static sepoltrans *sepoltransFree(sepoltrans * pt) { ARGV_t file; if (!pt) { return NULL; } for (file = pt->filelist; file && *file; file++) { if (unlink(*file) < 0) { rpmlog(RPMLOG_WARNING, _("Failed to remove temporary policy file %s: %s\n"), *file, strerror(errno)); } } argvFree(pt->filelist); if (pt->execsemodule) { argvFree(pt->semodargs); } else { semanage_disconnect(pt->sh); semanage_handle_destroy(pt->sh); } free(pt->semodulepath); memset(pt, 0, sizeof(*pt)); /* trash and burn */ free(pt); return NULL; }
/* The suite cleanup function. * Returns zero on success, non-zero otherwise. */ int semanage_store_test_cleanup(void) { int err; /* remove the test policy directories */ err = rmdir(modpath); if (err != 0) return -1; err = rmdir(actpath); if (err != 0) return -1; err = rmdir(lockpath); if (err != 0) return -1; err = rmdir(polpath); if (err != 0) return -1; /* cleanup the handle */ semanage_handle_destroy(sh); return 0; }
static rpmRC sepolGo(void) { semanage_handle_t *sh; int existingPolicy; char *policytype = NULL; rpmRC rc = RPMRC_FAIL; static int performed = 0; if (performed) { return RPMRC_OK; } performed = 1; if (rpmChrootIn()) { goto exit; } if (selinux_getpolicytype(&policytype) < 0) { goto exit; } sepolPreparePolicies(policiesHead, policytype); /* determine if this is the first time installing policy */ sh = semanage_handle_create(); existingPolicy = (semanage_is_managed(sh) == 1); semanage_handle_destroy(sh); /* now load the policies */ rc = sepolLoadPolicies(policiesHead); /* re-init selinux and re-read the files contexts, since things may have changed */ selinux_reset_config(); if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) { if (rpmtsSELabelInit(ts, selinux_file_context_path()) == RPMRC_OK) { /* if this was the first time installing policy, every package before * policy was installed will be mislabeled (e.g. semodule). So, relabel * the entire filesystem if this is the case */ if (!existingPolicy) { if (sepolRelabelFiles() != RPMRC_OK) { rpmlog(RPMLOG_WARNING, _("Failed to relabel filesystem. Files may be mislabeled\n")); } } } else { rpmlog(RPMLOG_WARNING, _("Failed to reload file contexts. Files may be mislabeled\n")); } } exit: if (rpmChrootOut()) { rc = RPMRC_FAIL; } _free(policytype); return rc; }
static void sss_semanage_close(semanage_handle_t *handle) { if (handle == NULL) { return; /* semanage uses asserts */ } if (semanage_is_connected(handle)) { semanage_disconnect(handle); } semanage_handle_destroy(handle); }
semanage_handle_t *semanage_handle_create(void) { semanage_handle_t *sh = NULL; const char *conf_name = NULL; /* Allocate handle */ if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL) goto err; if ((conf_name = semanage_conf_path()) == NULL) goto err; if ((sh->conf = semanage_conf_parse(conf_name)) == NULL) goto err; /* Link to sepol handle */ sh->sepolh = sepol_handle_create(); if (!sh->sepolh) goto err; sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh); /* By default do not rebuild the policy on commit * If any changes are made, this flag is ignored */ sh->do_rebuild = 0; /* By default always reload policy after commit if SELinux is enabled. */ sh->do_reload = (is_selinux_enabled() > 0); /* By default always check the file contexts file. */ sh->do_check_contexts = 1; /* By default do not create store */ sh->create_store = 0; /* Set timeout: some default value for now, later use config */ sh->timeout = SEMANAGE_COMMIT_READ_WAIT; /* Set callback */ sh->msg_callback = semanage_msg_default_handler; sh->msg_callback_arg = NULL; return sh; err: semanage_handle_destroy(sh); return NULL; }
