]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
c4dcdb9f | 2 | |
c4dcdb9f | 3 | #include <errno.h> |
07630cea LP |
4 | #include <stdio.h> |
5 | #include <unistd.h> | |
c4dcdb9f | 6 | |
349cc4a5 | 7 | #if HAVE_SELINUX |
c4dcdb9f LP |
8 | #include <selinux/selinux.h> |
9 | #endif | |
10 | ||
ad5db940 OJ |
11 | #include "sd-messages.h" |
12 | ||
baa6a42d | 13 | #include "initrd-util.h" |
07630cea | 14 | #include "log.h" |
c4dcdb9f | 15 | #include "macro.h" |
cf0fbc49 | 16 | #include "selinux-setup.h" |
07630cea LP |
17 | #include "selinux-util.h" |
18 | #include "string-util.h" | |
ca78ad1d | 19 | #include "time-util.h" |
0b3325e7 | 20 | |
349cc4a5 | 21 | #if HAVE_SELINUX |
82613b14 | 22 | _printf_(2,3) |
dbc655d5 LP |
23 | static int null_log(int type, const char *fmt, ...) { |
24 | return 0; | |
25 | } | |
f8e9f2cc | 26 | #endif |
dbc655d5 | 27 | |
8a188de9 | 28 | int mac_selinux_setup(bool *loaded_policy) { |
c4dcdb9f | 29 | |
349cc4a5 | 30 | #if HAVE_SELINUX |
4ab72d6f WW |
31 | int enforce = 0; |
32 | usec_t before_load, after_load; | |
2ed96880 | 33 | char *con; |
4ab72d6f | 34 | int r; |
4a69c2c7 | 35 | bool initialized; |
4ab72d6f WW |
36 | |
37 | assert(loaded_policy); | |
38 | ||
39 | /* Turn off all of SELinux' own logging, we want to do that */ | |
4a69c2c7 | 40 | selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log }); |
4ab72d6f | 41 | |
4a69c2c7 LP |
42 | /* Don't load policy in the initrd if we don't appear to have it. For the real root, we check below |
43 | * if we've already loaded policy, and return gracefully. */ | |
4ab72d6f WW |
44 | if (in_initrd() && access(selinux_path(), F_OK) < 0) |
45 | return 0; | |
46 | ||
47 | /* Already initialized by somebody else? */ | |
48 | r = getcon_raw(&con); | |
4a69c2c7 LP |
49 | /* getcon_raw can return 0, and still give us a NULL pointer if /proc/self/attr/current is |
50 | * empty. SELinux guarantees this won't happen, but that file isn't specific to SELinux, and may be | |
51 | * provided by some other arbitrary LSM with different semantics. */ | |
199a8922 | 52 | if (r == 0 && con) { |
4ab72d6f WW |
53 | initialized = !streq(con, "kernel"); |
54 | freecon(con); | |
4a69c2c7 LP |
55 | } else |
56 | initialized = false; | |
4ab72d6f WW |
57 | |
58 | /* Make sure we have no fds open while loading the policy and | |
59 | * transitioning */ | |
60 | log_close(); | |
61 | ||
62 | /* Now load the policy */ | |
63 | before_load = now(CLOCK_MONOTONIC); | |
64 | r = selinux_init_load_policy(&enforce); | |
65 | if (r == 0) { | |
710a6b50 | 66 | _cleanup_(mac_selinux_freep) char *label = NULL; |
4ab72d6f | 67 | |
6baa7db0 | 68 | mac_selinux_retest(); |
4ab72d6f WW |
69 | |
70 | /* Transition to the new context */ | |
cc56fafe | 71 | r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); |
710a6b50 | 72 | if (r < 0 || !label) { |
4ab72d6f WW |
73 | log_open(); |
74 | log_error("Failed to compute init label, ignoring."); | |
75 | } else { | |
a1d2de07 | 76 | r = setcon_raw(label); |
4ab72d6f WW |
77 | |
78 | log_open(); | |
79 | if (r < 0) | |
80 | log_error("Failed to transition into init label '%s', ignoring.", label); | |
4ab72d6f WW |
81 | } |
82 | ||
83 | after_load = now(CLOCK_MONOTONIC); | |
84 | ||
85 | log_info("Successfully loaded SELinux policy in %s.", | |
5291f26d | 86 | FORMAT_TIMESPAN(after_load - before_load, 0)); |
4ab72d6f WW |
87 | |
88 | *loaded_policy = true; | |
89 | ||
90 | } else { | |
91 | log_open(); | |
92 | ||
93 | if (enforce > 0) { | |
d7a0f1f4 | 94 | if (!initialized) |
ad5db940 OJ |
95 | return log_struct_errno(LOG_EMERG, SYNTHETIC_ERRNO(EIO), |
96 | LOG_MESSAGE("Failed to load SELinux policy :%m"), | |
97 | "MESSAGE_ID=" SD_MESSAGE_SELINUX_FAILED_STR); | |
68d3acac WW |
98 | |
99 | log_warning("Failed to load new SELinux policy. Continuing with old policy."); | |
4ab72d6f WW |
100 | } else |
101 | log_debug("Unable to load SELinux policy. Ignoring."); | |
102 | } | |
c4dcdb9f LP |
103 | #endif |
104 | ||
4ab72d6f | 105 | return 0; |
c4dcdb9f | 106 | } |