site.py not compatible with python 2.7 #355
Comments
|
can you give an example of what is not working for you? |
|
site.getsitepackages() doesn't work. |
|
Reproduced on OS X: Running outside venv works for me - $ ./ve/bin/python -c 'import site; print(site.file)' |
|
Consider updating (and ensuring backwardly compat) site.py |
|
I don't think this should be marked as a release blocker. although it would be great to support feature-compatible site.py files, this shortcoming has been like this for years. |
|
" this shortcoming has been like this for years". And hell yeah, it still hurts... :( |
|
This bit me today; it would be really, really nice to get an updated |
|
It bit me too, and it caught me off guard. Now I'm even wondering what other files differ from the system python (especially when using |
mtholder
added a commit
to jeetsukumaran/DendroPy
that referenced
this issue
Jun 5, 2015
Running via virtualenv requires a workaround for pypa/virtualenv#355 Here, I just omit issuing info about the site-packages dir if the call to getsitepackages() fails.
|
Still valid using virtualenv 13.1.2 with Python 2.7.6, and it's getting in the way of some dev work I'm doing. Here's some interactive fiddling: getsitepackages is not present in virtualenvgetsitepackages is present in system Python |
|
Edit: woah...... I just read: #697 Original Comment: please consider updating |
This was referenced Jan 5, 2016
|
Hit this issue with #555, which can cause different behaviour in a virtual environment if you run with -Werror because of the deprecation warning. Since tox depends on this package to work internally, don't see much of a way around it. |
13 tasks
kernc
added a commit
to kernc/orange3
that referenced
this issue
May 27, 2016
site.getsitepackages() doesn't work inside virtualenv: pypa/virtualenv#228 pypa/virtualenv#355
koichirok
added a commit
to koichirok/ansible-module-authconfig
that referenced
this issue
Nov 30, 2016
site module in travis' virtualenv has no getsitepackages(). Maybe this issue pypa/virtualenv#355
fishilico
added a commit
to fishilico/selinux
that referenced
this issue
Feb 21, 2018
libselinux and libsemanage Makefiles use site.getsitepackages() in order to get the path to /usr/lib/pythonX.Y/site-packages relevant to the Python interpreter selected with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) which has been opened for more than 5 years. On the contrary python/semanage and python/sepolgen Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this issue
Mar 4, 2018
libselinux and libsemanage Makefiles use site.getsitepackages() in order to get the path to /usr/lib/pythonX.Y/site-packages relevant to the Python interpreter selected with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) which has been opened for more than 5 years. On the contrary python/semanage and python/sepolgen Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this issue
Mar 5, 2018
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this issue
Mar 11, 2018
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
bachradsusi
pushed a commit
to bachradsusi/SELinuxProject-selinux
that referenced
this issue
Mar 14, 2018
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to SELinuxProject/selinux
that referenced
this issue
Mar 17, 2018
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
+1 bite, is there some update? Thanks. i'm using virtualenv 15.0.1 on Ubuntu 16.04 64bit |
|
+1 bite |
|
Ever since moving on to py3, I've stopped using So, no more |
|
@RemiCardona I use Python 3's |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Just add a comment if you want to keep it open. Thank you for your contributions. |
This was referenced Jan 23, 2019
mehulagg
pushed a commit
to mehulagg/superproject
that referenced
this issue
Dec 21, 2019
* Update external/selinux from branch 'master'
to 3dcffda336ef475734dda19455d3c22b73f3283c
- Merge "update OWNERS"
- update OWNERS
Test: none
Change-Id: I31b3ae013b2863e8f05b1e2c04d36c022966b24f
- Export more symbols for init
am: 5340684e43
Change-Id: I795197cd2daef1a2dd5f6241dda8c0956e3d04ab
- Export more symbols for init
Following symbols from libselinux are used by init. They need to be
exposed in order for the init to dynamically link to libselinux.
Note that this does not affect symbols visibility to vendor, which is
controlled by other map file, exported_vendor.map.
Bug: 63673171
Test: m -j
Test: adb reboot recovery
Change-Id: Ic149801b60fc739ab99f29711a522d460001a293
- Merge "Mark as recovery_available: true" am: 2fdbabc6e9
am: bf315c9a02
Change-Id: I2c9fa08ecb757955655cbcbca138a85a633e36e8
- Merge "Mark as recovery_available: true"
am: 2fdbabc6e9
Change-Id: Ibd1065e5f8750e30be6c5fc6716bf7a7d071cd63
- Merge "Mark as recovery_available: true"
- [automerger skipped] secilc: statically link libsepol to secilc. am: 4f539e7222
am: 479075ebb9 -s ours
Change-Id: I72aeff69022217aa8f235b15087c4f1e2f544ab2
- secilc: statically link libsepol to secilc.
am: 4f539e7222
Change-Id: I8a4d20dcc1666d1060197e6daa6d3d51cc00af1c
- Mark as recovery_available: true
Libraries that are direct or indirect dependencies of modules installed
to recovery partition (e.g. toybox) are marked as recovery_available:
true. This allows a recovery variant of the lib is created when it is
depended by other recovery or recovery_available modules.
Bug: 67916654
Bug: 64960723
Test: m -j
Change-Id: I63d83278c0f80e1053e92d076e78d41e10270ba4
- secilc: statically link libsepol to secilc.
We do this to package secilc in CTS without the need to handle its
dependencies.
Bug: 37999212
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsSecurityHostTestCases
-t android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I0eed2aa37670f6604447e529de32265072e8435c
Merged-In: I0eed2aa37670f6604447e529de32265072e8435c
(cherry picked from commit b6714423154c0584c03d508faf0c19dfc48f4d59)
- Merge "secilc: statically link libsepol to secilc." into pi-dev
am: ea4e5184d2
Change-Id: Iae0032641356ab0d98e8dbbfd94111d1740366b3
- Merge "secilc: statically link libsepol to secilc." into pi-dev
- libselinux: android: allow dup *_context entries
am: 770b35373f
Change-Id: I060304413f6f2a4e382a46bf756f5d0f9496cf57
- Merge "libselinux: android: allow dup *_context entries" am: 638e19a885
am: 8ae84481f4
Change-Id: Ic1493e058b479c4d3e69ad715d978e0f62e9dcdc
- Merge "libselinux: android: allow dup *_context entries"
am: 638e19a885
Change-Id: I73f7425a236585a26c8c27c916c8eb2208857f77
- libselinux: android: allow dup *_context entries
Similar to upstream commit 742a350d "libsepol/cil: Improve processing
of context rules", allow multiple-same mappings, but make this the
default for android-specific *_contexts files. Continue to print a
warning. This is useful for Treble where some device-specific
mappings may be moved to core policy. e.g.
https://android-review.googlesource.com/c/platform/system/sepolicy/+/663068.
