c25356d5978632df6203437e1953bcb29e0c736fTimo Sirainen/*
c25356d5978632df6203437e1953bcb29e0c736fTimo Sirainen SSSD
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
ca5b42cad97beba7c4765a607d46fd4745a6fda8Josef 'Jeff' Sipek selinux.c
ca5b42cad97beba7c4765a607d46fd4745a6fda8Josef 'Jeff' Sipek
e7ca5f820d6a1a8fe549a2966ac707a60e055ef4Timo Sirainen Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2010
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
02a54da28f376dd66d7939d8546a196a0045b486Timo Sirainen This program is free software; you can redistribute it and/or modify
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen it under the terms of the GNU General Public License as published by
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen the Free Software Foundation; either version 3 of the License, or
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen (at your option) any later version.
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen This program is distributed in the hope that it will be useful,
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen but WITHOUT ANY WARRANTY; without even the implied warranty of
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen GNU General Public License for more details.
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen You should have received a copy of the GNU General Public License
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen along with this program. If not, see <http://www.gnu.org/licenses/>.
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen*/
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#include "config.h"
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
04870054863757edf048c81dcce3c5e7dec453cdTimo Sirainen#include <stdio.h>
04870054863757edf048c81dcce3c5e7dec453cdTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#ifdef HAVE_SELINUX
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#include <selinux/selinux.h>
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#endif
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#include "tools/tools_util.h"
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#ifdef HAVE_SELINUX
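/*
 * selinux_file_context - Set the security context before any file or
 * directory creation.
 *
 * selinux_file_context() should be called before any creation of file,
 * symlink, directory, ...
 *
 * The context installed here stays in effect for later creations, so
 * callers may have to reset SELinux to create files with default
 * contexts:
 *     reset_selinux_file_context();
 *
 * dst_name: path whose default context is looked up with matchpathcon().
 *
 * Returns 0 when SELinux is not enabled, when the context was set, or
 * when a step failed but security_getenforce() returned 0 (permissive).
 * Returns 1 when a step failed and security_getenforce() returned
 * anything other than 0; that includes its own error return, so an
 * unknown enforcement state is treated as a failure.
 */
int selinux_file_context(const char *dst_name)
{
    security_context_t scontext = NULL;
    int ret = 0;

    if (is_selinux_enabled() != 1) {
        return 0;
    }

    /* Get the default security context for this file */
    if (matchpathcon(dst_name, 0, &scontext) < 0) {
        if (security_getenforce() != 0) {
            ret = 1;
            goto done;
        }
        /*
         * Permissive: carry on with whatever scontext holds (NULL unless
         * matchpathcon() filled it in), which asks setfscreatecon() for
         * the default labelling instead of a path-specific one.
         */
    }

    /* Set the security context for the next created file */
    if (setfscreatecon(scontext) < 0) {
        if (security_getenforce() != 0) {
            ret = 1;
        }
    }

done:
    /*
     * Release the looked-up context on every path. The early return on a
     * setfscreatecon() failure used to skip this and leak the string.
     */
    freecon(scontext);
    return ret;
}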
02a54da28f376dd66d7939d8546a196a0045b486Timo Sirainen
/*
 * reset_selinux_file_context - Drop the file-creation context installed by
 * selinux_file_context() so that later files get their default context.
 *
 * Always returns EOK.
 *
 * NOTE(review): the result of setfscreatecon() is discarded, so a failed
 * reset is reported as success and the caller cannot tell that the previous
 * creation context may still be in effect. Confirm this is intended.
 */
int reset_selinux_file_context(void)
{
    /* A NULL context requests the default labelling behaviour. */
    (void) setfscreatecon(NULL);

    return EOK;
}
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen#else /* HAVE_SELINUX */
/*
 * selinux_file_context - stub used when built without HAVE_SELINUX.
 *
 * No context is looked up or set; dst_name is ignored and EOK is returned.
 */
int selinux_file_context(const char *dst_name)
{
    (void) dst_name; /* unused in the non-SELinux build */

    return EOK;
}
7fb70daba4e571eab5b64f496d20b9e37e31141bTimo Sirainen
/*
 * reset_selinux_file_context - stub used when built without HAVE_SELINUX.
 *
 * There is no creation context to reset; always returns EOK.
 */
int reset_selinux_file_context(void)
{
    return EOK;
}
2f122b4db3f0d4eeb59ff9d306e54b2009d72cf9Timo Sirainen#endif /* HAVE_SELINUX */