summaryrefslogtreecommitdiff
path: root/src/shared/selinux-util.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/shared/selinux-util.c')
-rw-r--r--src/shared/selinux-util.c63
1 files changed, 12 insertions, 51 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 0d8c6c2f1c..4332c916fa 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -319,7 +319,18 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
if (!label_hnd)
return 0;
- r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ if (path_is_absolute(path))
+ r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ else {
+ _cleanup_free_ char *newpath;
+
+ newpath = path_make_absolute_cwd(path);
+ if (!newpath)
+ return -ENOMEM;
+
+ r = selabel_lookup_raw(label_hnd, &filecon, newpath, S_IFDIR);
+ }
+
if (r < 0 && errno != ENOENT)
r = -errno;
else if (r == 0) {
@@ -380,56 +391,6 @@ void mac_selinux_create_socket_clear(void) {
#endif
}
-int mac_selinux_mkdir(const char *path, mode_t mode) {
-
- /* Creates a directory and labels it according to the SELinux policy */
-
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t fcon = NULL;
- int r;
-
- assert(path);
-
- if (!label_hnd)
- goto skipped;
-
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
- else {
- _cleanup_free_ char *newpath;
-
- newpath = path_make_absolute_cwd(path);
- if (!newpath)
- return -ENOMEM;
-
- r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
- }
-
- if (r == 0)
- r = setfscreatecon(fcon);
-
- if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
-
- if (security_getenforce() == 1) {
- r = -errno;
- goto finish;
- }
- }
-
- r = mkdir(path, mode);
- if (r < 0)
- r = -errno;
-
-finish:
- setfscreatecon(NULL);
- return r;
-
-skipped:
-#endif
- return mkdir(path, mode) < 0 ? -errno : 0;
-}
-
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */