Merge pull request #815 from pebenito/validate-appconfig

Add tool for validating contexts in appconfig files.
SELinuxProject · Oct 1, 2024 · 226a1be · 226a1be
2 parents 4b23616 + a3c5f06
commit 226a1be
Show file tree

Hide file tree

Showing 10 changed files with 411 additions and 38 deletions.
diff --git a/.github/workflows/build-userspace.yml b/.github/workflows/build-userspace.yml
@@ -11,6 +11,10 @@ on:
         description: "Userspace version (a git commit ID, tag, or branch)"
         required: false
         type: string
+      python-version:
+        description: "Python version to use"
+        required: true
+        type: string
     outputs:
       source-id:
         description: "Userspace source artifact ID"
@@ -34,6 +38,11 @@ jobs:
         ref: "${{ inputs.version }}"
         path: "${{ env.SELINUX_SRC }}"
 
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: "${{ inputs.python-version }}"
+
     - name: Install dependencies
       shell: bash
       run: |
@@ -62,7 +71,7 @@ jobs:
         # Drop sandbox to break libcap-ng dependence
         sed -i -e 's/ sandbox//' policycoreutils/Makefile
         # Compile and install SELinux toolchain
-        make OPT_SUBDIRS=semodule-utils install
+        make OPT_SUBDIRS=semodule-utils install install-pywrap
         # set output directory on successful/pre-existing compile
         echo "DESTDIR=\"${DESTDIR}\"" >> $GITHUB_OUTPUT
       env:

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -24,6 +24,7 @@ jobs:
     needs: lint_branch_policy
     with:
       version: "3.2"
+      python-version: "3.10"
 
   build_setools:
     uses: ./.github/workflows/build-setools.yml

diff --git a/Makefile b/Makefile
@@ -54,28 +54,33 @@ python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_pa
 else
 python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)
 endif
-tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)/sbin
+tc_env := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)"
+tc_usrbindir := $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := $(TEST_TOOLCHAIN)/sbin
 else
+tc_env :=
 tc_usrbindir := $(BINDIR)
 tc_usrsbindir := $(SBINDIR)
 tc_sbindir := /sbin
 endif
-CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
-CHECKMODULE ?= $(tc_usrbindir)/checkmodule
-SEMODULE ?= $(tc_usrsbindir)/semodule
-SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
-SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
-SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+CHECKPOLICY ?= $(tc_env) $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_env) $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_env) $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_env) $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_env) $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_env) $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_env) $(tc_usrsbindir)/load_policy
+# chkcon is not directly run by makefiles; the path is used by the validate-appconfig
+# tool.  The tc_env is added below in the validateappconfig var
+CHKCON ?= $(tc_usrbindir)/chkcon
 ifdef TEST_TOOLCHAIN
-SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper
+SEPOLGEN_IFGEN ?= $(tc_env) $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper
 else
-SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+SEPOLGEN_IFGEN ?= $(tc_env) $(tc_usrbindir)/sepolgen-ifgen
 endif
-SETFILES ?= $(tc_sbindir)/setfiles
-SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
+SETFILES ?= $(tc_env) $(tc_sbindir)/setfiles
+SEFCONTEXT_COMPILE ?= $(tc_env) $(tc_usrsbindir)/sefcontext_compile
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
 
@@ -123,6 +128,7 @@ m4terminate := $(support)/fatal_error.m4
 # so policycoreutils updates are not required (RHEL4)
 genhomedircon := $(PYTHON) $(support)/genhomedircon.py
 gentemplates := $(support)/gentemplates.sh
+validateappconfig := $(tc_env) $(PYTHON) $(support)/validate-appconfig.py -c $(CHKCON)
 
 # documentation paths
 docs := doc
@@ -275,7 +281,10 @@ seusers := $(appconf)/seusers
 appdir := $(contextpath)
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
 user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types lxc_contexts openrc_contexts virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+appfiles_names := default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types lxc_contexts openrc_contexts virtual_domain_context virtual_image_context
+appfiles := $(addprefix $(appdir)/,$(appfiles_names)) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+builtappconf := $(tmpdir)/appconfig
+builtappfiles := $(addprefix $(builtappconf)/,$(appfiles_names) $(notdir $(user_default_contexts)) media) $(fcsubspath)
 net_contexts := $(builddir)net_contexts
 net_contexts_nft := $(builddir)net_contexts.nft
 docfiles += $(net_contexts) $(net_contexts_nft)
@@ -335,6 +344,23 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
 # add modules not in modules.conf to the off list
 off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
 
