
Commit ecabcf8

selinux: clean up selinux label function naming
1 parent 66cedb3 commit ecabcf8


10 files changed

+117
-102
lines changed

10 files changed

+117
-102
lines changed

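--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -225,9 +225,9 @@ static int mount_dev(BindMount *m) {
 goto fail;
 }
 
-mac_selinux_context_set(d, st.st_mode);
+mac_selinux_create_file_prepare(d, st.st_mode);
 r = mknod(dn, st.st_mode, st.st_rdev);
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 if (r < 0) {
 r = -errno;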
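Review bot: The return value of mac_selinux_create_file_prepare(d, st.st_mode) is still discarded here, while every other caller touched by this commit (socket.c, dev-setup.c, fileio-label.c) treats `r < 0` as fatal; per the selinux-util.c hunk the prepare returns a negative errno when setfscreatecon() fails, so in that case the device node is mknod()'ed with whatever creation context happens to be in effect. Since `r` and the `fail:` label are already in scope, `r = mac_selinux_create_file_prepare(d, st.st_mode); if (r < 0) goto fail;` would bring this call site in line with the others. mount_dev() starts and ends outside this hunk, so whether `fail:` would also need the matching clear call, as socket.c's fail path has, cannot be seen from here.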
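--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -967,7 +967,7 @@ static int fifo_address_create(
 
 mkdir_parents_label(path, directory_mode);
 
-r = mac_selinux_context_set(path, S_IFIFO);
+r = mac_selinux_create_file_prepare(path, S_IFIFO);
 if (r < 0)
 goto fail;
 
@@ -990,7 +990,7 @@ static int fifo_address_create(
 goto fail;
 }
 
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 if (fstat(fd, &st) < 0) {
 r = -errno;
@@ -1010,7 +1010,7 @@ static int fifo_address_create(
 return 0;
 
 fail:
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 safe_close(fd);
 
 return r;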
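--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -38,14 +38,14 @@ static int symlink_and_label(const char *old_path, const char *new_path) {
 assert(old_path);
 assert(new_path);
 
-r = mac_selinux_context_set(new_path, S_IFLNK);
+r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
 if (r < 0)
 return r;
 
 if (symlink(old_path, new_path) < 0)
 r = -errno;
 
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 return r;
 }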
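--- a/src/shared/fileio-label.c
+++ b/src/shared/fileio-label.c
@@ -30,27 +30,27 @@
 int write_string_file_atomic_label(const char *fn, const char *line) {
 int r;
 
-r = mac_selinux_context_set(fn, S_IFREG);
+r = mac_selinux_create_file_prepare(fn, S_IFREG);
 if (r < 0)
 return r;
 
 r = write_string_file_atomic(fn, line);
 
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 return r;
 }
 
 int write_env_file_label(const char *fname, char **l) {
 int r;
 
-r = mac_selinux_context_set(fname, S_IFREG);
+r = mac_selinux_create_file_prepare(fname, S_IFREG);
 if (r < 0)
 return r;
 
 r = write_env_file(fname, l);
 
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 return r;
 }
@@ -59,13 +59,13 @@ int fopen_temporary_label(const char *target,
 const char *path, FILE **f, char **temp_path) {
 int r;
 
-r = mac_selinux_context_set(target, S_IFREG);
+r = mac_selinux_create_file_prepare(target, S_IFREG);
 if (r < 0)
 return r;
 
 r = fopen_temporary(path, f, temp_path);
 
-mac_selinux_context_clear();
+mac_selinux_create_file_clear();
 
 return r;
 }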
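--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -109,11 +109,21 @@ int mac_selinux_init(const char *prefix) {
 return r;
 }
 
+void mac_selinux_finish(void) {
+
+#ifdef HAVE_SELINUX
+if (!label_hnd)
+return;
+
+selabel_close(label_hnd);
+#endif
+}
+
 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
-int r = 0;
 
 #ifdef HAVE_SELINUX
 struct stat st;
+int r;
 
 assert(path);
 
@@ -148,22 +158,31 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
 if (ignore_erofs && errno == EROFS)
 return 0;
 
-log_enforcing("Unable to fix SELinux label of %s: %m", path);
-r = security_getenforce() == 1 ? -errno : 0;
+log_enforcing("Unable to fix SELinux security context of %s: %m", path);
+if (security_getenforce() == 1)
+return -errno;
 }
 #endif
 
-return r;
+return 0;
 }
 
-void mac_selinux_finish(void) {
+int mac_selinux_apply(const char *path, const char *label) {
 
 #ifdef HAVE_SELINUX
-if (!label_hnd)
-return;
+assert(path);
+assert(label);
 
-selabel_close(label_hnd);
+if (!mac_selinux_use())
+return 0;
+
+if (setfilecon(path, (security_context_t) label) < 0) {
+log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
+if (security_getenforce() == 1)
+return -errno;
+}
 #endif
+return 0;
 }
 
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
@@ -279,12 +298,24 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
 return r;
 }
 
-int mac_selinux_context_set(const char *path, mode_t mode) {
+void mac_selinux_free(char *label) {
+
+#ifdef HAVE_SELINUX
+if (!mac_selinux_use())
+return;
+
+freecon((security_context_t) label);
+#endif
+}
+
+int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 int r = 0;
 
 #ifdef HAVE_SELINUX
 _cleanup_security_context_free_ security_context_t filecon = NULL;
 
+assert(path);
+
 if (!label_hnd)
 return 0;
 
@@ -294,7 +325,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
 else if (r == 0) {
 r = setfscreatecon(filecon);
 if (r < 0) {
-log_enforcing("Failed to set SELinux file context on %s: %m", path);
+log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
 r = -errno;
 }
 }
@@ -306,24 +337,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
 return r;
 }
 
-int mac_selinux_socket_set(const char *label) {
-
-#ifdef HAVE_SELINUX
-if (!mac_selinux_use())
-return 0;
-
-if (setsockcreatecon((security_context_t) label) < 0) {
-log_enforcing("Failed to set SELinux context (%s) on socket: %m", label);
-
-if (security_getenforce() == 1)
-return -errno;
-}
-#endif
-
-return 0;
-}
-
-void mac_selinux_context_clear(void) {
+void mac_selinux_create_file_clear(void) {
 
 #ifdef HAVE_SELINUX
 PROTECT_ERRNO;
@@ -335,37 +349,49 @@ void mac_selinux_context_clear(void) {
 #endif
 }
 
-void mac_selinux_socket_clear(void) {
+int mac_selinux_create_socket_prepare(const char *label) {
 
 #ifdef HAVE_SELINUX
-PROTECT_ERRNO;
-
 if (!mac_selinux_use())
-return;
+return 0;
 
-setsockcreatecon(NULL);
+assert(label);
+
+if (setsockcreatecon((security_context_t) label) < 0) {
+log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
+
+if (security_getenforce() == 1)
+return -errno;
+}
 #endif
+
+return 0;
 }
 
-void mac_selinux_free(const char *label) {
+void mac_selinux_create_socket_clear(void) {
 
 #ifdef HAVE_SELINUX
+PROTECT_ERRNO;
+
 if (!mac_selinux_use())
 return;
 
-freecon((security_context_t) label);
+setsockcreatecon(NULL);
 #endif
 }
 
 int mac_selinux_mkdir(const char *path, mode_t mode) {
-int r = 0;
 
-#ifdef HAVE_SELINUX
 /* Creates a directory and labels it according to the SELinux policy */
+
+#ifdef HAVE_SELINUX
 _cleanup_security_context_free_ security_context_t fcon = NULL;
+int r;
+
+assert(path);
 
 if (!label_hnd)
-return 0;
+goto skipped;
 
 if (path_is_absolute(path))
 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
@@ -383,7 +409,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
 r = setfscreatecon(fcon);
 
 if (r < 0 && errno != ENOENT) {
-log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
+log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
 
 if (security_getenforce() == 1) {
 r = -errno;
@@ -397,9 +423,11 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
 
 finish:
 setfscreatecon(NULL);
-#endif
-
 return r;
+
+skipped:
+#endif
+return mkdir(path, mode) < 0 ? -errno : 0;
 }
 
 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
@@ -416,7 +444,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
 assert(addr);
 assert(addrlen >= sizeof(sa_family_t));
 
-if (!mac_selinux_use() || !label_hnd)
+if (!label_hnd)
 goto skipped;
 
 /* Filter out non-local sockets */
@@ -450,7 +478,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
 r = setfscreatecon(fcon);
 
 if (r < 0 && errno != ENOENT) {
-log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
+log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
 
 if (security_getenforce() == 1) {
 r = -errno;
@@ -470,15 +498,3 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
 #endif
 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
 }
-
-int mac_selinux_apply(const char *path, const char *label) {
-int r = 0;
-
-#ifdef HAVE_SELINUX
-if (!mac_selinux_use())
-return 0;
-
-r = setfilecon(path, (char *)label);
-#endif
-return r;
-}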
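--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -32,20 +32,18 @@ int mac_selinux_init(const char *prefix);
 void mac_selinux_finish(void);
 
 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
-
-int mac_selinux_socket_set(const char *label);
-void mac_selinux_socket_clear(void);
-
-int mac_selinux_context_set(const char *path, mode_t mode);
-void mac_selinux_context_clear(void);
-
-int mac_selinux_mkdir(const char *path, mode_t mode);
+int mac_selinux_apply(const char *path, const char *label);
 
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
 int mac_selinux_get_our_label(char **label);
 int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
-void mac_selinux_free(const char *label);
+void mac_selinux_free(char *label);
 
-int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
+int mac_selinux_create_file_prepare(const char *path, mode_t mode);
+void mac_selinux_create_file_clear(void);
 
-int mac_selinux_apply(const char *path, const char *label);
+int mac_selinux_create_socket_prepare(const char *label);
+void mac_selinux_create_socket_clear(void);
+
+int mac_selinux_mkdir(const char *path, mode_t mode);
+int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);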
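--- a/src/shared/socket-label.c
+++ b/src/shared/socket-label.c
@@ -64,7 +64,7 @@ int socket_address_listen(
 return -EAFNOSUPPORT;
 
 if (label) {
-r = mac_selinux_socket_set(label);
+r = mac_selinux_create_socket_prepare(label);
 if (r < 0)
 return r;
 }
@@ -73,7 +73,7 @@ int socket_address_listen(
 r = fd < 0 ? -errno : 0;
 
 if (label)
-mac_selinux_socket_clear();
+mac_selinux_create_socket_clear();
 
 if (r < 0)
 return r;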