void
map_decision(security_class_t tclass, struct av_decision *avd)
{
if (tclass < current_mapping_size) {
bool allow_unknown = (security_deny_unknown() == 0);
struct selinux_mapping *mapping = ¤t_mapping[tclass];
unsigned int i, n = mapping->num_perms;
access_vector_t result;
for (i = 0, result = 0; i < n; i++) {
if (avd->allowed & mapping->perms[i])
result |= 1<<i;
else if (allow_unknown && !mapping->perms[i])
result |= 1<<i;
}
avd->allowed = result;
for (i = 0, result = 0; i < n; i++) {
if (avd->decided & mapping->perms[i])
result |= 1<<i;
else if (allow_unknown && !mapping->perms[i])
result |= 1<<i;
}
avd->decided = result;
for (i = 0, result = 0; i < n; i++)
if (avd->auditallow & mapping->perms[i])
result |= 1<<i;
avd->auditallow = result;
for (i = 0, result = 0; i < n; i++) {
if (avd->auditdeny & mapping->perms[i])
result |= 1<<i;
else if (!allow_unknown && !mapping->perms[i])
result |= 1<<i;
}
/*
* Make sure we audit denials for any permission check
* beyond the mapping->num_perms since this indicates
* a bug in the object manager.
*/
for (; i < (sizeof(result)*8); i++)
result |= 1<<i;
avd->auditdeny = result;
}
}
/*
* selinux_status_deny_unknown
*
* It returns a guideline to handle undefined object classes or permissions.
* 0 means SELinux treats policy queries on undefined stuff being allowed,
* however, 1 means such queries are denied.
*/
int selinux_status_deny_unknown(void)
{
uint32_t seqno;
uint32_t deny_unknown;
if (selinux_status == NULL) {
errno = EINVAL;
return -1;
}
if (selinux_status == MAP_FAILED)
return security_deny_unknown();
/* sequence must not be changed during references */
do {
seqno = read_sequence(selinux_status);
deny_unknown = selinux_status->deny_unknown;
} while (seqno != read_sequence(selinux_status));
return deny_unknown ? 1 : 0;
}
int main(int argc, char **argv)
{
/* these vars are reused several times */
int rc, opt, i, c;
char *context, *root_path;
/* files that need context checks */
char *fc[MAX_CHECK];
char *cterm = ttyname(0);
int nfc = 0;
struct stat m;
/* processes that need context checks */
char *pc[MAX_CHECK];
int npc = 0;
/* booleans */
char **bools;
int nbool;
int verbose = 0;
int show_bools = 0;
/* policy */
const char *pol_name, *root_dir;
char *pol_path;
while (1) {
opt = getopt(argc, argv, "vb");
if (opt == -1)
break;
switch (opt) {
case 'v':
verbose = 1;
break;
case 'b':
show_bools = 1;
break;
default:
/* invalid option */
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
printf(" -v Verbose check of process and file contexts.\n");
printf(" -b Display current state of booleans.\n");
printf("\nWithout options, show SELinux status.\n");
return -1;
}
}
printf_tab("SELinux status:");
rc = is_selinux_enabled();
switch (rc) {
case 1:
printf("enabled\n");
break;
case 0:
printf("disabled\n");
return 0;
break;
default:
printf("unknown (%s)\n", strerror(errno));
return 0;
break;
}
printf_tab("SELinuxfs mount:");
if (selinux_mnt != NULL) {
printf("%s\n", selinux_mnt);
} else {
printf("not mounted\n\n");
printf("Please mount selinuxfs for proper results.\n");
return -1;
}
printf_tab("SELinux root directory:");
root_dir = selinux_path();
if (root_dir == NULL) {
printf("error (%s)\n", strerror(errno));
return -1;
}
/* The path has a trailing '/' so duplicate to edit */
root_path = strdup(root_dir);
if (!root_path) {
printf("malloc error (%s)\n", strerror(errno));
return -1;
}
/* actually blank the '/' */
root_path[strlen(root_path) - 1] = '\0';
printf("%s\n", root_path);
free(root_path);
/* Dump all the path information */
printf_tab("Loaded policy name:");
