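/*
 * Report what access the caller has to the policy store selected by sh.
 *
 * The store path is built from selinux_path() and sh->conf->store_path,
 * the store is checked for initialization with semanage_check_init(), and
 * the actual permission probe is delegated to semanage_store_access_check().
 *
 * Returns -1 on failure (an uninitialized store, or a store path that does
 * not fit in PATH_MAX -- a truncated path must never be the one checked),
 * otherwise the value returned by semanage_store_access_check().
 */
int semanage_direct_access_check(semanage_handle_t *sh)
{
	char polpath[PATH_MAX];
	int len;

	/* snprintf truncates silently; a clipped path would name a different
	 * location than the configured store, so treat truncation as failure. */
	len = snprintf(polpath, sizeof polpath, "%s%s", selinux_path(),
		       sh->conf->store_path);
	if (len < 0 || (size_t)len >= sizeof polpath)
		return -1;

	if (semanage_check_init(polpath))
		return -1;

	return semanage_store_access_check(sh);
}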
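/* Tests the semanage_store_access_check function in semanage_store.c */

/*
 * Apply polmode to polpath, lockmode to the given lock path (the read-lock
 * file while it exists, the lock directory otherwise) and modmode to
 * modpath, then assert that semanage_store_access_check() on the shared
 * handle sh returns `expected`.  Every chmod is asserted so that a failed
 * setup step is reported instead of producing a misleading access result.
 */
static void check_store_access_with_modes(mode_t polmode, const char *lock,
					  mode_t lockmode, mode_t modmode,
					  int expected)
{
	int err;

	err = chmod(polpath, polmode);
	CU_ASSERT(err == 0);
	err = chmod(lock, lockmode);
	CU_ASSERT(err == 0);
	err = chmod(modpath, modmode);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == expected);
}

/*
 * Walk the store through the permission combinations that
 * semanage_store_access_check() distinguishes: no access (-1), read only
 * (SEMANAGE_CAN_READ), read/write (SEMANAGE_CAN_WRITE) and "accessible but
 * the lock cannot be taken" (0), both with and without an existing
 * read-lock file.
 */
void test_semanage_store_access_check(void)
{
	int err;

	/* create lock file: the file type belongs in the mode argument
	 * (S_IFREG), and dev is unused for regular files.  The result was
	 * previously unchecked, which left every later assertion meaningless
	 * when the file could not be created. */
	err = mknod(readlockpath, S_IFREG | S_IRUSR | S_IWUSR, 0);
	CU_ASSERT(err == 0);

	/* check with permissions 000 */
	check_store_access_with_modes(0, readlockpath, 0, 0, -1);

	/* check with permissions 500 */
	check_store_access_with_modes(S_IRUSR | S_IXUSR, readlockpath, S_IRUSR,
				      S_IRUSR | S_IXUSR, SEMANAGE_CAN_READ);

	/* check with permissions 700 */
	check_store_access_with_modes(S_IRUSR | S_IWUSR | S_IXUSR, readlockpath,
				      S_IRUSR | S_IWUSR,
				      S_IRUSR | S_IWUSR | S_IXUSR,
				      SEMANAGE_CAN_WRITE);

	/* check with lock file 000 and others 500 */
	check_store_access_with_modes(S_IRUSR | S_IXUSR, readlockpath, 0,
				      S_IRUSR | S_IXUSR, 0);

	/* check with lock file 000 and others 700 */
	check_store_access_with_modes(S_IRUSR | S_IWUSR | S_IXUSR, readlockpath,
				      0, S_IRUSR | S_IWUSR | S_IXUSR, 0);

	/* remove lock file */
	err = remove(readlockpath);
	CU_ASSERT(err == 0);

	/* check with no lock file and 000 */
	check_store_access_with_modes(0, lockpath, 0, 0, -1);

	/* check with no lock file and 500 */
	check_store_access_with_modes(S_IRUSR | S_IXUSR, lockpath,
				      S_IRUSR | S_IXUSR, S_IRUSR | S_IXUSR, 0);

	/* check with no lock file but write in lockpath */
	err = chmod(lockpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = semanage_store_access_check(sh);
	CU_ASSERT(err == SEMANAGE_CAN_READ);

	/* check with no lock file and 700 (lockpath keeps 700 from above) */
	check_store_access_with_modes(S_IRUSR | S_IWUSR | S_IXUSR, lockpath,
				      S_IRUSR | S_IWUSR | S_IXUSR,
				      S_IRUSR | S_IWUSR | S_IXUSR,
				      SEMANAGE_CAN_WRITE);
}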