Old vendor images must continue to work with new system images even
when they contain the same mapping.
Bug: 78134108
Test: Verify multiple same mappings load correctly, and multiple
different specs continue to fail.
Change-Id: I80e81814b7ce213489a7820a12be3fb297150e7d
(cherry picked from commit 5f6217efcfa3e84a9bb65351516d0b0a574b8cc0)
- Merge "libselinux: android: allow dup *_context entries"
- libselinux: android: allow dup *_context entries
Similar to upstream commit 742a350d "libsepol/cil: Improve processing
of context rules", allow multiple-same mappings, but make this the
default for android-specific *_contexts files. Continue to print a
warning. This is useful for Treble where some device-specific
mappings may be moved to core policy. e.g.
https://android-review.googlesource.com/c/platform/system/sepolicy/+/663068.
Old vendor images must continue to work with new system images even
when they contain the same mapping.
Bug: 78134108
Test: Verify multiple same mappings load correctly, and multiple
different specs continue to fail.
Change-Id: I80e81814b7ce213489a7820a12be3fb297150e7d
- Merge "Add security_get_initial_context to the exported.map." am: c9806e8562
am: e3bfd50d7c
Change-Id: I19f93a5dd2d55003db15c59df4879bd781c4847c
- Merge "Add security_get_initial_context to the exported.map."
am: c9806e8562
Change-Id: Ie8baa31e775916f15194de7ba86b94818d59aceb
- Merge "Add security_get_initial_context to the exported.map."
- secilc: statically link libsepol to secilc.
We do this to package secilc in CTS without the need to handle its
dependencies.
Bug: 37999212
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsSecurityHostTestCases
-t android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I0eed2aa37670f6604447e529de32265072e8435c
- Log setxattr(RESTORECON_LAST) failures am: 1e9c093e13
am: 5b782f95a9
Change-Id: Iae2509797b0b78113180b104dd5d7a532a9479d2
- Log setxattr(RESTORECON_LAST) failures
am: 1e9c093e13
Change-Id: If43388f8ea383df760a045a4de459c500453a5d7
- Log setxattr(RESTORECON_LAST) failures
Setting the attribute may actually fail with EPERM when Android
is running inside a container. The log is useful at least for
such an environment.
Bug: 62417973
Test: Run the OS inside a container, then check logcat logs.
Change-Id: I5e4243ee545dfaa486f85d7d691e32d7f1c2a303
- Add security_get_initial_context to the exported.map.
This will be used by ss(8) in platform/external/iproute2.
Test: With topic merged, `m` and `adb shell ss -Z` shows SELinux labels.
Change-Id: I30d5e180fee1c9d99ba8d31586468f83ffd3e177
- libsepol/cil: Improve processing of context rules
am: 742a350d29
Change-Id: Ia161555724a1e8ec1853a37829bc564fe6e3f8b7
- libsepol/cil: Improve processing of context rules
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon,
and devicetreecon rules.
If the multiple-decls option is not used then report errors if duplicate
context rules are found. If it is used then remove duplicate context rules
and report errors when two rules are identical except for the context.
This also changes the ordering of portcon and filecon rules. The protocol
of portcon rules will be compared if the port numbers are the same and the
path strings of filecon rules will be compared if the number of meta
characters, the stem length, string length and file types are the same.
Based on an initial patch by Pierre-Hugues Husson (phh@phh.me)
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
(cherry picked from commit 4ba19b541d066d9b0aa104deefc093f468d3d8a2)
Bug: 72878750
Test: build and boot taimen-userdebug to verify the compiler changes
during build time.
Test: build and boot aosp_sailfish-userdebug to verify the compiler
changes during boot.
Change-Id: Id9e6feee3b3a6cbbf628085633af8ca343861c08
- Merge remote-tracking branch 'aosp/upstream-master' into merge_dup_genfs am: 44a83d5bef
am: 72c3188752
Change-Id: I0da4d3bc4065c2733e5e27d94459de6cb75c669e
- Merge remote-tracking branch 'aosp/upstream-master' into merge_dup_genfs
am: 44a83d5bef
Change-Id: I138d7f1e1d62b0911ec43d34c4e2903cb3c3c582
- Merge remote-tracking branch 'aosp/upstream-master' into merge_dup_genfs
Includes 'libsepol/cil: Improve processing of context rules'
which gracefully handles duplicate genfs_contexts entries.
Bug: 72878750
Test: build/boot aosp_sailfish-userdebug
Change-Id: I1e94265dea56c52effb3281a9c88e94b47116416
- libsepol/cil: Improve processing of context rules
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon,
and devicetreecon rules.
If the multiple-decls option is not used then report errors if duplicate
context rules are found. If it is used then remove duplicate context rules
and report errors when two rules are identical except for the context.
This also changes the ordering of portcon and filecon rules. The protocol
of portcon rules will be compared if the port numbers are the same and the
path strings of filecon rules will be compared if the number of meta
characters, the stem length, string length and file types are the same.
Based on an initial patch by Pierre-Hugues Husson (phh@phh.me)
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- Resolve conflicts in expandattribute.
am: f947ce012d
Change-Id: Iec7d14cad14b417d93e6bd5782f2f229d4eb00c3
- Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.
For example, these statements resolve to false in policy language:
expandattribute hal_audio true;
expandattribute hal_audio false;
Similarly, in CIL these also resolve to false.
(expandtypeattribute (hal_audio) true)
(expandtypeattribute (hal_audio) false)
A warning will be issued on this conflict.
Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.
This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.
Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
Bug: 72757373
Test: build and run aosp_taimen-userdebugaa
Change-Id: I4c9c36006db61c95da2c94eec33fb4d526b74243
(cherry picked from commit ea8d689b533ac498c8ab37bca04aaf4f81e2ee71)
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: bfe7a7cb53
am: 186d88b99e
Change-Id: Ie5b65e7412bfea206b760289d22b59d62b679662
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
am: bfe7a7cb53
Change-Id: I7bfab76d684a578e70c6579be5d7f6ea0fa17f17
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
Bug: 72757373
Test: build and run aosp_taimen-userdebug
Change-Id: I1ea08e95205d0aba661b7251c790e153f128f4cf
- Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.
For example, these statements resolve to false in policy language:
expandattribute hal_audio true;
expandattribute hal_audio false;
Similarly, in CIL these also resolve to false.
(expandtypeattribute (hal_audio) true)
(expandtypeattribute (hal_audio) false)
A warning will be issued on this conflict.
Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.
This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.
Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
- policycoreutils/semodule: Allow enabling/disabling multiple modules at once
Unify behaviour for all module actions.
The same behaviour is already present for -i/-u/-r/-e switches.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1545218
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- policycoreutils/semodule: Improve man page and unify it with --help
Unify the way parameters are described in man pages and --help message.
