static int semanage_direct_begintrans(semanage_handle_t *sh) { if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) { return -1; } if (semanage_get_trans_lock(sh) < 0) { return -1; } if ((semanage_make_sandbox(sh)) < 0) { return -1; } return 0; }
static int sss_semanage_init(semanage_handle_t **_handle) { int ret; semanage_handle_t *handle = NULL; handle = semanage_handle_create(); if (!handle) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); ret = EIO; goto done; } semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL); ret = sss_is_selinux_managed(handle); if (ret != EOK) { goto done; } ret = semanage_access_check(handle); if (ret < SEMANAGE_CAN_READ) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); ret = EACCES; goto done; } ret = semanage_connect(handle); if (ret != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot estabilish SELinux management connection\n"); ret = EIO; goto done; } ret = EOK; done: if (ret != EOK) { sss_semanage_close(handle); } else { *_handle = handle; } return ret; }
int semanage_direct_is_managed(semanage_handle_t *sh) { char polpath[PATH_MAX]; snprintf(polpath, PATH_MAX, "%s%s", selinux_path(), sh->conf->store_path); if (semanage_check_init(polpath)) goto err; if (semanage_access_check(sh) < 0) return 0; return 1; err: ERR(sh, "could not check whether policy is managed"); return STATUS_ERR; }
static semanage_handle_t *semanage_init (void) { int ret; semanage_handle_t *handle = NULL; handle = semanage_handle_create (); if (NULL == handle) { fprintf (stderr, _("Cannot create SELinux management handle\n")); return NULL; } semanage_msg_set_callback (handle, semanage_error_callback, NULL); ret = semanage_is_managed (handle); if (ret != 1) { fprintf (stderr, _("SELinux policy not managed\n")); goto fail; } ret = semanage_access_check (handle); if (ret < SEMANAGE_CAN_READ) { fprintf (stderr, _("Cannot read SELinux policy store\n")); goto fail; } ret = semanage_connect (handle); if (ret != 0) { fprintf (stderr, _("Cannot establish SELinux management connection\n")); goto fail; } ret = semanage_begin_transaction (handle); if (ret != 0) { fprintf (stderr, _("Cannot begin SELinux transaction\n")); goto fail; } return handle; fail: semanage_handle_destroy (handle); return NULL; }
static semanage_handle_t *sss_semanage_init(void) { int ret; semanage_handle_t *handle = NULL; handle = semanage_handle_create(); if (!handle) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); return NULL; } semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL); ret = semanage_is_managed(handle); if (ret != 1) { DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); goto fail; } ret = semanage_access_check(handle); if (ret < SEMANAGE_CAN_READ) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); goto fail; } ret = semanage_connect(handle); if (ret != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot estabilish SELinux management connection\n"); goto fail; } return handle; fail: sss_semanage_close(handle); return NULL; }
int main(int argc, char *argv[]) { int i, commit = 0; int result; int status = EXIT_FAILURE; char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" }; create_signal_handlers(); if (strcmp(basename(argv[0]), "genhomedircon") == 0) { argc = 3; argv=genhomedirconargv; } parse_command_line(argc, argv); if (build) commit = 1; sh = semanage_handle_create(); if (!sh) { fprintf(stderr, "%s: Could not create semanage handle\n", argv[0]); goto cleanup_nohandle; } if (store) { /* Set the store we want to connect to, before connecting. * this will always set a direct connection now, an additional * option will need to be used later to specify a policy server * location */ semanage_select_store(sh, store, SEMANAGE_CON_DIRECT); } /* if installing base module create store if necessary, for bootstrapping */ semanage_set_create_store(sh, create_store); if (!create_store) { if (!semanage_is_managed(sh)) { fprintf(stderr, "%s: SELinux policy is not managed or store cannot be accessed.\n", argv[0]); goto cleanup; } if (semanage_access_check(sh) < SEMANAGE_CAN_READ) { fprintf(stderr, "%s: Cannot read policy store.