[RFC][PATCH] libselinux: refactored SWIG bindings

[RFC][PATCH] libselinux: refactored SWIG bindings

[James Athey]

[-- Attachment #1: Type: text/plain, Size: 780 bytes --]

I've attached refactored SWIG bindings for libselinux.  As
requested, I've moved the Python specific wrappers into their own file.
Here are some of the highlights:

* Should leak a lot less memory, because the wrapper handles memory
management for lists and strings automatically
* security_get_boolean_names is now usable
* Instead of whitelisting functions to be wrapped, it blacklists
functions that should not be wrapped

It's still not an ideal wrapper, partly because many functions still
return two values - a return code, and the actual returned data.  In
every language except C, the desired semantics would be just returning
the data and throwing an exception if the return code != 0.  I didn't
add this feature because it would definitely break existing code.

~James


[-- Attachment #2: new_libselinux_swig_wrapper_short.patch --]
[-- Type: text/x-patch, Size: 12618 bytes --]

Index: libselinux/src/selinuxswig.i
===================================================================
--- libselinux/src/selinuxswig.i	(revision 2470)
+++ libselinux/src/selinuxswig.i	(working copy)
@@ -1,7 +1,9 @@
-/* Author: Dan Walsh
+/* Authors: Dan Walsh
+ *          James Athey
  *
  * Copyright (C) 2004-2005 Red Hat
- * 
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
@@ -17,170 +19,78 @@
  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */
 
-
 %module selinux
 %{
 	#include "selinux/selinux.h"
-	#include "selinux/get_context_list.h"
 %}
-%apply int *OUTPUT { int * };
+%apply int *OUTPUT { int *enforce };
 %apply int *OUTPUT { size_t * };
 
-%typemap(in, numinputs=0) security_context_t *(security_context_t temp=NULL) {
-	$1 = &temp;
-}
-%typemap(argout) security_context_t * (char *temp=NULL) {
-	if (*$1)
-		temp = *$1;
-	else
-		temp = "";
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(temp));
-}
+%typedef unsigned mode_t;
 
-%typemap(in) security_context_t {
-	$1 = (security_context_t)PyString_AsString($input);
+%typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
+	$1 = &temp1;
+	$2 = &temp2;
 }
 
-%typedef unsigned mode_t;
-
-%include "../include/selinux/get_context_list.h"
-
-extern int is_selinux_enabled(void);
-extern int is_selinux_mls_enabled(void);
-extern void freecon(security_context_t con);
-extern void freeconary(security_context_t * con);
-extern int getcon(security_context_t *con);
-extern int setcon(security_context_t con);
-extern int getpidcon(int pid, security_context_t *con);
-extern int getprevcon(security_context_t *con);
-extern int getexeccon(security_context_t *con);
-extern int setexeccon(security_context_t con);
-extern int getfscreatecon(security_context_t *con);
-extern int setfscreatecon(security_context_t context);
-extern int getkeycreatecon(security_context_t *con);
-extern int setkeycreatecon(security_context_t context);
-extern int getsockcreatecon(security_context_t *con);
-extern int setsockcreatecon(security_context_t context);
-extern int getfilecon(const char *path, security_context_t *con);
-extern int lgetfilecon(const char *path, security_context_t *con);
-extern int fgetfilecon(int fd, security_context_t *con);
-extern int setfilecon(const char *path, security_context_t con);
-extern int lsetfilecon(const char *path, security_context_t con);
-extern int fsetfilecon(int fd, security_context_t con);
-extern int getpeercon(int fd, security_context_t *con);
-extern int selinux_mkload_policy(int preservebools);
-extern int selinux_init_load_policy(int *enforce);
-extern int security_set_boolean_list(size_t boolcnt, 
-				     SELboolean *boollist, 
-				     int permanent);
-extern int security_load_booleans(char *path);
-extern int security_check_context(security_context_t con);
-extern int security_canonicalize_context(security_context_t con,
-					 security_context_t *canoncon);
-extern int security_getenforce(void);
-extern int security_setenforce(int value);
-extern int security_policyvers(void);
-extern int security_get_boolean_names(char ***names, int *len);
-extern int security_get_boolean_pending(const char *name);
-extern int security_get_boolean_active(const char *name);
-extern int security_set_boolean(const char *name, int value);
-extern int security_commit_booleans(void);
-
-/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
-#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
-#define MATCHPATHCON_NOTRANS  2 /* Do not perform any context translation. */
-extern void set_matchpathcon_flags(unsigned int flags);
-extern int matchpathcon_init(const char *path);
-extern int matchpathcon(const char *path,
-			mode_t mode,
-			security_context_t *con);
-
-extern int matchpathcon_init_prefix(const char *path,
-				    const char *prefix);
-extern void matchpathcon_fini(void);
-
-
-extern int matchmediacon(const char *media,
-		 security_context_t *con);
-
-extern int selinux_getenforcemode(int *enforce);
-extern const char *selinux_policy_root(void);
-extern const char *selinux_binary_policy_path(void);
-extern const char *selinux_failsafe_context_path(void);
-extern const char *selinux_removable_context_path(void);
-extern const char *selinux_default_context_path(void);
-extern const char *selinux_user_contexts_path(void);
-extern const char *selinux_file_context_path(void);
-extern const char *selinux_file_context_homedir_path(void);
-extern const char *selinux_file_context_local_path(void);
-extern const char *selinux_homedir_context_path(void);
-extern const char *selinux_media_context_path(void);
-extern const char *selinux_contexts_path(void);
-extern const char *selinux_securetty_types_path(void);
-extern const char *selinux_booleans_path(void);
-extern const char *selinux_customizable_types_path(void);
-extern const char *selinux_users_path(void);
-extern const char *selinux_usersconf_path(void);
-extern const char *selinux_translations_path(void);
-extern const char *selinux_netfilter_context_path(void);
-extern const char *selinux_path(void);
-#extern int selinux_check_passwd_access(access_vector_t requested);
-#extern int checkPasswdAccess(access_vector_t requested);
-
-extern int selinux_check_securetty_context(security_context_t tty_context);
-void set_selinuxmnt(char *mnt);
-
-#ifdef SWIGpython
-// This tells SWIG to treat char ** as a special case
-%typemap(in) char ** {
-  /* Check if is a list */
-  if (PyList_Check($input)) {
-    int size = PyList_Size($input);
-    int i = 0;
-    $1 = (char **) malloc((size+1)*sizeof(char *));
-    if ($1 == NULL) {
-	PyErr_SetString(PyExc_MemoryError,"Out of memory");
-	return NULL;
-    }
-    for (i = 0; i < size; i++) {
-      PyObject *o = PyList_GetItem($input,i);
-      if (PyString_Check(o))
-	$1[i] = PyString_AsString(PyList_GetItem($input,i));
-      else {
-	PyErr_SetString(PyExc_TypeError,"list must contain strings");
-	free($1);
-	return NULL;
-      }
-    }
-    $1[i] = 0;
-  } else {
-    PyErr_SetString(PyExc_TypeError,"not a list");
-    return NULL;
-  }
+%typemap(freearg) (char ***names, int *len) {
+	int i;
+	if (*$1) {
+		for (i = 0; i < *$2; i++) {
+			free((*$1)[i]);
+		}
+		free(*$1);
+	}
 }
-#endif
 
