From de33fcf4dae81535504de91930f2913b264ee2fd Mon Sep 17 00:00:00 2001
From: Robert "arachnist" Gerus <ar@bash.org.pl>
Date: Sat, 24 Jul 2010 01:02:25 +0200
Subject: [PATCH] Make selinux support optional

---
 configure.ac      |   21 ++++++++++++++++-----
 src/socket-util.c |   10 +++++++++-
 src/socket-util.h |    7 ++++++-
 src/socket.c      |   31 ++++++++++++++++++++++++++++++-
 4 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/configure.ac b/configure.ac
index 14622e4..e17f129 100644
--- a/configure.ac
+++ b/configure.ac
@@ -105,15 +105,26 @@ PKG_CHECK_MODULES(DBUS, [ dbus-1 >= 1.3.2 ])
 AC_SUBST(DBUS_CFLAGS)
 AC_SUBST(DBUS_LIBS)

-PKG_CHECK_MODULES(SELINUX, [ libselinux ])
-AC_SUBST(SELINUX_CFLAGS)
-AC_SUBST(SELINUX_LIBS)
-AC_SEARCH_LIBS([is_selinux_enabled], [selinux], [], [AC_MSG_ERROR([*** libselinux library not found])])
-
 PKG_CHECK_MODULES(DBUSGLIB, [ dbus-glib-1 ])
 AC_SUBST(DBUSGLIB_CFLAGS)
 AC_SUBST(DBUSGLIB_LIBS)
 
+have_selinux=no
+AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [disable SELINUX support]))
+if test "x$enable_selinux" != "xno"; then
+	# not using PKG_CHECK_MODULES as for some reason libselinux didn't
+	# install any pkg-config modules here
+	AC_SEARCH_LIBS([getcon], [selinux],
+                [AC_DEFINE(HAVE_SELINUX, 1, [Define if SELINUX is available]) have_selinux=yes],
+		have_selinux=no)
+        AC_SUBST(SELINUX_CFLAGS)
+        AC_SUBST(SELINUX_LIBS)
+        if test "x$have_selinux" = xno -a "x$enable_selinux" = xyes; then
+             AC_MSG_ERROR([*** selinux support requested but libraries not found])
+        fi
+fi
+AM_CONDITIONAL(HAVE_SELINUX, [test "$have_selinux" = "yes"])
+
 AC_ARG_ENABLE([tcpwrap],
         AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
                 [case "${enableval}" in
diff --git a/src/socket-util.c b/src/socket-util.c
index 3a00fcf..13128f0 100644
--- a/src/socket-util.c
+++ b/src/socket-util.c
@@ -29,7 +29,9 @@
 #include <net/if.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <selinux/selinux.h>
+#ifdef HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
 
 #include "macro.h"
 #include "util.h"
@@ -306,7 +308,9 @@ int socket_address_listen(
                 bool free_bind,
                 mode_t directory_mode,
                 mode_t socket_mode,
+#ifdef HAVE_SELINUX
                 security_context_t scon,
+#endif
                 int *ret) {
 
         int r, fd, one;
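Review bot: Wrapping the `scon` parameter in `#ifdef HAVE_SELINUX` makes socket_address_listen's signature depend on the build configuration, so every caller has to repeat the same `#ifdef` around its argument — the socket-util.h prototype and both call sites in socket_open_fds (and fifo_address_create in socket.c) do exactly that, and a caller that forgets will compile against one configuration and break in the other. A steadier interface keeps the parameter unconditional, `const char *scon,`, and lets the non-SELinux build simply ignore it, confining the conditional compilation to the function bodies; libselinux's `security_context_t` is a `char *`, so existing callers need no change. The body of socket_address_listen continues outside this hunk.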
@@ -316,16 +320,20 @@ int socket_address_listen(
         if ((r = socket_address_verify(a)) < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
         if (setsockcreatecon(scon) < 0) {
                 log_error("Failed to set SELinux context (%s) on socket: %m", scon);
                 if (security_getenforce() == 1)
                         return -errno;
         }
+#endif
 
         fd = socket(socket_address_family(a), a->type | SOCK_NONBLOCK | SOCK_CLOEXEC, 0);
         r = fd < 0 ? -errno : 0;
 
+#ifdef HAVE_SELINUX
         setsockcreatecon(NULL);
+#endif
 
         if (r < 0)
                 return r;
diff --git a/src/socket-util.h b/src/socket-util.h
index 841570f..4855dd1 100644
--- a/src/socket-util.h
+++ b/src/socket-util.h
@@ -26,7 +26,10 @@
 #include <netinet/in.h>
 #include <sys/un.h>
 #include <net/if.h>
-#include <selinux/selinux.h>
+
+#ifdef HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
 
 #include "macro.h"
 #include "util.h"
@@ -72,7 +75,9 @@ int socket_address_listen(
                 bool free_bind,
                 mode_t directory_mode,
                 mode_t socket_mode,
+#ifdef HAVE_SELINUX
                 security_context_t scon,
+#endif
                 int *ret);
 
 bool socket_address_is(const SocketAddress *a, const char *s, int type);
diff --git a/src/socket.c b/src/socket.c
index 82a9348..8d06c2f 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -27,7 +27,10 @@
 #include <sys/epoll.h>
 #include <signal.h>
 #include <arpa/inet.h>
-#include <selinux/selinux.h>
+
+#ifdef HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
 
 #include "unit.h"
 #include "socket.h"
@@ -643,6 +646,7 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
                         log_warning("F_SETPIPE_SZ: %m");
 }
 
+#ifdef HAVE_SELINUX
 static int selinux_getconfromexe(
                 const char *exe,
                 security_context_t *newcon) {
@@ -670,7 +674,9 @@ fail:
         freecon(fcon);
         return r;
 }
+#endif
 
+#ifdef HAVE_SELINUX
 static int selinux_getfileconfrompath(
                 const security_context_t scon,
                 const char *path,
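Review bot: The `#endif` closing selinux_getconfromexe is reopened by a second `#ifdef HAVE_SELINUX` for selinux_getfileconfrompath with only a blank line between them; one guard spanning both helpers is simpler and harder to get out of sync. Remove the `#endif` after the first function and the `#ifdef HAVE_SELINUX` before the second, keeping only the `#endif` that follows selinux_getfileconfrompath. Both functions extend outside this hunk.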
@@ -693,24 +699,30 @@ static int selinux_getfileconfrompath(
         freecon(dir_con);
         return r;
 }
+#endif
 
 static int fifo_address_create(
                 const char *path,
                 mode_t directory_mode,
                 mode_t socket_mode,
+#ifdef HAVE_SELINUX
                 security_context_t scon,
+#endif
                 int *_fd) {
 
         int fd = -1, r = 0;
         struct stat st;
         mode_t old_mask;
+#ifdef HAVE_SELINUX
         security_context_t filecon = NULL;
+#endif
 
         assert(path);
         assert(_fd);
 
         mkdir_parents(path, directory_mode);
 
+#ifdef HAVE_SELINUX
         if (scon) {
                 if (scon && ((r = selinux_getfileconfrompath(scon, path, "fifo_file", &filecon)) == 0)) {
                         r = setfscreatecon(filecon);
@@ -726,6 +738,7 @@ static int fifo_address_create(
                 if (r < 0  && security_getenforce() == 1)
                         goto fail;
         }
+#endif
 
         /* Enforce the right access mode for the fifo */
         old_mask = umask(~ socket_mode);
@@ -746,7 +759,9 @@ static int fifo_address_create(
                 goto fail;
         }
 
+#ifdef HAVE_SELINUX
         setfscreatecon(NULL);
+#endif
 
         if (fstat(fd, &st) < 0) {
                 r = -errno;
@@ -766,7 +781,9 @@ static int fifo_address_create(
         return 0;
 
 fail:
+#ifdef HAVE_SELINUX
         setfscreatecon(NULL);
+#endif
         if (fd >= 0)
                 close_nointr_nofail(fd);
 
@@ -776,13 +793,16 @@ fail:
 static int socket_open_fds(Socket *s) {
         SocketPort *p;
         int r;
+#ifdef HAVE_SELINUX
         security_context_t scon = NULL;
+#endif
 
         assert(s);
 
         if ((r = socket_instantiate_service(s)) < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
         if (selinux_getconfromexe(s->service->exec_command[SERVICE_EXEC_START]->path, &scon) < 0) {
                 log_error("Failed to get SELinux exec context for %s \n", s->service->exec_command[SERVICE_EXEC_START]->path);
                 if (security_getenforce() == 1)
@@ -790,6 +810,7 @@ static int socket_open_fds(Socket *s) {
         }
 
         log_debug("SELinux Socket context for %s set to %s\n", s->service->exec_command[SERVICE_EXEC_START]->path, scon);
+#endif
         LIST_FOREACH(port, p, s->ports) {
 
                 if (p->fd >= 0)
@@ -805,7 +826,9 @@ static int socket_open_fds(Socket *s) {
                                              s->free_bind,
                                              s->directory_mode,
                                              s->socket_mode,
+#ifdef HAVE_SELINUX
                                              scon,
+#endif
                                              &p->fd)) < 0)
                                 goto rollback;
 
@@ -817,7 +840,9 @@ static int socket_open_fds(Socket *s) {
                                              p->path,
                                              s->directory_mode,
                                              s->socket_mode,
+#ifdef HAVE_SELINUX
                                              scon,
+#endif
                                              &p->fd)) < 0)
                                 goto rollback;
 
@@ -827,12 +852,16 @@ static int socket_open_fds(Socket *s) {
                         assert_not_reached("Unknown port type");
         }
 
+#ifdef HAVE_SELINUX
         freecon(scon);
+#endif
         return 0;
 
 rollback:
         socket_close_fds(s);
+#ifdef HAVE_SELINUX
         freecon(scon);
+#endif
         return r;
 }
 
-- 
1.7.2

