|
Packit Service |
102278 |
/* Copyright (C) 2005 Red Hat, Inc. */
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
struct semanage_seuser;
|
|
Packit Service |
102278 |
struct semanage_seuser_key;
|
|
Packit Service |
102278 |
typedef struct semanage_seuser_key record_key_t;
|
|
Packit Service |
102278 |
typedef struct semanage_seuser record_t;
|
|
Packit Service |
102278 |
#define DBASE_RECORD_DEFINED
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
#include <sepol/policydb.h>
|
|
Packit Service |
102278 |
#include <sepol/context.h>
|
|
Packit Service |
102278 |
#include <libaudit.h>
|
|
Packit Service |
102278 |
#include <errno.h>
|
|
Packit Service |
102278 |
#include "user_internal.h"
|
|
Packit Service |
102278 |
#include "seuser_internal.h"
|
|
Packit Service |
102278 |
#include "handle.h"
|
|
Packit Service |
102278 |
#include "database.h"
|
|
Packit Service |
102278 |
#include "debug.h"
|
|
Packit Service |
102278 |
#include "string.h"
|
|
Packit Service |
102278 |
#include <stdlib.h>
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) {
|
|
Packit Service |
102278 |
char *roles = NULL;
|
|
Packit Service |
102278 |
unsigned int num_roles;
|
|
Packit Service |
102278 |
size_t i;
|
|
Packit Service |
102278 |
size_t size = 0;
|
|
Packit Service |
102278 |
const char **roles_arr;
|
|
Packit Service |
102278 |
semanage_user_key_t *key = NULL;
|
|
Packit Service |
102278 |
semanage_user_t * user;
|
|
Packit Service |
102278 |
if (semanage_user_key_create(handle, sename, &key) >= 0) {
|
|
Packit Service |
102278 |
if (semanage_user_query(handle, key, &user) >= 0) {
|
|
Packit Service |
102278 |
if (semanage_user_get_roles(handle,
|
|
Packit Service |
102278 |
user,
|
|
Packit Service |
102278 |
&roles_arr,
|
|
Packit Service |
102278 |
&num_roles) >= 0) {
|
|
Packit Service |
102278 |
for (i = 0; i
|
|
Packit Service |
102278 |
size += (strlen(roles_arr[i]) + 1);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (num_roles == 0) {
|
|
Packit Service |
102278 |
roles = strdup("");
|
|
Packit Service |
102278 |
} else {
|
|
Packit Service |
102278 |
roles = malloc(size);
|
|
Packit Service |
102278 |
if (roles) {
|
|
Packit Service |
102278 |
strcpy(roles,roles_arr[0]);
|
|
Packit Service |
102278 |
for (i = 1; i
|
|
Packit Service |
102278 |
strcat(roles,",");
|
|
Packit Service |
102278 |
strcat(roles,roles_arr[i]);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
semanage_user_free(user);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
semanage_user_key_free(key);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
return roles;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
static int semanage_seuser_audit(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const semanage_seuser_t * seuser,
|
|
Packit Service |
102278 |
const semanage_seuser_t * previous,
|
|
Packit Service |
102278 |
int audit_type,
|
|
Packit Service |
102278 |
int success) {
|
|
Packit Service |
102278 |
const char *name = NULL;
|
|
Packit Service |
102278 |
const char *sename = NULL;
|
|
Packit Service |
102278 |
char *roles = NULL;
|
|
Packit Service |
102278 |
const char *mls = NULL;
|
|
Packit Service |
102278 |
const char *psename = NULL;
|
|
Packit Service |
102278 |
const char *pmls = NULL;
|
|
Packit Service |
102278 |
char *proles = NULL;
|
|
Packit Service |
102278 |
char msg[1024];
|
|
Packit Service |
102278 |
const char *sep = "-";
|
|
Packit Service |
102278 |
int rc = -1;
|
|
Packit Service |
102278 |
strcpy(msg, "login");
|
|
Packit Service |
102278 |
if (previous) {
|
|
Packit Service |
102278 |
name = semanage_seuser_get_name(previous);
|
|
Packit Service |
102278 |
psename = semanage_seuser_get_sename(previous);
|
|
Packit Service |
102278 |
pmls = semanage_seuser_get_mlsrange(previous);
|
|
Packit Service |
102278 |
proles = semanage_user_roles(handle, psename);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (seuser) {
|
|
Packit Service |
102278 |
