Esempio n. 1
/**
 * Apply the SELinux file context that the loaded labeling database assigns
 * to @matchpath onto the file system object at @path.
 *
 * @param matchpath  Path used as the key for the label lookup.
 * @param path       Path of the object that actually receives the label.
 * @param mode       File mode; only the S_IFMT (file type) bits are passed
 *                   to the lookup.
 *
 * Compiles to an empty function when WITH_LIBSELINUX is not defined.
 */
void
dpkg_selabel_set_context(const char *matchpath, const char *path, mode_t mode)
{
#ifdef WITH_LIBSELINUX
	security_context_t label = NULL;
	int rc;

	/* No labeling handle means SELinux is not in use: nothing to do. */
	if (!sehandle) {
		return;
	}

	/*
	 * The _raw variants are used on purpose: they skip the translation
	 * between the machine and human readable context forms, so a
	 * mcstransd that went away in the middle of the unpack cannot
	 * break labeling.
	 */
	rc = selabel_lookup_raw(sehandle, &label, matchpath, mode & S_IFMT);

	/* A failed lookup, or a successful one that yields no context,
	 * leaves the object alone so that the default context applies. */
	if (rc == -1) {
		return;
	}
	if (rc == 0 && label == NULL) {
		return;
	}

	/* ENOTSUP (no label support on this file system) is tolerated; any
	 * other failure is reported through ohshite(). */
	if (lsetfilecon_raw(path, label) < 0 && errno != ENOTSUP) {
		ohshite(_("cannot set security context for file object '%s'"),
		        path);
	}

	freecon(label);
#endif /* WITH_LIBSELINUX */
}
Esempio n. 2
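/**
 * Relabel @path with the SELinux context that the labeling database holds
 * for it.
 *
 * @param path           Object to relabel; must not be NULL.
 * @param ignore_enoent  Treat ENOENT from lstat() as success.
 * @param ignore_erofs   Treat EROFS as success.
 *
 * @return 0 on success, when no labeling handle is loaded, when the database
 *         has no entry for @path, when the file system does not support
 *         labels, when the failure is one the caller asked to ignore, or when
 *         SELinux is not enforcing. A negative errno value when relabeling
 *         failed and security_getenforce() reports enforcing mode.
 *
 * The error code is captured right after each failing call. Previously the
 * function returned -errno only after the context cleanup, the log call and
 * security_getenforce() had run, any of which may overwrite errno, so in
 * enforcing mode the caller could receive the wrong error for a file that
 * was left mislabeled.
 */
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {

#ifdef HAVE_SELINUX
        struct stat st;
        int r = 0;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        /* NOTE(review): path is resolved twice, by lstat() here and by
         * lsetfilecon_raw() below. If the parent directory is writable by a
         * less trusted party the object may change in between; confirm that
         * callers only pass paths they control. */
        if (lstat(path, &st) < 0)
                r = -errno;
        else {
                _cleanup_freecon_ char* fcon = NULL;

                if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
                        r = -errno;

                        /* If there's no label to set, then exit without warning */
                        if (r == -ENOENT)
                                return 0;
                } else if (lsetfilecon_raw(path, fcon) < 0) {
                        r = -errno;

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r == -EOPNOTSUPP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && r == -ENOENT)
                        return 0;

                if (ignore_erofs && r == -EROFS)
                        return 0;

                /* Restore errno so that %m formats the error that actually
                 * caused the failure. */
                errno = -r;
                log_enforcing("Unable to fix SELinux security context of %s: %m", path);

                /* Only enforcing mode turns the failure into an error for
                 * the caller; otherwise it is logged and ignored. */
                if (security_getenforce() == 1)
                        return r;
        }
#endif

        return 0;
}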