the all executables and libraries are read-only.
 .fi
 .if n \{\
diff --git a/man/sediff.1 b/man/sediff.1
@@ -50,16 +50,12 @@ Find differences in allow rules.
 Find differences in auditallow rules.
 .IP "--dontaudit"
 Find differences in dontaudit rules.
-.IP "--neverallow"
-Find differences in neverallow rules.
 .IP "--allowxperm"
 Find differences in allowxperm rules.
 .IP "--auditallowxperm"
 Find differences in auditallowxperm rules.
 .IP "--dontauditxperm"
 Find differences in dontauditxperm rules.
-.IP "--neverallowxperm"
-Find differences in neverallowxperm rules.
 .IP "-T, --type_trans"
 Find differences in type_transition rules.
 .IP "--type_member"
@@ -88,6 +84,10 @@ Find differences in validatetrans rules.
 Find differences in mlsvalidatetrans rules.
 
 .SS Labeling Statement Differences
+.IP "--ibendportcon"
+Find differences in ibendportcon (InfiniBand endport context) statements.
+.IP "--ibpkeycon"
+Find differences in ibpkeycon (InfiniBand parition key context) statements.
 .IP "--initialsid"
 Find differences in initial SID statements.
 .IP "--fs_use"
@@ -140,6 +140,14 @@ For example, a class is modified if one or more permissions are added or removed
 .RE
 .PP
 
+.SH EXAMPLE
+.nf
+Show differences in boolean settings
+# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
+Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified)
+#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
+
+
 .SH AUTHOR
 Chris PeBenito <pebenito@ieee.org>
 
diff --git a/man/sedta.1 b/man/sedta.1
@@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim
 A space-separated list of types to exclude from the analysis.
 
 .SS General Options
+.IP "--full"
+Print rule lists for transitions.
 .IP "--stats"
 Print domain transition graph statistics at the end of the analysis.
 .IP "-h, --help"
@@ -60,6 +62,13 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
 
+.SH EXAMPLE
+.nf
+Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t
+# sedta -s httpd_t -t unconfined_t -S container_runtime_t
+List all domain transition paths shorter than 3 steps from init_t to smbd_t
+# sedta -s init_t -t smbd_t -A 3
+
 .SH AUTHOR
 Chris PeBenito <pebenito@ieee.org>
 
diff --git a/man/seinfo.1 b/man/seinfo.1
@@ -56,6 +56,10 @@ There is no expanded information for this component.
 .IP "--genfscon [FS_TYPE]"
 Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type.
 There is no expanded information for this component.
+.IP "--ibpkeycon [PKEY[-PKEY]]"
+Print a list of InfiniBand parition key contexts.
+.IP "--ibendportcon [NAME]"
+Print a list of InfiniBand endport contexts.
 .IP "--initialsid [NAME]"
 Print a list of initial SIDs or, if NAME is provided, print the named initial SID.
 With \fI-x\fR, print the context assigned to each displayed SID.
@@ -86,6 +90,18 @@ There is no expanded information for this component.
 .IP "--all"
 Print all components.
 
+.IP "\fB Xen Component Queries: \fR"
+.IP "--ioportcon"
+Print all ioportcon statements.
+.IP "--iomemcon"
+Print all iomemcon statements.
+.IP "--pcidevicecon"
+Print all pcidevicecon statements.
+.IP "--pirqcon"
+Print all pirqcon statements.
+.IP "--devicetreecon"
+Print all devicetreecon statements.
+
 .SH OPTIONS
 .IP "-x, --expand"
 Print additional details for each component matching the expression.
@@ -101,6 +117,15 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
 
+.SH EXAMPLE
+.nf
+List aliases of and attributes assigned to type httpd_t
+# seinfo -t httpd_t -x
+List all executable types (all types assigned to "exec_type" attribute)
+# seinfo -a exec_type -x
+List all constrains and mlsconstrains for class "file"
+# seinfo --constrain file
+
 .SH AUTHOR
 Chris PeBenito <pebenito@ieee.org>
 
diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
@@ -50,17 +50,28 @@ Specify the maximum number of information flows to output. The default is unlimi
 A space-separated list of types to exclude from the analysis.
 
 .SS General Options
+.IP "-r, --reverse"
+Display information flows into the source type. No effect if a target type is specified.
 .IP "--stats"
 Print information flow graph statistics at the end of the analysis.
 .IP "-h, --help"
 Print help information and exit.
+.IP "--full"
+Print full rule lists for information flows.
 .IP "--version"
 Print version information and exit.
 .IP "-v, --verbose"
 Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
 
+.SH EXAMPLE
+.nf
+Show the shortest paths for process running as httpd_t to access user home files, using the default permission map:
+# seinfoflow -s httpd_t -t user_home_t -S
+List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
+# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
+
 .SH AUTHOR
 Chris PeBenito <pebenito@ieee.org>
 
diff --git a/man/sesearch.1 b/man/sesearch.1
@@ -48,6 +48,7 @@ Find type_change rules.
 Find role allow rules.
 .IP "--role_trans"
 Find role_transition rules.
+.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches"
 
