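#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sepol/policydb/services.h>
#include <sepol/sepol.h>

/*
 * Transition check tool.
 *
 * Loads a binary policy into libsepol's global policydb and asks
 * sepol_validate_transition_reason_buffer() whether a transition from
 * oldcontext to newcontext of class tclass, performed by a task running in
 * taskcontext, is valid (presumably the policy's validatetrans
 * constraints). SHOW_GRANTED asks libsepol to include granted expressions
 * in the reason buffer; only the denial case prints that buffer.
 *
 * Usage: <prog> policy oldcontext newcontext tclass taskcontext
 *
 * Exit status: 0 = allowed, 7 = denied (the reason text is printed),
 *              1 = usage error, policy load failure or invalid argument.
 */
int main(int argc, char *argv[])
{
	FILE *fp;
	sepol_security_id_t oldsid, newsid, tasksid;
	sepol_security_class_t tclass;
	char *reason = NULL;	/* allocated by libsepol; freed below */
	int ret;

	if (argc != 6) {
		printf("usage: %s policy oldcontext newcontext tclass taskcontext\n", argv[0]);
		return 1;
	}

	fp = fopen(argv[1], "r");
	if (!fp) {
		fprintf(stderr, "Can't open policy %s: %s\n", argv[1], strerror(errno));
		return 1;
	}
	/*
	 * NOTE(review): a malformed policy may make this fail without touching
	 * errno, in which case the reported reason below can be stale.
	 */
	if (sepol_set_policydb_from_file(fp) < 0) {
		fprintf(stderr, "Error while processing policy %s: %s\n", argv[1], strerror(errno));
		fclose(fp);
		return 1;
	}
	fclose(fp);

	/* Resolve the three contexts and the class against the loaded policy. */
	if (sepol_context_to_sid(argv[2], strlen(argv[2]), &oldsid) < 0) {
		fprintf(stderr, "Invalid old context %s\n", argv[2]);
		return 1;
	}

	if (sepol_context_to_sid(argv[3], strlen(argv[3]), &newsid) < 0) {
		fprintf(stderr, "Invalid new context %s\n", argv[3]);
		return 1;
	}

	if (sepol_string_to_security_class(argv[4], &tclass) < 0) {
		fprintf(stderr, "Invalid security class %s\n", argv[4]);
		return 1;
	}

	if (sepol_context_to_sid(argv[5], strlen(argv[5]), &tasksid) < 0) {
		fprintf(stderr, "Invalid task context %s\n", argv[5]);
		return 1;
	}

	ret = sepol_validate_transition_reason_buffer(oldsid, newsid, tasksid, tclass, &reason, SHOW_GRANTED);
	switch (ret) {
	case 0:
		printf("allowed\n");
		break;
	case -EPERM:
		printf("denied\n");
		/* libsepol fills the buffer on denial; NULL here would be a library bug. */
		printf("%s\n", reason ? reason : "unknown - possible BUG()");
		ret = 7;	/* distinct from the generic failure status 1 */
		break;
	default:
		/*
		 * libsepol reports failures as a negative errno value in the
		 * return code (the -EPERM case above relies on exactly that);
		 * it does not set errno, so decode ret instead of reading a
		 * stale errno.
		 */
		printf("sepol_validate_transition_reason_buffer returned %d: %s\n",
		       ret, strerror(ret < 0 ? -ret : ret));
		ret = 1;
		break;
	}

	free(reason);

	return ret;
}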