int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level)
{
int ret;
semanage_handle_t *handle;
handle = semanage_handle_create();
if (handle == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
return EIO;
}
semanage_msg_set_callback(handle,
sss_semanage_error_callback,
NULL);
/* We only needed the handle for this call. Close the handle right
* after it */
ret = sss_is_selinux_managed(handle);
sss_semanage_close(handle);
if (ret != EOK) {
return ret;
}
return getseuserbyname(linuxuser, selinuxuser, level);
}
static rpmRC sepolGo(void)
{
semanage_handle_t *sh;
int existingPolicy;
char *policytype = NULL;
rpmRC rc = RPMRC_FAIL;
static int performed = 0;
if (performed) {
return RPMRC_OK;
}
performed = 1;
if (rpmChrootIn()) {
goto exit;
}
if (selinux_getpolicytype(&policytype) < 0) {
goto exit;
}
sepolPreparePolicies(policiesHead, policytype);
/* determine if this is the first time installing policy */
sh = semanage_handle_create();
existingPolicy = (semanage_is_managed(sh) == 1);
semanage_handle_destroy(sh);
/* now load the policies */
rc = sepolLoadPolicies(policiesHead);
/* re-init selinux and re-read the files contexts, since things may have changed */
selinux_reset_config();
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
if (rpmtsSELabelInit(ts, selinux_file_context_path()) == RPMRC_OK) {
/* if this was the first time installing policy, every package before
* policy was installed will be mislabeled (e.g. semodule). So, relabel
* the entire filesystem if this is the case */
if (!existingPolicy) {
if (sepolRelabelFiles() != RPMRC_OK) {
rpmlog(RPMLOG_WARNING, _("Failed to relabel filesystem. Files may be mislabeled\n"));
}
}
} else {
rpmlog(RPMLOG_WARNING, _("Failed to reload file contexts. Files may be mislabeled\n"));
}
}
exit:
if (rpmChrootOut()) {
rc = RPMRC_FAIL;
}
_free(policytype);
return rc;
}
static int sss_semanage_init(semanage_handle_t **_handle)
{
int ret;
semanage_handle_t *handle = NULL;
handle = semanage_handle_create();
if (!handle) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
ret = EIO;
goto done;
}
semanage_msg_set_callback(handle,
sss_semanage_error_callback,
NULL);
ret = sss_is_selinux_managed(handle);
if (ret != EOK) {
goto done;
}
ret = semanage_access_check(handle);
if (ret < SEMANAGE_CAN_READ) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
ret = EACCES;
goto done;
}
ret = semanage_connect(handle);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot estabilish SELinux management connection\n");
ret = EIO;
goto done;
}
ret = EOK;
done:
if (ret != EOK) {
sss_semanage_close(handle);
} else {
*_handle = handle;
}
return ret;
}
static semanage_handle_t *semanage_init (void)
{
int ret;
semanage_handle_t *handle = NULL;
handle = semanage_handle_create ();
if (NULL == handle) {
fprintf (stderr,
_("Cannot create SELinux management handle\n"));
return NULL;
}
semanage_msg_set_callback (handle, semanage_error_callback, NULL);
ret = semanage_is_managed (handle);
if (ret != 1) {
fprintf (stderr, _("SELinux policy not managed\n"));
goto fail;
}
ret = semanage_access_check (handle);
if (ret < SEMANAGE_CAN_READ) {
fprintf (stderr, _("Cannot read SELinux policy store\n"));
goto fail;
}
ret = semanage_connect (handle);
if (ret != 0) {
