[Rpm-maint] [PATCH] Use setexecfilecon() from libselinux instead of ad-hoc code

Guillem Jover guillem at hadrons.org
Thu Jan 15 16:01:48 UTC 2015


This function was factored out of rpm_execcon() upstream so that callers
can reuse it more easily: it sets up the exec context without calling
execve() itself. It is also used by dpkg since 1.17.11.

Preserve the ad-hoc code for now so that it can be compiled against old
libselinux versions.
---
 configure.ac      |  2 ++
 plugins/selinux.c | 15 ++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index cbb869f..1c8116a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -631,6 +631,8 @@ AS_IF([test "$with_selinux" = yes],[
       AC_MSG_ERROR([--with-selinux given, but selinux_getpolicytype not found in libselinux])])
     AC_CHECK_LIB([selinux],[selinux_reset_config],[],[
       AC_MSG_ERROR([--with-selinux given, but selinux_reset_config not found in libselinux])])
+    AC_CHECK_LIB([selinux],[setexecfilecon],[
+      AC_DEFINE([HAVE_SETEXECFILECON],[1],[Define to 1 if SELinux setexecfilecon is present])])
     LIBS="$save_LIBS"
   ],[
     AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
diff --git a/plugins/selinux.c b/plugins/selinux.c
index 77083ed..ea6853b 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -91,9 +91,10 @@ static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
 						 const char *path, int type)
 {
     rpmRC rc = RPMRC_FAIL;
+    int xx;
+#ifndef HAVE_SETEXECFILECON
     security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
     context_t con = NULL;
-    int xx;
 
     if (sehandle == NULL)
 	return RPMRC_OK;
@@ -136,6 +137,18 @@ exit:
     /* If selinux is not enforcing, we don't care either */
     if (rc && security_getenforce() < 1)
 	rc = RPMRC_OK;
+#else
+    if (sehandle == NULL)
+	return RPMRC_OK;
+
+    if ((xx = setexecfilecon(path, "rpm_script_t") == 0))
+	rc = RPMRC_OK;
+
+    if (rpmIsDebug()) {
+	rpmlog(RPMLOG_DEBUG, "setexecfilecon: (%s) %s\n",
+	       path, (xx < 0 ? strerror(errno) : ""));
+    }
+#endif
 
     return rc;
 }
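Review bot: The assignment in `if ((xx = setexecfilecon(path, "rpm_script_t") == 0))` parses as `xx = (setexecfilecon(...) == 0)` because `==` binds tighter than `=`, so `xx` is only ever 0 or 1; `rc` still ends up right by accident, but the `xx < 0 ? strerror(errno) : ""` in the debug log can never print the failure reason. The new `#else` branch also drops the permissive-mode fallback the ad-hoc branch keeps on the `security_getenforce() < 1` line, so a failed `setexecfilecon()` now fails the scriptlet even when SELinux is not enforcing, which is a behaviour change the description does not mention. Note that `errno` may be clobbered by `security_getenforce()` and `rpmIsDebug()` before `strerror()` reads it, so the failure should be captured right after the call if the log text is meant to be reliable. The start of `selinux_scriptlet_fork_post` lies outside this hunk; the duplicated `sehandle == NULL` check in both branches could be hoisted above the `#ifndef` there.
```c
    xx = setexecfilecon(path, "rpm_script_t");
    if (xx == 0)
	rc = RPMRC_OK;

    /* Same policy as the ad-hoc branch: permissive mode is not a failure */
    if (rc && security_getenforce() < 1)
	rc = RPMRC_OK;
    /* … unchanged: rpmIsDebug() logging … */
```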
-- 
2.2.1.209.g41e5f3a


