1 files changed, 111 insertions, 0 deletions
diff --git a/selinux.c b/selinux.c
new file mode 100644
index 000000000..697c2910a
--- /dev/null
+++ b/selinux.c
@@ -0,0 +1,111 @@
+#include "includes.h"
+#include "auth.h"
+#include "log.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+extern Authctxt *the_authctxt;
+static const security_context_t
+selinux_get_user_context(const char *name)
+{
+        security_context_t user_context = NULL;
+        char *role = NULL;
+        int ret = 0;
+        if (the_authctxt)
+                role = the_authctxt->role;
+        if (role != NULL && role[0])
+                ret = get_default_context_with_role(name, role, NULL,
+                    &user_context);
+        else
+                ret = get_default_context(name, NULL, &user_context);
+        if (ret < 0) {
+                if (security_getenforce() > 0)
+                        fatal("Failed to get default security context for %s.",
+                            name);
+                else
+                        error("Failed to get default security context for %s. "
+                            "Continuing in permissive mode",
+                            name);
+        }
+        return user_context;
+}
+void
+setup_selinux_pty(const char *name, const char *tty)
+{
+        security_context_t new_tty_context, user_context, old_tty_context;
+        if (is_selinux_enabled() <= 0)
+                return;
+        new_tty_context = old_tty_context = NULL;
+        user_context = selinux_get_user_context(name);
+        if (getfilecon(tty, &old_tty_context) < 0) {
+                error("getfilecon(%.100s) failed: %.100s",
+                    tty, strerror(errno));
+        } else {
+                if (security_compute_relabel(user_context, old_tty_context,
+                    SECCLASS_CHR_FILE, &new_tty_context) != 0) {
+                        error("security_compute_relabel(%.100s) failed: "
+                            "%.100s", tty, strerror(errno));
+                } else {
+                        if (setfilecon(tty, new_tty_context) != 0)
+                                error("setfilecon(%.100s, %s) failed: %.100s",
+                                    tty, new_tty_context, strerror(errno));
+                        freecon(new_tty_context);
+                }
+                freecon(old_tty_context);
+        }
+        if (user_context)
+                freecon(user_context);
+}
+void
+setup_selinux_exec_context(const char *name)
+{
+        security_context_t user_context;
+        if (is_selinux_enabled() <= 0)
+                return;
+        user_context = selinux_get_user_context(name);
+        if (setexeccon(user_context)) {
+                if (security_getenforce() > 0)
+                        fatal("Failed to set exec security context %s for %s.",
+                            user_context, name);
+                else
+                        error("Failed to set exec security context %s for %s. "
+                            "Continuing in permissive mode",
+                            user_context, name);
+        }
+        if (user_context)
+                freecon(user_context);
+}
+#else /* WITH_SELINUX */
+void
+setup_selinux_pty(const char *name, const char *tty)
+{
+        (void) name;
+        (void) tty;
+}
+void
+setup_selinux_exec_context(const char *name)
+{
+        (void) name;
+}
+#endif /* WITH_SELINUX */

diff --git a/selinux.c b/selinux.c new file mode 100644 index 000000000..697c2910a --- /dev/null +++ b/selinux.c
@@ -0,0 +1,111 @@
	1	#include "includes.h"
	2
	3	#include "auth.h"
	4	#include "log.h"
	5
	6	#ifdef WITH_SELINUX
	7
	8	#include <selinux/selinux.h>
	9	#include <selinux/flask.h>
	10	#include <selinux/context.h>
	11	#include <selinux/get_context_list.h>
	12	#include <selinux/get_default_type.h>
	13
	14	extern Authctxt *the_authctxt;
	15
	16	static const security_context_t
	17	selinux_get_user_context(const char *name)
	18	{
	19	security_context_t user_context = NULL;
	20	char *role = NULL;
	21	int ret = 0;
	22
	23	if (the_authctxt)
	24	role = the_authctxt->role;
	25	if (role != NULL && role[0])
	26	ret = get_default_context_with_role(name, role, NULL,
	27	&user_context);
	28	else
	29	ret = get_default_context(name, NULL, &user_context);
	30	if (ret < 0) {
	31	if (security_getenforce() > 0)
	32	fatal("Failed to get default security context for %s.",
	33	name);
	34	else
	35	error("Failed to get default security context for %s. "
	36	"Continuing in permissive mode",
	37	name);
	38	}
	39	return user_context;
	40	}
	41
	42	void
	43	setup_selinux_pty(const char name, const char tty)
	44	{
	45	security_context_t new_tty_context, user_context, old_tty_context;
	46
	47	if (is_selinux_enabled() <= 0)
	48	return;
	49
	50	new_tty_context = old_tty_context = NULL;
	51	user_context = selinux_get_user_context(name);
	52
	53	if (getfilecon(tty, &old_tty_context) < 0) {
	54	error("getfilecon(%.100s) failed: %.100s",
	55	tty, strerror(errno));
	56	} else {
	57	if (security_compute_relabel(user_context, old_tty_context,
	58	SECCLASS_CHR_FILE, &new_tty_context) != 0) {
	59	error("security_compute_relabel(%.100s) failed: "
	60	"%.100s", tty, strerror(errno));
	61	} else {
	62	if (setfilecon(tty, new_tty_context) != 0)
	63	error("setfilecon(%.100s, %s) failed: %.100s",
	64	tty, new_tty_context, strerror(errno));
	65	freecon(new_tty_context);
	66	}
	67	freecon(old_tty_context);
	68	}
	69	if (user_context)
	70	freecon(user_context);
	71	}
	72
	73	void
	74	setup_selinux_exec_context(const char *name)
	75	{
	76	security_context_t user_context;
	77
	78	if (is_selinux_enabled() <= 0)
	79	return;
	80
	81	user_context = selinux_get_user_context(name);
	82
	83	if (setexeccon(user_context)) {
	84	if (security_getenforce() > 0)
	85	fatal("Failed to set exec security context %s for %s.",
	86	user_context, name);
	87	else
	88	error("Failed to set exec security context %s for %s. "
	89	"Continuing in permissive mode",
	90	user_context, name);
	91	}
	92	if (user_context)
	93	freecon(user_context);
	94	}
	95
	96	#else /* WITH_SELINUX */
	97
	98	void
	99	setup_selinux_pty(const char name, const char tty)
	100	{
	101	(void) name;
	102	(void) tty;
	103	}
	104
	105	void
	106	setup_selinux_exec_context(const char *name)
	107	{
	108	(void) name;
	109	}
	110
	111	#endif /* WITH_SELINUX */