Re: libselinux does not work properly in upstart/initrd

[Daniel J Walsh <dwalsh@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2831 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Thu, 2008-02-28 at 13:48 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
>>>> On Thu, 2008-02-28 at 12:33 -0500, Daniel J Walsh wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=434793
>>>>>
>>>>> The way the upstart initrd works is to run nash with a builtin
>>>>> loadpolicy.  The problem is nash starts before the /sysmount files
>>>>> system is mounted, so libselinux does not have an /etc/selinux/config to
>>>>> read.  It defaults to targeted.  So when nash finally executes
>>>>> loadpolicy (selinux_init_load_policy) it has the wrong config.
>>>>> Switching to any other type of policy will fail and
>>>>> selinux_init_load_policy will look for targeted.
>>>>>
>>>>> I changed this function to reload the config, to fix this problem.
>>>>>
>>>>> I think I did all the hidden stuff correctly.  I don't think we want to
>>>>> expose these functions.
>>>> To make a function hidden, just mark it with hidden.
>>>> hidden_def and hidden_proto are about creating a private definition
>>>> within the library for intra-library calls that do not cause a
>>>> relocation, not about hiding the definition altogether.
>>>>
> So the hidden_def and hidden_proto lines can be removed as login as the
> extern hidden remains.
>>>> Concerns about this patch:
>>>> - it isn't thread safe,
> selinux_init_load_policy should not be called repeatedly, or probably
> from a threaded app.
>>>> - it only "fixes" the load policy case, not any other libselinux
>>>> function call.
> Well this is a very strange occurrance where the config is not there and
> then when the function gets called, it is there.
> 
>> Fair enough - we can just handle this specific case then.
>> I'd suggest a single reset_selinux_config() or similar function added to
>> src/selinux_config.c that does the fini_ and init_ calls internally, and
>> then call that single function from load policy.
> 
>>>> As an alternative, maybe we should revive Steve Grubb's lazy init patch
>>>> for libselinux?  That won't reload each time, but will defer the initial
>>>> reading until you first invoke a libselinux function.  The last version
>>>> of the patch that I saw is attached.
>>>>
>>>>
>>
- --
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.

New simplified patch to reset the selinux_config.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfHDRMACgkQrlYvE4MpobNEjACgygyCp4ISNXrpMajwozPEbqwH
2kQAoLgnTNDv9KlsFpIBGGYnCEFHThfA
=HcRn
-----END PGP SIGNATURE-----

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 1527 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/src/load_policy.c libselinux-2.0.57/src/load_policy.c
--- nsalibselinux/src/load_policy.c	2008-02-13 11:16:14.000000000 -0500
+++ libselinux-2.0.57/src/load_policy.c	2008-02-28 14:30:24.000000000 -0500
@@ -308,6 +308,12 @@
 	FILE *cfg;
 	char *buf;
 
+
+	/*
+	  Reinitialize the library, so chroot will work correctly.
+	 */
+	reset_selinux_config();
+
 	/*
 	 * Get desired mode (disabled, permissive, enforcing) from 
 	 * /etc/selinux/config. 
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-2.0.57/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_config.c	2008-02-28 14:33:02.000000000 -0500
@@ -223,6 +223,12 @@
 	selinux_policytype = NULL;
 }
 
+void reset_selinux_config(void)
+{
+	fini_selinux_policyroot();
+	init_selinux_config();
+}
+
 static const char *get_path(int idx)
 {
 	return file_paths[idx];
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-2.0.57/src/selinux_internal.h
--- nsalibselinux/src/selinux_internal.h	2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_internal.h	2008-02-28 14:30:24.000000000 -0500
@@ -80,6 +80,7 @@
 hidden_proto(security_get_initial_context);
 hidden_proto(security_get_initial_context_raw);
 
+extern void reset_selinux_config(void) hidden;
 extern int load_setlocaldefs hidden;
 extern int require_seusers hidden;
 extern int selinux_page_size hidden;

[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]