],[
AC_MSG_ERROR([--with-selinux given, but selinux/selinux.h not found])
])
+
+ AC_CHECK_HEADER([selinux/label.h],[
+ save_LIBS="$LIBS"
+ AC_CHECK_LIB([selinux],[selabel_close],[],[
+ AC_MSG_ERROR([--with-selinux given, but selabel_close not found in libselinux])])
+ AC_CHECK_LIB([selinux],[selabel_lookup_raw],[],[
+ AC_MSG_ERROR([--with-selinux given, but selabel_lookup_raw not found in libselinux])])
+ AC_CHECK_LIB([selinux],[selabel_open],[],[
+ AC_MSG_ERROR([--with-selinux given, but selabel_open not found in libselinux])])
+ LIBS="$save_LIBS"
+ ],[
+ AC_MSG_ERROR([--with-selinux given, but selinux/label.h not found])
+ ])
])
AS_IF([test "$with_selinux" = yes],[
* Find file security context (if not disabled).
*/
fsm->fcontext = NULL;
- if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
+ if (ts != NULL && !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
security_context_t scon = NULL;
- if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 && scon != NULL) {
+ if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 && scon != NULL) {
fsm->fcontext = scon;
}
}
if (!rc) {
/* XXX FIXME? only new dir will have context set. */
/* Get file security context from patterns. */
- if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- if (matchpathcon(fsm->path, st->st_mode, &scon) == 0 &&
+ if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsSELabelHandle(ts)) {
+ if (selabel_lookup_raw(rpmtsSELabelHandle(ts), &scon, fsm->path, st->st_mode) == 0 &&
scon != NULL) {
fsm->fcontext = scon;
rc = fsmLsetfcon(fsm);
}
}
+struct selabel_handle * rpmtsSELabelHandle(rpmts ts)
+{
+#if WITH_SELINUX
+ if (ts != NULL) {
+ return ts->selabelHandle;
+ }
+#endif
+ return NULL;
+}
+
+rpmRC rpmtsSELabelInit(rpmts ts, const char *path)
+{
+#if WITH_SELINUX
+ if (ts == NULL || path == NULL) {
+ return RPMRC_FAIL;
+ }
+
+ struct selinux_opt opts[] = {
+ {SELABEL_OPT_PATH, path}
+ };
+
+ if (ts->selabelHandle) {
+ rpmtsSELabelFini(ts);
+ }
+ ts->selabelHandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
+
+ if (!ts->selabelHandle) {
+ return RPMRC_FAIL;
+ }
+#endif
+ return RPMRC_OK;
+}
+
+void rpmtsSELabelFini(rpmts ts)
+{
+#if WITH_SELINUX
+ if (ts && ts->selabelHandle) {
+ selabel_close(ts->selabelHandle);
+ ts->selabelHandle = NULL;
+ }
+#endif
+}
+
rpm_tid_t rpmtsGetTid(rpmts ts)
{
rpm_tid_t tid = (rpm_tid_t)-1; /* XXX -1 is time(2) error return. */
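Review bot: The selabel handle stored in the transaction set is released only by rpmtsSELabelFini, and within this diff that is called solely from rpmtsFinish in transaction.c, so a transaction set that goes through rpmtsSetup but is freed without reaching rpmtsFinish (an error path, for instance) keeps the handle open unless rpmtsFree, which is not part of this diff, also closes it. If it does not, a `rpmtsSELabelFini(ts);` in rpmtsFree would give the handle the same lifetime as the field this commit adds to rpmts_s. Separately, when WITH_SELINUX is not defined rpmtsSELabelInit returns RPMRC_OK without opening anything, so a caller cannot distinguish "labeling initialized" from "labeling compiled out"; the only signal is rpmtsSELabelHandle returning NULL, which is worth stating in the function's comment. The trailing context lines belong to rpmtsGetTid, whose body continues outside the hunk.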
ts->rootDir = NULL;
ts->keyring = NULL;
+ ts->selabelHandle = NULL;
+
ts->nrefs = 0;
ts->plugins = rpmpluginsNew(ts);
void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
/** \ingroup rpmts
+ * Get the selabel handle from the transaction set
+ * @param ts transaction set
+ * @return rpm selabel handle, or NULL if it hasn't been initialized yet
+ */
+struct selabel_handle * rpmtsSELabelHandle(rpmts ts);
+
+/** \ingroup rpmts
+ * Initialize selabel
+ * @param ts transaction set
+ * @param path path to contexts file
+ * @return RPMRC_OK on success, RPMRC_FAIL otherwise
+ */
+rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
+
+/** \ingroup rpmts
+ * Clean up selabel
+ * @param ts transaction set
+ */
+void rpmtsSELabelFini(rpmts ts);
+
+/** \ingroup rpmts
* Get transaction id, i.e. transaction time stamp.
* @param ts transaction set
* @return transaction id
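Review bot: The comments on the three new declarations leave out the ownership and re-initialization rules that rpmts.c implements: the handle returned by rpmtsSELabelHandle is owned by the transaction set and must not be passed to selabel_close by the caller (rpmtsSELabelFini does that), rpmtsSELabelInit closes any handle already present before opening a new one and returns RPMRC_FAIL for a NULL ts or path, and in a build without SELinux support it returns RPMRC_OK while no handle exists. Suggested @return for rpmtsSELabelHandle: `rpm selabel handle owned by the transaction set (do not close it), or NULL if it hasn't been initialized yet or SELinux support is compiled out`. For rpmtsSELabelInit, add `Any previously opened handle is closed first. Returns RPMRC_OK without opening a handle when built without SELinux support.` and note that path must not be NULL.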
tsMembers members; /*!< Transaction set member info (order etc) */
+ struct selabel_handle * selabelHandle; /*!< Handle to selabel */
+
char * rootDir; /*!< Path to top of install tree. */
char * lockPath; /*!< Transaction lock path */
FD_t scriptFd; /*!< Scriptlet stdout/stderr. */
}
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
- if (matchpathcon_init(fn) == -1) {
- rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
- }
- free(fn);
+ rpmtsSELabelInit(ts, selinux_file_context_path());
}
/* XXX Make sure the database is open RDWR for package install/erase. */
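Review bot: The return value of rpmtsSELabelInit is discarded on the replaced line, whereas the removed code set RPMTRANS_FLAG_NOCONTEXTS when matchpathcon_init failed; with the new code a failed selabel_open leaves the handle NULL, the `rpmtsSELabelHandle(ts)` guards added in fsm.c then silently skip labeling, and files are installed without an SELinux context with nothing recording that this happened. Keeping the old behaviour needs only `if (rpmtsSELabelInit(ts, selinux_file_context_path()) != RPMRC_OK) rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));`, ideally together with a log message so the missing labels are diagnosable. The removed lines also honoured the `%{?_install_file_context_path}` macro as the contexts file; if that override is still meant to be supported, the path passed here should come from rpmGetPath as before, falling back to selinux_file_context_path() when the macro expands to nothing. The enclosing function starts outside the hunk.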
static int rpmtsFinish(rpmts ts)
{
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- matchpathcon_fini();
+ rpmtsSELabelFini(ts);
}
return rpmChrootSet(NULL);
}
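Review bot: rpmtsSELabelFini is already a no-op when there is no handle (it checks `ts && ts->selabelHandle`), so the RPMTRANS_FLAG_NOCONTEXTS test around it in rpmtsFinish is unnecessary, and it makes releasing the handle depend on the flag being unchanged since rpmtsSetup; were the flag set in between, the handle opened in rpmtsSetup would stay open. Calling `rpmtsSELabelFini(ts);` unconditionally here is simpler and always releases what rpmtsSetup opened.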
#if WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/label.h>
#else
typedef char * security_context_t;
#define matchpathcon_fini() (0)
#define matchpathcon(_fn, _fm, _c) (-1)
+#define selabel_lookup_raw(_hnd, _scon, _key,_type) (-1)
+
+#define selinux_file_context_path() (0)
+
#define rpm_execcon(_v, _fn, _av, _envp) (0)
#endif
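Review bot: The non-SELinux fallback block keeps the `matchpathcon` and `matchpathcon_fini` stubs although the hunks in fsm.c and transaction.c move their only visible callers to selabel_lookup_raw and rpmtsSELabelFini; if no other caller remains, they are dead definitions that should go with this commit. A style nit on the added macro: `#define selabel_lookup_raw(_hnd, _scon, _key, _type) (-1)` — a space after every comma, matching the neighbouring macros.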