folkslinux
/
rpm
mirror of https://github.com/rpm-software-management/rpm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use selabel interfaces instead of matchpathcon 

This replaces the old matchpathcon interfaces with the new selabel
interfaces for relabeling files, storing an selabel handle in the
transaction set.

With this change, also comes an added distinction between --nocontexts
being specified and a failure to read the load file contexts.
Previously, there was no distinction, and both cases used the
RPMTRANS_FLAG_NOCONTEXTS flag.

However, with the new policy plugin, it is necessary to make such a
distinction. This is because matchpathcon_init (now selabel interfaces)
can fail at the beginning of the transaction, but succeed later after
new policy is installed. Because of this, we may need to enable/disable
RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
could also mean --nocontexts, we cannot do that. By storing the selabel
handle in the rpmts, we can easily keep track if the handle has been
successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
with two meanings.
This commit is contained in:
Steve Lawrence 2010-08-30 16:32:30 -04:00 committed by Panu Matilainen
parent 383e275648
commit 34b5d67c2d
7 changed files with 92 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
configure.ac
View File

@ -577,6 +577,19 @@ AS_IF([test "$with_selinux" = yes],[
],[ ],[
AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found]) AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
]) ])
AC_CHECK_HEADER([selinux/label.h],[
save_LIBS="$LIBS"
AC_CHECK_LIB([selinux],[selabel_close],[],[
AC_MSG_ERROR([--with-selinux given, but selabel_close not found in libselinux])])
AC_CHECK_LIB([selinux],[selabel_lookup_raw],[],[
AC_MSG_ERROR([--with-selinux given, but selabel_lookup_raw not found in libselinux])])
AC_CHECK_LIB([selinux],[selabel_open],[],[
AC_MSG_ERROR([--with-selinux given, but selabel_open not found in libselinux])])
LIBS="$save_LIBS"
],[
AC_MSG_ERROR([--with-selinux given, but selinux/label.h not found])
])
]) ])
AS_IF([test "$with_selinux" = yes],[ AS_IF([test "$with_selinux" = yes],[

8
lib/fsm.c
View File

@ -693,10 +693,10 @@ static int fsmMapFContext(FSM_t fsm)
* Find file security context (if not disabled). * Find file security context (if not disabled).
*/ */
fsm->fcontext = NULL; fsm->fcontext = NULL;
if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) { if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
security_context_t scon = NULL; security_context_t scon = NULL;
if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 && scon != NULL) { if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 && scon != NULL) {
fsm->fcontext = scon; fsm->fcontext = scon;
} }
} }
@ -1263,8 +1263,8 @@ static int fsmMkdirs(FSM_t fsm)
if (!rc) { if (!rc) {
/* XXX FIXME? only new dir will have context set. */ /* XXX FIXME? only new dir will have context set. */
/* Get file security context from patterns. */ /* Get file security context from patterns. */
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) { if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 && if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 &&
scon != NULL) { scon != NULL) {
fsm->fcontext = scon; fsm->fcontext = scon;
rc = fsmLsetfcon(fsm); rc = fsmLsetfcon(fsm);

45
lib/rpmts.c
View File

@ -688,6 +688,49 @@ void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd)
} }
} }
struct selabel_handle * rpmtsSELabelHandle(rpmts ts)
{
#if WITH_SELINUX
if (ts != NULL) {
return ts->selabelHandle;
}
#endif
return NULL;
}
rpmRC rpmtsSELabelInit(rpmts ts, const char *path)
{
#if WITH_SELINUX
if (ts == NULL || path == NULL) {
return RPMRC_FAIL;
}
struct selinux_opt opts[] = {
{SELABEL_OPT_PATH, path}
};
if (ts->selabelHandle) {
rpmtsSELabelFini(ts);
}
ts->selabelHandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
if (!ts->selabelHandle) {
return RPMRC_FAIL;
}
#endif
return RPMRC_OK;
}
void rpmtsSELabelFini(rpmts ts)
{
#if WITH_SELINUX
if (ts && ts->selabelHandle) {
selabel_close(ts->selabelHandle);
ts->selabelHandle = NULL;
}
#endif
}
rpm_tid_t rpmtsGetTid(rpmts ts) rpm_tid_t rpmtsGetTid(rpmts ts)
{ {
rpm_tid_t tid = (rpm_tid_t)-1; /* XXX -1 is time(2) error return. */ rpm_tid_t tid = (rpm_tid_t)-1; /* XXX -1 is time(2) error return. */
@ -906,6 +949,8 @@ rpmts rpmtsCreate(void)
ts->rootDir = NULL; ts->rootDir = NULL;
ts->keyring = NULL; ts->keyring = NULL;
ts->selabelHandle = NULL;
ts->nrefs = 0; ts->nrefs = 0;
ts->plugins = rpmpluginsNew(ts); ts->plugins = rpmpluginsNew(ts);

