static sepoltrans *sepoltransFree(sepoltrans * pt)
{
ARGV_t file;
if (!pt) {
return NULL;
}
for (file = pt->filelist; file && *file; file++) {
if (unlink(*file) < 0) {
rpmlog(RPMLOG_WARNING, _("Failed to remove temporary policy file %s: %s\n"),
*file, strerror(errno));
}
}
argvFree(pt->filelist);
if (pt->execsemodule) {
argvFree(pt->semodargs);
} else {
semanage_disconnect(pt->sh);
semanage_handle_destroy(pt->sh);
}
free(pt->semodulepath);
memset(pt, 0, sizeof(*pt)); /* trash and burn */
free(pt);
return NULL;
}
/* The suite cleanup function.
* Returns zero on success, non-zero otherwise.
*/
int semanage_store_test_cleanup(void)
{
int err;
/* remove the test policy directories */
err = rmdir(modpath);
if (err != 0)
return -1;
err = rmdir(actpath);
if (err != 0)
return -1;
err = rmdir(lockpath);
if (err != 0)
return -1;
err = rmdir(polpath);
if (err != 0)
return -1;
/* cleanup the handle */
semanage_handle_destroy(sh);
return 0;
}
static rpmRC sepolGo(void)
{
semanage_handle_t *sh;
int existingPolicy;
char *policytype = NULL;
rpmRC rc = RPMRC_FAIL;
static int performed = 0;
if (performed) {
return RPMRC_OK;
}
performed = 1;
if (rpmChrootIn()) {
goto exit;
}
if (selinux_getpolicytype(&policytype) < 0) {
goto exit;
}
sepolPreparePolicies(policiesHead, policytype);
/* determine if this is the first time installing policy */
sh = semanage_handle_create();
existingPolicy = (semanage_is_managed(sh) == 1);
semanage_handle_destroy(sh);
/* now load the policies */
rc = sepolLoadPolicies(policiesHead);
/* re-init selinux and re-read the files contexts, since things may have changed */
selinux_reset_config();
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
if (rpmtsSELabelInit(ts, selinux_file_context_path()) == RPMRC_OK) {
/* if this was the first time installing policy, every package before
* policy was installed will be mislabeled (e.g. semodule). So, relabel
* the entire filesystem if this is the case */
if (!existingPolicy) {
if (sepolRelabelFiles() != RPMRC_OK) {
rpmlog(RPMLOG_WARNING, _("Failed to relabel filesystem. Files may be mislabeled\n"));
}
}
} else {
rpmlog(RPMLOG_WARNING, _("Failed to reload file contexts. Files may be mislabeled\n"));
}
}
exit:
if (rpmChrootOut()) {
rc = RPMRC_FAIL;
}
_free(policytype);
return rc;
}
static void sss_semanage_close(semanage_handle_t *handle)
{
if (handle == NULL) {
return; /* semanage uses asserts */
}
if (semanage_is_connected(handle)) {
semanage_disconnect(handle);
}
semanage_handle_destroy(handle);
}
semanage_handle_t *semanage_handle_create(void)
{
semanage_handle_t *sh = NULL;
const char *conf_name = NULL;
/* Allocate handle */
if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
goto err;
if ((conf_name = semanage_conf_path()) == NULL)
goto err;
if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
goto err;
/* Link to sepol handle */
sh->sepolh = sepol_handle_create();
if (!sh->sepolh)
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
/* By default always reload policy after commit if SELinux is enabled. */
sh->do_reload = (is_selinux_enabled() > 0);
/* By default always check the file contexts file. */
sh->do_check_contexts = 1;
/* By default do not create store */
sh->create_store = 0;
/* Set timeout: some default value for now, later use config */
sh->timeout = SEMANAGE_COMMIT_READ_WAIT;
/* Set callback */
sh->msg_callback = semanage_msg_default_handler;
sh->msg_callback_arg = NULL;
return sh;
err:
semanage_handle_destroy(sh);
return NULL;
}
static semanage_handle_t *semanage_init (void)
{
int ret;
semanage_handle_t *handle = NULL;
handle = semanage_handle_create ();
