/*
 * Apply the SELinux file context that the loaded labeling handle reports for
 * 'matchpath' to the file object at 'path'.
 *
 * The lookup is done on 'matchpath' (the name the policy should match) using
 * only the file-type bits of 'mode' (mode & S_IFMT); the resulting context is
 * then set on 'path' itself via lsetfilecon_raw(), i.e. without following a
 * symlink.
 *
 * Compiled to a no-op unless WITH_LIBSELINUX is defined. Also does nothing
 * when no labeling handle was set up (sehandle == NULL), when the lookup
 * fails, or when the lookup yields no context (the default context then
 * applies). Failing to set the context is fatal via ohshite(), except for
 * ENOTSUP, which is ignored (filesystem without label support).
 */
void
dpkg_selabel_set_context(const char *matchpath, const char *path, mode_t mode)
{
#ifdef WITH_LIBSELINUX
	security_context_t ctx = NULL;
	int rc;

	/* Without an initialized labeling handle there is nothing to apply. */
	if (sehandle == NULL)
		return;

	/*
	 * The _raw variants avoid the mcstransd translation between raw and
	 * human-readable contexts, which would otherwise be a problem when
	 * mcstransd has disappeared during the unpack process.
	 */
	rc = selabel_lookup_raw(sehandle, &ctx, matchpath, mode & S_IFMT);

	/* Lookup error: leave the object alone. */
	if (rc == -1)
		return;
	/* No context defined for this path: the default context shall apply. */
	if (rc == 0 && ctx == NULL)
		return;

	rc = lsetfilecon_raw(path, ctx);
	if (rc < 0 && errno != ENOTSUP)
		ohshite(_("cannot set security context for file object '%s'"), path);
	/* NOTE(review): ctx is not released on the ohshite() path; presumably
	 * ohshite() does not return — confirm. */

	freecon(ctx);
#endif /* WITH_LIBSELINUX */
}
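/*
 * Relabel the file object at 'path' with the SELinux context the loaded
 * labeling handle assigns to it.
 *
 * Returns 0 on success and in every "nothing to do" case: SELinux support
 * compiled out, mac_selinux_init() not called (label_hnd == NULL), no label
 * defined for the path (ENOENT from the lookup), filesystem without label
 * support (EOPNOTSUPP from lsetfilecon_raw()), or a failure whose errno the
 * caller asked to ignore (ENOENT when ignore_enoent, EROFS when ignore_erofs).
 * Any other failure is logged; it is returned as a negative errno only when
 * SELinux is enforcing — in permissive mode the failure is logged and 0 is
 * returned, so callers cannot tell a relabel failure from success there.
 */
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
#ifdef HAVE_SELINUX
        struct stat st;
        int r;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r >= 0) {
                _cleanup_freecon_ char* fcon = NULL;

                /* The _raw variant yields the untranslated context, which is
                 * what lsetfilecon_raw() expects. */
                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* If there's no label to set, then exit without warning */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r >= 0) {
                        r = lsetfilecon_raw(path, fcon);

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r < 0 && errno == EOPNOTSUPP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Capture errno before anything else runs: the freecon()
                 * cleanup of fcon has already happened, and the logging call
                 * and security_getenforce() below may clobber errno, so the
                 * value returned must be the one from the failing call. */
                int saved_errno = errno;

                /* Ignore ENOENT in some cases */
                if (ignore_enoent && saved_errno == ENOENT)
                        return 0;
                if (ignore_erofs && saved_errno == EROFS)
                        return 0;

                /* NOTE(review): %m reads errno when the message is formatted;
                 * if log_enforcing() consults the enforcing state before
                 * formatting, the logged text could describe a later error —
                 * confirm against its definition. */
                log_enforcing("Unable to fix SELinux security context of %s: %m", path);

                if (security_getenforce() == 1)
                        return -saved_errno;
        }
#endif

        return 0;
}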