X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fselinux-access.c;h=b45a4513e28a5b40ebb03e620c5ac6a3141e3fd8;hb=652212b0c2b60b9ef9b2e24eae82401f880fa21a;hp=351d48f8a45cf026a55a703e5800cc47cea869d3;hpb=dec23413ecc90d4a547aa41f02af0482b4513495;p=elogind.git diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 351d48f8a..b45a4513e 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -112,7 +112,7 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { #endif va_start(ap, fmt); - log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap); + log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap); va_end(ap); return 0; @@ -126,10 +126,8 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { static int access_init(void) { int r = 0; - if (avc_open(NULL, 0)) { - log_error("avc_open() failed: %m"); - return -errno; - } + if (avc_open(NULL, 0)) + return log_error_errno(errno, "avc_open() failed: %m"); selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback); selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback); @@ -142,7 +140,7 @@ static int access_init(void) { return r; } -static int selinux_access_init(sd_bus_error *error) { +static int mac_selinux_access_init(sd_bus_error *error) { int r; if (initialized) @@ -158,14 +156,17 @@ static int selinux_access_init(sd_bus_error *error) { initialized = true; return 0; } +#endif -void selinux_access_free(void) { +void mac_selinux_access_free(void) { +#ifdef HAVE_SELINUX if (!initialized) return; avc_destroy(); initialized = false; +#endif } /* @@ -174,12 +175,13 @@ void selinux_access_free(void) { If the machine is in permissive mode it will return ok. Audit messages will still be generated if the access would be denied in enforcing mode. */ -int selinux_generic_access_check( +int mac_selinux_generic_access_check( sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error) { +#ifdef HAVE_SELINUX _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL; const char *tclass = NULL, *scon = NULL; struct audit_info audit_info = {}; @@ -195,7 +197,7 @@ int selinux_generic_access_check( if (!mac_selinux_use()) return 0; - r = selinux_access_init(error); + r = mac_selinux_access_init(error); if (r < 0) return r; @@ -203,7 +205,8 @@ int selinux_generic_access_check( message, SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID| SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID| - SD_BUS_CREDS_SELINUX_CONTEXT, + SD_BUS_CREDS_SELINUX_CONTEXT| + SD_BUS_CREDS_AUGMENT /* get more bits from /proc */, &creds); if (r < 0) goto finish; @@ -254,13 +257,17 @@ finish: } return r; +#else + return 0; +#endif } -int selinux_unit_access_check_strv(char **units, +int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error) { +#ifdef HAVE_SELINUX char **i; Unit *u; int r; @@ -268,35 +275,11 @@ int selinux_unit_access_check_strv(char **units, STRV_FOREACH(i, units) { u = manager_get_unit(m, *i); if (u) { - r = selinux_unit_access_check(u, message, permission, error); + r = mac_selinux_unit_access_check(u, message, permission, error); if (r < 0) return r; } } - - return 0; -} - -#else - -int selinux_generic_access_check( - sd_bus_message *message, - const char *path, - const char *permission, - sd_bus_error *error) { - - return 0; -} - -void selinux_access_free(void) { -} - -int selinux_unit_access_check_strv(char **units, - sd_bus_message *message, - Manager *m, - const char *permission, - sd_bus_error *error) { +#endif return 0; } - -#endif