Merge pull request #86 from pebenito/4.4

Backport fixes for 4.4.2.

.github/workflows/tests.yml

@@ -3,8 +3,21 @@ name: Build tests
 on: [push, pull_request]
 
 env:
+  # This should be the minimum version required to run setools:
   SELINUX_USERSPACE_VERSION: 3.2
 
+  # GitHub doesn't support building env
+  # vars from others in this block.
+  USERSPACE_SRC: /tmp/selinux-src
+  #SEPOL_SRC: ${USERSPACE_SRC}/libsepol
+  SEPOL_SRC: /tmp/selinux-src/libsepol
+  #LIBSEPOLA: ${SEPOL_SRC}/src/libsepol.a
+  LIBSEPOLA: /tmp/selinux-src/libsepol/src/libsepol.a
+  #SELINUX_SRC: ${USERSPACE_SRC}/libselinux
+  SELINUX_SRC: /tmp/selinux-src/libselinux
+  #CHECKPOLICY_SRC: ${USERSPACE_SRC}/checkpolicy
+  CHECKPOLICY_SRC: /tmp/selinux-src/checkpolicy
+
 jobs:
   build:
     runs-on: ubuntu-20.04
@@ -23,7 +36,8 @@ jobs:
           - {python: '3.6', tox: pep8}
           - {python: '3.6', tox: lint}
           - {python: '3.6', tox: mypy}
-          #- {python: '3.6', tox: coverage}
+          - {python: '3.6', tox: coverage}
+          - {python: '3.6', tox: install}
 
     steps:
     - uses: actions/checkout@v2
@@ -43,26 +57,20 @@ jobs:
             gettext \
             libaudit-dev \
             libbz2-dev \
-            libpcre3-dev \
-            python3-pip
+            libpcre3-dev
 
-        sudo pip3 install \
-            cython \
-            setuptools \
+        sudo python -m pip install -U \
             tox
 
-    - name: Configure environment
-      run: |
-        USERSPACE_SRC=/tmp/selinux-src
-        SEPOL_SRC=${USERSPACE_SRC}/libsepol
-        LIBSEPOLA=${SEPOL_SRC}/src/libsepol.a
-        echo "USERSPACE_SRC=$USERSPACE_SRC" >> $GITHUB_ENV
-        echo "SEPOL_SRC=${SEPOL_SRC}" >> $GITHUB_ENV
-        echo "LIBSEPOLA=${LIBSEPOLA}" >> $GITHUB_ENV
-        echo "SELINUX_SRC=${USERSPACE_SRC}/libselinux" >> $GITHUB_ENV
-        echo "CHECKPOLICY_SRC=${USERSPACE_SRC}/checkpolicy" >> $GITHUB_ENV
+    - name: Cache SELinux userspace
+      uses: actions/cache@v3
+      id: cache-userspace
+      with:
+        path: ${{ env.USERSPACE_SRC }}
+        key: ${{ runner.os }}-selinux-userspace-${{ env.SELINUX_USERSPACE_VERSION }}
 
-    - name: Build toolchain
+    - name: Build SELinux userspace
+      if: ${{ steps.cache-userspace.outputs.cache-hit != 'true' }}
       run: |
         # Download current SELinux userspace tools and libraries
         git clone https://github.com/SELinuxProject/selinux.git ${USERSPACE_SRC} -b ${SELINUX_USERSPACE_VERSION}
@@ -72,14 +80,7 @@ jobs:
         make CFLAGS="-O2 -pipe -fPIC -Wall -I${SEPOL_SRC}/include" LDFLAGS="-L${SEPOL_SRC}/src" -C ${SELINUX_SRC}
         make CFLAGS="-O2 -pipe -fPIC -Wall -I${SEPOL_SRC}/include" -C ${CHECKPOLICY_SRC}
 
-    - name: Set up setools for CI build
-      run: |
-        sed -i \
-          -e "/Wwrite-strings/s/,/, '-Wno-maybe-uninitialized',/" \
-          -e "s/-Wno-cast-function-type/-Wno-missing-include-dirs/" \
-          setup.py
-
     - name: Run test
       run: |
         export LD_LIBRARY_PATH="${SEPOL_SRC}/src:${SELINUX_SRC}/src:${LD_LIBRARY_PATH}"
-        tox -vv -e ${{ matrix.build-opts.tox }}
+        tox -e ${{ matrix.build-opts.tox }}

.pylintrc

@@ -30,14 +30,6 @@ unsafe-load-any-extension=no
 # run arbitrary code
 extension-pkg-whitelist=setools.policyrep
 
-# Allow optimization of some AST trees. This will activate a peephole AST
-# optimizer, which will apply various small optimizations. For instance, it can
-# be used to obtain the result of joining multiple strings with the addition
-# operator. Joining a lot of strings can lead to a maximum recursion error in
-# Pylint and this flag can prevent that. It has one side effect, the resulting
-# AST will be different than the one from reality.
-optimize-ast=no
-
 