pol_path = strdup(selinux_policy_root());
if (pol_path) {
pol_name = basename(pol_path);
puts(pol_name);
free(pol_path);
} else {
printf("error (%s)\n", strerror(errno));
}
printf_tab("Current mode:");
rc = security_getenforce();
switch (rc) {
case 1:
printf("enforcing\n");
break;
case 0:
printf("permissive\n");
break;
default:
printf("unknown (%s)\n", strerror(errno));
break;
}
printf_tab("Mode from config file:");
if (selinux_getenforcemode(&rc) == 0) {
switch (rc) {
case 1:
printf("enforcing\n");
break;
case 0:
printf("permissive\n");
break;
case -1:
printf("disabled\n");
break;
}
} else {
printf("error (%s)\n", strerror(errno));
}
printf_tab("Policy MLS status:");
rc = is_selinux_mls_enabled();
switch (rc) {
case 0:
printf("disabled\n");
break;
case 1:
printf("enabled\n");
break;
default:
printf("error (%s)\n", strerror(errno));
break;
}
printf_tab("Policy deny_unknown status:");
rc = security_deny_unknown();
switch (rc) {
case 0:
printf("allowed\n");
break;
case 1:
printf("denied\n");
break;
default:
printf("error (%s)\n", strerror(errno));
break;
}
rc = security_policyvers();
printf_tab("Max kernel policy version:");
if (rc < 0)
printf("unknown (%s)\n", strerror(errno));
else
printf("%d\n", rc);
if (show_bools) {
/* show booleans */
if (security_get_boolean_names(&bools, &nbool) >= 0) {
printf("\nPolicy booleans:\n");
for (i = 0; i < nbool; i++) {
if (strlen(bools[i]) + 1 > COL)
COL = strlen(bools[i]) + 1;
}
for (i = 0; i < nbool; i++) {
printf_tab(bools[i]);
rc = security_get_boolean_active(bools[i]);
switch (rc) {
case 1:
printf("on");
break;
case 0:
printf("off");
break;
default:
printf("unknown (%s)", strerror(errno));
break;
}
c = security_get_boolean_pending(bools[i]);
if (c != rc)
switch (c) {
case 1:
printf(" (activate pending)");
break;
case 0:
printf(" (inactivate pending)");
break;
default:
printf(" (pending error: %s)",
strerror(errno));
break;
}
printf("\n");
/* free up the booleans */
free(bools[i]);
}
free(bools);
}
}
/* only show contexts if -v is given */
if (!verbose)
return 0;
load_checks(pc, &npc, fc, &nfc);
printf("\nProcess contexts:\n");
printf_tab("Current context:");
if (getcon(&context) >= 0) {
printf("%s\n", context);
freecon(context);
} else
printf("unknown (%s)\n", strerror(errno));
printf_tab("Init context:");
if (getpidcon(1, &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else
printf("unknown (%s)\n", strerror(errno));
for (i = 0; i < npc; i++) {
rc = pidof(pc[i]);
if (rc > 0) {
if (getpidcon(rc, &context) < 0)
continue;
printf_tab(pc[i]);
printf("%s\n", context);
freecon(context);
}
}
printf("\nFile contexts:\n");
/* controlling term */
printf_tab("Controlling terminal:");
if (lgetfilecon(cterm, &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else {
printf("unknown (%s)\n", strerror(errno));
}
for (i = 0; i < nfc; i++) {
if (lgetfilecon(fc[i], &context) >= 0) {
printf_tab(fc[i]);
/* check if this is a symlink */
if (lstat(fc[i], &m)) {
printf
("%s (could not check link status (%s)!)\n",
context, strerror(errno));
freecon(context);
continue;
}
if (S_ISLNK(m.st_mode)) {
/* print link target context */
printf("%s -> ", context);
freecon(context);
if (getfilecon(fc[i], &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else {
printf("unknown (%s)\n",
strerror(errno));
}
} else {
printf("%s\n", context);
freecon(context);
}
}
}
return 0;
}
/*
* sepgsql_compute_avd
*
* It actually asks SELinux what permissions are allowed on a pair of
* the security contexts and object class. It also returns what permissions
* should be audited on access violation or allowed.
