From: Ivan Gyurdiev <ivg2@cornell.edu>
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: [ SEMANAGE ] Move seuser validation to proper place
Date: Wed, 09 Nov 2005 18:12:15 -0500
Message-ID: <4372824F.7050904@cornell.edu>

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]

Moves seuser validation from commit_components into merge_components.
This is the logical place for it - it's:

1) after modules are loaded and all components merged
2) inside the attach-detach section where policy has not been written 
back to disk
3) still in policy_components.c, which is supposedly backend-independent 
code.

This should result in a speedup, because the policy does not need to be 
re-read in for the sake of seuser validation, which was occurring in 
commit(). Note that seuser validation is incomplete at this point, since 
MLS checks are not done.


[-- Attachment #2: libsemanage.move_seuser_vcheck.diff --]
[-- Type: text/x-patch, Size: 1712 bytes --]

diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION old/libsemanage/src/policy_components.c new/libsemanage/src/policy_components.c
--- old/libsemanage/src/policy_components.c	2005-11-08 12:10:26.000000000 -0500
+++ new/libsemanage/src/policy_components.c	2005-11-09 17:48:32.000000000 -0500
@@ -63,6 +63,9 @@ typedef struct load_table {
 	int mode;
 } load_table_t;
 
+/* This function must be called AFTER all modules are loaded.
+ * Modules could be represented as a database, in which case
+ * they should be loaded first, before the other components. */
 int semanage_base_merge_components(
 	semanage_handle_t* handle) {
 
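Review bot: the new comment above semanage_base_merge_components() states an ordering requirement ("must be called AFTER all modules are loaded") without saying why or what happens if it is violated. Since this patch makes the function responsible for seuser validation, the comment should name that dependency, for example that seusers are validated here against the merged policy, so a caller who reorders the steps knows validation would run against incomplete data. The second sentence about modules "represented as a database" reads as a design note rather than a contract and would be clearer as a separate remark.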
@@ -88,6 +91,7 @@ int semanage_base_merge_components(
 	load_handler_arg_t load_arg;
 	load_arg.handle = handle;
 
+	/* Merge components into policy (and validate) */
 	for (i = 0; i < CCOUNT; i++) {
 		dbase_config_t* from = components[i].from;
 		dbase_config_t* to = components[i].to;
@@ -106,6 +110,10 @@ int semanage_base_merge_components(
 			handle, from->dbase, load_handler, &load_arg) < 0) 
 			goto err;
 	}	
+
+	/* Validate seusers against policy */
+	if (semanage_seuser_validate(handle) < 0)
+		goto err;
 	
 	return STATUS_SUCCESS;
 
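Review bot: the comment on the added semanage_seuser_validate() call says "Validate seusers against policy", but the commit message notes that seuser validation is incomplete because MLS checks are not done. That limitation should be recorded at the call site, for instance as a TODO in the comment, so a reader of policy_components.c does not take a successful return here as full validation of the seuser records.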
@@ -128,10 +136,6 @@ int semanage_commit_components(
 	};
 	const int CCOUNT = sizeof(components)/sizeof(components[0]);
 
-	/* Validate seusers */
-	if (semanage_seuser_validate(handle) < 0)
-		goto err;
-
 	for (i = 0; i < CCOUNT; i++) {
 		/* Flush to disk */
 		if (components[i]->dtable->flush(
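Review bot: with the semanage_seuser_validate() check removed from the top of semanage_commit_components(), the flush loop now writes to disk with no validation of its own and depends on semanage_base_merge_components() having run successfully earlier in the same transaction. Nothing in the visible lines documents or enforces that precondition. Suggest a comment on semanage_commit_components() stating that merge must have succeeded first, so that a future caller reaching commit by another path does not flush unvalidated seusers.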
@@ -139,7 +143,6 @@ int semanage_commit_components(
 			goto err;
 	}
 
-
 	/* Drop cache, because we're leaving transaction soon */
 	for (i=0; i < CCOUNT; i++)
 		components[i]->dtable->drop_cache(components[i]->dbase);
