[libselinux] Add selinux_check_access function. Needed for passwd, chfn, chsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 20 19:44:53 UTC 2011 

commit a8fa8756a94df25af43a72e28999bf932723de6e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 20 15:44:39 2011 -0400

    Add selinux_check_access function. Needed for passwd, chfn, chsh

 libselinux-rhat.patch |  119 +++++++++++++++++++++++++++++++++++++++++++++++++
 libselinux.spec       |    5 ++-
 2 files changed, 123 insertions(+), 1 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 6fd8710..43559e6 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,3 +1,33 @@
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index d29b0c1..792e68e 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(void);
+ extern const char *selinux_netfilter_context_path(void);
+ extern const char *selinux_path(void);
+ 
++/**
++ * selinux_check_access - Check permissions and perform appropriate auditing.
++ * @scon: source security context
++ * @tcon: target security context
++ * @tclass: target security class string
++ * @perm: requested permissions string, interpreted based on @tclass
++ * @auditdata: auxiliary audit data
++ *
++ * Check the AVC to determine whether the @perm permissions are granted
++ * for the SID pair (@scon, @tcon), interpreting the permissions
++ * based on @tclass.
++ * Return %0 if all @perm permissions are granted, -%1 with 
++ * @errno set to %EACCES if any permissions are denied or to another 
++ * value upon other errors.
++ * If auditing or logging is configured the appropriate callbacks will be called
++ * and passed the auditdata field
++ */
++extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata);
++
+ /* Check a permission in the passwd class.
+    Return 0 if granted or -1 otherwise. */
+ extern int selinux_check_passwd_access(access_vector_t requested);
 diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
 index cdbb252..e2a4371 100644
 --- a/libselinux/man/man3/matchpathcon.3
@@ -20,6 +50,29 @@ index cdbb252..e2a4371 100644
  .sp
  .B matchpathcon_fini
  frees the memory allocated by a prior call to
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index f2d9f30..1e36952 100644
+--- a/libselinux/man/man3/security_compute_av.3
++++ b/libselinux/man/man3/security_compute_av.3
+@@ -24,6 +24,8 @@ the SELinux policy database in the kernel.
+ .BI "int security_get_initial_context(const char *" name ", security_context_t
+ "con );
+ .sp
++.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata);
++.sp
+ .BI "int selinux_check_passwd_access(access_vector_t " requested );
+ .sp
+ .BI "int checkPasswdAccess(access_vector_t " requested );
+@@ -74,6 +76,9 @@ source context. It is mainly used by
+ is used to get the context of a kernel initial security identifier specified by 
+ .I name
+ 
++.B selinux_check_access
++is used to check if the source context has the access permission for the specified class on the target context.
++
+ .B selinux_check_passwd_access
+ is used to check for a permission in the
+ .I passwd
 diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
 index 8674e37..89bb4d3 100644
 --- a/libselinux/man/man3/selabel_open.3
@@ -43,6 +96,27 @@ index 8674e37..89bb4d3 100644
  .BR selinux_set_callback (3),
  .BR selinux (8)
 -
+diff --git a/libselinux/man/man3/selinux_check_access.3 b/libselinux/man/man3/selinux_check_access.3
+new file mode 100644
+index 0000000..a60bca4
+--- /dev/null
++++ b/libselinux/man/man3/selinux_check_access.3
+@@ -0,0 +1 @@
++.so man3/security_compute_av.3
+diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
+index 74591b4..e7ad31d 100644
+--- a/libselinux/src/avc.c
++++ b/libselinux/src/avc.c
+@@ -165,6 +165,9 @@ int avc_init(const char *prefix,
+ 	struct avc_node *new;
+ 	int i, rc = 0;
+ 
++	if (avc_running)
++		return 0;
++
+ 	if (prefix)
+ 		strncpy(avc_prefix, prefix, AVC_PREFIX_SIZE - 1);
+ 
 diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
 index b245364..7c47222 100644
 --- a/libselinux/src/callbacks.c
@@ -55,6 +129,51 @@ index b245364..7c47222 100644
  	va_start(ap, fmt);
  	rc = vfprintf(stderr, fmt, ap);
  	va_end(ap);
+diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
+index c1982c7..37ccc15 100644
+--- a/libselinux/src/checkAccess.c
++++ b/libselinux/src/checkAccess.c
+@@ -4,8 +4,40 @@
+ #include <errno.h>
+ #include "selinux_internal.h"
+ #include <selinux/flask.h>
++#include <selinux/avc.h>
+ #include <selinux/av_permissions.h>
+ 
++static pthread_once_t once = PTHREAD_ONCE_INIT;
++
++static void avc_init_once(void)
++{
++	avc_open(NULL, 0);
++}
++
++int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
++	int status = -1;
++	int rc = -1;
++	security_id_t scon_id;
++	security_id_t tcon_id;
++	security_class_t sclass;
++	access_vector_t av;
++
++	if (is_selinux_enabled() == 0)
++		return 0;
++
++	__selinux_once(once, avc_init_once);
++
++	if ((rc = avc_context_to_sid(scon, &scon_id)) < 0)  return rc;
++
++	if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0)  return rc;
++
++	if ((sclass = string_to_security_class(class)) == 0) return status;
++
++	if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
++
++	return (avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
++}
++
+ int selinux_check_passwd_access(access_vector_t requested)
+ {
+ 	int status = -1;
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
 index 3b8346d..02f3f98 100644
 --- a/libselinux/src/label_file.c
diff --git a/libselinux.spec b/libselinux.spec
index fb4c1e5..e46ab06 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -7,7 +7,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@@ -231,6 +231,9 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Wed Oct 19 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-3
+- Add selinux_check_access function. Needed for passwd, chfn, chsh
+
 * Thu Sep 22 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-2
 - Handle situation where selinux=0 passed to the kernel and both /selinux and

More information about the scm-commits mailing list