- enable SELinux (and allow to disable via conditional build)
(bsc#1209515)
+- avoid some extra checks if SELinux is compile-time disabled
-------------------------------------------------------------------
Thu Feb 23 11:14:58 CET 2023 - aschnell@suse.com
#include <dirent.h>
#include <unistd.h>
#include <cerrno>
-#include <stdlib.h>
+#include <cstdlib>
#include <cassert>
#include <algorithm>
bool retval = true;
#ifdef ENABLE_SELINUX
- if (_is_selinux_enabled())
- {
- assert(selabel_handle);
-
- struct stat buf;
- if (stat(name, &buf, AT_SYMLINK_NOFOLLOW))
- {
- y2err("Failed to stat " << fullname() << "/" << name);
- return false;
- }
+ assert(selabel_handle);
- char* con = selabel_handle->selabel_lookup(fullname() + "/" + name, buf.st_mode);
- if (con)
- {
- retval = fsetfilecon(name, con);
- }
- else
- {
- retval = false;
- }
+ struct stat buf;
+ if (stat(name, &buf, AT_SYMLINK_NOFOLLOW))
+ {
+ y2err("Failed to stat " << fullname() << "/" << name);
+ return false;
+ }
- freecon(con);
+ char* con = selabel_handle->selabel_lookup(fullname() + "/" + name, buf.st_mode);
+ if (con)
+ {
+ retval = fsetfilecon(name, con);
}
+ else
+ {
+ retval = false;
+ }
+
+ freecon(con);
#endif
return retval;
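Review bot: With the `_is_selinux_enabled()` guard gone, the added `assert(selabel_handle);` is the only protection before `selabel_handle->selabel_lookup(...)` a few lines later, and `assert` compiles out under NDEBUG, so a null handle passed by a caller becomes a null dereference in release builds. The function already reports failure with `return false`, so a real guard is cheap: `if (!selabel_handle) { y2err("No SELinux label handle for " << fullname() << "/" << name); return false; }` placed right after the assert. The second restorecon hunk below (the one calling `stat(&buf)` and `fsetfilecon(con)`) has the same pattern and should get the same guard. Both functions' signatures and closing braces are outside their hunks; from `infos_dir.restorecon(selabel_handle)` further down I infer these are the SDir restorecon overloads that now take the handle as a parameter.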
bool retval = true;
#ifdef ENABLE_SELINUX
- if (_is_selinux_enabled())
- {
- assert(selabel_handle);
+ assert(selabel_handle);
- struct stat buf;
-
- if (stat(&buf))
- {
- y2err("Failed to stat " << fullname());
- return false;
- }
+ struct stat buf;
- char* con = selabel_handle->selabel_lookup(fullname(), buf.st_mode);
- if (con)
- {
- retval = fsetfilecon(con);
- }
- else
- {
- y2war("can't get proper label for path:" << fullname());
- retval = false;
- }
+ if (stat(&buf))
+ {
+ y2err("Failed to stat " << fullname());
+ return false;
+ }
- freecon(con);
+ char* con = selabel_handle->selabel_lookup(fullname(), buf.st_mode);
+ if (con)
+ {
+ retval = fsetfilecon(con);
}
+ else
+ {
+ y2war("can't get proper label for path:" << fullname());
+ retval = false;
+ }
+
+ freecon(con);
#endif
return retval;
/*
* Copyright (c) [2011-2014] Novell, Inc.
- * Copyright (c) [2020-2022] SUSE LLC
+ * Copyright (c) [2020-2023] SUSE LLC
*
* All Rights Reserved.
*
mount_options.push_back("nouuid");
mount_options.push_back("norecovery");
}
-
-#ifdef ENABLE_SELINUX
- try
- {
- selabel_handle = SelinuxLabelHandle::get_selinux_handle();
- }
- catch (const SelinuxException& e)
- {
- SN_RETHROW(e);
- }
-#endif
-
}
#ifdef ENABLE_SELINUX
if (_is_selinux_enabled())
{
- assert(selabel_handle);
+ SelinuxLabelHandle* selabel_handle = SelinuxLabelHandle::get_selinux_handle();
char* con = NULL;
}
}
#endif
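Review bot: The `SelinuxLabelHandle::get_selinux_handle()` call on the `+` line is no longer wrapped in the try/catch that the removed Lvm constructor hunk above had, so if constructing the handle throws (the new header comment says it likely does when SELinux is not enabled) the exception now surfaces here, during snapshot creation, rather than when the Lvm object is built. That is probably intended, but the code should say so; I'd add above the call `// first use may throw SelinuxException; propagated to the caller`, with the exception type taken from the catch blocks this commit removes. The enclosing function and its callers are outside this hunk, so whether anything upstream handles that exception is unverified here; it is also worth confirming that a compile-time-enabled but runtime-disabled SELinux is fully covered by the surrounding `_is_selinux_enabled()` check, since it no longer fails fast at construction.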
+
createLvmConfig(subvolume_dir, mode);
}
bool time_support = false;
};
- class SelinuxLabelHandle;
class Lvm : public Filesystem
{
const string mount_type;
const LvmCapabilities* caps;
LvmCache* cache;
- SelinuxLabelHandle* selabel_handle = nullptr;
bool detectThinVolumeNames(const MtabData& mtab_data);
void activateSnapshot(const string& vg_name, const string& lv_name) const;
}
-
#endif
/*
* Copyright (c) [2016] Red Hat, Inc.
+ * Copyright (c) 2023 SUSE LLC
*
* All Rights Reserved.
*
else
{
if (errno == ENOENT)
- y2deb("Selinux context not defined for path " << path);
+ y2deb("SELinux context not defined for path " << path);
return NULL;
}
{
selinux_enabled = (is_selinux_enabled() == 1); // may return -1 on error
selinux_checked = true;
- y2mil("Selinux support " << (selinux_enabled ? "enabled" : "disabled"));
+ y2mil("SELinux support " << (selinux_enabled ? "enabled" : "disabled"));
}
return selinux_enabled;
SelinuxLabelHandle*
SelinuxLabelHandle::get_selinux_handle()
{
- if (_is_selinux_enabled())
- {
- static SelinuxLabelHandle handle;
- return &handle;
- }
+ static SelinuxLabelHandle handle;
- return nullptr;
+ return &handle;
}
}
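Review bot: `get_selinux_handle()` now constructs the static handle unconditionally and can no longer return `nullptr`, which silently changes the contract for any caller that used to test the result for null; after this commit the only safety net is that each call site gates on `_is_selinux_enabled()` first. I'd make that explicit in code rather than convention: declare it `[[nodiscard]] static SelinuxLabelHandle* get_selinux_handle();` and state in its comment that the pointer is never null and that the first call may throw. Note also that if the constructor throws, the function-local static is left uninitialised and construction is retried on the next call, so a failure is not cached; a one-line comment such as `// first call constructs the handle; if the constructor throws, the next call retries` would save the next reader from checking the standard.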
class SelinuxLabelHandle : public boost::noncopyable
{
public:
+
+ /**
+ * Will most likely throw if SELinux is not enabled.
+ */
static SelinuxLabelHandle* get_selinux_handle();
char* selabel_lookup(const string& path, int mode);
- ~SelinuxLabelHandle() { selabel_close(handle); }
-
private:
+
SelinuxLabelHandle();
+ ~SelinuxLabelHandle() { selabel_close(handle); }
struct selabel_handle* handle;
};
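Review bot: The new comment `Will most likely throw if SELinux is not enabled.` is too vague to act on: it names neither the exception type nor the condition a caller must check before calling. The catch blocks this commit removes caught `SelinuxException`, so I'd write `/** Returns the process-wide label handle; never nullptr. The first call constructs the handle and throws SelinuxException if that fails, which is expected when SELinux is not enabled, so callers should check _is_selinux_enabled() first. */`. Moving the destructor to `private` is fine for the function-local static inside the static member function, but a short comment such as `// only the static instance in get_selinux_handle() is ever destroyed` would explain the choice.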
/*
* Copyright (c) [2011-2015] Novell, Inc.
- * Copyright (c) [2016-2022] SUSE LLC
+ * Copyright (c) [2016-2023] SUSE LLC
*
* All Rights Reserved.
*
y2mil("libsnapper version " VERSION);
y2mil("config_name:" << config_name << " disable_filters:" << disable_filters);
-#ifdef ENABLE_SELINUX
- try
- {
- selabel_handle = SelinuxLabelHandle::get_selinux_handle();
- }
- catch (const SelinuxException& e)
- {
- SN_RETHROW(e);
- }
-#endif
-
try
{
config_info = new ConfigInfo(config_name, root_prefix);
filesystem = Filesystem::create(*config_info, root_prefix);
- // With btrfs backend, it's useless try syncing snapshot RO subvolumes
- syncSelinuxContexts(filesystem->fstype() == "btrfs");
+#ifdef ENABLE_SELINUX
+ if (_is_selinux_enabled())
+ {
+ SelinuxLabelHandle* selabel_handle = SelinuxLabelHandle::get_selinux_handle();
+
+ // With btrfs backend, it's useless try syncing snapshot RO subvolumes
+ syncSelinuxContexts(selabel_handle, filesystem->fstype() == "btrfs");
+ }
+#endif
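Review bot: The `get_selinux_handle()` call has moved from before the `try` to inside it, after `config_info = new ConfigInfo(...)` and `Filesystem::create(...)`, so if it throws and the catch clauses (outside this hunk) do not handle `SelinuxException`, the exception leaves the constructor with `config_info` and presumably `filesystem` already allocated and no destructor to release them. The removed code rethrew with `SN_RETHROW` before any allocation, so this looks like a new leak path on the error branch unless the handlers below cover it; please check them, and otherwise either move the SELinux block back before the `try` or hold `config_info` in a `std::unique_ptr` so unwinding frees it. The constructor's catch clauses and closing brace are outside this hunk, so I cannot confirm which exceptions they catch.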
bool sync_acl;
if (config_info->get_value(KEY_SYNC_ACL, sync_acl) && sync_acl == true)
void
- Snapper::syncSelinuxContexts(bool skip_snapshot_dir) const
+ Snapper::syncSelinuxContexts(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const
{
#ifdef ENABLE_SELINUX
try
if (infos_dir.restorecon(selabel_handle))
{
- syncSelinuxContextsInInfosDir(skip_snapshot_dir);
+ syncSelinuxContextsInInfosDir(selabel_handle, skip_snapshot_dir);
}
else
{
SnapperContexts scons;
if (infos_dir.fsetfilecon(scons.subvolume_context()))
- syncSelinuxContextsInInfosDir(skip_snapshot_dir);
+ syncSelinuxContextsInInfosDir(selabel_handle, skip_snapshot_dir);
}
}
catch (const SelinuxException& e)
void
- Snapper::syncSelinuxContextsInInfosDir(bool skip_snapshot_dir) const
+ Snapper::syncSelinuxContextsInInfosDir(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const
{
#ifdef ENABLE_SELINUX
static const regex rx("[0-9]+", regex::extended);
/*
* Copyright (c) [2011-2015] Novell, Inc.
- * Copyright (c) [2016-2022] SUSE LLC
+ * Copyright (c) [2016-2023] SUSE LLC
*
* All Rights Reserved.
*
void syncAcl(const vector<uid_t>& uids, const vector<gid_t>& gids) const;
- void syncSelinuxContexts(bool skip_snapshot_dir) const;
- void syncSelinuxContextsInInfosDir(bool skip_snapshot_dir) const;
+ void syncSelinuxContexts(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const;
+ void syncSelinuxContextsInInfosDir(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const;
+
void syncInfoDir(SDir& dir) const;
ConfigInfo* config_info = nullptr;
Snapshots snapshots;
- SelinuxLabelHandle* selabel_handle = nullptr;
+ SelinuxLabelHandle* selabel_handle_unused = nullptr; // TODO remove
};
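Review bot: `selabel_handle_unused` on the last `+` line is kept with only `// TODO remove`, which does not tell the next maintainer why an unused member must stay. Presumably it preserves the class layout of the installed shared library so that callers built against the previous ABI keep working; if so, say it: `SelinuxLabelHandle* selabel_handle_unused = nullptr; // unused; kept only to preserve class layout (ABI), drop on next SONAME bump`. If ABI compatibility is not the concern, removing the member now is simpler than carrying the TODO.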