int label_mkdir(
const char *path,
mode_t mode) {
/* Creates a directory and labels it according to the SELinux policy */
#ifdef HAVE_SELINUX
int r;
security_context_t fcon = NULL;
if (use_selinux() && label_hnd) {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, mode);
else {
char *newpath = NULL;
if (!(newpath = path_make_absolute_cwd(path)))
return -ENOMEM;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, mode);
free(newpath);
}
if (r == 0)
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
log_error("Failed to set security context %s for %s: %m", fcon, path);
r = -errno;
if (security_getenforce() == 1)
goto finish;
}
}
if ((r = mkdir(path, mode)) < 0)
r = -errno;
finish:
if (use_selinux() && label_hnd) {
setfscreatecon(NULL);
freecon(fcon);
}
return r;
#else
return mkdir(path, mode);
#endif
}
void label_finish(void) {
#ifdef HAVE_SELINUX
if (use_selinux() && label_hnd)
selabel_close(label_hnd);
#endif
}
void label_free(const char *label) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
freecon((security_context_t) label);
#endif
}
void label_socket_clear(void) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
setsockcreatecon(NULL);
#endif
}
void label_file_clear(void) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
setfscreatecon(NULL);
#endif
}
static int selinux_access_init(sd_bus_error *error) {
int r;
if (initialized)
return 0;
if (!use_selinux())
return 0;
r = access_init();
if (r < 0)
return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
initialized = true;
return 0;
}
static int selinux_access_init(DBusError *error) {
int r;
if (initialized)
return 0;
if (use_selinux()) {
r = access_init();
if (r < 0) {
dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
return r;
}
}
initialized = true;
return 0;
}
int label_socket_set(const char *label) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return 0;
if (setsockcreatecon((security_context_t) label) < 0) {
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Failed to set SELinux context (%s) on socket: %m", label);
if (security_getenforce() == 1)
return -errno;
}
#endif
return 0;
}
int label_fix(const char *path, bool ignore_enoent) {
int r = 0;
#ifdef HAVE_SELINUX
struct stat st;
security_context_t fcon;
if (!use_selinux() || !label_hnd)
return 0;
r = lstat(path, &st);
if (r == 0) {
r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
/* If there's no label to set, then exit without warning */
if (r < 0 && errno == ENOENT)
return 0;
if (r == 0) {
r = setfilecon(path, fcon);
freecon(fcon);
/* If the FS doesn't support labels, then exit without warning */
if (r < 0 && errno == ENOTSUP)
return 0;
}
}
if (r < 0) {
/* Ignore ENOENT in some cases */
if (ignore_enoent && errno == ENOENT)
return 0;
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Unable to fix label of %s: %m", path);
r = security_getenforce() == 1 ? -errno : 0;
}
#endif
return r;
}
int label_init(void) {
int r = 0;
#ifdef HAVE_SELINUX
if (!use_selinux())
return 0;
if (label_hnd)
return 0;
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd) {
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Failed to initialize SELinux context: %m");
r = security_getenforce() == 1 ? -errno : 0;
}
#endif
return r;
}
int label_init(const char *prefix) {
int r = 0;
#ifdef HAVE_SELINUX
usec_t before_timestamp, after_timestamp;
struct mallinfo before_mallinfo, after_mallinfo;
if (!use_selinux())
return 0;
if (label_hnd)
return 0;
before_mallinfo = mallinfo();
before_timestamp = now(CLOCK_MONOTONIC);
if (prefix) {
struct selinux_opt options[] = {
{ .type = SELABEL_OPT_SUBSET, .value = prefix },
};
label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
} else
int label_symlinkfile_set(const char *path) {
int r = 0;
#ifdef HAVE_SELINUX
security_context_t filecon = NULL;
if (!use_selinux() || !label_hnd)
return 0;
if ((r = selabel_lookup_raw(label_hnd, &filecon, path, S_IFLNK)) == 0) {
if ((r = setfscreatecon(filecon)) < 0) {
log_error("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
freecon(filecon);
}
if (r < 0 && security_getenforce() == 0)
r = 0;
#endif
return r;
}
int label_get_socket_label_from_exe(const char *exe, char **label) {
int r = 0;
#ifdef HAVE_SELINUX
security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
if (!use_selinux()) {
*label = NULL;
return 0;
}
r = getcon(&mycon);
if (r < 0)
goto fail;
r = getfilecon(exe, &fcon);
if (r < 0)
goto fail;
sclass = string_to_security_class("process");
r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
if (r == 0)
log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
fail:
if (r < 0 && security_getenforce() == 1)
r = -errno;
freecon(mycon);
freecon(fcon);
#endif
return r;
}
/*
This function communicates with the kernel to check whether or not it should
allow the access.