Explain special syntax allowing the user to specify multiple modules when using
-i/u/r/E mods.
Point out that priority has to be specified in order to remove module at
different priority than 400 and that "-d" disables all instances of
given module across priorities.
Resolves: rhbz#1320565, rhbz#1337192
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow odm_file_contexts to be empty
am: 5a11cea812 -s ours
Change-Id: I164509d203fbc42397dba5ab99857d876bdbab89
- Allow odm_file_contexts to be empty
There might be an empty odm_file_contexts when BOARD_ODM_SEPOLICY_DIRS
is defined. Skip reading empty file_contexts files in function
compute_file_contexts_hash(), instead of returning an error, which makes
device doesn't boot.
Bug: 64240127
Test: boot a device having an empty odm_file_contexts
Change-Id: I359da5fce17eedb65ce288bb2781e61e8ade3cf9
Merged-In: I359da5fce17eedb65ce288bb2781e61e8ade3cf9
(cherry picked from commit f7071895b15f584f55781448b58359071fea33e1)
- libsepol: Prevent freeing unitialized value in ibendport handling
Nicolas Iooss reports:
In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name()
fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is
called to free the memory associated with tmp_key, which results in
free() being called on uninitialized tmp_key->ibdev_name.
This issue is reported by clang's static analyzer with the following
message:
ibendport_record.c:115:2: warning: 1st function call argument is an
uninitialized value
free(key->ibdev_name);
^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
- libsemanage/direct_api.c: Fix iterating over array
Fix sizeof calculation in array iteration introduced by commit
6bb8282c4cf66e93daa9684dbe9c75bb6b1e09a7
"libsemanage: replace access() checks to make setuid programs work"
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Allow odm_file_contexts to be empty am: f7071895b1
am: 1a94b4e4ff
Change-Id: I85c895d31848580e02a79d9cf72ebfeb4e0229c2
- Allow odm_file_contexts to be empty
am: f7071895b1
Change-Id: Iebb005e43503bdef739b9585cc643fc878e1a709
- libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been opened for more than 5 years.
On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.
As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
- Allow odm_file_contexts to be empty
There might be an empty odm_file_contexts when BOARD_ODM_SEPOLICY_DIRS
is defined. Skip reading empty file_contexts files in function
compute_file_contexts_hash(), instead of returning an error, which makes
device doesn't boot.
Bug: 64240127
Test: boot a device having an empty odm_file_contexts
Change-Id: I359da5fce17eedb65ce288bb2781e61e8ade3cf9
- libsepol: Export sepol_polcap_getnum/name functions
Export the sepol_polcap_getnum/name() functions to users of
the shared library. This will enable SETools to stop depending
on the static library.
Note that we may want to move polcaps.h up one level since
the convention is that headers directly under include/sepol are
shared library APIs while headers under include/sepol/policydb
are limited to static users. However, this will unnecessarily
break the build for existing static users so it is deferred.
Suggested-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- libsemanage: replace access() checks to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs.
Replace access() calls (mostly tests for file existence) by stat().
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- python/sepolgen: fix typo in PolicyGenerator
- libsemanage: remove access() check to make setuid programs work
F_OK access checks only work properly as long as all directories along
the path are accessible to real user running the program.
Replace F_OK access checks by testing return value of open, write, etc.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- libsemanage: remove access() check to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs. Remove redundant access() checks
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- libsemanage: silence clang static analyzer report
clang's static analyzer reports an out-of-bound array access in
semanage_user_roles() when num_roles is zero, with the following
statement:
strcpy(roles,roles_arr[0]);
When num_roles is zero, roles_arr[0] is not uninitialized and roles is
the result of malloc(0) so this strcpy is dangerous. Make
semanage_user_roles() return an empty string instead.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- libsepol: cil: show an error when cil_expr_to_string() fails
cil_tree_print_expr() calls cil_expr_to_string() in order to compute a
string expression into expr_str. If this function fails, expr_str is
left unitialized but its value is dereferenced with:
cil_log(CIL_INFO, "%s)", expr_str);
Prevent such an issue by checking cil_expr_to_string()'s return value
before using expr_str.
This issue has been found with clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- gui/fcontextPage: Set default object class in addDialog
This ensures that user cannot leave the object class selection blank.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- gui/semanagePage: Close "edit" and "add" dialogues when successfull
"Edit" and "add" dialogues weren't closed after successful transaction
("add" and "edit" methods return "None" if successful).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- libsemanage: Improve warning for installing disabled module
Resolves: rhbz#1337199
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- remove nnk from OWNERS am: d9b1bcc299 am: 209dc58ac4
am: 7d50059828
Change-Id: I87256d39dbd17fe0f4e9a2c604f24e9ac221b049
- remove nnk from OWNERS am: d9b1bcc299
am: 209dc58ac4
Change-Id: I19c573a186a6275c8203131867fc96788b7a4df7
- remove nnk from OWNERS
am: d9b1bcc299
Change-Id: I9dfe430c0fd72398d3a7d33f8867d47f60323fcd
- remove nnk from OWNERS
See https://android-review.googlesource.com/c/platform/system/sepolicy/+/626014
Test: none
Change-Id: I7951c109d7cf1ec5c8234ebf1e3fc067d1686228
- secilc: Fix documentation build for OS X systems
Since Darwin systems do not have GNU sed installed, the Darwin sed is
missing the "regexp-extended" flag needed to modify the secilc markdown
files before processing with pandoc.
A quick fix for Mac users is to `brew install gnu-sed` and to use gsed.
Signed-off-by: Yuli Khodorkovskiy <ykhodo@gmail.com>
- semodule-utils/semodule_package: fix semodule_unpackage man page
Fix command line arguments and description in man page.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1334834
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Minor update for bash completion. Bash completion for ports is missing '-' for type. Based on documentation, it should be --type, not -type.
- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
Fixes:
/usr/share/system-config-selinux/polgengui.py:679: PyGIDeprecationWarning: Deprecated, please use stop_emission_by_name.
entry.emit_stop_by_name("insert_text")
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- python/sepolicy: Initialize policy.ports as a dict in generate.py
in class policy, ports is usually initialized with the result of
get_all_ports(), which is a dict. If this function failed, the error was
not fatal but ports was left initialized as a list, which would trigger
other errors when accessing it.
Initialize ports as an empty dict in order to fix this issue.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- python/sepolicy: Support non-MLS policy
When using sepolgen GUI on a system with a non-MLS policy,
sepolicy.info(sepolicy.PORT) does not define "range" attributes (since
commit 908340e8e7a9 ("sepolicy: support non-MLS policy in manpage")).
