
pam_unix2-2.9.1/src/selinux_utils.c

a guest
Feb 24th, 2013
  1. /* Copyright (C) 2003, 2004, 2006 Thorsten Kukuk
  2. Author: Thorsten Kukuk <kukuk@suse.de>
  3.  
  4. This program is free software; you can redistribute it and/or modify
  5. it under the terms of the GNU General Public License version 2 as
  6. published by the Free Software Foundation.
  7.  
  8. This program is distributed in the hope that it will be useful,
  9. but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. GNU General Public License for more details.
  12.  
  13. You should have received a copy of the GNU General Public License
  14. along with this program; if not, write to the Free Software Foundation,
  15. Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
  16.  
  17.  
  18. #ifdef HAVE_CONFIG_H
  19. #include <config.h>
  20. #endif
  21.  
  22. #ifdef WITH_SELINUX
  23.  
  24.  
  25. #include <errno.h>
  26. #include <stdio.h>
  27. #include <string.h>
  28. #include <syslog.h>
  29. #include <sys/types.h>
  30. #include <selinux/flask.h>
  31. #include <selinux/selinux.h>
  32. #include <selinux/context.h>
  33.  
  34. #if defined (HAVE_SECURITY_PAM_EXT_H)
  35. #include <security/pam_ext.h>
  36. #endif
  37.  
  38. #include "public.h"
  39.  
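  /* Decide whether the calling process may operate on the account CHUSER.

     The previous SELinux context of the process is fetched with
     getprevcon().  Access is granted when either
       - the SELinux user component of that context equals CHUSER, or
       - security_compute_av() reports that every permission bit in ACCESS
         is allowed for class SECCLASS_PASSWD, with the previous context
         used as both source and target.

     Returns 0 when access is granted and -1 otherwise.  Every error path
     (no context, unparsable context, failed AV query, NULL CHUSER) returns
     -1, so failures deny rather than allow.

     NOTE(review): the first test compares an SELinux user identity with
     CHUSER.  Presumably CHUSER is the login name of the account being
     changed; where SELinux users are not mapped 1:1 to login names the
     shortcut only fires on a name collision -- confirm against the policy
     in use.  */
  int
  selinux_check_access (const char *chuser, unsigned int access)
  {
    int status = -1;
    security_context_t user_context = NULL;
    context_t c;
    const char *user;

    /* strcmp() on a NULL pointer is undefined; treat it as "deny".  */
    if (chuser == NULL)
      return -1;

    if (getprevcon (&user_context) != 0)
      return -1;

    /* context_new() and context_user_get() can both return NULL (for
       example on allocation failure); neither result may reach strcmp()
       unchecked.  */
    c = context_new (user_context);
    user = (c != NULL) ? context_user_get (c) : NULL;

    if (user == NULL)
      {
        /* The caller's identity could not be determined: keep status at
           -1 and fall through to cleanup.  */
      }
    else if (strcmp (chuser, user) == 0)
      status = 0;
    else
      {
        struct av_decision avd;
        int retval = security_compute_av (user_context,
                                          user_context,
                                          SECCLASS_PASSWD,
                                          access,
                                          &avd);

        /* avd is only meaningful when the query succeeded; require that
           all requested bits are present in the allowed set.  */
        if ((retval == 0) &&
            ((access & avd.allowed) == access))
          status = 0;
      }

    if (c != NULL)
      context_free (c);
    freecon (user_context);
    return status;
  }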
  71.  
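  /* Make newly created files inherit the security context of FILENAME.

     The current file-creation context is stored in *PREV_CONTEXT via
     getfscreatecon(), then the file-creation context is set to the
     context read from FILENAME with getfilecon().

     Returns 0 on success, and also when is_selinux_enabled() reports a
     value <= 0, in which case *PREV_CONTEXT is not written (the caller
     should therefore initialise it before the call).  Returns -1 when
     PREV_CONTEXT is NULL or when any libselinux call fails; failures are
     logged through pam_syslog() at LOG_ERR.

     NOTE(review): is_selinux_enabled() returns a negative value on error,
     which this function treats the same as "disabled" and reports as
     success -- confirm that is the intended policy.

     NOTE(review): if setfscreatecon() fails, the context already stored
     in *PREV_CONTEXT stays allocated; the caller is presumably expected
     to release it (freecon) -- verify against the call sites.  */
  int
  set_default_context (pam_handle_t *pamh, const char *filename,
                       char **prev_context)
  {
    security_context_t scontext = NULL;
    int saved_errno;

    if (is_selinux_enabled () <= 0)
      return 0;

    if (prev_context == NULL)
      return -1;

    if (getfilecon (filename, &scontext) < 0)
      {
        pam_syslog (pamh, LOG_ERR, "couldn't get security context `%s': %s",
                    filename, strerror (errno));
        return -1;
      }

    if (getfscreatecon (prev_context) < 0)
      {
        /* Capture errno before freecon(), which may overwrite it.  */
        saved_errno = errno;
        freecon (scontext);
        pam_syslog (pamh, LOG_ERR, "couldn't get default security context: %s",
                    strerror (saved_errno));
        return -1;
      }

    if (setfscreatecon (scontext) < 0)
      {
        saved_errno = errno;
        /* Log first, free afterwards: the message prints scontext, so
           releasing it before the call would read freed memory.  */
        pam_syslog (pamh, LOG_ERR,
                    "couldn't set default security context to `%s': %s",
                    scontext, strerror (saved_errno));
        freecon (scontext);
        return -1;
      }

    freecon (scontext);

    return 0;
  }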
  112.  
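  /* Set the file-creation context back to PREV_CONTEXT and release it.

     Returns 0 on success or when is_selinux_enabled() reports a value
     <= 0 (in that case nothing is restored or freed).  Returns -1 when
     setfscreatecon() fails; the failure is logged through pam_syslog()
     at LOG_ERR.  PREV_CONTEXT is freed on both the success and the
     failure path.

     PREV_CONTEXT is passed by value, so the caller's own pointer is left
     dangling after this call and must not be used or freed again.  */
  int
  restore_default_context (pam_handle_t *pamh,
                           security_context_t prev_context)
  {
    int retval = 0;

    if (is_selinux_enabled () <= 0)
      return 0;

    if (setfscreatecon (prev_context) < 0)
      {
        int saved_errno = errno;

        /* PREV_CONTEXT may legitimately be NULL; passing NULL to %s is
           undefined, so substitute a printable placeholder.  */
        pam_syslog (pamh, LOG_ERR,
                    "couldn't reset default security context to `%s': %s",
                    prev_context != NULL ? prev_context : "(null)",
                    strerror (saved_errno));
        retval = -1;
      }

    /* The original also assigned NULL to the parameter here; that store
       only touched the local copy and never reached the caller, so it is
       dropped.  */
    if (prev_context != NULL)
      freecon (prev_context);

    return retval;
  }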
  138.  
  139. #endif