set_selinux_file_context(): prepare context for actual file type
Search the SELinux selabel database for the file type to be created. Not specifying the file mode can cause an incorrect file context to be returned. Also prepare contexts in commonio_close() for the generic database filename, not with the backup suffix appended, to ensure the desired file context after the final rename. Closes: #322 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
parent
5f7649fb37
commit
eb1d2de0e9
@ -974,7 +974,7 @@ int commonio_close (struct commonio_db *db)
|
|||||||
snprintf (buf, sizeof buf, "%s-", db->filename);
|
snprintf (buf, sizeof buf, "%s-", db->filename);
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (buf) != 0) {
|
if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
|
||||||
errors++;
|
errors++;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@ -1007,7 +1007,7 @@ int commonio_close (struct commonio_db *db)
|
|||||||
snprintf (buf, sizeof buf, "%s+", db->filename);
|
snprintf (buf, sizeof buf, "%s+", db->filename);
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (buf) != 0) {
|
if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
|
||||||
errors++;
|
errors++;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
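Review bot: In the first hunk the context is now prepared for `db->filename` although the file created right after is the backup at `buf` (`%s-`); if that backup is not itself renamed over `db->filename` later (the rest of commonio_close is outside the hunk), it deliberately receives the label selabel would assign to the live database rather than to the `-` path, and that intent is not visible at the call site. A one-line comment would make it explicit, e.g. `/* label the backup like the final db->filename, not like the "-" path (#322) */`. For the second hunk (`%s+`), the file that is renamed into place, the same choice is clearly right and needs no comment.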
@ -403,7 +403,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
|
|||||||
|
|
||||||
/* selinux.c */
|
/* selinux.c */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
extern int set_selinux_file_context (const char *dst_name);
|
extern int set_selinux_file_context (const char *dst_name, mode_t mode);
|
||||||
extern int reset_selinux_file_context (void);
|
extern int reset_selinux_file_context (void);
|
||||||
extern int check_selinux_permit (const char *perm_name);
|
extern int check_selinux_permit (const char *perm_name);
|
||||||
#endif
|
#endif
|
||||||
|
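Review bot: The new `mode_t` parameter on the `set_selinux_file_context` prototype is undocumented, and its contract is narrower than the type suggests: every caller in this commit passes an `S_IF*` file-type constant or `st_mode & S_IFMT`, never a full mode with permission bits. A comment on the declaration would pin that down, e.g. `/* mode: file type of the object about to be created (S_IFREG, S_IFDIR, S_IFLNK, ...), i.e. st_mode & S_IFMT; 0 = type unknown */`. `mode_t` also requires `<sys/types.h>` (or `<sys/stat.h>`) to be visible in this header; whether it is already included is outside the hunk. The same description belongs in the comment block above the definition in selinux.c, which the second hunk there leaves without any mention of the new argument.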
@ -51,7 +51,7 @@ static bool selinux_enabled;
|
|||||||
* Callers may have to Reset SELinux to create files with default
|
* Callers may have to Reset SELinux to create files with default
|
||||||
* contexts with reset_selinux_file_context
|
* contexts with reset_selinux_file_context
|
||||||
*/
|
*/
|
||||||
int set_selinux_file_context (const char *dst_name)
|
int set_selinux_file_context (const char *dst_name, mode_t mode)
|
||||||
{
|
{
|
||||||
if (!selinux_checked) {
|
if (!selinux_checked) {
|
||||||
selinux_enabled = is_selinux_enabled () > 0;
|
selinux_enabled = is_selinux_enabled () > 0;
|
||||||
@ -70,7 +70,7 @@ int set_selinux_file_context (const char *dst_name)
|
|||||||
return security_getenforce () != 0;
|
return security_getenforce () != 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
|
r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, mode);
|
||||||
selabel_close(hnd);
|
selabel_close(hnd);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
/* No context specified for the searched path */
|
/* No context specified for the searched path */
|
||||||
|
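Review bot: `selabel_lookup_raw` receives `mode` unmasked on the new line, so correct matching depends on every caller stripping permission bits first; copy_special does (`st_mode & S_IFMT`) while the other call sites pass bare constants, and a future caller handing in a raw `st_mode` would silently match no typed entry if libselinux compares the type field exactly (not confirmed from here). Masking once inside the function makes the contract robust regardless of caller discipline: `r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, mode & S_IFMT);`. The body of set_selinux_file_context begins and continues outside these hunks.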
@ -484,7 +484,7 @@ static int copy_dir (const char *src, const char *dst,
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (dst) != 0) {
|
if (set_selinux_file_context (dst, S_IFDIR) != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
@ -605,7 +605,7 @@ static int copy_symlink (const char *src, const char *dst,
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (dst) != 0) {
|
if (set_selinux_file_context (dst, S_IFLNK) != 0) {
|
||||||
free (oldlink);
|
free (oldlink);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -684,7 +684,7 @@ static int copy_special (const char *src, const char *dst,
|
|||||||
int err = 0;
|
int err = 0;
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (dst) != 0) {
|
if (set_selinux_file_context (dst, statp->st_mode & S_IFMT) != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
@ -744,7 +744,7 @@ static int copy_file (const char *src, const char *dst,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (dst) != 0) {
|
if (set_selinux_file_context (dst, S_IFREG) != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
|
@ -2177,7 +2177,7 @@ static void create_home (void)
|
|||||||
++bhome;
|
++bhome;
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (prefix_user_home) != 0) {
|
if (set_selinux_file_context (prefix_user_home, S_IFDIR) != 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("%s: cannot set SELinux context for home directory %s\n"),
|
_("%s: cannot set SELinux context for home directory %s\n"),
|
||||||
Prog, user_home);
|
Prog, user_home);
|
||||||
@ -2305,7 +2305,7 @@ static void create_mail (void)
|
|||||||
sprintf (file, "%s/%s", spool, user_name);
|
sprintf (file, "%s/%s", spool, user_name);
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
if (set_selinux_file_context (file) != 0) {
|
if (set_selinux_file_context (file, S_IFREG) != 0) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("%s: cannot set SELinux context for mailbox file %s\n"),
|
_("%s: cannot set SELinux context for mailbox file %s\n"),
|
||||||
Prog, file);
|
Prog, file);
|
||||||
|