-extern int rpm_execcon(unsigned int verified, 
-		       const char *filename, 
-		       char **, char **);
-
-extern int is_context_customizable (security_context_t scontext);
-
-extern int selinux_trans_to_raw_context(char *trans, 
-					security_context_t *rawp);
-extern int selinux_raw_to_trans_context(char *raw, 
-					security_context_t *transp);
-
-%typemap(in, numinputs=0) char **(char *temp=NULL) {
+%typemap(in, numinputs=0) (security_context_t **) (security_context_t *temp) {
 	$1 = &temp;
 }
 
-%typemap(argout) char ** {
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(*$1));
+%typemap(freearg) (security_context_t **) {
+	if (*$1) freeconary(*$1);
 }
-extern int selinux_getpolicytype(char **enforce);
-extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
-int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
-int selinux_file_context_verify(const char *path, mode_t mode);
-int selinux_lsetfilecon_default(const char *path);
+/* Ignore functions that don't make sense when wrapped */
+%ignore freecon;
+%ignore freeconary;
+
+/* Ignore functions that take a function pointer as an argument */
+%ignore set_matchpathcon_printf;
+%ignore set_matchpathcon_invalidcon;
+%ignore set_matchpathcon_canoncon;
+
+/* Ignore the _raw functions, they are hidden_def'd */
+%ignore getcon_raw;
+%ignore setcon_raw;
+%ignore getpidcon_raw;
+%ignore getprevcon_raw;
+%ignore getexeccon_raw;
+%ignore setexeccon_raw;
+%ignore getfscreatecon_raw;
+%ignore setfscreatecon_raw;
+%ignore getkeycreatecon_raw;
+%ignore setkeycreatecon_raw;
+%ignore getsockcreatecon_raw;
+%ignore setsockcreatecon_raw;
+%ignore getfilecon_raw;
+%ignore lgetfilecon_raw;
+%ignore fgetfilecon_raw;
+%ignore setfilecon_raw;
+%ignore lsetfilecon_raw;
+%ignore fsetfilecon_raw;
+%ignore getpeercon_raw;
+%ignore security_compute_av_raw;
+%ignore security_compute_create_raw;
+%ignore security_compute_relabel_raw;
+%ignore security_compute_member_raw;
+%ignore security_compute_user_raw;
+%ignore security_get_initial_context_raw;
+%ignore security_check_context_raw;
+%ignore security_canonicalize_context_raw;
+%ignore selinux_raw_to_trans_context;
+%ignore selinux_trans_to_raw_context;
+
+%include "../include/selinux/selinux.h"
+%include "../include/selinux/get_default_type.h"
+%include "../include/selinux/get_context_list.h"
Index: libselinux/src/selinuxswig_python.i
===================================================================
--- libselinux/src/selinuxswig_python.i	(revision 0)
+++ libselinux/src/selinuxswig_python.i	(revision 0)
@@ -0,0 +1,101 @@
+/* Author: James Athey
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+%module selinux
+%{
+	#include "selinux/selinux.h"
+%}
+
+/* security_get_boolean_names() typemap */
+%typemap(argout) (char ***names, int *len) {
+	PyObject* list = PyList_New(*$2);
+	int i;
+	for (i = 0; i < *$2; i++) {
+		PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+	}
+	$result = SWIG_Python_AppendOutput($result, list);
+}
+
+/* Makes security_compute_user() return a Python list of contexts */
+%typemap(argout) (security_context_t **con) {
+	PyObject* plist;
+	int i, len = 0;
+	
+	if (*$1) {
+		while((*$1)[len])
+			len++;
+		plist = PyList_New(len);
+		for (i = 0; i < len; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+
+	$result = SWIG_Python_AppendOutput($result, plist);
+}
+
+/* Makes functions in get_context_list.h return a Python list of contexts */
+%typemap(argout) (security_context_t **list) {
+	PyObject* plist;
+	int i;
+	
+	if (*$1) {
+		plist = PyList_New(result);
+		for (i = 0; i < result; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+	/* Only return the Python list, don't need to return the length anymore */
+	$result = plist;
+}
+
+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") security_context_t * "";
+%typemap(argout,noblock=1) security_context_t * {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		freecon(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		free(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%include "selinuxswig.i"
Index: libselinux/src/Makefile
===================================================================
--- libselinux/src/Makefile	(revision 2470)
+++ libselinux/src/Makefile	(working copy)
@@ -12,7 +12,7 @@
 
