libsemanage: Add semanage_mls_enabled interface

Add a semanage_mls_enabled() interface to libsemanage so that semanage/seobject can be rewritten to use it to test whether MLS is enabled for a given policy store rather than checking the runtime MLS enabled status, which can be misleading when using semanage on a SELinux-disabled host or when using semanage on a store other than the active one. Sample usage: from semanage import * handle = semanage_handle_create() rc = semanage_connect(handle) rc = semanage_mls_enabled(handle) Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2024-12-27 08:22:07 +00:00 · 2008-11-10 15:32:56 -05:00 · 2008-11-10 15:32:56 -05:00 · 0a515c4610
commit 0a515c4610
parent 223bb406d8
7 changed files with 63 additions and 0 deletions
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@ -117,6 +117,9 @@ int semanage_access_check(semanage_handle_t * sh);
 /* returns 0 if not connected, 1 if connected */
 int semanage_is_connected(semanage_handle_t * sh);

+/* returns 1 if policy is MLS, 0 otherwise. */
+int semanage_mls_enabled(semanage_handle_t *sh);
+
 /* META NOTES
 *
 * For all functions a non-negative number indicates success. For some
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@ -1050,3 +1050,22 @@ int semanage_direct_access_check(semanage_handle_t * sh)

 	return semanage_store_access_check(sh);
 }
+
+int semanage_direct_mls_enabled(semanage_handle_t * sh)
+{
+	sepol_policydb_t *p = NULL;
+	int retval;
+
+	retval = sepol_policydb_create(&p);
+	if (retval < 0)
+		goto cleanup;
+
+	retval = semanage_read_policydb(sh, p);
+	if (retval < 0)
+		goto cleanup;
+
+	retval = sepol_policydb_mls_enabled(p);
+cleanup:
+	sepol_policydb_free(p);
+	return retval;
+}
--- a/libsemanage/src/direct_api.h
+++ b/libsemanage/src/direct_api.h
@ -37,4 +37,6 @@ int semanage_direct_is_managed(struct semanage_handle *sh);

 int semanage_direct_access_check(struct semanage_handle *sh);

+int semanage_direct_mls_enabled(struct semanage_handle *sh);
+
 #endif
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@ -157,6 +157,20 @@ int semanage_is_managed(semanage_handle_t * sh)
 	return -1;
 }

+int semanage_mls_enabled(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+	switch (sh->conf->store_type) {
+	case SEMANAGE_CON_DIRECT:
+		return semanage_direct_mls_enabled(sh);
+	default:
+		ERR(sh,
+		    "The connection type specified within your semanage.conf file has not been implemented yet.");
+		/* fall through */
+	}
+	return -1;
+}
+
 int semanage_connect(semanage_handle_t * sh)
 {
 	assert(sh != NULL);
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@ -14,5 +14,6 @@ LIBSEMANAGE_1.0 {
 	  semanage_node_*;
 	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
 	  semanage_is_connected; semanage_set_disable_dontaudit;
+	  semanage_mls_enabled;
  local: *;
 };
--- a/libsemanage/src/semanage.py
+++ b/libsemanage/src/semanage.py
@ -76,6 +76,7 @@ SEMANAGE_CAN_READ = _semanage.SEMANAGE_CAN_READ
 SEMANAGE_CAN_WRITE = _semanage.SEMANAGE_CAN_WRITE
 semanage_access_check = _semanage.semanage_access_check
 semanage_is_connected = _semanage.semanage_is_connected
+semanage_mls_enabled = _semanage.semanage_mls_enabled
 semanage_module_install = _semanage.semanage_module_install
 semanage_module_upgrade = _semanage.semanage_module_upgrade
 semanage_module_install_base = _semanage.semanage_module_install_base
--- a/libsemanage/src/semanageswig_wrap.c
+++ b/libsemanage/src/semanageswig_wrap.c
@ -3400,6 +3400,28 @@ fail:
 }


+SWIGINTERN PyObject *_wrap_semanage_mls_enabled(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  semanage_handle_t *arg1 = (semanage_handle_t *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+
+  if (!PyArg_ParseTuple(args,(char *)"O:semanage_mls_enabled",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_semanage_handle, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "semanage_mls_enabled" "', argument " "1"" of type '" "semanage_handle_t *""'");
+  }
+  arg1 = (semanage_handle_t *)(argp1);
+  result = (int)semanage_mls_enabled(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
 SWIGINTERN PyObject *_wrap_semanage_module_install(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
  PyObject *resultobj = 0;
  semanage_handle_t *arg1 = (semanage_handle_t *) 0 ;
@ -11391,6 +11413,7 @@ static PyMethodDef SwigMethods[] = {
 	 { (char *)"semanage_commit", _wrap_semanage_commit, METH_VARARGS, NULL},
 	 { (char *)"semanage_access_check", _wrap_semanage_access_check, METH_VARARGS, NULL},
 	 { (char *)"semanage_is_connected", _wrap_semanage_is_connected, METH_VARARGS, NULL},
+	 { (char *)"semanage_mls_enabled", _wrap_semanage_mls_enabled, METH_VARARGS, NULL},
 	 { (char *)"semanage_module_install", _wrap_semanage_module_install, METH_VARARGS, NULL},
 	 { (char *)"semanage_module_upgrade", _wrap_semanage_module_upgrade, METH_VARARGS, NULL},
 	 { (char *)"semanage_module_install_base", _wrap_semanage_module_install_base, METH_VARARGS, NULL},