If the machine is in permissive mode it will return ok. Audit messages will
still be generated if the access would be denied in enforcing mode.
*/
int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
const char *path,
const char *permission,
DBusError *error) {
security_context_t scon = NULL, fcon = NULL;
int r = 0;
const char *tclass = NULL;
struct auditstruct audit;
assert(connection);
assert(message);
assert(permission);
assert(error);
if (!use_selinux())
return 0;
r = selinux_access_init(error);
if (r < 0)
return r;
log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
audit.uid = audit.loginuid = (uid_t) -1;
audit.gid = (gid_t) -1;
audit.cmdline = NULL;
audit.path = path;
r = get_calling_context(connection, message, &scon, error);
if (r < 0) {
log_error("Failed to get caller's security context on: %m");
goto finish;
}
if (path) {
tclass = "service";
/* get the file context of the unit file */
r = getfilecon(path, &fcon);
if (r < 0) {
dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
r = -errno;
log_error("Failed to get security context on %s: %m",path);
goto finish;
}
} else {
tclass = "system";
r = getcon(&fcon);
if (r < 0) {
dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
r = -errno;
log_error("Failed to get current process context on: %m");
goto finish;
}
}
(void) get_audit_data(connection, message, &audit, error);
errno = 0;
r = selinux_check_access(scon, fcon, tclass, permission, &audit);
if (r < 0) {
dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
r = -errno;
log_error("SELinux policy denies access.");
}
log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, audit.cmdline, r);
finish:
free(audit.cmdline);
freecon(scon);
freecon(fcon);
if (r && security_getenforce() != 1) {
dbus_error_init(error);
r = 0;
}
return r;
}
/*
This function communicates with the kernel to check whether or not it should
allow the access.
If the machine is in permissive mode it will return ok. Audit messages will
still be generated if the access would be denied in enforcing mode.
*/
int selinux_generic_access_check(
sd_bus *bus,
sd_bus_message *message,
const char *path,
const char *permission,
sd_bus_error *error) {
_cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
const char *tclass = NULL, *scon = NULL;
struct audit_info audit_info = {};
_cleanup_free_ char *cl = NULL;
security_context_t fcon = NULL;
char **cmdline = NULL;
int r = 0;
assert(bus);
assert(message);
assert(permission);
assert(error);
if (!use_selinux())
return 0;
r = selinux_access_init(error);
if (r < 0)
return r;
r = sd_bus_query_sender_creds(
message,
SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
SD_BUS_CREDS_SELINUX_CONTEXT,
&creds);
if (r < 0)
goto finish;
r = sd_bus_creds_get_selinux_context(creds, &scon);
if (r < 0)
goto finish;
if (path) {
/* Get the file context of the unit file */
r = getfilecon(path, &fcon);
if (r < 0) {
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
goto finish;
}
tclass = "service";
} else {
r = getcon(&fcon);
if (r < 0) {
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
goto finish;
}
tclass = "system";
}
sd_bus_creds_get_cmdline(creds, &cmdline);
cl = strv_join(cmdline, " ");
audit_info.creds = creds;
audit_info.path = path;
audit_info.cmdline = cl;
r = selinux_check_access((security_context_t) scon, fcon, tclass, permission, &audit_info);
if (r < 0)
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
finish:
freecon(fcon);
if (r < 0 && security_getenforce() != 1) {
sd_bus_error_free(error);
r = 0;
}
return r;
}
