path: root/selinux.c
#include "includes.h"

#include <stdlib.h>

#include "auth.h"
#include "log.h"

#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/context.h>
#include <selinux/get_context_list.h>
#include <selinux/get_default_type.h>

extern Authctxt *the_authctxt;

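/*
 * Look up the default SELinux security context for the login account `name`.
 *
 * The Unix account is first mapped to an SELinux user and level with
 * getseuserbyname(). If the authentication context carries a non-empty role,
 * the context is resolved for that role; otherwise the default for the
 * SELinux user and level is used.
 *
 * Returns a context the caller must release with freecon(), or NULL when the
 * lookup failed and the system is in permissive mode. When the lookup fails
 * and the system is enforcing, or the enforcing state cannot be read, the
 * function calls fatal() rather than continue without a context.
 */
static const security_context_t 
selinux_get_user_context(const char *name)
{
	security_context_t user_context = NULL;
	char *role = NULL;
	char *seuser = NULL;
	char *level = NULL;
	int ret = -1;

	/*
	 * NOTE(review): the origin of the_authctxt->role is not visible here;
	 * presumably it is supplied by the connecting client, so it must only
	 * ever be honoured through the policy lookup below -- confirm.
	 */
	if (the_authctxt)
		role = the_authctxt->role;

	if (getseuserbyname(name, &seuser, &level) == 0) {
		if (role != NULL && role[0])
			ret = get_default_context_with_rolelevel(seuser, role,
			    level, NULL, &user_context);
		else
			ret = get_default_context_with_level(seuser, level,
			    NULL, &user_context);
	}

	/*
	 * getseuserbyname() hands back heap strings owned by the caller; the
	 * original code never released them. Both start out NULL, so this is
	 * safe on the failure path as well.
	 */
	free(seuser);
	free(level);

	if (ret < 0) {
		/*
		 * security_getenforce() returns 1 (enforcing), 0 (permissive)
		 * or -1 (error). Treat "unknown" like enforcing so a failure to
		 * read the mode cannot silently downgrade to permissive
		 * handling.
		 */
		if (security_getenforce() != 0)
			fatal("Failed to get default security context for %s.",
			    name);
		else
			error("Failed to get default security context for %s. "
			    "Continuing in permissive mode",
			    name);
	}
	return user_context;
}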

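/*
 * Relabel the pseudo-terminal `tty` for the login account `name`.
 *
 * Does nothing when SELinux is disabled. Otherwise the user's default
 * context and the tty's current file context are passed to
 * security_compute_relabel() to obtain the label the device should carry,
 * which is then applied with setfilecon().
 *
 * Failures of getfilecon(), security_compute_relabel() and setfilecon() are
 * logged with error() and are not fatal, so the tty then keeps its previous
 * label.
 * NOTE(review): in enforcing mode that leaves access to the tty governed by
 * policy on the old label; consider whether these should fail hard.
 */
void 
setup_selinux_pty(const char *name, const char *tty)
{
	security_context_t new_tty_context = NULL;
	security_context_t old_tty_context = NULL;
	security_context_t user_context = NULL;

	if (is_selinux_enabled() <= 0)
		return;

	user_context = selinux_get_user_context(name);
	if (user_context == NULL) {
		/*
		 * No context could be resolved (the lookup has already logged
		 * the failure). Do not hand a NULL source context to
		 * security_compute_relabel(); leave the tty label untouched.
		 */
		return;
	}

	if (getfilecon(tty, &old_tty_context) < 0) {
		error("getfilecon(%.100s) failed: %.100s",
		    tty, strerror(errno));
		goto out;
	}

	if (security_compute_relabel(user_context, old_tty_context,
	    SECCLASS_CHR_FILE, &new_tty_context) != 0) {
		error("security_compute_relabel(%.100s) failed: "
		    "%.100s", tty, strerror(errno));
		goto out_old;
	}

	if (setfilecon(tty, new_tty_context) != 0)
		error("setfilecon(%.100s, %s) failed: %.100s",
		    tty, new_tty_context, strerror(errno));
	freecon(new_tty_context);

out_old:
	freecon(old_tty_context);
out:
	freecon(user_context);
}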

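/*
 * Set the SELinux context that the next exec in this process will run under
 * to the default context of the login account `name`.
 *
 * Does nothing when SELinux is disabled. If setexeccon() fails, the function
 * calls fatal() when the system is enforcing or the enforcing state cannot be
 * read, and only logs with error() in permissive mode.
 *
 * Note: when the context lookup returned NULL (lookup failure in permissive
 * mode), setexeccon(NULL) resets the exec context to the policy default
 * rather than applying a user-specific one.
 */
void 
setup_selinux_exec_context(char *name)
{
	security_context_t user_context;
	const char *shown;

	if (is_selinux_enabled() <= 0)
		return;

	user_context = selinux_get_user_context(name);
	if (setexeccon(user_context) != 0) {
		/* Never pass a NULL pointer to a %s conversion. */
		shown = user_context ? user_context : "(none)";

		/*
		 * security_getenforce() returns -1 on error; treat that like
		 * enforcing so an unreadable mode fails closed.
		 */
		if (security_getenforce() != 0)
			fatal("Failed to set exec security context %s for %s.",
			    shown, name);
		else
			error("Failed to set exec security context %s for %s. "
			    "Continuing in permissive mode",
			    shown, name);
	}
	if (user_context)
		freecon(user_context);
}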

#endif /* WITH_SELINUX */