[Rpm-maint] [PATCH 4/6] Use selabel interfaces instead of matchpathcon

Steve Lawrence slawrence at tresys.com
Mon Aug 30 20:32:30 UTC 2010 

This replaces the old matchpathcon interfaces with the new selabel
interfaces for relabeling files, storing an selabel handle in the
transaction set.

With this change, also comes an added distinction between --nocontexts
being specified and a failure to read the load file contexts.
Previously, there was no distinction, and both cases used the
RPMTRANS_FLAG_NOCONTEXTS flag.

However, with the new policy plugin, it is necessary to make such a
distinction. This is because matchpathcon_init (now selabel interfaces)
can fail at the beginning of the transaction, but succeed later after
new policy is installed. Because of this, we may need to enable/disable
RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
could also mean --nocontexts, we cannot do that. By storing the selabel
handle in the rpmts, we can easily keep track if the handle has been
successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
with two meanings.
---
 configure.ac         |   13 +++++++++++++
 lib/fsm.c            |    8 ++++----
 lib/rpmts.c          |   45 +++++++++++++++++++++++++++++++++++++++++++++
 lib/rpmts.h          |   21 +++++++++++++++++++++
 lib/rpmts_internal.h |    2 ++
 lib/transaction.c    |    8 ++------
 system.h             |    7 +++++++
 7 files changed, 94 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index a33d8be..c593b6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -577,6 +577,19 @@ AS_IF([test "$with_selinux" = yes],[
   ],[
     AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
   ])
+
+  AC_CHECK_HEADER([selinux/label.h],[
+    save_LIBS="$LIBS"
+    AC_CHECK_LIB([selinux],[selabel_close],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_close not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_lookup_raw],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_lookup_raw not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_open],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_open not found in libselinux])])
+    LIBS="$save_LIBS"
+  ],[
+    AC_MSG_ERROR([--with-selinux given, but selinux/label.h not found])
+  ])
 ])
 
 AS_IF([test "$with_selinux" = yes],[
diff --git a/lib/fsm.c b/lib/fsm.c
index 1a345fb..2e3771d 100644
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -693,10 +693,10 @@ static int fsmMapFContext(FSM_t fsm)
      * Find file security context (if not disabled).
      */
     fsm->fcontext = NULL;
-    if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
+    if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
 	security_context_t scon = NULL;
 
-	if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 && scon != NULL) {
+	if (selabel_lookup_raw((struct selabel_handle *)rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 && scon != NULL) {
 	    fsm->fcontext = scon;
 	}
     }
@@ -1263,8 +1263,8 @@ static int fsmMkdirs(FSM_t fsm)
 		if (!rc) {
 		    /* XXX FIXME? only new dir will have context set. */
 		    /* Get file security context from patterns. */
-		    if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-			if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 &&
+		    if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
+			if (selabel_lookup_raw((struct selabel_handle *)rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 &&
 			    scon != NULL) {
             		    fsm->fcontext = scon;
 			    rc = fsmLsetfcon(fsm);
diff --git a/lib/rpmts.c b/lib/rpmts.c
index 506742e..8784d74 100644
--- a/lib/rpmts.c
+++ b/lib/rpmts.c
@@ -688,6 +688,49 @@ void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd)
     }
 }
 
+rpm_sehandle_t rpmtsSELabelHandle(rpmts ts)
+{
+#if WITH_SELINUX
+    if (ts != NULL) {
+	return ts->selabelHandle;
+    }
+#endif
+    return NULL;
+}
+
+rpmRC rpmtsSELabelInit(rpmts ts, const char *path)
+{
+#if WITH_SELINUX
+    if (ts == NULL || path == NULL) {
+	return RPMRC_FAIL;
+    }
+
+    struct selinux_opt opts[] = {
+	{SELABEL_OPT_PATH, path}
+    };
+
+    if (ts->selabelHandle) {
+	rpmtsSELabelFini(ts);
+    }
+    ts->selabelHandle = (rpm_sehandle_t)selabel_open(SELABEL_CTX_FILE, opts, 1);
+
+    if (!ts->selabelHandle) {
+	return RPMRC_FAIL;
+    }
+#endif
+    return RPMRC_OK;
+}
+
+void rpmtsSELabelFini(rpmts ts)
+{
+#if WITH_SELINUX
+    if (ts && ts->selabelHandle) {
+	selabel_close((struct selabel_handle *)ts->selabelHandle);
+	ts->selabelHandle = NULL;
+    }
+#endif
+}
+
 rpm_tid_t rpmtsGetTid(rpmts ts)
 {
     rpm_tid_t tid = (rpm_tid_t)-1;  /* XXX -1 is time(2) error return. */
@@ -906,6 +949,8 @@ rpmts rpmtsCreate(void)
     ts->rootDir = NULL;
     ts->keyring = NULL;
 
