From 5073418cdf3687cded374b8f77042473ad5873e7 Mon Sep 17 00:00:00 2001
From: Will Woods <wwoods@redhat.com>
Date: Fri, 25 Apr 2014 18:26:33 -0400
Subject: [PATCH] core: reindent {selinux, ima, smack}-setup.c
7-space indentation is just too weird to leave alone.
Make it 8 spaces, as per CODING_STYLE. No other changes.
(cherry picked from commit 4ab72d6fb499c2b4d8baced9fa94a8bbfa5a4b3d)
Conflicts:
src/core/ima-setup.c
[zj: just selinux-setup.c, as needed for further commits.]
(cherry picked from commit 31b1d7a4f7358cdbc632e4cd2b61bef8fa34d281)
---
src/core/selinux-setup.c | 152 +++++++++++++++++++++++------------------------
1 file changed, 76 insertions(+), 76 deletions(-)
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 9a5d6b2a9d..6d8bc89965 100644
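--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -46,82 +46,82 @@ static int null_log(int type, const char *fmt, ...) {
 int selinux_setup(bool *loaded_policy) {
 
 #ifdef HAVE_SELINUX
- int enforce = 0;
- usec_t before_load, after_load;
- security_context_t con;
- int r;
- union selinux_callback cb;
-
- assert(loaded_policy);
-
- /* Turn off all of SELinux' own logging, we want to do that */
- cb.func_log = null_log;
- selinux_set_callback(SELINUX_CB_LOG, cb);
-
- /* Don't load policy in the initrd if we don't appear to have
- * it. For the real root, we check below if we've already
- * loaded policy, and return gracefully.
- */
- if (in_initrd() && access(selinux_path(), F_OK) < 0)
- return 0;
-
- /* Already initialized by somebody else? */
- r = getcon_raw(&con);
- if (r == 0) {
- bool initialized;
-
- initialized = !streq(con, "kernel");
- freecon(con);
-
- if (initialized)
- return 0;
- }
-
- /* Make sure we have no fds open while loading the policy and
- * transitioning */
- log_close();
-
- /* Now load the policy */
- before_load = now(CLOCK_MONOTONIC);
- r = selinux_init_load_policy(&enforce);
- if (r == 0) {
- char timespan[FORMAT_TIMESPAN_MAX];
- char *label;
-
- retest_selinux();
-
- /* Transition to the new context */
- r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
- if (r < 0 || label == NULL) {
- log_open();
- log_error("Failed to compute init label, ignoring.");
- } else {
- r = setcon(label);
-
- log_open();
- if (r < 0)
- log_error("Failed to transition into init label '%s', ignoring.", label);
-
- label_free(label);
- }
-
- after_load = now(CLOCK_MONOTONIC);
-
- log_info("Successfully loaded SELinux policy in %s.",
- format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
-
- *loaded_policy = true;
-
- } else {
- log_open();
-
- if (enforce > 0) {
- log_error("Failed to load SELinux policy. Freezing.");
- return -EIO;
- } else
- log_debug("Unable to load SELinux policy. Ignoring.");
- }
+ int enforce = 0;
+ usec_t before_load, after_load;
+ security_context_t con;
+ int r;
+ union selinux_callback cb;
+
+ assert(loaded_policy);
+
+ /* Turn off all of SELinux' own logging, we want to do that */
+ cb.func_log = null_log;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+
+ /* Don't load policy in the initrd if we don't appear to have
+ * it. For the real root, we check below if we've already
+ * loaded policy, and return gracefully.
+ */
+ if (in_initrd() && access(selinux_path(), F_OK) < 0)
+ return 0;
+
+ /* Already initialized by somebody else? */
+ r = getcon_raw(&con);
+ if (r == 0) {
+ bool initialized;
+
+ initialized = !streq(con, "kernel");
+ freecon(con);
+
+ if (initialized)
+ return 0;
+ }
+
+ /* Make sure we have no fds open while loading the policy and
+ * transitioning */
+ log_close();
+
+ /* Now load the policy */
+ before_load = now(CLOCK_MONOTONIC);
+ r = selinux_init_load_policy(&enforce);
+ if (r == 0) {
+ char timespan[FORMAT_TIMESPAN_MAX];
+ char *label;
+
+ retest_selinux();
+
+ /* Transition to the new context */
+ r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
+ if (r < 0 || label == NULL) {
+ log_open();
+ log_error("Failed to compute init label, ignoring.");
+ } else {
+ r = setcon(label);
+
+ log_open();
+ if (r < 0)
+ log_error("Failed to transition into init label '%s', ignoring.", label);
+
+ label_free(label);
+ }
+
+ after_load = now(CLOCK_MONOTONIC);
+
+ log_info("Successfully loaded SELinux policy in %s.",
+ format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
+
+ *loaded_policy = true;
+
+ } else {
+ log_open();
+
+ if (enforce > 0) {
+ log_error("Failed to load SELinux policy. Freezing.");
+ return -EIO;
+ } else
+ log_debug("Unable to load SELinux policy. Ignoring.");
+ }
 #endif
 
- return 0;
+ return 0;
 }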