/*
 * Check whether a login -> SELinux user mapping exists for @linuxuser.
 *
 * Returns EOK when the mapping exists, ERR_SELINUX_USER_NOT_FOUND when it
 * does not, EIO on a libsemanage failure, and whatever sss_semanage_init()
 * reports when the management handle cannot be set up.
 */
int sss_seuser_exists(const char *linuxuser)
{
    semanage_handle_t *sm_handle = NULL;
    semanage_seuser_key_t *sm_key = NULL;
    int exists;
    int ret = sss_semanage_init(&sm_handle);

    if (ret != EOK) {
        return ret;
    }

    if (semanage_seuser_key_create(sm_handle, linuxuser, &sm_key) < 0) {
        sss_semanage_close(sm_handle);
        return EIO;
    }

    ret = semanage_seuser_exists(sm_handle, sm_key, &exists);

    /* Neither the key nor the handle is needed past this point. */
    semanage_seuser_key_free(sm_key);
    sss_semanage_close(sm_handle);

    if (ret < 0) {
        return EIO;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");

    if (exists) {
        return EOK;
    }
    return ERR_SELINUX_USER_NOT_FOUND;
}
/*
 * Look up the SELinux user and MLS level mapped to @linuxuser.
 *
 * A semanage handle is created only to ask whether SELinux is managed on
 * this host and is closed again before the lookup itself, which goes
 * through getseuserbyname().  Returns EIO when no handle can be created,
 * the error from sss_is_selinux_managed() when that check fails, and
 * otherwise the result of getseuserbyname().
 */
int sss_get_seuser(const char *linuxuser, char **selinuxuser, char **level)
{
    semanage_handle_t *handle = semanage_handle_create();
    int managed;

    if (handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        return EIO;
    }
    semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL);

    /* The handle is only needed for the managed check; release it at once. */
    managed = sss_is_selinux_managed(handle);
    sss_semanage_close(handle);
    if (managed != EOK) {
        return managed;
    }

    return getseuserbyname(linuxuser, selinuxuser, level);
}
/*
 * Create a connected libsemanage handle and hand it back through @_handle.
 *
 * On success @_handle receives the handle, EOK is returned and the caller
 * owns the handle (release it with sss_semanage_close()).  On failure
 * @_handle is left untouched and the partially set-up handle is closed
 * here; the return value is EIO when the handle cannot be created or
 * connected, EACCES when the policy store is not readable, or the error
 * code from sss_is_selinux_managed().
 */
static int sss_semanage_init(semanage_handle_t **_handle)
{
    semanage_handle_t *handle = semanage_handle_create();
    int ret = EIO;

    if (handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        goto done;
    }
    semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL);

    ret = sss_is_selinux_managed(handle);
    if (ret != EOK) {
        goto done;
    }

    /* Read access to the policy store is the minimum this module needs. */
    if (semanage_access_check(handle) < SEMANAGE_CAN_READ) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
        ret = EACCES;
        goto done;
    }

    if (semanage_connect(handle) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot estabilish SELinux management connection\n");
        ret = EIO;
        goto done;
    }
    ret = EOK;

done:
    if (ret == EOK) {
        *_handle = handle;
    } else {
        /* Reached with handle == NULL when creation itself failed. */
        sss_semanage_close(handle);
    }
    return ret;
}
/*
 * Create a connected libsemanage handle.
 *
 * Returns the handle, which the caller must release with
 * sss_semanage_close(), or NULL when the handle cannot be created, SELinux
 * is not managed, the policy store is not readable, or the connection
 * cannot be made.  Each failure is logged at SSSDBG_CRIT_FAILURE.
 */
static semanage_handle_t *sss_semanage_init(void)
{
    semanage_handle_t *handle = semanage_handle_create();

    if (handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
        return NULL;
    }
    semanage_msg_set_callback(handle, sss_semanage_error_callback, NULL);

    /* semanage_is_managed() answers 1 for "managed"; anything else is a no. */
    if (semanage_is_managed(handle) != 1) {
        DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
        goto fail;
    }

    /* Read access to the policy store is the minimum this module needs. */
    if (semanage_access_check(handle) < SEMANAGE_CAN_READ) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
        goto fail;
    }

    if (semanage_connect(handle) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot estabilish SELinux management connection\n");
        goto fail;
    }

    return handle;

fail:
    sss_semanage_close(handle);
    return NULL;
}
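/*
 * Fetch the SELinux user and MLS range mapped to @login_name from the
 * semanage login database.
 *
 * @mem_ctx     talloc context the returned strings are allocated on
 * @login_name  Linux login name to look up
 * @_seuser     receives a talloc copy of the SELinux user; written only when
 *              the record carries one, otherwise left untouched
 * @_mls_range  receives a talloc copy of the MLS range; written only when
 *              the record carries one, otherwise left untouched
 *
 * Returns EOK on success, EIO when libsemanage cannot be initialised or the
 * key/query calls fail, ENOENT when the query completes without yielding a
 * record, and ENOMEM when a copy cannot be allocated.
 */
int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
               char **_seuser, char **_mls_range)
{
    errno_t ret;
    const char *seuser;
    const char *mls_range;
    semanage_handle_t *sm_handle = NULL;
    semanage_seuser_t *sm_user = NULL;
    semanage_seuser_key_t *sm_key = NULL;

    sm_handle = sss_semanage_init();
    if (sm_handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    /* The getters below dereference sm_user.  Guard against a query that
     * returned success without producing a record instead of crashing on
     * NULL; whether libsemanage reports a missing login this way or through
     * ret < 0 is not visible here, so both cases are handled. */
    if (sm_user == NULL) {
        DEBUG(SSSDBG_FUNC_DATA, "No login mapping found for %s\n", login_name);
        ret = ENOENT;
        goto done;
    }

    seuser = semanage_seuser_get_sename(sm_user);
    if (seuser != NULL) {
        *_seuser = talloc_strdup(mem_ctx, seuser);
        if (*_seuser == NULL) {
            ret = ENOMEM;
            goto done;
        }
        /* NOTE(review): this is the success path but logs at OP_FAILURE;
         * a trace level may be intended -- confirm before changing. */
        DEBUG(SSSDBG_OP_FAILURE, "SELinux user for %s: %s\n", login_name, *_seuser);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);
    }

    mls_range = semanage_seuser_get_mlsrange(sm_user);
    if (mls_range != NULL) {
        *_mls_range = talloc_strdup(mem_ctx, mls_range);
        if (*_mls_range == NULL) {
            ret = ENOMEM;
            goto done;
        }
        /* NOTE(review): same log-level question as for the user above. */
        DEBUG(SSSDBG_OP_FAILURE, "SELinux range for %s: %s\n", login_name, *_mls_range);
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);
    }

    ret = EOK;

done:
    /* Each of these is reached with a NULL argument on the early exits. */
    semanage_seuser_key_free(sm_key);
    semanage_seuser_free(sm_user);
    sss_semanage_close(sm_handle);
    return ret;
}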
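/*
 * Remove the local login -> SELinux user mapping for @login_name.
 *
 * A mapping that does not exist at all is treated as success (EOK), on the
 * assumption that the default mapping was in use.  A mapping that exists
 * only in the policy, not in the local store, cannot be deleted and yields
 * ENOENT.  Any libsemanage failure yields EIO.
 *
 * Fix: the seuser key was never released; it is now freed on every path,
 * matching set_seuser().
 */
int del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_begin_transaction(handle);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(SSSDBG_FUNC_DATA,
              "Login mapping for %s is not defined, OK if default mapping "
              "was used\n", login_name);
        ret = EOK; /* probably default mapping */
        goto done;
    }

    /* Only mappings in the local store can be deleted; one that exists
     * solely in the policy is reported as ENOENT. */
    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Login mapping for %s is defined in policy, cannot be deleted\n",
              login_name);
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not delete login mapping for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    /* key and handle may be NULL here; set_seuser() relies on the same
     * release calls accepting that. */
    semanage_seuser_key_free(key);
    sss_semanage_close(handle);
    return ret;
}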
/*
 * Create or update the login -> SELinux user mapping for @login_name.
 *
 * @login_name   Linux login name the mapping is keyed on
 * @seuser_name  SELinux user to map to; NULL means "leave the system
 *               default", which is reported as EOK without touching the
 *               store
 * @mls          MLS range passed through to the add/modify helpers
 *
 * An existing mapping is modified, otherwise a new one is added, inside a
 * single semanage transaction.  Returns EOK on success and EIO on any
 * libsemanage failure.
 */
int set_seuser(const char *login_name, const char *seuser_name,
               const char *mls)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int seuser_exists = 0;
    int ret = EIO;

    /* Nothing requested: let the system pick the defaults. */
    if (seuser_name == NULL) {
        return EOK;
    }

    handle = sss_semanage_init();
    if (handle == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
        goto done;
    }

    if (semanage_begin_transaction(handle) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        goto done;
    }

    if (semanage_seuser_key_create(handle, login_name, &key) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        goto done;
    }

    if (semanage_seuser_exists(handle, key, &seuser_exists) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        goto done;
    }

    /* Pick modify or add depending on whether the mapping is already there. */
    if (seuser_exists) {
        if (sss_semanage_user_mod(handle, key, login_name, seuser_name, mls) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
            goto done;
        }
    } else {
        if (sss_semanage_user_add(handle, key, login_name, seuser_name, mls) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
            goto done;
        }
    }

    if (semanage_commit(handle) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        goto done;
    }

    ret = EOK;

done:
    /* Both release calls are reached with NULL arguments on early exits. */
    semanage_seuser_key_free(key);
    sss_semanage_close(handle);
    return ret;
}