Merge pull request #82 from pebenito/4.4

Backport fixes for 4.4.1

.github/workflows/tests.yml

@@ -7,21 +7,24 @@ env:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     strategy:
       fail-fast: false
 
       matrix:
         build-opts:
-          - {python: 3.6, tox: py36}
-          - {python: 3.7, tox: py37}
-          - {python: 3.8, tox: py38}
-          - {python: 3.6, tox: pep8}
-          - {python: 3.6, tox: lint}
-          - {python: 3.6, tox: mypy}
-          #- {python: 3.6, tox: coverage}
-
+          - {python: '3.6', tox: py36}
+          - {python: '3.7', tox: py37}
+          - {python: '3.8', tox: py38}
+          - {python: '3.9', tox: py39}
+          - {python: '3.10', tox: py310}
+          - {python: '3.11', tox: py311}
+          - {python: '3.6', tox: pep8}
+          - {python: '3.6', tox: lint}
+          - {python: '3.6', tox: mypy}
+          #- {python: '3.6', tox: coverage}
+
     steps:
     - uses: actions/checkout@v2
 

.mypy.ini

@@ -14,3 +14,6 @@ ignore_missing_imports = True
 
 [mypy-sip]
 ignore_missing_imports = True
+
+[mypy-pkg_resources]
+ignore_missing_imports = True

COPYING

@@ -1,7 +1,21 @@
-The intent is to allow free use of this source code.  All programs'
-source files are copyright protected and freely distributed under the
-GNU General Public License (see COPYING.GPL).  All library source
-files are copyright under the GNU Lesser General Public License (see
-COPYING.LGPL).  All files distributed with this package indicate the
-appropriate license to use with that file.  Absolutely no warranty is
-provided or implied.
+SETools libraries are provided under:
+
+    SPDX-License-Identifier: LGPL-2.1-only
+
+Being under the terms of the GNU Lesser General Public License version 2.1
+only, according with:
+
+    COPYING.LGPL
+
+
+SETools applications and unit tests are provided under:
+
+    SPDX-License-Identifier: GPL-2.0-only
+
+Being under the terms of the GNU General Public License version 2 only,
+according with:
+
+    COPYING.GPL
+
+
+All contributions to the SETools are subject to this COPYING file.

ChangeLog

@@ -1,3 +1,18 @@
+*setools-4.4.1 (6 Feb 2023)
+
+  * Replace deprecated NetworkX function use in information flow and domain
+    transition analysis.  This function was removed in NetworkX 3.0.
+  * Fix bug in apol copy and cut functions when copying from a tree view.
+  * Fix bug with extended permission set construction when a range includes
+    0x0.
+  * Add sesearch -Sp option for permission subset match.
+  * Fix error in man page description for sesearch -ep option.
+  * Improve output stability in constraint, common, class, role, and user
+    queries.
+  * Updated permission map.
+  * Fix bug in sechecker parsing of multiline values.
+  * Other code cleanups not visible to users.
+
 *setools-4.4.0 (5 Mar 2021)
 
   * Updated policy representation to handle policydb version 33, compressed

README.md

@@ -14,7 +14,7 @@ As such it contains a setup.py script that will install the tools.
 
 To run SETools command line tools, the following packages are required:
 * Python 3.6+
-* NetworkX 2.0+
+* NetworkX 2.0+ (2.6+ for Python 3.9+)
 * setuptools
 * libselinux
 * libsepol 3.2+
@@ -27,7 +27,7 @@ To run SETools graphical tools, the following packages are also required:
 To build SETools, the following development packages are required, in
 addition to the development packages from the above list:
 * gcc
-* cython 0.27+ (0.29.14+ for Python 3.8)
+* cython 0.27+ (0.29.14+ for Python 3.8+)
 
