RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-12 08:29:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsemanage: Add policy binary and file_contexts.local to the store

Browse Source 
This patch writes policy.kern and file_contexts.local to the policy store as
well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
are now parsed from the store rather than the final directory which was
the old behavior. This allows all policy related files to be kept in the
policy store.

This patch also renames /var/lib/selinux/tmp to 'final' and changes
policy.kern in the store to longer be a symlink.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
This commit is contained in:
Yuli Khodorkovskiy 2015-07-02 09:27:36 -04:00 committed by Stephen Smalley
parent 36938c293e
commit 9638af24a1
9 changed files with 86 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libsemanage/src/booleans_policydb.c
View File

@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle,
{ {
if (dbase_policydb_init(handle, if (dbase_policydb_init(handle,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
SEMANAGE_KERNEL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_KERNEL),
&SEMANAGE_BOOL_RTABLE, &SEMANAGE_BOOL_RTABLE,
&SEMANAGE_BOOL_POLICYDB_RTABLE, &SEMANAGE_BOOL_POLICYDB_RTABLE,
&dconfig->dbase) < 0) &dconfig->dbase) < 0)

33
libsemanage/src/direct_api.c
View File

@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh)
goto err; goto err;
if (fcontext_file_dbase_init(sh, if (fcontext_file_dbase_init(sh,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL),
SEMANAGE_FC_LOCAL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_FC_LOCAL),
semanage_fcontext_dbase_local(sh)) < 0) semanage_fcontext_dbase_local(sh)) < 0)
goto err; goto err;
@ -1041,7 +1039,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
size_t fc_buffer_len = 0; size_t fc_buffer_len = 0;
const char *ofilename = NULL; const char *ofilename = NULL;
const char *path; const char *path;
int retval = -1, num_modinfos = 0, i; int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
sepol_policydb_t *out = NULL; sepol_policydb_t *out = NULL;
struct cil_db *cildb = NULL; struct cil_db *cildb = NULL;
semanage_module_info_t *modinfos = NULL; semanage_module_info_t *modinfos = NULL;
@ -1143,8 +1141,20 @@ static int semanage_direct_commit(semanage_handle_t * sh)
modified |= dontaudit_modified; modified |= dontaudit_modified;
modified |= preserve_tunables_modified; modified |= preserve_tunables_modified;
/* This is for systems that have already migrated with an older version
* of semanage_migrate_store. The older version did not copy policy.kern so
* the policy binary must be rebuilt here.
*/
if (!sh->do_rebuild && !modified) {
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
if (access(path, F_OK) != 0) {
missing_policy_kern = 1;
}
}
/* If there were policy changes, or explicitly requested, rebuild the policy */ /* If there were policy changes, or explicitly requested, rebuild the policy */
if (sh->do_rebuild || modified) { if (sh->do_rebuild || modified || missing_policy_kern) {
/* =================== Module expansion =============== */ /* =================== Module expansion =============== */
retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
@ -1302,6 +1312,17 @@ static int semanage_direct_commit(semanage_handle_t * sh)
if (retval < 0) if (retval < 0)
goto cleanup; goto cleanup;
retval = semanage_copy_policydb(sh);
if (retval < 0)
goto cleanup;
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
if (access(path, F_OK) == 0) {
retval = semanage_copy_fc_local(sh);
if (retval < 0)
goto cleanup;
}
/* run genhomedircon if its enabled, this should be the last operation /* run genhomedircon if its enabled, this should be the last operation
* which requires the out policydb */ * which requires the out policydb */
if (!sh->conf->disable_genhomedircon) { if (!sh->conf->disable_genhomedircon) {

6
libsemanage/src/interfaces_policydb.c
View File

@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle,
{ {
if (dbase_policydb_init(handle, if (dbase_policydb_init(handle,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
SEMANAGE_KERNEL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_KERNEL),
&SEMANAGE_IFACE_RTABLE, &SEMANAGE_IFACE_RTABLE,
&SEMANAGE_IFACE_POLICYDB_RTABLE, &SEMANAGE_IFACE_POLICYDB_RTABLE,
&dconfig->dbase) < 0) &dconfig->dbase) < 0)

6
libsemanage/src/nodes_policydb.c
View File

@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle,
{ {
if (dbase_policydb_init(handle, if (dbase_policydb_init(handle,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
SEMANAGE_KERNEL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_KERNEL),
&SEMANAGE_NODE_RTABLE, &SEMANAGE_NODE_RTABLE,
&SEMANAGE_NODE_POLICYDB_RTABLE, &SEMANAGE_NODE_POLICYDB_RTABLE,
&dconfig->dbase) < 0) &dconfig->dbase) < 0)

