2010-10-27 07:47:02 +04:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd .
Copyright 2010 Lennart Poettering
systemd is free software ; you can redistribute it and / or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
systemd is distributed in the hope that it will be useful , but
WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
General Public License for more details .
You should have received a copy of the GNU General Public License
along with systemd ; If not , see < http : //www.gnu.org/licenses/>.
* * */
# include <unistd.h>
# include <stdio.h>
# include <errno.h>
# include <string.h>
# include <stdlib.h>
# ifdef HAVE_SELINUX
# include <selinux/selinux.h>
# endif
# include "selinux-setup.h"
2011-07-29 03:48:18 +04:00
# include "mount-setup.h"
2010-10-27 07:47:02 +04:00
# include "macro.h"
# include "util.h"
# include "log.h"
2011-07-29 01:52:23 +04:00
# include "label.h"
int selinux_setup ( bool * loaded_policy ) {
2010-10-27 07:47:02 +04:00
# ifdef HAVE_SELINUX
int enforce = 0 ;
2011-07-29 01:52:23 +04:00
usec_t before_load , after_load ;
2011-07-25 23:59:05 +04:00
security_context_t con ;
2011-07-29 01:52:23 +04:00
int r ;
assert ( loaded_policy ) ;
2010-10-27 07:47:02 +04:00
2011-07-29 03:48:18 +04:00
/* Make sure getcon() works, which needs /proc and /sys */
mount_setup_early ( ) ;
2011-07-29 01:52:23 +04:00
/* Already initialized by somebody else? */
r = getcon_raw ( & con ) ;
if ( r = = 0 ) {
2011-07-25 23:59:05 +04:00
bool initialized ;
initialized = ! streq ( con , " kernel " ) ;
freecon ( con ) ;
if ( initialized )
return 0 ;
}
2010-10-27 07:47:02 +04:00
2011-07-29 01:52:23 +04:00
/* Make sure we have no fds open while loading the policy and
* transitioning */
log_close ( ) ;
2010-11-08 06:59:39 +03:00
2011-07-29 01:52:23 +04:00
/* Now load the policy */
before_load = now ( CLOCK_MONOTONIC ) ;
r = selinux_init_load_policy ( & enforce ) ;
2011-07-25 23:22:57 +04:00
2011-07-29 01:52:23 +04:00
if ( r = = 0 ) {
char timespan [ FORMAT_TIMESPAN_MAX ] ;
char * label ;
2010-10-27 07:47:02 +04:00
2011-07-29 01:52:23 +04:00
/* Transition to the new context */
r = label_get_create_label_from_exe ( SYSTEMD_BINARY_PATH , & label ) ;
2011-07-29 03:48:18 +04:00
if ( r < 0 | | label = = NULL ) {
2011-07-29 01:52:23 +04:00
log_open ( ) ;
log_error ( " Failed to compute init label, ignoring. " ) ;
} else {
r = setcon ( label ) ;
2010-10-27 07:47:02 +04:00
2011-07-29 01:52:23 +04:00
log_open ( ) ;
if ( r < 0 )
log_error ( " Failed to transition into init label '%s', ignoring. " , label ) ;
2010-10-27 07:47:02 +04:00
2011-07-29 01:52:23 +04:00
label_free ( label ) ;
}
after_load = now ( CLOCK_MONOTONIC ) ;
2010-11-08 06:59:39 +03:00
2011-07-29 01:52:23 +04:00
log_info ( " Successfully loaded SELinux policy in %s. " ,
format_timespan ( timespan , sizeof ( timespan ) , after_load - before_load ) ) ;
* loaded_policy = true ;
} else {
2011-07-01 07:55:57 +04:00
if ( enforce > 0 ) {
2011-07-29 01:52:23 +04:00
log_error ( " Failed to load SELinux policy. " ) ;
2010-10-27 07:47:02 +04:00
return - EIO ;
2011-07-29 01:52:23 +04:00
} else
log_debug ( " Unable to load SELinux policy. " ) ;
2010-10-27 07:47:02 +04:00
}
# endif
return 0 ;
}
