/* * selinux_process_label_set: Set SELinux context of a process * * @label : label string * @conf : the container configuration to use @label is NULL * @default : use the default context if label is NULL * @on_exec : the new context will take effect on exec(2) not immediately * * Returns 0 on success, < 0 on failure * * Notes: This relies on /proc being available. */ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf, int use_default, int on_exec) { const char *label = inlabel ? inlabel : conf->lsm_se_context; if (!label) { if (use_default) label = DEFAULT_LABEL; else return -1; } if (!strcmp(label, "unconfined_t")) return 0; if (on_exec) { if (setexeccon_raw((char *)label) < 0) { SYSERROR("failed to set new SELinux exec context %s", label); return -1; } } else { if (setcon_raw((char *)label) < 0) { SYSERROR("failed to set new SELinux context %s", label); return -1; } } INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label); return 0; }
static int testSELinuxGenLabel(const void *opaque) { const struct testSELinuxGenLabelData *data = opaque; int ret = -1; virDomainDefPtr def; context_t con = NULL; context_t imgcon = NULL; if (setcon_raw((security_context_t)data->pidcon) < 0) { perror("Cannot set process security context"); return -1; } if (!(def = testBuildDomainDef(data->dynamic, data->label, data->baselabel))) goto cleanup; if (virSecurityManagerGenLabel(data->mgr, def) < 0) { virErrorPtr err = virGetLastError(); fprintf(stderr, "Cannot generate label: %s\n", err->message); goto cleanup; } VIR_DEBUG("label=%s imagelabel=%s", def->seclabels[0]->label, def->seclabels[0]->imagelabel); if (!(con = context_new(def->seclabels[0]->label))) goto cleanup; if (!(imgcon = context_new(def->seclabels[0]->imagelabel))) goto cleanup; if (!testSELinuxCheckCon(con, data->user, data->role, data->type, data->sensMin, data->sensMax, data->catMin, data->catMax)) goto cleanup; if (!testSELinuxCheckCon(imgcon, data->user, data->imagerole, data->imagetype, data->sensMin, data->sensMax, data->catMin, data->catMax)) goto cleanup; ret = 0; cleanup: context_free(con); context_free(imgcon); virDomainDefFree(def); return ret; }
int mac_selinux_setup(bool *loaded_policy) { #ifdef HAVE_SELINUX int enforce = 0; usec_t before_load, after_load; security_context_t con; int r; union selinux_callback cb; bool initialized = false; assert(loaded_policy); /* Turn off all of SELinux' own logging, we want to do that */ cb.func_log = null_log; selinux_set_callback(SELINUX_CB_LOG, cb); /* Don't load policy in the initrd if we don't appear to have * it. For the real root, we check below if we've already * loaded policy, and return gracefully. */ if (in_initrd() && access(selinux_path(), F_OK) < 0) return 0; /* Already initialized by somebody else? */ r = getcon_raw(&con); if (r == 0) { initialized = !streq(con, "kernel"); freecon(con); } /* Make sure we have no fds open while loading the policy and * transitioning */ log_close(); /* Now load the policy */ before_load = now(CLOCK_MONOTONIC); r = selinux_init_load_policy(&enforce); if (r == 0) { _cleanup_(mac_selinux_freep) char *label = NULL; char timespan[FORMAT_TIMESPAN_MAX]; mac_selinux_retest(); /* Transition to the new context */ r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); if (r < 0 || !label) { log_open(); log_error("Failed to compute init label, ignoring."); } else { r = setcon_raw(label); log_open(); if (r < 0) log_error("Failed to transition into init label '%s', ignoring.", label); } after_load = now(CLOCK_MONOTONIC); log_info("Successfully loaded SELinux policy in %s.", format_timespan(timespan, sizeof(timespan), after_load - before_load, 0)); *loaded_policy = true; } else {
/* * do_set_domain * It tries to replace the domain/range of the current context. */ static int do_set_domain(security_context_t old_context, char *domain, server_rec *s) { security_context_t new_context; security_context_t raw_context; context_t context; char *range; /* * Compute the new security context */ context = context_new(old_context); if (!context) { ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, "SELinux: context_new(\"%s\") failed", old_context); return -1; } range = strchr(domain, ':'); if (range) *range++ = '\0'; if (domain && strcmp(domain, "*") != 0) context_type_set(context, domain); if (range && strcmp(range, "*") != 0) context_range_set(context, range); if (range) *--range = ':'; /* fixup */ new_context = context_str(context); if (!new_context) { ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, "SELinux: context_str(\"%s:%s:%s:%s\") failed", context_user_get(context), context_role_get(context), context_type_get(context), context_range_get(context)); context_free(context); return -1; } /* * If old_context == new_context, we don't need to do anything */ if (selinux_trans_to_raw_context(new_context, &raw_context) < 0) { ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, "SELinux: selinux_trans_to_raw_context(\"%s\") failed", new_context); context_free(context); return -1; } context_free(context); if (!strcmp(old_context, raw_context)) { freecon(raw_context); return 1; } if (setcon_raw(raw_context) < 0) { ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, "SELinux: setcon_raw(\"%s\") failed", raw_context); freecon(raw_context); return -1; } freecon(raw_context); return 0; }
int setcon(security_context_t context) { return setcon_raw(context); }