summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/shared/smack-util.c67
-rw-r--r--src/udev/udev-node.c10
2 files changed, 60 insertions, 17 deletions
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index e06feb42c3..34f9c68733 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -38,54 +38,86 @@ bool mac_smack_use(void) {
#else
return false;
#endif
-
}
int mac_smack_apply(const char *path, const char *label) {
+ int r = 0;
+
+ assert(path);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
- return setxattr(path, "security.SMACK64", label, strlen(label), 0);
+ r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
else
- return lremovexattr(path, "security.SMACK64");
-#else
- return 0;
+ r = lremovexattr(path, "security.SMACK64");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_ip_out_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64IPOUT");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_ip_in_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64IPIN");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_fix(const char *path) {
@@ -94,6 +126,13 @@ int mac_smack_fix(const char *path) {
#ifdef HAVE_SMACK
struct stat sb;
const char *label;
+#endif
+
+ assert(path);
+
+#ifdef HAVE_SMACK
+ if (!mac_smack_use())
+ return 0;
/*
* Path must be in /dev and must exist
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 803d803279..8d5bada5a4 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -294,21 +294,25 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
/* apply SECLABEL{$module}=$label */
udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
const char *name, *label;
+ int r;
name = udev_list_entry_get_name(entry);
label = udev_list_entry_get_value(entry);
if (streq(name, "selinux")) {
selinux = true;
+
if (mac_selinux_apply(devnode, label) < 0)
- log_error("SECLABEL: failed to set SELinux label '%s'", label);
+ log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r));
else
log_debug("SECLABEL: set SELinux label '%s'", label);
} else if (streq(name, "smack")) {
smack = true;
- if (mac_smack_apply(devnode, label) < 0)
- log_error("SECLABEL: failed to set SMACK label '%s'", label);
+
+ r = mac_smack_apply(devnode, label);
+ if (r < 0)
+ log_error("SECLABEL: failed to set SMACK label '%s': %s", label, strerror(-r));
else
log_debug("SECLABEL: set SMACK label '%s'", label);