98fd24d6b4
In case there are errors when committing changes to booleans, the errors may not be reported to user except by nonzero exit status. With "setsebool -V" it's possible to see errors from commit phase, but otherwise the unfixed command is silent: # setsebool -V -P secure_mode_insmod=off libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system). libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system). Fixed version alerts the user about problems even without -V: # setsebool -P secure_mode_insmod=off Failed to commit changes to booleans: Read-only file system Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
311 lines
6.7 KiB
C
311 lines
6.7 KiB
C
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
#include <syslog.h>
|
|
#include <getopt.h>
|
|
#include <pwd.h>
|
|
#include <selinux/selinux.h>
|
|
#include <semanage/handle.h>
|
|
#include <semanage/debug.h>
|
|
#include <semanage/booleans_policy.h>
|
|
#include <semanage/booleans_local.h>
|
|
#include <semanage/booleans_active.h>
|
|
#include <semanage/boolean_record.h>
|
|
#include <errno.h>
|
|
|
|
int permanent = 0;
|
|
int no_reload = 0;
|
|
int verbose = 0;
|
|
|
|
int setbool(char **list, size_t start, size_t end);
|
|
|
|
static __attribute__((__noreturn__)) void usage(void)
|
|
{
|
|
fputs
|
|
("\nUsage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...\n\n",
|
|
stderr);
|
|
exit(1);
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
size_t rc;
|
|
int clflag; /* holds codes for command line flags */
|
|
if (argc < 2)
|
|
usage();
|
|
|
|
while (1) {
|
|
clflag = getopt(argc, argv, "PNV");
|
|
if (clflag == -1)
|
|
break;
|
|
|
|
switch (clflag) {
|
|
case 'P':
|
|
permanent = 1;
|
|
break;
|
|
case 'N':
|
|
no_reload = 1;
|
|
break;
|
|
case 'V':
|
|
verbose = 1;
|
|
break;
|
|
default:
|
|
usage();
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (argc - optind < 1) {
|
|
fprintf(stderr, "Error: boolean name required\n");
|
|
usage();
|
|
}
|
|
|
|
/* Check to see which way we are being called. If a '=' is passed,
|
|
we'll enforce the list syntax. If not we'll enforce the original
|
|
syntax for backward compatibility. */
|
|
if (strchr(argv[optind], '=') == 0) {
|
|
int len;
|
|
char *bool_list[1];
|
|
|
|
if ((argc - optind) != 2)
|
|
usage();
|
|
|
|
/* Add 1 for the '=' */
|
|
len = strlen(argv[optind]) + strlen(argv[optind + 1]) + 2;
|
|
bool_list[0] = (char *)malloc(len);
|
|
if (bool_list[0] == NULL) {
|
|
fputs("Out of memory - aborting\n", stderr);
|
|
return 1;
|
|
}
|
|
snprintf(bool_list[0], len, "%s=%s", argv[optind],
|
|
argv[optind + 1]);
|
|
rc = setbool(bool_list, 0, 1);
|
|
free(bool_list[0]);
|
|
} else
|
|
rc = setbool(argv, optind, argc);
|
|
|
|
return rc;
|
|
}
|
|
|
|
/* Apply temporal boolean changes to policy via libselinux */
|
|
static int selinux_set_boolean_list(size_t boolcnt,
|
|
SELboolean * boollist)
|
|
{
|
|
|
|
if (security_set_boolean_list(boolcnt, boollist, 0)) {
|
|
if (errno == ENOENT)
|
|
fprintf(stderr, "Could not change active booleans: "
|
|
"Invalid boolean\n");
|
|
else if (errno) {
|
|
if (getuid() == 0) {
|
|
perror("Could not change active booleans");
|
|
} else {
|
|
perror("Could not change active booleans. Please try as root");
|
|
}
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Apply permanent boolean changes to policy via libsemanage */
|
|
static int semanage_set_boolean_list(size_t boolcnt,
|
|
SELboolean * boollist)
|
|
{
|
|
|
|
size_t j;
|
|
semanage_handle_t *handle = NULL;
|
|
semanage_bool_t *boolean = NULL;
|
|
semanage_bool_key_t *bool_key = NULL;
|
|
int managed;
|
|
int result;
|
|
int enabled = is_selinux_enabled();
|
|
|
|
handle = semanage_handle_create();
|
|
if (handle == NULL) {
|
|
fprintf(stderr, "Could not create semanage library handle\n");
|
|
goto err;
|
|
}
|
|
|
|
if (!verbose) {
|
|
semanage_msg_set_callback(handle, NULL, NULL);
|
|
}
|
|
|
|
managed = semanage_is_managed(handle);
|
|
if (managed < 0) {
|
|
fprintf(stderr,
|
|
"Error when checking whether policy is managed\n");