 .SS MLS Rule Types
 .IP "--range_trans"
@@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i
 A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.
 .IP "-ep"
 A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.
+.IP "-ex"
+A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission.
 .IP "-Sp"
 A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.
 .IP "-rs"
@@ -103,6 +106,15 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
 
+.SH EXAMPLE
+.nf
+List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain
+# sesearch -A -s container_domain -t container_file_t -c file
+List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices
+# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices
+List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded)
+# sesearch --dontaudit -s application_domain_type -ds
+
 .SH AUTHOR
 Chris PeBenito <pebenito@ieee.org>
 
diff --git a/sediff b/sediff
@@ -45,12 +45,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
 terule = parser.add_argument_group("type enforcement rule differences")
 terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
 terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
+# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
 terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
 terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
 terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
-terule.add_argument("--neverallowxperm", action="store_true",
-                    help="Print neverallowxperm rule differences")
+# terule.add_argument("--neverallowxperm", action="store_true",
+#                     help="Print neverallowxperm rule differences")
 terule.add_argument("--auditallowxperm", action="store_true",
                     help="Print auditallowxperm rule differences")
 terule.add_argument("--dontauditxperm", action="store_true",
@@ -97,6 +97,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
 
 args = parser.parse_args()
 
+# neverallow and neverallowxperm options are disabled
+args.neverallow = False
+args.neverallowxperm = False
+
 if args.A:
     args.allow = True
     args.allowxperm = True
diff --git a/seinfoflow b/seinfoflow
@@ -42,6 +42,9 @@ alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS",
                  help="Calculate all paths, with the specified maximum path length. (Expensive)")
 
 opts = parser.add_argument_group("Analysis options")
+opts.add_argument("-r", "--reverse", action="store_false",
+                  help="Display information flows into the source type. "
+                  "No effect if a target type is specified.")
 opts.add_argument("-w", "--min_weight", default=3, type=int,
                   help="Minimum permission weight.  Default is 3.")
 opts.add_argument("-l", "--limit_flows", default=0, type=int,
@@ -119,7 +122,7 @@ try:
 
     else:  # single direct info flow
         flownum = 0
-        for flownum, flow in enumerate(g.infoflows(args.source), start=1):
+        for flownum, flow in enumerate(g.infoflows(args.source, out=args.reverse), start=1):
             print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))
 
             if args.full:
diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi
@@ -668,7 +668,7 @@ cdef class SELinuxPolicy:
         if self.sh == NULL:
             raise MemoryError
 
-        sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle)
+        sepol.sepol_msg_set_callback(self.sh, <sepol.msg_callback>sepol_logging_callback, self.handle)
 
         if sepol.sepol_policydb_create(&self.handle) < 0:
             raise MemoryError
diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd
@@ -16,8 +16,10 @@ cdef extern from "<sepol/handle.h>":
     void sepol_handle_destroy(sepol_handle_t *sh)
 
 
+ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
+
+
 cdef extern from "<sepol/debug.h>":
-    ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
     void sepol_msg_set_callback(sepol_handle * handle, msg_callback cb, void *cb_arg)
 
 
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule):
         r._conditional = conditional
         r._conditional_block = conditional_block
         r.origin = None
+
+        if not r.perms:
+            rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};"
+            try:
+                rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+            except RuleNotConditional:
+                pass
+
+            raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: "
+                                      f"{rule_string}")
+
         return r
 
     def __hash__(self):
@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule):
         r._conditional = conditional
         r._conditional_block = conditional_block
         r.origin = None
+
+        if not perms:
+            rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};"
+            try:
+                rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
+            except RuleNotConditional:
+                pass
+
+            raise LowLevelPolicyError(
+                f"Invalid policy: Found a rule with no extended permissions: {rule_string}.")
+
         return r
 
     def __hash__(self):
diff --git a/setup.py b/setup.py
@@ -133,7 +133,7 @@ def run(self):
         installed_data.append((join('share/man', lang, 'man1'), glob.glob(join("man", lang, "*.1"))))
 
 setup(name='setools',
-      version='4.4.2',
+      version='4.4.3',
       description='SELinux policy analysis tools.',
       author='Chris PeBenito',
       author_email='pebenito@ieee.org',
diff --git a/tox.ini b/tox.ini
@@ -1,6 +1,6 @@
 [tox]
 minversion      = 1.4
-envlist         = py3, pep8, lint, mypy
+envlist         = python3, pep8, lint, mypy
 
 [pycodestyle]
 max-line-length = 100
@@ -53,8 +53,8 @@ passenv         = USERSPACE_SRC
 deps            = networkx>=2.0
                   cython>=0.27
                   pytest
-                  py38: cython>=0.29.14
-                  py39: networkx>=2.6
-                  py39: cython>=0.29.14
+                  python38: cython>=0.29.14
+                  python39: networkx>=2.6
+                  python39: cython>=0.29.14
 commands_pre    = {envpython} setup.py build_ext -i
 commands        = pytest tests