 [MESSAGES CONTROL]
 
@@ -69,11 +61,6 @@ disable=I,logging-format-interpolation,format,similarities
 # mypackage.mymodule.MyReporterClass.
 output-format=text
 
-# Put messages in a separate file for each module / package specified on the
-# command line instead of printing them on stdout. Reports (if any) will be
-# written in a file name "pylint_global.[txt|html]".
-files-output=no
-
 # Tells whether to display a full report or only the messages
 reports=no
 
@@ -110,21 +97,12 @@ include-naming-hint=no
 # Regular expression matching correct constant names
 const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
 
-# Naming hint for constant names
-const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
-
 # Regular expression matching correct method names
 method-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for method names
-method-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct function names
 function-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for function names
-function-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct class attribute names
 class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
 
@@ -134,39 +112,21 @@ class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
 # Regular expression matching correct attribute names
 attr-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for attribute names
-attr-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct class names
 class-rgx=[A-Z_][a-zA-Z0-9]+$
 
-# Naming hint for class names
-class-name-hint=[A-Z_][a-zA-Z0-9]+$
-
 # Regular expression matching correct module names
 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
 
-# Naming hint for module names
-module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
-
 # Regular expression matching correct inline iteration names
 inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
 
-# Naming hint for inline iteration names
-inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
-
 # Regular expression matching correct argument names
 argument-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for argument names
-argument-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct variable names
 variable-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for variable names
-variable-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression which should only match function or class names that do
 # not require a docstring.
 no-docstring-rgx=^_
@@ -224,12 +184,6 @@ ignore-long-lines=^\s*(# )?<?https?://\S+>?$
 # else.
 single-line-if-stmt=no
 
-# List of optional constructs for which whitespace checking is disabled. `dict-
-# separator` is used to allow tabulation in dicts, etc.: {1  : 1,\n222: 2}.
-# `trailing-comma` allows a space between comma and closing bracket: (a, ).
-# `empty-line` allows space-only lines.
-no-space-check=trailing-comma,dict-separator
-
 # Maximum number of lines in a module
 max-module-lines=1000
 
@@ -375,4 +329,4 @@ exclude-protected=_asdict,_fields,_replace,_source,_make
 
 # Exceptions that will emit a warning when being caught. Defaults to
 # "Exception"
-overgeneral-exceptions=Exception
+overgeneral-exceptions=builtins.Exception

ChangeLog

@@ -1,3 +1,13 @@
+*setools-4-4.2 (19 Apr 2023)
+
+  * Make NetworkX optional.  sedta and seinfoflow tools, along with the
+    equivalent analyses in apol require NetworkX.
+  * Changed unit test runner to pytest, as setuptools' test command is
+    deprecated.
+  * Remove neverallow options in sesearch and apol.  These are not usable
+    since they are removed in the final binary policy.
+  * Unit tests and CI tests improvements.
+
 *setools-4.4.1 (6 Feb 2023)
 
   * Replace deprecated NetworkX function use in information flow and domain

README.md

@@ -31,6 +31,7 @@ addition to the development packages from the above list:
 
 To run SETools unit tests, the following packages are required, in
 addition to the above dependencies:
+* pytest
 * tox (optional)
 
 ### Obtaining SETools
@@ -129,9 +130,11 @@ for up-to-date information on build and install options, respectively.
 
 One goal for SETools is to provide confidence in the validity of the
 output for the tools.  The unit tests for SETools can be run with
-the following command
+the following commands:
+
 ```
-  $ python setup.py test
+  $ python setup.py build_ext -i
+  $ pytest tests
 ```
 
 ## Features

man/ru/sesearch.1

@@ -35,16 +35,12 @@ sesearch \- утилита опроса политики SELinux
 Найти правила включения журналирования событий.
 .IP "--dontaudit"
 Найти правила запрета журналирования событий.
-.IP "--neverallow"
-Найти запрещающие правила.
 .IP "--allowxperm"
 Найти расширенные разрешительные правила.
 .IP "--auditallowxperm"
 Найти расширенные правила включения журналирования событий.
 .IP "--dontauditxperm"
 Найти расширенные правила запрета журналирования событий.
-.IP "--neverallowxperm"
-Найти расширенные запрещающие правила.
 .IP "-T, --type_trans"
 Найти правила перехода типов.
 .IP "--type_member"

man/sesearch.1

@@ -30,16 +30,12 @@ Find allow rules.
 Find auditallow rules.
 .IP "--dontaudit"
 Find dontaudit rules.
-.IP "--neverallow"
-Find neverallow rules.
 .IP "--allowxperm"
 Find allowxperm rules.
 .IP "--auditallowxperm"
 Find auditallowxperm rules.
 .IP "--dontauditxperm"
 Find dontauditxperm rules.
-.IP "--neverallowxperm"
-Find neverallowxperm rules.
 .IP "-T, --type_trans"
 Find type_transition rules.
 .IP "--type_member"

pyproject.toml

@@ -1,3 +1,7 @@
 [build-system]
 requires = ["setuptools", "Cython>=0.27"]
 build-backend = "setuptools.build_meta"
+
+[tool.pytest.ini_options]
+addopts = ["--import-mode=importlib",]
+pythonpath = "."

