You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
266 lines
8.6 KiB
266 lines
8.6 KiB
From d56c2b434e99f60612c1290e82021ecbcbfaf5e6 Mon Sep 17 00:00:00 2001
|
|
From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
|
|
Date: Tue, 21 Jul 2015 15:08:15 -0400
|
|
Subject: [PATCH] libsemanage: Add file_contexts and seusers to the store
|
|
|
|
This patch writes file_contexts and seusers to the policy store as well as
|
|
/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
|
|
store rather than the final directory which was the old behavior. This allows
|
|
all policy related files to be kept in the policy store.
|
|
|
|
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
|
|
---
|
|
libsemanage/src/direct_api.c | 69 +++++++++++++++++++++++++-------
|
|
libsemanage/src/semanage_store.c | 49 ++++-------------------
|
|
libsemanage/src/semanage_store.h | 5 ++-
|
|
libsemanage/utils/semanage_migrate_store | 3 +-
|
|
4 files changed, 66 insertions(+), 60 deletions(-)
|
|
|
|
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
|
|
index 3c6b168..b11f2ba 100644
|
|
--- a/libsemanage/src/direct_api.c
|
|
+++ b/libsemanage/src/direct_api.c
|
|
@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh)
|
|
goto err;
|
|
|
|
if (fcontext_file_dbase_init(sh,
|
|
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
|
|
- SEMANAGE_FC),
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP,
|
|
- SEMANAGE_FC),
|
|
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC),
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
semanage_fcontext_dbase_policy(sh)) < 0)
|
|
goto err;
|
|
|
|
if (seuser_file_dbase_init(sh,
|
|
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
|
|
- SEMANAGE_SEUSERS),
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP,
|
|
- SEMANAGE_SEUSERS),
|
|
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS),
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
semanage_seuser_dbase_policy(sh)) < 0)
|
|
goto err;
|
|
|
|
@@ -602,7 +598,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
|
|
}
|
|
|
|
if (size > 0) {
|
|
- ofilename = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS);
|
|
+ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
if (ofilename == NULL) {
|
|
return -1;
|
|
}
|
|
@@ -1039,7 +1035,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
size_t fc_buffer_len = 0;
|
|
const char *ofilename = NULL;
|
|
const char *path;
|
|
- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
|
|
+ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
|
|
+ missing_seusers = 0, missing_fc = 0, missing = 0;
|
|
sepol_policydb_t *out = NULL;
|
|
struct cil_db *cildb = NULL;
|
|
semanage_module_info_t *modinfos = NULL;
|
|
@@ -1151,10 +1148,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
if (access(path, F_OK) != 0) {
|
|
missing_policy_kern = 1;
|
|
}
|
|
+
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
|
|
+
|
|
+ if (access(path, F_OK) != 0) {
|
|
+ missing_fc = 1;
|
|
+ }
|
|
+
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
+
|
|
+ if (access(path, F_OK) != 0) {
|
|
+ missing_seusers = 1;
|
|
+ }
|
|
}
|
|
|
|
+ missing |= missing_policy_kern;
|
|
+ missing |= missing_fc;
|
|
+ missing |= missing_seusers;
|
|
+
|
|
/* If there were policy changes, or explicitly requested, rebuild the policy */
|
|
- if (sh->do_rebuild || modified || missing_policy_kern) {
|
|
+ if (sh->do_rebuild || modified || missing) {
|
|
/* =================== Module expansion =============== */
|
|
|
|
retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
|
|
@@ -1312,15 +1325,41 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
if (retval < 0)
|
|
goto cleanup;
|
|
|
|
- retval = semanage_copy_policydb(sh);
|
|
- if (retval < 0)
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0) {
|
|
goto cleanup;
|
|
+ }
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
|
|
if (access(path, F_OK) == 0) {
|
|
- retval = semanage_copy_fc_local(sh);
|
|
- if (retval < 0)
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0) {
|
|
goto cleanup;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