\n", argv[0]); goto cleanup; } } if ((result = semanage_connect(sh)) < 0) { fprintf(stderr, "%s: Could not connect to policy handler\n", argv[0]); goto cleanup; } if (reload) { if ((result = semanage_reload_policy(sh)) < 0) { fprintf(stderr, "%s: Could not reload policy\n", argv[0]); goto cleanup; } } if (build) { if ((result = semanage_begin_transaction(sh)) < 0) { fprintf(stderr, "%s: Could not begin transaction: %s\n", argv[0], errno ? strerror(errno) : ""); goto cleanup; } } for (i = 0; i < num_commands; i++) { enum client_modes mode = commands[i].mode; char *mode_arg = commands[i].arg; switch (mode) { case INSTALL_M:{ if (verbose) { printf ("Attempting to install module '%s':\n", mode_arg); } result = semanage_module_install_file(sh, mode_arg); break; } case UPGRADE_M:{ if (verbose) { printf ("Attempting to upgrade module '%s':\n", mode_arg); } result = semanage_module_upgrade_file(sh, mode_arg); break; } case BASE_M:{ if (verbose) { printf ("Attempting to install base module '%s':\n", mode_arg); } result = semanage_module_install_base_file(sh, mode_arg); break; } case ENABLE_M:{ if (verbose) { printf ("Attempting to enable module '%s':\n", mode_arg); } result = semanage_module_enable(sh, mode_arg); if ( result == -2 ) { continue; } break; } case DISABLE_M:{ if (verbose) { printf ("Attempting to disable module '%s':\n", mode_arg); } result = semanage_module_disable(sh, mode_arg); if ( result == -2 ) { continue; } break; } case REMOVE_M:{ if (verbose) { printf ("Attempting to remove module '%s':\n", mode_arg); } result = semanage_module_remove(sh, mode_arg); if ( result == -2 ) { continue; } break; } case LIST_M:{ semanage_module_info_t *modinfo; int num_modules; if (verbose) { printf ("Attempting to list active modules:\n"); } if ((result = semanage_module_list(sh, &modinfo, &num_modules)) >= 0) { int j; if (num_modules == 0) { printf("No modules.\n"); } for (j = 0; j < num_modules; j++) { semanage_module_info_t *m = semanage_module_list_nth (modinfo, j); printf("%s\t%s\t%s\n", semanage_module_get_name (m), semanage_module_get_version (m), (semanage_module_get_enabled(m) ? "" : "Disabled")); semanage_module_info_datum_destroy (m); } free(modinfo); } break; } default:{ fprintf(stderr, "%s: Unknown mode specified.\n", argv[0]); usage(argv[0]); goto cleanup; } } commit += do_commit[mode]; if (result < 0) { fprintf(stderr, "%s: Failed on %s!\n", argv[0], mode_arg ? : "list"); goto cleanup; } else if (verbose) {
/* Check that the module store exists, creating it if necessary. */ int semanage_direct_connect(semanage_handle_t *sh) { char polpath[PATH_MAX]; snprintf(polpath, PATH_MAX, "%s%s", selinux_path(), sh->conf->store_path); if (semanage_check_init(polpath)) goto err; if (sh->create_store) if (semanage_create_store(sh, 1)) goto err; if (semanage_access_check(sh) < SEMANAGE_CAN_READ) goto err; sh->u.direct.translock_file_fd = -1; sh->u.direct.activelock_file_fd = -1; /* set up function pointers */ sh->funcs = &direct_funcs; /* Object databases: local modifications */ if (user_base_file_dbase_init(sh, semanage_fname(SEMANAGE_USERS_BASE_LOCAL), semanage_user_base_dbase_local(sh)) < 0) goto err; if (user_extra_file_dbase_init(sh, semanage_fname(SEMANAGE_USERS_EXTRA_LOCAL), semanage_user_extra_dbase_local(sh)) < 0) goto err; if (user_join_dbase_init(sh, semanage_user_base_dbase_local(sh), semanage_user_extra_dbase_local(sh), semanage_user_dbase_local(sh)) < 0) goto err; if (port_file_dbase_init(sh, semanage_fname(SEMANAGE_PORTS_LOCAL), semanage_port_dbase_local(sh)) < 0) goto err; if (iface_file_dbase_init(sh, semanage_fname(SEMANAGE_INTERFACES_LOCAL), semanage_iface_dbase_local(sh)) < 0) goto err; if (bool_file_dbase_init(sh, semanage_fname(SEMANAGE_BOOLEANS_LOCAL), semanage_bool_dbase_local(sh)) < 0) goto err; if (fcontext_file_dbase_init(sh, semanage_fname(SEMANAGE_FC_LOCAL), semanage_fcontext_dbase_local(sh)) < 0) goto err; if (seuser_file_dbase_init(sh, semanage_fname(SEMANAGE_SEUSERS_LOCAL), semanage_seuser_dbase_local(sh)) < 0) goto err; if (node_file_dbase_init(sh, semanage_fname(SEMANAGE_NODES_LOCAL), semanage_node_dbase_local(sh)) < 0) goto err; /* Object databases: local modifications + policy */ if (user_base_policydb_dbase_init(sh, semanage_user_base_dbase_policy(sh)) < 0) goto err; if (user_extra_file_dbase_init(sh, semanage_fname(SEMANAGE_USERS_EXTRA), semanage_user_extra_dbase_policy(sh)) < 0) goto err; if (user_join_dbase_init(sh, semanage_user_base_dbase_policy(sh), semanage_user_extra_dbase_policy(sh), semanage_user_dbase_policy(sh)) < 0) goto err; if (port_policydb_dbase_init(sh, semanage_port_dbase_policy(sh)) < 0) goto err; if (iface_policydb_dbase_init(sh, semanage_iface_dbase_policy(sh)) < 0) goto err; if (bool_policydb_dbase_init(sh, semanage_bool_dbase_policy(sh)) < 0) goto err; if (fcontext_file_dbase_init(sh, semanage_fname(SEMANAGE_FC), semanage_fcontext_dbase_policy(sh)) < 0) goto err; if (seuser_file_dbase_init(sh, semanage_fname(SEMANAGE_SEUSERS), semanage_seuser_dbase_policy(sh)) < 0) goto err; if (node_policydb_dbase_init(sh, semanage_node_dbase_policy(sh)) < 0) goto err; /* Active kernel policy */ if (bool_activedb_dbase_init(sh, semanage_bool_dbase_active(sh)) < 0) goto err; return STATUS_SUCCESS; err: ERR(sh, "could not establish direct connection"); sepol_handle_destroy(sh->sepolh); return STATUS_ERR; }