author | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
committer | Colin Watson <cjwatson@debian.org> | 2005-06-17 12:44:30 +0000 |
commit | 4c2d1c67cea075107aadaa6d81fe456687c69e67 (patch) | |
tree | 4f31813c8306491c908948bd75254912385ed651 /selinux.c | |
parent | bed4bb0fe9380912ecb90e5f918bce8825ec0a38 (diff) |
Manoj Srivastava:
- Added SELinux capability, and turned it on by default. Added
restorecon calls in preinst and postinst (should not matter if the
machine is not SELinux aware). By and large, the changes made should
have no effect unless the rules file calls --with-selinux; and even
then there should be no performance hit for machines not actively
running SELinux.
- Modified the preinst and postinst to call restorecon to set the
security context for the generated public key files.
- Added a comment to /etc/pam.d/ssh to indicate that an SELinux system
may want to also include pam_selinux.so.
Diffstat (limited to 'selinux.c')
-rw-r--r-- | selinux.c | 111 |
1 files changed, 111 insertions, 0 deletions
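--- /dev/null
+++ b/selinux.c
@@ -0,0 +1,111 @@
+#include "includes.h"
+
+#include "auth.h"
+#include "log.h"
+
+#ifdef WITH_SELINUX
+
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+
+extern Authctxt *the_authctxt;
+
+static const security_context_t
+selinux_get_user_context(const char *name)
+{
+	security_context_t user_context = NULL;
+	char *role = NULL;
+	int ret = 0;
+
+	if (the_authctxt)
+		role = the_authctxt->role;
+	if (role != NULL && role[0])
+		ret = get_default_context_with_role(name, role, NULL,
+		    &user_context);
+	else
+		ret = get_default_context(name, NULL, &user_context);
+	if (ret < 0) {
+		if (security_getenforce() > 0)
+			fatal("Failed to get default security context for %s.",
+			    name);
+		else
+			error("Failed to get default security context for %s. "
+			    "Continuing in permissive mode",
+			    name);
+	}
+	return user_context;
+}
+
+void
+setup_selinux_pty(const char *name, const char *tty)
+{
+	security_context_t new_tty_context, user_context, old_tty_context;
+
+	if (is_selinux_enabled() <= 0)
+		return;
+
+	new_tty_context = old_tty_context = NULL;
+	user_context = selinux_get_user_context(name);
+
+	if (getfilecon(tty, &old_tty_context) < 0) {
+		error("getfilecon(%.100s) failed: %.100s",
+		    tty, strerror(errno));
+	} else {
+		if (security_compute_relabel(user_context, old_tty_context,
+		    SECCLASS_CHR_FILE, &new_tty_context) != 0) {
+			error("security_compute_relabel(%.100s) failed: "
+			    "%.100s", tty, strerror(errno));
+		} else {
+			if (setfilecon(tty, new_tty_context) != 0)
+				error("setfilecon(%.100s, %s) failed: %.100s",
+				    tty, new_tty_context, strerror(errno));
+			freecon(new_tty_context);
+		}
+		freecon(old_tty_context);
+	}
+	if (user_context)
+		freecon(user_context);
+}
+
+void
+setup_selinux_exec_context(const char *name)
+{
+	security_context_t user_context;
+
+	if (is_selinux_enabled() <= 0)
+		return;
+
+	user_context = selinux_get_user_context(name);
+
+	if (setexeccon(user_context)) {
+		if (security_getenforce() > 0)
+			fatal("Failed to set exec security context %s for %s.",
+			    user_context, name);
+		else
+			error("Failed to set exec security context %s for %s. "
+			    "Continuing in permissive mode",
+			    user_context, name);
+	}
+	if (user_context)
+		freecon(user_context);
+}
+
+#else /* WITH_SELINUX */
+
+void
+setup_selinux_pty(const char *name, const char *tty)
+{
+	(void) name;
+	(void) tty;
+}
+
+void
+setup_selinux_exec_context(const char *name)
+{
+	(void) name;
+}
+
+#endif /* WITH_SELINUX */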
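Review bot: selinux_get_user_context() returns NULL when get_default_context()/get_default_context_with_role() fails on a permissive-mode machine (the `ret < 0` branch only logs via error() and falls through to `return user_context`), and neither caller checks for that before using the value. In setup_selinux_pty the NULL is handed straight to security_compute_relabel(), and in setup_selinux_exec_context it goes to setexeccon(), which — if I recall the libselinux API correctly — treats NULL as "reset the exec context" and returns success, so the "Continuing in permissive mode" message after it never fires for exactly the case it was written for. Add `if (user_context == NULL) return;` directly after each `user_context = selinux_get_user_context(name);` so the permissive-mode failure path skips the relabel and exec-context work cleanly instead of passing a NULL label into libselinux. Separately, `security_context_t` is a typedef for `char *`, so `const security_context_t` on the helper's return type qualifies the pointer itself rather than the label it points to; plain `static security_context_t` says what is meant.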