 LIBA=libselinux.a 
 TARGET=libselinux.so
-SWIGIF= selinuxswig.i
+SWIGIF= selinuxswig_python.i
 SWIGCOUT= selinuxswig_wrap.c
 SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT)) 
 SWIGSO=_selinux.so

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[Stephen Smalley]

On Wed, 2007-06-13 at 10:27 -0400, James Athey wrote:
> I've attached refactored SWIG bindings for libselinux.  As
> requested, I've moved the Python specific wrappers into their own file.
> Here are some of the highlights:
> 
> * Should leak a lot less memory, because the wrapper handles memory
> management for lists and strings automatically
> * security_get_boolean_names is now usable
> * Instead of whitelisting functions to be wrapped, it blacklists
> functions that should not be wrapped
> 
> It's still not an ideal wrapper, partly because many functions still
> return two values - a return code, and the actual returned data.  In
> every language except C, the desired semantics would be just returning
> the data and throwing an exception if the return code != 0.  I didn't
> add this feature because it would definitely break existing code.

Ted reports that this patch solves his problems with the libselinux
python bindings.  However, I noticed that it breaks
system-config-selinux due to excluding selinux_raw_to_trans_context and
friends.  Dan, can you check over the patch and see if there are any
other omissions from these python bindings that you need?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[James Athey]

[-- Attachment #1: Type: text/plain, Size: 544 bytes --]

On Tue, 2007-06-19 at 07:40 -0400, Stephen Smalley wrote:
> Ted reports that this patch solves his problems with the libselinux
> python bindings.  However, I noticed that it breaks
> system-config-selinux due to excluding selinux_raw_to_trans_context and
> friends.  Dan, can you check over the patch and see if there are any
> other omissions from these python bindings that you need?

That's an oversight on my part - I had already included the _raw
functions in the wrapper, but had neglected to update the patch.

A new patch is attached.

[-- Attachment #2: libselinux_swig_with_raw.patch --]
[-- Type: text/x-patch, Size: 11232 bytes --]

Index: libselinux/src/selinuxswig.i
===================================================================
--- libselinux/src/selinuxswig.i	(revision 2476)
+++ libselinux/src/selinuxswig.i	(working copy)
@@ -1,7 +1,9 @@
-/* Author: Dan Walsh
+/* Authors: Dan Walsh
+ *          James Athey
  *
  * Copyright (C) 2004-2005 Red Hat
- * 
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
@@ -17,170 +19,47 @@
  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */
 
-
 %module selinux
 %{
 	#include "selinux/selinux.h"
-	#include "selinux/get_context_list.h"
 %}
-%apply int *OUTPUT { int * };
+%apply int *OUTPUT { int *enforce };
 %apply int *OUTPUT { size_t * };
 
-%typemap(in, numinputs=0) security_context_t *(security_context_t temp=NULL) {
-	$1 = &temp;
-}
-%typemap(argout) security_context_t * (char *temp=NULL) {
-	if (*$1)
-		temp = *$1;
-	else
-		temp = "";
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(temp));
-}
+%typedef unsigned mode_t;
 
-%typemap(in) security_context_t {
-	$1 = (security_context_t)PyString_AsString($input);
+%typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
+	$1 = &temp1;
+	$2 = &temp2;
 }
 
