authorAvatar Stephen P. Bennett <spb@exherbo.org> 2007-02-12 20:23:35 +0000
committerAvatar Stephen P. Bennett <spb@exherbo.org> 2007-02-12 20:23:35 +0000
commit033ffce97b67e90ebfb7455f673e59b6d5b83045 (patch)
treef3a67e42831697aab8ab11cb03464e71c5f0d13c
parentd40a96fec17f8adb2ed6ae25cc9113c7efbadc9c (diff)
downloadpaludis-033ffce97b67e90ebfb7455f673e59b6d5b83045.tar.gz
paludis-033ffce97b67e90ebfb7455f673e59b6d5b83045.tar.xz
SELinux support for the new merger
-rw-r--r--configure.ac23
-rw-r--r--paludis/merger/Makefile.am3
-rw-r--r--paludis/merger/merger.cc4
-rw-r--r--paludis/repositories/gentoo/ebuild/merge.cc16
-rw-r--r--paludis/selinux/security_context.cc7
-rw-r--r--paludis/selinux/security_context.hh5
-rw-r--r--src/clients/adjutrix/Makefile.am1
-rw-r--r--src/clients/qualudis/Makefile.am1
8 files changed, 22 insertions, 38 deletions
diff --git a/configure.ac b/configure.ac
index 2d13f55..dba05d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -547,29 +547,6 @@ AC_SUBST(DYNAMIC_LD_LIBS)
dnl }}}
-dnl {{{ selinux support
-AC_MSG_CHECKING([whether to enable selinux support])
-AC_ARG_ENABLE([selinux],
- AS_HELP_STRING([--enable-selinux], [Enable selinux support (default: check)]),
- enable_selinux=$enableval,
- enable_selinux=autodetect)
-AC_MSG_RESULT($enable_selinux)
-
-if test "x$enable_selinux" != "xno"; then
- AC_CHECK_LIB([selinux],
- [is_selinux_enabled],
- found_selinux=yes,
- found_selinux=no)
- if test "x$enable_selinux" = "xyes" && test "x$found_selinux" != "xyes"; then
- AC_MSG_ERROR([SElinux support requested but not found])
- fi
-fi
-
-if test "x$found_selinux" = "xyes"; then
- AC_DEFINE([HAVE_SELINUX], [1], [Build selinux support])
-fi
-dnl }}}
-
dnl {{{ gtk support
AC_MSG_CHECKING([whether to build the gtk+ client])
AC_ARG_ENABLE([gtk],
diff --git a/paludis/merger/Makefile.am b/paludis/merger/Makefile.am
index cf88f66..c3d336a 100644
--- a/paludis/merger/Makefile.am
+++ b/paludis/merger/Makefile.am
@@ -26,7 +26,8 @@ libpaludismerger_la_LDFLAGS = -version-info @VERSION_LIB_CURRENT@:@VERSION_LIB_R
libpaludismerger_la_LIBADD = \
$(top_builddir)/paludis/util/libpaludisutil.la \
- $(top_builddir)/paludis/libpaludis.la
+ $(top_builddir)/paludis/libpaludis.la \
+ $(top_builddir)/paludis/selinux/libpaludisselinux.la
lib_LTLIBRARIES = libpaludismerger.la
diff --git a/paludis/merger/merger.cc b/paludis/merger/merger.cc
index cb1bf0e..eba3a26 100644
--- a/paludis/merger/merger.cc
+++ b/paludis/merger/merger.cc
@@ -21,6 +21,7 @@
#include <paludis/util/dir_iterator.hh>
#include <paludis/util/stringify.hh>
#include <paludis/util/fd_holder.hh>
+#include <paludis/selinux/security_context.hh>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
@@ -442,6 +443,7 @@ Merger::on_sym_over_misc(bool is_check, const FSEntry & src, const FSEntry & dst
void
Merger::install_file(const FSEntry & src, const FSEntry & dst_dir, const std::string & dst_name)
{
+ FSCreateCon createcon(MatchPathCon::get_instance()->match(stringify(dst_dir/dst_name), src.permissions()));
FDHolder input_fd(::open(stringify(src).c_str(), O_RDONLY), false);
if (-1 == input_fd)
throw MergerError("Cannot read '" + stringify(src) + "'");
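Review bot: The `FSCreateCon` added at the top of install_file is constructed without first checking `MatchPathCon::get_instance()->good()`, whereas every equivalent site in paludis/repositories/gentoo/ebuild/merge.cc only creates one after that check succeeds (its main() even logs "matchpathcon_init failed; not setting security contexts" for the failing case); the same applies to the install_dir and install_sym hunks below. Unless match() is known to be a harmless no-op after a failed initialisation, the guard used in merge.cc should be carried over, e.g. `std::tr1::shared_ptr<FSCreateCon> createcon; if (MatchPathCon::get_instance()->good()) createcon.reset(new FSCreateCon(MatchPathCon::get_instance()->match(stringify(dst_dir / dst_name), src.permissions())));`. A second difference is that merge.cc strips `root_str` from the destination before matching, while here `stringify(dst_dir / dst_name)` is passed as-is; if Merger's dst_dir carries a non-`/` root, the context lookup would be done against the root-prefixed path rather than the policy path, so confirm which form Merger receives. install_file's body continues past the end of the hunk.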
@@ -469,6 +471,7 @@ Merger::install_dir(const FSEntry & src, const FSEntry & dst_dir)
{
mode_t mode(src.permissions());
FSEntry dst(dst_dir / src.basename());
+ FSCreateCon createcon(MatchPathCon::get_instance()->match(stringify(dst), mode));
dst.mkdir(mode);
dst.chown(src.owner(), src.group());
/* pick up set*id bits */
@@ -478,6 +481,7 @@ Merger::install_dir(const FSEntry & src, const FSEntry & dst_dir)
void
Merger::install_sym(const FSEntry & src, const FSEntry & dst_dir)
{
+ FSCreateCon createcon(MatchPathCon::get_instance()->match(stringify(dst_dir / src.basename()), S_IFLNK));
if (0 != ::symlink(stringify(src.readlink()).c_str(), stringify(dst_dir / src.basename()).c_str()))
throw MergerError("Couldn't create symlink at '" + stringify(dst_dir / src.basename()) + "'");
}
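Review bot: install_sym passes `S_IFLNK` to match() rather than the symlink's permissions, and nothing in this hunk says why; the corresponding site in merge.cc carries the rationale ("permissions() on a symlink does weird things, but matchpathcon only cares about the file type, so just pass S_IFLNK"). Carrying that comment over above the new `FSCreateCon` line keeps the two call sites understandable on their own, e.g. `// permissions() on a symlink is unreliable, and matchpathcon only cares about the file type, so pass S_IFLNK.`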
diff --git a/paludis/repositories/gentoo/ebuild/merge.cc b/paludis/repositories/gentoo/ebuild/merge.cc
index 1b1781e..2908205 100644
--- a/paludis/repositories/gentoo/ebuild/merge.cc
+++ b/paludis/repositories/gentoo/ebuild/merge.cc
@@ -141,7 +141,7 @@ namespace
mode_t mode(src_dir.permissions());
-#ifdef HAVE_SELINUX
+//#ifdef HAVE_SELINUX
std::tr1::shared_ptr<FSCreateCon> createcon;
if (MatchPathCon::get_instance()->good())
{
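Review bot: Replacing `#ifdef HAVE_SELINUX` / `#endif` with `//#ifdef HAVE_SELINUX` / `//#endif` leaves commented-out preprocessor directives in the source; since the configure.ac hunk in this commit removes the only `AC_DEFINE([HAVE_SELINUX], ...)`, the macro can no longer be defined and these markers are dead text that will confuse the next reader into thinking the block is still conditional. The same pattern appears in the five following merge.cc hunks, including the one in main(). Deleting the `//#ifdef` / `//#endif` lines outright and stating the new policy once at the first site, e.g. `// SELinux context handling is always compiled in; MatchPathCon::good() decides at runtime whether contexts are set.`, would make the intent explicit. The enclosing function starts before this hunk.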
@@ -149,7 +149,7 @@ namespace
mode));
createcon.reset(p);
}
-#endif
+//#endif
FSEntry dst_dir_copy(dst_dir);
dst_dir_copy.mkdir(mode);
@@ -246,13 +246,13 @@ namespace
/* FDHolder must be destroyed before we do the md5 thing, or the
* disk write may not have synced. */
{
-#ifdef HAVE_SELINUX
+//#ifdef HAVE_SELINUX
std::tr1::shared_ptr<FSCreateCon> createcon;
if (MatchPathCon::get_instance()->good())
createcon.reset(new
FSCreateCon(MatchPathCon::get_instance()->match(dst_dir_str.substr(root_str.length()) + "/"
+ dst.basename(), src.permissions())));
-#endif
+//#endif
FDHolder fd(::open(stringify(real_dst).c_str(), O_WRONLY | O_CREAT, src.permissions()));
if (-1 == fd)
throw Failure("Cannot open '" + stringify(real_dst) + "' for write");
@@ -325,7 +325,7 @@ namespace
else
cout << " <new>" << endl;
-#ifdef HAVE_SELINUX
+//#ifdef HAVE_SELINUX
// permissions() on a symlink does weird things, but matchpathcon only cares about the file type,
// so just pass S_IFLNK.
std::tr1::shared_ptr<FSCreateCon> createcon;
@@ -333,7 +333,7 @@ namespace
createcon.reset(new
FSCreateCon(MatchPathCon::get_instance()->match(dst_dir_str.substr(root_str.length()) + "/"
+ dst.basename(), S_IFLNK)));
-#endif
+//#endif
if (0 != ::symlink(src.readlink().c_str(), stringify(dst).c_str()))
{
@@ -383,12 +383,12 @@ main(int argc, char * argv[])
{
Context context("In main program:");
-#ifdef HAVE_SELINUX
+//#ifdef HAVE_SELINUX
// If the MatchPathCon initialisation fails, don't attempt to match contexts when merging.
if (! MatchPathCon::get_instance()->good())
Log::get_instance()->message(ll_warning, lc_no_context,
"matchpathcon_init failed; not setting security contexts");
-#endif
+//#endif
exit_status = 0;
try
diff --git a/paludis/selinux/security_context.cc b/paludis/selinux/security_context.cc
index e08737d..9cda4ba 100644
--- a/paludis/selinux/security_context.cc
+++ b/paludis/selinux/security_context.cc
@@ -23,16 +23,17 @@
#include "config.h"
-#ifdef HAVE_SELINUX
#include <dlfcn.h>
-#include <selinux/selinux.h>
// I think the name explains it. C++ is picky about casting to function pointers.
#define STUPID_CAST(type, val) reinterpret_cast<type>(reinterpret_cast<uintptr_t>(val))
namespace
{
+ // Declared here to remove dep on <selinux/selinux.h>
+ typedef char *security_context_t;
+
class LibSELinux
{
private:
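Review bot: The new `typedef char *security_context_t;` in the anonymous namespace re-declares a libselinux type so that `<selinux/selinux.h>` can be dropped, but nothing at build time checks that it still matches the functions the file resolves through `<dlfcn.h>` (the `STUPID_CAST` helper and LibSELinux class are kept), so a mismatch would only show up at runtime. The comment should say what the typedef mirrors and what must stay in sync, e.g. `// Mirrors libselinux's security_context_t (char *) so <selinux/selinux.h> is not needed; keep consistent with the signatures of the symbols looked up below.` The LibSELinux class continues past the end of the hunk.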
@@ -237,5 +238,3 @@ std::tr1::shared_ptr<const SecurityContext> MatchPathCon::match(const std::strin
}
return p;
}
-
-#endif
diff --git a/paludis/selinux/security_context.hh b/paludis/selinux/security_context.hh
index ba87556..1a07791 100644
--- a/paludis/selinux/security_context.hh
+++ b/paludis/selinux/security_context.hh
@@ -106,8 +106,9 @@ namespace paludis
* Create an FSCreateCon object to set the security context of newly created file objects.
* When destroyed, it will revert to the previous creation context.
*
- * Note that this operation is not thread-safe. Any multi-threaded code calling it must use a
- * critical section to ensure the desired behaviour.
+ * Note that with older versions of libselinux this operation is not thread-safe. Any
+ * multi-threaded code calling it must use a critical section to ensure the desired
+ * behaviour on all systems.
*
* \ingroup grplibpaludisselinux
*/
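Review bot: "older versions of libselinux" in the revised FSCreateCon note does not tell a reader which versions are affected, so they cannot tell whether their build still needs the critical section. Naming the release boundary (or the libselinux change that made the operation thread-safe) would make the caveat actionable, e.g. `Note that with libselinux older than <VERSION — fill in> this operation is not thread-safe.`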
diff --git a/src/clients/adjutrix/Makefile.am b/src/clients/adjutrix/Makefile.am
index 5f8c561..fa32ca3 100644
--- a/src/clients/adjutrix/Makefile.am
+++ b/src/clients/adjutrix/Makefile.am
@@ -56,6 +56,7 @@ adjutrix_LDADD = \
$(top_builddir)/paludis/util/libpaludisutil.la \
$(top_builddir)/paludis/dep_list/libpaludisdeplist.la \
$(top_builddir)/paludis/repositories/libpaludisrepositories.la \
+ $(top_builddir)/paludis/selinux/libpaludisselinux.la \
$(top_builddir)/src/output/liboutput.a \
$(top_builddir)/src/common_args/libcommonargs.a \
$(DYNAMIC_LD_LIBS)
diff --git a/src/clients/qualudis/Makefile.am b/src/clients/qualudis/Makefile.am
index 7cfa30f..3b26dd6 100644
--- a/src/clients/qualudis/Makefile.am
+++ b/src/clients/qualudis/Makefile.am
@@ -41,6 +41,7 @@ qualudis_LDADD = \
$(top_builddir)/paludis/libpaludis.la \
$(top_builddir)/paludis/args/libpaludisargs.la \
$(top_builddir)/paludis/util/libpaludisutil.la \
+ $(top_builddir)/paludis/selinux/libpaludisselinux.la \
$(top_builddir)/src/output/liboutput.a \
$(top_builddir)/src/common_args/libcommonargs.a \
$(PCREPLUSPLUS_LIBS) \