7 files changed, 300 insertions, 0 deletions
diff --git a/selinux/Config.in b/selinux/Config.in
new file mode 100644
index 000000000..b078ee59e
--- /dev/null
+++ b/selinux/Config.in
@@ -0,0 +1,47 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+menu "Selinux Utilities"
+        depends on SELINUX
+config GETENFORCE
+        bool "getenforce"
+        default n
+        depends on SELINUX
+        help
+          Enable support to get the current mode of SELinux.
+config GETSEBOOL
+        bool "getsebool"
+        default n
+        depends on SELINUX
+        help
+          Enable support to get SELinux boolean values.
+config MATCHPATHCON
+        bool "matchpathcon"
+        default n
+        depends on SELINUX
+        help
+          Enable support to get default security context of the
+          specified path from the file contexts configuration.
+config SELINUXENABLED
+        bool "selinuxenabled"
+        default n
+        depends on SELINUX
+        help
+          Enable support for this command to be used within shell scripts
+          to determine if selinux is enabled.
+config SETENFORCE
+        bool "setenforce"
+        default n
+        depends on SELINUX
+        help
+          Enable support to modify the mode SELinux is running in.
+endmenu
diff --git a/selinux/Kbuild b/selinux/Kbuild
new file mode 100644
index 000000000..8371df8e4
--- /dev/null
+++ b/selinux/Kbuild
@@ -0,0 +1,13 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+lib-y:=
+lib-$(CONFIG_GETENFORCE)        += getenforce.o
+lib-$(CONFIG_GETSEBOOL)         += getsebool.o
+lib-$(CONFIG_MATCHPATHCON)      += matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED)    += selinuxenabled.o
+lib-$(CONFIG_SETENFORCE)        += setenforce.o
diff --git a/selinux/getenforce.c b/selinux/getenforce.c
new file mode 100644
index 000000000..e240e4dca
--- /dev/null
+++ b/selinux/getenforce.c
@@ -0,0 +1,33 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+int getenforce_main(int argc, char **argv)
+{
+        int rc;
+        rc = is_selinux_enabled();
+        if (rc < 0)
+                bb_error_msg_and_die("is_selinux_enabled() failed");
+        if (rc == 1) {
+                rc = security_getenforce();
+                if (rc < 0)
+                        bb_error_msg_and_die("getenforce() failed");
+                if (rc)
+                        puts("Enforcing");
+                else
+                        puts("Permissive");
+        } else {
+                puts("Disabled");
+        }
+        return 0;
+}
diff --git a/selinux/getsebool.c b/selinux/getsebool.c
new file mode 100644
index 000000000..d593937ba
--- /dev/null
+++ b/selinux/getsebool.c
@@ -0,0 +1,65 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+int getsebool_main(int argc, char **argv)
+{
+        int i, rc = 0, active, pending, len = 0;
+        char **names;
+        unsigned opt;
+        selinux_or_die();
+        opt = getopt32(argc, argv, "a");
+        if (opt) { /* -a */
+                if (argc > 2)
+                        bb_show_usage();
+                rc = security_get_boolean_names(&names, &len);
+                if (rc)
+                        bb_perror_msg_and_die("cannot get boolean names");
+                if (!len) {
+                        puts("No booleans");
+                        return 0;
+                }
+        }
+        if (!len) {
+                if (argc < 2)
+                        bb_show_usage();
+                len = argc - 1;
+                names = xmalloc(sizeof(char *) * len);
+                for (i = 0; i < len; i++)
+                        names[i] = xstrdup(argv[i + 1]);
+        }
+        for (i = 0; i < len; i++) {
+                active = security_get_boolean_active(names[i]);
+                if (active < 0) {
+                        bb_error_msg_and_die("error getting active value for %s", names[i]);
+                }
+                pending = security_get_boolean_pending(names[i]);
+                if (pending < 0) {
+                        bb_error_msg_and_die("error getting pending value for %s", names[i]);
+                }
+                printf("%s --> %s", names[i], (active ? "on" : "off"));
+                if (pending != active)
+                        printf(" pending: %s", (pending ? "on" : "off"));
+                putchar('\n');
+        }
+        if (ENABLE_FEATURE_CLEAN_UP) {
+                for (i = 0; i < len; i++)
+                        free(names[i]);
+                free(names);
+        }
+        return rc;
+}
diff --git a/selinux/matchpathcon.c b/selinux/matchpathcon.c
new file mode 100644
index 000000000..4fa95b0ef
--- /dev/null
+++ b/selinux/matchpathcon.c
@@ -0,0 +1,85 @@
+/* matchpathcon  -  get the default security context for the specified
+ *                  path from the file contexts configuration.
+ *                  based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+static int print_matchpathcon(char *path, int noprint)
+{
+        char *buf;
+        int rc = matchpathcon(path, 0, &buf);
+        if (rc < 0) {
+                bb_perror_msg("matchpathcon(%s) failed", path);
+                return 1;
+        }
+        if (!noprint)
+                printf("%s\t%s\n", path, buf);
+        else
+                printf("%s\n", buf);
+        freecon(buf);
+        return 0;
+}
+#define OPT_NOT_PRINT   (1<<0)  /* -n */
+#define OPT_NOT_TRANS   (1<<1)  /* -N */
+#define OPT_FCONTEXT    (1<<2)  /* -f */
+#define OPT_PREFIX      (1<<3)  /* -p */
+#define OPT_VERIFY      (1<<4)  /* -V */
+int matchpathcon_main(int argc, char **argv)
+{
+        int error = 0;
+        unsigned opts;
+        char *fcontext, *prefix, *path;
+        opt_complementary = "-1:" /* at least one param reqd */
+                "f--p:p--f"; /* mutually exclusive */
+        opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+        argv += optind;
+        if (opts & OPT_NOT_TRANS) {
+                set_matchpathcon_flags(NOTRANS);
+        }
+        if (opts & OPT_FCONTEXT) {
+                if (matchpathcon_init(fcontext))
+                        bb_perror_msg_and_die("error while processing %s", fcontext);
+        }
+        if (opts & OPT_PREFIX) {
+                if (matchpathcon_init_prefix(NULL, prefix))
+                        bb_perror_msg_and_die("error while processing %s", prefix);
+        }
+        while((path = *argv++) != NULL) {
+                security_context_t con;
+                int rc;
+                if (!(opts & OPT_VERIFY)) {
+                        error += print_matchpathcon(path, opt & OPT_NOT_PRINT);
+                        continue;
+                }
+                if (selinux_file_context_verify(path, 0)) {
+                        printf("%s verified\n", path);
+                        continue;
+                }
+                if (opts & OPT_NOT_TRANS)
+                        rc = lgetfilecon_raw(path, &con);
+                else
+                        rc = lgetfilecon(path, &con);
+                if (rc >= 0) {
+                        printf("%s has context %s, should be ", path, con);
+                        error += print_matchpathcon(path, 1);
+                        freecon(con);
+                        continue;
+                }
+                printf("actual context unknown: %s, should be ", strerror(errno));
+                error += print_matchpathcon(path, 1);
+        }
+        matchpathcon_fini();
+        return error;
+}
diff --git a/selinux/selinuxenabled.c b/selinux/selinuxenabled.c
new file mode 100644
index 000000000..b34228098
--- /dev/null
+++ b/selinux/selinuxenabled.c
@@ -0,0 +1,13 @@
+/*
+ * selinuxenabled
+ * 
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+int selinuxenabled_main(int argc, char **argv)
+{
+        return !is_selinux_enabled();
+}
diff --git a/selinux/setenforce.c b/selinux/setenforce.c
new file mode 100644
index 000000000..670e30086
--- /dev/null
+++ b/selinux/setenforce.c
@@ -0,0 +1,44 @@
+/*
+ * setenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+static const smallint setenforce_mode[] = {
+        0,
+        1,
+        0,
+        1,
+};
+static const char *const setenforce_cmd[] = {
+        "0",
+        "1",
+        "permissive",
+        "enforcing",
+        NULL,
+};
+int setenforce_main(int argc, char **argv)
+{
+        int i, rc;
+        if (argc != 2)
+                bb_show_usage();
+        selinux_or_die();
+        for (i = 0; setenforce_cmd[i]; i++) {
+                if (strcasecmp(argv[1], setenforce_cmd[i]) != 0)
+                        continue;
+                rc = security_setenforce(setenforce_mode[i]);
+                if (rc < 0)
+                        bb_perror_msg_and_die("setenforce() failed");
+                return 0;
+        }
+        bb_show_usage();
+}

