-rw-r--r--src/machine/machined.c1
-rw-r--r--src/shared/dev-setup.c22
-rw-r--r--src/shared/label.c41
-rw-r--r--src/shared/label.h3
-rw-r--r--src/shared/mkdir-label.c31
-rw-r--r--src/shared/mkdir.h1
-rw-r--r--src/shared/selinux-util.c63
-rw-r--r--src/shared/selinux-util.h1
8 files changed, 62 insertions, 101 deletions
diff --git a/src/machine/machined.c b/src/machine/machined.c
index 71c8189d5f..966475b242 100644
--- a/src/machine/machined.c
+++ b/src/machine/machined.c
@@ -35,6 +35,7 @@
#include "bus-util.h"
#include "bus-error.h"
#include "machined.h"
+#include "label.h"
Manager *manager_new(void) {
Manager *m;
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index ae1c3d9d4e..e8b0810d23 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -32,24 +32,6 @@
#include "util.h"
#include "label.h"
-static int symlink_and_label(const char *old_path, const char *new_path) {
- int r;
-
- assert(old_path);
- assert(new_path);
-
- r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
- if (r < 0)
- return r;
-
- if (symlink(old_path, new_path) < 0)
- r = -errno;
-
- mac_selinux_create_file_clear();
-
- return r;
-}
-
int dev_setup(const char *prefix) {
const char *j, *k;
@@ -75,9 +57,9 @@ int dev_setup(const char *prefix) {
if (!link_name)
return -ENOMEM;
- symlink_and_label(j, link_name);
+ symlink_label(j, link_name);
} else
- symlink_and_label(j, k);
+ symlink_label(j, k);
}
return 0;
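Review bot: The return value of symlink_label() is discarded at both call sites, so a refused SELinux label (mac_selinux_create_file_prepare() failing in enforcing mode) or a symlink() error other than an already-existing entry is never surfaced, and dev_setup() still reports 0. That was already the case with the removed symlink_and_label(), but since the helper now also carries the SMACK fixup it is worth at least recording the failure: `r = symlink_label(j, k);` followed by a debug-level log when `r < 0 && r != -EEXIST`, assuming pre-existing entries are expected here (confirm against the callers). dev_setup() starts in the previous hunk and its loop header is outside this one.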
diff --git a/src/shared/label.c b/src/shared/label.c
index 38992be153..0af41afa77 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -35,3 +35,44 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
return 0;
}
+
+int mkdir_label(const char *path, mode_t mode) {
+ int r;
+
+ assert(path);
+
+ r = mac_selinux_create_file_prepare(path, S_IFDIR);
+ if (r < 0)
+ return r;
+
+ if (mkdir(path, mode) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(path, false, false);
+}
+
+int symlink_label(const char *old_path, const char *new_path) {
+ int r;
+
+ assert(old_path);
+ assert(new_path);
+
+ r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
+ if (r < 0)
+ return r;
+
+ if (symlink(old_path, new_path) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(new_path, false, false);
+}
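Review bot: Both new functions now call mac_smack_fix() unconditionally, whereas the label_mkdir() removed from mkdir-label.c only did so when mac_smack_use() was true; this is only equivalent if mac_smack_fix() is itself a no-op without SMACK, which is not visible here and should be confirmed. For symlink_label() it is also worth checking that mac_smack_fix() sets the attribute on the link itself rather than following it, since new_path is the symlink; otherwise the SMACK label lands on the target. Neither function is documented; a one-line header such as `/* Creates the directory (or symlink) and labels it according to the SELinux and SMACK policies; returns 0 or a negative errno. */` would match the style of the removed mac_selinux_mkdir().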
diff --git a/src/shared/label.h b/src/shared/label.h
index 1859f843dc..3428a8bb7a 100644
--- a/src/shared/label.h
+++ b/src/shared/label.h
@@ -25,3 +25,6 @@
#include "smack-util.h"
int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
+
+int mkdir_label(const char *path, mode_t mode);
+int symlink_label(const char *old_path, const char *new_path);
diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
index 8b35386706..ee11ac06ff 100644
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@@ -32,39 +32,14 @@
#include "path-util.h"
#include "mkdir.h"
-static int label_mkdir(const char *path, mode_t mode) {
- int r;
-
- if (mac_selinux_use())
- return mac_selinux_mkdir(path, mode);
-
- if (mac_smack_use()) {
- r = mkdir(path, mode);
- if (r < 0)
- return -errno;
-
- return mac_smack_fix(path, false, false);
- }
-
- r = mkdir(path, mode);
- if (r < 0)
- return -errno;
-
- return 0;
-}
-
-int mkdir_label(const char *path, mode_t mode) {
- return label_mkdir(path, mode);
-}
-
int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid) {
- return mkdir_safe_internal(path, mode, uid, gid, label_mkdir);
+ return mkdir_safe_internal(path, mode, uid, gid, mkdir_label);
}
int mkdir_parents_label(const char *path, mode_t mode) {
- return mkdir_parents_internal(NULL, path, mode, label_mkdir);
+ return mkdir_parents_internal(NULL, path, mode, mkdir_label);
}
int mkdir_p_label(const char *path, mode_t mode) {
- return mkdir_p_internal(NULL, path, mode, label_mkdir);
+ return mkdir_p_internal(NULL, path, mode, mkdir_label);
}
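Review bot: The three wrappers now reference mkdir_label(), whose prototype this commit moves from mkdir.h to label.h, but the only includes visible in the hunk are path-util.h and mkdir.h; unless label.h is already included above the hunk this file compiles against an implicit declaration. The same applies to any other translation unit that reached mkdir_label() through mkdir.h — machined.c is patched for this, others cannot be checked from here. Adding `#include "label.h"` next to the mkdir.h include (if absent) would settle it.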
diff --git a/src/shared/mkdir.h b/src/shared/mkdir.h
index 1586214a1e..d2794ead90 100644
--- a/src/shared/mkdir.h
+++ b/src/shared/mkdir.h
@@ -30,7 +30,6 @@ int mkdir_parents(const char *path, mode_t mode);
int mkdir_p(const char *path, mode_t mode);
/* mandatory access control(MAC) versions */
-int mkdir_label(const char *path, mode_t mode);
int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid);
int mkdir_parents_label(const char *path, mode_t mode);
int mkdir_p_label(const char *path, mode_t mode);
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 0d8c6c2f1c..4332c916fa 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -319,7 +319,18 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
if (!label_hnd)
return 0;
- r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ if (path_is_absolute(path))
+ r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ else {
+ _cleanup_free_ char *newpath;
+
+ newpath = path_make_absolute_cwd(path);
+ if (!newpath)
+ return -ENOMEM;
+
+ r = selabel_lookup_raw(label_hnd, &filecon, newpath, S_IFDIR);
+ }
+
if (r < 0 && errno != ENOENT)
r = -errno;
else if (r == 0) {
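Review bot: The relative-path branch looks up the context with `S_IFDIR` while the absolute-path branch two lines above uses the caller's `mode`, so a relative path prepared for a symlink or regular file — symlink_label() with a relative new_path, for example — is matched against the policy's directory rules and gets the wrong label. The constant appears to have been carried over from the removed mac_selinux_mkdir(), which only ever created directories; in this generic prepare function it should read `r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);`. mac_selinux_create_file_prepare()'s body begins and ends outside the hunk.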
@@ -380,56 +391,6 @@ void mac_selinux_create_socket_clear(void) {
#endif
}
-int mac_selinux_mkdir(const char *path, mode_t mode) {
-
- /* Creates a directory and labels it according to the SELinux policy */
-
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t fcon = NULL;
- int r;
-
- assert(path);
-
- if (!label_hnd)
- goto skipped;
-
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
- else {
- _cleanup_free_ char *newpath;
-
- newpath = path_make_absolute_cwd(path);
- if (!newpath)
- return -ENOMEM;
-
- r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
- }
-
- if (r == 0)
- r = setfscreatecon(fcon);
-
- if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
-
- if (security_getenforce() == 1) {
- r = -errno;
- goto finish;
- }
- }
-
- r = mkdir(path, mode);
- if (r < 0)
- r = -errno;
-
-finish:
- setfscreatecon(NULL);
- return r;
-
-skipped:
-#endif
- return mkdir(path, mode) < 0 ? -errno : 0;
-}
-
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index bce9fd5d46..7ff8c607b4 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -45,5 +45,4 @@ void mac_selinux_create_file_clear(void);
int mac_selinux_create_socket_prepare(const char *label);
void mac_selinux_create_socket_clear(void);
-int mac_selinux_mkdir(const char *path, mode_t mode);
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);