On Thu, 21.08.14 12:58, WaLyong Cho (walyong....@samsung.com) wrote: > move selinux label APIs to selinux-label.ch > And label_{selinux/smack}_ prefixes are changed to mac_{selinux/smack}_ > respectively.
Doesn#t apply to current git. Would like to apply, but can't! Please rebase and resend! > --- > src/core/main.c | 4 +- > src/core/namespace.c | 4 +- > src/core/selinux-setup.c | 4 +- > src/core/socket.c | 24 +-- > src/hostname/hostnamed.c | 2 +- > src/locale/localed.c | 2 +- > src/login/logind-dbus.c | 2 +- > src/shared/dev-setup.c | 4 +- > src/shared/fileio-label.c | 12 +- > src/shared/label.c | 445 > +----------------------------------------- > src/shared/label.h | 26 +-- > src/shared/mkdir-label.c | 26 +++ > src/shared/mkdir.h | 2 +- > src/shared/selinux-util.c | 365 +++++++++++++++++++++++++++++++++- > src/shared/selinux-util.h | 14 ++ > src/shared/smack-util.c | 53 ++++- > src/shared/smack-util.h | 10 +- > src/shared/socket-label.c | 6 +- > src/sysusers/sysusers.c | 2 +- > src/test/test-udev.c | 4 +- > src/timedate/timedated.c | 2 +- > src/tmpfiles/tmpfiles.c | 32 +-- > src/udev/udev-node.c | 14 +- > src/udev/udevadm.c | 4 +- > src/udev/udevd.c | 4 +- > src/update-done/update-done.c | 6 +- > 26 files changed, 526 insertions(+), 547 deletions(-) > > diff --git a/src/core/main.c b/src/core/main.c > index 792b316..0c4a8a1 100644 > --- a/src/core/main.c > +++ b/src/core/main.c > @@ -1301,7 +1301,7 @@ int main(int argc, char *argv[]) { > dual_timestamp_get(&security_finish_timestamp); > } > > - if (label_init(NULL) < 0) > + if (mac_selinux_init(NULL) < 0) > goto finish; > > if (!skip_setup) { > @@ -1816,7 +1816,7 @@ finish: > set_free(arg_syscall_archs); > arg_syscall_archs = NULL; > > - label_finish(); > + mac_selinux_finish(); > > if (reexecute) { > const char **args; > diff --git a/src/core/namespace.c b/src/core/namespace.c > index fe95377..d17f41d 100644 > --- a/src/core/namespace.c > +++ b/src/core/namespace.c 
> @@ -224,9 +224,9 @@ static int mount_dev(BindMount *m) { > goto fail; > } > > - label_context_set(d, st.st_mode); > + mac_selinux_context_set(d, st.st_mode); > r = mknod(dn, st.st_mode, st.st_rdev); > - label_context_clear(); > + mac_selinux_context_clear(); > > if (r < 0) { > r = -errno; > diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c > index b419a27..8be97fc 100644 > --- a/src/core/selinux-setup.c > +++ b/src/core/selinux-setup.c > @@ -87,7 +87,7 @@ int selinux_setup(bool *loaded_policy) { > retest_selinux(); > > /* Transition to the new context */ > - r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, > &label); > + r = > mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); > if (r < 0 || label == NULL) { > log_open(); > log_error("Failed to compute init label, ignoring."); > @@ -98,7 +98,7 @@ int selinux_setup(bool *loaded_policy) { > if (r < 0) > log_error("Failed to transition into init > label '%s', ignoring.", label); > > - label_free(label); > + mac_selinux_free(label); > } > > after_load = now(CLOCK_MONOTONIC); > diff --git a/src/core/socket.c b/src/core/socket.c > index 1189f45..b52ec81 100644 > --- a/src/core/socket.c > +++ b/src/core/socket.c > @@ -918,12 +918,12 @@ static void socket_apply_socket_options(Socket *s, int > fd) { > } > > if (s->smack_ip_in) > - if (smack_label_ip_in_fd(fd, s->smack_ip_in) < 0) > - log_error_unit(UNIT(s)->id, "smack_label_ip_in_fd: > %m"); > + if (mac_smack_ip_in_fd(fd, s->smack_ip_in) < 0) > + log_error_unit(UNIT(s)->id, "mac_smack_ip_in_fd: > %m"); > > if (s->smack_ip_out) > - if (smack_label_ip_out_fd(fd, s->smack_ip_out) < 0) > - log_error_unit(UNIT(s)->id, "smack_label_ip_out_fd: > %m"); > + if (mac_smack_ip_out_fd(fd, s->smack_ip_out) < 0) > + log_error_unit(UNIT(s)->id, "mac_smack_ip_out_fd: > %m"); > } > > static void socket_apply_fifo_options(Socket *s, int fd) { 
> @@ -936,8 +936,8 @@ static void socket_apply_fifo_options(Socket *s, int fd) { > "F_SETPIPE_SZ: %m"); > > if (s->smack) > - if (smack_label_fd(fd, s->smack) < 0) > - log_error_unit(UNIT(s)->id, "smack_label_fd: %m"); > + if (mac_smack_fd(fd, s->smack) < 0) > + log_error_unit(UNIT(s)->id, "mac_smack_fd: %m"); > } > > static int fifo_address_create( > @@ -955,7 +955,7 @@ static int fifo_address_create( > > mkdir_parents_label(path, directory_mode); > > - r = label_context_set(path, S_IFIFO); > + r = mac_selinux_context_set(path, S_IFIFO); > if (r < 0) > goto fail; > > @@ -978,7 +978,7 @@ static int fifo_address_create( > goto fail; > } > > - label_context_clear(); > + mac_selinux_context_clear(); > > if (fstat(fd, &st) < 0) { > r = -errno; > @@ -998,7 +998,7 @@ static int fifo_address_create( > return 0; > > fail: > - label_context_clear(); > + mac_selinux_context_clear(); > safe_close(fd); > > return r; > @@ -1136,7 +1136,7 @@ static int socket_open_fds(Socket *s) { > > if (UNIT_ISSET(s->service) && > > SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) { > - r = > label_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, > &label); > + r = > mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, > &label); > if (r < 0 && r != -EPERM) > return r; > } > @@ -1197,12 +1197,12 @@ static int socket_open_fds(Socket *s) { > assert_not_reached("Unknown port type"); > } > > - label_free(label); > + mac_selinux_free(label); > return 0; > > rollback: > socket_close_fds(s); > - label_free(label); > + mac_selinux_free(label); > return r; > } > > diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c > index d31fef7..6febb85 100644 > --- a/src/hostname/hostnamed.c > +++ b/src/hostname/hostnamed.c 
> @@ -684,7 +684,7 @@ int main(int argc, char *argv[]) { > log_open(); > > umask(0022); > - label_init("/etc"); > + mac_selinux_init("/etc"); > > if (argc != 1) { > log_error("This program takes no arguments."); > diff --git a/src/locale/localed.c b/src/locale/localed.c > index 508a000..69c0afe 100644 > --- a/src/locale/localed.c > +++ b/src/locale/localed.c > @@ -1122,7 +1122,7 @@ int main(int argc, char *argv[]) { > log_open(); > > umask(0022); > - label_init("/etc"); > + mac_selinux_init("/etc"); > > if (argc != 1) { > log_error("This program takes no arguments."); > diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c > index acef511..9e90059 100644 > --- a/src/login/logind-dbus.c > +++ b/src/login/logind-dbus.c > @@ -1143,7 +1143,7 @@ static int attach_device(Manager *m, const char *seat, > const char *sysfs) { > return -ENOMEM; > > mkdir_p_label("/etc/udev/rules.d", 0755); > - label_init("/etc"); > + mac_selinux_init("/etc"); > r = write_string_file_atomic_label(file, rule); > if (r < 0) > return r; > diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c > index 1a565d5..96934a9 100644 > --- a/src/shared/dev-setup.c > +++ b/src/shared/dev-setup.c > @@ -38,14 +38,14 @@ static int symlink_and_label(const char *old_path, const > char *new_path) { > assert(old_path); > assert(new_path); > > - r = label_context_set(new_path, S_IFLNK); > + r = mac_selinux_context_set(new_path, S_IFLNK); > if (r < 0) > return r; > > if (symlink(old_path, new_path) < 0) > r = -errno; > > - label_context_clear(); > + mac_selinux_context_clear(); > > return r; > } > diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c > index c3def3c..943e2c6 100644 > --- a/src/shared/fileio-label.c > +++ b/src/shared/fileio-label.c 
> @@ -30,13 +30,13 @@ > int write_string_file_atomic_label(const char *fn, const char *line) { > int r; > > - r = label_context_set(fn, S_IFREG); > + r = mac_selinux_context_set(fn, S_IFREG); > if (r < 0) > return r; > > write_string_file_atomic(fn, line); > > - label_context_clear(); > + mac_selinux_context_clear(); > > return r; > } > @@ -44,13 +44,13 @@ int write_string_file_atomic_label(const char *fn, const > char *line) { > int write_env_file_label(const char *fname, char **l) { > int r; > > - r = label_context_set(fname, S_IFREG); > + r = mac_selinux_context_set(fname, S_IFREG); > if (r < 0) > return r; > > write_env_file(fname, l); > > - label_context_clear(); > + mac_selinux_context_clear(); > > return r; > } > @@ -59,13 +59,13 @@ int fopen_temporary_label(const char *target, > const char *path, FILE **f, char **temp_path) { > int r; > > - r = label_context_set(target, S_IFREG); > + r = mac_selinux_context_set(target, S_IFREG); > if (r < 0) > return r; > > r = fopen_temporary(path, f, temp_path); > > - label_context_clear(); > + mac_selinux_context_clear(); > > return r; > } > diff --git a/src/shared/label.c b/src/shared/label.c > index 25a8b36..b88e7c0 100644 > --- a/src/shared/label.c > +++ b/src/shared/label.c 
> @@ -19,462 +19,23 @@ > along with systemd; If not, see <http://www.gnu.org/licenses/>. > ***/ > > -#include <errno.h> > -#include <unistd.h> > -#include <malloc.h> > -#include <sys/socket.h> > -#include <sys/un.h> > -#include <sys/types.h> > -#include <sys/stat.h> > -#include <fcntl.h> > -#include <sys/xattr.h> > -#ifdef HAVE_SELINUX > -#include <selinux/selinux.h> > -#include <selinux/label.h> > -#endif > - > -#include "label.h" > -#include "strv.h" > #include "util.h" > -#include "path-util.h" > -#include "selinux-util.h" > -#include "smack-util.h" > - > -#ifdef HAVE_SELINUX > -static struct selabel_handle *label_hnd = NULL; > -#endif > - > -static int smack_relabel_in_dev(const char *path) { > - int r = 0; > - > -#ifdef HAVE_SMACK > - struct stat sb; > - const char *label; > - > - /* > - * Path must be in /dev and must exist > - */ > - if (!path_startswith(path, "/dev")) > - return 0; > - > - r = lstat(path, &sb); > - if (r < 0) > - return -errno; > - > - /* > - * Label directories and character devices "*". > - * Label symlinks "_". > - * Don't change anything else. 
> - */ > - if (S_ISDIR(sb.st_mode)) > - label = SMACK_STAR_LABEL; > - else if (S_ISLNK(sb.st_mode)) > - label = SMACK_FLOOR_LABEL; > - else if (S_ISCHR(sb.st_mode)) > - label = SMACK_STAR_LABEL; > - else > - return 0; > - > - r = setxattr(path, "security.SMACK64", label, strlen(label), 0); > - if (r < 0) { > - log_error("Smack relabeling \"%s\" %m", path); > - return -errno; > - } > -#endif > - > - return r; > -} > - > -int label_init(const char *prefix) { > - int r = 0; > - > -#ifdef HAVE_SELINUX > - usec_t before_timestamp, after_timestamp; > - struct mallinfo before_mallinfo, after_mallinfo; > - > - if (!use_selinux()) > - return 0; > - > - if (label_hnd) > - return 0; > - > - before_mallinfo = mallinfo(); > - before_timestamp = now(CLOCK_MONOTONIC); > - > - if (prefix) { > - struct selinux_opt options[] = { > - { .type = SELABEL_OPT_SUBSET, .value = prefix }, > - }; > - > - label_hnd = selabel_open(SELABEL_CTX_FILE, options, > ELEMENTSOF(options)); > - } else > - label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); > - > - if (!label_hnd) { > - log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, > - "Failed to initialize SELinux context: %m"); > - r = security_getenforce() == 1 ? -errno : 0; > - } else { > - char timespan[FORMAT_TIMESPAN_MAX]; > - int l; > - > - after_timestamp = now(CLOCK_MONOTONIC); > - after_mallinfo = mallinfo(); > - > - l = after_mallinfo.uordblks > before_mallinfo.uordblks ? 
> after_mallinfo.uordblks - before_mallinfo.uordblks : 0; > - > - log_debug("Successfully loaded SELinux database in %s, size > on heap is %iK.", > - format_timespan(timespan, sizeof(timespan), > after_timestamp - before_timestamp, 0), > - (l+1023)/1024); > - } > -#endif > - > - return r; > -} > - > -static int label_fix_selinux(const char *path, bool ignore_enoent, bool > ignore_erofs) { > - int r = 0; > - > -#ifdef HAVE_SELINUX > - struct stat st; > - security_context_t fcon; > - > - if (!label_hnd) > - return 0; > - > - r = lstat(path, &st); > - if (r == 0) { > - r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode); > - > - /* If there's no label to set, then exit without warning */ > - if (r < 0 && errno == ENOENT) > - return 0; > - > - if (r == 0) { > - r = lsetfilecon(path, fcon); > - freecon(fcon); > - > - /* If the FS doesn't support labels, then exit > without warning */ > - if (r < 0 && errno == ENOTSUP) > - return 0; > - } > - } > - > - if (r < 0) { > - /* Ignore ENOENT in some cases */ > - if (ignore_enoent && errno == ENOENT) > - return 0; > - > - if (ignore_erofs && errno == EROFS) > - return 0; > - > - log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, > - "Unable to fix label of %s: %m", path); > - r = security_getenforce() == 1 ? 
-errno : 0; > - } > -#endif > - > - return r; > -} > +#include "label.h" > > int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { > int r = 0; > > if (use_selinux()) { > - r = label_fix_selinux(path, ignore_enoent, ignore_erofs); > - if (r < 0) > - return r; > - } > - > - if (use_smack()) { > - r = smack_relabel_in_dev(path); > - if (r < 0) > - return r; > - } > - > - return r; > -} > - > -void label_finish(void) { > - > -#ifdef HAVE_SELINUX > - if (!use_selinux()) > - return; > - > - if (label_hnd) > - selabel_close(label_hnd); > -#endif > -} > - > -int label_get_create_label_from_exe(const char *exe, char **label) { > - > - int r = 0; > - > -#ifdef HAVE_SELINUX > - security_context_t mycon = NULL, fcon = NULL; > - security_class_t sclass; > - > - if (!use_selinux()) { > - *label = NULL; > - return 0; > - } > - > - r = getcon(&mycon); > - if (r < 0) > - goto fail; > - > - r = getfilecon(exe, &fcon); > - if (r < 0) > - goto fail; > - > - sclass = string_to_security_class("process"); > - r = security_compute_create(mycon, fcon, sclass, (security_context_t > *) label); > - if (r == 0) > - log_debug("SELinux Socket context for %s will be set to %s", > exe, *label); > - > -fail: > - if (r < 0 && security_getenforce() == 1) > - r = -errno; > - > - freecon(mycon); > - freecon(fcon); > -#endif > - > - return r; > -} > - > -int label_context_set(const char *path, mode_t mode) { > - int r = 0; > - > -#ifdef HAVE_SELINUX > - security_context_t filecon = NULL; > - > - if (!use_selinux() || !label_hnd) > - return 0; > - > - r = selabel_lookup_raw(label_hnd, &filecon, path, mode); > - if (r < 0 && errno != ENOENT) > - r = -errno; > - else if (r == 0) { > - r = setfscreatecon(filecon); > - if (r < 0) { > - log_error("Failed to set SELinux file context on %s: > %m", path); > - r = -errno; > - } > - > - freecon(filecon); > - } > - > - if (r < 0 && security_getenforce() == 0) > - r = 0; > -#endif > - > - return r; > -} > - > -int label_socket_set(const char 
*label) { > - > -#ifdef HAVE_SELINUX > - if (!use_selinux()) > - return 0; > - > - if (setsockcreatecon((security_context_t) label) < 0) { > - log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, > - "Failed to set SELinux context (%s) on socket: %m", > label); > - > - if (security_getenforce() == 1) > - return -errno; > - } > -#endif > - > - return 0; > -} > - > -void label_context_clear(void) { > - > -#ifdef HAVE_SELINUX > - PROTECT_ERRNO; > - > - if (!use_selinux()) > - return; > - > - setfscreatecon(NULL); > -#endif > -} > - > -void label_socket_clear(void) { > - > -#ifdef HAVE_SELINUX > - PROTECT_ERRNO; > - > - if (!use_selinux()) > - return; > - > - setsockcreatecon(NULL); > -#endif > -} > - > -void label_free(const char *label) { > - > -#ifdef HAVE_SELINUX > - if (!use_selinux()) > - return; > - > - freecon((security_context_t) label); > -#endif > -} > - > -static int label_mkdir_selinux(const char *path, mode_t mode) { > - int r = 0; > - > -#ifdef HAVE_SELINUX > - /* Creates a directory and labels it according to the SELinux policy > */ > - security_context_t fcon = NULL; > - > - if (!label_hnd) > - return 0; > - > - if (path_is_absolute(path)) > - r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR); > - else { > - _cleanup_free_ char *newpath; > - > - newpath = path_make_absolute_cwd(path); > - if (!newpath) > - return -ENOMEM; > - > - r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR); > - } > - > - if (r == 0) > - r = setfscreatecon(fcon); > - > - if (r < 0 && errno != ENOENT) { > - log_error("Failed to set security context %s for %s: %m", > fcon, path); > - > - if (security_getenforce() == 1) { > - r = -errno; > - goto finish; > - } > - } > - > - r = mkdir(path, mode); > - if (r < 0) > - r = -errno; > - > -finish: > - setfscreatecon(NULL); > - freecon(fcon); > -#endif > - > - return r; > -} > - > -int label_mkdir(const char *path, mode_t mode) { > - int r; > - > - if (use_selinux()) { > - r = label_mkdir_selinux(path, mode); > + r = 
mac_selinux_fix(path, ignore_enoent, ignore_erofs); > if (r < 0) > return r; > } > > if (use_smack()) { > - r = mkdir(path, mode); > - if (r < 0 && errno != EEXIST) > - return -errno; > - > - r = smack_relabel_in_dev(path); > + r = mac_smack_relabel_in_dev(path); > if (r < 0) > return r; > } > > - r = mkdir(path, mode); > - if (r < 0 && errno != EEXIST) > - return -errno; > - > - return 0; > -} > - > -int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { > - > - /* Binds a socket and label its file system object according to the > SELinux policy */ > - > -#ifdef HAVE_SELINUX > - security_context_t fcon = NULL; > - const struct sockaddr_un *un; > - char *path; > - int r; > - > - assert(fd >= 0); > - assert(addr); > - assert(addrlen >= sizeof(sa_family_t)); > - > - if (!use_selinux() || !label_hnd) > - goto skipped; > - > - /* Filter out non-local sockets */ > - if (addr->sa_family != AF_UNIX) > - goto skipped; > - > - /* Filter out anonymous sockets */ > - if (addrlen < sizeof(sa_family_t) + 1) > - goto skipped; > - > - /* Filter out abstract namespace sockets */ > - un = (const struct sockaddr_un*) addr; > - if (un->sun_path[0] == 0) > - goto skipped; > - > - path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, > sun_path)); > - > - if (path_is_absolute(path)) > - r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK); > - else { > - _cleanup_free_ char *newpath; > - > - newpath = path_make_absolute_cwd(path); > - if (!newpath) > - return -ENOMEM; > - > - r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK); > - } > - > - if (r == 0) > - r = setfscreatecon(fcon); > - > - if (r < 0 && errno != ENOENT) { > - log_error("Failed to set security context %s for %s: %m", > fcon, path); > - > - if (security_getenforce() == 1) { > - r = -errno; > - goto finish; > - } > - } > - > - r = bind(fd, addr, addrlen); > - if (r < 0) > - r = -errno; > - > -finish: > - setfscreatecon(NULL); > - freecon(fcon); > - > - return r; > - > -skipped: 
> -#endif > - return bind(fd, addr, addrlen) < 0 ? -errno : 0; > -} > - > -int label_apply(const char *path, const char *label) { > - int r = 0; > - > -#ifdef HAVE_SELINUX > - if (!use_selinux()) > - return 0; > - > - r = setfilecon(path, (char *)label); > -#endif > return r; > } > diff --git a/src/shared/label.h b/src/shared/label.h > index 7294820..cddcef0 100644 > --- a/src/shared/label.h > +++ b/src/shared/label.h > @@ -22,30 +22,10 @@ > ***/ > > #include <sys/types.h> > +#include <sys/stat.h> > #include <stdbool.h> > -#include <sys/socket.h> > > -int label_init(const char *prefix); > -void label_finish(void); > +#include "selinux-util.h" > +#include "smack-util.h" > > int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs); > - > -int label_socket_set(const char *label); > -void label_socket_clear(void); > - > -int label_context_set(const char *path, mode_t mode); > -void label_context_clear(void); > - > -void label_free(const char *label); > - > -int label_get_create_label_from_exe(const char *exe, char **label); > - > -int label_mkdir(const char *path, mode_t mode); > - > -int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen); > - > -int label_apply(const char *path, const char *label); > - > -int label_write_one_line_file_atomic(const char *fn, const char *line); > -int label_write_env_file(const char *fname, char **l); > -int label_fopen_temporary(const char *path, FILE **_f, char **_temp_path); > diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c > index 4ee6251..8ea9e01 100644 > --- a/src/shared/mkdir-label.c > +++ b/src/shared/mkdir-label.c 
> @@ -32,6 +32,32 @@ > #include "path-util.h" > #include "mkdir.h" > > +static int label_mkdir(const char *path, mode_t mode) { > + int r; > + > + if (use_selinux()) { > + r = mac_selinux_mkdir(path, mode); > + if (r < 0) > + return r; > + } > + > + if (use_smack()) { > + r = mkdir(path, mode); > + if (r < 0 && errno != EEXIST) > + return -errno; > + > + r = mac_smack_relabel_in_dev(path); > + if (r < 0) > + return r; > + } > + > + r = mkdir(path, mode); > + if (r < 0 && errno != EEXIST) > + return -errno; > + > + return 0; > +} > + > int mkdir_label(const char *path, mode_t mode) { > return label_mkdir(path, mode); > } > diff --git a/src/shared/mkdir.h b/src/shared/mkdir.h > index dd5b41e..0dc555e 100644 > --- a/src/shared/mkdir.h > +++ b/src/shared/mkdir.h > @@ -30,7 +30,7 @@ int mkdir_parents(const char *path, mode_t mode); > int mkdir_p(const char *path, mode_t mode); > int mkdir_p_prefix(const char *prefix, const char *path, mode_t mode); > > -/* selinux versions */ > +/* mandatory access control(MAC) versions */ > int mkdir_label(const char *path, mode_t mode); > int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid); > int mkdir_parents_label(const char *path, mode_t mode); > diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c > index 026ae5a..5b744ac 100644 > --- a/src/shared/selinux-util.c > +++ b/src/shared/selinux-util.c > @@ -19,6 +19,15 @@ > along with systemd; If not, see <http://www.gnu.org/licenses/>. > ***/ > > +#include <malloc.h> > +#include <sys/un.h> > +#ifdef HAVE_SELINUX > +#include <selinux/selinux.h> > +#include <selinux/label.h> > +#endif > + > +#include "util.h" > +#include "path-util.h" > #include "selinux-util.h" > > #ifdef HAVE_SELINUX 
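Review bot: In `label_mkdir()` the EEXIST tolerance is asymmetric: the two plain `mkdir()` calls in this function ignore `EEXIST`, but `mac_selinux_mkdir()` (added to selinux-util.c in this same patch) converts a failed `mkdir()` into `-errno` without exempting `EEXIST`, so on an SELinux system with a loaded label handle `mkdir_label()` on an existing directory returns -EEXIST while elsewhere it returns 0. If callers are meant to see the same result regardless of the MAC backend, the SELinux branch should read `if (r < 0 && r != -EEXIST) return r;`. The Smack branch also calls `mkdir()` itself and then falls through to the final `mkdir()`, so the second call can only ever fail with EEXIST; a short comment such as `/* mkdir() may already have run in the SELinux/Smack branches; EEXIST is expected here */` above the final call would make that intent explicit. Both behaviours are moved from label.c rather than introduced here.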
> @@ -26,26 +35,374 @@ > #include <selinux/selinux.h> > > static int use_selinux_cached = -1; > +static struct selabel_handle *label_hnd = NULL; > +#endif > > bool use_selinux(void) { > > +#ifdef HAVE_SELINUX > if (use_selinux_cached < 0) > use_selinux_cached = is_selinux_enabled() > 0; > > return use_selinux_cached; > +#else > + return false; > +#endif > } > > void retest_selinux(void) { > + > +#ifdef HAVE_SELINUX > use_selinux_cached = -1; > +#endif > } > > -#else > +int mac_selinux_init(const char *prefix) { > + int r = 0; > > -bool use_selinux(void) { > - return false; > +#ifdef HAVE_SELINUX > + usec_t before_timestamp, after_timestamp; > + struct mallinfo before_mallinfo, after_mallinfo; > + > + if (!use_selinux()) > + return 0; > + > + if (label_hnd) > + return 0; > + > + before_mallinfo = mallinfo(); > + before_timestamp = now(CLOCK_MONOTONIC); > + > + if (prefix) { > + struct selinux_opt options[] = { > + { .type = SELABEL_OPT_SUBSET, .value = prefix }, > + }; > + > + label_hnd = selabel_open(SELABEL_CTX_FILE, options, > ELEMENTSOF(options)); > + } else > + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); > + > + if (!label_hnd) { > + log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, > + "Failed to initialize SELinux context: %m"); > + r = security_getenforce() == 1 ? -errno : 0; > + } else { > + char timespan[FORMAT_TIMESPAN_MAX]; > + int l; > + > + after_timestamp = now(CLOCK_MONOTONIC); > + after_mallinfo = mallinfo(); > + > + l = after_mallinfo.uordblks > before_mallinfo.uordblks ? 
> after_mallinfo.uordblks - before_mallinfo.uordblks : 0; > + > + log_debug("Successfully loaded SELinux database in %s, size > on heap is %iK.", > + format_timespan(timespan, sizeof(timespan), > after_timestamp - before_timestamp, 0), > + (l+1023)/1024); > + } > +#endif > + > + return r; > } > > -void retest_selinux(void) { > +void mac_selinux_free(const char *label) { > + > +#ifdef HAVE_SELINUX > + if (!use_selinux()) > + return; > + > + freecon((security_context_t) label); > +#endif > +} > + > +void mac_selinux_finish(void) { > + > +#ifdef HAVE_SELINUX > + if (!use_selinux()) > + return; > + > + if (label_hnd) > + selabel_close(label_hnd); > +#endif > +} > + > +int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) > { > + int r = 0; > + > +#ifdef HAVE_SELINUX > + struct stat st; > + security_context_t fcon; > + > + if (!label_hnd) > + return 0; > + > + r = lstat(path, &st); > + if (r == 0) { > + r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode); > + > + /* If there's no label to set, then exit without warning */ > + if (r < 0 && errno == ENOENT) > + return 0; > + > + if (r == 0) { > + r = lsetfilecon(path, fcon); > + freecon(fcon); > + > + /* If the FS doesn't support labels, then exit > without warning */ > + if (r < 0 && errno == ENOTSUP) > + return 0; > + } > + } > + > + if (r < 0) { > + /* Ignore ENOENT in some cases */ > + if (ignore_enoent && errno == ENOENT) > + return 0; > + > + if (ignore_erofs && errno == EROFS) > + return 0; > + > + log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, > + "Unable to fix label of %s: %m", path); > + r = security_getenforce() == 1 ? 
-errno : 0; > + } > +#endif > + > + return r; > +} > + > +int mac_selinux_get_create_label_from_exe(const char *exe, char **label) { > + > + int r = 0; > + > +#ifdef HAVE_SELINUX > + security_context_t mycon = NULL, fcon = NULL; > + security_class_t sclass; > + > + if (!use_selinux()) { > + *label = NULL; > + return 0; > + } > + > + r = getcon(&mycon); > + if (r < 0) > + goto fail; > + > + r = getfilecon(exe, &fcon); > + if (r < 0) > + goto fail; > + > + sclass = string_to_security_class("process"); > + r = security_compute_create(mycon, fcon, sclass, (security_context_t > *) label); > + if (r == 0) > + log_debug("SELinux Socket context for %s will be set to %s", > exe, *label); > + > +fail: > + if (r < 0 && security_getenforce() == 1) > + r = -errno; > + > + freecon(mycon); > + freecon(fcon); > +#endif > + > + return r; > +} > + > +int mac_selinux_context_set(const char *path, mode_t mode) { > + int r = 0; > + > +#ifdef HAVE_SELINUX > + security_context_t filecon = NULL; > + > + if (!use_selinux() || !label_hnd) > + return 0; > + > + r = selabel_lookup_raw(label_hnd, &filecon, path, mode); > + if (r < 0 && errno != ENOENT) > + r = -errno; > + else if (r == 0) { > + r = setfscreatecon(filecon); > + if (r < 0) { > + log_error("Failed to set SELinux file context on %s: > %m", path); > + r = -errno; > + } > + > + freecon(filecon); > + } > + > + if (r < 0 && security_getenforce() == 0) > + r = 0; > +#endif > + > + return r; > +} > + > +void mac_selinux_context_clear(void) { > + > +#ifdef HAVE_SELINUX > + PROTECT_ERRNO; > + > + if (!use_selinux()) > + return; > + > + setfscreatecon(NULL); > +#endif > } > > +int mac_selinux_socket_set(const char *label) { > + > +#ifdef HAVE_SELINUX > + if (!use_selinux()) > + return 0; > + > + if (setsockcreatecon((security_context_t) label) < 0) { > + log_full(security_getenforce() == 1 ? 
LOG_ERR : LOG_DEBUG, > + "Failed to set SELinux context (%s) on socket: %m", > label); > + > + if (security_getenforce() == 1) > + return -errno; > + } > #endif > + > + return 0; > +} > + > +void mac_selinux_socket_clear(void) { > + > +#ifdef HAVE_SELINUX > + PROTECT_ERRNO; > + > + if (!use_selinux()) > + return; > + > + setsockcreatecon(NULL); > +#endif > +} > + > +int mac_selinux_mkdir(const char *path, mode_t mode) { > + int r = 0; > + > +#ifdef HAVE_SELINUX > + /* Creates a directory and labels it according to the SELinux policy > */ > + security_context_t fcon = NULL; > + > + if (!label_hnd) > + return 0; > + > + if (path_is_absolute(path)) > + r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR); > + else { > + _cleanup_free_ char *newpath; > + > + newpath = path_make_absolute_cwd(path); > + if (!newpath) > + return -ENOMEM; > + > + r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR); > + } > + > + if (r == 0) > + r = setfscreatecon(fcon); > + > + if (r < 0 && errno != ENOENT) { > + log_error("Failed to set security context %s for %s: %m", > fcon, path); > + > + if (security_getenforce() == 1) { > + r = -errno; > + goto finish; > + } > + } > + > + r = mkdir(path, mode); > + if (r < 0) > + r = -errno; > + > +finish: > + setfscreatecon(NULL); > + freecon(fcon); > +#endif > + > + return r; > +} > + > +int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) > { > + > + /* Binds a socket and label its file system object according to the > SELinux policy */ > + > +#ifdef HAVE_SELINUX > + security_context_t fcon = NULL; > + const struct sockaddr_un *un; > + char *path; > + int r; > + > + assert(fd >= 0); > + assert(addr); > + assert(addrlen >= sizeof(sa_family_t)); > + > + if (!use_selinux() || !label_hnd) > + goto skipped; > + > + /* Filter out non-local sockets */ > + if (addr->sa_family != AF_UNIX) > + goto skipped; > + > + /* Filter out anonymous sockets */ > + if (addrlen < sizeof(sa_family_t) + 1) > + goto skipped; > + > + /* 
Filter out abstract namespace sockets */ > + un = (const struct sockaddr_un*) addr; > + if (un->sun_path[0] == 0) > + goto skipped; > + > + path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, > sun_path)); > + > + if (path_is_absolute(path)) > + r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK); > + else { > + _cleanup_free_ char *newpath; > + > + newpath = path_make_absolute_cwd(path); > + if (!newpath) > + return -ENOMEM; > + > + r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK); > + } > + > + if (r == 0) > + r = setfscreatecon(fcon); > + > + if (r < 0 && errno != ENOENT) { > + log_error("Failed to set security context %s for %s: %m", > fcon, path); > + > + if (security_getenforce() == 1) { > + r = -errno; > + goto finish; > + } > + } > + > + r = bind(fd, addr, addrlen); > + if (r < 0) > + r = -errno; > + > +finish: > + setfscreatecon(NULL); > + freecon(fcon); > + > + return r; > + > +skipped: > +#endif > + return bind(fd, addr, addrlen) < 0 ? -errno : 0; > +} > + > +int mac_selinux_apply(const char *path, const char *label) { > + int r = 0; > + > +#ifdef HAVE_SELINUX > + if (!use_selinux()) > + return 0; > + > + r = setfilecon(path, (char *)label); > +#endif > + return r; > +} > diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h > index 4b81202..7c0e5c1 100644 > --- a/src/shared/selinux-util.h > +++ b/src/shared/selinux-util.h 
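Review bot: `mac_selinux_finish()` closes `label_hnd` with `selabel_close()` but never clears the pointer, so any later `mac_selinux_init()` takes the `if (label_hnd) return 0;` early exit and `mac_selinux_fix()`/`mac_selinux_context_set()`/`mac_selinux_mkdir()`/`mac_selinux_bind()` would then pass a closed handle to `selabel_lookup_raw()`; whether any caller actually re-initialises after a finish is not visible here, but the stale pointer is a latent use-after-free. Add `label_hnd = NULL;` directly after `selabel_close(label_hnd);`; the `if (!use_selinux()) return;` guard in the same function is then redundant, since a non-NULL handle already implies SELinux was enabled at init time. Separately, the `log_error("Failed to set security context %s for %s: %m", fcon, path)` lines in `mac_selinux_mkdir()` and `mac_selinux_bind()` can be reached with `fcon == NULL` when `selabel_lookup_raw()` fails for a reason other than ENOENT, which passes a null pointer to `%s`; `strna(fcon)` or a plain "Failed to look up security context for %s" message would avoid that. All of this code is moved verbatim from label.c, so the patch does not introduce these issues, but the move is the natural moment to fix them.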
> @@ -21,7 +21,21 @@ > along with systemd; If not, see <http://www.gnu.org/licenses/>. > ***/ > > +#include <sys/types.h> > #include <stdbool.h> > +#include <sys/socket.h> > > bool use_selinux(void); > void retest_selinux(void); > +int mac_selinux_init(const char *prefix); > +void mac_selinux_free(const char *label); > +void mac_selinux_finish(void); > +int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs); > +int mac_selinux_get_create_label_from_exe(const char *exe, char **label); > +int mac_selinux_context_set(const char *path, mode_t mode); > +void mac_selinux_context_clear(void); > +int mac_selinux_socket_set(const char *label); > +void mac_selinux_socket_clear(void); > +int mac_selinux_mkdir(const char *path, mode_t mode); > +int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen); > +int mac_selinux_apply(const char *path, const char *label); > diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c > index 8f83562..4697aa1 100644 > --- a/src/shared/smack-util.c > +++ b/src/shared/smack-util.c > @@ -21,10 +21,10 @@ > along with systemd; If not, see <http://www.gnu.org/licenses/>. > ***/ > > -#include <unistd.h> > -#include <string.h> > #include <sys/xattr.h> > > +#include "util.h" > +#include "path-util.h" > #include "smack-util.h" > > bool use_smack(void) { > @@ -41,7 +41,7 @@ bool use_smack(void) { > > } > > -int smack_label_path(const char *path, const char *label) { > +int mac_smack_path(const char *path, const char *label) { > #ifdef HAVE_SMACK > if (!use_smack()) > return 0; > @@ -55,7 +55,7 @@ int smack_label_path(const char *path, const char *label) { > #endif > } > > -int smack_label_fd(int fd, const char *label) { > +int mac_smack_fd(int fd, const char *label) { > #ifdef HAVE_SMACK > if (!use_smack()) > return 0; 
> @@ -66,7 +66,7 @@ int smack_label_fd(int fd, const char *label) { > #endif > } > > -int smack_label_ip_out_fd(int fd, const char *label) { > +int mac_smack_ip_out_fd(int fd, const char *label) { > #ifdef HAVE_SMACK > if (!use_smack()) > return 0; > @@ -77,7 +77,7 @@ int smack_label_ip_out_fd(int fd, const char *label) { > #endif > } > > -int smack_label_ip_in_fd(int fd, const char *label) { > +int mac_smack_ip_in_fd(int fd, const char *label) { > #ifdef HAVE_SMACK > if (!use_smack()) > return 0; > @@ -87,3 +87,44 @@ int smack_label_ip_in_fd(int fd, const char *label) { > return 0; > #endif > } > + > +int mac_smack_relabel_in_dev(const char *path) { > + int r = 0; > + > +#ifdef HAVE_SMACK > + struct stat sb; > + const char *label; > + > + /* > + * Path must be in /dev and must exist > + */ > + if (!path_startswith(path, "/dev")) > + return 0; > + > + r = lstat(path, &sb); > + if (r < 0) > + return -errno; > + > + /* > + * Label directories and character devices "*". > + * Label symlinks "_". > + * Don't change anything else. > + */ > + if (S_ISDIR(sb.st_mode)) > + label = SMACK_STAR_LABEL; > + else if (S_ISLNK(sb.st_mode)) > + label = SMACK_FLOOR_LABEL; > + else if (S_ISCHR(sb.st_mode)) > + label = SMACK_STAR_LABEL; > + else > + return 0; > + > + r = setxattr(path, "security.SMACK64", label, strlen(label), 0); > + if (r < 0) { > + log_error("Smack relabeling \"%s\" %m", path); > + return -errno; > + } > +#endif > + > + return r; > +} > diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h > index 7370ae3..2c04a65 100644 > --- a/src/shared/smack-util.h > +++ b/src/shared/smack-util.h 
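Review bot: In mac_smack_relabel_in_dev the object is classified with lstat(), but the label is then written with setxattr(), which follows symlinks; the S_ISLNK branch therefore applies SMACK_FLOOR_LABEL to whatever the link points at rather than to the link itself, and the lstat/setxattr pair becomes a check-then-act on two different objects. The no-follow variant keeps the write on the inode that was inspected: `r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);`. The function also relies on r still being 0 from lstat() when it reaches the final `return r;`; an explicit `return 0;` after the successful xattr write would state the contract instead of leaving it to control flow.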
> @@ -29,8 +29,8 @@ > #define SMACK_STAR_LABEL "*" > > bool use_smack(void); > - > -int smack_label_path(const char *path, const char *label); > -int smack_label_fd(int fd, const char *label); > -int smack_label_ip_in_fd(int fd, const char *label); > -int smack_label_ip_out_fd(int fd, const char *label); > +int mac_smack_path(const char *path, const char *label); > +int mac_smack_fd(int fd, const char *label); > +int mac_smack_ip_in_fd(int fd, const char *label); > +int mac_smack_ip_out_fd(int fd, const char *label); > +int mac_smack_relabel_in_dev(const char *path); > diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c > index 83ea1a9..a59f9a0 100644 > --- a/src/shared/socket-label.c > +++ b/src/shared/socket-label.c > @@ -64,7 +64,7 @@ int socket_address_listen( > return -EAFNOSUPPORT; > > if (label) { > - r = label_socket_set(label); > + r = mac_selinux_socket_set(label); > if (r < 0) > return r; > } > @@ -73,7 +73,7 @@ int socket_address_listen( > r = fd < 0 ? -errno : 0; > > if (label) > - label_socket_clear(); > + mac_selinux_socket_clear(); > > if (r < 0) > return r; > @@ -119,7 +119,7 @@ int socket_address_listen( > /* Include the original umask in our mask */ > umask(~socket_mode | old_mask); > > - r = label_bind(fd, &a->sockaddr.sa, a->size); > + r = mac_selinux_bind(fd, &a->sockaddr.sa, a->size); > > if (r < 0 && errno == EADDRINUSE) { > /* Unlink and try again */ > diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c > index b889ed0..0d784fe 100644 > --- a/src/sysusers/sysusers.c > +++ b/src/sysusers/sysusers.c > @@ -1835,7 +1835,7 @@ int main(int argc, char *argv[]) { > > umask(0022); > > - r = label_init(NULL); > + r = mac_selinux_init(NULL); > if (r < 0) { > log_error("SELinux setup failed: %s", strerror(-r)); > goto finish; > diff --git a/src/test/test-udev.c b/src/test/test-udev.c > index 566a73a..f064824 100644 > --- a/src/test/test-udev.c > +++ b/src/test/test-udev.c 
> @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) { > return EXIT_FAILURE; > > log_debug("version %s", VERSION); > - label_init("/dev"); > + mac_selinux_init("/dev"); > > sigprocmask(SIG_SETMASK, NULL, &sigmask_orig); > > @@ -158,7 +158,7 @@ int main(int argc, char *argv[]) { > out: > if (event != NULL && event->fd_signal >= 0) > close(event->fd_signal); > - label_finish(); > + mac_selinux_finish(); > > return err ? EXIT_FAILURE : EXIT_SUCCESS; > } > diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c > index fa3f947..8880812 100644 > --- a/src/timedate/timedated.c > +++ b/src/timedate/timedated.c > @@ -176,7 +176,7 @@ static int context_write_data_local_rtc(Context *c) { > } > } > > - label_init("/etc"); > + mac_selinux_init("/etc"); > return write_string_file_atomic_label("/etc/adjtime", w); > } > > diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c > index 3bab7ac..7574ba5 100644 > --- a/src/tmpfiles/tmpfiles.c > +++ b/src/tmpfiles/tmpfiles.c > @@ -509,9 +509,9 @@ static int write_one_file(Item *i, const char *path) { > i->type == TRUNCATE_FILE ? O_CREAT|O_TRUNC|O_NOFOLLOW : 0; > > RUN_WITH_UMASK(0000) { > - label_context_set(path, S_IFREG); > + mac_selinux_context_set(path, S_IFREG); > fd = open(path, flags|O_NDELAY|O_CLOEXEC|O_WRONLY|O_NOCTTY, > i->mode); > - label_context_clear(); > + mac_selinux_context_clear(); > } > > if (fd < 0) { > @@ -743,9 +743,9 @@ static int create_item(Item *i) { > case CREATE_FIFO: > > RUN_WITH_UMASK(0000) { > - label_context_set(i->path, S_IFIFO); > + mac_selinux_context_set(i->path, S_IFIFO); > r = mkfifo(i->path, i->mode); > - label_context_clear(); > + mac_selinux_context_clear(); > } > > if (r < 0) { 
> @@ -764,9 +764,9 @@ static int create_item(Item *i) { > if (i->force) { > > RUN_WITH_UMASK(0000) { > - label_context_set(i->path, > S_IFIFO); > + > mac_selinux_context_set(i->path, S_IFIFO); > r = mkfifo_atomic(i->path, > i->mode); > - label_context_clear(); > + mac_selinux_context_clear(); > } > > if (r < 0) { > @@ -788,9 +788,9 @@ static int create_item(Item *i) { > > case CREATE_SYMLINK: > > - label_context_set(i->path, S_IFLNK); > + mac_selinux_context_set(i->path, S_IFLNK); > r = symlink(i->argument, i->path); > - label_context_clear(); > + mac_selinux_context_clear(); > > if (r < 0) { > _cleanup_free_ char *x = NULL; > @@ -804,9 +804,9 @@ static int create_item(Item *i) { > if (r < 0 || !streq(i->argument, x)) { > > if (i->force) { > - label_context_set(i->path, S_IFLNK); > + mac_selinux_context_set(i->path, > S_IFLNK); > r = symlink_atomic(i->argument, > i->path); > - label_context_clear(); > + mac_selinux_context_clear(); > > if (r < 0) { > log_error("symlink(%s, %s) > failed: %s", i->argument, i->path, strerror(-r)); > @@ -838,9 +838,9 @@ static int create_item(Item *i) { > file_type = i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : > S_IFCHR; > > RUN_WITH_UMASK(0000) { > - label_context_set(i->path, file_type); > + mac_selinux_context_set(i->path, file_type); > r = mknod(i->path, i->mode | file_type, > i->major_minor); > - label_context_clear(); > + mac_selinux_context_clear(); > } > > if (r < 0) { > @@ -865,9 +865,9 @@ static int create_item(Item *i) { > if (i->force) { > > RUN_WITH_UMASK(0000) { > - label_context_set(i->path, > file_type); > + > mac_selinux_context_set(i->path, file_type); > r = mknod_atomic(i->path, > i->mode | file_type, i->major_minor); > - label_context_clear(); > + mac_selinux_context_clear(); > } > > if (r < 0) { 
> @@ -1606,7 +1606,7 @@ int main(int argc, char *argv[]) { > > umask(0022); > > - label_init(NULL); > + mac_selinux_init(NULL); > > items = hashmap_new(string_hash_func, string_compare_func); > globs = hashmap_new(string_hash_func, string_compare_func); > @@ -1666,7 +1666,7 @@ finish: > > set_free_free(unix_sockets); > > - label_finish(); > + mac_selinux_finish(); > > return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; > } > diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c > index d42af9a..6a9788b 100644 > --- a/src/udev/udev-node.c > +++ b/src/udev/udev-node.c > @@ -88,11 +88,11 @@ static int node_symlink(struct udev_device *dev, const > char *node, const char *s > err = mkdir_parents_label(slink, 0755); > if (err != 0 && err != -ENOENT) > break; > - label_context_set(slink, S_IFLNK); > + mac_selinux_context_set(slink, S_IFLNK); > err = symlink(target, slink); > if (err != 0) > err = -errno; > - label_context_clear(); > + mac_selinux_context_clear(); > } while (err == -ENOENT); > if (err == 0) > goto exit; > @@ -105,11 +105,11 @@ static int node_symlink(struct udev_device *dev, const > char *node, const char *s > err = mkdir_parents_label(slink_tmp, 0755); > if (err != 0 && err != -ENOENT) > break; > - label_context_set(slink_tmp, S_IFLNK); > + mac_selinux_context_set(slink_tmp, S_IFLNK); > err = symlink(target, slink_tmp); > if (err != 0) > err = -errno; > - label_context_clear(); > + mac_selinux_context_clear(); > } while (err == -ENOENT); > if (err != 0) { > log_error("symlink '%s' '%s' failed: %m", target, slink_tmp); 
> @@ -297,14 +297,14 @@ static int node_permissions_apply(struct udev_device > *dev, bool apply, > > if (streq(name, "selinux")) { > selinux = true; > - if (label_apply(devnode, label) < 0) > + if (mac_selinux_apply(devnode, label) < 0) > log_error("SECLABEL: failed to set > SELinux label '%s'", label); > else > log_debug("SECLABEL: set SELinux > label '%s'", label); > > } else if (streq(name, "smack")) { > smack = true; > - if (smack_label_path(devnode, label) < 0) > + if (mac_smack_path(devnode, label) < 0) > log_error("SECLABEL: failed to set > SMACK label '%s'", label); > else > log_debug("SECLABEL: set SMACK label > '%s'", label); > @@ -317,7 +317,7 @@ static int node_permissions_apply(struct udev_device > *dev, bool apply, > if (!selinux) > label_fix(devnode, true, false); > if (!smack) > - smack_label_path(devnode, NULL); > + mac_smack_path(devnode, NULL); > } > > /* always update timestamp when we re-use the node, like on media > change events */ > diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c > index 2c11550..b2d1c62 100644 > --- a/src/udev/udevadm.c > +++ b/src/udev/udevadm.c > @@ -99,7 +99,7 @@ int main(int argc, char *argv[]) { > log_parse_environment(); > log_open(); > udev_set_log_fn(udev, udev_main_log); > - label_init("/dev"); > + mac_selinux_init("/dev"); > > while ((c = getopt_long(argc, argv, "+dhV", options, NULL)) >= 0) > switch (c) { > @@ -137,7 +137,7 @@ int main(int argc, char *argv[]) { > fprintf(stderr, "%s: missing or unknown command", > program_invocation_short_name); > rc = 2; > out: > - label_finish(); > + mac_selinux_finish(); > udev_unref(udev); > log_close(); > return rc; > diff --git a/src/udev/udevd.c b/src/udev/udevd.c > index f882cfb..775ea68 100644 > --- a/src/udev/udevd.c > +++ b/src/udev/udevd.c 
> @@ -1032,7 +1032,7 @@ int main(int argc, char *argv[]) { > log_set_max_level(udev_get_log_priority(udev)); > > log_debug("version %s", VERSION); > - label_init("/dev"); > + mac_selinux_init("/dev"); > > for (;;) { > int option; > @@ -1514,7 +1514,7 @@ exit_daemonize: > udev_monitor_unref(monitor); > udev_ctrl_connection_unref(ctrl_conn); > udev_ctrl_unref(udev_ctrl); > - label_finish(); > + mac_selinux_finish(); > udev_unref(udev); > log_close(); > return rc; > diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c > index db106b5..d48e4f7 100644 > --- a/src/update-done/update-done.c > +++ b/src/update-done/update-done.c > @@ -61,7 +61,7 @@ static int apply_timestamp(const char *path, struct > timespec *ts) { > > /* The timestamp file doesn't exist yet? Then let's create > it. */ > > - r = label_context_set(path, S_IFREG); > + r = mac_selinux_context_set(path, S_IFREG); > if (r < 0) { > log_error("Failed to set SELinux context for %s: %s", > path, strerror(-r)); > @@ -69,7 +69,7 @@ static int apply_timestamp(const char *path, struct > timespec *ts) { > } > > fd = open(path, > O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644); > - label_context_clear(); > + mac_selinux_context_clear(); > > if (fd < 0) { > > @@ -112,7 +112,7 @@ int main(int argc, char *argv[]) { > return EXIT_FAILURE; > } > > - r = label_init(NULL); > + r = mac_selinux_init(NULL); > if (r < 0) { > log_error("SELinux setup failed: %s", strerror(-r)); > goto finish; Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel