systemd/src/selinux-setup.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "selinux-setup.h"
#include "macro.h"
#include "util.h"
#include "log.h"

int selinux_setup(char *const argv[]) {
#ifdef HAVE_SELINUX
       int enforce = 0;

       /* Already initialized? */
       if (path_is_mount_point("/sys/fs/selinux") > 0 ||
           path_is_mount_point("/selinux") > 0)
               return 0;

       /* Before we load the policy we create a flag file to ensure
        * that after the reexec we iterate through /run and /dev to
        * relabel things. */
       touch("/dev/.systemd-relabel-run-dev");

       if (selinux_init_load_policy(&enforce) == 0) {
               log_debug("Successfully loaded SELinux policy, reexecuting.");

               /* FIXME: Ideally we'd just call setcon() here instead
                * of having to reexecute ourselves here. */

               execv(SYSTEMD_BINARY_PATH, argv);
               log_error("Failed to reexecute: %m");
               return -errno;

       } else {
               log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");

               unlink("/dev/.systemd-relabel-run-dev");

               if (enforce > 0)
                       return -EIO;
       }
#endif

       return 0;
}
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00			`/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/`

			`/***`
			`This file is part of systemd.`

			`Copyright 2010 Lennart Poettering`

			`systemd is free software; you can redistribute it and/or modify it`
			`under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; either version 2 of the License, or`
			`(at your option) any later version.`

			`systemd is distributed in the hope that it will be useful, but`
			`WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with systemd; If not, see <http://www.gnu.org/licenses/>.`
			`***/`

			`#include <unistd.h>`
			`#include <stdio.h>`
			`#include <errno.h>`
			`#include <string.h>`
			`#include <stdlib.h>`

			`#ifdef HAVE_SELINUX`
			`#include <selinux/selinux.h>`
			`#endif`

			`#include "selinux-setup.h"`
			`#include "macro.h"`
			`#include "util.h"`
			`#include "log.h"`

			`int selinux_setup(char *const argv[]) {`
			`#ifdef HAVE_SELINUX`
			`int enforce = 0;`

			`/* Already initialized? */`
selinux: selinuxfs can be mounted on /sys/fs/selinux The kernel now provides the /sys/fs/selinux mountpoint and libselinux prefers it if it's available. systemd currently tests only for /selinux and this leads to an infinite loop of policy reloads in the latest Rawhide. Fix it by checking both possible mountpoints. Also add the new path to ignore_paths[]. /selinux appears also in nspawn.c. I don't think it's necessary to change it there at this point. https://bugzilla.redhat.com/show_bug.cgi?id=711015 2011-06-07 02:48:16 +04:00			`if (path_is_mount_point("/sys/fs/selinux") > 0 \|\|`
			`path_is_mount_point("/selinux") > 0)`
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00			`return 0;`

selinux: relabel /dev after loading policy 2010-11-08 06:59:39 +03:00			`/* Before we load the policy we create a flag file to ensure`
selinux: relabel /run the same way as /dev after loading the policy since they both come pre-filled and unlabelled 2011-04-04 18:56:51 +04:00			`* that after the reexec we iterate through /run and /dev to`
			`* relabel things. */`
			`touch("/dev/.systemd-relabel-run-dev");`
selinux: relabel /dev after loading policy 2010-11-08 06:59:39 +03:00
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00			`if (selinux_init_load_policy(&enforce) == 0) {`
selinux: relabel /dev after loading policy 2010-11-08 06:59:39 +03:00			`log_debug("Successfully loaded SELinux policy, reexecuting.");`
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00
			`/* FIXME: Ideally we'd just call setcon() here instead`
			`* of having to reexecute ourselves here. */`

			`execv(SYSTEMD_BINARY_PATH, argv);`
			`log_error("Failed to reexecute: %m");`
			`return -errno;`

			`} else {`
selinux: bump up error level when in non-enforcing mode 2011-03-09 22:12:30 +03:00			`log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");`
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00
selinux: relabel /run the same way as /dev after loading the policy since they both come pre-filled and unlabelled 2011-04-04 18:56:51 +04:00			`unlink("/dev/.systemd-relabel-run-dev");`
selinux: relabel /dev after loading policy 2010-11-08 06:59:39 +03:00
selinux: automatically load policy if the initrd hasn't done this for us yet 2010-10-27 07:47:02 +04:00			`if (enforce > 0)`
			`return -EIO;`
			`}`
			`#endif`

			`return 0;`
			`}`