diff --git a/selinux/Config.in b/selinux/Config.in new file mode 100644 index 000000000..b078ee59e --- /dev/null +++ b/selinux/Config.in
@@ -0,0 +1,47 @@
	1	#
	2	# For a description of the syntax of this configuration file,
	3	# see scripts/kbuild/config-language.txt.
	4	#
	5
	6	menu "Selinux Utilities"
	7	depends on SELINUX
	8
	9	config GETENFORCE
	10	bool "getenforce"
	11	default n
	12	depends on SELINUX
	13	help
	14	Enable support to get the current mode of SELinux.
	15
	16	config GETSEBOOL
	17	bool "getsebool"
	18	default n
	19	depends on SELINUX
	20	help
	21	Enable support to get SELinux boolean values.
	22
	23	config MATCHPATHCON
	24	bool "matchpathcon"
	25	default n
	26	depends on SELINUX
	27	help
	28	Enable support to get default security context of the
	29	specified path from the file contexts configuration.
	30
	31	config SELINUXENABLED
	32	bool "selinuxenabled"
	33	default n
	34	depends on SELINUX
	35	help
	36	Enable support for this command to be used within shell scripts
	37	to determine if selinux is enabled.
	38
	39	config SETENFORCE
	40	bool "setenforce"
	41	default n
	42	depends on SELINUX
	43	help
	44	Enable support to modify the mode SELinux is running in.
	45
	46	endmenu
	47


