libselinux: new setexecon utility

This utility will tell what context a new task will have after exec based on the pathname and the context of the launching task. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2025-02-08 20:37:55 +00:00 · 2011-06-28 19:40:26 -04:00 · 2011-06-28 19:40:26 -04:00 · 5ef65fd784
commit 5ef65fd784
parent 441cf2ea92
3 changed files with 85 additions and 0 deletions
--- a/libselinux/man/man8/selinuxexeccon.8
+++ b/libselinux/man/man8/selinuxexeccon.8
@ -0,0 +1,24 @@
+.TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxexeccon \- report SELinux context used for this executable
+
+.SH "SYNOPSIS"
+.B selinuxexeccon command [ fromcon] o
+
+.SH "DESCRIPTION"
+.B selinuxexeccon
+reports the SELinux process context for the specified command from the specified context or the current context.
+
+.SH EXAMPLE
+# selinuxexeccon /usr/bin/passwd 
+staff_u:staff_r:passwd_t:s0-s0:c0.c1023
+
+.br
+# selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0
+system_u:system_r:system_mail_t:s0
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8)
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@ -0,0 +1 @@
+selinuxexeccon
--- a/libselinux/utils/selinuxexeccon.c
+++ b/libselinux/utils/selinuxexeccon.c
@ -0,0 +1,60 @@
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <ctype.h>
+#include <selinux/flask.h>
+#include <selinux/selinux.h>
+
+void usage(char *name, char *detail, int rc)
+{
+	fprintf(stderr, "usage:  %s command [ fromcon ]\n", name);
+	if (detail)
+		fprintf(stderr, "%s:  %s\n", name, detail);
+	exit(rc);
+}
+
+static security_context_t get_selinux_proc_context(const char *command, security_context_t execcon) {
+	security_context_t fcon = NULL, newcon = NULL;
+
+	int ret = getfilecon(command, &fcon);
+	if (ret < 0) goto err;
+	ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
+	if (ret < 0) goto err;
+
+err:
+	freecon(fcon);
+	return newcon;
+}
+
+int main(int argc, char **argv)
+{
+	int ret = -1;
+	security_context_t proccon = NULL, con = NULL;
+	if (argc < 2 || argc > 3)
+		usage(argv[0], "Invalid number of arguments", -1);
+
+	if (argc == 2) {
+		if (getcon(&con) < 0) {
+			perror(argv[0]);
+			return -1;
+		}
+	} else {
+		con = strdup(argv[2]);
+	}
+
+	proccon = get_selinux_proc_context(argv[1], con);
+	if (proccon) {
+		printf("%s\n", proccon);
+		ret = 0;
+	} else {
+		perror(argv[0]);
+	}
+
+	free(proccon);
+	free(con);
+	return ret;
+}