Using vendor defined directories for configuration files besides user… #415

Open
wants to merge 1 commit into
base: main
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -135,6 +135,12 @@ This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution. If it breaks, you get to keep both pieces.

A directory for distribution provided configuration files (in e.g. /usr/etc) can be set by:

make VENDORDIR=/usr/etc

If distribution provided configuration files are used, the library libeconf is
needed for parsing these files in the correct order.

## Setting CFLAGS

8 changes: 8 additions & 0 deletions policycoreutils/sestatus/Makefile
Expand Up @@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
ETCDIR ?= /etc
LIBECONFH ?= $(shell test -f /usr/include/libeconf.h && echo y)

CFLAGS ?= -Werror -Wall -W
override CFLAGS += -D_FILE_OFFSET_BITS=64
Expand All @@ -13,6 +14,13 @@ override LDLIBS += -lselinux
all: sestatus

sestatus: sestatus.o
ifdef VENDORDIR
ifneq ($(LIBECONFH), y)
(echo "VENDORDIR defined but libeconf not available."; exit 1)
endif
override CFLAGS += -DVENDORDIR='"${VENDORDIR}"'
override LDLIBS += -leconf
endif

install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
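Review bot: The libeconf check `(echo "VENDORDIR defined but libeconf not available."; exit 1)` sits under `sestatus: sestatus.o`, so it can only run as part of the link recipe, after `sestatus.o` has already been compiled with `-DVENDORDIR` and has failed on the missing `libeconf.h`; the message is unlikely ever to be shown. A parse-time `$(error VENDORDIR defined but libeconf not available)` inside the `ifneq` block, moved above the `sestatus:` rule together with the two `override` lines, would fail early and keep the rule free of conditionals. The probe `test -f /usr/include/libeconf.h` on the `LIBECONFH` line looks at one fixed host path only, which gives the wrong answer for sysroot or cross builds and for a libeconf installed under another prefix. Indentation is lost on this page, so whether the echo line is tab-indented as a recipe line cannot be confirmed from here.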
79 changes: 75 additions & 4 deletions policycoreutils/sestatus/sestatus.c
Expand Up @@ -21,11 +21,16 @@

#define PROC_BASE "/proc"
#define MAX_CHECK 50
#define CONF "/etc/sestatus.conf"
#define CONFDIR "/etc"
#define CONFNAME "sestatus"
#define CONFPOST "conf"
#define CONF CONFDIR "/" CONFNAME "." CONFPOST

/* conf file sections */
#define PROCS "[process]"
#define FILES "[files]"
#define SECTIONPROCS "process"
#define SECTIONFILES "files"
#define PROCS "[" SECTIONPROCS "]"
#define FILES "[" SECTIONFILES "]"

/* buffer size for cmp_cmdline */
#define BUFSIZE 255
Expand Down Expand Up @@ -92,9 +97,75 @@ static int pidof(const char *command)
return ret;
}

static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
#ifdef VENDORDIR
#include <libeconf.h>

static void load_checks_with_vendor_settings(char *pc[], int *npc, char *fc[], int *nfc)
{
econf_file *key_file = NULL;
econf_err error;
char **keys;
size_t key_number;

error = econf_readDirs (&key_file,
VENDORDIR,
CONFDIR,
CONFNAME,
CONFPOST,
"", "#");
if (error != ECONF_SUCCESS) {
printf("\nCannot read settings %s.%s: %s\n",
CONFNAME,
CONFPOST,
econf_errString( error ));
return;
}

error = econf_getKeys(key_file, SECTIONPROCS, &key_number, &keys);
if (error != ECONF_SUCCESS) {
printf("\nCannot read group %s: %s\n",
SECTIONPROCS,
econf_errString( error ));
} else {
for (size_t i = 0; i < key_number; i++) {
if (*npc >= MAX_CHECK)
break;
pc[*npc] = strdup(keys[i]);
if (!pc[*npc])
break;
(*npc)++;
}
econf_free (keys);
}

error = econf_getKeys(key_file, SECTIONFILES, &key_number, &keys);
if (error != ECONF_SUCCESS) {
printf("\nCannot read group %s: %s\n",
SECTIONFILES,
econf_errString( error ));
} else {
for (size_t i = 0; i < key_number; i++) {
if (*nfc >= MAX_CHECK)
break;
fc[*nfc] = strdup(keys[i]);
if (!fc[*nfc])
break;
(*nfc)++;
}
econf_free (keys);
}

econf_free (key_file);
return;
}
#endif

static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
{
#ifdef VENDORDIR
load_checks_with_vendor_settings(pc, npc, fc, nfc);
return;
#endif
FILE *fp = fopen(CONF, "r");
char buf[255], *bufp;
int buf_len, section = -1;
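Review bot: In `load_checks` the vendor path is selected with `load_checks_with_vendor_settings(pc, npc, fc, nfc); return;` inside `#ifdef VENDORDIR`, so a VENDORDIR build still compiles the whole legacy parser, starting at `FILE *fp = fopen(CONF, "r");`, as unreachable code behind an unconditional return. Putting `#else` before the `fopen` declaration, with the matching `#endif` at the end of the function body (which continues outside this hunk), would keep exactly one parser per build. In `load_checks_with_vendor_settings`, a failed `econf_getKeys`, a failed `strdup` and the `MAX_CHECK` cap all leave the lists short with at most a `printf` to stdout, so the caller cannot tell a truncated check list from a complete one; since the function is `void`, a header comment such as `/* best effort: on error pc/fc are left partially filled */` would at least record that. `econf_readDirs` presumably also merges drop-in files found under both `VENDORDIR` and `CONFDIR`, which widens the set of files that decide what sestatus reports; that is worth confirming and documenting together with the expectation that these directories are writable by root only.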
2 changes: 1 addition & 1 deletion policycoreutils/sestatus/sestatus.conf.5
Expand Up @@ -8,7 +8,7 @@ The \fIsestatus.conf\fR file is used by the \fBsestatus\fR(8) command with the \
.sp
The fully qualified path name of the configuration file is:
.RS
\fI/etc/sestatus.conf\fR
\fI/etc/sestatus.conf\fR or \fI<vendordir>/sestatus.conf\fR if it is not available
.RE
.RE
.sp