Currently any changes made to the policy which require committing a handle cause dontaudit rules to be disabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is created. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that a the file cannot be created the dontaudit rules dont change and errors are set.
Signed-off-by: Christopher Pardy <cpardy@xxxxxxxxxx>
---
libsemanage/include/semanage/handle.h | 8 +++++-
libsemanage/src/direct_api.c | 40 ++++++++++++++++++++++++++++++++++
libsemanage/src/direct_api.h | 5 ++++
libsemanage/src/handle.c | 21 ++++++++++++++++-
libsemanage/src/libsemanage.map | 2 -
libsemanage/src/semanage_store.c | 1
libsemanage/src/semanage_store.h | 1
7 files changed, 74 insertions(+), 4 deletions(-)
diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h 2009-07-07 09:37:35.888570766 -0400
@@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
-/* Set whether or not to disable dontaudits upon commit */
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
+/* Set whether or not to disable dontaudits upon commit
+ * Sets errno to 0 if successful. Otherwise sets errno
+ * to any of the errors specified by fopen,fclose, or remove.
+ */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
/* Check whether policy is managed via libsemanage on this system.
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c 2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c 2009-07-07 09:19:28.174321784 -0400
@@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
return 0;
}
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+ const char *path;
+
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+ if(access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
+int set_disable_dontaudit_flag(int setting)
+{
+ const char *path;
+ int retcode;
+
+ retcode = 0;
+
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+ if(setting == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ if (touch != NULL)
+ if(fclose(touch) != 0)
+ retcode = -1;
+ else
+ retcode = -1;
+ }else
+ if(remove(path) == -1 && errno != ENOENT)
+ retcode = -1
+
+ return retcode;
+}
+
+
/********************* utility functions *********************/
/* Takes a module stored in 'module_data' and parses its headers.
diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h 2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h 2009-07-07 08:50:24.620326359 -0400
@@ -39,6 +39,11 @@ int semanage_direct_access_check(struct
int semanage_direct_mls_enabled(struct semanage_handle *sh);
+int get_disable_dontaudit_flag(void);
+
+/*returns a 0 on success*/
+int set_disable_dontaudit_flag(int setting);
+
#include <stdio.h>
#include <unistd.h>
ssize_t bunzip(FILE *f, char **data);
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c 2009-07-07 09:44:23.677572218 -0400
@@ -23,6 +23,7 @@
#include <selinux/selinux.h>
+#include <errno.h>
#include <stdarg.h>
#include <assert.h>
#include <stdlib.h>
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+ /*set the disable dontaudit flag to system defaults*/
+ sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
@@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
/* By default always reload policy after commit if SELinux is enabled. */
sh->do_reload = (is_selinux_enabled() > 0);
+
/* By default do not create store */
sh->create_store = 0;
@@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
+ if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
+ sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+ errno = 0;
+ }else
+ ERR(sh,"Could not set disable dontaudit flag of handle.");
- sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
return;
}
@@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t *
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
+ set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map 2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c 2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c 2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
"/users_extra",
"/netfilter_contexts",
"/file_contexts.homedirs",
+ "/disable_dontaudit",
};
/* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h 2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h 2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
SEMANAGE_USERS_EXTRA,
SEMANAGE_NC,
SEMANAGE_FC_HOMEDIRS,
+ SEMANAGE_DISABLE_DONTAUDIT,
SEMANAGE_STORE_NUM_PATHS
};
diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux.orig3/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux.orig3/libsemanage/include/semanage/handle.h 2009-07-07 09:37:35.888570766 -0400
@@ -69,7 +69,13 @@ void semanage_set_rebuild(semanage_handl
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
-/* Set whether or not to disable dontaudits upon commit */
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
+/* Set whether or not to disable dontaudits upon commit
+ * Sets errno to 0 if successful. Otherwise sets errno
+ * to any of the errors specified by fopen,fclose, or remove.
+ */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
/* Check whether policy is managed via libsemanage on this system.
diff -urpN selinux.orig2/libsemanage/src/direct_api.c selinux.orig3/libsemanage/src/direct_api.c
--- selinux.orig2/libsemanage/src/direct_api.c 2009-07-01 21:15:17.264236347 -0400
+++ selinux.orig3/libsemanage/src/direct_api.c 2009-07-07 09:19:28.174321784 -0400
@@ -293,6 +293,46 @@ static int semanage_direct_begintrans(se
return 0;
}
+/*********Dont audit functions*************/
+
+/* Creates, removes, and tests for the existance of a dont audit flag.
