From: Ivan Gyurdiev <ivg2@cornell.edu>
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: [ SEPOL ] [ SEMANAGE ] Fix record interfaces
Date: Mon, 31 Oct 2005 01:47:54 -0500
Message-ID: <4365BE1A.20102@cornell.edu>
Okay, I can't justify not passing the handle into the records.
I said that all those errors are simple OMEM errors, but that may not
remain the case in the future, and it's not even true right now -
there are already a bunch of functions in the record files that really
should emit a more informative error message when they fail (not omem).
Second, if the caller wants to use callbacks, then it wants _all_ errors
routed to the callback, regardless of whether they're omem, or something
else. It doesn't make sense to split the API in two - half using
callbacks, and the other using status codes. The handle should be used
everywhere.
=============================
So, this patch fixes a number of important issues:
- SEPOL: passes handle into all records
- SEPOL: removes DEBUG completely
- SEMANAGE: passes handle into all semanage records
- SEMANAGE: this requires the handle to be passed into parse/print -
pass the handle where appropriate.
- SEMANAGE: this also breaks the database, which only works with a
semanage handle, and uses sepol records directly. To correct this issue
I've made the database only work with semanage records. This means the
[object]_policydb databases are now configured to use the semanage
records instead of the sepol ones.
This shifts the place where binary compatibility is assumed from the
relay function ([object]_policy.c) to the ([object]_policydb.c) files,
which are responsible for configuring which functions the database
should use. This is a very good idea, because now policy_components.c no
longer requires binary compatibility, since both the source and target
databases work with semanage records - so compatibility is assumed in
exactly one place, and not two.
I've removed the casts from the ([object]_policy.c) files, since they
are no longer required.
I have not added new casts into ([object]_policydb.c), because I want
this issue to remain visible, until we decide what to do about it. If we
add convert functions, they would go into ([object]_policydb.c).
- SEMANAGE: I've removed the SEPOL_[object]_RTABLE record tables, since
they are not needed after the change above. I've moved the
SEMANAGE_[object]_RTABLE record tables out of the local case, and into
their corresponding record files, where they should have been in the
first place.
- SEPOL and SEMANAGE: I've dropped the status code for several functions
which never fail:
- port_set_port, port_set_range, port_set_proto, port_set_con
- iface_set_ifcon, iface_set_msgcon
- SEMANAGE: various include cleanups in [object]_file.c and
[object]_policydb.c
[-- Attachment #2: libsepol.libsemanage.records_fix.diff.bz2 --]
[-- Type: application/x-bzip, Size: 12120 bytes --]
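An added illustration of the error-routing design argued for above (a constructed example, not code from the attached patch or from libsepol): a hypothetical handle carries the caller's message callback; a setter that cannot fail takes neither handle nor status code, a setter that can fail on allocation takes the handle, and a check that fails for a non-OMEM reason reports an informative message, so every failure reaches the one callback.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical handle (constructed, not libsepol's real type): it owns the
 * caller's message callback so every record error, OMEM or not, reaches it. */
typedef struct handle handle_t;
struct handle { void (*msg_callback)(void *arg, handle_t *h, const char *fmt, va_list ap); void *msg_arg; };
typedef struct { int low, high; char *proto; } port_t;
enum { STATUS_SUCCESS = 0, STATUS_ERR = -1 };
/* Single funnel for record failures: nothing goes to stderr, no split API. */
static void handle_msg(handle_t *h, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    if (h && h->msg_callback) h->msg_callback(h->msg_arg, h, fmt, ap);
    va_end(ap);
}
/* Cannot fail, so it takes no handle and returns no status (cf. port_set_range). */
static void port_set_range(port_t *p, int low, int high) { p->low = low; p->high = high; }
/* Can fail on allocation, so it takes the handle and reports through it. */
static int port_set_proto(handle_t *h, port_t *p, const char *proto)
{
    char *copy = malloc(strlen(proto) + 1);
    if (!copy) { handle_msg(h, "out of memory setting protocol %s", proto); return STATUS_ERR; }
    strcpy(copy, proto);
    free(p->proto); p->proto = copy;
    return STATUS_SUCCESS;
}
/* A non-OMEM failure that deserves an informative message, as the mail notes. */
static int port_check(handle_t *h, const port_t *p)
{
    if (p->low >= 1 && p->high <= 65535 && p->low <= p->high) return STATUS_SUCCESS;
    handle_msg(h, "invalid port range %d-%d", p->low, p->high);
    return STATUS_ERR;
}
/* Recording callback plus a driver so the routing can be asserted on. */
static int g_msgs; static char g_last[256];
static void record_cb(void *arg, handle_t *h, const char *fmt, va_list ap)
{ (void)arg; (void)h; g_msgs++; vsnprintf(g_last, sizeof g_last, fmt, ap); }
int demo(void)
{
    handle_t h = { record_cb, NULL }; port_t p = { 0, 0, NULL };
    port_set_range(&p, 8080, 80);           /* reversed on purpose: low > high */
    int rc = port_check(&h, &p);            /* STATUS_ERR; text arrives via callback */
    if (port_set_proto(&h, &p, "tcp") != STATUS_SUCCESS) rc = -2;
    free(p.proto);
    return rc;
}
```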