kanidm/unix_integration/src/selinux_util.rs

use std::ffi::CString;

use selinux::{
    current_mode, kernel_support, label::back_end::File, label::Labeler, KernelSupport, SELinuxMode,
};

pub fn supported() -> bool {
    // check if the running kernel has SELinux support
    if matches!(kernel_support(), KernelSupport::Unsupported) {
        return false;
    }
    // check if SELinux is actually running
    match current_mode() {
        SELinuxMode::Permissive | SELinuxMode::Enforcing => true,
        _ => false,
    }
}

pub fn get_labeler() -> Result<Labeler<File>, String> {
    if let Ok(v) = Labeler::new(&[], true) {
        Ok(v)
    } else {
        Err("Failed getting handle for SELinux labeling".to_string())
    }
}

pub fn do_setfscreatecon_for_path(
    path_raw: &String,
    labeler: &Labeler<File>,
) -> Result<(), String> {
    match labeler.look_up(&CString::new(path_raw.to_owned()).unwrap(), 0) {
        Ok(context) => {
            if let Err(_) = context.set_for_new_file_system_objects(true) {
                return Err("Failed setting creation context home directory path".to_string());
            }
            Ok(())
        }
        Err(_) => {
            return Err("Failed looking up default context for home directory path".to_string());
        }
    }
}
SELinux support for kanidm-unixd-tasks daemon (#1661) * selinux is an optional feature * unix_integration: add selinux config option On SELinux systems, this setting controls whether SELinux relabeling of newly created home directories should be performed. The default value of this is on (even on non-SELinux systems), but the tasks daemon will perform an additional runtime check for SELinux support and will disable this feature automatically if this check fails. * unix_integration: wire up home dir selinux labeling * unix_integration: create equivalence rules in SELinux policy for aliases * book: document selinux setting * Add myself to CONTRIBUTORS.md Signed-off-by: Kenton Groombridge <concord@gentoo.org> 2023-05-30 11:51:12 +02:00			`use std::ffi::CString;`

unix_integration: also check running SELinux mode (#1704) For kanidm_unixd_tasks, check the current SELinux mode in addition to kernel support. If SELinux is disabled at runtime, any attempts to query the policy will fail, so also disable SELinux features if this is the case. Signed-off-by: Kenton Groombridge <concord@gentoo.org> 2023-06-14 00:58:26 +02:00			`use selinux::{`
			`current_mode, kernel_support, label::back_end::File, label::Labeler, KernelSupport, SELinuxMode,`
			`};`
SELinux support for kanidm-unixd-tasks daemon (#1661) * selinux is an optional feature * unix_integration: add selinux config option On SELinux systems, this setting controls whether SELinux relabeling of newly created home directories should be performed. The default value of this is on (even on non-SELinux systems), but the tasks daemon will perform an additional runtime check for SELinux support and will disable this feature automatically if this check fails. * unix_integration: wire up home dir selinux labeling * unix_integration: create equivalence rules in SELinux policy for aliases * book: document selinux setting * Add myself to CONTRIBUTORS.md Signed-off-by: Kenton Groombridge <concord@gentoo.org> 2023-05-30 11:51:12 +02:00
			`pub fn supported() -> bool {`
unix_integration: also check running SELinux mode (#1704) For kanidm_unixd_tasks, check the current SELinux mode in addition to kernel support. If SELinux is disabled at runtime, any attempts to query the policy will fail, so also disable SELinux features if this is the case. Signed-off-by: Kenton Groombridge <concord@gentoo.org> 2023-06-14 00:58:26 +02:00			`// check if the running kernel has SELinux support`
			`if matches!(kernel_support(), KernelSupport::Unsupported) {`
			`return false;`
			`}`
			`// check if SELinux is actually running`
			`match current_mode() {`
			`SELinuxMode::Permissive \| SELinuxMode::Enforcing => true,`
			`_ => false,`
			`}`
SELinux support for kanidm-unixd-tasks daemon (#1661) * selinux is an optional feature * unix_integration: add selinux config option On SELinux systems, this setting controls whether SELinux relabeling of newly created home directories should be performed. The default value of this is on (even on non-SELinux systems), but the tasks daemon will perform an additional runtime check for SELinux support and will disable this feature automatically if this check fails. * unix_integration: wire up home dir selinux labeling * unix_integration: create equivalence rules in SELinux policy for aliases * book: document selinux setting * Add myself to CONTRIBUTORS.md Signed-off-by: Kenton Groombridge <concord@gentoo.org> 2023-05-30 11:51:12 +02:00			`}`

			`pub fn get_labeler() -> Result<Labeler<File>, String> {`
			`if let Ok(v) = Labeler::new(&[], true) {`
			`Ok(v)`
			`} else {`
			`Err("Failed getting handle for SELinux labeling".to_string())`
			`}`
			`}`

			`pub fn do_setfscreatecon_for_path(`
			`path_raw: &String,`
			`labeler: &Labeler<File>,`
			`) -> Result<(), String> {`
			`match labeler.look_up(&CString::new(path_raw.to_owned()).unwrap(), 0) {`
			`Ok(context) => {`
			`if let Err(_) = context.set_for_new_file_system_objects(true) {`
			`return Err("Failed setting creation context home directory path".to_string());`
			`}`
			`Ok(())`
			`}`
			`Err(_) => {`
			`return Err("Failed looking up default context for home directory path".to_string());`
			`}`
			`}`
			`}`