Replace them with None in get_all_ports() result.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- python/sepolicy: Fix translated strings with parameters
When a translated string takes parameters with %, the % and the
parameters need to be after the call to the underline function in order
to work properly.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- python/sepolicy: Do not use types.BooleanType
It was removed from Python 3
Fixes:
File "polgengui.py", line 390, in forward
self.generate_policy()
File "polgengui.py", line 491, in generate_policy
my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1)
File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py", line 468, in set_use_syslog
if not isinstance(val, types.BooleanType):
AttributeError: module 'types' has no attribute 'BooleanType'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- python/sepolicy: Use list instead of map
map() returns an iterator in python3, list in python2
Fixes:
File "/usr/lib/python3.6/site-packages/sepolicy/generate.py", line 114, in get_all_users
users.remove("system_u")
AttributeError: 'map' object has no attribute 'remove'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
- $ gtk-builder-convert polgen.glade polgen.ui
- use get_object instead of get_widget
- use connect_signals instead of signal_connect
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
b43991f9 added direct import of sepolicy but it forgot to import
sepolicy.generate and didn't change use of generate to sepolicy.generate
Fixes:
Traceback (most recent call last):
File "/usr/bin/selinux-polgengui", line 778, in <module>
app = childWindow()
File "/usr/bin/selinux-polgengui", line 205, in __init__
self.all_types = sepolicy.generate.get_all_types()
AttributeError: 'module' object has no attribute 'generate'
Traceback (most recent call last):
File "/usr/share/system-config-selinux/polgengui.py", line 365, in forward
if self.on_in_net_page_next():
File "/usr/share/system-config-selinux/polgengui.py", line 701, in on_in_net_page_next
generate.verify_ports(self.in_tcp_entry.get_text())
NameError: global name 'generate' is not defined
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Describe multiple-decls in secilc.8.xml
Signed-off-by: Dominick Grift <dac.override@gmail.com>
- Travis-CI: do not duplicate $DESTDIR in $PYSITEDIR
Recent commits removed $DESTDIR from $PYSITEDIR in libselinux and
libsemanage:
-PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site;
print(site.getsitepackages()[0])')
+PYSITEDIR ?= $(shell $(PYTHON) -c 'import site;
print(site.getsitepackages()[0])')
As "site.getsitepackages()" does not work within virtualenvs,
.travis.yml defines PYSITEDIR's value in it and this definition needs to
be updated too.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- build: setup buildpaths if DESTDIR is specified
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- dbus: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- semodule-utils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- secilc: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- sandbox: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- restorecond: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- python: build: move modules from platform-specific to platform-shared
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- mcstrans: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- gui: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- libsemanage: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
- libsemanage: Allow tmp files to be kept if a compile fails
Allow the tmp build files to be kept for debugging when a policy
build fails.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
- libsemanage: Return commit number if save-previous false
Stop overwriting the commit number for the default save-previous flag
setting (false) in semanage.conf.
Allows semodule -v -i <policy> to show the correct commit number.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
- python/semanage: Remove redundant and broken moduleRecords.modify()
moduleRecords.modify() calls nonexistent function
semanage_module_update_file (maybe it should have been
semanage_module_upgrade_file which is now obsolete and calls
semanage_module_install_file) and the job of updating a module is done
by moduleRecords.add().
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- python/semanage: bring semanageRecords.set_reload back
It's used by third parties, e.g. Ansible modules
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- libselinux: Correct manpages regarding removable_context
The selabel_media(5) man page incorrectly stated that the
removable_context(5) would be read if an selabel_lookup(3)
failed. Correct the man pages that fixes [1].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395621
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
- Merge "libselinux: fix build warning" am: 31a6155a15 am: f9279b9fca
am: 67dc0e32d7
Change-Id: Ie0faa6b5ebb46664e4e39e4a8dc2a6b9161baefd
- Merge "libselinux: fix build warning" am: 31a6155a15
am: f9279b9fca
Change-Id: I7de9f2866e00ba0c7c9bb610f00bdef599449c08
- Merge "libselinux: fix build warning"
am: 31a6155a15
Change-Id: Ibb77ab24a7745940ed4c7b45064aa57f70384a2d
- Merge "libselinux: fix build warning"
- Consolidate Treble vs. Non-Treble difference. am: 2b0f03187a am: 6589f73d2a
am: 7c98980c7c
Change-Id: I5baaad306a7651e3f563b3fd0de99fdff3df7ac2
- Consolidate Treble vs. Non-Treble difference. am: 2b0f03187a
am: 6589f73d2a
Change-Id: Id50d74ca2887dc6e6dd2d1f59e930bd1320365e6
- Consolidate Treble vs. Non-Treble difference.
am: 2b0f03187a
Change-Id: I2c04254b668d34188102c7d355bef8bb2c3d42fe
- libselinux: fix build warning
Fix build warning -Wunused-function & -Wunused-variable
Test: Build Test
Change-Id: I7f949709309163e81e9d1133c5103be92cc14de8
- Consolidate Treble vs. Non-Treble difference.
Just always read and process vendor policies if they are there.
Bug: 62019611
Test: marlin boots (which is Treble)
Test: bullhead boots (which is non-Treble)
Change-Id: I0483b8c911558c920d55c77a9b4f59d6074ed264
- python/semanage: make seobject.py backward compatible
Commit 985753f changed behavior of seobject class constructors. While
semanage itself was fixed, there are other tools like
system-config-selinux and chcat which depend on the original behavior.
This change make the constructors backward compatible.
Fixes: $ system-config-selinux
Traceback (most recent call last):
File "/usr/share/system-config-selinux/system-config-selinux.py", line 196, in <module>
app = childWindow()
File "/usr/share/system-config-selinux/system-config-selinux.py", line 100, in __init__
self.add_page(booleansPage.booleansPage(xml))
File "/usr/share/system-config-selinux/booleansPage.py", line 142, in __init__
self.load(self.filter)
File "/usr/share/system-config-selinux/booleansPage.py", line 212, in load
self.booleans = seobject.booleanRecords()
TypeError: __init__() missing 1 required positional argument: 'args'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Use sepolicy_split instead of treble. am: ffe1116192 am: 9ee3927b40
am: d71325b281
Change-Id: I657c2e4276622f4b8e5b41b5c2f607fc7d38403b
- Use sepolicy_split instead of treble. am: ffe1116192
am: 9ee3927b40
Change-Id: Ie0a392bc34984e917bc485a86756b9c3ae1e0211
- Use sepolicy_split instead of treble.
am: ffe1116192
Change-Id: Idf2e811f4af185f442c0c752e369c2ee628aadad
- Use sepolicy_split instead of treble.
It's more specific.
