mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

unix_integration: also check running SELinux mode (#1704)

Browse source 
For kanidm_unixd_tasks, check the current SELinux mode in addition to
kernel support. If SELinux is disabled at runtime, any attempts to query
the policy will fail, so also disable SELinux features if this is the
case.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
This commit is contained in:
Kenton Groombridge 2023-06-13 18:58:26 -04:00 committed by GitHub
parent cc5f21eee5
commit 3c421c240d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
unix_integration/src/selinux_util.rs
View file

@ -1,9 +1,19 @@
use std::ffi::CString; use std::ffi::CString;
use selinux::{kernel_support, label::back_end::File, label::Labeler, KernelSupport}; use selinux::{
current_mode, kernel_support, label::back_end::File, label::Labeler, KernelSupport, SELinuxMode,
};
pub fn supported() -> bool { pub fn supported() -> bool {
return !matches!(kernel_support(), KernelSupport::Unsupported); // check if the running kernel has SELinux support
if matches!(kernel_support(), KernelSupport::Unsupported) {
return false;
}
// check if SELinux is actually running
match current_mode() {
SELinuxMode::Permissive | SELinuxMode::Enforcing => true,
_ => false,
}
} }
pub fn get_labeler() -> Result<Labeler<File>, String> { pub fn get_labeler() -> Result<Labeler<File>, String> {