int main(int argc, char **argv) { char *seuser = NULL, *level = NULL; security_context_t *contextlist; int rc, n, i; if (argc != 3) { fprintf(stderr, "usage: %s linuxuser fromcon\n", argv[0]); exit(1); } rc = getseuserbyname(argv[1], &seuser, &level); if (rc) { fprintf(stderr, "getseuserbyname failed: %s\n", strerror(errno)); exit(2); } printf("seuser: %s, level %s\n", seuser, level); n = get_ordered_context_list_with_level(seuser, level, argv[2], &contextlist); if (n <= 0) { fprintf(stderr, "get_ordered_context_list_with_level failed: %s\n", strerror(errno)); exit(3); } free(seuser); free(level); for (i = 0; i < n; i++) printf("Context %d\t%s\n", i, contextlist[i]); freeconary(contextlist); exit(0); }
int main(int argc, char **argv) { security_context_t *list, usercon = NULL, cur_context = NULL; char *user = NULL, *level = NULL; int ret, i, opt; while ((opt = getopt(argc, argv, "l:")) > 0) { switch (opt) { case 'l': level = strdup(optarg); break; default: usage(argv[0], "invalid option", 1); } } if (((argc - optind) < 1) || ((argc - optind) > 2)) usage(argv[0], "invalid number of arguments", 2); /* If selinux isn't available, bail out. */ if (!is_selinux_enabled()) { fprintf(stderr, "getconlist may be used only on a SELinux kernel.\n"); return 1; } user = argv[optind]; /* If a context wasn't passed, use the current context. */ if (((argc - optind) < 2)) { if (getcon(&cur_context) < 0) { fprintf(stderr, "Couldn't get current context.\n"); return 2; } } else cur_context = argv[optind + 1]; /* Get the list and print it */ if (level) ret = get_ordered_context_list_with_level(user, level, cur_context, &list); else ret = get_ordered_context_list(user, cur_context, &list); if (ret != -1) { for (i = 0; list[i]; i++) puts(list[i]); freeconary(list); } free(usercon); return 0; }
int get_default_context_with_level(const char *user, const char *level, security_context_t fromcon, security_context_t * newcon) { security_context_t *conary; int rc; rc = get_ordered_context_list_with_level(user, level, fromcon, &conary); if (rc <= 0) return -1; *newcon = strdup(conary[0]); freeconary(conary); if (!(*newcon)) return -1; return 0; }
static int get_security_context(char *name, int crontab_fd, security_context_t *rcontext, char *tabname) { security_context_t *context_list = NULL; security_context_t current_con; int list_count = 0; security_context_t file_context=NULL; struct av_decision avd; int retval=0; char *seuser = NULL; char *level = NULL; int i; if (name != NULL) { if (getseuserbyname(name, &seuser, &level)) { log_it(name, getpid(), "getseuserbyname FAILED", tabname); return (security_getenforce() > 0); } } else { seuser = strdup("system_u"); } *rcontext = NULL; if(getcon(¤t_con)) { log_it(name, getpid(), "Can't get current context", tabname); return -1; } list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list); freecon(current_con); free(seuser); free(level); if (list_count == -1) { if (security_getenforce() > 0) { log_it(name, getpid(), "No SELinux security context", tabname); return -1; } else { log_it(name, getpid(), "No security context but SELinux in permissive mode," " continuing", tabname); return 0; } } if (fgetfilecon(crontab_fd, &file_context) < OK) { if (security_getenforce() > 0) { log_it(name, getpid(), "getfilecon FAILED", tabname); freeconary(context_list); return -1; } else { log_it(name, getpid(), "getfilecon FAILED but SELinux in " "permissive mode, continuing", tabname); *rcontext = strdup(context_list[0]); freeconary(context_list); return 0; } } /* * Since crontab files are not directly executed, * crond must ensure that the crontab file has * a context that is appropriate for the context of * the user cron job. It performs an entrypoint * permission check for this purpose. */ for(i = 0; i < list_count; i++) { retval = security_compute_av(context_list[i], file_context, SECCLASS_FILE, FILE__ENTRYPOINT, &avd); if(!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT)) { *rcontext = strdup(context_list[i]); freecon(file_context); freeconary(context_list); return 0; } } freecon(file_context); if (security_getenforce() > 0) { log_it(name, getpid(), "ENTRYPOINT FAILED", tabname); freeconary(context_list); return -1; } else { log_it(name, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname); *rcontext = strdup(context_list[0]); freeconary(context_list); } return 0; }