return NULL;
}
-rpmRC rpmtsSELabelInit(rpmts ts, const char *path)
+rpmRC rpmtsSELabelInit(rpmts ts, int open_status, const char *path)
{
#if WITH_SELINUX
if (ts == NULL || path == NULL) {
return RPMRC_FAIL;
}
+ if (open_status) {
+ selinux_status_close();
+ if (selinux_status_open(0) < 0) {
+ return RPMRC_FAIL;
+ }
+ } else if (!selinux_status_updated() && ts->selabelHandle) {
+ return RPMRC_OK;
+ }
+
struct selinux_opt opts[] = {
{SELABEL_OPT_PATH, path}
};
if (ts->selabelHandle) {
- rpmtsSELabelFini(ts);
+ rpmtsSELabelFini(ts, 0);
}
ts->selabelHandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
return RPMRC_OK;
}
-void rpmtsSELabelFini(rpmts ts)
+void rpmtsSELabelFini(rpmts ts, int close_status)
{
#if WITH_SELINUX
if (ts && ts->selabelHandle) {
selabel_close(ts->selabelHandle);
ts->selabelHandle = NULL;
}
+ if (close_status) {
+ selinux_status_close();
+ }
#endif
}
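Review bot: `selinux_status_open(0)` in the open_status branch of rpmtsSELabelInit disables libselinux's netlink fallback, so on a kernel that does not expose the status page the open fails and, per the new rpmtsSetup code in this same diff, the whole transaction is downgraded to RPMTRANS_FLAG_NOCONTEXTS and files are installed unlabeled where the old code labeled them; if I read the fallback argument right, `if (selinux_status_open(1) < 0) {` keeps those systems working. Separately, the result of `selabel_open` is still never checked: a NULL handle is stored and RPMRC_OK returned, so a missing or malformed contexts file is never reported to the caller; `return ts->selabelHandle ? RPMRC_OK : RPMRC_FAIL;` would surface it. Also note that the early return `else if (!selinux_status_updated() && ts->selabelHandle)` only avoids a stale-status short-circuit because a not-mapped status page yields -1 (truthy) rather than 0, if that is indeed libselinux's contract; a one-line comment saying the -1 case deliberately falls through to a reload would stop a future "fix" from breaking it.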
#ifdef __cplusplus
extern "C" {
#endif
-
+
RPM_GNUC_INTERNAL
tsMembers rpmtsMembers(rpmts ts);
/** \ingroup rpmts
* Initialize selabel
* @param ts transaction set
+ * @param open_status if the func should open selinux status or just check it
* @param path path to contexts file
* @return RPMRC_OK on success, RPMRC_FAIL otherwise
*/
-rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
+rpmRC rpmtsSELabelInit(rpmts ts, int open_status, const char * path);
/** \ingroup rpmts
* Clean up selabel
* @param ts transaction set
+ * @param close_status whether we should close selinux status
*/
-void rpmtsSELabelFini(rpmts ts);
+void rpmtsSELabelFini(rpmts ts, int close_status);
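Review bot: The new `@param open_status` text ("open selinux status or just check it") does not tell a caller what "check" means for the result: with open_status == 0 the function returns RPMRC_OK without touching the label handle whenever the kernel status page reports no change, and that is indistinguishable from a fresh load. Suggest `@param open_status non-zero: (re)open the kernel SELinux status page and reload the contexts; zero: reload only if the status page reports a change since the last call` and, under `@return`, `RPMRC_FAIL if the status page could not be opened (open_status non-zero) or ts/path is NULL`. The `@param close_status` line should likewise say that the status page is shared, so it must be closed only by the final teardown, not by the reload path.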
#ifdef __cplusplus
}
if (rpmtsFlags(ts) & (RPMTRANS_FLAG_JUSTDB | RPMTRANS_FLAG_TEST))
(void) rpmtsSetFlags(ts, (rpmtsFlags(ts) | _noTransScripts | _noTransTriggers | RPMTRANS_FLAG_NOCOLLECTIONS));
- /* if SELinux isn't enabled, init fails or test run, don't bother... */
+ /* if SELinux isn't enabled or it is a test run, don't bother... */
if (!is_selinux_enabled() || (rpmtsFlags(ts) & RPMTRANS_FLAG_TEST)) {
rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
}
- if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- rpmtsSELabelInit(ts, selinux_file_context_path());
+ if (rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) {
+ rpmlog(RPMLOG_DEBUG, "Selinux disabled.\n");
+ } else {
+ if (rpmtsSELabelInit(ts, 1, selinux_file_context_path())) {
+ rpmlog(RPMLOG_WARNING, "Failed to open SELinux handle.\n");
+ rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
+ }
}
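Review bot: The warning emitted when rpmtsSELabelInit fails hides its consequence: setting RPMTRANS_FLAG_NOCONTEXTS here means every file in the transaction is installed without an SELinux label, which an operator should see stated explicitly, e.g. `rpmlog(RPMLOG_WARNING, "Failed to open SELinux handle, files will be installed without SELinux labels.\n");` (appending the errno text would help too, if selinux_status_open sets it — confirm). Also be aware that, as written elsewhere in this diff, rpmtsSELabelInit reports failure only for an unopenable status page or a NULL path; a NULL handle from selabel_open still returns RPMRC_OK, so this branch does not catch a broken contexts file. The enclosing function starts and ends outside the hunk.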
/*
static int rpmtsFinish(rpmts ts)
{
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- rpmtsSELabelFini(ts);
+ rpmtsSELabelFini(ts, 1);
}
return rpmChrootSet(NULL);
}
rpmlog(RPMLOG_DEBUG, "========== +++ %s %s-%s 0x%x\n",
rpmteNEVR(p), rpmteA(p), rpmteO(p), rpmteColor(p));
+ if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
+ rpmtsSELabelInit(ts, 0, selinux_file_context_path());
+ }
+
failed = rpmteProcess(p, rpmteType(p));
if (failed) {
rpmlog(RPMLOG_ERR, "%s: %s %s\n", rpmteNEVRA(p),
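Review bot: The per-element reload `rpmtsSELabelInit(ts, 0, selinux_file_context_path())` discards its return value, unlike the setup path in this diff which downgrades to NOCONTEXTS on failure; today the only reportable failure with open_status == 0 is a NULL contexts path, but should the reload ever report a failed selabel_open, this silent drop would let the element proceed with a NULL handle. Suggest `if (rpmtsSELabelInit(ts, 0, selinux_file_context_path()) != RPMRC_OK) { rpmlog(RPMLOG_WARNING, "Failed to reload SELinux file contexts for %s\n", rpmteNEVRA(p)); }`. A debug-level log when a reload actually happens (status page changed) would also make mislabeling reports easier to diagnose. The enclosing loop and function start and end outside the hunk.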
/* re-init selinux and re-read the files contexts, since things may have changed */
selinux_reset_config();
if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
- if (rpmtsSELabelInit(ts, selinux_file_context_path()) == RPMRC_OK) {
+ if (rpmtsSELabelInit(ts, 0, selinux_file_context_path()) == RPMRC_OK) {
/* if this was the first time installing policy, every package before
* policy was installed will be mislabeled (e.g. semodule). So, relabel
* the entire filesystem if this is the case */
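Review bot: The surrounding comment says the file contexts are re-read here after `selinux_reset_config()`, but with open_status == 0 rpmtsSELabelInit (elsewhere in this diff) returns early when the kernel status page reports no change, so the re-read now only happens if the policy package's scriptlet actually loaded policy; a package that ships an updated file_contexts without a policy load would keep the old handle, where the previous unconditional call re-read it. If a forced reload is intended, pass 1 here (`if (rpmtsSELabelInit(ts, 1, selinux_file_context_path()) == RPMRC_OK) {`) or add an explicit force mode; otherwise amend the comment to say the reload is conditional on a detected policy load. Confirm against the status-page update semantics before choosing. The enclosing function starts and ends outside the hunk.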
#if WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/avc.h>
#else
typedef char * security_context_t;