sesearch

@@ -41,12 +41,12 @@ rtypes.add_argument("--dontaudit", action="append_const",
 rtypes.add_argument("--dontauditxperm", action="append_const",
                     const=setools.TERuletype.dontauditxperm, dest="tertypes",
                     help="Search dontauditxperm rules.")
-rtypes.add_argument("--neverallow", action="append_const",
-                    const=setools.TERuletype.neverallow, dest="tertypes",
-                    help="Search neverallow rules.")
-rtypes.add_argument("--neverallowxperm", action="append_const",
-                    const=setools.TERuletype.neverallowxperm, dest="tertypes",
-                    help="Search neverallowxperm rules.")
+# rtypes.add_argument("--neverallow", action="append_const",
+#                    const=setools.TERuletype.neverallow, dest="tertypes",
+#                    help="Search neverallow rules.")
+# rtypes.add_argument("--neverallowxperm", action="append_const",
+#                    const=setools.TERuletype.neverallowxperm, dest="tertypes",
+#                    help="Search neverallowxperm rules.")
 rtypes.add_argument("-T", "--type_trans", action="append_const",
                     const=setools.TERuletype.type_transition, dest="tertypes",
                     help="Search type_transition rules.")

setools/diff/typing.py

@@ -2,7 +2,7 @@
 #
 from typing import DefaultDict, Dict, List, Optional, TypeVar
 
-from ..policyrep import PolicyObject, SELinuxPolicy
+from ..policyrep import PolicyEnum, PolicyObject, SELinuxPolicy
 
 from .difference import Wrapper, SymbolWrapper
 
@@ -12,4 +12,5 @@
 Cache = DefaultDict[SELinuxPolicy, Dict[T, U]]
 SymbolCache = Cache[T, SymbolWrapper[T]]
 
-RuleList = Optional[DefaultDict[T, List[U]]]
+E = TypeVar("E", bound=PolicyEnum)
+RuleList = Optional[DefaultDict[E, List[T]]]

setools/dta.py

@@ -10,8 +10,11 @@
 from contextlib import suppress
 from typing import DefaultDict, Iterable, List, NamedTuple, Optional, Union
 
-import networkx as nx
-from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+try:
+    import networkx as nx
+    from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+except ImportError:
+    logging.getLogger(__name__).debug("NetworkX failed to import.")
 
 from .descriptors import EdgeAttrDict, EdgeAttrList
 from .policyrep import AnyTERule, SELinuxPolicy, TERuletype, Type
@@ -73,8 +76,15 @@ def __init__(self, policy: SELinuxPolicy, reverse: bool = False,
         self.reverse = reverse
         self.rebuildgraph = True
         self.rebuildsubgraph = True
-        self.G = nx.DiGraph()
-        self.subG = self.G.copy()
+
+        try:
+            self.G = nx.DiGraph()
+            self.subG = self.G.copy()
+        except NameError:
+            self.log.critical("NetworkX is not available.  This is "
+                              "requried for Domain Transition Analysis.")
+            self.log.critical("This is typically in the python3-networkx package.")
+            raise
 
     @property
     def reverse(self) -> bool:

setools/infoflow.py

@@ -7,8 +7,11 @@
 from contextlib import suppress
 from typing import cast, Iterable, List, Mapping, Optional, Union
 
-import networkx as nx
-from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+try:
+    import networkx as nx
+    from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+except ImportError:
+    logging.getLogger(__name__).debug("NetworkX failed to import.")
 
 from .descriptors import EdgeAttrIntMax, EdgeAttrList
 from .permmap import PermissionMap
@@ -54,8 +57,14 @@ def __init__(self, policy: SELinuxPolicy, perm_map: PermissionMap, min_weight: i
         self.rebuildgraph = True
         self.rebuildsubgraph = True
 
-        self.G = nx.DiGraph()
-        self.subG = self.G.copy()
+        try:
+            self.G = nx.DiGraph()
+            self.subG = self.G.copy()
+        except NameError:
+            self.log.critical("NetworkX is not available.  This is "
+                              "requried for Information Flow Analysis.")
+            self.log.critical("This is typically in the python3-networkx package.")
+            raise
 
     @property
     def min_weight(self) -> int:

setools/policyrep.pyi

@@ -7,7 +7,6 @@ from typing import Any, Callable, Dict, FrozenSet, Iterable, Iterator, List, Nam
 import enum
 import ipaddress
 import setools.exception
-import typing
 import weakref
 
 AnyConstraint = Union["Constraint", "Validatetrans"]