6
libsemanage/src/ports_policydb.c
View File

@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle,
{ {
if (dbase_policydb_init(handle, if (dbase_policydb_init(handle,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
SEMANAGE_KERNEL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_KERNEL),
&SEMANAGE_PORT_RTABLE, &SEMANAGE_PORT_RTABLE,
&SEMANAGE_PORT_POLICYDB_RTABLE, &SEMANAGE_PORT_POLICYDB_RTABLE,
&dconfig->dbase) < 0) &dconfig->dbase) < 0)

55
libsemanage/src/semanage_store.c
View File

@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"/disable_dontaudit", "/disable_dontaudit",
"/preserve_tunables", "/preserve_tunables",
"/modules/disabled", "/modules/disabled",
"/policy.kern",
"/file_contexts.local"
}; };
static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = { static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
"/tmp", "/final",
"", "",
}; };
@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh)
goto cleanup; goto cleanup;
} }
/* Copy in exported databases. // Build final directory structure
* i = 1 to avoid copying the top level directory.
*/
int i; int i;
for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) { for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) {
if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) { if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) {
@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh)
status = -1; status = -1;
goto cleanup; goto cleanup;
} }
semanage_copy_file(
semanage_final_path(SEMANAGE_FINAL_SELINUX, i),
semanage_final_path(SEMANAGE_FINAL_TMP, i),
sh->conf->file_mode);
/* ignore errors, these files may not exist */
} }
cleanup: cleanup:
@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
FILE *infile = NULL; FILE *infile = NULL;
if ((kernel_filename = if ((kernel_filename =
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
SEMANAGE_KERNEL)) == NULL) {
goto cleanup; goto cleanup;
} }
if ((infile = fopen(kernel_filename, "r")) == NULL) { if ((infile = fopen(kernel_filename, "r")) == NULL) {
@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
FILE *outfile = NULL; FILE *outfile = NULL;
if ((kernel_filename = if ((kernel_filename =
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) { semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
goto cleanup; goto cleanup;
} }
if ((outfile = fopen(kernel_filename, "wb")) == NULL) { if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
return 0; return 0;
} }
int semanage_copy_policydb(semanage_handle_t *sh)
{
const char *src = NULL;
const char *dst = NULL;
int rc = -1;
src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
rc = semanage_copy_file(src, dst, sh->conf->file_mode);
if (rc != 0) {
goto cleanup;
}
cleanup:
return rc;
}
int semanage_copy_fc_local(semanage_handle_t *sh)
{
const char *src = NULL;
const char *dst = NULL;
int rc = -1;
src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
rc = semanage_copy_file(src, dst, sh->conf->file_mode);
if (rc != 0) {
goto cleanup;
}
cleanup:
return rc;
}

5
libsemanage/src/semanage_store.h
View File

@ -55,6 +55,8 @@ enum semanage_sandbox_defs {
SEMANAGE_DISABLE_DONTAUDIT, SEMANAGE_DISABLE_DONTAUDIT,
SEMANAGE_PRESERVE_TUNABLES, SEMANAGE_PRESERVE_TUNABLES,
SEMANAGE_MODULES_DISABLED, SEMANAGE_MODULES_DISABLED,
SEMANAGE_STORE_KERNEL,
SEMANAGE_STORE_FC_LOCAL,
SEMANAGE_STORE_NUM_PATHS SEMANAGE_STORE_NUM_PATHS
}; };
@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh,
size_t buf_len, size_t buf_len,
char **sorted_buf, size_t * sorted_buf_len); char **sorted_buf, size_t * sorted_buf_len);
int semanage_copy_policydb(semanage_handle_t *sh);
int semanage_copy_fc_local(semanage_handle_t *sh);
#endif #endif

6
libsemanage/src/users_base_policydb.c
View File

@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle,
{ {
if (dbase_policydb_init(handle, if (dbase_policydb_init(handle,
semanage_final_path(SEMANAGE_FINAL_SELINUX, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
SEMANAGE_KERNEL), semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_KERNEL),
&SEMANAGE_USER_BASE_RTABLE, &SEMANAGE_USER_BASE_RTABLE,
&SEMANAGE_USER_BASE_POLICYDB_RTABLE, &SEMANAGE_USER_BASE_POLICYDB_RTABLE,
&dconfig->dbase) < 0) &dconfig->dbase) < 0)

3
libsemanage/utils/semanage_migrate_store
View File

@ -243,7 +243,8 @@ if __name__ == "__main__":
"users.local", "users.local",
"users_extra.local", "users_extra.local",
"disable_dontaudit", "disable_dontaudit",
"preserve_tunables" ] "preserve_tunables",
"policy.kern" ]
create_dir(newroot_path(), 0o755) create_dir(newroot_path(), 0o755)