[thirdparty/systemd.git] / src / core / selinux-setup.c

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#if HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "log.h"
#include "macro.h"
#include "selinux-setup.h"
#include "selinux-util.h"
#include "string-util.h"
#include "util.h"

#if HAVE_SELINUX
_printf_(2,3)
static int null_log(int type, const char *fmt, ...) {
        return 0;
}
#endif

int mac_selinux_setup(bool *loaded_policy) {

#if HAVE_SELINUX
        int enforce = 0;
        usec_t before_load, after_load;
        char *con;
        int r;
        union selinux_callback cb;
        bool initialized = false;

        assert(loaded_policy);

        /* Turn off all of SELinux' own logging, we want to do that */
        cb.func_log = null_log;
        selinux_set_callback(SELINUX_CB_LOG, cb);

        /* Don't load policy in the initrd if we don't appear to have
         * it.  For the real root, we check below if we've already
         * loaded policy, and return gracefully.
         */
        if (in_initrd() && access(selinux_path(), F_OK) < 0)
                return 0;

        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        if (r == 0) {
                initialized = !streq(con, "kernel");
                freecon(con);
        }

        /* Make sure we have no fds open while loading the policy and
         * transitioning */
        log_close();

        /* Now load the policy */
        before_load = now(CLOCK_MONOTONIC);
        r = selinux_init_load_policy(&enforce);
        if (r == 0) {
                _cleanup_(mac_selinux_freep) char *label = NULL;
                char timespan[FORMAT_TIMESPAN_MAX];

                mac_selinux_retest();

                /* Transition to the new context */
                r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
                if (r < 0 || !label) {
                        log_open();
                        log_error("Failed to compute init label, ignoring.");
                } else {
                        r = setcon_raw(label);

                        log_open();
                        if (r < 0)
                                log_error("Failed to transition into init label '%s', ignoring.", label);
                }

                after_load = now(CLOCK_MONOTONIC);

                log_info("Successfully loaded SELinux policy in %s.",
                         format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));

                *loaded_policy = true;

        } else {
                log_open();

                if (enforce > 0) {
                        if (!initialized) {
                                log_emergency("Failed to load SELinux policy.");
                                return -EIO;
                        }

                        log_warning("Failed to load new SELinux policy. Continuing with old policy.");
                } else
                        log_debug("Unable to load SELinux policy. Ignoring.");
        }
#endif

        return 0;
}
Commit	Line	Data
c4dcdb9f LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2010 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	7	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	8	the Free Software Foundation; either version 2.1 of the License, or
c4dcdb9f LP	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	14	Lesser General Public License for more details.
c4dcdb9f	15
5430f7f2	16	You should have received a copy of the GNU Lesser General Public License
c4dcdb9f LP	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
c4dcdb9f	20	#include <errno.h>
07630cea LP	21	#include <stdio.h>
07630cea LP	22	#include <unistd.h>
c4dcdb9f	23
349cc4a5	24	#if HAVE_SELINUX
c4dcdb9f LP	25	#include <selinux/selinux.h>
	26	#endif
	27
07630cea	28	#include "log.h"
c4dcdb9f	29	#include "macro.h"
cf0fbc49	30	#include "selinux-setup.h"
07630cea LP	31	#include "selinux-util.h"
07630cea LP	32	#include "string-util.h"
c4dcdb9f	33	#include "util.h"
0b3325e7	34
349cc4a5	35	#if HAVE_SELINUX
82613b14	36	_printf_(2,3)
dbc655d5 LP	37	static int null_log(int type, const char *fmt, ...) {
	38	return 0;
	39	}
f8e9f2cc	40	#endif
dbc655d5	41
8a188de9	42	int mac_selinux_setup(bool *loaded_policy) {
c4dcdb9f	43
349cc4a5	44	#if HAVE_SELINUX
4ab72d6f WW	45	int enforce = 0;
4ab72d6f WW	46	usec_t before_load, after_load;
2ed96880	47	char *con;
4ab72d6f WW	48	int r;
4ab72d6f WW	49	union selinux_callback cb;
68d3acac	50	bool initialized = false;
4ab72d6f WW	51
	52	assert(loaded_policy);
	53
	54	/* Turn off all of SELinux' own logging, we want to do that */
	55	cb.func_log = null_log;
	56	selinux_set_callback(SELINUX_CB_LOG, cb);
	57
	58	/* Don't load policy in the initrd if we don't appear to have
	59	* it. For the real root, we check below if we've already
	60	* loaded policy, and return gracefully.
	61	*/
	62	if (in_initrd() && access(selinux_path(), F_OK) < 0)
	63	return 0;
	64
	65	/* Already initialized by somebody else? */
	66	r = getcon_raw(&con);
	67	if (r == 0) {
4ab72d6f WW	68	initialized = !streq(con, "kernel");
4ab72d6f WW	69	freecon(con);
4ab72d6f WW	70	}
	71
	72	/* Make sure we have no fds open while loading the policy and
	73	* transitioning */
	74	log_close();
	75
	76	/* Now load the policy */
	77	before_load = now(CLOCK_MONOTONIC);
	78	r = selinux_init_load_policy(&enforce);
	79	if (r == 0) {
710a6b50	80	_cleanup_(mac_selinux_freep) char *label = NULL;
4ab72d6f	81	char timespan[FORMAT_TIMESPAN_MAX];
4ab72d6f	82
6baa7db0	83	mac_selinux_retest();
4ab72d6f WW	84
4ab72d6f WW	85	/* Transition to the new context */
cc56fafe	86	r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
710a6b50	87	if (r < 0 \|\| !label) {
4ab72d6f WW	88	log_open();
	89	log_error("Failed to compute init label, ignoring.");
	90	} else {
a1d2de07	91	r = setcon_raw(label);
4ab72d6f WW	92
	93	log_open();
	94	if (r < 0)
	95	log_error("Failed to transition into init label '%s', ignoring.", label);
4ab72d6f WW	96	}
	97
	98	after_load = now(CLOCK_MONOTONIC);
	99
	100	log_info("Successfully loaded SELinux policy in %s.",
	101	format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
	102
	103	*loaded_policy = true;
	104
	105	} else {
	106	log_open();
	107
	108	if (enforce > 0) {
68d3acac	109	if (!initialized) {
cb6531be	110	log_emergency("Failed to load SELinux policy.");
68d3acac WW	111	return -EIO;
	112	}
	113
	114	log_warning("Failed to load new SELinux policy. Continuing with old policy.");
4ab72d6f WW	115	} else
	116	log_debug("Unable to load SELinux policy. Ignoring.");
	117	}
c4dcdb9f LP	118	#endif
c4dcdb9f LP	119
4ab72d6f	120	return 0;
c4dcdb9f	121	}