From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SE Linux <selinux@tycho.nsa.gov>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
Joshua Brindle <jbrindle@tresys.com>
Subject: Re: [patch] libselinux: handle conflicting file contexts as a fatal error
Date: Fri, 18 Jul 2008 15:04:52 -0400
Message-ID: <4880E954.5070601@redhat.com>
In-Reply-To: <1216407672.17602.366.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> Ensure that conflicting file context errors are propagated to the
> caller. This causes setfiles -c to exit with an error status, which in
> turn causes libsemanage to roll back the transaction and prevents such
> entries from being added by semanage.
>
> Duplicate same entries are left as warnings-only since they don't create
> any ambiguity for file labeling.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> ---
>
> Index: trunk/libselinux/src/label_file.c
> ===================================================================
> --- trunk/libselinux/src/label_file.c (revision 2927)
> +++ trunk/libselinux/src/label_file.c (working copy)
> @@ -146,8 +146,9 @@
> /*
> * Warn about duplicate specifications.
> */
> -static void nodups_specs(struct saved_data *data, const char *path)
> +static int nodups_specs(struct saved_data *data, const char *path)
> {
> + int rc = 0;
> unsigned int ii, jj;
> struct spec *curr_spec, *spec_arr = data->spec_arr;
>
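Review bot: the comment above nodups_specs() still reads "Warn about duplicate specifications", but after this change the function returns -1 with errno = EINVAL for conflicting specifications and only identical duplicates stay warnings; update the comment to describe the return value (0 on success, -1 on conflicting entries), since callers now act on it.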
> @@ -161,8 +162,10 @@
> if (strcmp
> (spec_arr[jj].lr.ctx_raw,
> curr_spec->lr.ctx_raw)) {
> + rc = -1;
> + errno = EINVAL;
> COMPAT_LOG
> - (SELINUX_WARNING,
> + (SELINUX_ERROR,
> "%s: Multiple different specifications for %s (%s and %s).\n",
> path, curr_spec->regex_str,
> spec_arr[jj].lr.ctx_raw,
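Review bot: errno = EINVAL is set before the COMPAT_LOG call in the same branch, and the logging path can modify errno, so a caller reading errno after the -1 return is not guaranteed to see EINVAL; set errno once after the scan (just before returning rc) instead. Setting rc and continuing the loop rather than returning on the first hit is the right choice, since every conflicting pair gets reported in one pass.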
> @@ -176,6 +179,7 @@
> }
> }
> }
> + return rc;
> }
>
> /* Determine if the regular expression specification has any meta characters. */
> @@ -503,6 +507,10 @@
> }
> free(line_buf);
>
> + status = nodups_specs(data, path);
> + if (status)
> + goto finish;
> +
> /* Move exact pathname specifications to the end. */
> spec_copy = malloc(sizeof(spec_t) * data->nspec);
> if (!spec_copy)
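Review bot: the `goto finish` path on a nodups_specs() failure runs fclose(fp) before returning, and a failing fclose() overwrites the EINVAL set in nodups_specs(), so either save errno around the cleanup or set it after finish: in this function. Running the check before the exact-pathname reordering is fine, as the check only reads per-spec fields (regex_str, ctx_raw) that the reordering does not change, and it avoids the spec_copy allocation for a file that is going to be rejected anyway.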
> @@ -519,8 +527,6 @@
> free(data->spec_arr);
> data->spec_arr = spec_copy;
>
> - nodups_specs(data, path);
> -
> status = 0;
> finish:
> fclose(fp);
>
What about the other half. Why are we allowing you to add dups that match?
If we are going to blab on about it being a problem then we should not
allow it in the first place.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
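The check the patch makes fatal, as an added stand-alone illustration (this is not libselinux code and not part of the message above): a small parser for "regex [-type] context" lines followed by the pairwise scan nodups_specs() performs, treating the same regex with different contexts as an error (errno = EINVAL) and an identical repeated entry as a warning only. The sample file_contexts fragment is constructed for the example, the type-field handling (two explicit, different file types are not duplicates of each other) is this example's simplification of the real matcher, and function names such as `check_dup_specs` and `check_sample` are this example's own.

```c
/* Added example, not libselinux code. Models the duplicate/conflict
 * check on file_contexts entries; sample input is constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 64
#define MAX_LINE  512

struct spec {
	char regex[256];
	char type[8];   /* optional file-type field like "--" or "-d"; "" if absent */
	char ctx[128];
};

struct spec_set {
	struct spec arr[MAX_SPECS];
	unsigned n;
};

/* Parse "regex [-type] context". Returns 1 if *out was filled,
 * 0 for blank/comment lines, -1 for malformed input. */
int parse_spec_line(const char *line, struct spec *out)
{
	char buf[MAX_LINE];
	const char *regex, *type, *ctx;

	snprintf(buf, sizeof buf, "%s", line);
	buf[strcspn(buf, "\r\n")] = '\0';
	regex = strtok(buf, " \t");
	if (!regex || *regex == '#')
		return 0;
	type = strtok(NULL, " \t");
	if (!type)
		return -1;
	if (type[0] == '-' && strlen(type) == 2) {
		ctx = strtok(NULL, " \t");
		if (!ctx)
			return -1;
	} else {
		ctx = type;   /* no file-type field on this line */
		type = "";
	}
	snprintf(out->regex, sizeof out->regex, "%s", regex);
	snprintf(out->type, sizeof out->type, "%s", type);
	snprintf(out->ctx, sizeof out->ctx, "%s", ctx);
	return 1;
}

/* Parse an array of lines into *set; returns the spec count or -1. */
int load_specs(const char *const *lines, unsigned nlines, struct spec_set *set)
{
	unsigned i;

	set->n = 0;
	for (i = 0; i < nlines; i++) {
		int rc;
		if (set->n == MAX_SPECS)
			return -1;
		rc = parse_spec_line(lines[i], &set->arr[set->n]);
		if (rc < 0)
			return -1;
		set->n += rc;
	}
	return (int)set->n;
}

/* Counterpart of nodups_specs(): compare each spec with every earlier one.
 * Same regex, different context: fatal. Identical entry: warning only.
 * Returns 0, or -1 with errno = EINVAL. */
int check_dup_specs(const struct spec_set *set, unsigned *ndups, unsigned *nconflicts)
{
	int rc = 0;
	unsigned ii, jj;

	*ndups = *nconflicts = 0;
	for (ii = 0; ii < set->n; ii++) {
		const struct spec *cur = &set->arr[ii];
		for (jj = 0; jj < ii; jj++) {
			const struct spec *prev = &set->arr[jj];

			if (strcmp(prev->regex, cur->regex))
				continue;
			/* Two explicit, different file types never label the same inode. */
			if (prev->type[0] && cur->type[0] && strcmp(prev->type, cur->type))
				continue;
			if (strcmp(prev->ctx, cur->ctx)) {
				(*nconflicts)++;
				rc = -1;
				fprintf(stderr, "error: multiple different specifications for %s (%s and %s)\n",
					cur->regex, prev->ctx, cur->ctx);
			} else {
				(*ndups)++;
				fprintf(stderr, "warning: multiple same specifications for %s\n", cur->regex);
			}
		}
	}
	if (rc)
		errno = EINVAL;   /* set after logging so the log calls cannot clobber it */
	return rc;
}

/* Constructed file_contexts fragment; not taken from any real policy. */
static const char *const sample_fc[] = {
	"# constructed sample",
	"/usr/sbin/httpd\t--\tsystem_u:object_r:httpd_exec_t:s0",
	"/var/www(/.*)?\t\tsystem_u:object_r:httpd_sys_content_t:s0",
	"/var/www(/.*)?\t\tsystem_u:object_r:httpd_sys_content_t:s0",       /* exact duplicate */
	"/var/www/cgi-bin(/.*)?\tsystem_u:object_r:httpd_sys_script_exec_t:s0",
	"/var/www/cgi-bin(/.*)?\tsystem_u:object_r:httpd_sys_content_t:s0",  /* conflict */
	"/srv/data(/.*)?\t-d\tsystem_u:object_r:var_t:s0",
	"/srv/data(/.*)?\t--\tsystem_u:object_r:httpd_sys_content_t:s0",     /* distinct types */
};

/* Run the check over the constructed sample; -2 if parsing fails. */
int check_sample(unsigned *ndups, unsigned *nconflicts)
{
	struct spec_set set;

	if (load_specs(sample_fc, sizeof sample_fc / sizeof sample_fc[0], &set) < 0)
		return -2;
	return check_dup_specs(&set, ndups, nconflicts);
}

int main(void)
{
	unsigned d, c;
	int rc = check_sample(&d, &c);

	printf("rc=%d duplicates=%u conflicts=%u\n", rc, d, c);
	return rc ? 1 : 0;
}
```

On the sample, the /var/www pair is reported as a warning and the /var/www/cgi-bin pair as an error, so the check returns -1; the /srv/data entries carry different explicit types and are not compared. The errno assignment sits after the loop on purpose, which is the ordering the patch's in-loop `errno = EINVAL` would also benefit from.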
Thread overview:
2008-07-18 17:16 Patch to make libselinux shut up when SELinux is disabled Daniel J Walsh
2008-07-18 17:27 ` Stephen Smalley
2008-07-18 17:40 ` Daniel J Walsh
2008-07-18 17:54 ` Stephen Smalley
2008-07-18 18:34 ` [rfc][patch] setfiles: validate all file_contexts files when using -c Stephen Smalley
2008-07-18 18:37 ` [rfc][patch] setfiles: validate all file_contexts files whenusing -c Joshua Brindle
2008-07-18 18:47 ` Stephen Smalley
2008-07-18 19:09 ` [rfc][patch] setfiles: validate all file_contexts fileswhenusing -c Joshua Brindle
2008-07-18 19:10 ` Stephen Smalley
2008-07-18 19:12 ` [rfc][patch] setfiles: validate all file_contextsfileswhenusing -c Joshua Brindle
2008-07-18 19:23 ` Stephen Smalley
2008-07-18 19:01 ` [patch] libselinux: handle conflicting file contexts as a fatal error Stephen Smalley
2008-07-18 19:04 ` Daniel J Walsh [this message]
2008-07-18 19:09 ` [patch v2] libselinux: handle duplicate file context entries " Stephen Smalley
2008-07-18 18:50 ` Patch to make libselinux shut up when SELinux is disabled Daniel J Walsh
2008-08-04 15:06 ` Paul Howarth
2008-08-04 17:42 ` Daniel J Walsh
2008-08-05 13:50 ` Paul Howarth
2008-08-04 17:51 ` Stephen Smalley