-%typedef unsigned mode_t;
-
-%include "../include/selinux/get_context_list.h"
-
-extern int is_selinux_enabled(void);
-extern int is_selinux_mls_enabled(void);
-extern void freecon(security_context_t con);
-extern void freeconary(security_context_t * con);
-extern int getcon(security_context_t *con);
-extern int setcon(security_context_t con);
-extern int getpidcon(int pid, security_context_t *con);
-extern int getprevcon(security_context_t *con);
-extern int getexeccon(security_context_t *con);
-extern int setexeccon(security_context_t con);
-extern int getfscreatecon(security_context_t *con);
-extern int setfscreatecon(security_context_t context);
-extern int getkeycreatecon(security_context_t *con);
-extern int setkeycreatecon(security_context_t context);
-extern int getsockcreatecon(security_context_t *con);
-extern int setsockcreatecon(security_context_t context);
-extern int getfilecon(const char *path, security_context_t *con);
-extern int lgetfilecon(const char *path, security_context_t *con);
-extern int fgetfilecon(int fd, security_context_t *con);
-extern int setfilecon(const char *path, security_context_t con);
-extern int lsetfilecon(const char *path, security_context_t con);
-extern int fsetfilecon(int fd, security_context_t con);
-extern int getpeercon(int fd, security_context_t *con);
-extern int selinux_mkload_policy(int preservebools);
-extern int selinux_init_load_policy(int *enforce);
-extern int security_set_boolean_list(size_t boolcnt, 
-				     SELboolean *boollist, 
-				     int permanent);
-extern int security_load_booleans(char *path);
-extern int security_check_context(security_context_t con);
-extern int security_canonicalize_context(security_context_t con,
-					 security_context_t *canoncon);
-extern int security_getenforce(void);
-extern int security_setenforce(int value);
-extern int security_policyvers(void);
-extern int security_get_boolean_names(char ***names, int *len);
-extern int security_get_boolean_pending(const char *name);
-extern int security_get_boolean_active(const char *name);
-extern int security_set_boolean(const char *name, int value);
-extern int security_commit_booleans(void);
-
-/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
-#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
-#define MATCHPATHCON_NOTRANS  2 /* Do not perform any context translation. */
-extern void set_matchpathcon_flags(unsigned int flags);
-extern int matchpathcon_init(const char *path);
-extern int matchpathcon(const char *path,
-			mode_t mode,
-			security_context_t *con);
-
-extern int matchpathcon_init_prefix(const char *path,
-				    const char *prefix);
-extern void matchpathcon_fini(void);
-
-
-extern int matchmediacon(const char *media,
-		 security_context_t *con);
-
-extern int selinux_getenforcemode(int *enforce);
-extern const char *selinux_policy_root(void);
-extern const char *selinux_binary_policy_path(void);
-extern const char *selinux_failsafe_context_path(void);
-extern const char *selinux_removable_context_path(void);
-extern const char *selinux_default_context_path(void);
-extern const char *selinux_user_contexts_path(void);
-extern const char *selinux_file_context_path(void);
-extern const char *selinux_file_context_homedir_path(void);
-extern const char *selinux_file_context_local_path(void);
-extern const char *selinux_homedir_context_path(void);
-extern const char *selinux_media_context_path(void);
-extern const char *selinux_contexts_path(void);
-extern const char *selinux_securetty_types_path(void);
-extern const char *selinux_booleans_path(void);
-extern const char *selinux_customizable_types_path(void);
-extern const char *selinux_users_path(void);
-extern const char *selinux_usersconf_path(void);
-extern const char *selinux_translations_path(void);
-extern const char *selinux_netfilter_context_path(void);
-extern const char *selinux_path(void);
-#extern int selinux_check_passwd_access(access_vector_t requested);
-#extern int checkPasswdAccess(access_vector_t requested);
-
-extern int selinux_check_securetty_context(security_context_t tty_context);
-void set_selinuxmnt(char *mnt);
-
-#ifdef SWIGpython
-// This tells SWIG to treat char ** as a special case
-%typemap(in) char ** {
-  /* Check if is a list */
-  if (PyList_Check($input)) {
-    int size = PyList_Size($input);
-    int i = 0;
-    $1 = (char **) malloc((size+1)*sizeof(char *));
-    if ($1 == NULL) {
-	PyErr_SetString(PyExc_MemoryError,"Out of memory");
-	return NULL;
-    }
-    for (i = 0; i < size; i++) {
-      PyObject *o = PyList_GetItem($input,i);
-      if (PyString_Check(o))
-	$1[i] = PyString_AsString(PyList_GetItem($input,i));
-      else {
-	PyErr_SetString(PyExc_TypeError,"list must contain strings");
-	free($1);
-	return NULL;
-      }
-    }
-    $1[i] = 0;
-  } else {
-    PyErr_SetString(PyExc_TypeError,"not a list");
-    return NULL;
-  }
+%typemap(freearg) (char ***names, int *len) {
+	int i;
+	if (*$1) {
+		for (i = 0; i < *$2; i++) {
+			free((*$1)[i]);
+		}
+		free(*$1);
+	}
 }
-#endif
 
