static rpmRC sepoltransCommit(sepoltrans * pt)
{
rpmRC rc = RPMRC_OK;
if (pt->changes == 0) {
return rc;
}
if (pt->execsemodule) {
int status;
pid_t pid = fork();
int fd;
switch (pid) {
case -1:
rpmlog(RPMLOG_ERR, _("Failed to fork process: %s\n"),
strerror(errno));
rc = RPMRC_FAIL;
break;
case 0:
fd = open("/dev/null", O_RDWR);
dup2(fd, STDIN_FILENO);
dup2(fd, STDOUT_FILENO);
dup2(fd, STDERR_FILENO);
execv(pt->semodulepath, pt->semodargs);
rpmlog(RPMLOG_ERR, _("Failed to execute %s: %s\n"),
pt->semodulepath, strerror(errno));
exit(1);
default:
waitpid(pid, &status, 0);
if (!WIFEXITED(status)) {
rpmlog(RPMLOG_ERR, _("%s terminated abnormally\n"),
pt->semodulepath);
rc = RPMRC_FAIL;
} else if (WEXITSTATUS(status)) {
rpmlog(RPMLOG_ERR, _("%s failed with exit code %i\n"),
pt->semodulepath, WEXITSTATUS(status));
rc = RPMRC_FAIL;
}
}
} else {
if (semanage_commit(pt->sh) < 0) {
rpmlog(RPMLOG_ERR, _("Failed to commit policy changes\n"));
rc = RPMRC_FAIL;
}
}
return rc;
}
int del_seuser(const char *login_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int exists = 0;
handle = sss_semanage_init();
if (!handle) {
DEBUG(1, ("Cannot init SELinux management\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(1, ("Cannot create SELinux user key\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(5, ("Login mapping for %s is not defined, OK if default mapping "
"was used\n", login_name));
ret = EOK; /* probably default mapping */
goto done;
}
ret = semanage_seuser_exists_local(handle, key, &exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(1, ("Login mapping for %s is defined in policy, "
"cannot be deleted", login_name));
ret = ENOENT;
goto done;
}
ret = semanage_seuser_del_local(handle, key);
if (ret != 0) {
DEBUG(1, ("Could not delete login mapping for %s", login_name));
ret = EIO;
goto done;
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(1, ("Cannot commit SELinux transaction\n"));
ret = EIO;
goto done;
}
ret = EOK;
done:
semanage_handle_destroy(handle);
return ret;
}
int set_seuser(const char *login_name, const char *seuser_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int seuser_exists = 0;
if (seuser_name == NULL) {
/* don't care, just let system pick the defaults */
return EOK;
}
handle = sss_semanage_init();
if (!handle) {
DEBUG(1, ("Cannot init SELinux management\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(1, ("Cannot create SELinux user key\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &seuser_exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (seuser_exists) {
ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);
if (ret != 0) {
DEBUG(1, ("Cannot modify SELinux user mapping\n"));
ret = EIO;
goto done;
}
} else {
ret = sss_semanage_user_add(handle, key, login_name, seuser_name);
if (ret != 0) {
DEBUG(1, ("Cannot add SELinux user mapping\n"));
ret = EIO;
goto done;
}
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(1, ("Cannot commit SELinux transaction\n"));
ret = EIO;
goto done;
}
ret = EOK;
done:
semanage_seuser_key_free(key);
semanage_handle_destroy(handle);
return ret;
}
/* Apply permanent boolean changes to policy via libsemanage */
static int semanage_set_boolean_list(size_t boolcnt,
SELboolean * boollist)
{
size_t j;
semanage_handle_t *handle = NULL;
semanage_bool_t *boolean = NULL;
semanage_bool_key_t *bool_key = NULL;
int managed;
handle = semanage_handle_create();
if (handle == NULL) {
fprintf(stderr, "Could not create semanage library handle\n");
goto err;
}
managed = semanage_is_managed(handle);
if (managed < 0) {
fprintf(stderr,
"Error when checking whether policy is managed\n");
goto err;
} else if (managed == 0) {
if (getuid() == 0) {
fprintf(stderr,
"Cannot set persistent booleans without managed policy.\n");
} else {
fprintf(stderr,
"Cannot set persistent booleans, please try as root.\n");
}
goto err;
}
if (semanage_connect(handle) < 0)
goto err;
if (semanage_begin_transaction(handle) < 0)
goto err;
for (j = 0; j < boolcnt; j++) {
if (semanage_bool_create(handle, &boolean) < 0)
goto err;
if (semanage_bool_set_name(handle, boolean, boollist[j].name) <
0)
goto err;
semanage_bool_set_value(boolean, boollist[j].value);
if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
goto err;
