libsemanage: Add function to turn off file contexts validation
This patch adds a function to turn off file contexts validation. We need this for cross-installs in rpm, where we install policy into a chroot that has binaries of a different architecture which cannot be executed on the build system. So, we would like to use this function to disable executing setfiles. This of course means the file contexts could be invalid, but we're willing to take that risk. Signed-off-by: Chad Sellers <csellers@tresys.com>
This commit is contained in:
parent
7d19f9df51
commit
bd74c23c7b
5 changed files with 18 additions and 1 deletions
|
@ -75,6 +75,9 @@ int semanage_get_disable_dontaudit(semanage_handle_t * handle);
|
|||
/* Set whether or not to disable dontaudits upon commit */
|
||||
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
|
||||
|
||||
/* Set whether or not to execute setfiles to check file contexts upon commit */
|
||||
void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts);
|
||||
|
||||
/* Check whether policy is managed via libsemanage on this system.
|
||||
* Must be called prior to trying to connect.
|
||||
* Return 1 if policy is managed via libsemanage on this system,
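Review bot: The new header comment on `semanage_set_check_contexts` says what the flag controls but not its default or the consequence of clearing it, which is the part a caller disabling a validation step needs to see. I would extend it to `/* Set whether or not to execute setfiles to check the file contexts file upon commit. Enabled by default; when disabled, file_contexts is committed without validation, so a malformed file goes into the store unnoticed. */`. The neighbouring API exposes both `semanage_get_disable_dontaudit` and its setter, whereas this patch adds only a setter; if callers ever need to read the current setting back, a matching getter would keep the interface symmetric. The `LIBSEMANAGE_1.0` map section of this commit exports only the setter, so such a getter would need exporting there as well.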
|
||||
|
|
|
@ -66,6 +66,9 @@ semanage_handle_t *semanage_handle_create(void)
|
|||
/* By default always reload policy after commit if SELinux is enabled. */
|
||||
sh->do_reload = (is_selinux_enabled() > 0);
|
||||
|
||||
/* By default always check the file contexts file. */
|
||||
sh->do_check_contexts = 1;
|
||||
|
||||
/* By default do not create store */
|
||||
sh->create_store = 0;
|
||||
|
||||
|
@ -125,6 +128,15 @@ void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudi
|
|||
return;
|
||||
}
|
||||
|
||||
void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts)
|
||||
{
|
||||
|
||||
assert(sh != NULL);
|
||||
|
||||
sh->do_check_contexts = do_check_contexts;
|
||||
return;
|
||||
}
|
||||
|
||||
int semanage_is_connected(semanage_handle_t * sh)
|
||||
{
|
||||
assert(sh != NULL);
|
||||
|
|
|
@ -62,6 +62,7 @@ struct semanage_handle {
|
|||
int modules_modified;
|
||||
int create_store; /* whether to create the store if it does not exist
|
||||
* this will only have an effect on direct connections */
|
||||
int do_check_contexts; /* whether to run setfiles check the file contexts file */
|
||||
|
||||
/* This timeout is used for transactions and waiting for lock
|
||||
-1 means wait indefinetely
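Review bot: The comment on the new `do_check_contexts` field is missing a word ("whether to run setfiles check the file contexts file") and does not record the default, which is the thing a reader of the struct will want. I would write it as `int do_check_contexts; /* whether to run setfiles to validate the file contexts file at commit; set to 1 in semanage_handle_create */`, with the default reflected from the `sh->do_check_contexts = 1;` line this commit adds to the constructor. The `struct semanage_handle` definition starts and ends outside this hunk.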
|
||||
|
|
|
@ -17,5 +17,6 @@ LIBSEMANAGE_1.0 {
|
|||
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
|
||||
semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
|
||||
semanage_mls_enabled;
|
||||
semanage_set_check_contexts;
|
||||
local: *;
|
||||
};
|
||||
|
|
|
@ -1149,7 +1149,7 @@ static int semanage_install_active(semanage_handle_t * sh)
|
|||
|
||||
skip_reload:
|
||||
|
||||
if ((r =
|
||||
if (sh->do_check_contexts && (r =
|
||||
semanage_exec_prog(sh, sh->conf->setfiles, store_pol,
|
||||
store_fc)) != 0) {
|
||||
ERR(sh, "setfiles returned error code %d.", r);
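Review bot: When `sh->do_check_contexts` is 0 the new condition silently bypasses both the setfiles run and its `ERR` path, so a commit that installed an unvalidated file_contexts leaves no trace in the log and is indistinguishable afterwards from a validated one; given the commit message accepts that the file "could be invalid", the skip should at least be announced. I would add an `else` arm such as `else { WARN(sh, "file contexts validation skipped (check_contexts disabled)"); }` — using whatever non-fatal message macro handle.h provides alongside `ERR`, which this hunk does not show. Note also that `r` is no longer assigned on the skipped path, so any later read of `r` in `semanage_install_active` must not assume setfiles ran; the function body continues outside this hunk, so I cannot confirm whether it does.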
|
||||
|
|