-extern int rpm_execcon(unsigned int verified, 
-		       const char *filename, 
-		       char **, char **);
-
-extern int is_context_customizable (security_context_t scontext);
-
-extern int selinux_trans_to_raw_context(char *trans, 
-					security_context_t *rawp);
-extern int selinux_raw_to_trans_context(char *raw, 
-					security_context_t *transp);
-
-%typemap(in, numinputs=0) char **(char *temp=NULL) {
+%typemap(in, numinputs=0) (security_context_t **) (security_context_t *temp) {
 	$1 = &temp;
 }
 
-%typemap(argout) char ** {
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(*$1));
+%typemap(freearg) (security_context_t **) {
+	if (*$1) freeconary(*$1);
 }
-extern int selinux_getpolicytype(char **enforce);
-extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
-int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
-int selinux_file_context_verify(const char *path, mode_t mode);
-int selinux_lsetfilecon_default(const char *path);
+/* Ignore functions that don't make sense when wrapped */
+%ignore freecon;
+%ignore freeconary;
+
+/* Ignore functions that take a function pointer as an argument */
+%ignore set_matchpathcon_printf;
+%ignore set_matchpathcon_invalidcon;
+%ignore set_matchpathcon_canoncon;
+
+%include "../include/selinux/selinux.h"
+%include "../include/selinux/get_default_type.h"
+%include "../include/selinux/get_context_list.h"
Index: libselinux/src/selinuxswig_python.i
===================================================================
--- libselinux/src/selinuxswig_python.i	(revision 0)
+++ libselinux/src/selinuxswig_python.i	(revision 0)
@@ -0,0 +1,101 @@
+/* Author: James Athey
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+%module selinux
+%{
+	#include "selinux/selinux.h"
+%}
+
+/* security_get_boolean_names() typemap */
+%typemap(argout) (char ***names, int *len) {
+	PyObject* list = PyList_New(*$2);
+	int i;
+	for (i = 0; i < *$2; i++) {
+		PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+	}
+	$result = SWIG_Python_AppendOutput($result, list);
+}
+
+/* Makes security_compute_user() return a Python list of contexts */
+%typemap(argout) (security_context_t **con) {
+	PyObject* plist;
+	int i, len = 0;
+	
+	if (*$1) {
+		while((*$1)[len])
+			len++;
+		plist = PyList_New(len);
+		for (i = 0; i < len; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+
+	$result = SWIG_Python_AppendOutput($result, plist);
+}
+
+/* Makes functions in get_context_list.h return a Python list of contexts */
+%typemap(argout) (security_context_t **list) {
+	PyObject* plist;
+	int i;
+	
+	if (*$1) {
+		plist = PyList_New(result);
+		for (i = 0; i < result; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+	/* Only return the Python list, don't need to return the length anymore */
+	$result = plist;
+}
+
+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") security_context_t * "";
+%typemap(argout,noblock=1) security_context_t * {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		freecon(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		free(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%include "selinuxswig.i"

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[Daniel J Walsh]

James Athey wrote:
> On Tue, 2007-06-19 at 07:40 -0400, Stephen Smalley wrote:
>   
>> Ted reports that this patch solves his problems with the libselinux
>> python bindings.  However, I noticed that it breaks
>> system-config-selinux due to excluding selinux_raw_to_trans_context and
>> friends.  Dan, can you check over the patch and see if there are any
>> other omissions from these python bindings that you need?
>>     
>
> That's an oversight on my part - I had already included the _raw
> functions in the wrapper, but had neglected to update the patch.
>
> A new patch is attached.
>   
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 30, in <module>
    import sepolgen.module as module
  File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 27, 
in <module>
    import selinux
  File "/usr/lib/python2.5/site-packages/selinux.py", line 7, in <module>
    import _selinux
ImportError: /usr/lib/python2.5/site-packages/_selinux.so: undefined 
symbol: fsetfilecon_raw


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[James Athey]

[-- Attachment #1: Type: text/plain, Size: 124 bytes --]

The previous patch did not include the changes to the Makefile or the
typo fix to fsetfilecon.c.  Here's an updated patch.


[-- Attachment #2: libselinux_swig_with_raw_and_Makefile.patch --]
[-- Type: text/x-patch, Size: 12003 bytes --]

Index: libselinux/src/fsetfilecon.c
===================================================================
--- libselinux/src/fsetfilecon.c	(revision 2476)
+++ libselinux/src/fsetfilecon.c	(working copy)
@@ -13,7 +13,7 @@
 			 0);
 }
 
-hidden_def(setfilecon_raw)
+hidden_def(fsetfilecon_raw)
 
 int fsetfilecon(int fd, security_context_t context)
 {
Index: libselinux/src/selinuxswig.i
===================================================================
--- libselinux/src/selinuxswig.i	(revision 2476)
+++ libselinux/src/selinuxswig.i	(working copy)
@@ -1,7 +1,9 @@
-/* Author: Dan Walsh
+/* Authors: Dan Walsh
+ *          James Athey
  *
  * Copyright (C) 2004-2005 Red Hat
- * 
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
@@ -17,170 +19,47 @@
  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */
 
-
 %module selinux
 %{
 	#include "selinux/selinux.h"
-	#include "selinux/get_context_list.h"
 %}
-%apply int *OUTPUT { int * };
+%apply int *OUTPUT { int *enforce };
 %apply int *OUTPUT { size_t * };
 