21
lib/rpmts.h
View File

@ -389,6 +389,27 @@ FD_t rpmtsScriptFd(rpmts ts);
*/ */
void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd); void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
/** \ingroup rpmts
* Get the selabel handle from the transaction set
* @param ts transaction set
* @return rpm selabel handle, or NULL if it hasn't been initialized yet
*/
struct selabel_handle * rpmtsSELabelHandle(rpmts ts);
/** \ingroup rpmts
* Initialize selabel
* @param ts transaction set
* @param path path to contexts file
* @return RPMRC_OK on success, RPMRC_FAIL otherwise
*/
rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
/** \ingroup rpmts
* Clean up selabel
* @param ts transaction set
*/
void rpmtsSELabelFini(rpmts ts);
/** \ingroup rpmts /** \ingroup rpmts
* Get transaction id, i.e. transaction time stamp. * Get transaction id, i.e. transaction time stamp.
* @param ts transaction set * @param ts transaction set

2
lib/rpmts_internal.h
View File

@ -43,6 +43,8 @@ struct rpmts_s {
tsMembers members; /*!< Transaction set member info (order etc) */ tsMembers members; /*!< Transaction set member info (order etc) */
struct selabel_handle * selabelHandle; /*!< Handle to selabel */
char * rootDir; /*!< Path to top of install tree. */ char * rootDir; /*!< Path to top of install tree. */
char * lockPath; /*!< Transaction lock path */ char * lockPath; /*!< Transaction lock path */
FD_t scriptFd; /*!< Scriptlet stdout/stderr. */ FD_t scriptFd; /*!< Scriptlet stdout/stderr. */

8
lib/transaction.c
View File

@ -1269,11 +1269,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
} }
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) { if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
char *fn = rpmGetPath("%{?_install_file_context_path}", NULL); rpmtsSELabelInit(ts, selinux_file_context_path());
if (matchpathcon_init(fn) == -1) {
rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
}
free(fn);
} }
/* XXX Make sure the database is open RDWR for package install/erase. */ /* XXX Make sure the database is open RDWR for package install/erase. */
@ -1292,7 +1288,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
static int rpmtsFinish(rpmts ts) static int rpmtsFinish(rpmts ts)
{ {
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) { if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
matchpathcon_fini(); rpmtsSELabelFini(ts);
} }
return rpmChrootSet(NULL); return rpmChrootSet(NULL);
} }

5
system.h
View File

@ -78,6 +78,7 @@ char * stpncpy(char * dest, const char * src, size_t n);
#if WITH_SELINUX #if WITH_SELINUX
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/label.h>
#else #else
typedef char * security_context_t; typedef char * security_context_t;
@ -92,6 +93,10 @@ typedef char * security_context_t;
#define matchpathcon_fini() (0) #define matchpathcon_fini() (0)
#define matchpathcon(_fn, _fm, _c) (-1) #define matchpathcon(_fn, _fm, _c) (-1)
#define selabel_lookup_raw(_hnd, _scon, _key,_type) (-1)
#define selinux_file_context_path() (0)
#define rpm_execcon(_v, _fn, _av, _envp) (0) #define rpm_execcon(_v, _fn, _av, _envp) (0)
#endif #endif