static semanage_handle_t *semanage_init (void) { int ret; semanage_handle_t *handle = NULL; handle = semanage_handle_create (); if (NULL == handle) { fprintf (stderr, _("Cannot create SELinux management handle\n")); return NULL; } semanage_msg_set_callback (handle, semanage_error_callback, NULL); ret = semanage_is_managed (handle); if (ret != 1) { fprintf (stderr, _("SELinux policy not managed\n")); goto fail; } ret = semanage_access_check (handle); if (ret < SEMANAGE_CAN_READ) { fprintf (stderr, _("Cannot read SELinux policy store\n")); goto fail; } ret = semanage_connect (handle); if (ret != 0) { fprintf (stderr, _("Cannot establish SELinux management connection\n")); goto fail; } ret = semanage_begin_transaction (handle); if (ret != 0) { fprintf (stderr, _("Cannot begin SELinux transaction\n")); goto fail; } return handle; fail: semanage_handle_destroy (handle); return NULL; }
static sepoltrans *sepoltransNew(void) { sepoltrans *pt = xcalloc(1, sizeof(*pt)); pt->semodulepath = rpmExpand("%{__semodule}", NULL); pt->execsemodule = (!rpmChrootDone() && access(pt->semodulepath, X_OK) == 0); pt->changes = 0; if (pt->execsemodule) { argvAdd(&pt->semodargs, "semodule"); } else { pt->sh = semanage_handle_create(); if (!pt->sh) { rpmlog(RPMLOG_ERR, _("Failed to create semanage handle\n")); goto err; } semanage_set_create_store(pt->sh, 1); semanage_set_check_contexts(pt->sh, 0); if (semanage_connect(pt->sh) < 0) { rpmlog(RPMLOG_ERR, _("Failed to connect to policy handler\n")); goto err; } if (semanage_begin_transaction(pt->sh) < 0) { rpmlog(RPMLOG_ERR, _("Failed to begin policy transaction: %s\n"), errno ? strerror(errno) : ""); goto err; } semanage_set_reload(pt->sh, !rpmChrootDone()); } return pt; err: if (pt->sh) { if (semanage_is_connected(pt->sh)) { semanage_disconnect(pt->sh); } semanage_handle_destroy(pt->sh); } free(pt); return NULL; }
int del_seuser(const char *login_name) { semanage_handle_t *handle = NULL; semanage_seuser_key_t *key = NULL; int ret; int exists = 0; handle = sss_semanage_init(); if (!handle) { DEBUG(1, ("Cannot init SELinux management\n")); ret = EIO; goto done; } ret = semanage_seuser_key_create(handle, login_name, &key); if (ret != 0) { DEBUG(1, ("Cannot create SELinux user key\n")); ret = EIO; goto done; } ret = semanage_seuser_exists(handle, key, &exists); if (ret < 0) { DEBUG(1, ("Cannot verify the SELinux user\n")); ret = EIO; goto done; } if (!exists) { DEBUG(5, ("Login mapping for %s is not defined, OK if default mapping " "was used\n", login_name)); ret = EOK; /* probably default mapping */ goto done; } ret = semanage_seuser_exists_local(handle, key, &exists); if (ret < 0) { DEBUG(1, ("Cannot verify the SELinux user\n")); ret = EIO; goto done; } if (!exists) { DEBUG(1, ("Login mapping for %s is defined in policy, " "cannot be deleted", login_name)); ret = ENOENT; goto done; } ret = semanage_seuser_del_local(handle, key); if (ret != 0) { DEBUG(1, ("Could not delete login mapping for %s", login_name)); ret = EIO; goto done; } ret = semanage_commit(handle); if (ret < 0) { DEBUG(1, ("Cannot commit SELinux transaction\n")); ret = EIO; goto done; } ret = EOK; done: semanage_handle_destroy(handle); return ret; }
int set_seuser(const char *login_name, const char *seuser_name) { semanage_handle_t *handle = NULL; semanage_seuser_key_t *key = NULL; int ret; int seuser_exists = 0; if (seuser_name == NULL) { /* don't care, just let system pick the defaults */ return EOK; } handle = sss_semanage_init(); if (!handle) { DEBUG(1, ("Cannot init SELinux management\n")); ret = EIO; goto done; } ret = semanage_seuser_key_create(handle, login_name, &key); if (ret != 0) { DEBUG(1, ("Cannot create SELinux user key\n")); ret = EIO; goto done; } ret = semanage_seuser_exists(handle, key, &seuser_exists); if (ret < 0) { DEBUG(1, ("Cannot verify the SELinux user\n")); ret = EIO; goto done; } if (seuser_exists) { ret = sss_semanage_user_mod(handle, key, login_name, seuser_name); if (ret != 0) { DEBUG(1, ("Cannot modify SELinux user mapping\n")); ret = EIO; goto done; } } else { ret = sss_semanage_user_add(handle, key, login_name, seuser_name); if (ret != 0) { DEBUG(1, ("Cannot add SELinux user mapping\n")); ret = EIO; goto done; } } ret = semanage_commit(handle); if (ret < 0) { DEBUG(1, ("Cannot commit SELinux transaction\n")); ret = EIO; goto done; } ret = EOK; done: semanage_seuser_key_free(key); semanage_handle_destroy(handle); return ret; }
