int setfilecon_raw(const char *path, security_context_t context) { mac_t mac; char tmp[strlen(context) + strlen("sebsd/0")]; int r; if (mac_prepare(&mac, "sebsd")) return -1; strcpy(tmp, "sebsd/"); strcat(tmp, context); if (mac_from_text(&mac, tmp)) { mac_free(mac); return -1; } r = mac_set_file(path, mac); mac_free(mac); return r; }
/***************************************************************************** * * NAME * check_file - Make sure the specified file exists as specified. * * SYNOPSIS * check_file_retval = check_file( file, own, grp, mode ); * * file r The name of the file to be verified, changed * or created. * own r The file's owner. * grp r The file's group. * mode r The file's mode. * * DESCRIPTION * This routine determines whether <file> exists -and- is a regular file. * If the file doesn't exist, this routine will create it. * * In either case, the file's owner will be set to <own>, group will be * set to <grp>, mode will be set to <mode>, and MAC label will be set * to dbadmin (for Trusted IRIX only). * * NOTES: If the owner cannot be changed to <own> because the executing * user does NOT have permission, the error is ignored and this * routine will return a successful indication. * * Only the -low order- 9 bits of <mode> are expected to be used. * * All file descriptors opened by the processing contained in * this routine are closed -before- control is returned. * * If an error occurs and the file was NOT created, this routine * attempts to put the file back to the way it existed upon entry * to this routine. * * If an error occurs and the file was created by this routine, * it is removed -before- control is returned to the caller. * * RETURNS * 0 - If the file exists as requested. * 1 - If <own> is NOT a valid user name. * 2 - If <grp> is NOT a valid group name. * 3 - If <mode> has more than the -low order- 9 bits set. * 4 - If the file could NOT be creat()'d. * 5 - If the stat() system call failed. * 6 - If the file's mode could NOT be set as requested. * 7 - If the file's group could NOT be set as requested. * 8 - If the file's owner could NOT be set as requested. * 9 - If <file> exists -and- is NOT a regular file. * 10 - If we cannot get the mac_t structure for dbadmin. * 11 - If the file's MAC label could NOT be set as requested. * *****************************************************************************/ check_file_retval check_file( char *file, char *own, char *grp, mode_t mode ) { uid_t uid; gid_t gid; #ifdef HAVE_MAC_H mac_t mac_label; #endif /* HAVE_MAC_H */ int we_created_it = 0; check_file_retval rc = CHK_SUCCESS; int fd; struct stat stbuf; if ( ( mode & ~0777 ) != 0 ) return( CHK_BAD_MODE ); uid = name_to_uid( own ); if ( uid < 0 ) return( CHK_BAD_OWNER ); gid = name_to_gid( grp ); if ( gid < 0 ) return( CHK_BAD_GROUP ); if ( stat( file, &stbuf ) < 0 ) { if ( ( fd = creat( file, mode ) ) < 0 ) return( CHK_NOT_CREATED ); (void) close( fd ); we_created_it = 1; if ( stat( file, &stbuf ) < 0 ) rc = CHK_STAT_FAILED; } if ( rc == CHK_SUCCESS && ! ( stbuf.st_mode & S_IFREG ) ) rc = CHK_FILE_NOT_REGULAR; if ( rc == CHK_SUCCESS && stbuf.st_gid != gid ) { if ( chown( file, stbuf.st_uid, gid ) < 0 ) rc = CHK_CANNOT_SET_GROUP; } if ( rc == CHK_SUCCESS && ( stbuf.st_mode & 0777 ) != mode ) { if ( chmod( file, mode ) < 0 ) rc = CHK_CANNOT_SET_MODE; } if ( rc == CHK_SUCCESS && stbuf.st_uid != uid ) { if ( chown( file, uid, gid ) < 0 ) { if ( errno != EPERM ) rc = CHK_CANNOT_SET_OWNER; } } #ifdef HAVE_MAC_H if ( rc == CHK_SUCCESS && sysconf(_SC_MAC) ) { /* * Set the MAC label of the accounting file to dbadmin. */ if (( mac_label = mac_from_text( "dbadmin" ) ) == NULL) rc = CHK_CANNOT_GET_MAC; else if ( mac_set_file( file, mac_label ) < 0 ) rc = CHK_CANNOT_SET_MAC; mac_free( mac_label ); } #endif /* HAVE_MAC_H */ if ( rc != CHK_SUCCESS ) { if ( we_created_it == 1 ) (void) unlink( file ); else { (void) chown( file, stbuf.st_uid, stbuf.st_gid ); (void) chmod( file, ( stbuf.st_mode & 0777 ) ); } } return( rc ); }