fprintf (stderr,
_("Cannot establish SELinux management connection\n"));
goto fail;
}
ret = semanage_begin_transaction (handle);
if (ret != 0) {
fprintf (stderr, _("Cannot begin SELinux transaction\n"));
goto fail;
}
return handle;
fail:
semanage_handle_destroy (handle);
return NULL;
}
static sepoltrans *sepoltransNew(void)
{
sepoltrans *pt = xcalloc(1, sizeof(*pt));
pt->semodulepath = rpmExpand("%{__semodule}", NULL);
pt->execsemodule = (!rpmChrootDone() && access(pt->semodulepath, X_OK) == 0);
pt->changes = 0;
if (pt->execsemodule) {
argvAdd(&pt->semodargs, "semodule");
} else {
pt->sh = semanage_handle_create();
if (!pt->sh) {
rpmlog(RPMLOG_ERR, _("Failed to create semanage handle\n"));
goto err;
}
semanage_set_create_store(pt->sh, 1);
semanage_set_check_contexts(pt->sh, 0);
if (semanage_connect(pt->sh) < 0) {
rpmlog(RPMLOG_ERR, _("Failed to connect to policy handler\n"));
goto err;
}
if (semanage_begin_transaction(pt->sh) < 0) {
rpmlog(RPMLOG_ERR, _("Failed to begin policy transaction: %s\n"),
errno ? strerror(errno) : "");
goto err;
}
semanage_set_reload(pt->sh, !rpmChrootDone());
}
return pt;
err:
if (pt->sh) {
if (semanage_is_connected(pt->sh)) {
semanage_disconnect(pt->sh);
}
semanage_handle_destroy(pt->sh);
}
free(pt);
return NULL;
}
static semanage_handle_t *sss_semanage_init(void)
{
int ret;
semanage_handle_t *handle = NULL;
handle = semanage_handle_create();
if (!handle) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
return NULL;
}
semanage_msg_set_callback(handle,
sss_semanage_error_callback,
NULL);
ret = semanage_is_managed(handle);
if (ret != 1) {
DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
goto fail;
}
ret = semanage_access_check(handle);
if (ret < SEMANAGE_CAN_READ) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
goto fail;
}
ret = semanage_connect(handle);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot estabilish SELinux management connection\n");
goto fail;
}
return handle;
fail:
sss_semanage_close(handle);
return NULL;
}
/* The suite initialization function.
* Returns zero on success, non-zero otherwise.
*/
int semanage_store_test_init(void)
{
int err;
/* create directories */
err = mkdir(polpath, S_IRUSR | S_IWUSR | S_IXUSR);
if (err != 0)
return -1;
err = mkdir(lockpath, S_IRUSR | S_IWUSR | S_IXUSR);
if (err != 0)
return -1;
err = mkdir(actpath, S_IRUSR | S_IWUSR | S_IXUSR);
if (err != 0)
return -1;
err = mkdir(modpath, S_IRUSR | S_IWUSR | S_IXUSR);
if (err != 0)
return -1;
/* initialize the handle */
sh = semanage_handle_create();
if (sh == NULL)
return -1;
/* hide error messages */
sh->msg_callback = test_msg_handler;
/* initialize paths */
err = semanage_check_init(polpath);
if (err != 0)
return -1;
return 0;
}
int main(int argc, char *argv[])
{
int i, commit = 0;
int result;
int status = EXIT_FAILURE;
char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
create_signal_handlers();
if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
argc = 3;
argv=genhomedirconargv;
}
parse_command_line(argc, argv);
if (build)
commit = 1;
sh = semanage_handle_create();
if (!sh) {
fprintf(stderr, "%s: Could not create semanage handle\n",
argv[0]);
goto cleanup_nohandle;
}
if (store) {
/* Set the store we want to connect to, before connecting.
