This is a little test program that will take


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This program takes three inputs:

The executable that init will exec (its file label is the entrypoint of the
computed domain transition).
The directory in which the executable would create the object; the label of
that directory is the target used for the create lookup.
The SELinux object class of the object to be created ("file", "dir",
"sock_file", "fifo_file", ...), which must be a class name the loaded policy
knows.

In order to test this, setsockcon itself has to be run in the context that init would have (here via runcon, as below): the process label is computed from the caller's current context, so running it from an ordinary shell would give you the transition for that shell's domain, not init's.

> runcon system_u:system_r:init_t:s0 ./setsockcon /usr/sbin/avahi-daemon
/var/run/avahi-daemon sock_file
/usr/sbin/avahi-daemon system_u:system_r:avahi_t:s0
system_u:object_r:avahi_var_run_t:s0

> runcon system_u:system_r:init_t:s0 ./setsockcon /usr/sbin/httpd
/var/run file
/usr/sbin/httpd system_u:system_r:httpd_t:s0
system_u:object_r:httpd_var_run_t:s0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxEproACgkQrlYvE4MpobOMMwCeLXC/HaUe5RAOgY2J3x3xo0if
SvEAoKKnea5L8AJjFpewdOGNSDIEkhgs
=x5z6
-----END PGP SIGNATURE-----
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <selinux/selinux.h>
/*
  The class argument (argv[3]) is an SELinux file-object class name and
  must be one the loaded policy knows:
  "file"
  "dir"
  "lnk_file"
  "sock_file"
  "fifo_file"
  "chr_file"
  "blk_file"
*/

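/*
 * Compute the label policy would give to a new object of class "class"
 * created under "path" by a process running as "scon".
 *
 * scon:   label of the creating process (the transitioned daemon label)
 * path:   existing directory whose label is the target of the lookup;
 *         getfilecon() follows symlinks, so a symlinked path yields the
 *         label of its final target
 * class:  object class name, one of the strings listed above
 * newcon: on success receives the computed label; the caller releases it
 *         with freecon()
 *
 * Returns 0 on success, -1 with errno set on failure.  A class name the
 * policy does not know is rejected here with EINVAL instead of being
 * passed to the kernel as class 0.
 */
static int getfileconfrompath(security_context_t scon, const char *path, const char *class, security_context_t *newcon) {
	security_context_t pathcon = NULL;
	security_class_t sclass;
	int rc;

	rc = getfilecon(path, &pathcon);
	if (rc < 0)
		return -1;

	/* string_to_security_class() returns 0 for an unknown class name */
	sclass = string_to_security_class(class);
	if (sclass == 0) {
		errno = EINVAL;
		rc = -1;
		goto out;
	}

	rc = security_compute_create(scon, pathcon, sclass, newcon);
out:
	freecon(pathcon);
	return rc;
}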

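/*
 * Compute the label policy would assign to a process that execs "exe"
 * from this process's current label (the "process" class create lookup
 * is how the domain transition is computed).
 *
 * exe:    path of the executable whose label is the transition entrypoint
 * newcon: on success receives the computed process label; the caller
 *         releases it with freecon()
 *
 * Returns 0 on success, -1 with errno set on failure.
 *
 * The source of the transition is whatever this process runs as, so the
 * result only describes what init would get if this program was itself
 * started in init's context (e.g. via runcon).
 */
static int getconfromexe(const char *exe, security_context_t *newcon)
{
	security_context_t curcon = NULL, execon = NULL;
	security_class_t sclass;
	int rc;

	rc = getcon(&curcon);
	if (rc < 0)
		return -1;

	rc = getfilecon(exe, &execon);
	if (rc < 0)
		goto out;

	/* "process" is a fixed name, but a library/policy mismatch would
	   still return 0; fail explicitly rather than send class 0 to the
	   kernel */
	sclass = string_to_security_class("process");
	if (sclass == 0) {
		errno = EINVAL;
		rc = -1;
		goto out;
	}

	rc = security_compute_create(curcon, execon, sclass, newcon);
out:
	freecon(curcon);
	freecon(execon);
	return rc;
}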

/*
 * Print the command-line synopsis followed by one worked example to
 * stdout.
 *
 * program: argv[0] of the running binary, substituted into both lines.
 */
void usage(const char *program) {
	printf("%s exec_path listen_directory type\n\n", program);
	printf("%s /usr/sbin/avahi-daemon /var/run file\n", program);
}
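/*
 * setsockcon exec_path listen_directory type
 *
 * Prints the two labels a daemon started from the current context would
 * end up with: its process label (the transition through exec_path) and
 * the label of a "type"-class object it would create in listen_directory.
 * Both computed labels are installed with setsockcreatecon() and
 * setfscreatecon() for this process and reset to the default again before
 * exit, so the program is a demonstration of the calls rather than a
 * launcher.
 *
 * Exit status is 0 on success and 1 on a usage error or any libselinux
 * failure; the failing argument is reported with perror().
 */
int main(int argc, char **argv)
{
	security_context_t newcon = NULL;
	security_context_t filecon = NULL;

	/* All three arguments are mandatory: argv[3] is the class name passed
	   to getfileconfrompath(), so with argc == 3 it would be NULL. */
	if (argc < 4) {
		usage(argv[0]);
		exit(1);
	}

	/* The label policy gives to argv[1] when exec'd from the current
	   context (this process's own label, hence the need for runcon). */
	if (getconfromexe(argv[1], &newcon) < 0) {
		perror(argv[1]);
		exit(1);
	}

	/* Ask the kernel to label every socket this process creates from
	   here on with newcon, until the setting is changed again. */
	if (setsockcreatecon(newcon) < 0) {
		perror(argv[1]);
		exit(1);
	}

	/* The label policy gives to an argv[3]-class object that a process
	   running as newcon creates in the directory argv[2]. */
	if (getfileconfrompath(newcon, argv[2], argv[3], &filecon) < 0) {
		perror(argv[2]);
		exit(1);
	}
	printf("%s %s %s\n", argv[1], newcon, filecon);

	/* Ask the kernel to label every filesystem object this process
	   creates from here on with filecon, until the setting is changed
	   again. */
	if (setfscreatecon(filecon) < 0) {
		perror(filecon);
		exit(1);
	}
	freecon(newcon);
	freecon(filecon);

	/* Passing NULL to setsockcreatecon()/setfscreatecon() restores the
	   default (policy-computed) labeling for this process. */
	setsockcreatecon(NULL);
	setfscreatecon(NULL);

	exit(0);
}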

Attachment: setsockcon.c.sig
Description: PGP signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
