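/*
 * Usage: <prog> linuxuser fromcon
 *
 * Looks up the SELinux user and MLS level mapped to the Linux login
 * `linuxuser`, then prints every context that login may reach from the
 * source context `fromcon`, in the library's preference order.
 *
 * Exit status: 0 on success; 1 on bad usage; 2 if the seuser lookup
 * fails; 3 if no context list could be computed (errno is reported).
 */
int main(int argc, char **argv) 
{
  char *seuser = NULL, *level = NULL;
  security_context_t *contextlist;
  int rc, n, i;
 
  if (argc != 3) {
	fprintf(stderr, "usage:  %s linuxuser fromcon\n", argv[0]);
	exit(1);
  }

  rc = getseuserbyname(argv[1], &seuser, &level);
  if (rc) {
	  fprintf(stderr, "getseuserbyname failed:  %s\n", strerror(errno));
	  exit(2);
  }
  /* A login with no MLS level configured may come back with level == NULL;
   * passing NULL to %s is undefined, so print a marker instead. The lookup
   * below accepts a NULL level. */
  printf("seuser:  %s, level %s\n", seuser, level ? level : "(none)");
  n = get_ordered_context_list_with_level(seuser, level, argv[2], &contextlist);
  if (n <= 0) {
	  fprintf(stderr, "get_ordered_context_list_with_level failed:  %s\n", strerror(errno));
	  exit(3);
  }
  /* seuser/level are only needed for the lookup above. */
  free(seuser);
  free(level);
  for (i = 0; i < n; i++)
	printf("Context %d\t%s\n", i, contextlist[i]);
  freeconary(contextlist);
  exit(0);
}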
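/*
 * getconlist: print the ordered list of SELinux contexts reachable for a
 * user, optionally restricted to an MLS level.
 *
 * Usage: getconlist [-l level] user [fromcon]
 *
 * When fromcon is omitted the process's own context is used as the source.
 *
 * Exit status: 0 on success; 1 if SELinux is not enabled; 2 if the current
 * context cannot be read; 3 if no context list could be computed. Usage
 * errors are reported through usage().
 */
int main(int argc, char **argv)
{
	security_context_t *list, cur_context = NULL;
	char *user = NULL, *level = NULL;
	int ret, i, opt;
	int own_context = 0;	/* cur_context came from getcon() and must be freed */
	int status = 0;

	while ((opt = getopt(argc, argv, "l:")) > 0) {
		switch (opt) {
		case 'l':
			free(level);	/* a repeated -l would otherwise leak the first copy */
			level = strdup(optarg);
			if (!level) {
				fprintf(stderr, "Couldn't copy level.\n");
				return 3;
			}
			break;
		default:
			usage(argv[0], "invalid option", 1);
		}
	}

	if (((argc - optind) < 1) || ((argc - optind) > 2))
		usage(argv[0], "invalid number of arguments", 2);

	/* If selinux isn't available, bail out. */
	if (!is_selinux_enabled()) {
		fprintf(stderr,
			"getconlist may be used only on a SELinux kernel.\n");
		free(level);
		return 1;
	}

	user = argv[optind];

	/* If a context wasn't passed, use the current context. */
	if ((argc - optind) < 2) {
		if (getcon(&cur_context) < 0) {
			fprintf(stderr, "Couldn't get current context.\n");
			free(level);
			return 2;
		}
		own_context = 1;
	} else
		cur_context = argv[optind + 1];	/* borrowed from argv, not freed */

	/* Get the list and print it. */
	if (level)
		ret = get_ordered_context_list_with_level(user, level,
							  cur_context, &list);
	else
		ret = get_ordered_context_list(user, cur_context, &list);
	if (ret != -1) {
		for (i = 0; list[i]; i++)
			puts(list[i]);
		freeconary(list);
	} else {
		/* A failed lookup used to exit 0 silently; report it so callers
		 * scripting this tool can tell "no contexts" from success. */
		fprintf(stderr, "Couldn't get context list for %s.\n", user);
		status = 3;
	}

	if (own_context)
		freecon(cur_context);
	free(level);

	return status;
}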
/*
 * Pick the preferred context for `user` at MLS level `level`, reachable
 * from `fromcon`: the head of the ordered context list.
 *
 * On success stores a freshly allocated context in *newcon (caller frees
 * with freecon()) and returns 0. Returns -1 if no context list could be
 * obtained (*newcon untouched) or if the copy could not be allocated
 * (*newcon set to NULL).
 */
int get_default_context_with_level(const char *user,
				   const char *level,
				   security_context_t fromcon,
				   security_context_t * newcon)
{
	security_context_t *candidates = NULL;
	int count = get_ordered_context_list_with_level(user, level, fromcon,
							&candidates);
	if (count <= 0)
		return -1;

	/* The list is already in preference order; keep only its first entry. */
	security_context_t chosen = strdup(candidates[0]);
	freeconary(candidates);
	*newcon = chosen;

	return chosen ? 0 : -1;
}
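/*
 * Choose the SELinux context a user's cron jobs should run in.
 *
 * name        Linux login name of the crontab owner, or NULL for the
 *             system crontab (mapped to seuser "system_u").
 * crontab_fd  open descriptor of the crontab file whose label is checked.
 * rcontext    out: on success a freshly allocated context (caller frees
 *             with freecon()); NULL when SELinux is permissive and no
 *             usable context was found.
 * tabname     crontab name, used only in log messages.
 *
 * Returns 0 when a context was chosen or SELinux is permissive, -1 on
 * failure in enforcing mode. The early getseuserbyname failure keeps its
 * original convention of returning 1 in enforcing mode and 0 otherwise.
 *
 * The crontab file is never executed directly, so crond checks that the
 * candidate job context has `entrypoint` permission on the file's label;
 * the first candidate (in preference order) that passes is used.
 */
static int get_security_context(char *name, int crontab_fd, security_context_t
                                *rcontext, char *tabname) {
    security_context_t *context_list = NULL;
    security_context_t current_con;
    int list_count = 0;
    security_context_t  file_context=NULL;
    struct av_decision avd;
    int retval=0;
    char *seuser = NULL;
    char *level = NULL;
    int i;

    if (name != NULL) {
        if (getseuserbyname(name, &seuser, &level)) {
            log_it(name, getpid(), "getseuserbyname FAILED", tabname);
            return (security_getenforce() > 0);
        }
    }
    else
    {
        seuser = strdup("system_u");
        if (seuser == NULL) {
            log_it(name, getpid(), "strdup FAILED", tabname);
            return -1;
        }
    }

    *rcontext = NULL;
    if(getcon(&current_con)) {
        log_it(name, getpid(), "Can't get current context", tabname);
        free(seuser);
        free(level);
        return -1;
    }
    /* level may be NULL (no MLS level configured); the lookup accepts that. */
    list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
    freecon(current_con);
    free(seuser);
    free(level);
    /* -1 is the library's error return; an empty list is equally unusable,
     * because the permissive fallbacks below read context_list[0]. */
    if (list_count <= 0) {
        freeconary(context_list);
        if (security_getenforce() > 0) {
            log_it(name, getpid(), "No SELinux security context", tabname);
            return -1;
        } else {
            log_it(name, getpid(),
                   "No security context but SELinux in permissive mode,"
                   " continuing", tabname);
	    return 0;
        }
    }

    if (fgetfilecon(crontab_fd, &file_context) < OK) {
        if (security_getenforce() > 0) {
            log_it(name, getpid(), "getfilecon FAILED", tabname);
            freeconary(context_list);
            return -1;
        } else {
            /* Permissive: fall back to the preferred context without the
             * entrypoint check; a NULL *rcontext (strdup failure) is already
             * a tolerated outcome of this mode. */
            log_it(name, getpid(), "getfilecon FAILED but SELinux in "
                   "permissive mode, continuing", tabname);
            *rcontext = strdup(context_list[0]);
            freeconary(context_list);
            return 0;
        }
    }

    /*
     * Since crontab files are not directly executed,
     * crond must ensure that the crontab file has
     * a context that is appropriate for the context of
     * the user cron job.  It performs an entrypoint
     * permission check for this purpose.
     */

    for(i = 0; i < list_count; i++)
    {
        retval = security_compute_av(context_list[i],
                                 file_context,
                                 SECCLASS_FILE,
                                 FILE__ENTRYPOINT,
                                 &avd);
        /* A failed AV query counts as "not allowed" and the next candidate
         * is tried. */
        if(!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT)) {
            *rcontext = strdup(context_list[i]);
            freecon(file_context);
            freeconary(context_list);
            if (*rcontext == NULL) {
                /* The check passed but we cannot hand back the context;
                 * do not report success with an empty result. */
                log_it(name, getpid(), "strdup FAILED", tabname);
                return -1;
            }
            return 0;
        }
    }
    freecon(file_context);
    if (security_getenforce() > 0) {
        log_it(name, getpid(), "ENTRYPOINT FAILED", tabname);
        freeconary(context_list);
        return -1;
    } else {
        /* Permissive: the denial is logged but the job still runs in the
         * preferred context, matching the kernel's audit-only behaviour. */
        log_it(name, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
        *rcontext = strdup(context_list[0]);
        freeconary(context_list);
    }
    return 0;
}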