if (NULL == handle) {
fprintf (stderr,
_("Cannot create SELinux management handle\n"));
return NULL;
}
semanage_msg_set_callback (handle, semanage_error_callback, NULL);
ret = semanage_is_managed (handle);
if (ret != 1) {
fprintf (stderr, _("SELinux policy not managed\n"));
goto fail;
}
ret = semanage_access_check (handle);
if (ret < SEMANAGE_CAN_READ) {
fprintf (stderr, _("Cannot read SELinux policy store\n"));
goto fail;
}
ret = semanage_connect (handle);
if (ret != 0) {
fprintf (stderr,
_("Cannot establish SELinux management connection\n"));
goto fail;
}
ret = semanage_begin_transaction (handle);
if (ret != 0) {
fprintf (stderr, _("Cannot begin SELinux transaction\n"));
goto fail;
}
return handle;
fail:
semanage_handle_destroy (handle);
return NULL;
}
static sepoltrans *sepoltransNew(void)
{
sepoltrans *pt = xcalloc(1, sizeof(*pt));
pt->semodulepath = rpmExpand("%{__semodule}", NULL);
pt->execsemodule = (!rpmChrootDone() && access(pt->semodulepath, X_OK) == 0);
pt->changes = 0;
if (pt->execsemodule) {
argvAdd(&pt->semodargs, "semodule");
} else {
pt->sh = semanage_handle_create();
if (!pt->sh) {
rpmlog(RPMLOG_ERR, _("Failed to create semanage handle\n"));
goto err;
}
semanage_set_create_store(pt->sh, 1);
semanage_set_check_contexts(pt->sh, 0);
if (semanage_connect(pt->sh) < 0) {
rpmlog(RPMLOG_ERR, _("Failed to connect to policy handler\n"));
goto err;
}
if (semanage_begin_transaction(pt->sh) < 0) {
rpmlog(RPMLOG_ERR, _("Failed to begin policy transaction: %s\n"),
errno ? strerror(errno) : "");
goto err;
}
semanage_set_reload(pt->sh, !rpmChrootDone());
}
return pt;
err:
if (pt->sh) {
if (semanage_is_connected(pt->sh)) {
semanage_disconnect(pt->sh);
}
semanage_handle_destroy(pt->sh);
}
free(pt);
return NULL;
}
int del_seuser(const char *login_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int exists = 0;
handle = sss_semanage_init();
if (!handle) {
DEBUG(1, ("Cannot init SELinux management\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(1, ("Cannot create SELinux user key\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(5, ("Login mapping for %s is not defined, OK if default mapping "
"was used\n", login_name));
ret = EOK; /* probably default mapping */
goto done;
}
ret = semanage_seuser_exists_local(handle, key, &exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (!exists) {
DEBUG(1, ("Login mapping for %s is defined in policy, "
"cannot be deleted", login_name));
ret = ENOENT;
goto done;
}
ret = semanage_seuser_del_local(handle, key);
if (ret != 0) {
DEBUG(1, ("Could not delete login mapping for %s", login_name));
ret = EIO;
goto done;
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(1, ("Cannot commit SELinux transaction\n"));
ret = EIO;
goto done;
}
ret = EOK;
done:
semanage_handle_destroy(handle);
return ret;
}
int set_seuser(const char *login_name, const char *seuser_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int seuser_exists = 0;
if (seuser_name == NULL) {
/* don't care, just let system pick the defaults */
return EOK;
}
handle = sss_semanage_init();
if (!handle) {
DEBUG(1, ("Cannot init SELinux management\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_key_create(handle, login_name, &key);
if (ret != 0) {
DEBUG(1, ("Cannot create SELinux user key\n"));
ret = EIO;
goto done;
}
ret = semanage_seuser_exists(handle, key, &seuser_exists);
if (ret < 0) {
DEBUG(1, ("Cannot verify the SELinux user\n"));
ret = EIO;
goto done;
}
if (seuser_exists) {
ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);
if (ret != 0) {
DEBUG(1, ("Cannot modify SELinux user mapping\n"));
ret = EIO;
