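/*
 * Commit the policy changes queued in *pt.
 *
 * With pt->execsemodule set, the work is delegated to an external
 * semodule process: fork(), redirect the child's stdio to /dev/null and
 * execv(pt->semodulepath, pt->semodargs).  Otherwise the changes are
 * committed in-process with semanage_commit() on pt->sh.
 *
 * Returns RPMRC_OK when nothing was queued or the commit succeeded, and
 * RPMRC_FAIL when fork(), waitpid(), the child's exit status or
 * semanage_commit() report failure.
 */
static rpmRC sepoltransCommit(sepoltrans * pt)
{
    rpmRC rc = RPMRC_OK;

    if (pt->changes == 0) {
        return rc;
    }

    if (!pt->execsemodule) {
        if (semanage_commit(pt->sh) < 0) {
            rpmlog(RPMLOG_ERR, _("Failed to commit policy changes\n"));
            rc = RPMRC_FAIL;
        }
        return rc;
    }

    pid_t pid = fork();
    switch (pid) {
    case -1:
        rpmlog(RPMLOG_ERR, _("Failed to fork process: %s\n"), strerror(errno));
        rc = RPMRC_FAIL;
        break;

    case 0: {
        /*
         * Child.  Detach stdio from whatever the caller inherited; a failed
         * open() used to be passed straight to dup2(), which silently left
         * the descriptors untouched.
         */
        int fd = open("/dev/null", O_RDWR);
        if (fd != -1) {
            dup2(fd, STDIN_FILENO);
            dup2(fd, STDOUT_FILENO);
            dup2(fd, STDERR_FILENO);
            if (fd > STDERR_FILENO) {
                close(fd);      /* not CLOEXEC: don't leak it into semodule */
            }
        }
        execv(pt->semodulepath, pt->semodargs);
        /* Only reached when execv() failed. */
        rpmlog(RPMLOG_ERR, _("Failed to execute %s: %s\n"),
               pt->semodulepath, strerror(errno));
        /*
         * _exit(), not exit(): the child must not run the parent's atexit
         * handlers or flush the parent's duplicated stdio buffers.
         */
        _exit(1);
    }

    default: {
        int status = 0;
        pid_t waited;

        /* Retry the wait if a signal interrupts it. */
        do {
            waited = waitpid(pid, &status, 0);
        } while (waited == -1 && errno == EINTR);

        if (waited == -1) {
            /* status is meaningless here; the old code inspected it anyway. */
            rpmlog(RPMLOG_ERR, _("Failed to wait for %s: %s\n"),
                   pt->semodulepath, strerror(errno));
            rc = RPMRC_FAIL;
        } else if (!WIFEXITED(status)) {
            rpmlog(RPMLOG_ERR, _("%s terminated abnormally\n"), pt->semodulepath);
            rc = RPMRC_FAIL;
        } else if (WEXITSTATUS(status)) {
            rpmlog(RPMLOG_ERR, _("%s failed with exit code %i\n"),
                   pt->semodulepath, WEXITSTATUS(status));
            rc = RPMRC_FAIL;
        }
        break;
    }
    }

    return rc;
}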
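/*
 * Remove the locally defined SELinux login mapping for login_name.
 *
 * A mapping that does not exist at all is treated as success (the default
 * mapping was presumably in use).  A mapping that exists only in the base
 * policy cannot be removed locally and yields ENOENT.
 *
 * Returns EOK on success, ENOENT as above, EIO when a libsemanage call or
 * sss_semanage_init() fails.
 */
int del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(1, ("Cannot init SELinux management\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(1, ("Cannot create SELinux user key\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(5, ("Login mapping for %s is not defined, OK if default mapping "
                  "was used\n", login_name));
        ret = EOK;      /* probably default mapping */
        goto done;
    }

    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(1, ("Login mapping for %s is defined in policy, "
                  "cannot be deleted\n", login_name));
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(1, ("Could not delete login mapping for %s\n", login_name));
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    /* The key was previously never released (leaked on every path). */
    if (key != NULL) {
        semanage_seuser_key_free(key);
    }
    if (handle != NULL) {
        semanage_handle_destroy(handle);
    }
    return ret;
}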
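/*
 * Map login_name to the SELinux user seuser_name, creating the mapping when
 * none exists and modifying it otherwise.  A NULL seuser_name means "let the
 * system pick the default" and is a successful no-op.
 *
 * NOTE(review): unlike sss_set_seuser() in this file, no
 * semanage_begin_transaction() precedes the modification; confirm that the
 * libsemanage version in use opens one implicitly before semanage_commit().
 *
 * Returns EOK on success, EIO when sss_semanage_init() or a libsemanage
 * call fails.
 */
int set_seuser(const char *login_name, const char *seuser_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int seuser_exists = 0;

    if (seuser_name == NULL) {
        /* don't care, just let system pick the defaults */
        return EOK;
    }

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(1, ("Cannot init SELinux management\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(1, ("Cannot create SELinux user key\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &seuser_exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }

    if (seuser_exists) {
        ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);
        if (ret != 0) {
            DEBUG(1, ("Cannot modify SELinux user mapping\n"));
            ret = EIO;
            goto done;
        }
    } else {
        ret = sss_semanage_user_add(handle, key, login_name, seuser_name);
        if (ret != 0) {
            DEBUG(1, ("Cannot add SELinux user mapping\n"));
            ret = EIO;
            goto done;
        }
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    /* key/handle are NULL on the early failure paths; guard like sss_set_seuser(). */
    if (key != NULL) {
        semanage_seuser_key_free(key);
    }
    if (handle != NULL) {
        semanage_handle_destroy(handle);
    }
    return ret;
}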
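/* Apply permanent boolean changes to policy via libsemanage */
/*
 * For each entry of boollist the boolean is created by name, given its
 * value, recorded in the local store (semanage_bool_modify_local) and
 * applied to the running policy (semanage_bool_set_active); the whole batch
 * is then committed in a single transaction.  semanage_set_reload() is
 * passed the file-scope `reload` flag before the commit.
 *
 * boolcnt:  number of entries in boollist.
 * boollist: name/value pairs to apply.
 *
 * Returns 0 on success.  Returns -1 on any failure after writing a message
 * to stderr; in that case nothing is committed.
 */
static int semanage_set_boolean_list(size_t boolcnt, SELboolean * boollist)
{
    size_t j;
    semanage_handle_t *handle = NULL;
    semanage_bool_t *boolean = NULL;
    semanage_bool_key_t *bool_key = NULL;
    int managed;

    handle = semanage_handle_create();
    if (handle == NULL) {
        fprintf(stderr, "Could not create semanage library handle\n");
        goto err;
    }

    managed = semanage_is_managed(handle);
    if (managed < 0) {
        fprintf(stderr, "Error when checking whether policy is managed\n");
        goto err;
    } else if (managed == 0) {
        /* An unmanaged store is most often just a missing-privilege symptom. */
        if (getuid() == 0) {
            fprintf(stderr, "Cannot set persistent booleans without managed policy.\n");
        } else {
            fprintf(stderr, "Cannot set persistent booleans, please try as root.\n");
        }
        goto err;
    }

    /* These two used to fail with only the generic message at err:. */
    if (semanage_connect(handle) < 0) {
        fprintf(stderr, "Could not connect to the semanage store\n");
        goto err;
    }
    if (semanage_begin_transaction(handle) < 0) {
        fprintf(stderr, "Could not begin semanage transaction\n");
        goto err;
    }

    for (j = 0; j < boolcnt; j++) {
        if (semanage_bool_create(handle, &boolean) < 0) {
            goto err;
        }
        if (semanage_bool_set_name(handle, boolean, boollist[j].name) < 0) {
            goto err;
        }
        semanage_bool_set_value(boolean, boollist[j].value);
        if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0) {
            goto err;
        }
        if (semanage_bool_modify_local(handle, bool_key, boolean) < 0) {
            goto err;
        }
        if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
            fprintf(stderr, "Could not change boolean %s\n", boollist[j].name);
            goto err;
        }
        /* Per-iteration objects; reset so err: does not free them twice. */
        semanage_bool_key_free(bool_key);
        semanage_bool_free(boolean);
        bool_key = NULL;
        boolean = NULL;
    }

    semanage_set_reload(handle, reload);
    if (semanage_commit(handle) < 0) {
        fprintf(stderr, "Could not commit semanage transaction\n");
        goto err;
    }

    semanage_disconnect(handle);
    semanage_handle_destroy(handle);
    return 0;

err:
    semanage_bool_key_free(bool_key);
    semanage_bool_free(boolean);
    if (handle != NULL) {
        /*
         * The success path disconnects before destroying; the error path
         * previously did not.  Disconnecting presumably also discards the
         * uncommitted transaction -- confirm against the libsemanage in use.
         */
        if (semanage_is_connected(handle)) {
            semanage_disconnect(handle);
        }
        semanage_handle_destroy(handle);
    }
    fprintf(stderr, "Could not change policy booleans\n");
    return -1;
}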
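/*
 * Remove the locally defined SELinux login mapping for login_name.
 *
 * Both "no mapping at all" (the default mapping was in use) and "mapping
 * defined only in the base policy" (cannot be deleted locally) are reported
 * on stderr but treated as success, so that the caller's account removal
 * does not fail on them.
 *
 * Returns 0 on success, 1 when semanage_init() or a libsemanage call fails.
 */
int del_seuser (const char *login_name)
{
	semanage_handle_t *handle = NULL;
	semanage_seuser_key_t *key = NULL;
	int ret;
	int exists = 0;

	handle = semanage_init ();
	if (NULL == handle) {
		fprintf (stderr, _("Cannot init SELinux management\n"));
		ret = 1;
		goto done;
	}

	ret = semanage_seuser_key_create (handle, login_name, &key);
	if (ret != 0) {
		fprintf (stderr, _("Cannot create SELinux user key\n"));
		ret = 1;
		goto done;
	}

	ret = semanage_seuser_exists (handle, key, &exists);
	if (ret < 0) {
		fprintf (stderr, _("Cannot verify the SELinux user\n"));
		ret = 1;
		goto done;
	}
	if (0 == exists) {
		fprintf (stderr,
		         _("Login mapping for %s is not defined, OK if default mapping was used\n"),
		         login_name);
		ret = 0;	/* probably default mapping */
		goto done;
	}

	ret = semanage_seuser_exists_local (handle, key, &exists);
	if (ret < 0) {
		fprintf (stderr, _("Cannot verify the SELinux user\n"));
		ret = 1;
		goto done;
	}
	if (0 == exists) {
		fprintf (stderr,
		         _("Login mapping for %s is defined in policy, cannot be deleted\n"),
		         login_name);
		ret = 0;	/* Login mapping defined in policy can't be deleted */
		goto done;
	}

	ret = semanage_seuser_del_local (handle, key);
	if (ret != 0) {
		/* Trailing newline was missing, leaving the next message on the same line. */
		fprintf (stderr, _("Could not delete login mapping for %s\n"), login_name);
		ret = 1;
		goto done;
	}

	ret = semanage_commit (handle);
	if (ret < 0) {
		fprintf (stderr, _("Cannot commit SELinux transaction\n"));
		ret = 1;
		goto done;
	}

	ret = 0;

done:
	/* The key was previously never released (leaked on every path). */
	if (NULL != key) {
		semanage_seuser_key_free (key);
	}
	if (NULL != handle) {
		semanage_handle_destroy (handle);
	}
	return ret;
}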
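/*
 * Remove the locally defined SELinux login mapping for login_name inside a
 * libsemanage transaction.
 *
 * A mapping that does not exist at all is success (the default mapping was
 * presumably in use); one defined only in the base policy cannot be removed
 * locally and yields ENOENT.
 *
 * Returns EOK on success, ENOENT as above, ERR_SELINUX_NOT_MANAGED or the
 * sss_semanage_init() error when no handle could be obtained, and EIO when
 * a libsemanage call fails.
 */
int sss_del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    ret = sss_semanage_init(&handle);
    if (ret == ERR_SELINUX_NOT_MANAGED) {
        goto done;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        goto done;
    }

    ret = semanage_begin_transaction(handle);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(SSSDBG_FUNC_DATA,
              "Login mapping for %s is not defined, OK if default mapping "
              "was used\n", login_name);
        ret = EOK;      /* probably default mapping */
        goto done;
    }

    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }
    if (!exists) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Login mapping for %s is defined in policy, cannot be deleted\n",
              login_name);
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not delete login mapping for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    /* Release the key as sss_set_seuser() does; it was leaked here before. */
    if (key != NULL) {
        semanage_seuser_key_free(key);
    }
    sss_semanage_close(handle);
    return ret;
}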
/*
 * Map login_name to the SELinux user seuser_name with MLS range mls, adding
 * the mapping when none exists and modifying it otherwise, inside one
 * libsemanage transaction.  A NULL seuser_name is a successful no-op that
 * leaves the system default in place.
 *
 * Returns EOK on success, ERR_SELINUX_NOT_MANAGED or the sss_semanage_init()
 * error when no handle could be obtained, and EIO when a libsemanage call or
 * the add/modify helper fails.
 */
int sss_set_seuser(const char *login_name, const char *seuser_name, const char *mls)
{
    semanage_handle_t *sh = NULL;
    semanage_seuser_key_t *seuser_key = NULL;
    int found = 0;
    int ret;

    /* No explicit SELinux user requested: leave the system default alone. */
    if (seuser_name == NULL) {
        return EOK;
    }

    ret = sss_semanage_init(&sh);
    if (ret != EOK) {
        /* "Not managed" is a quiet, expected outcome; anything else is logged. */
        if (ret != ERR_SELINUX_NOT_MANAGED) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        }
        goto cleanup;
    }

    if (semanage_begin_transaction(sh) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto cleanup;
    }

    if (semanage_seuser_key_create(sh, login_name, &seuser_key) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto cleanup;
    }

    if (semanage_seuser_exists(sh, seuser_key, &found) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto cleanup;
    }

    /* Existing mapping -> modify in place; otherwise create it. */
    if (found) {
        if (sss_semanage_user_mod(sh, seuser_key, login_name, seuser_name, mls) != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
            ret = EIO;
            goto cleanup;
        }
    } else if (sss_semanage_user_add(sh, seuser_key, login_name, seuser_name, mls) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
        ret = EIO;
        goto cleanup;
    }

    if (semanage_commit(sh) < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto cleanup;
    }

    ret = EOK;

cleanup:
    if (seuser_key != NULL) {
        semanage_seuser_key_free(seuser_key);
    }
    sss_semanage_close(sh);
    return ret;
}