Esempio n. 1
0
int sss_seuser_exists(const char *linuxuser)
{
    int ret;
    int exists;
    semanage_seuser_key_t *sm_key = NULL;
    semanage_handle_t *sm_handle = NULL;

    ret = sss_semanage_init(&sm_handle);
    if (ret != EOK) {
        return ret;
    }

    ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
    if (ret < 0) {
        sss_semanage_close(sm_handle);
        return EIO;
    }

    ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
    semanage_seuser_key_free(sm_key);
    sss_semanage_close(sm_handle);
    if (ret < 0) {
        return EIO;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");

    return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
}
Esempio n. 2
0
int del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(1, ("Cannot init SELinux management\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(1, ("Cannot create SELinux user key\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(5, ("Login mapping for %s is not defined, OK if default mapping "
                  "was used\n", login_name));
        ret = EOK;  /* probably default mapping */
        goto done;
    }

    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(1, ("Login mapping for %s is defined in policy, "
                  "cannot be deleted", login_name));
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(1, ("Could not delete login mapping for %s", login_name));
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

    ret = EOK;
done:
    semanage_handle_destroy(handle);
    return ret;
}
Esempio n. 3
0
int set_seuser(const char *login_name, const char *seuser_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int seuser_exists = 0;

    if (seuser_name == NULL) {
        /* don't care, just let system pick the defaults */
        return EOK;
    }

    handle = sss_semanage_init();
    if (!handle) {
        DEBUG(1, ("Cannot init SELinux management\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(1, ("Cannot create SELinux user key\n"));
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &seuser_exists);
    if (ret < 0) {
        DEBUG(1, ("Cannot verify the SELinux user\n"));
        ret = EIO;
        goto done;
    }

    if (seuser_exists) {
        ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);
        if (ret != 0) {
            DEBUG(1, ("Cannot modify SELinux user mapping\n"));
            ret = EIO;
            goto done;
        }
    } else {
        ret = sss_semanage_user_add(handle, key, login_name, seuser_name);
        if (ret != 0) {
            DEBUG(1, ("Cannot add SELinux user mapping\n"));
            ret = EIO;
            goto done;
        }
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

    ret = EOK;
done:
    semanage_seuser_key_free(key);
    semanage_handle_destroy(handle);
    return ret;
}
Esempio n. 4
0
int del_seuser (const char *login_name)
{
	semanage_handle_t *handle = NULL;
	semanage_seuser_key_t *key = NULL;
	int ret;
	int exists = 0;

	handle = semanage_init ();
	if (NULL == handle) {
		fprintf (stderr, _("Cannot init SELinux management\n"));
		ret = 1;
		goto done;
	}

	ret = semanage_seuser_key_create (handle, login_name, &key);
	if (ret != 0) {
		fprintf (stderr, _("Cannot create SELinux user key\n"));
		ret = 1;
		goto done;
	}

	ret = semanage_seuser_exists (handle, key, &exists);
	if (ret < 0) {
		fprintf (stderr, _("Cannot verify the SELinux user\n"));
		ret = 1;
		goto done;
	}

	if (0 == exists) {
		fprintf (stderr,
		         _("Login mapping for %s is not defined, OK if default mapping was used\n"), 
		         login_name);
		ret = 0;  /* probably default mapping */
		goto done;
	}

	ret = semanage_seuser_exists_local (handle, key, &exists);
	if (ret < 0) {
		fprintf (stderr, _("Cannot verify the SELinux user\n"));
		ret = 1;
		goto done;
	}

	if (0 == exists) {
		fprintf (stderr,
		         _("Login mapping for %s is defined in policy, cannot be deleted\n"), 
		         login_name);
		ret = 0; /* Login mapping defined in policy can't be deleted */
		goto done;
	}

	ret = semanage_seuser_del_local (handle, key);
	if (ret != 0) {
		fprintf (stderr,
		         _("Could not delete login mapping for %s"),
		         login_name);
		ret = 1;
		goto done;
	}

	ret = semanage_commit (handle);
	if (ret < 0) {
		fprintf (stderr, _("Cannot commit SELinux transaction\n"));
		ret = 1;
		goto done;
	}

	ret = 0;
done:
	semanage_handle_destroy (handle);
	return ret;
}
Esempio n. 5
0
int sss_del_seuser(const char *login_name)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int exists = 0;

    ret = sss_semanage_init(&handle);
    if (ret == ERR_SELINUX_NOT_MANAGED) {
        goto done;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        goto done;
    }

    ret = semanage_begin_transaction(handle);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(SSSDBG_FUNC_DATA,
              "Login mapping for %s is not defined, OK if default mapping "
                  "was used\n", login_name);
        ret = EOK;  /* probably default mapping */
        goto done;
    }

    ret = semanage_seuser_exists_local(handle, key, &exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }

    if (!exists) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Login mapping for %s is defined in policy, cannot be deleted\n",
              login_name);
        ret = ENOENT;
        goto done;
    }

    ret = semanage_seuser_del_local(handle, key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not delete login mapping for %s\n", login_name);
        ret = EIO;
        goto done;
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;
done:
    sss_semanage_close(handle);
    return ret;
}
Esempio n. 6
0
int sss_set_seuser(const char *login_name, const char *seuser_name,
                   const char *mls)
{
    semanage_handle_t *handle = NULL;
    semanage_seuser_key_t *key = NULL;
    int ret;
    int seuser_exists = 0;

    if (seuser_name == NULL) {
        /* don't care, just let system pick the defaults */
        return EOK;
    }

    ret = sss_semanage_init(&handle);
    if (ret == ERR_SELINUX_NOT_MANAGED) {
        goto done;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
        goto done;
    }

    ret = semanage_begin_transaction(handle);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_key_create(handle, login_name, &key);
    if (ret != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
        ret = EIO;
        goto done;
    }

    ret = semanage_seuser_exists(handle, key, &seuser_exists);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");
        ret = EIO;
        goto done;
    }

    if (seuser_exists) {
        ret = sss_semanage_user_mod(handle, key, login_name, seuser_name,
                                    mls);
        if (ret != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
            ret = EIO;
            goto done;
        }
    } else {
        ret = sss_semanage_user_add(handle, key, login_name, seuser_name,
                                    mls);
        if (ret != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
            ret = EIO;
            goto done;
        }
    }

    ret = semanage_commit(handle);
    if (ret < 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");
        ret = EIO;
        goto done;
    }

    ret = EOK;
done:
    if (key != NULL) {
        semanage_seuser_key_free(key);
    }
    sss_semanage_close(handle);
    return ret;
}