From: Ivan Kruglov Date: Thu, 10 Jul 2025 13:47:29 +0000 (-0700) Subject: selinux-utils: rename and expose log_selinux_enforcing_errno() X-Git-Tag: v258-rc1~106^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a1cb174f8e5f5d359748ce4f961b289b489ec52;p=thirdparty%2Fsystemd.git selinux-utils: rename and expose log_selinux_enforcing_errno() --- diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index 439494f82b5..f7c4c7d2f8d 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c @@ -41,21 +41,6 @@ static int last_policyload = 0; static struct selabel_handle *label_hnd = NULL; static bool have_status_page = false; -#define log_enforcing(...) \ - log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__) - -#define log_enforcing_errno(error, ...) \ - ({ \ - bool _enforcing = mac_selinux_enforcing(); \ - int _level = _enforcing ? LOG_ERR : LOG_WARNING; \ - int _e = (error); \ - \ - int _r = (log_get_max_level() >= LOG_PRI(_level)) \ - ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \ - : -ERRNO_VALUE(_e); \ - _enforcing ? _r : 0; \ - }) - static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) { return mac_selinux_create_file_prepare_at(dir_fd, path, mode); } @@ -115,7 +100,7 @@ static int open_label_db(void) { hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); if (!hnd) - return log_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m"); + return log_selinux_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m"); if (DEBUG_LOGGING) { after_timestamp = now(CLOCK_MONOTONIC); @@ -160,7 +145,7 @@ static int selinux_init(bool force) { r = selinux_status_open(/* netlink fallback= */ 1); if (r < 0) { if (!ERRNO_IS_PRIVILEGE(errno)) - return log_enforcing_errno(errno, "Failed to open SELinux status page: %m"); + return log_selinux_enforcing_errno(errno, "Failed to open SELinux status page: %m"); log_warning_errno(errno, "selinux_status_open() with netlink fallback failed, not checking for policy reloads: %m"); } else if (r == 1) log_warning("selinux_status_open() failed to open the status page, using the netlink fallback."); @@ -294,7 +279,7 @@ static int selinux_fix_fd( if (errno == ENOENT) return 0; - return log_enforcing_errno(errno, "Unable to lookup intended SELinux security context of %s: %m", label_path); + return log_selinux_enforcing_errno(errno, "Unable to lookup intended SELinux security context of %s: %m", label_path); } if (setfilecon_raw(FORMAT_PROC_FD_PATH(fd), fcon) < 0) { @@ -314,7 +299,7 @@ static int selinux_fix_fd( if (getfilecon_raw(FORMAT_PROC_FD_PATH(fd), &oldcon) >= 0 && streq_ptr(fcon, oldcon)) return 0; - return log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", label_path); + return log_selinux_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", label_path); } return 0; @@ -387,7 +372,7 @@ int mac_selinux_apply(const char *path, const char *label) { assert(label); if (setfilecon(path, label) < 0) - return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path); + return log_selinux_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path); #endif return 0; } @@ -406,7 +391,7 @@ int mac_selinux_apply_fd(int fd, const char *path, const char *label) { assert(label); if (setfilecon(FORMAT_PROC_FD_PATH(fd), label) < 0) - return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path)); + return log_selinux_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path)); #endif return 0; } @@ -584,11 +569,11 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) if (errno == ENOENT) return 0; - return log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath); + return log_selinux_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath); } if (setfscreatecon_raw(filecon) < 0) - return log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath); + return log_selinux_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath); return 0; } @@ -641,7 +626,7 @@ int mac_selinux_create_file_prepare_label(const char *path, const char *label) { return r; if (setfscreatecon_raw(label) < 0) - return log_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path)); + return log_selinux_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path)); #endif return 0; } @@ -670,7 +655,7 @@ int mac_selinux_create_socket_prepare(const char *label) { return r; if (setsockcreatecon(label) < 0) - return log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label); + return log_selinux_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label); #endif return 0; @@ -750,12 +735,12 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { if (errno == ENOENT) goto skipped; - r = log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path); + r = log_selinux_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path); if (r < 0) return r; } else { if (setfscreatecon_raw(fcon) < 0) { - r = log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path); + r = log_selinux_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path); if (r < 0) return r; } else diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h index 1ba1ad1407b..d8df89d79ec 100644 --- a/src/shared/selinux-util.h +++ b/src/shared/selinux-util.h @@ -17,6 +17,21 @@ static inline void freeconp(char **p) { #define _cleanup_freecon_ _cleanup_(freeconp) +#define log_selinux_enforcing(...) \ + log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__) + +#define log_selinux_enforcing_errno(error, ...) \ + ({ \ + bool _enforcing = mac_selinux_enforcing(); \ + int _level = _enforcing ? LOG_ERR : LOG_WARNING; \ + int _e = (error); \ + \ + int _r = (log_get_max_level() >= LOG_PRI(_level)) \ + ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \ + : -ERRNO_VALUE(_e); \ + _enforcing ? _r : 0; \ + }) + bool mac_selinux_use(void); void mac_selinux_retest(void); bool mac_selinux_enforcing(void);