#include "system.h"
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/flask.h>
#include <selinux/label.h>
#include <selinux/avc.h>
#include <rpm/rpmlog.h>
#include <rpm/rpmts.h>
#include "lib/rpmplugin.h"
#include "debug.h"
/*
 * File-context label handle shared by all hooks in this plugin.
 * NULL means "contexts are off for this transaction": every hook below
 * checks it and becomes a no-op when it is unset. Opened by
 * sehandle_init(), released by sehandle_fini().
 */
static struct selabel_handle * sehandle = NULL;
/*
 * Release the file-context label handle and, optionally, the SELinux
 * status page.
 *
 * close_status: non-zero to also call selinux_status_close() after the
 *               label handle has been released.
 *
 * Safe to call when no handle is open. sehandle is reset to NULL so the
 * other hooks see "contexts off" until sehandle_init() runs again.
 */
static void sehandle_fini(int close_status)
{
    struct selabel_handle *handle = sehandle;

    sehandle = NULL;
    if (handle != NULL)
	selabel_close(handle);

    if (close_status != 0)
	selinux_status_close();
}
/*
 * (Re)create the file-context label handle from the system's
 * file_contexts path.
 *
 * open_status: non-zero to (re)open the SELinux status page first and
 *              always rebuild the handle; zero to rebuild only when the
 *              status page reports a policy update, or when no handle
 *              exists yet.
 *
 * Returns RPMRC_OK when a usable handle exists afterwards, RPMRC_FAIL
 * when the file_contexts path is unknown, the status page cannot be
 * opened, or selabel_open() fails.
 */
static rpmRC sehandle_init(int open_status)
{
    const char *ctxpath = selinux_file_context_path();
    struct selinux_opt opts[] = {
	{ .type = SELABEL_OPT_PATH, .value = ctxpath },
    };
    int need_reload = 1;

    if (ctxpath == NULL)
	return RPMRC_FAIL;

    if (open_status) {
	/* Start from a closed status page so the open below is fresh. */
	selinux_status_close();
	if (selinux_status_open(0) < 0)
	    return RPMRC_FAIL;
    } else {
	/* Nothing to do unless policy changed underneath us or we have
	   no handle at all. */
	need_reload = selinux_status_updated() || sehandle == NULL;
    }

    if (!need_reload)
	return RPMRC_OK;

    if (sehandle != NULL)
	sehandle_fini(0);

    /* One option: the file_contexts path resolved above. */
    sehandle = selabel_open(SELABEL_CTX_FILE, opts, 1);

    return (sehandle == NULL) ? RPMRC_FAIL : RPMRC_OK;
}
/*
 * Transaction-start hook.
 *
 * If SELinux is not enabled, RPMTRANS_FLAG_NOCONTEXTS is forced on the
 * transaction so nothing downstream touches labels. Otherwise, unless
 * contexts are off or this is a test transaction, the status page and
 * the label handle are opened; that open's result is returned as the
 * hook's result.
 */
static rpmRC selinux_tsm_pre(rpmPlugin plugin, rpmts ts)
{
    /* Without SELinux there is nothing to label. */
    if (!is_selinux_enabled())
	rpmtsSetFlags(ts, rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS);

    /* Labels are pointless for --test runs and when contexts are off. */
    if (rpmtsFlags(ts) & (RPMTRANS_FLAG_NOCONTEXTS | RPMTRANS_FLAG_TEST))
	return RPMRC_OK;

    /* Opens the status page (used later to notice policy reloads) and
       the file-context handle. */
    return sehandle_init(1);
}
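/*
 * Transaction-end hook: release everything sehandle_init() acquired.
 *
 * Previously the teardown ran only when sehandle was non-NULL. But
 * sehandle_init(1) opens the status page before calling selabel_open(),
 * so a failed selabel_open() left the status page mapped with
 * sehandle == NULL, and it was never closed. Tearing down
 * unconditionally fixes that; it is harmless when nothing is open:
 * sehandle_fini() guards selabel_close() itself, and sehandle_init()
 * already calls selinux_status_close() before any open.
 *
 * Always returns RPMRC_OK; `ts` and `rc` are not consulted.
 */
static rpmRC selinux_tsm_post(rpmPlugin plugin, rpmts ts, int rc)
{
    sehandle_fini(1);
    return RPMRC_OK;
}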
/*
 * Per-package hook, run before a package's files and scripts are handled.
 *
 * With contexts off (no handle) this is a no-op. Otherwise the handle is
 * refreshed if the status page reports that policy changed since we last
 * looked; sehandle_init(0) returns RPMRC_OK without work when it did not.
 */
static rpmRC selinux_psm_pre(rpmPlugin plugin, rpmte te)
{
    if (sehandle == NULL)
	return RPMRC_OK;

    /* Reload labels if policy changed underneath. */
    return sehandle_init(0);
}
/*
 * Runs in the forked child just before a scriptlet is exec()ed.
 *
 * Computes the process context the script should run in: the policy's
 * default transition from our own context on the file at `path`, or, if
 * policy defines no transition (the computed context equals ours), our
 * own context with its type swapped for rpm_script_t. The result is
 * installed with setexeccon() so it applies to the next exec().
 *
 * Returns RPMRC_OK when contexts are off (no handle) or the exec context
 * was set. Any failure yields RPMRC_FAIL, which is downgraded to RPMRC_OK
 * when SELinux is not enforcing (security_getenforce() < 1, which also
 * covers its error return). `type` is part of the hook signature but is
 * not used here.
 */
static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
					 const char *path, int type)
{
    rpmRC rc = RPMRC_FAIL;
    security_context_t self_con = NULL;
    security_context_t file_con = NULL;
    security_context_t exec_con = NULL;
    context_t ctx = NULL;
    int setrc;

    if (sehandle == NULL)
	return RPMRC_OK;

    /* Our context, the script file's context, and the transition policy
       would apply for a process created from that pair. */
    if (getcon(&self_con) < 0 || getfilecon(path, &file_con) < 0)
	goto cleanup;
    if (security_compute_create(self_con, file_con,
				SECCLASS_PROCESS, &exec_con) < 0)
	goto cleanup;

    if (rstreq(self_con, exec_con)) {
	/* No default transition: keep the rest of our context, change
	   only the type to rpm_script_t (hard-coded for now). */
	static const char script_type[] = "rpm_script_t";

	ctx = context_new(self_con);
	if (ctx == NULL || context_type_set(ctx, script_type) != 0)
	    goto cleanup;
	freecon(exec_con);
	exec_con = xstrdup(context_str(ctx));
    }

    setrc = setexeccon(exec_con);
    if (setrc == 0)
	rc = RPMRC_OK;

    if (rpmIsDebug()) {
	rpmlog(RPMLOG_DEBUG, "setexeccon: (%s, %s) %s\n",
	       path, exec_con, (setrc < 0 ? strerror(errno) : ""));
    }

cleanup:
    context_free(ctx);
    freecon(exec_con);
    freecon(file_con);
    freecon(self_con);

    /* Not enforcing: a failure to set the context must not block the
       scriptlet. */
    if (rc != RPMRC_OK && security_getenforce() < 1)
	rc = RPMRC_OK;

    return rc;
}
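/*
 * Per-file hook, run before a file is moved into its final place.
 *
 * Looks up the label policy assigns to the final destination `dest`
 * (with `file_mode` disambiguating file types) and applies it with
 * lsetfilecon() to `path`, the name the file currently has on disk
 * (presumably rpm's temporary install name -- see the fsm caller).
 *
 * Returns RPMRC_OK when:
 *   - contexts are off (no handle) or the file is being skipped,
 *   - the label was set, or the filesystem does not support labels
 *     (lsetfilecon() failed with EOPNOTSUPP),
 *   - policy has no entry for dest (selabel_lookup_raw() failed with
 *     ENOENT).
 * Anything else is RPMRC_FAIL.
 *
 * Fix: the debug line used to test `rc`, the hook's own return code
 * (still RPMRC_FAIL at that point), instead of the lsetfilecon() result,
 * so the logged strerror() text never reflected the call it described.
 * It now tests `conrc`, and errno is captured right after lsetfilecon()
 * so rpmIsDebug()/rpmlog() cannot disturb it before it is read.
 */
static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
				      const char *path, const char *dest,
				      mode_t file_mode, rpmFsmOp op)
{
    rpmRC rc = RPMRC_FAIL; /* assume failure */
    rpmFileAction action = XFO_ACTION(op);
    security_context_t scon = NULL;
    int conrc;
    int conerr;

    if (sehandle == NULL || XFA_SKIPPING(action))
	return RPMRC_OK;

    if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) != 0) {
	/* No context for dest is not our headache */
	if (errno == ENOENT)
	    rc = RPMRC_OK;
	return rc;
    }

    conrc = lsetfilecon(path, scon);
    conerr = (conrc < 0) ? errno : 0;

    if (rpmIsDebug()) {
	rpmlog(RPMLOG_DEBUG, "lsetfilecon: (%s, %s) %s\n",
	       path, scon, (conrc < 0 ? strerror(conerr) : ""));
    }

    /* Filesystems without label support are not an error. */
    if (conrc == 0 || conerr == EOPNOTSUPP)
	rc = RPMRC_OK;

    freecon(scon);
    return rc;
}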
/*
 * Hook table exported to rpm's plugin loader.
 * Every hook is a no-op while sehandle is NULL, i.e. when tsm_pre decided
 * contexts are off for this transaction.
 */
struct rpmPluginHooks_s selinux_hooks = {
    /* transaction start: decide whether contexts apply, open handle */
    .tsm_pre = selinux_tsm_pre,
    /* transaction end: release handle and status page */
    .tsm_post = selinux_tsm_post,
    /* per package: reload labels if policy changed */
    .psm_pre = selinux_psm_pre,
    /* in the scriptlet child before exec: set the exec context */
    .scriptlet_fork_post = selinux_scriptlet_fork_post,
    /* per file before it lands: label it for its final path */
    .fsm_file_prepare = selinux_fsm_file_prepare,
};