Use selabel interfaces instead of matchpathcon

This replaces the old matchpathcon interfaces with the new selabel
interfaces for relabeling files, storing an selabel handle in the
transaction set.

With this change, also comes an added distinction between --nocontexts
being specified and a failure to read the load file contexts.
Previously, there was no distinction, and both cases used the
RPMTRANS_FLAG_NOCONTEXTS flag.

However, with the new policy plugin, it is necessary to make such a
distinction. This is because matchpathcon_init (now selabel interfaces)
can fail at the beginning of the transaction, but succeed later after
new policy is installed. Because of this, we may need to enable/disable
RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
could also mean --nocontexts, we cannot do that. By storing the selabel
handle in the rpmts, we can easily keep track if the handle has been
successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
with two meanings.

diff --git a/configure.ac b/configure.ac
index a33d8be..c593b6c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -577,6 +577,19 @@ AS_IF([test "$with_selinux" = yes],[
   ],[
     AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
   ])
+
+  AC_CHECK_HEADER([selinux/label.h],[
+    save_LIBS="$LIBS"
+    AC_CHECK_LIB([selinux],[selabel_close],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_close not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_lookup_raw],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_lookup_raw not found in libselinux])])
+    AC_CHECK_LIB([selinux],[selabel_open],[],[
+      AC_MSG_ERROR([--with-selinux given, but selabel_open not found in libselinux])])
+    LIBS="$save_LIBS"
+  ],[
+    AC_MSG_ERROR([--with-selinux given, but selinux/label.h not found])
+  ])
 ])
 
 AS_IF([test "$with_selinux" = yes],[

diff --git a/lib/fsm.c b/lib/fsm.c
index 1a345fb..d1e0adb 100644 (file)
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -693,10 +693,10 @@ static int fsmMapFContext(FSM_t fsm)
      * Find file security context (if not disabled).
      */
     fsm->fcontext = NULL;
-    if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
+    if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
        security_context_t scon = NULL;
 
-       if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 && scon != NULL) {
+       if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 && scon != NULL) {
            fsm->fcontext = scon;
        }
     }
@@ -1263,8 +1263,8 @@ static int fsmMkdirs(FSM_t fsm)
                if (!rc) {
                    /* XXX FIXME? only new dir will have context set. */
                    /* Get file security context from patterns. */
-                   if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-                       if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 &&
+                   if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
+                       if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 &&
                            scon != NULL) {
                            fsm->fcontext = scon;
                            rc = fsmLsetfcon(fsm);

diff --git a/lib/rpmts.c b/lib/rpmts.c
index 506742e..d225f83 100644 (file)
--- a/lib/rpmts.c
+++ b/lib/rpmts.c
@@ -688,6 +688,49 @@ void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd)
     }
 }
 
+struct selabel_handle * rpmtsSELabelHandle(rpmts ts)
+{
+#if WITH_SELINUX
+    if (ts != NULL) {
+       return ts->selabelHandle;
+    }
+#endif
+    return NULL;
+}
+
+rpmRC rpmtsSELabelInit(rpmts ts, const char *path)
+{
+#if WITH_SELINUX
+    if (ts == NULL || path == NULL) {
+       return RPMRC_FAIL;
+    }
+
+    struct selinux_opt opts[] = {
+       {SELABEL_OPT_PATH, path}
+    };
+
+    if (ts->selabelHandle) {
+       rpmtsSELabelFini(ts);
+    }
+    ts->selabelHandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
+
+    if (!ts->selabelHandle) {
+       return RPMRC_FAIL;
+    }
+#endif
+    return RPMRC_OK;
+}
+
+void rpmtsSELabelFini(rpmts ts)
+{
+#if WITH_SELINUX
+    if (ts && ts->selabelHandle) {
+       selabel_close(ts->selabelHandle);
+       ts->selabelHandle = NULL;
+    }
+#endif
+}
+
 rpm_tid_t rpmtsGetTid(rpmts ts)
 {
     rpm_tid_t tid = (rpm_tid_t)-1;  /* XXX -1 is time(2) error return. */
@@ -906,6 +949,8 @@ rpmts rpmtsCreate(void)
     ts->rootDir = NULL;
     ts->keyring = NULL;
 
+    ts->selabelHandle = NULL;
+
     ts->nrefs = 0;
 
     ts->plugins = rpmpluginsNew(ts);

diff --git a/lib/rpmts.h b/lib/rpmts.h
index 50fdd01..a3d1cf6 100644 (file)
--- a/lib/rpmts.h
+++ b/lib/rpmts.h
@@ -390,6 +390,27 @@ FD_t rpmtsScriptFd(rpmts ts);
 void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
 
 /** \ingroup rpmts
+ * Get the selabel handle from the transaction set
+ * @param ts           transaction set
+ * @return             rpm selabel handle, or NULL if it hasn't been initialized yet
+ */
+struct selabel_handle * rpmtsSELabelHandle(rpmts ts);
+
+/** \ingroup rpmts
+ * Initialize selabel
+ * @param ts           transaction set
+ * @param path         path to contexts file
+ * @return             RPMRC_OK on success, RPMRC_FAIL otherwise
+ */
+rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
+
+/** \ingroup rpmts
+ * Clean up selabel
+ * @param ts           transaction set
+ */
+void rpmtsSELabelFini(rpmts ts);
+
+/** \ingroup rpmts
  * Get transaction id, i.e. transaction time stamp.
  * @param ts           transaction set
  * @return             transaction id

diff --git a/lib/rpmts_internal.h b/lib/rpmts_internal.h
index 4a4de45..42c3c27 100644 (file)
--- a/lib/rpmts_internal.h
+++ b/lib/rpmts_internal.h
@@ -43,6 +43,8 @@ struct rpmts_s {
 
     tsMembers members;         /*!< Transaction set member info (order etc) */
 
+    struct selabel_handle * selabelHandle;     /*!< Handle to selabel */
+
     char * rootDir;            /*!< Path to top of install tree. */
     char * lockPath;           /*!< Transaction lock path */
     FD_t scriptFd;             /*!< Scriptlet stdout/stderr. */

diff --git a/lib/transaction.c b/lib/transaction.c
index 7e1d42d..e394454 100644 (file)
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1269,11 +1269,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
     }
 
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-       char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
-       if (matchpathcon_init(fn) == -1) {
-           rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
-       }
-       free(fn);
+       rpmtsSELabelInit(ts, selinux_file_context_path());
     }
 
     /* XXX Make sure the database is open RDWR for package install/erase. */
@@ -1292,7 +1288,7 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
 static int rpmtsFinish(rpmts ts)
 {
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-       matchpathcon_fini();
+       rpmtsSELabelFini(ts);
     }
     return rpmChrootSet(NULL);
 }

diff --git a/system.h b/system.h
index e34f6d6..9b23e45 100644 (file)
--- a/system.h
+++ b/system.h
@@ -78,6 +78,7 @@ char * stpncpy(char * dest, const char * src, size_t n);
 
 #if WITH_SELINUX
 #include <selinux/selinux.h>
+#include <selinux/label.h>
 #else
 typedef        char * security_context_t;
 
@@ -92,6 +93,10 @@ typedef      char * security_context_t;
 #define matchpathcon_fini()                    (0)
 #define matchpathcon(_fn, _fm, _c)             (-1)
 
+#define selabel_lookup_raw(_hnd, _scon, _key,_type)    (-1)
+
+#define selinux_file_context_path() (0)
+
 #define rpm_execcon(_v, _fn, _av, _envp)       (0)
 #endif