|
|
goto err;
|
|
|
|
} else if (managed == 0) {
|
|
if (getuid() == 0) {
|
|
fprintf(stderr,
|
|
"Cannot set persistent booleans without managed policy.\n");
|
|
} else {
|
|
fprintf(stderr,
|
|
"Cannot set persistent booleans, please try as root.\n");
|
|
}
|
|
goto err;
|
|
}
|
|
|
|
if (semanage_connect(handle) < 0)
|
|
goto err;
|
|
|
|
if (semanage_begin_transaction(handle) < 0)
|
|
goto err;
|
|
|
|
for (j = 0; j < boolcnt; j++) {
|
|
|
|
if (semanage_bool_create(handle, &boolean) < 0)
|
|
goto err;
|
|
|
|
if (semanage_bool_set_name(handle, boolean, boollist[j].name) <
|
|
0)
|
|
goto err;
|
|
|
|
semanage_bool_set_value(boolean, boollist[j].value);
|
|
|
|
if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
|
|
goto err;
|
|
|
|
semanage_bool_exists(handle, bool_key, &result);
|
|
if (!result) {
|
|
semanage_bool_exists_local(handle, bool_key, &result);
|
|
if (!result) {
|
|
fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (semanage_bool_modify_local(handle, bool_key,
|
|
boolean) < 0)
|
|
goto err;
|
|
|
|
if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
|
|
fprintf(stderr, "Failed to change boolean %s: %m\n",
|
|
boollist[j].name);
|
|
goto err;
|
|
}
|
|
semanage_bool_key_free(bool_key);
|
|
semanage_bool_free(boolean);
|
|
bool_key = NULL;
|
|
boolean = NULL;
|
|
}
|
|
|
|
if (no_reload)
|
|
semanage_set_reload(handle, 0);
|
|
if (semanage_commit(handle) < 0) {
|
|
fprintf(stderr, "Failed to commit changes to booleans: %m\n");
|
|
goto err;
|
|
}
|
|
|
|
semanage_disconnect(handle);
|
|
semanage_handle_destroy(handle);
|
|
return 0;
|
|
|
|
err:
|
|
semanage_bool_key_free(bool_key);
|
|
semanage_bool_free(boolean);
|
|
semanage_handle_destroy(handle);
|
|
return -1;
|
|
}
|
|
|
|
/* Given an array of strings in the form "boolname=value", a start index,
|
|
and a finish index...walk the list and set the bool. */
|
|
int setbool(char **list, size_t start, size_t end)
|
|
{
|
|
char *name, *value_ptr;
|
|
int j = 0, value;
|
|
size_t i = start;
|
|
size_t boolcnt = end - start;
|
|
struct passwd *pwd;
|
|
SELboolean *vallist = calloc(boolcnt, sizeof(SELboolean));
|
|
if (!vallist)
|
|
goto omem;
|
|
|
|
while (i < end) {
|
|
name = list[i];
|
|
value_ptr = strchr(list[i], '=');
|
|
if (value_ptr == NULL) {
|
|
fprintf(stderr,
|
|
"setsebool: '=' not found in boolean expression %s\n",
|
|
list[i]);
|
|
goto err;
|
|
}
|
|
*value_ptr = '\0';
|
|
value_ptr++;
|
|
if (strcmp(value_ptr, "1") == 0 ||
|
|
strcasecmp(value_ptr, "true") == 0 ||
|
|
strcasecmp(value_ptr, "on") == 0)
|
|
value = 1;
|
|
else if (strcmp(value_ptr, "0") == 0 ||
|
|
strcasecmp(value_ptr, "false") == 0 ||
|
|
strcasecmp(value_ptr, "off") == 0)
|
|
value = 0;
|
|
else {
|
|
fprintf(stderr, "setsebool: illegal value "
|
|
"%s for boolean %s\n", value_ptr, name);
|
|
goto err;
|
|
}
|
|
|
|
vallist[j].value = value;
|
|
vallist[j].name = strdup(name);
|
|
if (!vallist[j].name)
|
|
goto omem;
|
|
i++;
|
|
j++;
|
|
|
|
/* Now put it back */
|
|
value_ptr--;
|
|
*value_ptr = '=';
|
|
}
|
|
|
|
if (permanent) {
|
|
if (semanage_set_boolean_list(boolcnt, vallist) < 0)
|
|
goto err;
|
|
} else {
|
|
if (selinux_set_boolean_list(boolcnt, vallist) < 0)
|
|
goto err;
|
|
}
|
|
|
|
/* Now log what was done */
|
|
pwd = getpwuid(getuid());
|
|
i = start;
|
|
while (i < end) {
|
|
name = list[i];
|
|
value_ptr = strchr(name, '=');
|
|
*value_ptr = '\0';
|
|
value_ptr++;
|
|
if (pwd && pwd->pw_name)
|
|
syslog(LOG_NOTICE,
|
|
"The %s policy boolean was changed to %s by %s",
|
|
name, value_ptr, pwd->pw_name);
|
|
else
|
|
syslog(LOG_NOTICE,
|
|
"The %s policy boolean was changed to %s by uid:%d",
|
|
name, value_ptr, getuid());
|
|
i++;
|
|
}
|
|
|
|
for (i = 0; i < boolcnt; i++)
|
|
free(vallist[i].name);
|
|
free(vallist);
|
|
return 0;
|
|
|
|
omem:
|
|
fprintf(stderr, "setsebool: out of memory");
|
|
|
|
err:
|
|
if (vallist) {
|
|
for (i = 0; i < boolcnt; i++)
|
|
free(vallist[i].name);
|
|
free(vallist);
|
|
}
|
|
return -1;
|
|
}
|