-rw-r--r-- | src/Makefile.am | 1 | ||||
-rw-r--r-- | src/tools/files.c | 57 | ||||
-rw-r--r-- | src/tools/selinux.c | 81 | ||||
-rw-r--r-- | src/tools/tools_util.h | 7 |
4 files changed, 86 insertions, 60 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index c3b1fe7b..e5c12df8 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -247,6 +247,7 @@ SSSD_TOOLS_OBJ = \ tools/sss_sync_ops.c \ tools/tools_util.c \ tools/files.c \ + tools/selinux.c \ tools/nscd.c SSSD_RESOLV_OBJ = \ diff --git a/src/tools/files.c b/src/tools/files.c index 90920b6c..b3b516ea 100644 --- a/src/tools/files.c +++ b/src/tools/files.c @@ -66,10 +66,6 @@ #include "util/util.h" #include "tools/tools_util.h" -#ifdef HAVE_SELINUX -#include <selinux/selinux.h> -#endif - int copy_tree(const char *src_root, const char *dst_root, uid_t uid, gid_t gid); @@ -79,59 +75,6 @@ struct copy_ctx { dev_t src_dev; }; -#ifdef HAVE_SELINUX -/* - * selinux_file_context - Set the security context before any file or - * directory creation. - * - * selinux_file_context () should be called before any creation of file, - * symlink, directory, ... - * - * Callers may have to Reset SELinux to create files with default - * contexts: - * reset_selinux_file_context(); - */ -int selinux_file_context(const char *dst_name) -{ - security_context_t scontext = NULL; - - if (is_selinux_enabled() == 1) { - /* Get the default security context for this file */ - if (matchpathcon(dst_name, 0, &scontext) < 0) { - if (security_getenforce () != 0) { - return 1; - } - } - /* Set the security context for the next created file */ - if (setfscreatecon(scontext) < 0) { - if (security_getenforce() != 0) { - return 1; - } - } - freecon(scontext); - } - - return 0; -} - -int reset_selinux_file_context(void) -{ - setfscreatecon(NULL); - return EOK; -} - -#else /* HAVE_SELINUX */ -int selinux_file_context(const char *dst_name) -{ - return EOK; -} - -int reset_selinux_file_context(void) -{ - return EOK; -} -#endif /* HAVE_SELINUX */ - /* wrapper in order not to create a temporary context in * every iteration */ static int remove_tree_with_ctx(TALLOC_CTX *mem_ctx, 
diff --git a/src/tools/selinux.c b/src/tools/selinux.c
new file mode 100644
index 00000000..9fa660c6
--- /dev/null
+++ b/src/tools/selinux.c
@@ -0,0 +1,81 @@
+/*
+ SSSD
+
+ selinux.c
+
+ Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+#include "util/util.h"
+
+#ifdef HAVE_SELINUX
+/*
+ * selinux_file_context - Set the security context before any file or
+ * directory creation.
+ *
+ * selinux_file_context () should be called before any creation of file,
+ * symlink, directory, ...
+ *
+ * Callers may have to Reset SELinux to create files with default
+ * contexts:
+ * reset_selinux_file_context();
+ */
+int selinux_file_context(const char *dst_name)
+{
+ security_context_t scontext = NULL;
+
+ if (is_selinux_enabled() == 1) {
+ /* Get the default security context for this file */
+ if (matchpathcon(dst_name, 0, &scontext) < 0) {
+ if (security_getenforce () != 0) {
+ return 1;
+ }
+ }
+ /* Set the security context for the next created file */
+ if (setfscreatecon(scontext) < 0) {
+ if (security_getenforce() != 0) {
+ return 1;
+ }
+ }
+ freecon(scontext);
+ }
+
+ return 0;
+}
+
+int reset_selinux_file_context(void)
+{
+ setfscreatecon(NULL);
+ return EOK;
+}
+
+#else /* HAVE_SELINUX */
+int selinux_file_context(const char *dst_name)
+{
+ return EOK;
+}
+
+int reset_selinux_file_context(void)
+{
+ return EOK;
+}
+#endif /* HAVE_SELINUX */
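Review bot: `selinux_file_context` leaks the context string returned by `matchpathcon` on the enforcing-mode error path: when `setfscreatecon(scontext)` fails the function does `return 1` without calling `freecon`, so every failed labelling attempt under enforcing mode leaks. The function also mixes error conventions — it returns 1 on failure and 0 on success while `reset_selinux_file_context` and the `!HAVE_SELINUX` stubs return `EOK`, and a caller treating the result as an errno will read 1 as EPERM — so the failure value deserves a comment at minimum. A single exit that always frees `scontext` closes the leak; the existing code already reaches `freecon` with a NULL context on the permissive `matchpathcon` failure path, so the NULL case needs no guard. In permissive mode a failed lookup still falls through to `setfscreatecon(NULL)` (the same call `reset_selinux_file_context` uses to clear the create context), which silently produces a default-labelled file; logging that fall-through is what makes mislabelled files diagnosable later, and the rewrite below keeps the existing return values so callers are unaffected.
```c
int selinux_file_context(const char *dst_name)
{
    security_context_t scontext = NULL;
    int ret = 0;

    if (is_selinux_enabled() != 1) {
        return 0;
    }

    /* Get the default security context for this file */
    if (matchpathcon(dst_name, 0, &scontext) < 0) {
        if (security_getenforce() != 0) {
            return 1;
        }
        /* permissive: scontext stays NULL, so the create context is cleared below */
    }

    /* Set the security context for the next created file */
    if (setfscreatecon(scontext) < 0 && security_getenforce() != 0) {
        ret = 1;
    }

    /* Reached on every path after matchpathcon, including setfscreatecon failure */
    freecon(scontext);
    return ret;
}
```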
diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h index fccec146..2ac18535 100644 --- a/src/tools/tools_util.h +++ b/src/tools/tools_util.h @@ -104,9 +104,6 @@ int copy_tree(const char *src_root, const char *dst_root, uid_t uid, gid_t gid); -int selinux_file_context(const char *dst_name); -int reset_selinux_file_context(void); - /* from nscd.c */ enum nscd_db { NSCD_DB_PASSWD, @@ -115,4 +112,8 @@ enum nscd_db { int flush_nscd_cache(TALLOC_CTX *mem_ctx, enum nscd_db flush_db); +/* from selinux.c */ +int selinux_file_context(const char *dst_name); +int reset_selinux_file_context(void); + #endif /* __TOOLS_UTIL_H__ */ |