+# enable appconfig validation based on enabled modules
+ifneq "$(filter container.te,$(base_mods) $(mod_mods))" ""
+	validateappconfig += -l
+endif
+
+ifneq "$(filter postgresql.te,$(base_mods) $(mod_mods))" ""
+	validateappconfig += -s
+endif
+
+ifneq "$(filter virt.te,$(base_mods) $(mod_mods))" ""
+	validateappconfig += -v
+endif
+
+ifneq "$(filter xserver.te,$(base_mods) $(mod_mods))" ""
+	validateappconfig += -x
+endif
+
 # filesystems to be used in labeling targets
 filesystems = $(shell mount | grep -v "context=" | $(GREP) -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
 fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
@@ -509,9 +535,12 @@ $(userpath)/local.users: config/local.users
 #
 # Build Appconfig files
 #
-$(tmpdir)/initrc_context: $(appconf)/initrc_context
-	@mkdir -p $(tmpdir)
-	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+$(builtappconf)/%: $(appconf)/%
+	@mkdir -p $(@D)
+	@echo "Building $(@F)"
+	$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@
+
+.SECONDARY: $(builtappfiles)
 
 ########################################
 #
@@ -526,19 +555,19 @@ $(installdir)/booleans: $(booleans)
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
 
-$(contextpath)/files/media: $(appconf)/media
+$(contextpath)/files/media: $(builtappconf)/media
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $< $@
 
 $(fcsubspath): config/file_contexts.subs_dist
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $< $@
 
-$(contextpath)/users/%: $(appconf)/%_default_contexts
+$(contextpath)/users/%: $(builtappconf)/%_default_contexts
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $^ $@
 
-$(appdir)/%: $(appconf)/%
+$(appdir)/%: $(builtappconf)/%
 	$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@

diff --git a/Rules.modular b/Rules.modular
@@ -209,21 +209,23 @@ endif
 #
 # Appconfig files
 #
-$(appdir)/customizable_types: $(base_conf)
+$(builtappconf)/customizable_types: $(base_conf)
 	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
 	@$(INSTALL) -d -m 0755 $(@D)
 	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
 
 ########################################
 #
-# Validate linking and expanding of modules
+# Validate linking and expanding of modules, file_contexts, and appconfig
 #
-validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
-	@echo "Validating policy linking."
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc $(builtappfiles)
+	@echo "Validating $(NAME) linking."
 	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
-	@echo "Validating policy file contexts."
+	@echo "Validating $(NAME) file contexts."
 	$(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
+	@echo "Validating $(NAME) appconfig."
+	$(verbose) $(validateappconfig) $(builtappconf) $(tmpdir)/policy.bin
 	@echo "Success."
 
 ########################################

diff --git a/Rules.monolithic b/Rules.monolithic
@@ -241,11 +241,13 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
 
 ########################################
 #
-# Validate file contexts
+# Validate file contexts and appconfig
 #
-validate: $(fc) $(polver)
+validate: $(fc) $(polver) $(builtappfiles)
 	@echo "Validating $(NAME) file_contexts."
 	$(verbose) $(SETFILES) -q -c $(polver) $(fc)
+	@echo "Validating $(NAME) appconfig."
+	$(verbose) $(validateappconfig) $(builtappconf) $(polver)
 	@echo "Success."
 
 ########################################
@@ -264,10 +266,9 @@ $(builddir)longcheck.res: $(policy_conf) $(fc)
 #
 # Appconfig files
 #
-$(appdir)/customizable_types: $(policy_conf)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
-	@$(INSTALL) -d -m 0755 $(@D)
-	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+$(builtappconf)/customizable_types: $(policy_conf)
+	@mkdir -p $(@D)
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $@
 
 $(installdir)/seusers: $(seusers)
 	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers

diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+sysadm_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+sysadm_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-standard/lxc_contexts b/config/appconfig-standard/lxc_contexts
@@ -1,5 +1,5 @@
 process = "system_u:system_r:container_t"
 content = "system_u:object_r:virt_var_lib_t"
 file = "system_u:object_r:container_file_t"
-ro_file = "system_u:object_r:container_ro_file_t:s0"
-sandbox_lxc_process = "system_u:system_r:container_t:s0"
+ro_file = "system_u:object_r:container_ro_file_t"
+sandbox_lxc_process = "system_u:system_r:container_t"
diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t
+sysadm_u:sysadm_r:sysadm_t
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		system_u:sysadm_r:sysadm_t:s0
		sysadm_u:sysadm_r:sysadm_t:s0
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		system_u:sysadm_r:sysadm_t
		sysadm_u:sysadm_r:sysadm_t