name = semanage_seuser_get_name(seuser);
|
|
Packit Service |
102278 |
sename = semanage_seuser_get_sename(seuser);
|
|
Packit Service |
102278 |
mls = semanage_seuser_get_mlsrange(seuser);
|
|
Packit Service |
102278 |
roles = semanage_user_roles(handle, sename);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (audit_type != AUDIT_ROLE_REMOVE) {
|
|
Packit Service |
102278 |
if (sename && (!psename || strcmp(psename, sename) != 0)) {
|
|
Packit Service |
102278 |
strcat(msg,sep);
|
|
Packit Service |
102278 |
strcat(msg,"sename");
|
|
Packit Service |
102278 |
sep = ",";
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (roles && (!proles || strcmp(proles, roles) != 0)) {
|
|
Packit Service |
102278 |
strcat(msg,sep);
|
|
Packit Service |
102278 |
strcat(msg,"role");
|
|
Packit Service |
102278 |
sep = ",";
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (mls && (!pmls || strcmp(pmls, mls) != 0)) {
|
|
Packit Service |
102278 |
strcat(msg,sep);
|
|
Packit Service |
102278 |
strcat(msg,"range");
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int fd = audit_open();
|
|
Packit Service |
102278 |
if (fd < 0)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
/* If kernel doesn't support audit, bail out */
|
|
Packit Service |
102278 |
if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) {
|
|
Packit Service |
102278 |
rc = 0;
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
rc = fd;
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
audit_log_semanage_message(fd, audit_type, NULL, msg, name, 0, sename, roles, mls, psename, proles, pmls, NULL, NULL,NULL, success);
|
|
Packit Service |
102278 |
rc = 0;
|
|
Packit Service |
102278 |
err:
|
|
Packit Service |
102278 |
audit_close(fd);
|
|
Packit Service |
102278 |
free(roles);
|
|
Packit Service |
102278 |
free(proles);
|
|
Packit Service |
102278 |
return rc;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_modify_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const semanage_seuser_key_t * key,
|
|
Packit Service |
102278 |
const semanage_seuser_t * data)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
int rc;
|
|
Packit Service |
102278 |
void *callback = (void *) handle->msg_callback;
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
const char *sename = semanage_seuser_get_sename(data);
|
|
Packit Service |
102278 |
const char *mls_range = semanage_seuser_get_mlsrange(data);
|
|
Packit Service |
102278 |
semanage_seuser_t *previous = NULL;
|
|
Packit Service |
102278 |
semanage_seuser_t *new = NULL;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
if (!sename) {
|
|
Packit Service |
102278 |
errno=EINVAL;
|
|
Packit Service |
102278 |
return -1;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
rc = semanage_seuser_clone(handle, data, &new;;
|
|
Packit Service |
102278 |
if (rc < 0) {
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
if (!mls_range && semanage_mls_enabled(handle)) {
|
|
Packit Service |
102278 |
semanage_user_key_t *ukey = NULL;
|
|
Packit Service |
102278 |
semanage_user_t *u = NULL;
|
|
Packit Service |
102278 |
rc = semanage_user_key_create(handle, sename, &ukey);
|
|
Packit Service |
102278 |
if (rc < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
rc = semanage_user_query(handle, ukey, &u);
|
|
Packit Service |
102278 |
semanage_user_key_free(ukey);
|
|
Packit Service |
102278 |
if (rc >= 0 ) {
|
|
Packit Service |
102278 |
mls_range = semanage_user_get_mlsrange(u);
|
|
Packit Service |
102278 |
rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
|
|
Packit Service |
102278 |
semanage_user_free(u);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
if (rc < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
handle->msg_callback = NULL;
|
|
Packit Service |
102278 |
(void) semanage_seuser_query(handle, key, &previous);
|
|
Packit Service |
102278 |
handle->msg_callback = callback;
|
|
Packit Service |
102278 |
rc = dbase_modify(handle, dconfig, key, new);
|
|
