From: Guido Trentalancia <guido@trentalancia.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
Date: Tue, 02 Feb 2010 19:28:01 +0100
Message-ID: <1265135281.3003.68.camel@tesla.lan>
In-Reply-To: <1265129074.3114.20.camel@moss-pluto.epoch.ncsc.mil>
Stephen,

did you mean something like the code below when mentioning the
initial SID issue? I remember you mentioned matching oc->sid[0]
with the argument key of convert_context, so we can first scan for the
"unlabeled" SID and copy the MLS range only (as done in the previous
patch) and then afterwards if we find a match with the key argument, we
can copy the whole context over.

On Tue, 2010-02-02 at 11:44 -0500, Stephen Smalley wrote:
> On Tue, 2010-02-02 at 15:22 +0100, Guido Trentalancia wrote:
> Did you give up on addressing the initial SID issue or are you saving
> that for a later, separate patch?

	/*
	 * Switching between non-MLS and MLS policy:
	 * ensure that the MLS fields of the context for all
	 * existing entries in the sidtab are filled in with a
	 * suitable default value, likely taken from one of the
	 * initial SIDs.
	 */
	else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
		int number_of_isids = 0;
		int matching_key = 0;

		/* first pass: does the key match one of the initial SIDs? */
		oc = args->newp->ocontexts[OCON_ISID];
		while (oc) {
			if (oc->sid[0] == key)
				matching_key = 1;
			oc = oc->next;
			number_of_isids = number_of_isids + 1;
		}

		oc = args->newp->ocontexts[OCON_ISID];
		if (!matching_key) {
			while (oc && oc->sid[0] != SECINITSID_UNLABELED)
				oc = oc->next;
			if (!oc) {
				printk(KERN_ERR "SELinux: unable to look up"
					" the initial SIDs list\n");
				goto bad;
			}
			range = &oc->context[0].range;
			/* set only the MLS range from "unlabeled" */
			rc = mls_range_set(c, range);
			if (rc)
				goto bad;
		} else {
			/* a match exists (matching_key is set), so oc ends non-NULL */
			while (oc && oc->sid[0] != key)
				oc = oc->next;
			/* copy the whole context; context_cpy() takes a pointer */
			rc = context_cpy(c, &oc->context[0]);
			if (rc)
				goto bad;
		}
	}

I look forward to hearing from you about the above issue.
Regards,
Guido