+    ts->selabelHandle = NULL;
+
     ts->nrefs = 0;
 
     ts->plugins = rpmpluginsNew(ts);
diff --git a/lib/rpmts.h b/lib/rpmts.h
index 50fdd01..d450f45 100644
--- a/lib/rpmts.h
+++ b/lib/rpmts.h
@@ -390,6 +390,27 @@ FD_t rpmtsScriptFd(rpmts ts);
 void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
 
 /** \ingroup rpmts
+ * Get the selabel handle from the transaction set
+ * @param ts		transaction set
+ * @return		rpm selabel handle, or NULL if it hasn't been initialized yet
+ */
+rpm_sehandle_t rpmtsSELabelHandle(rpmts ts);
+
+/** \ingroup rpmts
+ * Initialize selabel
+ * @param ts		transaction set
+ * @param path		path to contexts file
+ * @return		RPMRC_OK on success, RPMRC_FAIL otherwise
+ */
+rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
+
+/** \ingroup rpmts
+ * Clean up selabel
+ * @param ts		transaction set
+ */
+void rpmtsSELabelFini(rpmts ts);
+
+/** \ingroup rpmts
  * Get transaction id, i.e. transaction time stamp.
  * @param ts		transaction set
  * @return		transaction id
diff --git a/lib/rpmts_internal.h b/lib/rpmts_internal.h
index 4a4de45..3df03f7 100644
--- a/lib/rpmts_internal.h
+++ b/lib/rpmts_internal.h
@@ -43,6 +43,8 @@ struct rpmts_s {
 
     tsMembers members;		/*!< Transaction set member info (order etc) */
 
+    rpm_sehandle_t selabelHandle;		/*!< Handle to selabel */
+
     char * rootDir;		/*!< Path to top of install tree. */
     char * lockPath;		/*!< Transaction lock path */
     FD_t scriptFd;		/*!< Scriptlet stdout/stderr. */
diff --git a/lib/transaction.c b/lib/transaction.c
index 7e1d42d..e394454 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1269,11 +1269,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
     }
 
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-	char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
-	if (matchpathcon_init(fn) == -1) {
-	    rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
-	}
-	free(fn);
+	rpmtsSELabelInit(ts, selinux_file_context_path());
     }
 
     /* XXX Make sure the database is open RDWR for package install/erase. */
@@ -1292,7 +1288,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
 static int rpmtsFinish(rpmts ts)
 {
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-	matchpathcon_fini();
+	rpmtsSELabelFini(ts);
     }
     return rpmChrootSet(NULL);
 }
diff --git a/system.h b/system.h
index e34f6d6..94c5253 100644
--- a/system.h
+++ b/system.h
@@ -78,7 +78,10 @@ char * stpncpy(char * dest, const char * src, size_t n);
 
 #if WITH_SELINUX
 #include <selinux/selinux.h>
+#include <selinux/label.h>
+typedef struct selable_handle * rpm_sehandle_t;
 #else
+typedef	void * rpm_sehandle_t;
 typedef	char * security_context_t;
 
 #define	freecon(_c)
@@ -92,6 +95,10 @@ typedef	char * security_context_t;
 #define matchpathcon_fini()			(0)
 #define matchpathcon(_fn, _fm, _c)		(-1)
 
+#define selabel_lookup_raw(_hnd, _scon, _key,_type)	(-1)
+
+#define selinux_file_context_path() (0)
+
 #define rpm_execcon(_v, _fn, _av, _envp)	(0)
 #endif
 
-- 
1.6.2.5

More information about the Rpm-maint mailing list