selinux: split up mac_selinux_have() from mac_selinux_use()

author Lennart Poettering <lennart@poettering.net>

Fri, 27 Nov 2015 19:22:56 +0000 (20:22 +0100)

committer Lennart Poettering <lennart@poettering.net>

Fri, 27 Nov 2015 19:28:13 +0000 (20:28 +0100)
author Lennart Poettering <lennart@poettering.net>
Fri, 27 Nov 2015 19:22:56 +0000 (20:22 +0100)
committer Lennart Poettering <lennart@poettering.net>
Fri, 27 Nov 2015 19:28:13 +0000 (20:28 +0100)
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c

index e8ce5cfd96dba201d39637aebe87f8663a65c73a..7e4ae33efe0589e332d9e9d01bacca09190cb1fd 100644 (file)
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -47,7 +47,7 @@ static struct selabel_handle *label_hnd = NULL;
  #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
  #endif
  
-bool mac_selinux_use(void) {
+bool mac_selinux_have(void) {
  #ifdef HAVE_SELINUX
          if (cached_use < 0)
                  cached_use = is_selinux_enabled() > 0;
@@ -58,6 +58,16 @@ bool mac_selinux_use(void) {
  #endif
  }
  
+bool mac_selinux_use(void) {
+        if (!mac_selinux_have())
+                return false;
+
+        /* Never try to configure SELinux features if we aren't
+         * root */
+
+        return getuid() == 0;
+}
+
  void mac_selinux_retest(void) {
  #ifdef HAVE_SELINUX
          cached_use = -1;
@@ -197,7 +207,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
          assert(exe);
          assert(label);
  
-        if (!mac_selinux_use())
+        if (!mac_selinux_have())
                  return -EOPNOTSUPP;
  
          r = getcon_raw(&mycon);
@@ -223,7 +233,7 @@ int mac_selinux_get_our_label(char **label) {
          assert(label);
  
  #ifdef HAVE_SELINUX
-        if (!mac_selinux_use())
+        if (!mac_selinux_have())
                  return -EOPNOTSUPP;
  
          r = getcon_raw(label);
@@ -247,7 +257,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
          assert(exe);
          assert(label);
  
-        if (!mac_selinux_use())
+        if (!mac_selinux_have())
                  return -EOPNOTSUPP;
  
          r = getcon_raw(&mycon);
@@ -302,7 +312,7 @@ char* mac_selinux_free(char *label) {
          if (!label)
                  return NULL;
  
-        if (!mac_selinux_use())
+        if (!mac_selinux_have())
                  return NULL;
  
  
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h

index d19984c5fe84fd13dcc0e5c915213d67f53558b7..95a2fcdbcae96ae529e12202411593fc39b1d113 100644 (file)
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -27,6 +27,7 @@
  #include "macro.h"
  
  bool mac_selinux_use(void);
+bool mac_selinux_have(void);
  void mac_selinux_retest(void);
  
  int mac_selinux_init(const char *prefix);
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c

index 69a685c06f26201139049ff9c295375595de6722..371df5b37f7bedd0f3e8baae25105cb8fc633888 100644 (file)
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -480,7 +480,7 @@ int server_open_native_socket(Server*s) {
                  return log_error_errno(errno, "SO_PASSCRED failed: %m");
  
  #ifdef HAVE_SELINUX
-        if (mac_selinux_use()) {
+        if (mac_selinux_have()) {
                  r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
                  if (r < 0)
                          log_warning_errno(errno, "SO_PASSSEC failed: %m");
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c

index 7d11a568aa1ce42463317e7550667f5eedf807d2..eb17f413f2cfcc384c198e030bb374bb1d7a32b0 100644 (file)
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -707,7 +707,7 @@ static void dispatch_message_real(
                  }
  