Bug: 62019611
Test: manual
Change-Id: I27a25f39ee7b2e0f5a6e759f2d4da0b6bbeba2c2
- Manually merge changes from giant AOSP topic
Change-Id: I50772da89aad631a30c739f9d44160a8d0fc7d12
- DO NOT MERGE: Merge Oreo MR1 into master am: 220e17d0a2 -s ours
am: 0fbee238d1
Change-Id: Idd58e145ef7e02fb6d28d2d95a42a68eb3cee2fe
- DO NOT MERGE: Merge Oreo MR1 into master
am: 220e17d0a2 -s ours
Change-Id: Icbf23cf0b7f417723eb7eab25ccf252edc998635
- DO NOT MERGE: Merge Oreo MR1 into master
Exempt-From-Owner-Approval: Changes already landed internally
Change-Id: I255d62a537579ff74c6302a796ecdf0f7223656d
- libsemanage: Use umask(0077) for fopen() write operations
When a calling process uses umask(0) some files in the SELinux module
store can be created to be world writeable. With this patch, libsemanage
sets umask(0077) before fopen() operations and restores the original
umask value when it's done.
Fixes:
drwx------. /var/lib/selinux/targeted/active
-rw-rw-rw-. /var/lib/selinux/targeted/active/booleans.local
-rw-rw-rw-. /var/lib/selinux/targeted/active/policy.linked
-rw-rw-rw-. /var/lib/selinux/targeted/active/seusers.local
drwx------. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/cil
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/400/permissive_sshd_t/lang_ext
drwx------. /var/lib/selinux/targeted/active/modules/disabled
-rw-rw-rw-. /var/lib/selinux/targeted/active/modules/disabled/zosremote
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Add odm sepolicy support to libselinux am: ba9e4623a1 am: b01b59e735
am: f5c3029bb6
Change-Id: Ib3c9dd1d5d51056a9e7c519a3f3415bffba91219
- Add odm sepolicy support to libselinux am: ba9e4623a1
am: b01b59e735
Change-Id: I5c03d77bddfe4e6d2cc7f5dfaa399de2dc54832b
- Add odm sepolicy support to libselinux
am: ba9e4623a1
Change-Id: I3c0fed728cc690b557351b5528f9297b37a2b5ea
- Add odm sepolicy support to libselinux
Also renames nonplat_* to vendor_*.
We declare three arrays for each type of context file, and select at
most one file for each array.
- {type}_plat[]
- {type}_vendor[]
- {type}_odm[]
With this, it's possible to support backward compatibility.
- treble / pre-treble (files under root or system/vendor/odm)
- nonplat / vendor (old and new filenames)
- odm partition exists or not
Bug: 64240127
Test: boot sailfish normally without odm
Test: boot another device having odm
Change-Id: I9963118f8d4c87d0a520ec3d10db7a3e8411df53
- libsemanage: properly check return value of iterate function
Function dbase_llist_iterate iterates over records and checks return
value of iterate function. According to a manpage semanage_iterate(3),
handler can return value 1 for early exit. dbase_llist_iterate
currently checks for return value > 1, which does not include
expected value 1. This affects most of the semanage_*_iterate
and semanage_*_local functions.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 68ea5ce1fe am: d5bd8f1081
am: ccac2617d2
Change-Id: Ic7374f7cdb9362779e0574cf2b9a1a088b3a7751
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 68ea5ce1fe
am: d5bd8f1081
Change-Id: I68ba85103388b26c547f3d4877d2bd099069c431
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
am: 68ea5ce1fe
Change-Id: If5ea9e6fefa4f861a6dcff316b4f83971dc320d4
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
Bug: 69566734
Bug: 68133473
Test: build and boot aosp_marlin
Test: sepolicy-analyze <aosp_taimen policy> attributes -l
Verify socket_between_core_and_vendor_violators is still in policy
Change-Id: Id77bfc049e74cc7041a9876b06347b08fa5eeaf8
- libsepol/cil: Create new keep field for type attribute sets
Daniel Cashman <dcashman@android.com> discovered the following:
When using cil_db multiple_decls, the different cil_attribute nodes
all point to the same underlying cil_attribute struct. This leads
to problems, though, when modifying the used value in the struct.
__cil_post_db_attr() changes the value of the field to based on
the output of cil_typeattribute_used(), for use later in
cil_typeattribute_to_policydb and cil_typeattribute_to_bitmap, but
due to the multiple declarations, cil_typeattribute_used() could be
called again by a second node. In this second call, the value used
is the modifed value of CIL_TRUE or CIL_FALSE, not the flags actually
needed. This could result in the field being reset again, to an
incorrect CIL_FALSE value.
Add the field "keep" to struct cil_typeattributeset, set its value
using cil_typeattribute_used(), and use it when determining whether
the attribute is to be kept or if it should be expanded.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- python/sepolicy: Fix sepolicy manpage.
Arguments generate and gui was mixed together and information didn't make sense. This fix split gui and generate sections.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
- Mark libselinux as VNDK in Android.bp am: 122c68c862 am: c5461760e3
am: a92f5e72eb
Change-Id: I208f04cab6b5205f175bc186b1523bd4a893d5a8
- Mark libselinux as VNDK in Android.bp am: 122c68c862
am: c5461760e3
Change-Id: I8a1f1ac4d35a0f1e951f1decec7438d22e7cee11
- Mark libselinux as VNDK in Android.bp
am: 122c68c862
Change-Id: Ife2d8057f06647f447351e3aae7ca75e537c98df
- Mark libselinux as VNDK in Android.bp
This commit marks libselinux.so as VNDK, so that vendor variant of
libselinux.so can be installed into /system/lib[64]/vndk instead of
/vendor/lib[64]. This makes it easier to apply security patches
through system-only OTAs.
Before this commit, libselinux was not an VNDK library because there
was a concern with selabel database file format. This is no longer a
concern because the file backend is disabled in vendor variant.
Bug: 69587962
Bug: 63866913
Test: /system/lib64/vndk/libselinux.so shows up in GSI
Change-Id: I9d3be760bb5b3f8bf50b96ce6d8b938bf75c620a
- Merge remote-tracking branch 'goog/stage-aosp-master' into HEAD
am: d6ade5c35d
Change-Id: I4f78cdba8159cbb2b6f3181afbcdf5d13ddfd3dd
- Merge remote-tracking branch 'goog/stage-aosp-master' into HEAD
Change-Id: Id7c3d9fa68097f48727b6bb5ad55c7233bdd2cbf
- python/semanage: Update Infiniband code to work on python3
Update Infiniband "port" and "key" listing and export to work on
python3.
{}.keys() does not support .sort() operation on Py3.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- python/semanage: Fix export of ibendport entries
Replace nonexistent switch "-x" by "-z" (entry name).
Fix invalid index (the dictionary key is a 2-tuple).
Add MLS/MCS range (present in all entries).