goto done;
}
} else {
ret = sss_semanage_user_add(handle, key, login_name, seuser_name);
if (ret != 0) {
DEBUG(1, ("Cannot add SELinux user mapping\n"));
ret = EIO;
goto done;
}
}
ret = semanage_commit(handle);
if (ret < 0) {
DEBUG(1, ("Cannot commit SELinux transaction\n"));
ret = EIO;
goto done;
}
ret = EOK;
done:
semanage_seuser_key_free(key);
semanage_handle_destroy(handle);
return ret;
}
/* Apply permanent boolean changes to policy via libsemanage */
static int semanage_set_boolean_list(size_t boolcnt,
SELboolean * boollist)
{
size_t j;
semanage_handle_t *handle = NULL;
semanage_bool_t *boolean = NULL;
semanage_bool_key_t *bool_key = NULL;
int managed;
handle = semanage_handle_create();
if (handle == NULL) {
fprintf(stderr, "Could not create semanage library handle\n");
goto err;
}
managed = semanage_is_managed(handle);
if (managed < 0) {
fprintf(stderr,
"Error when checking whether policy is managed\n");
goto err;
} else if (managed == 0) {
if (getuid() == 0) {
fprintf(stderr,
"Cannot set persistent booleans without managed policy.\n");
} else {
fprintf(stderr,
"Cannot set persistent booleans, please try as root.\n");
}
goto err;
}
if (semanage_connect(handle) < 0)
goto err;
if (semanage_begin_transaction(handle) < 0)
goto err;
for (j = 0; j < boolcnt; j++) {
if (semanage_bool_create(handle, &boolean) < 0)
goto err;
if (semanage_bool_set_name(handle, boolean, boollist[j].name) <
0)
goto err;
semanage_bool_set_value(boolean, boollist[j].value);
if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
goto err;
if (semanage_bool_modify_local(handle, bool_key,
boolean) < 0)
goto err;
if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Could not change boolean %s\n",
boollist[j].name);
goto err;
}
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
bool_key = NULL;
boolean = NULL;
}
semanage_set_reload(handle, reload);
if (semanage_commit(handle) < 0)
goto err;
semanage_disconnect(handle);
semanage_handle_destroy(handle);
return 0;
err:
semanage_bool_key_free(bool_key);
semanage_bool_free(boolean);
semanage_handle_destroy(handle);
fprintf(stderr, "Could not change policy booleans\n");
return -1;
}
int del_seuser (const char *login_name)
{
semanage_handle_t *handle = NULL;
semanage_seuser_key_t *key = NULL;
int ret;
int exists = 0;
handle = semanage_init ();
if (NULL == handle) {
fprintf (stderr, _("Cannot init SELinux management\n"));
ret = 1;
goto done;
}
ret = semanage_seuser_key_create (handle, login_name, &key);
if (ret != 0) {
fprintf (stderr, _("Cannot create SELinux user key\n"));
ret = 1;
goto done;
}
ret = semanage_seuser_exists (handle, key, &exists);
if (ret < 0) {
fprintf (stderr, _("Cannot verify the SELinux user\n"));
ret = 1;
goto done;
}
if (0 == exists) {
fprintf (stderr,
_("Login mapping for %s is not defined, OK if default mapping was used\n"),
login_name);
ret = 0; /* probably default mapping */
goto done;
}
ret = semanage_seuser_exists_local (handle, key, &exists);
if (ret < 0) {
fprintf (stderr, _("Cannot verify the SELinux user\n"));
ret = 1;
goto done;
}
if (0 == exists) {
fprintf (stderr,
_("Login mapping for %s is defined in policy, cannot be deleted\n"),
login_name);
ret = 0; /* Login mapping defined in policy can't be deleted */
goto done;
}
ret = semanage_seuser_del_local (handle, key);
if (ret != 0) {
fprintf (stderr,
_("Could not delete login mapping for %s"),
login_name);
ret = 1;
goto done;
}
ret = semanage_commit (handle);
if (ret < 0) {
fprintf (stderr, _("Cannot commit SELinux transaction\n"));
ret = 1;
goto done;
}
ret = 0;
done:
semanage_handle_destroy (handle);
return ret;
}
