projects / packages / nss_db.git / blame
| Commit | Line | Data |
|---|---|---|
| 14a3d93c JR |
1 | Set the SELinux file creation context when opening databases for write access. |
| 2 | Note that this does *not* change the context of existing files. | |
| 3 | ||
| 4 | --- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400 | |
| 5 | +++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400 | |
| 6 | @@ -73,6 +73,43 @@ | |
| 7 | *** Unsupported Berkeley DB version detected.]) | |
| 8 | fi | |
| 9 | ||
| 10 | +AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]), | |
| 11 | +selinux=$withval, | |
| 12 | +selinux=auto) | |
| 13 | + | |
| 14 | +libsave="$LIBS" | |
| 15 | +if test x$selinux != no ; then | |
| 16 | + AC_CHECK_HEADERS(selinux/selinux.h) | |
| 17 | + if test x$ac_cv_header_selinux_selinux_h = xno ; then | |
| 18 | + if test x$selinux = xyes ; then | |
| 19 | + AC_MSG_ERROR([SELinux not detected]) | |
| 20 | + else | |
| 21 | + AC_MSG_WARN([SELinux not detected]) | |
| 22 | + selinux=no | |
| 23 | + fi | |
| 24 | + fi | |
| 25 | +fi | |
| 26 | + | |
| 27 | +if test x$selinux != no ; then | |
| 28 | + AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)]) | |
| 29 | + if test x$ac_cv_func_setfscreatecon = xno ; then | |
| 30 | + if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then | |
| 31 | + if test x$selinux = xyes ; then | |
| 32 | + AC_MSG_ERROR([SELinux not detected]) | |
| 33 | + else | |
| 34 | + AC_MSG_WARN([SELinux not detected]) | |
| 35 | + selinux=no | |
| 36 | + fi | |
| 37 | + fi | |
| 38 | + fi | |
| 39 | +fi | |
| 40 | +if test x$selinux != no ; then | |
| 41 | + AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.]) | |
| 42 | +fi | |
| 43 | + | |
| 44 | +SELINUX_LIBS="$LIBS" | |
| 45 | +LIBS="$libsave" | |
| 46 | + | |
| 47 | AC_CANONICAL_HOST | |
| 48 | slibdir=NONE | |
| 49 | case "$host" in | |
| 50 | @@ -100,5 +137,6 @@ | |
| 51 | ||
| 52 | AC_SUBST(DB_CFLAGS) | |
| 53 | AC_SUBST(DB_LIBS) | |
| 54 | +AC_SUBST(SELINUX_LIBS) | |
| 55 | AC_SUBST(slibdir) | |
| 56 | AC_OUTPUT(Makefile) | |
| 57 | --- nss_db-2.2/src/Makefile.am 2004-10-20 13:47:22.207986040 -0400 | |
| 58 | +++ nss_db-2.2/src/Makefile.am 2004-10-20 13:48:46.242210896 -0400 | |
| 59 | @@ -28,7 +28,7 @@ | |
| 60 | ||
| 61 | bin_PROGRAMS = makedb | |
| 62 | makedb_SOURCES = makedb.c | |
| 63 | -makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ | |
| 64 | +makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ @SELINUX_LIBS@ | |
| 65 | ||
| 66 | # To mimmick the old glibc installation as closely as possible, we | |
| 67 | # shuffle the installed library and the links to it around a bit, | |
| 68 | --- nss_db-2.2/src/makedb.c 2004-10-20 13:52:02.814327392 -0400 | |
| 69 | +++ nss_db-2.2/src/makedb.c 2004-10-20 14:06:07.605899552 -0400 | |
| 70 | @@ -32,6 +32,10 @@ | |
| 71 | #include <string.h> | |
| 72 | #include <sys/stat.h> | |
| 73 | ||
| 74 | +#ifdef SELINUX | |
| 75 | +#include <selinux/selinux.h> | |
| 76 | +#endif | |
| 77 | + | |
| 78 | #include "db-compat.h" | |
| 79 | ||
| 80 | #define N_(Text) Text | |
| 81 | @@ -95,6 +99,12 @@ | |
| 82 | int to_lowercase, int be_quiet); | |
| 83 | static int print_database (DB *db); | |
| 84 | ||
| 85 | +#ifdef SELINUX | |
| 86 | +/* Set the SELinux file creation context for the given file. */ | |
| 87 | +static void set_file_creation_context (const char *outname, mode_t mode); | |
| 88 | +#else | |
| 89 | +#define set_file_creation_context(_outname,_mode) | |
| 90 | +#endif | |
| 91 | ||
| 92 | int | |
| 93 | main (int argc, char *argv[]) | |
| 94 | @@ -176,8 +186,10 @@ | |
| 95 | ||
| 96 | /* Open output file. This must not be standard output so we don't | |
| 97 | handle "-" and "/dev/stdout" special. */ | |
| 98 | + set_file_creation_context (output_name, mode); | |
| 99 | status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode, | |
| 100 | NULL, NULL, &db_file); | |
| 101 | + set_file_creation_context (NULL, 0); | |
| 102 | if (status) | |
| 103 | error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"), | |
| 104 | output_name, db_strerror (status)); | |
| 105 | @@ -388,3 +400,44 @@ | |
| 106 | ||
| 107 | return EXIT_SUCCESS; | |
| 108 | } | |
| 109 | + | |
| 110 | + | |
| 111 | +#ifdef SELINUX | |
| 112 | +static void | |
| 113 | +set_file_creation_context (const char *outname, mode_t mode) | |
| 114 | +{ | |
| 115 | + static int enabled = -1; | |
| 116 | + security_context_t ctx; | |
| 117 | + /* Handle the "reset the context" case. */ | |
| 118 | + if (outname == NULL) | |
| 119 | + { | |
| 120 | + setfscreatecon (NULL); | |
| 121 | + return; | |
| 122 | + } | |
| 123 | + /* Check if SELinux is enabled, and remember. */ | |
| 124 | + if (enabled == -1) | |
| 125 | + { | |
| 126 | + enabled = is_selinux_enabled (); | |
| 127 | + } | |
| 128 | + if (enabled == 0) | |
| 129 | + { | |
| 130 | + return; | |
| 131 | + } | |
| 132 | + /* Determine the context which the file should have. */ | |
| 133 | + ctx = NULL; | |
| 134 | + if (matchpathcon (outname, S_IFREG | mode, &ctx) != 0) | |
| 135 | + { | |
| 136 | + error (EXIT_FAILURE, 0, | |
| 137 | + gettext ("cannot determine file context for `%s'"), outname); | |
| 138 | + } | |
| 139 | + if (ctx != NULL) | |
| 140 | + { | |
| 141 | + if (setfscreatecon (ctx) != 0) | |
| 142 | + { | |
| 143 | + error (EXIT_FAILURE, 0, | |
| 144 | + gettext ("cannot set file creation context for `%s'"), outname); | |
| 145 | + } | |
| 146 | + freecon (ctx); | |
| 147 | + } | |
| 148 | +} | |
| 149 | +#endif |