Packit Service |
102278 |
if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
|
|
Packit Service |
102278 |
rc = -1;
|
|
Packit Service |
102278 |
err:
|
|
Packit Service |
102278 |
if (previous)
|
|
Packit Service |
102278 |
semanage_seuser_free(previous);
|
|
Packit Service |
102278 |
semanage_seuser_free(new);
|
|
Packit Service |
102278 |
return rc;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_del_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const semanage_seuser_key_t * key)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
int rc;
|
|
Packit Service |
102278 |
semanage_seuser_t *seuser = NULL;
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
rc = dbase_del(handle, dconfig, key);
|
|
Packit Service |
102278 |
semanage_seuser_query(handle, key, &seuser);
|
|
Packit Service |
102278 |
if (semanage_seuser_audit(handle, NULL, seuser, AUDIT_ROLE_REMOVE, rc == 0) < 0)
|
|
Packit Service |
102278 |
rc = -1;
|
|
Packit Service |
102278 |
if (seuser)
|
|
Packit Service |
102278 |
semanage_seuser_free(seuser);
|
|
Packit Service |
102278 |
return rc;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_query_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const semanage_seuser_key_t * key,
|
|
Packit Service |
102278 |
semanage_seuser_t ** response)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
return dbase_query(handle, dconfig, key, response);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_exists_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const semanage_seuser_key_t * key,
|
|
Packit Service |
102278 |
int *response)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
return dbase_exists(handle, dconfig, key, response);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_count_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
unsigned int *response)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
return dbase_count(handle, dconfig, response);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_iterate_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
int (*handler) (const semanage_seuser_t *
|
|
Packit Service |
102278 |
record, void *varg),
|
|
Packit Service |
102278 |
void *handler_arg)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
return dbase_iterate(handle, dconfig, handler, handler_arg);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
hidden_def(semanage_seuser_iterate_local)
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int semanage_seuser_list_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
semanage_seuser_t *** records,
|
|
Packit Service |
102278 |
unsigned int *count)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
|
|
Packit Service |
102278 |
return dbase_list(handle, dconfig, records, count);
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
struct validate_handler_arg {
|
|
Packit Service |
102278 |
semanage_handle_t *handle;
|
|
Packit Service |
102278 |
const sepol_policydb_t *policydb;
|
|
Packit Service |
102278 |
};
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
static int validate_handler(const semanage_seuser_t * seuser, void *varg)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
semanage_user_t *user = NULL;
|
|
Packit Service |
102278 |
semanage_user_key_t *key = NULL;
|
|
Packit Service |
102278 |
int exists, mls_ok;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
/* Unpack varg */
|
|
Packit Service |
102278 |
struct validate_handler_arg *arg = (struct validate_handler_arg *)varg;
|
|
Packit Service |
102278 |
semanage_handle_t *handle = arg->handle;
|
|
Packit Service |
102278 |
const sepol_policydb_t *policydb = arg->policydb;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
/* Unpack seuser */
|
|
Packit Service |
102278 |
const char *name = semanage_seuser_get_name(seuser);
|
|
Packit Service |
102278 |
const char *sename = semanage_seuser_get_sename(seuser);
|
|
Packit Service |
102278 |
const char *mls_range = semanage_seuser_get_mlsrange(seuser);