/* Apply permanent boolean changes to policy via libsemanage */ static int semanage_set_boolean_list(size_t boolcnt, SELboolean * boollist) { size_t j; semanage_handle_t *handle = NULL; semanage_bool_t *boolean = NULL; semanage_bool_key_t *bool_key = NULL; int managed; handle = semanage_handle_create(); if (handle == NULL) { fprintf(stderr, "Could not create semanage library handle\n"); goto err; } managed = semanage_is_managed(handle); if (managed < 0) { fprintf(stderr, "Error when checking whether policy is managed\n"); goto err; } else if (managed == 0) { if (getuid() == 0) { fprintf(stderr, "Cannot set persistent booleans without managed policy.\n"); } else { fprintf(stderr, "Cannot set persistent booleans, please try as root.\n"); } goto err; } if (semanage_connect(handle) < 0) goto err; if (semanage_begin_transaction(handle) < 0) goto err; for (j = 0; j < boolcnt; j++) { if (semanage_bool_create(handle, &boolean) < 0) goto err; if (semanage_bool_set_name(handle, boolean, boollist[j].name) < 0) goto err; semanage_bool_set_value(boolean, boollist[j].value); if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0) goto err; if (semanage_bool_modify_local(handle, bool_key, boolean) < 0) goto err; if (semanage_bool_set_active(handle, bool_key, boolean) < 0) { fprintf(stderr, "Could not change boolean %s\n", boollist[j].name); goto err; } semanage_bool_key_free(bool_key); semanage_bool_free(boolean); bool_key = NULL; boolean = NULL; } semanage_set_reload(handle, reload); if (semanage_commit(handle) < 0) goto err; semanage_disconnect(handle); semanage_handle_destroy(handle); return 0; err: semanage_bool_key_free(bool_key); semanage_bool_free(boolean); semanage_handle_destroy(handle); fprintf(stderr, "Could not change policy booleans\n"); return -1; }
int del_seuser (const char *login_name) { semanage_handle_t *handle = NULL; semanage_seuser_key_t *key = NULL; int ret; int exists = 0; handle = semanage_init (); if (NULL == handle) { fprintf (stderr, _("Cannot init SELinux management\n")); ret = 1; goto done; } ret = semanage_seuser_key_create (handle, login_name, &key); if (ret != 0) { fprintf (stderr, _("Cannot create SELinux user key\n")); ret = 1; goto done; } ret = semanage_seuser_exists (handle, key, &exists); if (ret < 0) { fprintf (stderr, _("Cannot verify the SELinux user\n")); ret = 1; goto done; } if (0 == exists) { fprintf (stderr, _("Login mapping for %s is not defined, OK if default mapping was used\n"), login_name); ret = 0; /* probably default mapping */ goto done; } ret = semanage_seuser_exists_local (handle, key, &exists); if (ret < 0) { fprintf (stderr, _("Cannot verify the SELinux user\n")); ret = 1; goto done; } if (0 == exists) { fprintf (stderr, _("Login mapping for %s is defined in policy, cannot be deleted\n"), login_name); ret = 0; /* Login mapping defined in policy can't be deleted */ goto done; } ret = semanage_seuser_del_local (handle, key); if (ret != 0) { fprintf (stderr, _("Could not delete login mapping for %s"), login_name); ret = 1; goto done; } ret = semanage_commit (handle); if (ret < 0) { fprintf (stderr, _("Cannot commit SELinux transaction\n")); ret = 1; goto done; } ret = 0; done: semanage_handle_destroy (handle); return ret; }