-%typemap(in, numinputs=0) security_context_t *(security_context_t temp=NULL) {
-	$1 = &temp;
-}
-%typemap(argout) security_context_t * (char *temp=NULL) {
-	if (*$1)
-		temp = *$1;
-	else
-		temp = "";
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(temp));
-}
+%typedef unsigned mode_t;
 
-%typemap(in) security_context_t {
-	$1 = (security_context_t)PyString_AsString($input);
+%typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
+	$1 = &temp1;
+	$2 = &temp2;
 }
 
-%typedef unsigned mode_t;
-
-%include "../include/selinux/get_context_list.h"
-
-extern int is_selinux_enabled(void);
-extern int is_selinux_mls_enabled(void);
-extern void freecon(security_context_t con);
-extern void freeconary(security_context_t * con);
-extern int getcon(security_context_t *con);
-extern int setcon(security_context_t con);
-extern int getpidcon(int pid, security_context_t *con);
-extern int getprevcon(security_context_t *con);
-extern int getexeccon(security_context_t *con);
-extern int setexeccon(security_context_t con);
-extern int getfscreatecon(security_context_t *con);
-extern int setfscreatecon(security_context_t context);
-extern int getkeycreatecon(security_context_t *con);
-extern int setkeycreatecon(security_context_t context);
-extern int getsockcreatecon(security_context_t *con);
-extern int setsockcreatecon(security_context_t context);
-extern int getfilecon(const char *path, security_context_t *con);
-extern int lgetfilecon(const char *path, security_context_t *con);
-extern int fgetfilecon(int fd, security_context_t *con);
-extern int setfilecon(const char *path, security_context_t con);
-extern int lsetfilecon(const char *path, security_context_t con);
-extern int fsetfilecon(int fd, security_context_t con);
-extern int getpeercon(int fd, security_context_t *con);
-extern int selinux_mkload_policy(int preservebools);
-extern int selinux_init_load_policy(int *enforce);
-extern int security_set_boolean_list(size_t boolcnt, 
-				     SELboolean *boollist, 
-				     int permanent);
-extern int security_load_booleans(char *path);
-extern int security_check_context(security_context_t con);
-extern int security_canonicalize_context(security_context_t con,
-					 security_context_t *canoncon);
-extern int security_getenforce(void);
-extern int security_setenforce(int value);
-extern int security_policyvers(void);
-extern int security_get_boolean_names(char ***names, int *len);
-extern int security_get_boolean_pending(const char *name);
-extern int security_get_boolean_active(const char *name);
-extern int security_set_boolean(const char *name, int value);
-extern int security_commit_booleans(void);
-
-/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
-#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
-#define MATCHPATHCON_NOTRANS  2 /* Do not perform any context translation. */
-extern void set_matchpathcon_flags(unsigned int flags);
-extern int matchpathcon_init(const char *path);
-extern int matchpathcon(const char *path,
-			mode_t mode,
-			security_context_t *con);
-
-extern int matchpathcon_init_prefix(const char *path,
-				    const char *prefix);
-extern void matchpathcon_fini(void);
-
-
-extern int matchmediacon(const char *media,
-		 security_context_t *con);
-
-extern int selinux_getenforcemode(int *enforce);
-extern const char *selinux_policy_root(void);
-extern const char *selinux_binary_policy_path(void);
-extern const char *selinux_failsafe_context_path(void);
-extern const char *selinux_removable_context_path(void);
-extern const char *selinux_default_context_path(void);
-extern const char *selinux_user_contexts_path(void);
-extern const char *selinux_file_context_path(void);
-extern const char *selinux_file_context_homedir_path(void);
-extern const char *selinux_file_context_local_path(void);
-extern const char *selinux_homedir_context_path(void);
-extern const char *selinux_media_context_path(void);
-extern const char *selinux_contexts_path(void);
-extern const char *selinux_securetty_types_path(void);
-extern const char *selinux_booleans_path(void);
-extern const char *selinux_customizable_types_path(void);
-extern const char *selinux_users_path(void);
-extern const char *selinux_usersconf_path(void);
-extern const char *selinux_translations_path(void);
-extern const char *selinux_netfilter_context_path(void);
-extern const char *selinux_path(void);
-#extern int selinux_check_passwd_access(access_vector_t requested);
-#extern int checkPasswdAccess(access_vector_t requested);
-
-extern int selinux_check_securetty_context(security_context_t tty_context);
-void set_selinuxmnt(char *mnt);
-
-#ifdef SWIGpython
-// This tells SWIG to treat char ** as a special case
-%typemap(in) char ** {
-  /* Check if is a list */
-  if (PyList_Check($input)) {
-    int size = PyList_Size($input);
-    int i = 0;
-    $1 = (char **) malloc((size+1)*sizeof(char *));
-    if ($1 == NULL) {
-	PyErr_SetString(PyExc_MemoryError,"Out of memory");
-	return NULL;
-    }
-    for (i = 0; i < size; i++) {
-      PyObject *o = PyList_GetItem($input,i);
-      if (PyString_Check(o))
-	$1[i] = PyString_AsString(PyList_GetItem($input,i));
-      else {
-	PyErr_SetString(PyExc_TypeError,"list must contain strings");
-	free($1);
-	return NULL;
-      }
-    }
-    $1[i] = 0;
-  } else {
-    PyErr_SetString(PyExc_TypeError,"not a list");
-    return NULL;
-  }
+%typemap(freearg) (char ***names, int *len) {
+	int i;
+	if (*$1) {
+		for (i = 0; i < *$2; i++) {
+			free((*$1)[i]);
+		}
+		free(*$1);
+	}
 }
-#endif
 
