#include "log.h"
#include "strv.h"
-#if HAVE_SELINUX
+#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
static struct selabel_handle *label_hnd = NULL;
-static inline int use_selinux(void) {
+static inline bool use_selinux(void) {
static int use_selinux_ind = -1;
- if (use_selinux_ind == -1)
- use_selinux_ind = (is_selinux_enabled() == 1);
+ if (use_selinux_ind < 0)
+ use_selinux_ind = is_selinux_enabled() > 0;
return use_selinux_ind;
}
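Review bot: use_selinux() now returns `bool`, but no `<stdbool.h>` include is visible in this hunk's include block, so the build presumably relies on one of `log.h`/`strv.h` or a header above this hunk pulling it in; if that is not the case, add `#include <stdbool.h>` beside the selinux includes. Keeping `use_selinux_ind` as a static `int` is fine for the `bool` return, since the new assignment `use_selinux_ind = is_selinux_enabled() > 0;` already normalises the cached value to 0 or 1.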
r = getfilecon(path, &dir_con);
if (r >= 0) {
r = -1;
+ errno = EINVAL;
+
if ((sclass = string_to_security_class(class)) != 0)
r = security_compute_create((security_context_t) label, dir_con, sclass, fcon);
}
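Review bot: The new `errno = EINVAL;` line has no comment saying why errno is pre-set; from the surrounding lines it appears intended so that a `string_to_security_class()` failure, which leaves `r` at -1 and skips `security_compute_create()`, is reported by callers that turn `r < 0` into `-errno` as EINVAL rather than whatever errno `getfilecon()` left behind. Suggest a one-line comment above it: `/* pre-set so an unknown class is reported as -EINVAL by callers that read errno */`. The enclosing function starts and ends outside this hunk, so the release of `dir_con` could not be checked here.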
int label_init(void) {
int r = 0;
-#if HAVE_SELINUX
- if (use_selinux()) {
- label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- if (!label_hnd) {
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Failed to initialize SELinux context: %m");
- r = (security_getenforce() == 1) ? -errno : 0;
- }
+#ifdef HAVE_SELINUX
+
+ if (!use_selinux())
+ return 0;
+
+ label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (!label_hnd) {
+ log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
+ "Failed to initialize SELinux context: %m");
+ r = (security_getenforce() == 1) ? -errno : 0;
}
#endif
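Review bot: `r = (security_getenforce() == 1) ? -errno : 0;` reads errno only after `log_full()` and two `security_getenforce()` calls have run, and neither is guaranteed to preserve errno (logging does I/O and `security_getenforce()` reads selinuxfs), so the code returned on an enforcing system may not be the `selabel_open()` failure. Capture it first: insert `int saved_errno = errno;` directly after `if (!label_hnd) {` and change the assignment to `r = (security_getenforce() == 1) ? -saved_errno : 0;`. The same read-errno-after-logging pattern appears in label_fix, label_get_socket_label_from_exe, label_fifofile_set and label_socket_set further down this commit. label_init's `return r;` lies outside this hunk.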
int label_fix(const char *path) {
int r = 0;
-#if HAVE_SELINUX
+
+#ifdef HAVE_SELINUX
struct stat st;
security_context_t fcon;
- if (use_selinux()) {
- r = lstat(path, &st);
- if (r == 0) {
- r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
+ if (!use_selinux() || !label_hnd)
+ return 0;
- if (r == 0) {
- r = setfilecon(path, fcon);
- freecon(fcon);
- }
- }
- if (r < 0) {
- log_error("Unable to fix label of %s: %m", path);
- r = (security_getenforce() == 1) ? -errno : 0;
+ r = lstat(path, &st);
+ if (r == 0) {
+ r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
+
+ if (r == 0) {
+ r = setfilecon(path, fcon);
+ freecon(fcon);
}
}
+ if (r < 0) {
+ log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
+ "Unable to fix label of %s: %m", path);
+ r = (security_getenforce() == 1) ? -errno : 0;
+ }
#endif
+
return r;
}
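Review bot: The new guard `if (!use_selinux() || !label_hnd) return 0;` silently turns label_fix into a no-op when `label_hnd` is NULL, and nothing says why that state is legitimate. From label_init above, `label_hnd` stays NULL when `selabel_open()` fails on a permissive system while label_init still returns 0, so this guard is what keeps later relabel calls from handing a NULL handle to `selabel_lookup_raw()`. Suggest a comment on the guard: `/* label_hnd is NULL when label_init() failed in permissive mode; relabeling is then skipped */`.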
void label_finish(void) {
-#if HAVE_SELINUX
- if (use_selinux())
+#ifdef HAVE_SELINUX
+ if (use_selinux() && label_hnd)
selabel_close(label_hnd);
#endif
-
}
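Review bot: `selabel_close(label_hnd)` frees the handle but the new code leaves `label_hnd` pointing at it, so a later label_fix() or label_mkdir() call, which this commit now gates only on `label_hnd` being non-NULL, would pass a freed handle to `selabel_lookup_raw()`. Add `label_hnd = NULL;` after the close so the `label_hnd` guards introduced elsewhere in this commit still hold after label_finish().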
-int label_get_socket_label_from_exe(
- const char *exe,
- char **label) {
+int label_get_socket_label_from_exe(const char *exe, char **label) {
+
int r = 0;
-#if HAVE_SELINUX
+#ifdef HAVE_SELINUX
security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
+ if (!use_selinux()) {
+ *label = NULL;
+ return 0;
+ }
+
r = getcon(&mycon);
if (r < 0)
goto fail;
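Review bot: The early return sets `*label = NULL` and returns 0 when SELinux is off, but the `fail:` path of this function (visible in the next hunk) converts `r` to `-errno` only in enforcing mode and otherwise returns the raw negative value from `getcon()`, so in permissive mode this function reports an error while label_fifofile_set and label_socket_set in this same commit return 0. Unless the elided middle of the function resets `r`, consider `if (r < 0) r = security_getenforce() == 1 ? -errno : 0;` at `fail:` for consistency, with errno captured into a local before the `security_getenforce()` call. The function continues past this hunk.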
log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
fail:
- if (r< 0 && security_getenforce() == 1)
+ if (r < 0 && security_getenforce() == 1)
r = -errno;
freecon(mycon);
int label_fifofile_set(const char *label, const char *path) {
int r = 0;
-#if HAVE_SELINUX
+#ifdef HAVE_SELINUX
security_context_t filecon = NULL;
- if (use_selinux() && label) {
- if (((r = label_get_file_label_from_path(label, path, "fifo_file", &filecon)) == 0)) {
- if ((r = setfscreatecon(filecon)) < 0) {
- log_error("Failed to set SELinux file context (%s) on %s: %m", label, path);
- r = -errno;
- }
- freecon(filecon);
+ if (!use_selinux() || !label)
+ return 0;
+
+ if (((r = label_get_file_label_from_path(label, path, "fifo_file", &filecon)) == 0)) {
+ if ((r = setfscreatecon(filecon)) < 0) {
+ log_error("Failed to set SELinux file context (%s) on %s: %m", label, path);
+ r = -errno;
}
- if (r < 0 && security_getenforce() == 0)
- r = 0;
+ freecon(filecon);
}
+
+ if (r < 0 && security_getenforce() == 0)
+ r = 0;
#endif
return r;
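Review bot: The `log_error(...)` on the `setfscreatecon()` failure stays at LOG_ERR unconditionally, while this same commit switches label_init, label_fix and label_socket_set to `log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, ...)`, so a permissive-mode system still logs an error here and then has `r` reset to 0 by the `security_getenforce() == 0` check below. Changing that line to `log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Failed to set SELinux file context (%s) on %s: %m", label, path);` makes the severity consistent with the rest of the commit. A failure of `label_get_file_label_from_path()` is not logged at all on this path, which is worth at least a debug message. The function's closing brace is outside this hunk.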
int label_socket_set(const char *label) {
-#if HAVE_SELINUX
- if (use_selinux() && setsockcreatecon((security_context_t) label) < 0) {
- log_error("Failed to set SELinux context (%s) on socket: %m", label);
+#ifdef HAVE_SELINUX
+ if (!use_selinux())
+ return 0;
+
+ if (setsockcreatecon((security_context_t) label) < 0) {
+ log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
+ "Failed to set SELinux context (%s) on socket: %m", label);
+
if (security_getenforce() == 1)
return -errno;
}
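Review bot: The new guard only checks `use_selinux()`, so a NULL `label` reaches `setsockcreatecon(NULL)`, which this commit itself uses in label_socket_clear to reset the socket create context; a caller passing an absent label therefore silently clears the context instead of doing nothing, unlike label_fifofile_set, which now returns early on `!label`. Mirror that guard here: `if (!use_selinux() || !label) return 0;`. The success-path return of label_socket_set lies outside this hunk.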
void label_file_clear(void) {
-#if HAVE_SELINUX
- if (use_selinux())
- setfscreatecon(NULL);
-#endif
+#ifdef HAVE_SELINUX
+ if (!use_selinux())
+ return;
- return;
+ setfscreatecon(NULL);
+#endif
}
-void label_free(const char *label) {
+void label_socket_clear(void) {
-#if HAVE_SELINUX
- if (use_selinux())
- freecon((security_context_t) label);
-#endif
+#ifdef HAVE_SELINUX
+ if (!use_selinux())
+ return;
- return;
+ setsockcreatecon(NULL);
+#endif
}
-void label_socket_clear(void) {
+void label_free(const char *label) {
-#if HAVE_SELINUX
- if (use_selinux())
- setsockcreatecon(NULL);
-#endif
+#ifdef HAVE_SELINUX
+ if (!use_selinux())
+ return;
- return;
+ freecon((security_context_t) label);
+#endif
}
static int label_mkdir(
const char *path,
mode_t mode) {
-#if HAVE_SELINUX
+#ifdef HAVE_SELINUX
int r;
security_context_t fcon = NULL;
- if (use_selinux()) {
+ if (use_selinux() && label_hnd) {
if (path[0] == '/') {
r = selabel_lookup_raw(label_hnd, &fcon, path, mode);
}
r = mkdir(path, mode);
finish:
- if (use_selinux()) {
+ if (use_selinux() && label_hnd) {
setfscreatecon(NULL);
freecon(fcon);
}