Fixes:
#semanage ibendport -E
File "/usr/sbin/semanage", line 1049, in <module>
do_parser()
File "/usr/sbin/semanage", line 1028, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 605, in handleIbendport
for i in OBJECT.customized():
File "/usr/lib64/python2.7/site-packages/seobject/__init__.py", line 1806, in customized
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
IndexError: tuple index out of range
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Merge commit '5aab90b2e9496d5b12f4c46968bd08291122dd13' into HEAD
Change-Id: I1f478dbc70d8bdca3200f8f37f06f2c2a69b9bd9
- python/semanage: Enforce noreload only if it's requested by -N option
We want to call semanage_set_reload() only if -N option is used.
Fixes:
$ sudo umount /sys/fs/selinux
$ sudo semanage fcontext -a --type=postfix_local_tmp_t /var/opt/01789667
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- python/semanage: Don't use global setup variable
In order to do that we need to propagate args into seobject objects and
use args.store to get a store name.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- python/semanage: drop *_ini functions
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- libsemanage: free genhomedircon fallback user
Function semanage_genhomedircon() adds fallback user and function
setup_fallback_user() may add another one. But only one fallback
user is freed. Make sure to free all fallback users in
semanage_genhomedircon().
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Travis-CI: try working around network issues by retrying downloads
Some Travis-CI builds failed because of issues when downloading
refpolicy files for sepolgen tests. Use curl's option --retry to make
the downloads work when the networking issues are only transient.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- libsepol: free ibendport device names
When reading policy, ibendport device names are allocated in
ocontext_read_selinux() but they are not freed when calling
sepol_policydb_free();
Fix this by freeing them in ocontext_selinux_free().
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Remove libselinux_vendor am: 57071adff4 am: adec3cd8b3 am: 292277bff9
am: 1f9dcd7230
Change-Id: Ia20f264216b99f191969d39d3b6725096a09fad7
- Remove libselinux_vendor am: 57071adff4 am: adec3cd8b3
am: 292277bff9
Change-Id: Ic9bac908de6daa57c5c3240bc1a368116bb21352
- Remove libselinux_vendor am: 57071adff4
am: adec3cd8b3
Change-Id: Iae331748f8da8eb9f4bdf59022fa64cc69542834
- Remove libselinux_vendor
am: 57071adff4
Change-Id: Ia3db2e542b63b92bfd8b23fffe8364db13fda4fa
- Remove libselinux_vendor
libselinux_vendor is removed and merged to libselinux by using
vendor_available:true.
Bug: 66914194
Test: lunch aosp_arm64_ab-userdebug; m libselinux.vendor
Change-Id: Idc04eccf8a9803b9acf6277a9d078a1528ed29c9
- Merge "libsepol: cil: Keep type[attribute] declarations when attributizing." am: 970199321d am: aa604d7ad5 am: 989cc6127f
am: 5aab90b2e9
Change-Id: If9c2c84c25f9496f85de53332d0c4a30443b6253
- Merge "libsepol: cil: Keep type[attribute] declarations when attributizing." am: 970199321d am: aa604d7ad5
am: 989cc6127f
Change-Id: I5074b548b864c276ed4cb7197511c6723e24e438
- Merge "libsepol: cil: Keep type[attribute] declarations when attributizing." am: 970199321d
am: aa604d7ad5
Change-Id: Id642c1c557aea8042e574314b4a7c8d5ede44f4c
- Merge "libsepol: cil: Keep type[attribute] declarations when attributizing."
am: 970199321d
Change-Id: I5bcfbd00f4d4ec38718142a98720007d2b0b2632
- Merge "Use -Werror in external/selinux" into oc-mr1-dev-plus-aosp
am: 67581f7fa2
Change-Id: I97860fa84b4b146ce0f5661b07f39bc8bd1c0630
- resolve merge conflicts of 74770629 to stage-aosp-master am: c14edd65d9 am: 756e14e471 -s ours
am: a57881fe48
Change-Id: Icf87f6bcfaedb98c434a8cfc0b460fc7257733d2
- Merge "libsepol: cil: Keep type[attribute] declarations when attributizing."
- libselinux: Add support for pcre2 to pkgconfig definition
When libselinux is built using USE_PCRE2 libselinux.pc needs to require
libpcre2-8 instead of libpcre.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1487521
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
- Merge "Use -Werror in external/selinux" into oc-mr1-dev-plus-aosp
- resolve merge conflicts of 74770629 to stage-aosp-master am: c14edd65d9
am: 756e14e471 -s ours
Change-Id: I6588c69786e7113d1e437d4d69179429897c4c98
- Use -Werror in external/selinux
* Use -Wno-error= to keep existing warnings to fix later.
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: Id7d641c73f396c37c1fb8c5228919c722e2bedd3
(cherry picked from commit f48068e8dc466ef2d8f01cda98c0ed4efcc9055e)
- resolve merge conflicts of 74770629 to stage-aosp-master
am: c14edd65d9
Change-Id: Ifa6a0dd01509ed13ec8acc0c90aeb54bc54a1545
- Use -Werror in external/selinux
* Use -Wno-error= to keep existing warnings to fix later.
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: Id7d641c73f396c37c1fb8c5228919c722e2bedd3
- resolve merge conflicts of 74770629 to stage-aosp-master
Test: I solemnly swear I tested this conflict resolution.
Exempt-From-Owner-Approval: fix merge conflict
Change-Id: I7af3ed74c62c9004c17fcb080acfff7ff408945c
- Merge "Use -Werror in external/selinux"
- semodule-utils: remove semodule_deps
As discussed in https://github.com/SELinuxProject/selinux/issues/64,
semodule_deps has apparently been broken for a very long time for
binary modules and is completely irrelevant for CIL modules. If there
are any users of it, they ought to be rewritten anyway since it is
not producing correct dependency information, and the ultimate goal
is to stop using binary modules altogether so it is not worth fixing.
Remove it to avoid any further broken usage.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- libsepol: cil: Keep type[attribute] declarations when attributizing.
cil_android_attributize() uses a source policy to identify types and
attributes to be versioned according to the given version number, and
then proceeds to modify the provided target policy to provide this
versioning. Previously, the versioned policy relied on a base policy
for the declarations of these type[attribute]s, but with multiple_decl
support added, the declarations can be made in both places. This will
make the policy more robust and allow for greater flexibility and the
types of base policy used.
Bug: 37915794
Test: Builds 'n' boots. non_plat_sepolicy.cil now contains the public
type[attribute] declarations.
Change-Id: Iaa084211a9e2774a7ed391888fb21c4c0cf955db
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 28749e4d40 am: 119e93fdd7 am: ec0a0c7283
am: 3495d111cc
Change-Id: I3db771eaac80f0c0998dd5cb23836f543f9667b6
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 28749e4d40 am: 119e93fdd7
am: ec0a0c7283
Change-Id: Idb2366a430b65e2b05e73f944fdae46b5fd4526c
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 28749e4d40
am: 119e93fdd7
Change-Id: Ie496fab76d57bc5eaf997d73d7c37f1f643d58e7
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
am: 28749e4d40
Change-Id: Ic2b710b3ecf329d5933c10aa52c9793678d9db3d
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: compiles/boots no problems.
