static rpmRC sepolGo(void)
{
semanage_handle_t *sh;
int existingPolicy;
char *policytype = NULL;
rpmRC rc = RPMRC_FAIL;
static int performed = 0;
if (performed) {
return RPMRC_OK;
}
performed = 1;
if (rpmChrootIn()) {
goto exit;
}
if (selinux_getpolicytype(&policytype) < 0) {
goto exit;
}
sepolPreparePolicies(policiesHead, policytype);
/* determine if this is the first time installing policy */
sh = semanage_handle_create();
existingPolicy = (semanage_is_managed(sh) == 1);
semanage_handle_destroy(sh);
/* now load the policies */
rc = sepolLoadPolicies(policiesHead);
/* re-init selinux and re-read the files contexts, since things may have changed */
selinux_reset_config();
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
if (rpmtsSELabelInit(ts, selinux_file_context_path()) == RPMRC_OK) {
/* if this was the first time installing policy, every package before
* policy was installed will be mislabeled (e.g. semodule). So, relabel
* the entire filesystem if this is the case */
if (!existingPolicy) {
if (sepolRelabelFiles() != RPMRC_OK) {
rpmlog(RPMLOG_WARNING, _("Failed to relabel filesystem. Files may be mislabeled\n"));
}
}
} else {
rpmlog(RPMLOG_WARNING, _("Failed to reload file contexts. Files may be mislabeled\n"));
}
}
exit:
if (rpmChrootOut()) {
rc = RPMRC_FAIL;
}
_free(policytype);
return rc;
}
/*
* Mount point for selinuxfs.
* This definition is private to the function below.
* Everything else uses the location determined during
* libselinux startup via /proc/mounts (see init_selinuxmnt).
* We only need the hardcoded definition for the initial mount
* required for the initial policy load.
*/
int selinux_init_load_policy(int *enforce)
{
int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1;
FILE *cfg;
char *buf;
/*
* Reread the selinux configuration in case it has changed.
* Example: Caller has chroot'd and is now loading policy from
* chroot'd environment.
*/
selinux_reset_config();
/*
* Get desired mode (disabled, permissive, enforcing) from
* /etc/selinux/config.
*/
selinux_getenforcemode(&seconfig);
/* Check for an override of the mode via the kernel command line. */
rc = mount("proc", "/proc", "proc", 0, 0);
cfg = fopen("/proc/cmdline", "r");
if (cfg) {
char *tmp;
buf = malloc(selinux_page_size);
if (!buf) {
fclose(cfg);
return -1;
}
if (fgets(buf, selinux_page_size, cfg) &&
(tmp = strstr(buf, "enforcing="))) {
if (tmp == buf || isspace(*(tmp - 1))) {
secmdline =
atoi(tmp + sizeof("enforcing=") - 1);
}
}
fclose(cfg);
free(buf);
}
#ifndef MNT_DETACH
#define MNT_DETACH 2
#endif
if (rc == 0)
umount2("/proc", MNT_DETACH);
/*
* Determine the final desired mode.
* Command line argument takes precedence, then config file.
*/
if (secmdline >= 0)
*enforce = secmdline;
else if (seconfig >= 0)
*enforce = seconfig;
else
*enforce = 0; /* unspecified or disabled */
/*
* Check for the existence of SELinux via selinuxfs, and
* mount it if present for use in the calls below.
*/
if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
if (errno == ENODEV) {
/*
* SELinux was disabled in the kernel, either
* omitted entirely or disabled at boot via selinux=0.
* This takes precedence over any config or
* commandline enforcing setting.
*/
*enforce = 0;
} else {
/* Only emit this error if selinux was not disabled */
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
}
goto noload;
}
set_selinuxmnt(SELINUXMNT);
/*
* Note: The following code depends on having selinuxfs
* already mounted and selinuxmnt set above.
*/
if (seconfig == -1) {
/* Runtime disable of SELinux. */
rc = security_disable();
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
umount(SELINUXMNT);
fini_selinuxmnt();
}
/*
* If we failed to disable, SELinux will still be
* effectively permissive, because no policy is loaded.
* No need to call security_setenforce(0) here.
*/
goto noload;
}
/*
* If necessary, change the kernel enforcing status to match
* the desired mode.
*/
orig_enforce = rc = security_getenforce();
if (rc < 0)
goto noload;
if (orig_enforce != *enforce) {
rc = security_setenforce(*enforce);
if (rc < 0) {
fprintf(stderr, "SELinux: Unable to switch to %s mode: %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno));
if (*enforce)
goto noload;
}
}
/* Load the policy. */
return selinux_mkload_policy(0);
noload:
/*
* Only return 0 on a successful completion of policy load.
* In any other case, we want to return an error so that init
* knows not to proceed with the re-exec for the domain transition.
* Depending on the *enforce setting, init will halt (> 0) or proceed
* normally (otherwise).
*/
return -1;
}