|
Lines 46-51
Link Here
|
| 46 |
#include "einfo.h" |
46 |
#include "einfo.h" |
| 47 |
#include "rc-misc.h" |
47 |
#include "rc-misc.h" |
| 48 |
|
48 |
|
|
|
49 |
#define SELINUX 1 |
| 50 |
#ifdef SELINUX |
| 51 |
#include <selinux/selinux.h> |
| 52 |
#endif |
| 53 |
|
| 49 |
typedef enum { |
54 |
typedef enum { |
| 50 |
inode_unknown = 0, |
55 |
inode_unknown = 0, |
| 51 |
inode_file = 1, |
56 |
inode_file = 1, |
|
Lines 55-64
typedef enum {
Link Here
|
| 55 |
|
60 |
|
| 56 |
extern const char *applet; |
61 |
extern const char *applet; |
| 57 |
|
62 |
|
| 58 |
/* TODO: SELinux |
63 |
#ifdef SELINUX |
| 59 |
* This needs a LOT of SELinux loving |
64 |
static int selinux_set_file_context(char* path, mode_t mode) { |
| 60 |
* See systemd's src/label.c:label_mkdir |
65 |
security_context_t context = NULL; |
| 61 |
*/ |
66 |
|
|
|
67 |
if (is_selinux_enabled() > 0) { |
| 68 |
if (matchpathcon(path, mode, &context) < 0) { |
| 69 |
if (security_getenforce() != 0) { |
| 70 |
eerror("%s: can't get default SELinux file context", path); |
| 71 |
return -1; |
| 72 |
} |
| 73 |
ewarn("%s: can't get default SELinux file context", path); |
| 74 |
} |
| 75 |
if (setfscreatecon(context) < 0) { |
| 76 |
if (security_getenforce() != 0) { |
| 77 |
eerror("%s: can't set SELinux file creation context", path); |
| 78 |
return -1; |
| 79 |
} |
| 80 |
ewarn("%s: can't set SELinux file creation context", path); |
| 81 |
} |
| 82 |
freecon(context); |
| 83 |
} |
| 84 |
return 0; |
| 85 |
} |
| 86 |
|
| 87 |
static int selinux_reset_file_context() { |
| 88 |
if (is_selinux_enabled() > 0) { |
| 89 |
if (setfscreatecon(NULL) < 0) { |
| 90 |
if (security_getenforce() != 0) { |
| 91 |
eerror("can't reset SELinux context"); |
| 92 |
return -1; |
| 93 |
} |
| 94 |
ewarn("can't reset SELinux context"); |
| 95 |
} |
| 96 |
} |
| 97 |
return 0; |
| 98 |
} |
| 99 |
#endif |
| 100 |
|
| 62 |
static int |
101 |
static int |
| 63 |
do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, bool trunc) |
102 |
do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, bool trunc) |
| 64 |
{ |
103 |
{ |
|
Lines 82-88
do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, bool trunc
Link Here
|
| 82 |
if (trunc) |
121 |
if (trunc) |
| 83 |
flags |= O_TRUNC; |
122 |
flags |= O_TRUNC; |
| 84 |
u = umask(0); |
123 |
u = umask(0); |
|
|
124 |
#ifdef SELINUX |
| 125 |
selinux_set_file_context(path, mode); |
| 126 |
#endif |
| 85 |
fd = open(path, flags, mode); |
127 |
fd = open(path, flags, mode); |
|
|
128 |
#ifdef SELINUX |
| 129 |
selinux_reset_file_context(); |
| 130 |
#endif |
| 86 |
umask(u); |
131 |
umask(u); |
| 87 |
if (fd == -1) { |
132 |
if (fd == -1) { |
| 88 |
eerror("%s: open: %s", applet, strerror(errno)); |
133 |
eerror("%s: open: %s", applet, strerror(errno)); |
|
Lines 95-101
do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, bool trunc
Link Here
|
| 95 |
mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH; |
140 |
mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH; |
| 96 |
u = umask(0); |
141 |
u = umask(0); |
| 97 |
/* We do not recursively create parents */ |
142 |
/* We do not recursively create parents */ |
|
|
143 |
#ifdef SELINUX |
| 144 |
selinux_set_file_context(path, mode); |
| 145 |
#endif |
| 98 |
r = mkdir(path, mode); |
146 |
r = mkdir(path, mode); |
|
|
147 |
#ifdef SELINUX |
| 148 |
selinux_reset_file_context(); |
| 149 |
#endif |
| 99 |
umask(u); |
150 |
umask(u); |
| 100 |
if (r == -1 && errno != EEXIST) { |
151 |
if (r == -1 && errno != EEXIST) { |
| 101 |
eerror("%s: mkdir: %s", applet, |
152 |
eerror("%s: mkdir: %s", applet, |
|
Lines 108-114
do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, bool trunc
Link Here
|
| 108 |
if (!mode) /* 600 */ |
159 |
if (!mode) /* 600 */ |
| 109 |
mode = S_IRUSR | S_IWUSR; |
160 |
mode = S_IRUSR | S_IWUSR; |
| 110 |
u = umask(0); |
161 |
u = umask(0); |
|
|
162 |
#ifdef SELINUX |
| 163 |
selinux_set_file_context(path, mode); |
| 164 |
#endif |
| 111 |
r = mkfifo(path, mode); |
165 |
r = mkfifo(path, mode); |
|
|
166 |
#ifdef SELINUX |
| 167 |
selinux_reset_file_context(); |
| 168 |
#endif |
| 112 |
umask(u); |
169 |
umask(u); |
| 113 |
if (r == -1 && errno != EEXIST) { |
170 |
if (r == -1 && errno != EEXIST) { |
| 114 |
eerror("%s: mkfifo: %s", applet, |
171 |
eerror("%s: mkfifo: %s", applet, |