|
|
Packit Service |
102278 |
const char *user_mls_range;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
/* Make sure the (SElinux) user exists */
|
|
Packit Service |
102278 |
if (semanage_user_key_create(handle, sename, &key) < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
if (semanage_user_exists(handle, key, &exists) < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
if (!exists) {
|
|
Packit Service |
102278 |
ERR(handle, "selinux user %s does not exist", sename);
|
|
Packit Service |
102278 |
goto invalid;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
/* Verify that the mls range is valid, and that it's contained
|
|
Packit Service |
102278 |
* within the (SELinux) user mls range. This range is optional */
|
|
Packit Service |
102278 |
if (mls_range && sepol_policydb_mls_enabled(policydb)) {
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
if (semanage_user_query(handle, key, &user) < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
user_mls_range = semanage_user_get_mlsrange(user);
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
if (sepol_mls_check(handle->sepolh, policydb, mls_range) < 0)
|
|
Packit Service |
102278 |
goto invalid;
|
|
Packit Service |
102278 |
if (sepol_mls_contains(handle->sepolh, policydb,
|
|
Packit Service |
102278 |
user_mls_range, mls_range, &mls_ok) < 0)
|
|
Packit Service |
102278 |
goto err;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
if (!mls_ok) {
|
|
Packit Service |
102278 |
ERR(handle, "MLS range %s for Unix user %s "
|
|
Packit Service |
102278 |
"exceeds allowed range %s for SELinux user %s",
|
|
Packit Service |
102278 |
mls_range, name, user_mls_range, sename);
|
|
Packit Service |
102278 |
goto invalid;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
} else if (mls_range) {
|
|
Packit Service |
102278 |
ERR(handle, "MLS is disabled, but MLS range %s "
|
|
Packit Service |
102278 |
"was found for Unix user %s", mls_range, name);
|
|
Packit Service |
102278 |
goto invalid;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
semanage_user_key_free(key);
|
|
Packit Service |
102278 |
semanage_user_free(user);
|
|
Packit Service |
102278 |
return 0;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
err:
|
|
Packit Service |
102278 |
ERR(handle, "could not check if seuser mapping for %s is valid", name);
|
|
Packit Service |
102278 |
semanage_user_key_free(key);
|
|
Packit Service |
102278 |
semanage_user_free(user);
|
|
Packit Service |
102278 |
return -1;
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
invalid:
|
|
Packit Service |
102278 |
if (mls_range)
|
|
Packit Service |
102278 |
ERR(handle, "seuser mapping [%s -> (%s, %s)] is invalid",
|
|
Packit Service |
102278 |
name, sename, mls_range);
|
|
Packit Service |
102278 |
else
|
|
Packit Service |
102278 |
ERR(handle, "seuser mapping [%s -> %s] is invalid",
|
|
Packit Service |
102278 |
name, sename);
|
|
Packit Service |
102278 |
semanage_user_key_free(key);
|
|
Packit Service |
102278 |
semanage_user_free(user);
|
|
Packit Service |
102278 |
return -1;
|
|
Packit Service |
102278 |
}
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
/* This function may not be called outside a transaction, or
|
|
Packit Service |
102278 |
* it will (1) deadlock, because iterate is not reentrant outside
|
|
Packit Service |
102278 |
* a transaction, and (2) be racy, because it makes multiple dbase calls */
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
int hidden semanage_seuser_validate_local(semanage_handle_t * handle,
|
|
Packit Service |
102278 |
const sepol_policydb_t * policydb)
|
|
Packit Service |
102278 |
{
|
|
Packit Service |
102278 |
|
|
Packit Service |
102278 |
struct validate_handler_arg arg;
|
|
Packit Service |
102278 |
arg.handle = handle;
|
|
Packit Service |
102278 |
arg.policydb = policydb;
|
|
Packit Service |
102278 |
return semanage_seuser_iterate_local(handle, validate_handler, &arg;;
|
|
Packit Service |
102278 |
}
|