summaryrefslogtreecommitdiff
path: root/selinux.c
blob: 6625c71d8a5b5af87d048b09bca6c1f21bbe2d4f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#include "includes.h"

#include "auth.h"
#include "log.h"

#ifdef WITH_SELINUX

#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/context.h>
#include <selinux/get_context_list.h>
#include <selinux/get_default_type.h>

extern Authctxt *the_authctxt;

static security_context_t
selinux_get_user_context(const char *name)
{
	security_context_t user_context = NULL;
	char *role = NULL;
	int ret = 0;

	if (the_authctxt)
		role = the_authctxt->role;
	if (role != NULL && role[0])
		ret = get_default_context_with_role(name, role, NULL,
		    &user_context);
	else
		ret = get_default_context(name, NULL, &user_context);
	if (ret < 0) {
		if (security_getenforce() > 0)
			fatal("Failed to get default security context for %s.",
			    name);
		else
			error("Failed to get default security context for %s. "
			    "Continuing in permissive mode",
			    name);
	}
	return user_context;
}

void
setup_selinux_pty(const char *name, const char *tty)
{
	security_context_t new_tty_context, user_context, old_tty_context;

	if (is_selinux_enabled() <= 0)
		return;

	new_tty_context = old_tty_context = NULL;
	user_context = selinux_get_user_context(name);

	if (getfilecon(tty, &old_tty_context) < 0) {
		error("getfilecon(%.100s) failed: %.100s",
		    tty, strerror(errno));
	} else {
		if (security_compute_relabel(user_context, old_tty_context,
		    SECCLASS_CHR_FILE, &new_tty_context) != 0) {
			error("security_compute_relabel(%.100s) failed: "
			    "%.100s", tty, strerror(errno));
		} else {
			if (setfilecon(tty, new_tty_context) != 0)
				error("setfilecon(%.100s, %s) failed: %.100s",
				    tty, new_tty_context, strerror(errno));
			freecon(new_tty_context);
		}
		freecon(old_tty_context);
	}
	if (user_context)
		freecon(user_context);
}

void
setup_selinux_exec_context(const char *name)
{
	security_context_t user_context;

	if (is_selinux_enabled() <= 0)
		return;

	user_context = selinux_get_user_context(name);

	if (setexeccon(user_context)) {
		if (security_getenforce() > 0)
			fatal("Failed to set exec security context %s for %s.",
			    user_context, name);
		else
			error("Failed to set exec security context %s for %s. "
			    "Continuing in permissive mode",
			    user_context, name);
	}
	if (user_context)
		freecon(user_context);
}

#else /* WITH_SELINUX */

void
setup_selinux_pty(const char *name, const char *tty)
{
	(void) name;
	(void) tty;
}

void
setup_selinux_exec_context(const char *name)
{
	(void) name;
}

#endif /* WITH_SELINUX */