-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This program takes three inputs. The executable that init will exec. The directory where the executable would create the object. (fifo_file, sock_file, file ...) The "type" of the object to be created In order to test this, you need to tell setsockcon the context to run as. > runcon system_u:system_r:init_t:s0 ./setsockcon /usr/sbin/avahi-daemon /var/run/avahi-daemon sock_file /usr/sbin/avahi-daemon system_u:system_r:avahi_t:s0 system_u:object_r:avahi_var_run_t:s0 > runcon system_u:system_r:init_t:s0 ./setsockcon /usr/sbin/httpd /var/run file /usr/sbin/httpd system_u:system_r:httpd_t:s0 system_u:object_r:httpd_var_run_t:s0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkxEproACgkQrlYvE4MpobOMMwCeLXC/HaUe5RAOgY2J3x3xo0if SvEAoKKnea5L8AJjFpewdOGNSDIEkhgs =x5z6 -----END PGP SIGNATURE-----
#include <selinux/selinux.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
class can be
"file"
"dir"
"lnk_file"
"sock_file"
"fifo_file"
"chr_file"
"blk_file"
*/
static int getfileconfrompath(security_context_t scon, const char *path, char *class, security_context_t *newcon) {
security_context_t fcon = NULL;
security_class_t sclass;
int rc = 0;
rc = getfilecon(path, &fcon);
if (rc < 0)
goto out;
sclass = string_to_security_class(class);
rc = security_compute_create(scon, fcon, sclass, newcon);
if (rc < 0)
goto out;
out:
freecon(fcon);
return rc;
}
static int getconfromexe(const char *exe, security_context_t *newcon)
{
security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
int rc = 0;
rc = getcon(&mycon);
if (rc < 0)
goto out;
rc = getfilecon(exe, &fcon);
if (rc < 0)
goto out;
sclass = string_to_security_class("process");
rc = security_compute_create(mycon, fcon, sclass, newcon);
if (rc < 0)
goto out;
out:
freecon(mycon);
freecon(fcon);
return rc;
}
void usage(const char *program) {
printf(
"%s exec_path listen_directory type\n\n"
"%s /usr/sbin/avahi-daemon /var/run file\n"
, program, program);
}
int main(int argc, char **argv)
{
int i;
security_context_t newcon = NULL;
security_context_t filecon = NULL;
if ( argc < 3 ) {
usage(argv[0]);
exit(1);
}
/* This function returns the context defined in policy for the
executable argv[1], after it transitions from the current context */
if (getconfromexe(argv[1], &newcon) < 0) {
perror(argv[1]);
exit(1);
}
/* This function tells the kernel to label all sockets after this call
with the newcon context, untill this function is called again */
if (setsockcreatecon(newcon) < 0) {
perror(argv[1]);
exit(1);
}
/* This function returns the file context defined in policy for the
context newcon, creating a object of type arg[2] in the directory
argv[2] */
if (getfileconfrompath(newcon, argv[2], argv[3], &filecon) < 0) {
perror(argv[2]);
exit(1);
}
printf("%s %s %s\n", argv[1], newcon, filecon);
/* This function tells the kernel to label all file system objects
created after this call with the filecon context, until this
function is called again */
if (setfscreatecon(filecon) < 0) {
perror(filecon);
exit(1);
}
freecon(newcon);
freecon(filecon);
/* calling setsockcreatecon and setfscreatecon with the NULL parameter
resets the system to the default */
setsockcreatecon(NULL);
setfscreatecon(NULL);
exit(0);
}
Attachment:
setsockcon.c.sig
Description: PGP signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
