From: atlant2011 <4iter-yes@rambler.ru>
Date: Mon, 9 Aug 2021 17:12:18 +0000 (+0700)
Subject: remove old link to header selinux/flask.h and selinux/av_permissions.h and depend...
X-Git-Tag: ver3_3_1~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f55e76fc1ab10a42b6407d7472811e1ee14440e;p=thirdparty%2Ffcron.git
remove old link to header selinux/flask.h and selinux/av_permissions.h and depend (#12)
* 1. remove link to header selinux/flask.h and selinux/av_permissions.h
2. simple move from constant's SECCLASS_FILE and FILE__ENTRYPOINT to functions string_to_security_class("file") and string_to_av_perm(tclass, "entrypoint")
3. NEED CHECK CORRECT RETURN AFTER FAILED RETURN FROM FUNCTION string_to_security_class ADN string_to_av_perm !
Link to info from libselinux https://github.com/SELinuxProject/selinux/commit/76913d8adb61b5#diff-046564229793ada24798dac3d2e479f07651ac9020d43938f3aa1fa9c9c24c9e
* read_conf() selinux: renamed vars and added error return
Co-authored-by: Thibault Godouet
---
diff --git a/conf.c b/conf.c
index eb43b54..2517475 100644
--- a/conf.c
+++ b/conf.c
@@ -453,7 +453,7 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
 int has_read_cl_first = 0; /* have we read S_FIRST_T? */
 #ifdef WITH_SELINUX
 int flask_enabled = is_selinux_enabled();
- int retval;
+ int retval = -1;
 struct av_decision avd;
 char *user_name = NULL;
 #endif
@@ -540,19 +540,34 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
 if (get_default_context(user_name, NULL, &cf->cf_user_context))
 error_e("NO CONTEXT for Linux user '%s' (SELinux user '%s')",
 cf->cf_user, user_name);
- retval =
- security_compute_av(cf->cf_user_context, cf->cf_file_context,
- SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ /* we no longer need those - clean them up */
+ Free_safe(sename);
+ Free_safe(selevl);
+
+ security_class_t sec_class = string_to_security_class("file");
+ if (!sec_class) {
+ error_e("Failed to translate security class 'file'\n");
+ goto err;
+ }
+
+ access_vector_t access_vec = string_to_av_perm(sec_class, "entrypoint");
+ if (!access_vec) {
+ error_e("Failed to translate security class file\n");
+ goto err;
+ }
+
+ /* if we get here, sec_class and access_vec are both defined */
+ retval = security_compute_av(cf->cf_user_context, cf->cf_file_context,
+ sec_class, access_vec, &avd);
+
+ if (retval || ((access_vec & avd.allowed) != access_vec)) {
 syslog(LOG_ERR, "ENTRYPOINT FAILED for Linux user '%s' "
 "(CONTEXT %s) for file CONTEXT %s", cf->cf_user,
 cf->cf_user_context, cf->cf_file_context);
 goto err;
 }
- Free_safe(sename);
- Free_safe(selevl);
 }
 #endif
diff --git a/global.h b/global.h
index ce1d269..9421dcf 100644
--- a/global.h
+++ b/global.h
@@ -45,8 +45,6 @@
 #ifdef WITH_SELINUX
 #include
 #include
-#include
-#include
 #endif
 #ifdef HAVE_GETOPT_H
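Review bot: The error message on the `string_to_av_perm` failure path is copied from the class lookup and reports the wrong thing, so a policy that lacks the `entrypoint` permission on class `file` would be logged as a missing class; use `error_e("Failed to translate access vector 'entrypoint' for class 'file'");`. Both new `error_e()` messages also carry a trailing `\n`, which no other `error_e()` or `syslog()` call in this hunk has, so drop it for consistency. Sending both lookups to `goto err` when they return 0 is the correct fail-closed behaviour, since `security_compute_av()` would otherwise be queried for class 0 / permission 0 and the file could be accepted on a meaningless decision. The existing `retval` branch still reports a libselinux lookup error and a genuine policy denial with the same `ENTRYPOINT FAILED` line and discards errno, so a non-zero `retval` is worth its own `error_e()` before the `goto err`. The enclosing `if` block and the `err:` label lie outside this hunk, so I cannot confirm from here that the now-earlier `Free_safe(sename)`/`Free_safe(selevl)` leave those pointers NULL for whatever cleanup `err:` performs.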