diff --git a/README.md b/README.md
index 765b5626f..dcb472378 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,12 @@ This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.
+A directory for distribution provided configuration files (in e.g. /usr/etc) can be set by:
+
+ make VENDORDIR=/usr/etc
+
+If distribution provided configuration files are used, the library libeconf is
+needed for parsing these files in the correct order.
 ## Setting CFLAGS
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index aebf050c2..bb1f6bda0 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
 SBINDIR ?= $(PREFIX)/sbin
 MANDIR = $(PREFIX)/share/man
 ETCDIR ?= /etc
+LIBECONFH ?= $(shell test -f /usr/include/libeconf.h && echo y)
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -D_FILE_OFFSET_BITS=64
@@ -13,6 +14,13 @@ override LDLIBS += -lselinux
 all: sestatus
 sestatus: sestatus.o
+ifdef VENDORDIR
+ifneq ($(LIBECONFH), y)
+	(echo "VENDORDIR defined but libeconf not available."; exit 1)
+endif
+override CFLAGS += -DVENDORDIR='"${VENDORDIR}"'
+override LDLIBS += -leconf
+endif
 install: all
 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index 6c95828ed..f80612dcd 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
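Review bot: `LIBECONFH` only tests whether `/usr/include/libeconf.h` exists on the build host, so a sysroot, cross-compile or non-/usr install of libeconf is reported as missing, and nothing probes whether the later `-leconf` actually links. Asking the dev package is more robust where libeconf ships a pkg-config file: `LIBECONFH ?= $(shell pkg-config --exists libeconf && echo y)`. A short comment above the line, e.g. `# y when libeconf is available; required when VENDORDIR is set`, would also tell a reader what the variable gates, since its consumer lives in a later hunk.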
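Review bot: The `(echo "VENDORDIR defined but libeconf not available."; exit 1)` line sits directly under `sestatus: sestatus.o`, so it appears to become that target's recipe: the failure only surfaces when `sestatus` is actually built, and giving the target an explicit recipe also displaces the implicit link rule. Make can reject the configuration at parse time instead, which keeps the rule intact and fails every target consistently: `$(error VENDORDIR defined but libeconf not available)` in place of the echo/exit line. It is also worth a comment that `-DVENDORDIR='"${VENDORDIR}"'` interpolates the value unquoted into a C string literal, so a path containing a quote or backslash breaks the compile rather than being escaped.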
@@ -21,11 +21,16 @@
 #define PROC_BASE "/proc"
 #define MAX_CHECK 50
-#define CONF "/etc/sestatus.conf"
+#define CONFDIR "/etc"
+#define CONFNAME "sestatus"
+#define CONFPOST "conf"
+#define CONF CONFDIR "/" CONFNAME "." CONFPOST
 /* conf file sections */
-#define PROCS "[process]"
-#define FILES "[files]"
+#define SECTIONPROCS "process"
+#define SECTIONFILES "files"
+#define PROCS "[" SECTIONPROCS "]"
+#define FILES "[" SECTIONFILES "]"
 /* buffer size for cmp_cmdline */
 #define BUFSIZE 255
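Review bot: The split of `CONF` into `CONFDIR`/`CONFNAME`/`CONFPOST` is not self-explaining in this hunk; the motivation only becomes visible in the later hunk where the libeconf reader takes directory, name and suffix as separate arguments. A one-line comment above `#define CONFDIR "/etc"` such as `/* dir, base name and suffix are separate so the libeconf reader can take them individually; CONF is the legacy full path */` would save the next reader a search. `CONFPOST` is also an odd name for what is a file suffix; `CONFSUFFIX` would say what it holds.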
@@ -92,9 +97,75 @@ static int pidof(const char *command)
 	return ret;
 }
 
-static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+#ifdef VENDORDIR
+#include 
+
+static void load_checks_with_vendor_settings(char *pc[], int *npc, char *fc[], int *nfc)
 {
+	econf_file *key_file = NULL;
+	econf_err error;
+	char **keys;
+	size_t key_number;
+
+	error = econf_readDirs (&key_file,
+				VENDORDIR,
+				CONFDIR,
+				CONFNAME,
+				CONFPOST,
+				"", "#");
+	if (error != ECONF_SUCCESS) {
+		printf("\nCannot read settings %s.%s: %s\n",
+		       CONFNAME,
+		       CONFPOST,
+		       econf_errString( error ));
+		return;
+	}
+
+	error = econf_getKeys(key_file, SECTIONPROCS, &key_number, &keys);
+	if (error != ECONF_SUCCESS) {
+		printf("\nCannot read group %s: %s\n",
+		       SECTIONPROCS,
+		       econf_errString( error ));
+	} else {
+		for (size_t i = 0; i < key_number; i++) {
+			if (*npc >= MAX_CHECK)
+				break;
+			pc[*npc] = strdup(keys[i]);
+			if (!pc[*npc])
+				break;
+			(*npc)++;
+		}
+		econf_free (keys);
+	}
+
+	error = econf_getKeys(key_file, SECTIONFILES, &key_number, &keys);
+	if (error != ECONF_SUCCESS) {
+		printf("\nCannot read group %s: %s\n",
+		       SECTIONFILES,
+		       econf_errString( error ));
+	} else {
+		for (size_t i = 0; i < key_number; i++) {
+			if (*nfc >= MAX_CHECK)
+				break;
+			fc[*nfc] = strdup(keys[i]);
+			if (!fc[*nfc])
+				break;
+			(*nfc)++;
+		}
+		econf_free (keys);
+	}
+	econf_free (key_file);
+	return;
+}
+#endif
+
+static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+{
+#ifdef VENDORDIR
+	load_checks_with_vendor_settings(pc, npc, fc, nfc);
+	return;
+#endif
 	FILE *fp = fopen(CONF, "r");
 	char buf[255], *bufp;
 	int buf_len, section = -1;
diff --git a/policycoreutils/sestatus/sestatus.conf.5 b/policycoreutils/sestatus/sestatus.conf.5
index acfedf6f5..01f8051d2 100644
--- a/policycoreutils/sestatus/sestatus.conf.5
+++ b/policycoreutils/sestatus/sestatus.conf.5
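Review bot: The two `econf_getKeys` blocks in `load_checks_with_vendor_settings` are the same loop twice, differing only in the section name and destination array, and both report a section that is simply absent as an error on stdout (`Cannot read group …`), which the line-based parser further down presumably tolerated for a config that lists only `[process]` or only `[files]`; if libeconf returns a distinct code for a missing group, that code should be treated as an empty section rather than printed. A small helper, sketched below, removes the duplication and gives that condition one home. Separately, with `VENDORDIR` defined the unconditional `return;` in `load_checks` leaves the entire legacy parser compiled but unreachable; an `#else` there, with the matching `#endif` at the end of `load_checks` (which continues outside this hunk), makes the two code paths explicit instead. The new function would also benefit from a header comment stating the merge order it relies on (presumably the `VENDORDIR` file is read first and `/etc` overrides it; confirm against the libeconf documentation), since that precedence is the behavioral change users of `sestatus.conf` will care about.
```c
/* Append the keys of one config section to dst[], up to MAX_CHECK entries;
 * stops silently on strdup() failure. */
static void load_section_keys(econf_file *key_file, const char *section,
			      char *dst[], int *ndst)
{
	econf_err error;
	char **keys;
	size_t key_number;

	error = econf_getKeys(key_file, section, &key_number, &keys);
	if (error != ECONF_SUCCESS) {
		/* TODO(review): a missing section should not be an error here */
		printf("\nCannot read group %s: %s\n", section, econf_errString(error));
		return;
	}
	for (size_t i = 0; i < key_number && *ndst < MAX_CHECK; i++) {
		dst[*ndst] = strdup(keys[i]);
		if (!dst[*ndst])
			break;
		(*ndst)++;
	}
	econf_free(keys);
}

static void load_checks_with_vendor_settings(char *pc[], int *npc, char *fc[], int *nfc)
{
	/* … unchanged: econf_readDirs() call and its error path … */
	load_section_keys(key_file, SECTIONPROCS, pc, npc);
	load_section_keys(key_file, SECTIONFILES, fc, nfc);
	econf_free(key_file);
}
```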
@@ -8,7 +8,7 @@ The \fIsestatus.conf\fR file is used by the \fBsestatus\fR(8) command with the \
 .sp
 The fully qualified path name of the configuration file is:
 .RS
-\fI/etc/sestatus.conf\fR
+\fI/etc/sestatus.conf\fR or \fI/sestatus.conf\fR if it is not available
 .RE
 .RE
 .sp