1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
From 9638af24a1e890d673549f0b25d854458e07032e Mon Sep 17 00:00:00 2001
From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Date: Thu, 2 Jul 2015 09:27:36 -0400
Subject: [PATCH] libsemanage: Add policy binary and file_contexts.local to the
store
This patch writes policy.kern and file_contexts.local to the policy store as
well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
are now parsed from the store rather than the final directory which was
the old behavior. This allows all policy related files to be kept in the
policy store.
This patch also renames /var/lib/selinux/tmp to 'final' and changes
policy.kern in the store to longer be a symlink.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
---
libsemanage/src/booleans_policydb.c | 6 ++--
libsemanage/src/direct_api.c | 33 +++++++++++++++----
libsemanage/src/interfaces_policydb.c | 6 ++--
libsemanage/src/nodes_policydb.c | 6 ++--
libsemanage/src/ports_policydb.c | 6 ++--
libsemanage/src/semanage_store.c | 55 ++++++++++++++++++++++++--------
libsemanage/src/semanage_store.h | 5 +++
libsemanage/src/users_base_policydb.c | 6 ++--
libsemanage/utils/semanage_migrate_store | 3 +-
9 files changed, 86 insertions(+), 40 deletions(-)
diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c
index 74af2a3..6869d6c 100644
--- a/libsemanage/src/booleans_policydb.c
+++ b/libsemanage/src/booleans_policydb.c
@@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle,
{
if (dbase_policydb_init(handle,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_KERNEL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
&SEMANAGE_BOOL_RTABLE,
&SEMANAGE_BOOL_POLICYDB_RTABLE,
&dconfig->dbase) < 0)
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index d57f934..3c6b168 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh)
goto err;
if (fcontext_file_dbase_init(sh,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_FC_LOCAL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_FC_LOCAL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
semanage_fcontext_dbase_local(sh)) < 0)
goto err;
@@ -1041,7 +1039,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
size_t fc_buffer_len = 0;
const char *ofilename = NULL;
const char *path;
- int retval = -1, num_modinfos = 0, i;
+ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
sepol_policydb_t *out = NULL;
struct cil_db *cildb = NULL;
semanage_module_info_t *modinfos = NULL;
@@ -1143,8 +1141,20 @@ static int semanage_direct_commit(semanage_handle_t * sh)
modified |= dontaudit_modified;
modified |= preserve_tunables_modified;
+ /* This is for systems that have already migrated with an older version
+ * of semanage_migrate_store. The older version did not copy policy.kern so
+ * the policy binary must be rebuilt here.
+ */
+ if (!sh->do_rebuild && !modified) {
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
+
+ if (access(path, F_OK) != 0) {
+ missing_policy_kern = 1;
+ }
+ }
+
/* If there were policy changes, or explicitly requested, rebuild the policy */
- if (sh->do_rebuild || modified) {
+ if (sh->do_rebuild || modified || missing_policy_kern) {
/* =================== Module expansion =============== */
retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
@@ -1302,6 +1312,17 @@ static int semanage_direct_commit(semanage_handle_t * sh)
if (retval < 0)
goto cleanup;
+ retval = semanage_copy_policydb(sh);
+ if (retval < 0)
+ goto cleanup;
+
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
+ if (access(path, F_OK) == 0) {
+ retval = semanage_copy_fc_local(sh);
+ if (retval < 0)
+ goto cleanup;
+ }
+
/* run genhomedircon if its enabled, this should be the last operation
* which requires the out policydb */
if (!sh->conf->disable_genhomedircon) {
diff --git a/libsemanage/src/interfaces_policydb.c b/libsemanage/src/interfaces_policydb.c
index 6a42eed..552ce7d 100644
--- a/libsemanage/src/interfaces_policydb.c
+++ b/libsemanage/src/interfaces_policydb.c
@@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle,
{
if (dbase_policydb_init(handle,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_KERNEL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
&SEMANAGE_IFACE_RTABLE,
&SEMANAGE_IFACE_POLICYDB_RTABLE,
&dconfig->dbase) < 0)
diff --git a/libsemanage/src/nodes_policydb.c b/libsemanage/src/nodes_policydb.c
index 56012fb..7224f00 100644
--- a/libsemanage/src/nodes_policydb.c
+++ b/libsemanage/src/nodes_policydb.c
@@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle,
{
if (dbase_policydb_init(handle,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_KERNEL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
&SEMANAGE_NODE_RTABLE,
&SEMANAGE_NODE_POLICYDB_RTABLE,
&dconfig->dbase) < 0)
diff --git a/libsemanage/src/ports_policydb.c b/libsemanage/src/ports_policydb.c
index b9600f0..37d7deb 100644
--- a/libsemanage/src/ports_policydb.c
+++ b/libsemanage/src/ports_policydb.c
@@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle,
{
if (dbase_policydb_init(handle,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_KERNEL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
&SEMANAGE_PORT_RTABLE,
&SEMANAGE_PORT_POLICYDB_RTABLE,
&dconfig->dbase) < 0)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 6051691..2856aaf 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"/disable_dontaudit",
"/preserve_tunables",
"/modules/disabled",
+ "/policy.kern",
+ "/file_contexts.local"
};
static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
- "/tmp",
+ "/final",
"",
};
@@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh)
goto cleanup;
}
- /* Copy in exported databases.