|
|
+ if (access(path, F_OK) == 0) {
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
+ if (access(path, F_OK) == 0) {
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
}
|
|
|
|
/* run genhomedircon if its enabled, this should be the last operation
|
|
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
|
|
index 2856aaf..fa0876f 100644
|
|
--- a/libsemanage/src/semanage_store.c
|
|
+++ b/libsemanage/src/semanage_store.c
|
|
@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
|
|
"/preserve_tunables",
|
|
"/modules/disabled",
|
|
"/policy.kern",
|
|
- "/file_contexts.local"
|
|
+ "/file_contexts.local",
|
|
+ "/file_contexts",
|
|
+ "/seusers"
|
|
};
|
|
|
|
static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
|
|
@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d)
|
|
|
|
/* Copies a file from src to dst. If dst already exists then
|
|
* overwrite it. Returns 0 on success, -1 on error. */
|
|
-static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
|
|
+int semanage_copy_file(const char *src, const char *dst, mode_t mode)
|
|
{
|
|
int in, out, retval = 0, amount_read, n, errsv = errno;
|
|
char tmp[PATH_MAX];
|
|
@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh)
|
|
goto cleanup;
|
|
}
|
|
|
|
- fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
+ fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
|
|
if (fc < 0) {
|
|
ERR(sh, "Could not open %s for writing.",
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC));
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
|
|
goto cleanup;
|
|
}
|
|
hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL),
|
|
@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh)
|
|
} else {
|
|
if (write(fc, buf, strlen(buf)) < 0) {
|
|
ERR(sh, "Write to %s failed.",
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP,
|
|
- SEMANAGE_FC));
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
|
|
goto cleanup;
|
|
}
|
|
}
|
|
@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
|
|
|
|
return 0;
|
|
}
|
|
-
|
|
-int semanage_copy_policydb(semanage_handle_t *sh)
|
|
-{
|
|
- const char *src = NULL;
|
|
- const char *dst = NULL;
|
|
- int rc = -1;
|
|
-
|
|
- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
|
|
- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
|
|
-
|
|
- rc = semanage_copy_file(src, dst, sh->conf->file_mode);
|
|
- if (rc != 0) {
|
|
- goto cleanup;
|
|
- }
|
|
-
|
|
-cleanup:
|
|
- return rc;
|
|
-}
|
|
-
|
|
-int semanage_copy_fc_local(semanage_handle_t *sh)
|
|
-{
|
|
- const char *src = NULL;
|
|
- const char *dst = NULL;
|
|
- int rc = -1;
|
|
-
|
|
- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
|
|
- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
|
|
-
|
|
- rc = semanage_copy_file(src, dst, sh->conf->file_mode);
|
|
- if (rc != 0) {
|
|
- goto cleanup;
|
|
- }
|
|
-
|
|
-cleanup:
|
|
- return rc;
|
|
-}
|
|
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
|
|
index ade43f2..acb6e3f 100644
|
|
--- a/libsemanage/src/semanage_store.h
|
|
+++ b/libsemanage/src/semanage_store.h
|
|
@@ -57,6 +57,8 @@ enum semanage_sandbox_defs {
|
|
SEMANAGE_MODULES_DISABLED,
|
|
SEMANAGE_STORE_KERNEL,
|
|
SEMANAGE_STORE_FC_LOCAL,
|
|
+ SEMANAGE_STORE_FC,
|
|
+ SEMANAGE_STORE_SEUSERS,
|
|
SEMANAGE_STORE_NUM_PATHS
|
|
};
|
|
|
|
@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh,
|
|
size_t buf_len,
|
|
char **sorted_buf, size_t * sorted_buf_len);
|
|
|
|
-int semanage_copy_policydb(semanage_handle_t *sh);
|
|
-int semanage_copy_fc_local(semanage_handle_t *sh);
|
|
+int semanage_copy_file(const char *src, const char *dst, mode_t mode);
|
|
|
|
#endif
|
|
diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
|
|
index b170eda..6443002 100755
|
|
--- a/libsemanage/utils/semanage_migrate_store
|
|
+++ b/libsemanage/utils/semanage_migrate_store
|
|
@@ -244,7 +244,8 @@ if __name__ == "__main__":
|
|
"users_extra.local",
|
|
"disable_dontaudit",
|
|
"preserve_tunables",
|
|
- "policy.kern" ]
|
|
+ "policy.kern",
|
|
+ "file_contexts"]
|
|
|
|
|
|
create_dir(newroot_path(), 0o755)
|
|
--
|
|
2.4.6
|
|
|