* this will always set a direct connection now, an additional
* option will need to be used later to specify a policy server
* location */
semanage_select_store(sh, store, SEMANAGE_CON_DIRECT);
}
/* if installing base module create store if necessary, for bootstrapping */
semanage_set_create_store(sh, create_store);
if (!create_store) {
if (!semanage_is_managed(sh)) {
fprintf(stderr,
"%s: SELinux policy is not managed or store cannot be accessed.\n",
argv[0]);
goto cleanup;
}
if (semanage_access_check(sh) < SEMANAGE_CAN_READ) {
fprintf(stderr, "%s: Cannot read policy store.\n",
argv[0]);
goto cleanup;
}
}
if ((result = semanage_connect(sh)) < 0) {
fprintf(stderr, "%s: Could not connect to policy handler\n",
argv[0]);
goto cleanup;
}
if (reload) {
if ((result = semanage_reload_policy(sh)) < 0) {
fprintf(stderr, "%s: Could not reload policy\n",
argv[0]);
goto cleanup;
}
}
if (build) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
argv[0], errno ? strerror(errno) : "");
goto cleanup;
}
}
for (i = 0; i < num_commands; i++) {
enum client_modes mode = commands[i].mode;
char *mode_arg = commands[i].arg;
switch (mode) {
case INSTALL_M:{
if (verbose) {
printf
("Attempting to install module '%s':\n",
mode_arg);
}
result =
semanage_module_install_file(sh, mode_arg);
break;
}
case UPGRADE_M:{
if (verbose) {
printf
("Attempting to upgrade module '%s':\n",
mode_arg);
}
result =
semanage_module_upgrade_file(sh, mode_arg);
break;
}
case BASE_M:{
if (verbose) {
printf
("Attempting to install base module '%s':\n",
mode_arg);
}
result =
semanage_module_install_base_file(sh, mode_arg);
break;
}
case ENABLE_M:{
if (verbose) {
printf
("Attempting to enable module '%s':\n",
mode_arg);
}
result = semanage_module_enable(sh, mode_arg);
if ( result == -2 ) {
continue;
}
break;
}
case DISABLE_M:{
if (verbose) {
printf
("Attempting to disable module '%s':\n",
mode_arg);
}
result = semanage_module_disable(sh, mode_arg);
if ( result == -2 ) {
continue;
}
break;
}
case REMOVE_M:{
if (verbose) {
printf
("Attempting to remove module '%s':\n",
mode_arg);
}
result = semanage_module_remove(sh, mode_arg);
if ( result == -2 ) {
continue;
}
break;
}
case LIST_M:{
semanage_module_info_t *modinfo;
int num_modules;
if (verbose) {
printf
("Attempting to list active modules:\n");
}
if ((result =
semanage_module_list(sh, &modinfo,
&num_modules)) >= 0) {
int j;
if (num_modules == 0) {
printf("No modules.\n");
}
for (j = 0; j < num_modules; j++) {
semanage_module_info_t *m =
semanage_module_list_nth
(modinfo, j);
printf("%s\t%s\t%s\n",
semanage_module_get_name
(m),
semanage_module_get_version
(m),
(semanage_module_get_enabled(m) ? "" : "Disabled"));
semanage_module_info_datum_destroy
(m);
}
free(modinfo);
}
break;
}
default:{
fprintf(stderr,
"%s: Unknown mode specified.\n",
argv[0]);
usage(argv[0]);
goto cleanup;
}
}
commit += do_commit[mode];
if (result < 0) {
fprintf(stderr, "%s: Failed on %s!\n", argv[0],
mode_arg ? : "list");
goto cleanup;
} else if (verbose) {
/* Apply permanent boolean changes to policy via libsemanage */
static int semanage_set_boolean_list(size_t boolcnt,
SELboolean * boollist)
{
size_t j;
semanage_handle_t *handle = NULL;
semanage_bool_t *boolean = NULL;
semanage_bool_key_t *bool_key = NULL;
int managed;
handle = semanage_handle_create();
if (handle == NULL) {
fprintf(stderr, "Could not create semanage library handle\n");
goto err;
}
managed = semanage_is_managed(handle);
if (managed < 0) {
fprintf(stderr,
"Error when checking whether policy is managed\n");
goto err;
} else if (managed == 0) {
if (getuid() == 0) {
fprintf(stderr,
"Cannot set persistent booleans without managed policy.\n");
} else {
fprintf(stderr,
"Cannot set persistent booleans, please try as root.\n");
}
goto err;
}
if (semanage_connect(handle) < 0)
goto err;
if (semanage_begin_transaction(handle) < 0)
goto err;
for (j = 0; j < boolcnt; j++) {
if (semanage_bool_create(handle, &boolean) < 0)
goto err;
if (semanage_bool_set_name(handle, boolean, boollist[j].name) <
0)
goto err;
semanage_bool_set_value(boolean, boollist[j].value);
if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
goto err;
if (semanage_bool_modify_local(handle, bool_key,
boolean) < 0)
goto err;
if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Could not change boolean %s\n",
boollist[j].name);
goto err;
}
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
bool_key = NULL;
boolean = NULL;
}
semanage_set_reload(handle, reload);
if (semanage_commit(handle) < 0)
goto err;
semanage_disconnect(handle);
semanage_handle_destroy(handle);
return 0;
err:
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
semanage_handle_destroy(handle);
fprintf(stderr, "Could not change policy booleans\n");
return -1;
}