selinux-util.c revision cf0fbc49e67b55f8d346fc94de28c90113505297
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster This file is part of systemd.
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster Copyright 2010 Lennart Poettering
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster systemd is free software; you can redistribute it and/or modify it
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster under the terms of the GNU Lesser General Public License as published by
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster the Free Software Foundation; either version 2.1 of the License, or
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster (at your option) any later version.
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster systemd is distributed in the hope that it will be useful, but
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster WITHOUT ANY WARRANTY; without even the implied warranty of
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster Lesser General Public License for more details.
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster You should have received a copy of the GNU Lesser General Public License
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster along with systemd; If not, see <http://www.gnu.org/licenses/>.
0a99555401a033704f1f171baab6db11fb5528f2Allan FosterDEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
0a99555401a033704f1f171baab6db11fb5528f2Allan FosterDEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster#define _cleanup_security_context_free_ _cleanup_(freeconp)
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster#define _cleanup_context_free_ _cleanup_(context_freep)
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster return false;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster struct mallinfo before_mallinfo, after_mallinfo;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster { .type = SELABEL_OPT_SUBSET, .value = prefix },
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster log_enforcing("Failed to initialize SELinux context: %m");
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
0a99555401a033704f1f171baab6db11fb5528f2Allan Fosterint mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster /* if mac_selinux_init() wasn't called before we are a NOOP */
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster if (r >= 0) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster _cleanup_security_context_free_ security_context_t fcon = NULL;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster /* If there's no label to set, then exit without warning */
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster if (r >= 0) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster /* If the FS doesn't support labels, then exit without warning */
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster if (r < 0) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster /* Ignore ENOENT in some cases */
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster log_enforcing("Unable to fix SELinux security context of %s: %m", path);
0a99555401a033704f1f171baab6db11fb5528f2Allan Fosterint mac_selinux_apply(const char *path, const char *label) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster if (setfilecon(path, (security_context_t) label) < 0) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
0a99555401a033704f1f171baab6db11fb5528f2Allan Fosterint mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
0a99555401a033704f1f171baab6db11fb5528f2Allan Fosterint mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster /* If there is no context set for next exec let's use context
0a99555401a033704f1f171baab6db11fb5528f2Allan Foster of target executable */
return -errno;
if (!bcon)
return -ENOMEM;
if (!pcon)
return -ENOMEM;
if (!range)
return -errno;
return -errno;
if (!mycon)
return -ENOMEM;
return -errno;
#ifdef HAVE_SELINUX
if (!label)
return NULL;
if (!mac_selinux_use())
return NULL;
return NULL;
#ifdef HAVE_SELINUX
if (!label_hnd)
if (security_getenforce() > 0)
return -errno;
void mac_selinux_create_file_clear(void) {
#ifdef HAVE_SELINUX
if (!mac_selinux_use())
#ifdef HAVE_SELINUX
if (!mac_selinux_use())
return -errno;
void mac_selinux_create_socket_clear(void) {
#ifdef HAVE_SELINUX
if (!mac_selinux_use())
#ifdef HAVE_SELINUX
bool context_changed = false;
char *path;
if (!label_hnd)
goto skipped;
goto skipped;
goto skipped;
goto skipped;
goto skipped;
if (security_getenforce() > 0)
return -errno;
if (security_getenforce() > 0)
return -errno;
context_changed = true;
if (context_changed)
return -errno;