  #ifdef HAVE_SELINUX
-                if (mac_selinux_use()) {
+                if (mac_selinux_have()) {
                          if (label) {
                                  x = alloca(strlen("_SELINUX_CONTEXT=") + label_len + 1);
  
diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c

index 07a0f1bf41a74151729627dd3b7a637362ca62e9..131fcdac423aee7f7fd16bac469cfe88bd654b74 100644 (file)
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -493,7 +493,7 @@ static int stdout_stream_install(Server *s, int fd, StdoutStream **ret) {
          if (r < 0)
                  return log_error_errno(r, "Failed to determine peer credentials: %m");
  
-        if (mac_selinux_use()) {
+        if (mac_selinux_have()) {
                  r = getpeersec(fd, &stream->label);
                  if (r < 0 && r != -EOPNOTSUPP)
                          (void) log_warning_errno(r, "Failed to determine peer security context: %m");
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c

index f3ac1a7ae061b4a9315e2e8c891517fef1cf21ec..cfc50d889ba91a53ecf887afb904c3ecab28cd80 100644 (file)
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -415,7 +415,7 @@ int server_open_syslog_socket(Server *s) {
                  return log_error_errno(errno, "SO_PASSCRED failed: %m");
  
  #ifdef HAVE_SELINUX
-        if (mac_selinux_use()) {
+        if (mac_selinux_have()) {
                  r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
                  if (r < 0)
                          log_warning_errno(errno, "SO_PASSSEC failed: %m");
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c

index 25873dea1ecd30ad5111000a1e7408e614759fa2..1df571ac926da415280cf13d49f35bdd90e283f0 100644 (file)
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -609,7 +609,7 @@ static void bus_get_peercred(sd_bus *b) {
          b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
  
          /* Get the SELinux context of the peer */
-        if (mac_selinux_use()) {
+        if (mac_selinux_have()) {
                  r = getpeersec(b->input_fd, &b->label);
                  if (r < 0 && r != -EOPNOTSUPP)
                          log_debug_errno(r, "Failed to determine peer security context: %m");
diff --git a/src/shared/condition.c b/src/shared/condition.c

index a69719116c9907e06f8fa5b3845c0a4147090bad..14d18429b6fc60c947b95381bf1c98b2e35ced36 100644 (file)
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -231,7 +231,7 @@ static int condition_test_security(Condition *c) {
          assert(c->type == CONDITION_SECURITY);
  
          if (streq(c->parameter, "selinux"))
-                return mac_selinux_use();
+                return mac_selinux_have();
          if (streq(c->parameter, "smack"))
                  return mac_smack_use();
          if (streq(c->parameter, "apparmor"))
diff --git a/src/test/test-condition.c b/src/test/test-condition.c

index f224c6cdd8c11ab3cd19b39bb822748dbbe0f44e..8903d10db72524511a785bbc220a0200bf6245ae 100644 (file)
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -203,7 +203,7 @@ static void test_condition_test_security(void) {
          condition_free(condition);
  
          condition = condition_new(CONDITION_SECURITY, "selinux", false, true);
-        assert_se(condition_test(condition) != mac_selinux_use());
+        assert_se(condition_test(condition) != mac_selinux_have());
          condition_free(condition);
  
          condition = condition_new(CONDITION_SECURITY, "ima", false, false);
author	Lennart Poettering <lennart@poettering.net>
	Fri, 27 Nov 2015 19:22:56 +0000 (20:22 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Fri, 27 Nov 2015 19:28:13 +0000 (20:28 +0100)
src/basic/selinux-util.c		patch \| blob \| blame \| history
src/basic/selinux-util.h		patch \| blob \| blame \| history
src/journal/journald-native.c		patch \| blob \| blame \| history
src/journal/journald-server.c		patch \| blob \| blame \| history
src/journal/journald-stream.c		patch \| blob \| blame \| history
src/journal/journald-syslog.c		patch \| blob \| blame \| history
src/libsystemd/sd-bus/bus-socket.c		patch \| blob \| blame \| history
src/shared/condition.c		patch \| blob \| blame \| history
src/test/test-condition.c		patch \| blob \| blame \| history