summaryrefslogtreecommitdiff
path: root/src/shared/selinux-util.c
AgeCommit message (Collapse)Author
2015-03-13selinux: fix SEGV during switch-root if SELinux policy loadedWill Woods
If you've got SELinux policy loaded, label_hnd is your labeling handle. When systemd is shutting down, we free that handle via mac_selinux_finish(). But: switch_root() calls mkdir_p_label(), which tries to look up a label using that freed handle, and so we get a bunch of garbage and eventually SEGV in libselinux. (This doesn't happen in the switch-root from initramfs to real root because there's no SELinux policy loaded in initramfs, so label_hnd is NULL and we never attempt any lookups.) So: make sure that mac_selinux_finish() actually sets label_hnd to NULL, so nobody tries to use it after it becomes invalid. https://bugzilla.redhat.com/show_bug.cgi?id=1185604
2015-03-13tree-wide: there is no ENOTSUP on linuxDavid Herrmann
Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.
2015-02-23remove unused includesThomas Hindoe Paaboel Andersen
This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
2014-12-04selinux: figure out selinux context applied on exec() before closing all fdsMichal Sekletar
We need original socket_fd around otherwise mac_selinux_get_child_mls_label fails with -EINVAL return code. Also don't call setexeccon twice but rather pass context value of SELinuxContext option as an extra argument.
2014-11-06shared: create files even if the SELinux policy has no context for themMichal Schmidt
The SELinux policy defines no context for some files. E.g.: $ matchpathcon /run/lock/subsys /dev/mqueue /run/lock/subsys <<none>> /dev/mqueue <<none>> We still need to be able to create them. In this case selabel_lookup_raw() returns ENOENT. We should then skip setfscreatecon(), but still return success. It was broken since c34255bdb2 ("label: unify code to make directories, symlinks").
2014-10-24selinux: fix handling of relative paths when setting up create labelLennart Poettering
2014-10-23label: unify code to make directories, symlinksLennart Poettering
2014-10-23selinux: clean up selinux label function namingLennart Poettering
2014-10-23selinux: simplify and unify loggingLennart Poettering
Normally we shouldn#t log from "library" functions, but SELinux is weird, hence upgrade security messages uniformly to LOG_ERR when in enforcing mode.
2014-10-23selinux: rework label query APIsLennart Poettering
APIs that query and return something cannot silently fail, they must either return something useful, or an error. Fix that. Also, properly rollback socket unit fd creation when something goes wrong with the security framework.
2014-10-23smack: rework SMACK label fixing code to follow more closely the semantics ↵Lennart Poettering
of the matching selinux code
2014-10-23selinux: make use of cleanup gcc magicLennart Poettering
2014-10-23mac: also rename use_{smack,selinux,apparmor}() calls so that they share the ↵Lennart Poettering
new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23mac: rename apis with mac_{selinux/smack}_ prefixWaLyong Cho
2014-10-23label: rearrange mandatory access control(MAC) apisWaLyong Cho
move label apis to selinux-util.ch or smack-util.ch appropriately.
2013-10-10security: rework selinux, smack, ima, apparmor detection logicLennart Poettering
Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2012-10-03build-sys: fix !HAVE_SELINUX caseColin Walters
2012-10-02selinux: rework selinux access check logicLennart Poettering
a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-11-11 10:48:38 +0000