* In most cases, subject's security context (scontext) is a client, and
* target security context (tcontext) is a database object.
*
* The access control decision shall be set on the given av_decision.
* The av_decision.allowed has a bitmask of SEPG_<class>__<perms>
* to suggest a set of allowed actions in this object class.
*/
void
sepgsql_compute_avd(const char *scontext,
const char *tcontext,
uint16 tclass,
struct av_decision *avd)
{
const char *tclass_name;
security_class_t tclass_ex;
struct av_decision avd_ex;
int i, deny_unknown = security_deny_unknown();
/* Get external code of the object class*/
Assert(tclass < SEPG_CLASS_MAX);
Assert(tclass == selinux_catalog[tclass].class_code);
tclass_name = selinux_catalog[tclass].class_name;
tclass_ex = string_to_security_class(tclass_name);
if (tclass_ex == 0)
{
/*
* If the current security policy does not support permissions
* corresponding to database objects, we fill up them with dummy
* data.
* If security_deny_unknown() returns positive value, undefined
* permissions should be denied. Otherwise, allowed
*/
avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0);
avd->auditallow = 0U;
avd->auditdeny = ~0U;
avd->flags = 0;
return;
}
/*
* Ask SELinux what is allowed set of permissions on a pair of the
* security contexts and the given object class.
*/
if (security_compute_av_flags_raw((security_context_t)scontext,
(security_context_t)tcontext,
tclass_ex, 0, &avd_ex) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux could not compute av_decision: "
"scontext=%s tcontext=%s tclass=%s",
scontext, tcontext, tclass_name)));
/*
* SELinux returns its access control decision as a set of permissions
* represented in external code which depends on run-time environment.
* So, we need to translate it to the internal representation before
* returning results for the caller.
*/
memset(avd, 0, sizeof(struct av_decision));
for (i=0; selinux_catalog[tclass].av[i].av_name; i++)
{
access_vector_t av_code_ex;
const char *av_name = selinux_catalog[tclass].av[i].av_name;
uint32 av_code = selinux_catalog[tclass].av[i].av_code;
av_code_ex = string_to_av_perm(tclass_ex, av_name);
if (av_code_ex == 0)
{
/* fill up undefined permissions */
if (!deny_unknown)
avd->allowed |= av_code;
avd->auditdeny |= av_code;
continue;
}
if (avd_ex.allowed & av_code_ex)
avd->allowed |= av_code;
if (avd_ex.auditallow & av_code_ex)
avd->auditallow |= av_code;
if (avd_ex.auditdeny & av_code_ex)
avd->auditdeny |= av_code;
}
return;
}
/* Check the permission from the caller (via getpeercon) to nscd.
Returns 0 if access is allowed, 1 if denied, and -1 on error.
The SELinux policy, enablement, and permission bits are all dynamic and the
caching done by glibc is not entirely correct. This nscd support should be
rewritten to use selinux_check_permission. A rewrite is risky though and
requires some refactoring. Currently we use symbolic mappings instead of
compile time constants (which SELinux upstream says are going away), and we
use security_deny_unknown to determine what to do if selinux-policy* doesn't
have a definition for the the permission or object class we are looking
up. */
int
nscd_request_avc_has_perm (int fd, request_type req)
{
/* Initialize to NULL so we know what to free in case of failure. */
security_context_t scon = NULL;
security_context_t tcon = NULL;
security_id_t ssid = NULL;
security_id_t tsid = NULL;
int rc = -1;
security_class_t sc_nscd;
access_vector_t perm;
int avc_deny_unknown;
/* Check if SELinux denys or allows unknown object classes
and permissions. It is 0 if they are allowed, 1 if they
are not allowed and -1 on error. */
if ((avc_deny_unknown = security_deny_unknown ()) == -1)
dbg_log (_("Error querying policy for undefined object classes "
"or permissions."));
/* Get the security class for nscd. If this fails we will likely be
unable to do anything unless avc_deny_unknown is 0. */
sc_nscd = string_to_security_class ("nscd");
if (sc_nscd == 0 && avc_deny_unknown == 1)
dbg_log (_("Error getting security class for nscd."));
/* Convert permission to AVC bits. */
perm = string_to_av_perm (sc_nscd, perms[req]);
if (perm == 0 && avc_deny_unknown == 1)
dbg_log (_("Error translating permission name "
"\"%s\" to access vector bit."), perms[req]);
/* If the nscd security class was not found or perms were not
found and AVC does not deny unknown values then allow it. */
if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0)
return 0;
if (getpeercon (fd, &scon) < 0)
{
dbg_log (_("Error getting context of socket peer"));
goto out;
}
if (getcon (&tcon) < 0)
{
dbg_log (_("Error getting context of nscd"));
goto out;
}
if (avc_context_to_sid (scon, &ssid) < 0
|| avc_context_to_sid (tcon, &tsid) < 0)
{
dbg_log (_("Error getting sid from context"));
goto out;
}
/* The SELinux API for avc_has_perm conflates access denied and error into
the return code -1, while nscd_request_avs_has_perm has distinct error
(-1) and denied (1) return codes. We map the avc_has_perm access denied or
error into an access denied at the nscd interface level (we do accurately
report error for the getpeercon, getcon, and avc_context_to_sid interfaces
used above). */
rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0;
out:
if (scon)
freecon (scon);
if (tcon)
freecon (tcon);
if (ssid)
sidput (ssid);
if (tsid)
sidput (tsid);
return rc;
}
int
selinux_set_mapping(struct security_class_mapping *map)
{
size_t size = sizeof(struct selinux_mapping);
security_class_t i, j;
unsigned k;
bool print_unknown_handle = false;
bool reject = (security_reject_unknown() == 1);
bool deny = (security_deny_unknown() == 1);
free(current_mapping);
current_mapping = NULL;
current_mapping_size = 0;
if (avc_reset() < 0)
goto err;
/* Find number of classes in the input mapping */
if (!map) {
errno = EINVAL;
goto err;
}
i = 0;
while (map[i].name)
i++;
/* Allocate space for the class records, plus one for class zero */
current_mapping = (struct selinux_mapping *)calloc(++i, size);
if (!current_mapping)
goto err;
/* Store the raw class and permission values */
j = 0;
while (map[j].name) {
struct security_class_mapping *p_in = map + (j++);
struct selinux_mapping *p_out = current_mapping + j;
p_out->value = string_to_security_class(p_in->name);
if (!p_out->value) {
selinux_log(SELINUX_INFO,
"SELinux: Class %s not defined in policy.\n",
p_in->name);
if (reject)
goto err2;
p_out->num_perms = 0;
print_unknown_handle = true;
continue;
}
k = 0;
while (p_in->perms[k]) {