-extern int rpm_execcon(unsigned int verified, 
-		       const char *filename, 
-		       char **, char **);
-
-extern int is_context_customizable (security_context_t scontext);
-
-extern int selinux_trans_to_raw_context(char *trans, 
-					security_context_t *rawp);
-extern int selinux_raw_to_trans_context(char *raw, 
-					security_context_t *transp);
-
-%typemap(in, numinputs=0) char **(char *temp=NULL) {
+%typemap(in, numinputs=0) (security_context_t **) (security_context_t *temp) {
 	$1 = &temp;
 }
 
-%typemap(argout) char ** {
-	$result = SWIG_Python_AppendOutput($result, PyString_FromString(*$1));
+%typemap(freearg) (security_context_t **) {
+	if (*$1) freeconary(*$1);
 }
-extern int selinux_getpolicytype(char **enforce);
-extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
-int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
-int selinux_file_context_verify(const char *path, mode_t mode);
-int selinux_lsetfilecon_default(const char *path);
+/* Ignore functions that don't make sense when wrapped */
+%ignore freecon;
+%ignore freeconary;
+
+/* Ignore functions that take a function pointer as an argument */
+%ignore set_matchpathcon_printf;
+%ignore set_matchpathcon_invalidcon;
+%ignore set_matchpathcon_canoncon;
+
+%include "../include/selinux/selinux.h"
+%include "../include/selinux/get_default_type.h"
+%include "../include/selinux/get_context_list.h"
Index: libselinux/src/selinuxswig_python.i
===================================================================
--- libselinux/src/selinuxswig_python.i	(revision 0)
+++ libselinux/src/selinuxswig_python.i	(revision 0)
@@ -0,0 +1,101 @@
+/* Author: James Athey
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+%module selinux
+%{
+	#include "selinux/selinux.h"
+%}
+
+/* security_get_boolean_names() typemap */
+%typemap(argout) (char ***names, int *len) {
+	PyObject* list = PyList_New(*$2);
+	int i;
+	for (i = 0; i < *$2; i++) {
+		PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+	}
+	$result = SWIG_Python_AppendOutput($result, list);
+}
+
+/* Makes security_compute_user() return a Python list of contexts */
+%typemap(argout) (security_context_t **con) {
+	PyObject* plist;
+	int i, len = 0;
+	
+	if (*$1) {
+		while((*$1)[len])
+			len++;
+		plist = PyList_New(len);
+		for (i = 0; i < len; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+
+	$result = SWIG_Python_AppendOutput($result, plist);
+}
+
+/* Makes functions in get_context_list.h return a Python list of contexts */
+%typemap(argout) (security_context_t **list) {
+	PyObject* plist;
+	int i;
+	
+	if (*$1) {
+		plist = PyList_New(result);
+		for (i = 0; i < result; i++) {
+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+		}
+	} else {
+		plist = PyList_New(0);
+	}
+	/* Only return the Python list, don't need to return the length anymore */
+	$result = plist;
+}
+
+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") security_context_t * "";
+%typemap(argout,noblock=1) security_context_t * {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		freecon(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
+	$1 = &temp;
+}
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
+	if (*$1) {
+		%append_output(SWIG_FromCharPtr(*$1));
+		free(*$1);
+	}
+	else {
+		Py_INCREF(Py_None);
+		%append_output(Py_None);
+	}
+}
+
+%include "selinuxswig.i"
Index: libselinux/src/Makefile
===================================================================
--- libselinux/src/Makefile	(revision 2476)
+++ libselinux/src/Makefile	(working copy)
@@ -12,7 +12,7 @@
 
 LIBA=libselinux.a 
 TARGET=libselinux.so
-SWIGIF= selinuxswig.i
+SWIGIF= selinuxswig_python.i
 SWIGCOUT= selinuxswig_wrap.c
 SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT)) 
 SWIGSO=_selinux.so

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[Daniel J Walsh]

James Athey wrote:
> The previous patch did not include the changes to the Makefile or the
> typo fix to fsetfilecon.c.  Here's an updated patch.
>
>   
I have played with this patch and system-config-selinux and semanage 
seem to be working.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[Stephen Smalley]

On Tue, 2007-06-19 at 15:51 -0400, James Athey wrote:
> The previous patch did not include the changes to the Makefile or the
> typo fix to fsetfilecon.c.  Here's an updated patch.

