From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Fri, 22 Feb 2008 20:33:00 +0000 (+0000)
Subject: Ignore setexeccon() failing in permissive mode.  Also add a
X-Git-Tag: SUDO_1_7_0~176
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9c3a47892bcf5c3417916592f67432d695472b71;p=sudo

Ignore setexeccon() failing in permissive mode.  Also add a
call to setkeycreatecon() (though this is probably insufficient).
From Dan Walsh.
---

diff --git a/selinux.c b/selinux.c
index 202e233e3..a8fec790e 100644
--- a/selinux.c
+++ b/selinux.c
@@ -103,21 +103,16 @@ skip_relabel:
  */
 static int
 relabel_tty(const char *ttyn, security_context_t new_context,
-    security_context_t * tty_context, security_context_t * new_tty_context)
+    security_context_t * tty_context, security_context_t * new_tty_context,
+    int enforcing)
 {
     int fd;
-    int enforcing = security_getenforce();
     security_context_t tty_con = NULL;
     security_context_t new_tty_con = NULL;
 
     if (!ttyn)
 	return(0);
 
-    if (enforcing < 0) {
-	warningx("unable to determine enforcing mode.");
-	return(-1);
-    }
-
     /* Re-open TTY descriptor */
     fd = open(ttyn, O_RDWR | O_NONBLOCK);
     if (fd == -1) {
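Review bot: The new `enforcing` parameter of relabel_tty is undocumented, and the `enforcing < 0` rejection that used to live here has moved to the caller, so the function now trusts whatever value it is handed; the header comment that closes at the top of this hunk should state that contract, e.g. `enforcing: result of security_getenforce(), already validated (>= 0) by the caller; 0 means permissive`. The comment body and the remainder of relabel_tty, where enforcing is presumably consulted, are outside the hunk.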
@@ -238,7 +233,7 @@ selinux_exec(char *role, char *type, char **argv, int login_shell)
     security_context_t tty_context = NULL;
     security_context_t new_tty_context = NULL;
     pid_t childPid;
-    int ttyfd;
+    int enforcing, ttyfd;
 
     /* Must have a tty. */
     if (user_ttypath == NULL || *user_ttypath == '\0')
@@ -247,6 +242,11 @@ selinux_exec(char *role, char *type, char **argv, int login_shell)
     /* Store the caller's SID in old_context. */
     if (getprevcon(&old_context))
 	error(EXIT_FAILURE, "failed to get old_context");
+
+    enforcing = security_getenforce();
+    if (enforcing < 0)
+	error(EXIT_FAILURE, "unable to determine enforcing mode.");
+
     
 #ifdef DEBUG
     warningx("your old context was %s", old_context);
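Review bot: The added blank line sits directly before an existing whitespace-only line, leaving two consecutive blank lines (one with trailing spaces) between the new enforcing check and `#ifdef DEBUG`; drop one of them. The new message `"unable to determine enforcing mode."` also ends with a period while the sibling `error(EXIT_FAILURE, "failed to get old_context")` in the same hunk does not, so the two fatal messages in selinux_exec now follow different conventions. The declaration of `enforcing` is in the preceding hunk.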
@@ -256,7 +256,7 @@ selinux_exec(char *role, char *type, char **argv, int login_shell)
 	exit(EXIT_FAILURE);
     
     ttyfd = relabel_tty(user_ttypath, new_context, &tty_context,
-	&new_tty_context);
+	&new_tty_context, enforcing);
     if (ttyfd < 0)
 	error(EXIT_FAILURE, "unable to setup tty context for %s", new_context);
 
@@ -313,7 +313,14 @@ selinux_exec(char *role, char *type, char **argv, int login_shell)
 
     if (setexeccon(new_context)) {
 	warning("unable to set exec context to %s", new_context);
-	goto error;
+	if (enforcing)
+	    goto error;
+    }
+
+    if (setkeycreatecon(new_context)) {
+	warning("unable to set key creation context to %s", new_context);
+	if (enforcing)
+	    goto error;
     }
 
 #ifdef WITH_AUDIT
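Review bot: Continuing past a failed setexeccon() in permissive mode means the command is executed in the caller's current context rather than new_context, with only a warning as evidence; that consequence deserves a comment on the `if (enforcing)` so a later reader does not "fix" it back into an unconditional goto or drop the warning, e.g. `/* permissive mode: log and run in the current context; enforcing: refuse */`. The new setkeycreatecon() block is fatal in enforcing mode, so on any system where the key-creation context cannot be set this turns every exec through selinux_exec into a hard failure; since the commit message itself calls the call "probably insufficient", a comment stating what it is meant to cover and that it does not replace the exec context would help. The error: label and the rest of selinux_exec are outside the hunk.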