/*
* selinux_process_label_set: Set SELinux context of a process
*
* @label : label string
* @conf : the container configuration to use @label is NULL
* @default : use the default context if label is NULL
* @on_exec : the new context will take effect on exec(2) not immediately
*
* Returns 0 on success, < 0 on failure
*
* Notes: This relies on /proc being available.
*/
static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
int use_default, int on_exec)
{
const char *label = inlabel ? inlabel : conf->lsm_se_context;
if (!label) {
if (use_default)
label = DEFAULT_LABEL;
else
return -1;
}
if (!strcmp(label, "unconfined_t"))
return 0;
if (on_exec) {
if (setexeccon_raw((char *)label) < 0) {
SYSERROR("failed to set new SELinux exec context %s", label);
return -1;
}
} else {
if (setcon_raw((char *)label) < 0) {
SYSERROR("failed to set new SELinux context %s", label);
return -1;
}
}
INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label);
return 0;
}
static int
testSELinuxGenLabel(const void *opaque)
{
const struct testSELinuxGenLabelData *data = opaque;
int ret = -1;
virDomainDefPtr def;
context_t con = NULL;
context_t imgcon = NULL;
if (setcon_raw((security_context_t)data->pidcon) < 0) {
perror("Cannot set process security context");
return -1;
}
if (!(def = testBuildDomainDef(data->dynamic,
data->label,
data->baselabel)))
goto cleanup;
if (virSecurityManagerGenLabel(data->mgr, def) < 0) {
virErrorPtr err = virGetLastError();
fprintf(stderr, "Cannot generate label: %s\n", err->message);
goto cleanup;
}
VIR_DEBUG("label=%s imagelabel=%s",
def->seclabels[0]->label, def->seclabels[0]->imagelabel);
if (!(con = context_new(def->seclabels[0]->label)))
goto cleanup;
if (!(imgcon = context_new(def->seclabels[0]->imagelabel)))
goto cleanup;
if (!testSELinuxCheckCon(con,
data->user, data->role, data->type,
data->sensMin, data->sensMax,
data->catMin, data->catMax))
goto cleanup;
if (!testSELinuxCheckCon(imgcon,
data->user, data->imagerole, data->imagetype,
data->sensMin, data->sensMax,
data->catMin, data->catMax))
goto cleanup;
ret = 0;
cleanup:
context_free(con);
context_free(imgcon);
virDomainDefFree(def);
return ret;
}
int mac_selinux_setup(bool *loaded_policy) {
#ifdef HAVE_SELINUX
int enforce = 0;
usec_t before_load, after_load;
security_context_t con;
int r;
union selinux_callback cb;
bool initialized = false;
assert(loaded_policy);
/* Turn off all of SELinux' own logging, we want to do that */
cb.func_log = null_log;
selinux_set_callback(SELINUX_CB_LOG, cb);
/* Don't load policy in the initrd if we don't appear to have
* it. For the real root, we check below if we've already
* loaded policy, and return gracefully.
*/
if (in_initrd() && access(selinux_path(), F_OK) < 0)
return 0;
/* Already initialized by somebody else? */
r = getcon_raw(&con);
if (r == 0) {
initialized = !streq(con, "kernel");
freecon(con);
}
/* Make sure we have no fds open while loading the policy and
* transitioning */
log_close();
/* Now load the policy */
before_load = now(CLOCK_MONOTONIC);
r = selinux_init_load_policy(&enforce);
if (r == 0) {
_cleanup_(mac_selinux_freep) char *label = NULL;
char timespan[FORMAT_TIMESPAN_MAX];
mac_selinux_retest();
/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || !label) {
log_open();
log_error("Failed to compute init label, ignoring.");
} else {
r = setcon_raw(label);
log_open();
if (r < 0)
log_error("Failed to transition into init label '%s', ignoring.", label);
}
after_load = now(CLOCK_MONOTONIC);
log_info("Successfully loaded SELinux policy in %s.",
format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
*loaded_policy = true;
} else {
/*
* do_set_domain
* It tries to replace the domain/range of the current context.
*/
static int
do_set_domain(security_context_t old_context, char *domain, server_rec *s)
{
security_context_t new_context;
security_context_t raw_context;
context_t context;
char *range;
/*
* Compute the new security context
*/
context = context_new(old_context);
if (!context) {
ap_log_error(APLOG_MARK, APLOG_ERR, errno, s,
"SELinux: context_new(\"%s\") failed",
old_context);
return -1;
}
range = strchr(domain, ':');
if (range)
*range++ = '\0';
if (domain && strcmp(domain, "*") != 0)
context_type_set(context, domain);
if (range && strcmp(range, "*") != 0)
context_range_set(context, range);
if (range)
*--range = ':'; /* fixup */
new_context = context_str(context);
if (!new_context) {
ap_log_error(APLOG_MARK, APLOG_ERR, errno, s,
"SELinux: context_str(\"%s:%s:%s:%s\") failed",
context_user_get(context),
context_role_get(context),
context_type_get(context),
context_range_get(context));
context_free(context);
return -1;
}
/*
* If old_context == new_context, we don't need to do anything
*/
if (selinux_trans_to_raw_context(new_context, &raw_context) < 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, errno, s,
"SELinux: selinux_trans_to_raw_context(\"%s\") failed",
new_context);
context_free(context);
return -1;
}
context_free(context);
if (!strcmp(old_context, raw_context)) {
freecon(raw_context);
return 1;
}
if (setcon_raw(raw_context) < 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, errno, s,
"SELinux: setcon_raw(\"%s\") failed",
raw_context);
freecon(raw_context);
return -1;
}
freecon(raw_context);
return 0;
}
int setcon(security_context_t context)
{
return setcon_raw(context);
}