/* An empty permission string skips ahead */
if (!*p_in->perms[k]) {
k++;
continue;
}
p_out->perms[k] = string_to_av_perm(p_out->value,
p_in->perms[k]);
if (!p_out->perms[k]) {
selinux_log(SELINUX_INFO,
"SELinux: Permission %s in class %s not defined in policy.\n",
p_in->perms[k], p_in->name);
if (reject)
goto err2;
print_unknown_handle = true;
}
k++;
}
p_out->num_perms = k;
}
if (print_unknown_handle)
selinux_log(SELINUX_INFO,
"SELinux: the above unknown classes and permissions will be %s\n",
deny ? "denied" : "allowed");
/* Set the mapping size here so the above lookups are "raw" */
current_mapping_size = i;
return 0;
err2:
free(current_mapping);
current_mapping = NULL;
current_mapping_size = 0;
err:
return -1;
}
static JSBool
rpmsx_getprop(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
{
void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL);
jsint tiny = JSVAL_TO_INT(id);
#if defined(WITH_SELINUX)
security_context_t con = NULL;
#endif
/* XXX the class has ptr == NULL, instances have ptr != NULL. */
if (ptr == NULL)
return JS_TRUE;
switch (tiny) {
case _DEBUG:
*vp = INT_TO_JSVAL(_debug);
break;
#if defined(WITH_SELINUX)
case _CURRENT: *vp = _GET_CON(!getcon(&con)); break;
case _PID: *vp = _GET_CON(!getpidcon(getpid(), &con)); break;
case _PPID: *vp = _GET_CON(!getpidcon(getppid(), &con)); break;
case _PREV: *vp = _GET_CON(!getprevcon(&con)); break;
case _EXEC: *vp = _GET_CON(!getexeccon(&con)); break;
case _FSCREATE: *vp = _GET_CON(!getfscreatecon(&con)); break;
case _KEYCREATE: *vp = _GET_CON(!getkeycreatecon(&con)); break;
case _SOCKCREATE: *vp = _GET_CON(!getsockcreatecon(&con)); break;
case _ENFORCE: *vp = INT_TO_JSVAL(security_getenforce()); break;
case _DENY: *vp = INT_TO_JSVAL(security_deny_unknown()); break;
case _POLICYVERS: *vp = INT_TO_JSVAL(security_policyvers()); break;
case _ENABLED: *vp = INT_TO_JSVAL(is_selinux_enabled()); break;
case _MLSENABLED: *vp = INT_TO_JSVAL(is_selinux_mls_enabled()); break;
#ifdef NOTYET
case _BOOLS: *vp = ; break;
#endif
case _ROOT: *vp = _GET_STR(selinux_policy_root()); break;
case _BINARY: *vp = _GET_STR(selinux_binary_policy_path()); break;
case _FAILSAFE: *vp = _GET_STR(selinux_failsafe_context_path());break;
case _REMOVABLE: *vp = _GET_STR(selinux_removable_context_path());break;
case _DEFAULT: *vp = _GET_STR(selinux_default_context_path()); break;
case _USER: *vp = _GET_STR(selinux_user_contexts_path()); break;
case _FCON: *vp = _GET_STR(selinux_file_context_path()); break;
case _FCONHOME: *vp = _GET_STR(selinux_file_context_homedir_path());break;
case _FCONLOCAL: *vp = _GET_STR(selinux_file_context_local_path());break;
case _FCONSUBS: *vp = _GET_STR(selinux_file_context_subs_path());break;
case _HOMEDIR: *vp = _GET_STR(selinux_homedir_context_path()); break;
case _MEDIA: *vp = _GET_STR(selinux_media_context_path()); break;
case _VIRTDOMAIN: *vp = _GET_STR(selinux_virtual_domain_context_path());break;
case _VIRTIMAGE: *vp = _GET_STR(selinux_virtual_image_context_path());break;
case _X: *vp = _GET_STR(selinux_x_context_path()); break;
case _CONTEXTS: *vp = _GET_STR(selinux_contexts_path()); break;
case _SECURETTY: *vp = _GET_STR(selinux_securetty_types_path()); break;
case _BOOLEANS: *vp = _GET_STR(selinux_booleans_path()); break;
case _CUSTOMTYPES: *vp = _GET_STR(selinux_customizable_types_path());break;
case _USERS: *vp = _GET_STR(selinux_users_path()); break;
case _USERSCONF: *vp = _GET_STR(selinux_usersconf_path()); break;
case _XLATIONS: *vp = _GET_STR(selinux_translations_path()); break;
case _COLORS: *vp = _GET_STR(selinux_colors_path()); break;
case _NETFILTER: *vp = _GET_STR(selinux_netfilter_context_path());break;
case _PATH: *vp = _GET_STR(selinux_path()); break;
#endif
default:
break;
}
#if defined(WITH_SELINUX)
if (con) {
freecon(con);
con = NULL;
}
#endif
return JS_TRUE;
}