diff --git a/selinux/Kbuild b/selinux/Kbuild new file mode 100644 index 000000000..8371df8e4 --- /dev/null +++ b/selinux/Kbuild
@@ -0,0 +1,13 @@
	1	# Makefile for busybox
	2	#
	3	# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
	4	# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
	5	#
	6	# Licensed under the GPL v2, see the file LICENSE in this tarball.
	7
	8	lib-y:=
	9	lib-$(CONFIG_GETENFORCE) += getenforce.o
	10	lib-$(CONFIG_GETSEBOOL) += getsebool.o
	11	lib-$(CONFIG_MATCHPATHCON) += matchpathcon.o
	12	lib-$(CONFIG_SELINUXENABLED) += selinuxenabled.o
	13	lib-$(CONFIG_SETENFORCE) += setenforce.o


diff --git a/selinux/getenforce.c b/selinux/getenforce.c new file mode 100644 index 000000000..e240e4dca --- /dev/null +++ b/selinux/getenforce.c
@@ -0,0 +1,33 @@
	1	/*
	2	* getenforce
	3	*
	4	* Based on libselinux 1.33.1
	5	* Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
	6	*
	7	*/
	8
	9	#include "busybox.h"
	10
	11	int getenforce_main(int argc, char **argv)
	12	{
	13	int rc;
	14
	15	rc = is_selinux_enabled();
	16	if (rc < 0)
	17	bb_error_msg_and_die("is_selinux_enabled() failed");
	18
	19	if (rc == 1) {
	20	rc = security_getenforce();
	21	if (rc < 0)
	22	bb_error_msg_and_die("getenforce() failed");
	23
	24	if (rc)
	25	puts("Enforcing");
	26	else
	27	puts("Permissive");
	28	} else {
	29	puts("Disabled");
	30	}
	31
	32	return 0;
	33	}


diff --git a/selinux/getsebool.c b/selinux/getsebool.c new file mode 100644 index 000000000..d593937ba --- /dev/null +++ b/selinux/getsebool.c
@@ -0,0 +1,65 @@
	1	/*
	2	* getsebool
	3	*
	4	* Based on libselinux 1.33.1
	5	* Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
	6	*
	7	*/
	8
	9	#include "busybox.h"
	10
	11	int getsebool_main(int argc, char **argv)
	12	{
	13	int i, rc = 0, active, pending, len = 0;
	14	char **names;
	15	unsigned opt;
	16
	17	selinux_or_die();
	18	opt = getopt32(argc, argv, "a");
	19
	20	if (opt) { /* -a */
	21	if (argc > 2)
	22	bb_show_usage();
	23
	24	rc = security_get_boolean_names(&names, &len);
	25	if (rc)
	26	bb_perror_msg_and_die("cannot get boolean names");
	27
	28	if (!len) {
	29	puts("No booleans");
	30	return 0;
	31	}
	32	}
	33
	34	if (!len) {
	35	if (argc < 2)
	36	bb_show_usage();
	37	len = argc - 1;
	38	names = xmalloc(sizeof(char ) len);
	39	for (i = 0; i < len; i++)
	40	names[i] = xstrdup(argv[i + 1]);
	41	}
	42
	43	for (i = 0; i < len; i++) {
	44	active = security_get_boolean_active(names[i]);
	45	if (active < 0) {
	46	bb_error_msg_and_die("error getting active value for %s", names[i]);
	47	}
	48	pending = security_get_boolean_pending(names[i]);
	49	if (pending < 0) {
	50	bb_error_msg_and_die("error getting pending value for %s", names[i]);
	51	}
	52	printf("%s --> %s", names[i], (active ? "on" : "off"));
	53	if (pending != active)
	54	printf(" pending: %s", (pending ? "on" : "off"));
	55	putchar('\n');
	56	}
	57
	58	if (ENABLE_FEATURE_CLEAN_UP) {
	59	for (i = 0; i < len; i++)
	60	free(names[i]);
	61	free(names);
	62	}
	63
	64	return rc;
	65	}