if (semanage_bool_modify_local(handle, bool_key,
boolean) < 0)
goto err;
if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Could not change boolean %s\n",
boollist[j].name);
goto err;
}
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
bool_key = NULL;
boolean = NULL;
}
semanage_set_reload(handle, reload);
if (semanage_commit(handle) < 0)
goto err;
semanage_disconnect(handle);
semanage_handle_destroy(handle);
return 0;
err:
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
semanage_handle_destroy(handle);
fprintf(stderr, "Could not change policy booleans\n");
return -1;
}
int del_seuser (const char *login_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int exists = 0;
handle = semanage_init ();
if (NULL == handle) {
fprintf (stderr, _("Cannot init SELinux management\n"));
ret = 1;
goto done;
}
ret = semanage_seuser_key_create (handle, login_name, &key);
if (ret != 0) {
fprintf (stderr, _("Cannot create SELinux user key\n"));
ret = 1;
goto done;
}
ret = semanage_seuser_exists (handle, key, &exists);
if (ret < 0) {
fprintf (stderr, _("Cannot verify the SELinux user\n"));
ret = 1;
goto done;
}
if (0 == exists) {
fprintf (stderr,
_("Login mapping for %s is not defined, OK if default mapping was used\n"),
login_name);
ret = 0; /* probably default mapping */
goto done;
}
ret = semanage_seuser_exists_local (handle, key, &exists);
if (ret < 0) {
fprintf (stderr, _("Cannot verify the SELinux user\n"));
ret = 1;
goto done;
}
if (0 == exists) {
fprintf (stderr,
_("Login mapping for %s is defined in policy, cannot be deleted\n"),
login_name);
ret = 0; /* Login mapping defined in policy can't be deleted */
goto done;
}
ret = semanage_seuser_del_local (handle, key);
if (ret != 0) {
fprintf (stderr,
_("Could not delete login mapping for %s"),
login_name);
ret = 1;
goto done;
}
ret = semanage_commit (handle);
if (ret < 0) {
fprintf (stderr, _("Cannot commit SELinux transaction\n"));
ret = 1;
goto done;
}
ret = 0;
done:
semanage_handle_destroy (handle);
return ret;
}
int sss_del_seuser(const char *login_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int exists = 0;
ret = sss_semanage_init(&handle);
if (ret == ERR_SELINUX_NOT_MANAGED) {
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
goto done;
}
ret = semanage_begin_transaction(handle);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &exists);
if (ret < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(SSSDBG_FUNC_DATA,
"Login mapping for %s is not defined, OK if default mapping "
"was used\n", login_name);
ret = EOK; /* probably default mapping */
goto done;
}
ret = semanage_seuser_exists_local(handle, key, &exists);
if (ret < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Login mapping for %s is defined in policy, cannot be deleted\n",
login_name);
ret = ENOENT;
goto done;
}
ret = semanage_seuser_del_local(handle, key);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Could not delete login mapping for %s\n", login_name);
ret = EIO;
goto done;
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
ret = EIO;
goto done;
}
ret = EOK;
done:
sss_semanage_close(handle);
return ret;
}
int sss_set_seuser(const char *login_name, const char *seuser_name,
const char *mls)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int seuser_exists = 0;
if (seuser_name == NULL) {
/* don't care, just let system pick the defaults */
return EOK;
}
ret = sss_semanage_init(&handle);
if (ret == ERR_SELINUX_NOT_MANAGED) {
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
goto done;
}
ret = semanage_begin_transaction(handle);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &seuser_exists);
if (ret < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
ret = EIO;
goto done;
}
if (seuser_exists) {
ret = sss_semanage_user_mod(handle, key, login_name, seuser_name,
mls);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
ret = EIO;
goto done;
}
} else {
ret = sss_semanage_user_add(handle, key, login_name, seuser_name,
mls);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
ret = EIO;
goto done;
}
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
ret = EIO;
goto done;
}
ret = EOK;
done:
if (key != NULL) {
semanage_seuser_key_free(key);
}
sss_semanage_close(handle);
return ret;
}
