From: James Carter <jwcart2@tycho.nsa.gov>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Caleb Case <ccase@tresys.com>,
	selinux@tycho.nsa.gov, csellers@tresys.com,
	kmacmillan@tresys.com, jbrindle@tresys.com
Subject: Re: [PATCH 03/13] libsemanage: move the module store to /var/lib/selinux
Date: Fri, 08 Jan 2010 09:50:35 -0500	[thread overview]
Message-ID: <1262962235.11210.25.camel@localhost> (raw)
In-Reply-To: <1262960902.13162.1.camel@moss-pluto.epoch.ncsc.mil>

On Fri, 2010-01-08 at 09:28 -0500, Stephen Smalley wrote:
> On Wed, 2009-12-23 at 18:25 -0500, Caleb Case wrote:
> > This patch moves the module store from /etc/selinux/<store>/modules to
> > /var/lib/selinux/<store>.
> 
> Can the path prefix (i.e. /var/lib/selinux) be made configurable?
> 
There would be no prefixes other than /var/lib/selinux
or /etc/selinux, or do you have something else in mind?

I guess that you are thinking of backwards compatibility, but you still
won't have it even if you change the prefix because the directory
structure is different (priority directories and such).  I don't see
what you would gain with changing the prefix.

> > This move will allow for the use of a read-only /etc/selinux. Currently
> > that is not possible with semanage because of the lock files.
> > 
> > A consequence of this move is that packagers of libsemanage should
> > create the /var/lib/selinux directory.
> > ---
> >  libsemanage/src/direct_api.c     |   20 ++----------------
> >  libsemanage/src/semanage_store.c |   39 ++++++++++++++++++++++++-------------
> >  libsemanage/src/semanage_store.h |    5 +++-
> >  3 files changed, 32 insertions(+), 32 deletions(-)
> > 
> > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > index f09c7cf..5fb4523 100644
> > --- a/libsemanage/src/direct_api.c
> > +++ b/libsemanage/src/direct_api.c
> > @@ -89,12 +89,7 @@ static struct semanage_policy_table direct_funcs = {
> >  
> >  int semanage_direct_is_managed(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> > -
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		goto err;
> >  
> >  	if (semanage_access_check(sh) < 0)
> > @@ -111,13 +106,9 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
> >   */
> >  int semanage_direct_connect(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> >  	const char *path;
> >  
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		goto err;
> >  
> >  	if (sh->create_store)
> > @@ -1416,12 +1407,7 @@ static int semanage_direct_list(semanage_handle_t * sh,
> >  
> >  int semanage_direct_access_check(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> > -
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		return -1;
> >  
> >  	return semanage_store_access_check(sh);
> > diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> > index 0a55ce0..049818a 100644
> > --- a/libsemanage/src/semanage_store.c
> > +++ b/libsemanage/src/semanage_store.c
> > @@ -3,8 +3,9 @@
> >   *	    Jason Tang <jtang@tresys.com>
> >   *          Christopher Ashworth <cashworth@tresys.com>
> >   *          Chris PeBenito <cpebenito@tresys.com>
> > + *	    Caleb Case <ccase@tresys.com>
> >   *
> > - * Copyright (C) 2004-2006 Tresys Technology, LLC
> > + * Copyright (C) 2004-2006,2009 Tresys Technology, LLC
> >   * Copyright (C) 2005 Red Hat, Inc.
> >   *
> >   *  This library is free software; you can redistribute it and/or
> > @@ -88,8 +89,6 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
> >  	"/tmp"
> >  };
> >  
> > -/* this is the module store path relative to selinux_policy_root() */
> > -#define SEMANAGE_MOD_DIR "/modules"
> >  /* relative path names to enum sandbox_paths for special files within
> >   * a sandbox */
> >  static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
> > @@ -157,14 +156,14 @@ static int semanage_init_paths(const char *root)
> >  	if (!root)
> >  		return -1;
> >  
> > -	prefix_len = (strlen(root) + strlen(SEMANAGE_MOD_DIR));
> > +	prefix_len = strlen(root);
> >  
> >  	for (i = 0; i < SEMANAGE_NUM_FILES; i++) {
> >  		len = (strlen(semanage_relative_files[i]) + prefix_len);
> >  		semanage_files[i] = calloc(len + 1, sizeof(char));
> >  		if (!semanage_files[i])
> >  			return -1;
> > -		sprintf(semanage_files[i], "%s%s%s", root, SEMANAGE_MOD_DIR,
> > +		sprintf(semanage_files[i], "%s%s", root,
> >  			semanage_relative_files[i]);
> >  	}
> >  
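Review bot: The write into `semanage_files[i]` still relies on `sprintf` being implicitly bounded by the `len + 1` computed two lines earlier from the same `strlen` values; the bound is correct today but lives only in the reader's head. Making it explicit keeps the allocation and the write from drifting apart if either side is edited later: `snprintf(semanage_files[i], len + 1, "%s%s", root, semanage_relative_files[i]);`. The same pattern appears in the `semanage_paths[i][j]` write in the later semanage_init_store_paths hunk. semanage_init_paths starts and ends outside this hunk.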
> > @@ -186,16 +185,11 @@ static int semanage_init_store_paths(const char *root)
> >  	int i, j;
> >  	size_t len;
> >  	size_t prefix_len;
> > -	char *prefix;
> >  
> >  	if (!root)
> >  		return -1;
> >  
> > -	prefix_len = (strlen(root) + strlen(SEMANAGE_MOD_DIR));
> > -	prefix = calloc(prefix_len + 1, sizeof(char));
> > -	if (!prefix)
> > -		return -1;
> > -	sprintf(prefix, "%s%s", root, SEMANAGE_MOD_DIR);
> > +	prefix_len = strlen(root);
> >  
> >  	for (i = 0; i < SEMANAGE_NUM_STORES; i++) {
> >  		for (j = 0; j < SEMANAGE_STORE_NUM_PATHS; j++) {
> > @@ -204,14 +198,13 @@ static int semanage_init_store_paths(const char *root)
> >  			semanage_paths[i][j] = calloc(len + 1, sizeof(char));
> >  			if (!semanage_paths[i][j])
> >  				goto cleanup;
> > -			sprintf(semanage_paths[i][j], "%s%s%s", prefix,
> > +			sprintf(semanage_paths[i][j], "%s%s%s", root,
> >  				semanage_store_paths[i],
> >  				semanage_sandbox_paths[j]);
> >  		}
> >  	}
> >  
> >        cleanup:
> > -	free(prefix);
> >  	return 0;
> >  }
> >  
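Review bot: With `free(prefix)` removed, the `cleanup:` label now leads straight to `return 0;`, so the `goto cleanup` taken when `calloc` fails reports success to the caller, which (per the semanage_check_init hunk) then marks the paths as initialized with a NULL entry in `semanage_paths`. Unless something in the part of the function between the two hunks still needs the label, the simplest fix is to replace the jump with `return -1;` and drop the label: `if (!semanage_paths[i][j]) return -1;`. The function begins in the preceding hunk and its middle is not shown here, so the label's other uses, if any, should be checked.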
> > @@ -223,16 +216,28 @@ static int semanage_init_store_paths(const char *root)
> >   *
> >   * Note that this function is NOT thread-safe.
> >   */
> > -int semanage_check_init(const char *root)
> > +int semanage_check_init(semanage_handle_t *sh, const char *prefix)
> >  {
> >  	int rc;
> >  	if (semanage_paths_initialized == 0) {
> > +		char root[PATH_MAX];
> > +
> > +		rc = snprintf(root,
> > +			      sizeof(root),
> > +			      "%s/%s",
> > +			      prefix,
> > +			      sh->conf->store_path);
> > +		if (rc < 0 || rc >= (int)sizeof(root))
> > +			return -1;
> > +
> >  		rc = semanage_init_paths(root);
> >  		if (rc)
> >  			return rc;
> > +
> >  		rc = semanage_init_store_paths(root);
> >  		if (rc)
> >  			return rc;
> > +
> >  		semanage_paths_initialized = 1;
> >  	}
> >  	return 0;
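Review bot: The comment block above the function (its tail is visible at the top of the hunk) documents neither the new `sh` and `prefix` parameters nor the fact that they are consulted only on the first successful call: the `semanage_paths_initialized` guard means a later call with a different prefix or store_path silently keeps the paths computed the first time. I would add to the header comment: `Builds the store root as "<prefix>/<sh->conf->store_path>" and initializes the path tables from it; only the first call has any effect, later calls return 0 without re-reading prefix or sh.` and `Returns -1 if the composed root does not fit in PATH_MAX.` The truncation check at `rc >= (int)sizeof(root)` returns -1 without reporting through the handle, unlike the other failure paths callers see; a message via the handle's error reporting would make a too-long store name diagnosable.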
> > @@ -259,6 +264,12 @@ const char *semanage_path(enum semanage_store_defs store,
> >  	return semanage_paths[store][path_name];
> >  }
> >  
> > +/* Return the root of the semanage store. */
> > +const char *semanage_root_path(void)
> > +{
> > +	return "/var/lib/selinux";
> > +}
> > +
> >  /* Return a fully-qualified path + filename to the semanage
> >   * configuration file.  The caller must not alter the string returned
> >   * (and hence why this function return type is const).
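Review bot: The one-line comment on semanage_root_path says less than the neighbouring semanage_conf_path comment, which spells out that the returned string must not be altered or freed. Since the function returns a string literal, the same contract applies and should be stated so callers do not treat it as an allocated path: `/* Return the root of the semanage store as a static string. The caller must not alter or free the returned string. */`.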
> > diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
> > index 112edb6..c76ecfe 100644
> > --- a/libsemanage/src/semanage_store.h
> > +++ b/libsemanage/src/semanage_store.h
> > @@ -62,11 +62,14 @@ enum semanage_sandbox_defs {
> >  	SEMANAGE_STORE_NUM_PATHS
> >  };
> >  
> > +const char *semanage_root_path(void);
> > +
> >  /* FIXME: this needs to be made a module store specific init and the
> >   * global configuration moved to another file.
> >   */
> >  const char *semanage_conf_path(void);
> > -int semanage_check_init(const char *root);
> > +
> > +int semanage_check_init(semanage_handle_t *sh, const char *prefix);
> >  
> >  extern const char *semanage_fname(enum semanage_sandbox_defs file_enum);
> >  
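Review bot: The new prototype for semanage_check_init names `semanage_handle_t`, so this header now depends on that type being declared before it is included; if semanage_store.h does not already pull in the handle declaration (its includes are outside this hunk), the include should be added here rather than relying on every includer's ordering. The new `semanage_root_path` declaration is also the only one in this stretch without a comment; a line such as `/* Returns the static root directory of the module store; do not free. */` would match the surrounding declarations.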

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