diff --git a/selinux/matchpathcon.c b/selinux/matchpathcon.c new file mode 100644 index 000000000..4fa95b0ef --- /dev/null +++ b/selinux/matchpathcon.c
@@ -0,0 +1,85 @@
	1	/* matchpathcon - get the default security context for the specified
	2	* path from the file contexts configuration.
	3	* based on libselinux-1.32
	4	* Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
	5	*
	6	*/
	7	#include "busybox.h"
	8
	9	static int print_matchpathcon(char *path, int noprint)
	10	{
	11	char *buf;
	12	int rc = matchpathcon(path, 0, &buf);
	13	if (rc < 0) {
	14	bb_perror_msg("matchpathcon(%s) failed", path);
	15	return 1;
	16	}
	17	if (!noprint)
	18	printf("%s\t%s\n", path, buf);
	19	else
	20	printf("%s\n", buf);
	21
	22	freecon(buf);
	23	return 0;
	24	}
	25
	26	#define OPT_NOT_PRINT (1<<0) /* -n */
	27	#define OPT_NOT_TRANS (1<<1) /* -N */
	28	#define OPT_FCONTEXT (1<<2) /* -f */
	29	#define OPT_PREFIX (1<<3) /* -p */
	30	#define OPT_VERIFY (1<<4) /* -V */
	31
	32	int matchpathcon_main(int argc, char **argv)
	33	{
	34	int error = 0;
	35	unsigned opts;
	36	char fcontext, prefix, *path;
	37
	38	opt_complementary = "-1:" /* at least one param reqd */
	39	"f--p:p--f"; /* mutually exclusive */
	40	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
	41	argv += optind;
	42
	43	if (opts & OPT_NOT_TRANS) {
	44	set_matchpathcon_flags(NOTRANS);
	45	}
	46	if (opts & OPT_FCONTEXT) {
	47	if (matchpathcon_init(fcontext))
	48	bb_perror_msg_and_die("error while processing %s", fcontext);
	49	}
	50	if (opts & OPT_PREFIX) {
	51	if (matchpathcon_init_prefix(NULL, prefix))
	52	bb_perror_msg_and_die("error while processing %s", prefix);
	53	}
	54
	55	while((path = *argv++) != NULL) {
	56	security_context_t con;
	57	int rc;
	58
	59	if (!(opts & OPT_VERIFY)) {
	60	error += print_matchpathcon(path, opt & OPT_NOT_PRINT);
	61	continue;
	62	}
	63
	64	if (selinux_file_context_verify(path, 0)) {
	65	printf("%s verified\n", path);
	66	continue;
	67	}
	68
	69	if (opts & OPT_NOT_TRANS)
	70	rc = lgetfilecon_raw(path, &con);
	71	else
	72	rc = lgetfilecon(path, &con);
	73
	74	if (rc >= 0) {
	75	printf("%s has context %s, should be ", path, con);
	76	error += print_matchpathcon(path, 1);
	77	freecon(con);
	78	continue;
	79	}
	80	printf("actual context unknown: %s, should be ", strerror(errno));
	81	error += print_matchpathcon(path, 1);
	82	}
	83	matchpathcon_fini();
	84	return error;
	85	}


diff --git a/selinux/selinuxenabled.c b/selinux/selinuxenabled.c new file mode 100644 index 000000000..b34228098 --- /dev/null +++ b/selinux/selinuxenabled.c
@@ -0,0 +1,13 @@
	1	/*
	2	* selinuxenabled
	3	*
	4	* Based on libselinux 1.33.1
	5	* Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
	6	*
	7	*/
	8	#include "busybox.h"
	9
	10	int selinuxenabled_main(int argc, char **argv)
	11	{
	12	return !is_selinux_enabled();
	13	}


diff --git a/selinux/setenforce.c b/selinux/setenforce.c new file mode 100644 index 000000000..670e30086 --- /dev/null +++ b/selinux/setenforce.c
@@ -0,0 +1,44 @@
	1	/*
	2	* setenforce
	3	*
	4	* Based on libselinux 1.33.1
	5	* Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
	6	*
	7	*/
	8
	9	#include "busybox.h"
	10
	11	static const smallint setenforce_mode[] = {
	12	0,
	13	1,
	14	0,
	15	1,
	16	};
	17	static const char *const setenforce_cmd[] = {
	18	"0",
	19	"1",
	20	"permissive",
	21	"enforcing",
	22	NULL,
	23	};
	24
	25	int setenforce_main(int argc, char **argv)
	26	{
	27	int i, rc;
	28
	29	if (argc != 2)
	30	bb_show_usage();
	31
	32	selinux_or_die();
	33
	34	for (i = 0; setenforce_cmd[i]; i++) {
	35	if (strcasecmp(argv[1], setenforce_cmd[i]) != 0)
	36	continue;
	37	rc = security_setenforce(setenforce_mode[i]);
	38	if (rc < 0)
	39	bb_perror_msg_and_die("setenforce() failed");
	40	return 0;
	41	}
	42
	43	bb_show_usage();
	44	}