 To run SETools unit tests, the following packages are required, in
 addition to the above dependencies:
@@ -108,7 +108,7 @@ be compiled.
 ```
 
 This feature assumes that the directory structure at $USERSPACE_SRC is the
-same as the SELinux userspace code checked out from GitHub. 
+same as the SELinux userspace code checked out from GitHub.
 
 Since SETools is dynamically linked to libsepol and libselinux, you must
 specify the path to the libsepol/src and libselinux/src directories by

apol

@@ -1,20 +1,7 @@
 #!/usr/bin/env python3
 # Copyright 2015, Tresys Technology, LLC
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import sys

man/sesearch.1

@@ -83,7 +83,9 @@ A matching rule must have the specified target attribute/type/role explicitly, i
 .IP "-eb"
 A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.
 .IP "-ep"
-A matching rule must have all specified permissions, instead of matching any of the specified permission.
+A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.
+.IP "-Sp"
+A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.
 .IP "-rs"
 Use regular expression for matching the source type/role.
 .IP "-rt"

pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["setuptools", "Cython>=0.27"]
+build-backend = "setuptools.build_meta"

sechecker

@@ -1,20 +1,7 @@
 #!/usr/bin/env python3
 # Copyright 2020 Microsoft Corporation
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import setools

sediff

@@ -1,20 +1,7 @@
 #!/usr/bin/env python3
 # Copyright 2015-2016, Tresys Technology, LLC
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import setools

sedta

@@ -1,20 +1,7 @@
 #!/usr/bin/env python3
 # Copyright 2014-2015, Tresys Technology, LLC
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import sys
@@ -26,6 +13,8 @@ import setools
 
 
 def print_transition(trans: setools.DomainTransition) -> None:
+    print()
+
     if trans.transition:
         print("Domain transition rule(s):")
         for t in trans.transition:
@@ -77,6 +66,7 @@ parser.add_argument("--version", action="version", version=setools.__version__)
 parser.add_argument("-p", "--policy", help="Path to SELinux policy to analyze.")
 parser.add_argument("-s", "--source", help="Source type of the analysis.", required=True)
 parser.add_argument("-t", "--target", help="Target type of the analysis.")
+parser.add_argument("--full", help="Print rule lists for transitions.", action="store_true")
 parser.add_argument("--stats", action="store_true",
                     help="Display statistics at the end of the analysis.")
 parser.add_argument("-v", "--verbose", action="store_true",
@@ -128,26 +118,32 @@ try:
 
             for stepnum, step in enumerate(path, start=1):
 
-                print("Step {0}: {1} -> {2}\n".format(stepnum, step.source, step.target))
-                print_transition(step)
+                print("Step {0}: {1} -> {2}".format(stepnum, step.source, step.target))
+
+                if args.full:
+                    print_transition(step)
 
             if args.limit_trans and i >= args.limit_trans:
                 break
 
-        print(i, "domain transition path(s) found.")
+            print()
+
+        print("\n{} domain transition path(s) found.".format(i))
 
     else:  # single transition
         transitions = g.transitions(args.source)
 
         i = 0
         for i, step in enumerate(transitions, start=1):
-            print("Transition {0}: {1} -> {2}\n".format(i, step.source, step.target))
-            print_transition(step)
+            print("Transition {0}: {1} -> {2}".format(i, step.source, step.target))
+
+            if args.full:
+                print_transition(step)
 
             if args.limit_trans and i >= args.limit_trans:
                 break
 
-        print(i, "domain transition(s) found.")
+        print("\n{} domain transition(s) found.".format(i))
 
     if args.stats:
         print("\nGraph statistics:")

seinfo

@@ -2,20 +2,7 @@
 # Copyright 2014-2015, Tresys Technology, LLC
 # Copyright 2018-2019, Chris PeBenito <[email protected]>
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import setools

seinfoflow

@@ -1,20 +1,7 @@
 #!/usr/bin/env python3
 # Copyright 2014-2015, Tresys Technology, LLC
 #
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+# SPDX-License-Identifier: GPL-2.0-only
 #
 
 import setools
@@ -29,6 +16,8 @@ signal.signal(signal.SIGPIPE, signal.SIG_DFL)
 parser = argparse.ArgumentParser(
     description="SELinux policy information flow analysis tool.",
     epilog="If no analysis is selected, all information flow out of the source will be printed.")
+parser.add_argument("--full", help="Print full rule lists for information flows.",
+                    action="store_true")
 parser.add_argument("--version", action="version", version=setools.__version__)
 parser.add_argument("--stats", action="store_true",
                     help="Display statistics at the end of the analysis.")
@@ -39,8 +28,8 @@ parser.add_argument("--debug", action="store_true", dest="debug", help="Enable d
 settings = parser.add_argument_group("Analysis settings")
 settings.add_argument("-p", "--policy",
                       help="Path to SELinux policy to analyze.")
-settings.add_argument("-m", "--map", required=True,
-                      help="Path to permission map file.")
+settings.add_argument("-m", "--map",
+                      help="Path to alternative permission map file.")
 settings.add_argument("-s", "--source", required=True,
                       help="Source type of the analysis.")
 settings.add_argument("-t", "--target", default="",
@@ -117,10 +106,11 @@ try:
             for stepnum, step in enumerate(path, start=1):
                 print("  Step {0}: {1} -> {2}".format(stepnum, step.source, step.target))
 
-                for rule in sorted(step.rules):
-                    print("   ", rule)
+                if args.full:
+                    for rule in sorted(step.rules):
+                        print("   ", rule)
 
-                print()
+                    print()
 
             if args.limit_flows and flownum >= args.limit_flows:
                 break
@@ -131,15 +121,17 @@ try:
         flownum = 0
         for flownum, flow in enumerate(g.infoflows(args.source), start=1):
             print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))
-            for rule in sorted(flow.rules):
-                print("   ", rule)
 
-            print()
+            if args.full:
+                for rule in sorted(flow.rules):
+                    print("   ", rule)
+
+                print()
 
             if args.limit_flows and flownum >= args.limit_flows:
                 break
 
-    print(flownum, "information flow(s) found.")
+    print("\n{} information flow(s) found.".format(flownum))
 
     if args.stats:
         print("\nGraph statistics:")