if test "$with_selinux" = "yes"; then
SELINUX_LIBS="-lselinux"
AC_DEFINE_UNQUOTED([HAVE_SELINUX], 1, [whether basic SELinux functionality is available])
+ dnl We prefer to use <selinux/label.h> and selabel_open, but can fall
+ dnl back to matchpathcon for the sake of RHEL 5's version of libselinux.
+ AC_CHECK_HEADERS([selinux/label.h])
fi
AM_CONDITIONAL([HAVE_SELINUX], [test "$with_selinux" != "no"])
AC_SUBST([SELINUX_CFLAGS])
*/
#include <config.h>
#include <selinux/selinux.h>
-#include <selinux/label.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#if HAVE_SELINUX_LABEL_H
+# include <selinux/label.h>
+#endif
#include "security_driver.h"
#include "security_selinux.h"
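Review bot: `#if HAVE_SELINUX_LABEL_H` relies on an undefined macro evaluating to zero when the header is absent, which is legal but trips `-Wundef`; as far as I know AC_CHECK_HEADERS defines HAVE_SELINUX_LABEL_H to 1 or leaves it undefined, so `#ifdef HAVE_SELINUX_LABEL_H` mirrors the generated config.h more directly. The same guard is reused inside getContext in the following hunk, so whichever spelling is chosen should be applied in both places. If the project consistently uses `#if` for other HAVE_* macros, keeping `#if` for consistency is reasonable, but that convention is not visible from this hunk.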
return 0;
}
+/* Set fcon to the appropriate label for path and mode, or return -1. */
+static int
+getContext(const char *newpath, mode_t mode, security_context_t *fcon)
+{
+#if HAVE_SELINUX_LABEL_H
+ struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ int ret;
+
+ if (handle == NULL)
+ return -1;
+
+ ret = selabel_lookup(handle, fcon, newpath, mode);
+ selabel_close(handle);
+ return ret;
+#else
+ return matchpathcon(newpath, mode, fcon);
+#endif
+}
+
/* This method shouldn't raise errors, since they'll overwrite
* errors that the caller(s) are already dealing with */
{
struct stat buf;
security_context_t fcon = NULL;
- struct selabel_handle *handle = NULL;
int rc = -1;
char *newpath = NULL;
char ebuf[1024];
goto err;
}
- if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
- selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+ if (getContext(newpath, buf.st_mode, &fcon) < 0) {
VIR_WARN("cannot lookup default selinux label for %s", newpath);
} else {
rc = SELinuxSetFilecon(newpath, fcon);
}
err:
- if (handle)
- selabel_close(handle);
freecon(fcon);
VIR_FREE(newpath);
return rc;
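Review bot: getContext opens and closes a fresh selabel handle on every call, so each labelled path re-parses the file_contexts database; if the caller labels many files per run this is worth caching later, though a shared handle would then need serialisation because selabel_open/selabel_lookup are not documented as thread-safe. The `#else` fallback to matchpathcon is, as far as I recall, deprecated upstream and built on lazily initialised process-global state, so its safety under concurrent callers should be confirmed; a comment such as `/* matchpathcon: deprecated, relies on process-global state -- kept only for RHEL 5's libselinux */` would record that trade-off at the fallback. The new doc comment should also state that on success `*fcon` is allocated by libselinux and the caller must release it with freecon(), which the `err:` path here already does; on failure `*fcon` is left untouched, so callers must initialise it to NULL as this one does. The enclosing caller's definition starts outside the hunk.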