Thanks, merged.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC][PATCH] libselinux: refactored SWIG bindings

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Athey wrote:
> I've attached refactored SWIG bindings for libselinux.  As
> requested, I've moved the Python specific wrappers into their own file.
> Here are some of the highlights:
> 
> * Should leak a lot less memory, because the wrapper handles memory
> management for lists and strings automatically
> * security_get_boolean_names is now usable
> * Instead of whitelisting functions to be wrapped, it blacklists
> functions that should not be wrapped
> 
> It's still not an ideal wrapper, partly because many functions still
> return two values - a return code, and the actual returned data.  In
> every language except C, the desired semantics would be just returning
> the data and throwing an exception if the return code != 0.  I didn't
> add this feature because it would definitely break existing code.
> 
> ~James
> 
> 

https://bugzilla.redhat.com/show_bug.cgi?id=276121

Bug in refactored SWIG Bindings.


#!/usr/bin/python

import selinux
args = [ "/bin/bash", "--version" ]
selinux.rpm_execcon(0, args[0], args, [ ])

Produces:

Traceback (most recent call last):
  File "test.py", line 5, in <module>
    selinux.rpm_execcon(0, args[0], args, [ ])
TypeError: in method 'rpm_execcon', argument 3 of type 'char *const []'

Version-Release number of selected component (if applicable):
libselinux-2.0.31-3.fc8

James do  you have a nice quick fix for this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG3WpsrlYvE4MpobMRAr6CAJ92i9x0z8pCLfrlLk8IxveRTAY1RgCdGl81
So55zob/LavO32xM1vQCdnc=
=qMG5
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH] libselinux: fix rpm_execcon in SWIG bindings

[James Athey]

[-- Attachment #1: Type: text/plain, Size: 727 bytes --]

On Tue, 2007-09-04 at 10:23 -0400, Daniel J Walsh wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=276121
> 
> Bug in refactored SWIG Bindings.
> 
> 
> #!/usr/bin/python
> 
> import selinux
> args = [ "/bin/bash", "--version" ]
> selinux.rpm_execcon(0, args[0], args, [ ])
> 
> Produces:
> 
> Traceback (most recent call last):
>   File "test.py", line 5, in <module>
>     selinux.rpm_execcon(0, args[0], args, [ ])
> TypeError: in method 'rpm_execcon', argument 3 of type 'char *const []'
> 
> Version-Release number of selected component (if applicable):
> libselinux-2.0.31-3.fc8
> 
> James do  you have a nice quick fix for this?

It's nice, it's quick, and I think it's a fix, but I'll let you be the
judge of that.


[-- Attachment #2: libselinux_swig_rpm_execcon.patch --]
[-- Type: text/x-patch, Size: 1080 bytes --]

Index: libselinux/src/selinuxswig_python.i
===================================================================
--- libselinux/src/selinuxswig_python.i	(revision 2549)
+++ libselinux/src/selinuxswig_python.i	(working copy)
@@ -98,4 +98,41 @@
 	}
 }
 
+%typemap(in) char * const [] {
+	int i, size;
+	PyObject * s;
+
+	if (!PySequence_Check($input)) {
+		PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+		return NULL;
+	}
+
+	size = PySequence_Size($input);
+	
+	$1 = (char**) malloc(size + 1);
+
+	for(i = 0; i < size; i++) {
+		if (!PyString_Check(PySequence_GetItem($input, i))) {
+			PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+			return NULL;
+		}
+	}
+		
+	for(i = 0; i < size; i++) {
+		s = PySequence_GetItem($input, i);
+		$1[i] = (char*) malloc(PyString_Size(s) + 1);
+		strcpy($1[i], PyString_AsString(s));
+	}
+	$1[size] = NULL;
+}
+
+%typemap(freearg,match="in") char * const [] {
+	int i = 0;
+	while($1[i]) {
+		free($1[i]);
+		i++;
+	}
+	free($1);
+}
+
 %include "selinuxswig.i"

Re: [PATCH] libselinux: fix rpm_execcon in SWIG bindings

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Athey wrote:
> On Tue, 2007-09-04 at 10:23 -0400, Daniel J Walsh wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=276121
>>
>> Bug in refactored SWIG Bindings.
>>
>>
>> #!/usr/bin/python
>>
>> import selinux
>> args = [ "/bin/bash", "--version" ]
>> selinux.rpm_execcon(0, args[0], args, [ ])
>>
>> Produces:
>>
>> Traceback (most recent call last):
>>   File "test.py", line 5, in <module>
>>     selinux.rpm_execcon(0, args[0], args, [ ])
>> TypeError: in method 'rpm_execcon', argument 3 of type 'char *const []'
>>
>> Version-Release number of selected component (if applicable):
>> libselinux-2.0.31-3.fc8
>>
>> James do  you have a nice quick fix for this?
> 
> It's nice, it's quick, and I think it's a fix, but I'll let you be the
> judge of that.
> 
> 
Works for me.

Updated in rawhide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG3/ScrlYvE4MpobMRAqDWAKCb82kdVoqccXUk1KDyGw17kzyRBACghIlB
V4pH947JvzdUUxeKITc+qUU=
=+ZBw
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.