From patchwork Mon Jun 20 11:09:51 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petr Lautrbach
X-Patchwork-Id: 9187257
From: Petr Lautrbach
To: selinux@tycho.nsa.gov
Subject: [PATCH] libselinux: add selinux_snapperd_contexts_path()
Date: Mon, 20 Jun 2016 13:09:51 +0200
Message-Id: <1466420991-7209-1-git-send-email-plautrba@redhat.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Snapper needs a way to set a proper selinux context on btrfs
subvolumes originating in snapshot create command. Fs can't handle it on
its own so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts files:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach
---
 libselinux/include/selinux/selinux.h | 1 +
 libselinux/src/file_path_suffixes.h  | 1 +
 libselinux/src/selinux_config.c      | 10 +++++++++-
 libselinux/src/selinux_internal.h    | 1 +
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index 2262086..3d8673f 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h 
@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void); extern const char *selinux_x_context_path(void); extern const char *selinux_sepgsql_context_path(void); extern const char *selinux_openssh_contexts_path(void); +extern const char *selinux_snapperd_contexts_path(void); extern const char *selinux_systemd_contexts_path(void); extern const char *selinux_contexts_path(void); extern const char *selinux_securetty_types_path(void); diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h index d1f9b48..95b228b 100644 --- a/libselinux/src/file_path_suffixes.h +++ b/libselinux/src/file_path_suffixes.h @@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy") S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context") S_(LXC_CONTEXTS, "/contexts/lxc_contexts") S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts") + S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts") S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts") S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist") diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c index bec5f3b..c519a77 100644 --- a/libselinux/src/selinux_config.c +++ b/libselinux/src/selinux_config.c @@ -50,7 +50,8 @@ #define BOOLEAN_SUBS 27 #define OPENSSH_CONTEXTS 28 #define SYSTEMD_CONTEXTS 29 -#define NEL 30 +#define SNAPPERD_CONTEXTS 30 +#define NEL 31 /* Part of one-time lazy init */ static pthread_once_t once = PTHREAD_ONCE_INIT; @@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void) hidden_def(selinux_openssh_contexts_path) +const char *selinux_snapperd_contexts_path(void) +{ + return get_path(SNAPPERD_CONTEXTS); +} + +hidden_def(selinux_snapperd_contexts_path) + const char *selinux_systemd_contexts_path(void) { return get_path(SYSTEMD_CONTEXTS); diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 46566f6..9b9145c 100644 --- a/libselinux/src/selinux_internal.h 
+++ b/libselinux/src/selinux_internal.h @@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy) hidden_proto(selinux_x_context_path) hidden_proto(selinux_sepgsql_context_path) hidden_proto(selinux_openssh_contexts_path) + hidden_proto(selinux_snapperd_contexts_path) hidden_proto(selinux_systemd_contexts_path) hidden_proto(selinux_path) hidden_proto(selinux_check_passwd_access)
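
Review bot: the new public declaration in selinux.h, `extern const char *selinux_snapperd_contexts_path(void);`, has no documentation, and the diffstat lists four files, none of which is a man page or other documentation. The file format and the `snapperd_data` key are described only in the commit message. Please add a comment above the declaration, or a documentation update in the same patch, stating what the returned path points to and which key a consumer should look up, so that callers other than snapper do not have to read the commit log to use it.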
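
Review bot: in file_path_suffixes.h the entry `S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")` is inserted between OPENSSH_CONTEXTS (28) and SYSTEMD_CONTEXTS (29), while selinux_config.c gives SNAPPERD_CONTEXTS the index 30. If anything expanding the S_() list depends on position rather than on the name given as first argument, SYSTEMD_CONTEXTS and every later suffix would resolve to the wrong path. Please confirm that the table is indexed by name, or move the new entry after the SYSTEMD_CONTEXTS line so that the list order matches the numeric order of the defines.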
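
Review bot: selinux_snapperd_contexts_path() in selinux_config.c returns `get_path(SNAPPERD_CONTEXTS)` with nothing to tell the caller whether the file is present, and the commit message has snapper relabel .snapshots according to that file. Please state what a caller is expected to do when the policy in use ships no snapperd_contexts file (skip the relabel, or fail the snapshot). A silent skip would leave the subvolume with whatever label it received at creation, which is the situation this patch sets out to fix.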