- * i = 1 to avoid copying the top level directory.
- */
+ // Build final directory structure
int i;
for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) {
if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) {
@@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh)
status = -1;
goto cleanup;
}
-
- semanage_copy_file(
- semanage_final_path(SEMANAGE_FINAL_SELINUX, i),
- semanage_final_path(SEMANAGE_FINAL_TMP, i),
- sh->conf->file_mode);
- /* ignore errors, these files may not exist */
}
cleanup:
@@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
FILE *infile = NULL;
if ((kernel_filename =
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL)) == NULL) {
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
goto cleanup;
}
if ((infile = fopen(kernel_filename, "r")) == NULL) {
@@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
FILE *outfile = NULL;
if ((kernel_filename =
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) {
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
goto cleanup;
}
if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
@@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
return 0;
}
+
+int semanage_copy_policydb(semanage_handle_t *sh)
+{
+ const char *src = NULL;
+ const char *dst = NULL;
+ int rc = -1;
+
+ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
+ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
+
+ rc = semanage_copy_file(src, dst, sh->conf->file_mode);
+ if (rc != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ return rc;
+}
+
+int semanage_copy_fc_local(semanage_handle_t *sh)
+{
+ const char *src = NULL;
+ const char *dst = NULL;
+ int rc = -1;
+
+ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
+ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
+
+ rc = semanage_copy_file(src, dst, sh->conf->file_mode);
+ if (rc != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ return rc;
+}
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
index 62c7079..ade43f2 100644
--- a/libsemanage/src/semanage_store.h
+++ b/libsemanage/src/semanage_store.h
@@ -55,6 +55,8 @@ enum semanage_sandbox_defs {
SEMANAGE_DISABLE_DONTAUDIT,
SEMANAGE_PRESERVE_TUNABLES,
SEMANAGE_MODULES_DISABLED,
+ SEMANAGE_STORE_KERNEL,
+ SEMANAGE_STORE_FC_LOCAL,
SEMANAGE_STORE_NUM_PATHS
};
@@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh,
size_t buf_len,
char **sorted_buf, size_t * sorted_buf_len);
+int semanage_copy_policydb(semanage_handle_t *sh);
+int semanage_copy_fc_local(semanage_handle_t *sh);
+
#endif
diff --git a/libsemanage/src/users_base_policydb.c b/libsemanage/src/users_base_policydb.c
index 0a6ab9c..b42279c 100644
--- a/libsemanage/src/users_base_policydb.c
+++ b/libsemanage/src/users_base_policydb.c
@@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle,
{
if (dbase_policydb_init(handle,
- semanage_final_path(SEMANAGE_FINAL_SELINUX,
- SEMANAGE_KERNEL),
- semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_KERNEL),
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
&SEMANAGE_USER_BASE_RTABLE,
&SEMANAGE_USER_BASE_POLICYDB_RTABLE,
&dconfig->dbase) < 0)
diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
index 2f85e9c..b170eda 100755
--- a/libsemanage/utils/semanage_migrate_store
+++ b/libsemanage/utils/semanage_migrate_store
@@ -243,7 +243,8 @@ if __name__ == "__main__":
"users.local",
"users_extra.local",
"disable_dontaudit",
- "preserve_tunables" ]
+ "preserve_tunables",
+ "policy.kern" ]
create_dir(newroot_path(), 0o755)
--
2.4.6
|