summaryrefslogtreecommitdiff
blob: 24e9778015aba1c3f8edb258efee0325959144e9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
From d56c2b434e99f60612c1290e82021ecbcbfaf5e6 Mon Sep 17 00:00:00 2001
From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Date: Tue, 21 Jul 2015 15:08:15 -0400
Subject: [PATCH] libsemanage: Add file_contexts and seusers to the store

This patch writes file_contexts and seusers to the policy store as well as
/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
store rather than the final directory which was the old behavior. This allows
all policy related files to be kept in the policy store.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
---
 libsemanage/src/direct_api.c             | 69 +++++++++++++++++++++++++-------
 libsemanage/src/semanage_store.c         | 49 ++++-------------------
 libsemanage/src/semanage_store.h         |  5 ++-
 libsemanage/utils/semanage_migrate_store |  3 +-
 4 files changed, 66 insertions(+), 60 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 3c6b168..b11f2ba 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh)
 		goto err;
 
 	if (fcontext_file_dbase_init(sh,
-				     semanage_final_path(SEMANAGE_FINAL_SELINUX,
-							 SEMANAGE_FC),
-				     semanage_final_path(SEMANAGE_FINAL_TMP,
-							 SEMANAGE_FC),
+				     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC),
+				     semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
 				     semanage_fcontext_dbase_policy(sh)) < 0)
 		goto err;
 
 	if (seuser_file_dbase_init(sh,
-				   semanage_final_path(SEMANAGE_FINAL_SELINUX,
-						       SEMANAGE_SEUSERS),
-				   semanage_final_path(SEMANAGE_FINAL_TMP,
-						       SEMANAGE_SEUSERS),
+				   semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS),
+				   semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
 				   semanage_seuser_dbase_policy(sh)) < 0)
 		goto err;
 
@@ -602,7 +598,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
 	}
 
 	if (size > 0) {
-		ofilename = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS);
+		ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
 		if (ofilename == NULL) {
 			return -1;
 		}
@@ -1039,7 +1035,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 	size_t fc_buffer_len = 0;
 	const char *ofilename = NULL;
 	const char *path;
-	int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
+	int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
+		missing_seusers = 0, missing_fc = 0, missing = 0;
 	sepol_policydb_t *out = NULL;
 	struct cil_db *cildb = NULL;
 	semanage_module_info_t *modinfos = NULL;
@@ -1151,10 +1148,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 		if (access(path, F_OK) != 0) {
 			missing_policy_kern = 1;
 		}
+
+		path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
+
+		if (access(path, F_OK) != 0) {
+			missing_fc = 1;
+		}
+
+		path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
+
+		if (access(path, F_OK) != 0) {
+			missing_seusers = 1;
+		}
 	}
 
+	missing |= missing_policy_kern;
+	missing |= missing_fc;
+	missing |= missing_seusers;
+
 	/* If there were policy changes, or explicitly requested, rebuild the policy */
-	if (sh->do_rebuild || modified || missing_policy_kern) {
+	if (sh->do_rebuild || modified || missing) {
 		/* =================== Module expansion =============== */
 
 		retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
@@ -1312,15 +1325,41 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 	if (retval < 0)
 		goto cleanup;
 
-	retval = semanage_copy_policydb(sh);
-	if (retval < 0)
+	retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+			semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL),
+			sh->conf->file_mode);
+	if (retval < 0) {
 		goto cleanup;
+	}
 
 	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
 	if (access(path, F_OK) == 0) {
-		retval = semanage_copy_fc_local(sh);
-		if (retval < 0)
+		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
+							sh->conf->file_mode);
+		if (retval < 0) {
 			goto cleanup;
+		}
+	}
+
+	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
+	if (access(path, F_OK) == 0) {
+		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+							sh->conf->file_mode);
+		if (retval < 0) {
+			goto cleanup;
+		}
+	}
+
+	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
+	if (access(path, F_OK) == 0) {
+		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
+							sh->conf->file_mode);
+		if (retval < 0) {
+			goto cleanup;
+		}
 	}
 
 	/* run genhomedircon if its enabled, this should be the last operation
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 2856aaf..fa0876f 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
 	"/preserve_tunables",
 	"/modules/disabled",
 	"/policy.kern",
-	"/file_contexts.local"
+	"/file_contexts.local",
+	"/file_contexts",
+	"/seusers"
 };
 
 static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d)
 
 /* Copies a file from src to dst.  If dst already exists then
  * overwrite it.  Returns 0 on success, -1 on error. */
-static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
+int semanage_copy_file(const char *src, const char *dst, mode_t mode)
 {
 	int in, out, retval = 0, amount_read, n, errsv = errno;
 	char tmp[PATH_MAX];
@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh)
 		goto cleanup;
 	}
 
-	fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+	fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
 		  O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
 	if (fc < 0) {
 		ERR(sh, "Could not open %s for writing.",
-		    semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC));
+		    semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
 		goto cleanup;
 	}
 	hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL),
@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh)
 		} else {
 			if (write(fc, buf, strlen(buf)) < 0) {
 				ERR(sh, "Write to %s failed.",
-				    semanage_final_path(SEMANAGE_FINAL_TMP,
-							SEMANAGE_FC));
+				    semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
 				goto cleanup;
 			}
 		}
@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
 
 	return 0;
 }
-
-int semanage_copy_policydb(semanage_handle_t *sh)
-{
-	const char *src = NULL;
-	const char *dst = NULL;
-	int rc = -1;
-
-	src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
-	dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
-
-	rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-	if (rc != 0) {
-		goto cleanup;
-	}
-
-cleanup:
-	return rc;
-}
-
-int semanage_copy_fc_local(semanage_handle_t *sh)
-{
-	const char *src = NULL;
-	const char *dst = NULL;
-	int rc = -1;
-
-	src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
-	dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
-
-	rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-	if (rc != 0) {
-		goto cleanup;
-	}
-
-cleanup:
-	return rc;
-}
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
index ade43f2..acb6e3f 100644
--- a/libsemanage/src/semanage_store.h
+++ b/libsemanage/src/semanage_store.h
@@ -57,6 +57,8 @@ enum semanage_sandbox_defs {
 	SEMANAGE_MODULES_DISABLED,
 	SEMANAGE_STORE_KERNEL,
 	SEMANAGE_STORE_FC_LOCAL,
+	SEMANAGE_STORE_FC,
+	SEMANAGE_STORE_SEUSERS,
 	SEMANAGE_STORE_NUM_PATHS
 };
 
@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh,
 		     size_t buf_len,
 		     char **sorted_buf, size_t * sorted_buf_len);
 
-int semanage_copy_policydb(semanage_handle_t *sh);
-int semanage_copy_fc_local(semanage_handle_t *sh);
+int semanage_copy_file(const char *src, const char *dst, mode_t mode);
 
 #endif
diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
index b170eda..6443002 100755
--- a/libsemanage/utils/semanage_migrate_store
+++ b/libsemanage/utils/semanage_migrate_store
@@ -244,7 +244,8 @@ if __name__ == "__main__":
 		"users_extra.local",
 		"disable_dontaudit",
 		"preserve_tunables",
-		"policy.kern" ]
+		"policy.kern",
+		"file_contexts"]
 
 
 	create_dir(newroot_path(), 0o755)
-- 
2.4.6