Diffstat (limited to 'selinux.c')
-rw-r--r-- | selinux.c | 150 |
1 files changed, 67 insertions, 83 deletions
@@ -1,10 +1,8 @@ | |||
1 | #include "includes.h" | 1 | #include "includes.h" |
2 | |||
3 | #include "auth.h" | 2 | #include "auth.h" |
4 | #include "log.h" | 3 | #include "log.h" |
5 | 4 | ||
6 | #ifdef WITH_SELINUX | 5 | #ifdef WITH_SELINUX |
7 | |||
8 | #include <selinux/selinux.h> | 6 | #include <selinux/selinux.h> |
9 | #include <selinux/flask.h> | 7 | #include <selinux/flask.h> |
10 | #include <selinux/context.h> | 8 | #include <selinux/context.h> |
@@ -13,99 +11,85 @@ | |||
13 | 11 | ||
14 | extern Authctxt *the_authctxt; | 12 | extern Authctxt *the_authctxt; |
15 | 13 | ||
16 | static security_context_t | 14 | static const security_context_t |
17 | selinux_get_user_context(const char *name) | 15 | selinux_get_user_context(const char *name) |
18 | { | 16 | { |
19 | security_context_t user_context = NULL; | 17 | security_context_t user_context=NULL; |
20 | char *role = NULL; | 18 | char *role=NULL; |
21 | int ret = 0; | 19 | int ret = -1; |
22 | 20 | char *seuser=NULL; | |
23 | if (the_authctxt) | 21 | char *level=NULL; |
24 | role = the_authctxt->role; | 22 | |
25 | if (role != NULL && role[0]) | 23 | if (the_authctxt) |
26 | ret = get_default_context_with_role(name, role, NULL, | 24 | role=the_authctxt->role; |
27 | &user_context); | 25 | if (getseuserbyname(name, &seuser, &level)==0) { |
28 | else | 26 | if (role != NULL && role[0]) |
29 | ret = get_default_context(name, NULL, &user_context); | 27 | ret=get_default_context_with_rolelevel(seuser, role, level,NULL, |
30 | if (ret < 0) { | 28 | &user_context); |
31 | if (security_getenforce() > 0) | 29 | else |
32 | fatal("Failed to get default security context for %s.", | 30 | ret=get_default_context_with_level(seuser, level, NULL,&user_context); |
33 | name); | 31 | } |
34 | else | 32 | if ( ret < 0 ) { |
35 | error("Failed to get default security context for %s. " | 33 | if (security_getenforce() > 0) |
36 | "Continuing in permissive mode", | 34 | fatal("Failed to get default security context for %s.", |
37 | name); | 35 | name); |
36 | else | ||
37 | error("Failed to get default security context for %s." | ||
38 | "Continuing in permissive mode", | ||
39 | name); | ||
38 | } | 40 | } |
39 | return user_context; | 41 | return user_context; |
40 | } | 42 | } |
41 | 43 | ||
42 | void | 44 | void |
43 | setup_selinux_pty(const char *name, const char *tty) | 45 | setup_selinux_pty(const char *name, const char *tty) |
44 | { | 46 | { |
45 | security_context_t new_tty_context, user_context, old_tty_context; | 47 | if (is_selinux_enabled() > 0) { |
46 | 48 | security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; | |
47 | if (is_selinux_enabled() <= 0) | 49 | |
48 | return; | 50 | user_context=selinux_get_user_context(name); |
49 | 51 | ||
50 | new_tty_context = old_tty_context = NULL; | 52 | if (getfilecon(tty, &old_tty_context) < 0) { |
51 | user_context = selinux_get_user_context(name); | 53 | error("getfilecon(%.100s) failed: %.100s", |
52 | 54 | tty, strerror(errno)); | |
53 | if (getfilecon(tty, &old_tty_context) < 0) { | 55 | } else { |
54 | error("getfilecon(%.100s) failed: %.100s", | 56 | if (security_compute_relabel(user_context,old_tty_context, |
55 | tty, strerror(errno)); | 57 | SECCLASS_CHR_FILE, &new_tty_context) != 0) { |
56 | } else { | 58 | error("security_compute_relabel(%.100s) failed: " |
57 | if (security_compute_relabel(user_context, old_tty_context, | 59 | "%.100s", tty, strerror(errno)); |
58 | SECCLASS_CHR_FILE, &new_tty_context) != 0) { | 60 | } else { |
59 | error("security_compute_relabel(%.100s) failed: " | 61 | if (setfilecon (tty, new_tty_context) != 0) |
60 | "%.100s", tty, strerror(errno)); | 62 | error("setfilecon(%.100s, %s) failed: %.100s", |
61 | } else { | 63 | tty, new_tty_context, strerror(errno)); |
62 | if (setfilecon(tty, new_tty_context) != 0) | 64 | freecon(new_tty_context); |
63 | error("setfilecon(%.100s, %s) failed: %.100s", | 65 | } |
64 | tty, new_tty_context, strerror(errno)); | 66 | freecon(old_tty_context); |
65 | freecon(new_tty_context); | 67 | } |
66 | } | 68 | if (user_context) { |
67 | freecon(old_tty_context); | 69 | freecon(user_context); |
68 | } | 70 | } |
69 | if (user_context) | 71 | } |
70 | freecon(user_context); | ||
71 | } | ||
72 | |||
73 | void | ||
74 | setup_selinux_exec_context(const char *name) | ||
75 | { | ||
76 | security_context_t user_context; | ||
77 | |||
78 | if (is_selinux_enabled() <= 0) | ||
79 | return; | ||
80 | |||
81 | user_context = selinux_get_user_context(name); | ||
82 | |||
83 | if (setexeccon(user_context)) { | ||
84 | if (security_getenforce() > 0) | ||
85 | fatal("Failed to set exec security context %s for %s.", | ||
86 | user_context, name); | ||
87 | else | ||
88 | error("Failed to set exec security context %s for %s. " | ||
89 | "Continuing in permissive mode", | ||
90 | user_context, name); | ||
91 | } | ||
92 | if (user_context) | ||
93 | freecon(user_context); | ||
94 | } | 72 | } |
95 | 73 | ||
96 | #else /* WITH_SELINUX */ | 74 | void |
97 | 75 | setup_selinux_exec_context(char *name) | |
98 | void | ||
99 | setup_selinux_pty(const char *name, const char *tty) | ||
100 | { | 76 | { |
101 | (void) name; | ||
102 | (void) tty; | ||
103 | } | ||
104 | 77 | ||
105 | void | 78 | if (is_selinux_enabled() > 0) { |
106 | setup_selinux_exec_context(const char *name) | 79 | security_context_t user_context=selinux_get_user_context(name); |
107 | { | 80 | if (setexeccon(user_context)) { |
108 | (void) name; | 81 | if (security_getenforce() > 0) |
82 | fatal("Failed to set exec security context %s for %s.", | ||
83 | user_context, name); | ||
84 | else | ||
85 | error("Failed to set exec security context %s for %s. " | ||
86 | "Continuing in permissive mode", | ||
87 | user_context, name); | ||
88 | } | ||
89 | if (user_context) { | ||
90 | freecon(user_context); | ||
91 | } | ||
92 | } | ||
109 | } | 93 | } |
110 | 94 | ||
111 | #endif /* WITH_SELINUX */ | 95 | #endif /* WITH_SELINUX */ |
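Review bot: The seuser and level strings that getseuserbyname() fills in (new lines 25-30 of selinux_get_user_context, second hunk) are heap-allocated by libselinux and are never released, so every call to this function leaks both; add `free(seuser); free(level);` after the get_default_context_with_* call and before the `ret < 0` check. The permissive-mode message in the same function lost the space before "Continuing" when the literal was split (`"Failed to get default security context for %s."` directly followed by `"Continuing in permissive mode"`), so the logged line now reads "...for name.Continuing in permissive mode"; restore `"Failed to get default security context for %s. "` as the old code had it. The `const` in the new `static const security_context_t` return type qualifies the pointer itself rather than the context it points to and is misleading for a value both callers hand to freecon(), and setup_selinux_exec_context's parameter dropped its `const` (`char *name`) although the function only reads name, so `const char *name` should stay for consistency with setup_selinux_pty. The `#else /* WITH_SELINUX */` stubs for setup_selinux_pty and setup_selinux_exec_context are gone on the new side, so a build without WITH_SELINUX links only if every caller is guarded the same way — worth confirming against the callers, which are outside this file.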