Change-Id: I4e7ee3fddfe021d128ebd70a663374367914b825
- (re)declare versioned attributes in mapping file am: 1fd1f27bb3 am: 77fcc9d929 am: ccaa5b523c
am: 11c4c00f1f
Change-Id: Ia597356da7fe6019da37bf611038eb3448f0cd34
- (re)declare versioned attributes in mapping file am: 1fd1f27bb3 am: 77fcc9d929
am: ccaa5b523c
Change-Id: I3a7a2ceb4ba99f8164415ac43a6f3d50e8234459
- (re)declare versioned attributes in mapping file am: 1fd1f27bb3
am: 77fcc9d929
Change-Id: I2299a5f77b2692ac50407459ca62f882af831e25
- (re)declare versioned attributes in mapping file
am: 1fd1f27bb3
Change-Id: I1456fe993914889b1315cf20bae0d118bbb508f0
- (re)declare versioned attributes in mapping file
Public types get versioned for Treble compatibility. The versioned
attribute is declared in vendor policy. Then a mapping between the
newer system policy occurs on the system partition. This causes
on-device compilation to fail in AOSP because the vendor image stays
static and thus the mapping file references undeclared typeattributes.
This can be solved by declaring, or redeclaring all versioned types
in the mapping file. Support for this was added to secilc in commit
fafe4c212bf6c32c3021d7b69bcc0cf219e71608 'libsepol: cil: Add ability
to redeclare types[attributes]'
Bug: 67092827
Bug: 37915794
Test: build and boot aosp_sailfish with new type declared in public
policy
Change-Id: I04a884db6d0eaf42ee189b0669833dd0860b626f
- python/semanage: Enable listing file_contexts.homedirs
Include entries from file_contexts.homedirs when listing file contexts
via "semanage fcontext -l"
"semanage fcontext -l" so far ignored content of file_contexts.homedirs
file, which is confusing for users (more specific rules may be ignored in
favor of rules unseen to the user since file_contexts.homedirs has
higher priority than file_contexts).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- libsemanage: Add support for listing fcontext.homedirs file
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- libsemanage: Keep copy of file_contexts.homedirs in policy store
This will allow listing the correct file_contexts.homedirs
using libsemanage regardless of selected policy store.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Use -Werror in external/selinux
* Use -Wno-error= to keep existing warnings to fix later.
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I0e84d5fb2ae2ae68a687a0b6b81eb64a983db57c
- Rename target.linux[_x86[_64]] to target.linux_glibc[_x86[_64]] am: 4a89b6358f am: 786d898c51 am: 35ff57f186
am: dbbf2517df
Change-Id: I0ab4a0beedc937538fa001408bdc948cfc20771b
- Rename target.linux[_x86[_64]] to target.linux_glibc[_x86[_64]] am: 4a89b6358f am: 786d898c51
am: 35ff57f186
Change-Id: Ia879d53afd785f0cda4869fbbd8b3f28743ce13a
- Rename target.linux[_x86[_64]] to target.linux_glibc[_x86[_64]] am: 4a89b6358f
am: 786d898c51
Change-Id: I45671730891683de92f88be407b42cb21d5d7541
- Rename target.linux[_x86[_64]] to target.linux_glibc[_x86[_64]]
am: 4a89b6358f
Change-Id: I390dec68c89e5e03ec7cb5df4c714d1edeb30456
- Rename target.linux[_x86[_64]] to target.linux_glibc[_x86[_64]]
In the future, target.linux will apply to all targets running a linux kernel
(android, linux_glibc, linux_bionic). So move all current users to the specific
linux_glibc.
There will be another cleanup pass later that will move some instances back to
target.linux if the properties should be shared with target.android and
target.linux_bionic, but target.linux needs to be removed first.
Test: out/soong/build.ninja identical before/after
Change-Id: I30ea2790de2588ba0f5cfe1cd3bb6dc66f00a537
Exempt-From-Owner-Approval: build system cleanup
- gui: remove mappingsPage
This page is not used anywhere and seems to be an incomplete version of
loginsPage.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- gui: delete overridden definition of usersPage.delete()
Function delete() is defined twice in class usersPage and the first one
invoke semanagePage.delete(), which does not exist.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- gui: fix parsing of "semodule -lfull" in tab Modules
The output of "semodule -lfull" changed from "module version" to
"priority module kind". Update system-config-selinux to use this new
format in its tab "Policy Module".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- gui: remove the status bar
The status bar of system-config-selinux's main window is not used and
takes some room. Remove it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- sepolicy: support non-MLS policy in gui
Several "sepolic gui" tabs raise exceptions when using a policy without
MLS because some dictionaries describing users and logins lack level and
range properties. Use conditions and get() where appropriate in order
to make "sepolicy gui" usable again with a non-MLS policy.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- sepolicy: ignore comments and empty lines in file_contexts.subs_dist
In refpolicy, file_contexts.subs_dist begins with comments:
# This file can is used to configure base path aliases as in:
#
# /aliased_path /original_path_as_configured_in_file_contexts
#
The first line gets parsed in read_file_equiv even though it is not a
valid path substitution and the second line triggers an exception when
accessing f[1]:
IndexError: list index out of range
Parse substitutions only for lines which are not comment.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- Travis-CI: fix configuration after September's update
The latest update to Travis-CI build environment splitted sugilite
environment into amethyst and garnet and deprecated sugilite. As garnet
provides tools for languages C and Python, and as it is automatically
selected according to
https://travis-ci.org/fishilico/selinux/jobs/278927391 , remove "group:
sugilite" from Travis-CI configuration file.
This update introduced two issues:
- Ruby 2.1 is no longer provided. As it has reached End Of Life
according to https://www.ruby-lang.org/en/downloads/, remove it from
the tested versions
- Python 3.3, 3.4 and 3.5 are no longer installed by default. When
Travis-CI builds Python projects using these versions, it
automatically download and extract an archive from
https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/.
Implement this process in .travis.yml directly (because Travis-CI does
not support multi-language projects which use several versions of C
compilers and Python and Ruby interpreters).
Last but not least, it is now possible to build with PyPy3. Enable this
interpreter in the build environment matrix.
More information about the Travis-CI update is available at
https://docs.travis-ci.com/user/build-environment-updates/2017-09-06/
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- gui: port to Python 3 by migrating to PyGI
PyGTK has been deprecated in favor of PyGI+GTK and thus has never been
ported to python3. Using pygi-convert.sh from
https://git.gnome.org/browse/pygobject/tree/pygi-convert.sh helps
migrating most of the API but gnome-python.
