Example #1
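/*
 * setfilecon_raw - set the SEBSD MAC label of <path> to <context>.
 *
 * The label text handed to the "sebsd" policy is "sebsd/" followed by the
 * caller's context string, unchanged.
 *
 * Returns 0 on success, -1 on failure (NULL context, mac_prepare() or
 * mac_from_text() failure, or whatever mac_set_file() returned).
 */
int setfilecon_raw(const char *path, security_context_t context)
{
        static const char prefix[] = "sebsd/";
        const size_t plen = sizeof(prefix) - 1;   /* prefix without its NUL */
        mac_t  mac;
        size_t clen;
        int    r;

        /*
         * strlen(NULL) is undefined behaviour; a NULL context is a caller
         * error and is reported the same way as every other failure here.
         */
        if (context == NULL)
                return -1;

        clen = strlen(context);

        /*
         * Exact fit: prefix + context + terminating NUL.  (The original got
         * the same count from strlen("sebsd/0"); spelling it out makes the
         * +1 visible.)  NOTE(review): the frame grows with the caller's
         * label; if the context can come from untrusted input, bound its
         * length upstream.
         */
        char tmp[plen + clen + 1];

        if (mac_prepare(&mac, "sebsd"))
                return -1;

        /* Both lengths are known exactly, so use bounded copies. */
        memcpy(tmp, prefix, plen);
        memcpy(tmp + plen, context, clen + 1);   /* copies context's NUL too */

        if (mac_from_text(&mac, tmp)) {
                mac_free(mac);
                return -1;
        }
        r = mac_set_file(path, mac);
        mac_free(mac);
        return r;
}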
Example #2
File: basic.c Project: LinuxCSA/CSA
/*****************************************************************************
 *
 * NAME
 *      check_file      - Make sure the specified file exists as specified.
 *
 * SYNOPSIS
 *      check_file_retval = check_file( file, own, grp, mode );
 *
 *      file            r       The name of the file to be verified, changed
 *                              or created.
 *      own             r       The file's owner.
 *      grp             r       The file's group.
 *      mode            r       The file's mode.
 *
 * DESCRIPTION
 *      This routine determines whether <file> exists -and- is a regular file.
 *      If the file doesn't exist, this routine will create it.
 *
 *      In either case, the file's owner will be set to <own>, group will be
 *      set to <grp>, mode will be set to <mode>, and MAC label will be set
 *      to dbadmin (for Trusted IRIX only).
 *
 *      NOTES:  If the owner cannot be changed to <own> because the executing
 *              user does NOT have permission, the error is ignored and this
 *              routine will return a successful indication.
 *
 *              Only the -low order- 9 bits of <mode> are expected to be used.
 *
 *              All file descriptors opened by the processing contained in
 *              this routine are closed -before- control is returned.
 *
 *              If an error occurs and the file was NOT created, this routine
 *              attempts to put the file back to the way it existed upon entry
 *              to this routine.
 *
 *              If an error occurs and the file was created by this routine,
 *              it is removed -before- control is returned to the caller.
 *
 * RETURNS
 *      0       - If the file exists as requested.
 *      1       - If <own> is NOT a valid user name.
 *      2       - If <grp> is NOT a valid group name.
 *      3       - If <mode> has more than the -low order- 9 bits set.
 *      4       - If the file did not exist and could NOT be created.
 *      5       - If the stat() system call failed.
 *      6       - If the file's mode could NOT be set as requested.
 *      7       - If the file's group could NOT be set as requested.
 *      8       - If the file's owner could NOT be set as requested.
 *      9       - If <file> exists -and- is NOT a regular file.
 *     10       - If we cannot get the mac_t structure for dbadmin.
 *     11       - If the file's MAC label could NOT be set as requested.
 *
 *****************************************************************************/
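check_file_retval
check_file( char *file, char *own, char *grp, mode_t mode )
{
        uid_t   uid;
        gid_t   gid;

#ifdef HAVE_MAC_H
        mac_t   mac_label;
#endif  /* HAVE_MAC_H */
        int     we_created_it = 0;
        check_file_retval  rc = CHK_SUCCESS;
        int     fd;

        struct stat     stbuf;

        /* Only the permission bits may be requested (see NOTES above). */
        if ( ( mode & ~0777 ) != 0 )
                return( CHK_BAD_MODE );

        /*
         * uid_t/gid_t are unsigned on most systems, so "uid < 0" could never
         * be true and a bad user/group name fell straight through to chown()
         * with a garbage id.  Compare against the (uid_t)-1 / (gid_t)-1
         * sentinel instead; that is what a returned -1 becomes after the
         * implicit conversion.
         * NOTE(review): assumes name_to_uid()/name_to_gid() report failure
         * as -1 -- confirm against their definitions.
         */
        uid = name_to_uid( own );
        if ( uid == (uid_t) -1 )
                return( CHK_BAD_OWNER );

        gid = name_to_gid( grp );
        if ( gid == (gid_t) -1 )
                return( CHK_BAD_GROUP );

        if ( stat( file, &stbuf ) < 0 )
        {
                /*
                 * creat() is O_WRONLY|O_CREAT|O_TRUNC and follows symlinks.
                 * O_EXCL closes the window between the failed stat() and the
                 * create: if something (e.g. a symlink planted in a shared
                 * directory) appears at <file> in between, open() fails with
                 * EEXIST instead of truncating and re-owning its target.
                 */
                fd = open( file, O_WRONLY | O_CREAT | O_EXCL, mode );
                if ( fd < 0 )
                        return( CHK_NOT_CREATED );

                (void) close( fd );
                we_created_it = 1;

                /* Re-stat so the checks below see the umask-adjusted mode. */
                if ( stat( file, &stbuf ) < 0 )
                        rc = CHK_STAT_FAILED;
        }

        /*
         * S_ISREG() tests the whole file-type field.  "st_mode & S_IFREG"
         * tested a single bit of it, which is also set for sockets, so a
         * socket at <file> was accepted as a regular file.
         */
        if ( rc == CHK_SUCCESS && ! S_ISREG( stbuf.st_mode ) )
                rc = CHK_FILE_NOT_REGULAR;

        /*
         * NOTE(review): the chown()/chmod() calls below act on the path, not
         * on an open descriptor, so the object they touch can still differ
         * from the one stat()'d above if <file> lives in a directory others
         * can write to.  Switching to f{chown,chmod} on an O_NOFOLLOW fd
         * would close that; not done here to keep the existing error codes.
         *
         * Group is changed first and owner last, presumably because once
         * ownership is given away we may no longer be allowed to chgrp/chmod.
         */
        if ( rc == CHK_SUCCESS && stbuf.st_gid != gid )
        {
                if ( chown( file, stbuf.st_uid, gid ) < 0 )
                        rc = CHK_CANNOT_SET_GROUP;
        }

        if ( rc == CHK_SUCCESS && ( stbuf.st_mode & 0777 ) != mode )
        {
                if ( chmod( file, mode ) < 0 )
                        rc = CHK_CANNOT_SET_MODE;
        }

        /* EPERM is deliberately tolerated here -- see NOTES in the header. */
        if ( rc == CHK_SUCCESS && stbuf.st_uid != uid )
        {
                if ( chown( file, uid, gid ) < 0 )
                {
                        if ( errno != EPERM )
                                rc = CHK_CANNOT_SET_OWNER;
                }
        }

#ifdef HAVE_MAC_H
        if ( rc == CHK_SUCCESS && sysconf(_SC_MAC) )
        {
                /*
                 *      Set the MAC label of the accounting file to dbadmin.
                 */
                if (( mac_label = mac_from_text( "dbadmin" ) ) == NULL)
                        rc = CHK_CANNOT_GET_MAC;
                else if ( mac_set_file( file, mac_label ) < 0 )
                        rc = CHK_CANNOT_SET_MAC;
                /* Only release what mac_from_text() actually handed back. */
                if ( mac_label != NULL )
                        mac_free( mac_label );
        }
#endif  /* HAVE_MAC_H */

        /* Roll back: remove what we created, or restore what we changed. */
        if ( rc != CHK_SUCCESS )
        {
                if ( we_created_it == 1 )
                        (void) unlink( file );
                else
                {
                        (void) chown( file, stbuf.st_uid, stbuf.st_gid );
                        (void) chmod( file, ( stbuf.st_mode & 0777 ) );
                }
        }

        return( rc );
}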