+ */
+
+int get_disable_dontaudit_flag(void)
+{
+ const char *path;
+
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+ if(access(path,F_OK) == 0)
+ return 1;
+ else
+ return 0;
+}
+
+int set_disable_dontaudit_flag(int setting)
+{
+ const char *path;
+ int retcode;
+
+ retcode = 0;
+
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
+ if(setting == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ if (touch != NULL)
+ if(fclose(touch) != 0)
+ retcode = -1;
+ else
+ retcode = -1;
+ }else
+ if(remove(path) == -1 && errno != ENOENT)
+ retcode = -1
+
+ return retcode;
+}
+
+
/********************* utility functions *********************/
/* Takes a module stored in 'module_data' and parses its headers.
diff -urpN selinux.orig2/libsemanage/src/direct_api.h selinux.orig3/libsemanage/src/direct_api.h
--- selinux.orig2/libsemanage/src/direct_api.h 2009-07-01 21:15:17.270235734 -0400
+++ selinux.orig3/libsemanage/src/direct_api.h 2009-07-07 08:50:24.620326359 -0400
@@ -39,6 +39,11 @@ int semanage_direct_access_check(struct
int semanage_direct_mls_enabled(struct semanage_handle *sh);
+int get_disable_dontaudit_flag(void);
+
+/*returns a 0 on success*/
+int set_disable_dontaudit_flag(int setting);
+
#include <stdio.h>
#include <unistd.h>
ssize_t bunzip(FILE *f, char **data);
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux.orig3/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux.orig3/libsemanage/src/handle.c 2009-07-07 09:44:23.677572218 -0400
@@ -23,6 +23,7 @@
#include <selinux/selinux.h>
+#include <errno.h>
#include <stdarg.h>
#include <assert.h>
#include <stdlib.h>
@@ -59,6 +60,9 @@ semanage_handle_t *semanage_handle_creat
goto err;
sepol_msg_set_callback(sh->sepolh, semanage_msg_relay_handler, sh);
+ /*set the disable dontaudit flag to system defaults*/
+ sepol_set_disable_dontaudit(sh->sepolh,get_disable_dontaudit_flag());
+
/* By default do not rebuild the policy on commit
* If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
@@ -66,6 +70,7 @@ semanage_handle_t *semanage_handle_creat
/* By default always reload policy after commit if SELinux is enabled. */
sh->do_reload = (is_selinux_enabled() > 0);
+
/* By default do not create store */
sh->create_store = 0;
@@ -110,11 +115,22 @@ void semanage_set_create_store(semanage_
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
+ if(set_disable_dontaudit_flag(disable_dontaudit) == 0){
+ sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+ errno = 0;
+ }else
+ ERR(sh,"Could not set disable dontaudit flag of handle.");
- sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
return;
}
@@ -264,9 +280,10 @@ int semanage_commit(semanage_handle_t *
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
+ set_disable_dontaudit_flag(sepol_get_disable_dontaudit(sh->sepolh));
retval = sh->funcs->commit(sh);
sh->is_in_transaction = 0;
sh->modules_modified = 0;
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux.orig3/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux.orig3/libsemanage/src/libsemanage.map 2009-07-06 13:26:53.591167982 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
diff -urpN selinux.orig2/libsemanage/src/semanage_store.c selinux.orig3/libsemanage/src/semanage_store.c
--- selinux.orig2/libsemanage/src/semanage_store.c 2009-07-01 21:15:17.271236564 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.c 2009-07-06 13:26:53.598164077 -0400
@@ -114,6 +114,7 @@ static const char *semanage_sandbox_path
"/users_extra",
"/netfilter_contexts",
"/file_contexts.homedirs",
+ "/disable_dontaudit",
};
/* A node used in a linked list of file contexts; used for sorting.
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux.orig3/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h 2009-07-01 21:15:17.262235597 -0400
+++ selinux.orig3/libsemanage/src/semanage_store.h 2009-07-06 13:26:53.626166474 -0400
@@ -58,6 +58,7 @@ enum semanage_sandbox_defs {
SEMANAGE_USERS_EXTRA,
SEMANAGE_NC,
SEMANAGE_FC_HOMEDIRS,
+ SEMANAGE_DISABLE_DONTAUDIT,
SEMANAGE_STORE_NUM_PATHS
};
