Replace the SELinux avc_* calls with selinux_check_access(3), which combines all those services, plus: Checks if SELinux is enabled. Supports reordering of classes/permissions at runtime. Handles unknown classes/permissions (allow|deny|reject).
Requires libselinux 2.1.9 or greater.
Signed-off-by: Richard Haines <[email protected]>
---
 programs/pluto/ikev1_spdb_struct.c | 2 +-
 programs/pluto/plutomain.c | 2 +-
 programs/pluto/security_selinux.c | 68 +++++++++-----------------------------
 programs/pluto/security_selinux.h | 6 ++--
 4 files changed, 20 insertions(+), 58 deletions(-)
diff --git a/programs/pluto/ikev1_spdb_struct.c b/programs/pluto/ikev1_spdb_struct.c
index 53aed7f..6fee5ef 100644
--- a/programs/pluto/ikev1_spdb_struct.c
+++ b/programs/pluto/ikev1_spdb_struct.c
@@ -126,7 +126,7 @@ static bool parse_secctx_attr(pb_stream *pbs, struct state *st)
 st->st_connection->policy_label)) {
 DBG_log("security context verification succeeded");
 } else {
- libreswan_log("security context verification failed (perhaps policy_label is not confgured for this connection)");
+ libreswan_log("security context verification failed (perhaps policy-label is not confgured for this connection)");
 return FALSE;
 }
 /*
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 33c139c..a5097e0 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -1700,7 +1700,7 @@ int main(int argc, char **argv)
 init_fetch();
 #endif
 #ifdef HAVE_LABELED_IPSEC
- init_avc();
+ init_selinux();
 #endif
 daily_log_event();
 #ifdef USE_SYSTEMD_WATCHDOG
diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c
index ac5028e..865f7c8 100644
--- a/programs/pluto/security_selinux.c
+++ b/programs/pluto/security_selinux.c
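Review bot: The reworded message on the `+` line in ikev1_spdb_struct.c still misspells "configured" as "confgured"; since the commit is already editing this string, the typo could be fixed in the same edit so log greps match the documented spelling: `libreswan_log("security context verification failed (perhaps policy-label is not configured for this connection)");`. parse_secctx_attr begins and ends outside the hunk.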
@@ -13,72 +13,36 @@ * */ +#include <errno.h> + #include "security_selinux.h" #include "lswlog.h" -static int selinux_ready = 0; - -void init_avc(void) +void init_selinux(void) { - if (!is_selinux_enabled()) { - DBG_log("selinux support is NOT enabled."); - return; - } else { - DBG_log("selinux support is enabled."); - } - - if (avc_init("libreswan", NULL, NULL, NULL, NULL) == 0) - selinux_ready = 1; + if (!is_selinux_enabled()) + DBG_log("SELinux support is NOT enabled."); else - DBG_log("selinux: could not initialize avc."); + DBG_log("SELinux support is enabled in %s mode.", + security_getenforce() ? "ENFORCING" : "PERMISSIVE"); } -int within_range(security_context_t sl, security_context_t range) +int within_range(const char *sl, const char *range) { - int rtn = 1; - security_id_t slsid; - security_id_t rangesid; - struct av_decision avd; - security_class_t tclass; - access_vector_t av; - - if (!selinux_ready) { - /* mls may not be enabled */ - DBG_log("selinux check failed"); - return 0; - } - - /* - * * Get the sids for the sl and range contexts - */ - rtn = avc_context_to_sid(sl, &slsid); - if (rtn != 0) { - DBG_log("within_range: Unable to retrieve sid for sl context (%s)", - sl); - return 0; - } - rtn = avc_context_to_sid(range, &rangesid); - if (rtn != 0) { - DBG_log("within_range: Unable to retrieve sid for range context (%s)", - range); - sidput(slsid); - return 0; - } + int rtn; /* - ** Straight up test between sl and range + ** Check access permission for sl (connection policy label from SAD) + ** and range (connection flow label from SPD but initially the + ** conn policy-label= entry of the ipsec.conf(5) configuration file). 
**/ - tclass = string_to_security_class("association"); - av = string_to_av_perm(tclass, "polmatch"); - rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd); + rtn = selinux_check_access(sl, range, "association", "polmatch", NULL); if (rtn != 0) { - DBG_log("within_range: The sl (%s) is not within range of (%s)", sl, - range); - sidput(slsid); - sidput(rangesid); + DBG_log("within_range: sl (%s) - range (%s) error: %s\n", + sl, range, strerror(errno)); return 0; } - DBG_log("within_range: The sl (%s) is within range of (%s)", sl, + DBG_log("within_range: Permission granted sl (%s) - range (%s)", sl, range); return 1; } diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h index cccd60f..554b75e 100644 --- a/programs/pluto/security_selinux.h +++ b/programs/pluto/security_selinux.h @@ -16,10 +16,8 @@ #define _SECURITY_SELINUX_H #include <selinux/selinux.h> -#include <selinux/avc.h> -#include <selinux/context.h> -void init_avc(void); -int within_range(security_context_t sl, security_context_t range); +void init_selinux(void); +int within_range(const char *sl, const char *range); #endif /* _SECURITY_SELINUX_H */ -- 2.9.3 _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
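Review bot: within_range no longer fails closed when SELinux is unavailable: the removed `if (!selinux_ready) return 0;` guard is gone and init_selinux now only logs, so the outcome rests entirely on selinux_check_access(), which as far as I recall returns 0 (granted) when SELinux is disabled, turning what used to be a denial into "Permission granted". If fail-closed is still wanted, keep an explicit guard ahead of the call, e.g. `if (is_selinux_enabled() != 1) { DBG_log("within_range: SELinux not enabled, rejecting"); return 0; }`; if allowing is intended, say so in the block comment above the call so the next reader does not take it for an oversight. Separately, `strerror()` needs `<string.h>`, which the hunk does not add alongside `<errno.h>` unless lswlog.h pulls it in transitively, and the new error DBG_log ends with `\n` while the other DBG_log calls in this file do not. A policy denial (EACCES) is now also reported only as a generic "error" at debug level, so an operator investigating a failed label check sees "Permission denied" with no hint that policy, rather than a fault, refused it.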
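Review bot: The new within_range prototype in security_selinux.h carries no statement of its contract, yet the caller in ikev1_spdb_struct.c treats 0 as a verification failure and 1 as success, so a one-line comment on the declaration would help: `/* Returns 1 when sl is granted association:polmatch against range, 0 on denial or on any error. */`. The switch from security_context_t to const char * is source-compatible for existing callers, which is worth a word in the commit message.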