The glade file has been converted to GtkBuilder using
gtk-builder-convert system-config-selinux.glade system-config-selinux.ui
and some fixes in order to provide an application window (object
GnomeApp disappeared, GtkVBox is deprecated, etc.). The associated
Python code also needed some modifications in order to migrate to
GtkBuilder.
The result has been tested on Arch Linux with Python 3.6. There are some
bugs in the GUI itself, for which patches will be sent afterwards.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- Expand all compile-time generated attributes am: d47503f8dc am: 59e59ed1bb am: 31e5c6205d
am: 0c59f3be36
Change-Id: I1c77b764d7332286ce396895e6f6cb79276471ab
- Expand all compile-time generated attributes am: d47503f8dc am: 59e59ed1bb
am: 31e5c6205d
Change-Id: Ib19cde98db6866eed41a9a8f510852c79166a22a
- Expand all compile-time generated attributes am: d47503f8dc
am: 59e59ed1bb
Change-Id: I4fcee16a96d16223ad1eb5dd172baeebe617bae9
- Expand all compile-time generated attributes
am: d47503f8dc
Change-Id: If8653e330397aeaf0369741f3cdf53dc88f983ee
- Expand all compile-time generated attributes
Cutting down on the number of attributes associated with each type
speeds up policy lookup times when there is an access vector cache
miss.
This commit reduces the number of attributes in the policy binary from
607 to 159.
(cherry-pick of commit: 574926fe6767a725e5fcc9576f3ba1e2c1dc3796)
Bug: 36508258
Test: build and boot Marlin
Change-Id: I42c778fe9e760abf62d4ec1f7b7e748e28ac5497
- sepolicy: do not fail when file_contexts.local or .subs do not exist
On a system without any file context customizations, "sepolicy gui"
fails to load because it tries to read a non-existing file:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.local'
Once this issue is fixed, another one is triggered:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/selinux/refpolicy-git/contexts/files/file_contexts.subs
Use try/except to catch these exceptions and use OSError/errno.ENOENT to
keep the code compatible with Python 2.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- libsepol: fix memory leak in sepol_bool_query()
When sepol_bool_query() returns NULL response, variable name is not
freed. Fix this by calling free() before returning.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 8f76b0cd3e am: 6cef90d0ee am: 3e07fa5fa2
am: 3a38dcba11
Change-Id: I425998e49f4a7989636d8aa016f31f58510ea358
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 8f76b0cd3e am: 6cef90d0ee
am: 3e07fa5fa2
Change-Id: Idb069487b7733352f37897bb740b3f8084f78059
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 8f76b0cd3e
am: 6cef90d0ee
Change-Id: Idcc317a11870aa489adb29370b0fe5b64e12b579
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
am: 8f76b0cd3e
Change-Id: Ia92454d490cc9d14ecd7f07462550955fa12f1e5
- Merge remote-tracking branch 'aosp/upstream-master' into mymerge
Test: Builds.
Change-Id: I5069d965a008bb9b27a6652794ea76131949f35f
- Merge "Fix libselinux_vendor private header dependencies." am: bf3627db98 am: fa0823f66a am: 9cf8591e30 -s ours
am: aefb1f56d8 -s ours
Change-Id: Idbd7e549f9d7f0039c9afa85cff5db7827cbae48
- Merge "Fix libselinux_vendor private header dependencies." am: bf3627db98 am: fa0823f66a
am: 9cf8591e30 -s ours
Change-Id: I5ea9c527445e7e9da3d530ecbc8c440de2727c2d
- Merge "Fix libselinux_vendor private header dependencies." am: bf3627db98
am: fa0823f66a
Change-Id: I6a6502d8d4c8d85e009bf1d3e87ebb88e14e7dfc
- Merge "Fix libselinux_vendor private header dependencies."
am: bf3627db98
Change-Id: I89c9f62c744d8582ff07f6d0052ed5e2a04c26b9
- Merge "Fix libselinux_vendor private header dependencies."
- Don't load nonplat_service_contexts on full-treble. am: 57fdb1f490 am: 742d0341ad am: 859fa65d07 -s ours
am: bf057f24e9 -s ours
Change-Id: Ifa618f7955b30d541d4ba902d31effcfd48657d1
- Don't load nonplat_service_contexts on full-treble. am: 57fdb1f490 am: 742d0341ad
am: 859fa65d07 -s ours
Change-Id: Ib099da7e4f9c78122b9b8532f077be0bee4f2629
- Don't load nonplat_service_contexts on full-treble. am: 57fdb1f490
am: 742d0341ad
Change-Id: I2d50f863f2520cbd3205fb2d9bf54a7e3e0965d8
- Don't load nonplat_service_contexts on full-treble.
am: 57fdb1f490
Change-Id: Ic964603c3efff7a7127454cd4c1310721834cea9
- Fix libselinux_vendor private header dependencies.
Do not include private/android_filesystem_config.h
for libselinux_vendor.
Test: mma -j
Test: BOARD_VNDK_VERSION=current mma -j
Bug: 33241851
Change-Id: I4f4328dceaa8609d1891b4b7129669ad7040865a
Merged-In: I4f4328dceaa8609d1891b4b7129669ad7040865a
- Makefile: define a default value for CFLAGS
When building the project with "make DESTDIR=... install", the root
Makefile defines CFLAGS and LDFLAGS without any warning flags ("CFLAGS
+= -I$(DESTDIR)/usr/include" and "LDFLAGS += -L$(DESTDIR)/usr/lib"). As
the Makefiles in subdirectories do not override the flags with warning
flags, the cod…
charleseb
pushed a commit
to MotorolaMobilityLLC/external-selinux
that referenced
this issue
Jan 21, 2020
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in pypa/virtualenv#355 (comment) . This issue has been opened for more than 5 years. On the contrary python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Acked-by: Petr Lautrbach <plautrba@redhat.com>
adamchainz
added a commit
to adamchainz/django-rest-framework
that referenced
this issue
Oct 9, 2020
This was added in encode#6139. However it seems [tox-venv is no longer maintained](https://github.com/tox-dev/tox-venv), the related [virtualenv issue has been closed](pypa/virtualenv#355), and I suspect with the virtualenv rewrite fixed the problem with site.py and the warnings referred to for the DRF tests.
tomchristie
pushed a commit
to encode/django-rest-framework
that referenced
this issue
Oct 9, 2020
This was added in #6139. However it seems [tox-venv is no longer maintained](https://github.com/tox-dev/tox-venv), the related [virtualenv issue has been closed](pypa/virtualenv#355), and I suspect with the virtualenv rewrite fixed the problem with site.py and the warnings referred to for the DRF tests.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
We use python 2.7 exclusively and it is a surprise to discover today that site.py in all virtual envs with python 2.7 use py2.6's site.py which lacks many new functions added in python 2.7.
The text was updated successfully, but these errors were encountered: