From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: selinux@tycho.nsa.gov, Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: selinux_file_context_verify function returns wrong value.
Date: Wed, 16 Feb 2011 13:25:04 -0500
Message-ID: <1297880704.27031.60.camel@moss-pluto>
In-Reply-To: <248378.46713.qm@web87007.mail.ird.yahoo.com>

On Mon, 2011-02-14 at 15:56 +0000, Richard Haines wrote:
> The selinux_file_context_verify seems to return the wrong value when I
> know the context of the file and that in the file_contexts file are
> the same (returns '1' but according to man page should be '0').
>  
> Looking at the libselinux source code (matchpathcon.c) the line:
>  
>        rc = (selinux_file_context_cmp(fcontext, con) == 0);
>  
> seems the problem.
>  
> I'm using libselinux 2.0.96
>  
> So should it return 0 on match, 1 if contexts are different (or if the
> file / file_contexts entries do not exist) and -1 on error.
>  
> And just to clarify the selinux_file_context_cmp function return
> values:
>  
>      Should it return 0 on match (after the 'user:' portion), 1 if
> contexts do not match and -1 on error.
>  
> Thanks
> Richard
>  

Looks like a bug in the man page, combined with inconsistent return
values on certain error paths within the code.  It looks like the intent
was for selinux_file_context_verify() to return 1 if they match, 0 if
they do not match, and -1 on error.  However:
a) that isn't what the man page says,
b) there is some special case handling of ENOTSUP and ENOENT internally
that looks suspect to me, and
c) utils/matchpathcon.c doesn't check for < 0

selinux_file_context_cmp is a bit simpler - it just follows strcmp
conventions, i.e. -1 for "less than", 0 for equal, and 1 for "greater
than".

Dan?


-- 
Stephen Smalley
National Security Agency
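
An added example, not part of the original message and not libselinux code: with the convention the reply describes (1 on match, 0 on mismatch, -1 on error), a caller that tests the result as a boolean reads an error as "verified", which is why the missing `< 0` check in point c) matters. `verify_stub`, the label table and the two callers are hypothetical stand-ins with constructed data; the stub's ENOENT error path is an assumption for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: path, label expected by policy, label on disk. */
struct entry { const char *path, *expected, *actual; };
static const struct entry table[] = {
    { "/etc/passwd", "system_u:object_r:passwd_file_t:s0",
                     "system_u:object_r:passwd_file_t:s0" },
    { "/etc/shadow", "system_u:object_r:shadow_t:s0",
                     "system_u:object_r:etc_t:s0" },
};

/* Hypothetical stand-in using the convention described in the reply:
 * 1 = labels match, 0 = labels differ, -1 = error with errno set. */
static int verify_stub(const char *path)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].path, path) == 0)
            return strcmp(table[i].expected, table[i].actual) == 0;
    errno = ENOENT;               /* assumed error path: no entry found */
    return -1;
}

/* Boolean-style caller: -1 is nonzero, so an error counts as verified. */
static int naive_is_verified(const char *path)
{
    return verify_stub(path) ? 1 : 0;
}

enum verdict { LABEL_MATCH, LABEL_MISMATCH, LABEL_ERROR };

/* Caller that separates the error case before testing for a match. */
static enum verdict checked_verify(const char *path)
{
    int rc = verify_stub(path);
    if (rc < 0)
        return LABEL_ERROR;
    return rc == 1 ? LABEL_MATCH : LABEL_MISMATCH;
}

int main(void)
{
    const char *paths[] = { "/etc/passwd", "/etc/shadow", "/no/such/file" };
    const char *names[] = { "match", "mismatch", "error" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s naive=%d checked=%s\n", paths[i],
               naive_is_verified(paths[i]), names[checked_verify(paths[i])]);
    return 0;
}
```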

