Example #1
0
/* Report whether a libsemanage login mapping exists for @linuxuser.
 *
 * A management handle is obtained from sss_semanage_init(), a seuser key
 * is built for the login name and libsemanage is asked whether a matching
 * record exists. Both the key and the handle are released before the
 * answer is examined, so no resource outlives this call.
 *
 * Returns EOK when the mapping exists, ERR_SELINUX_USER_NOT_FOUND when it
 * does not, the error from sss_semanage_init() when the handle cannot be
 * set up, and EIO when key creation or the lookup itself fails.
 */
int sss_seuser_exists(const char *linuxuser)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int found = 0;
    int rc;

    rc = sss_semanage_init(&handle);
    if (rc != EOK) {
        return rc;
    }

    if (semanage_seuser_key_create(handle, linuxuser, &key) < 0) {
        sss_semanage_close(handle);
        return EIO;
    }

    rc = semanage_seuser_exists(handle, key, &found);

    /* Nothing below needs the key or the handle any more. */
    semanage_seuser_key_free(key);
    sss_semanage_close(handle);

    if (rc < 0) {
        return EIO;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", found ? "yes" : "no");

    if (found) {
        return EOK;
    }
    return ERR_SELINUX_USER_NOT_FOUND;
}
Example #2
0
/* Resolve the SELinux user and MLS level mapped to @linuxuser.
 *
 * A libsemanage handle is created solely to ask sss_is_selinux_managed()
 * whether the policy store is managed; it is closed again right away.
 * The actual lookup is delegated to getseuserbyname(), which fills in
 * @selinuxuser and @level.
 *
 * Returns EIO when the handle cannot be created, the error code from
 * sss_is_selinux_managed() when that probe fails, and otherwise whatever
 * getseuserbyname() returns.
 */
int sss_get_seuser(const char *linuxuser,
                   char **selinuxuser,
                   char **level)
{
    semanage_handle_t *sm_handle = semanage_handle_create();
    int managed;

    if (sm_handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        return EIO;
    }

    semanage_msg_set_callback(sm_handle, sss_semanage_error_callback, NULL);

    /* The handle exists only for this one probe; release it before
     * acting on the answer so no path can leak it. */
    managed = sss_is_selinux_managed(sm_handle);
    sss_semanage_close(sm_handle);
    if (managed != EOK) {
        return managed;
    }

    return getseuserbyname(linuxuser, selinuxuser, level);
}
Example #3
0
/* Create and connect a libsemanage handle, handing it back via @_handle.
 *
 * The initialisation proceeds in fixed order and any failing step aborts
 * the whole thing:
 *   - semanage_handle_create(), then sss_semanage_error_callback() is
 *     installed as the message callback;
 *   - sss_is_selinux_managed(), whose error code is returned unchanged;
 *   - semanage_access_check(), which must grant at least
 *     SEMANAGE_CAN_READ, otherwise EACCES;
 *   - semanage_connect(), otherwise EIO.
 *
 * On success *_handle receives the connected handle and EOK is returned.
 * On failure the handle (possibly still NULL) is passed to
 * sss_semanage_close() and *_handle is left untouched.
 */
static int sss_semanage_init(semanage_handle_t **_handle)
{
    semanage_handle_t *handle = semanage_handle_create();
    int ret = EIO;

    if (handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        goto done;
    }

    semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL);

    ret = sss_is_selinux_managed(handle);
    if (ret != EOK) {
        goto done;
    }

    if (semanage_access_check(handle) < SEMANAGE_CAN_READ) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
        ret = EACCES;
        goto done;
    }

    if (semanage_connect(handle) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Cannot estabilish SELinux management connection\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    if (ret == EOK) {
        *_handle = handle;
    } else {
        /* handle may still be NULL here (create failure); the close
         * helper is called regardless, as elsewhere in this file. */
        sss_semanage_close(handle);
    }

    return ret;
}
Example #4
0
/* Create and connect a libsemanage handle.
 *
 * Each step below must succeed for the handle to be returned:
 *   - semanage_handle_create(), followed by installing
 *     sss_semanage_error_callback() as the message callback;
 *   - semanage_is_managed() must report exactly 1 — every other value
 *     is treated as "policy not managed";
 *   - semanage_access_check() must grant at least SEMANAGE_CAN_READ;
 *   - semanage_connect() must return 0.
 *
 * Returns the connected handle, or NULL after logging the failing step.
 * A handle that was created but failed a later step is released with
 * sss_semanage_close() before NULL is returned.
 */
static semanage_handle_t *sss_semanage_init(void)
{
    semanage_handle_t *sh = semanage_handle_create();

    if (sh == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        return NULL;
    }

    semanage_msg_set_callback(sh, sss_semanage_error_callback, NULL);

    if (semanage_is_managed(sh) != 1) {
        DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
        sss_semanage_close(sh);
        return NULL;
    }

    if (semanage_access_check(sh) < SEMANAGE_CAN_READ) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
        sss_semanage_close(sh);
        return NULL;
    }

    if (semanage_connect(sh) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Cannot estabilish SELinux management connection\n");
        sss_semanage_close(sh);
        return NULL;
    }

    return sh;
}
Example #5
0
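/* Look up the SELinux login mapping for @login_name in the libsemanage
 * store and copy its SELinux user and MLS range into strings allocated
 * on @mem_ctx.
 *
 * @mem_ctx     talloc context that owns the returned strings.
 * @login_name  Linux login name to look up.
 * @_seuser     Receives the SELinux user name when the record has one.
 * @_mls_range  Receives the MLS range when the record has one.
 *
 * Each output is written only if the corresponding field is present in
 * the record; a missing field is logged and that output is left
 * untouched, so callers should initialise both pointers beforehand.
 * A string copied into @_seuser before a later failure stays attached
 * to @mem_ctx and is released with it.
 *
 * Returns EOK on success, EIO if the libsemanage handle, key or query
 * fails, ENOENT if the query succeeded without producing a record, and
 * ENOMEM if a string copy fails.
 */
int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
               char **_seuser, char **_mls_range)
{
    errno_t ret;
    const char *seuser;
    const char *mls_range;
    semanage_handle_t *sm_handle = NULL;
    semanage_seuser_t *sm_user = NULL;
    semanage_seuser_key_t *sm_key = NULL;

    sm_handle = sss_semanage_init();
    if (sm_handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    /* A non-negative return is not proof that a record came back; the
     * accessors below dereference sm_user, so a NULL record is reported
     * as "not found" instead of being dereferenced. Whether libsemanage
     * can actually return 0 with no record is not visible from here. */
    if (sm_user == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "No SELinux login mapping record for %s\n", login_name);
        ret = ENOENT;
        goto done;
    }

    seuser = semanage_seuser_get_sename(sm_user);
    if (seuser != NULL) {
        *_seuser = talloc_strdup(mem_ctx, seuser);
        if (*_seuser == NULL) {
            ret = ENOMEM;
            goto done;
        }
        /* NOTE(review): this is a success-path trace but is logged at
         * SSSDBG_OP_FAILURE; sss_seuser_exists() uses SSSDBG_TRACE_FUNC
         * for the equivalent message — confirm the intended level. */
        DEBUG(SSSDBG_OP_FAILURE,
              "SELinux user for %s: %s\n", login_name, *_seuser);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);
    }

    mls_range = semanage_seuser_get_mlsrange(sm_user);
    if (mls_range != NULL) {
        *_mls_range = talloc_strdup(mem_ctx, mls_range);
        if (*_mls_range == NULL) {
            ret = ENOMEM;
            goto done;
        }
        /* NOTE(review): same log-level question as for the seuser above. */
        DEBUG(SSSDBG_OP_FAILURE,
              "SELinux range for %s: %s\n", login_name, *_mls_range);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);
    }

    ret = EOK;
done:
    /* All three release helpers are called unconditionally, as in the
     * rest of this file, so they are expected to tolerate NULL. */
    semanage_seuser_key_free(sm_key);
    semanage_seuser_free(sm_user);
    sss_semanage_close(sm_handle);
    return ret;
}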
Example #6
0
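/* Remove the locally defined SELinux login mapping for @login_name.
 *
 * Inside a libsemanage transaction the function checks, in order, that a
 * mapping exists at all (no mapping means the default mapping was in use
 * and there is nothing to delete) and that it exists in the local store
 * (a mapping that is only in the policy cannot be removed). Only then
 * is semanage_seuser_del_local() called and the transaction committed.
 *
 * Returns EOK when the mapping was deleted or was never defined, ENOENT
 * when the mapping comes from the policy and cannot be deleted, and EIO
 * when initialisation, the transaction, key creation, any lookup, the
 * deletion or the commit fails.
 *
 * On the paths that leave before semanage_commit() the transaction is
 * still open when sss_semanage_close() runs; what that helper does with
 * an open transaction is not visible here.
 */
int del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_begin_transaction(handle);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(SSSDBG_FUNC_DATA,
              "Login mapping for %s is not defined, OK if default mapping "
                  "was used\n", login_name);
        ret = EOK;  /* probably default mapping */
        goto done;
    }

    /* A mapping present in the store but absent from the local store
     * comes from the policy itself and is not ours to delete. */
    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Login mapping for %s is defined in policy, cannot be deleted\n",
              login_name);
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not delete login mapping for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;
done:
    /* The key was never released on any path, unlike set_seuser(); free
     * it here on every exit (it is NULL if creation did not happen). */
    semanage_seuser_key_free(key);
    sss_semanage_close(handle);
    return ret;
}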
Example #7
0
/* Map the Linux login @login_name to the SELinux user @seuser_name with
 * MLS range @mls in the libsemanage store.
 *
 * A NULL @seuser_name is a no-op: the system's default mapping is left
 * in place and EOK is returned. Otherwise a transaction is opened, a key
 * for the login is created, and depending on whether a mapping already
 * exists either sss_semanage_user_mod() or sss_semanage_user_add() is
 * invoked before the transaction is committed.
 *
 * Returns EOK on success and EIO when initialisation, the transaction,
 * key creation, the existence check, the add/modify helper or the
 * commit fails. The key and the handle are released on every path.
 */
int set_seuser(const char *login_name, const char *seuser_name,
               const char *mls)
{
    semanage_handle_t *sm_handle = NULL;
    semanage_seuser_key_t *sm_key = NULL;
    int already_mapped = 0;
    int rc = EIO;

    /* No explicit SELinux user: let the system choose its defaults. */
    if (seuser_name == NULL) {
        return EOK;
    }

    sm_handle = sss_semanage_init();
    if (sm_handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
        goto done;
    }

    if (semanage_begin_transaction(sm_handle) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        goto done;
    }

    if (semanage_seuser_key_create(sm_handle, login_name, &sm_key) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        goto done;
    }

    if (semanage_seuser_exists(sm_handle, sm_key, &already_mapped) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        goto done;
    }

    /* Existing mapping -> modify in place; otherwise create a new one. */
    if (already_mapped) {
        if (sss_semanage_user_mod(sm_handle, sm_key, login_name,
                                  seuser_name, mls) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
            goto done;
        }
    } else {
        if (sss_semanage_user_add(sm_handle, sm_key, login_name,
                                  seuser_name, mls) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
            goto done;
        }
    }

    if (semanage_commit(sm_handle) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        goto done;
    }

    rc = EOK;

done:
    semanage_seuser_key_free(sm_key);
    sss_semanage_close(sm_handle);
    return rc;
}