From: Steve Lawrence <slawrence@tresys.com>
To: Kohei KaiGai <kaigai@kaigai.gr.jp>
Cc: KaiGai Kohei <kohei.kaigai@EU.NEC.COM>,
SELinux-NSA <selinux@tycho.nsa.gov>
Subject: Re: libselinux: add selinux_status_* interfaces for /selinux/status
Date: Tue, 01 Mar 2011 12:53:56 -0500
Message-ID: <4D6D32B4.9050108@tresys.com>
In-Reply-To: <AANLkTines9S4PR-G2bX00CmV=4NUW3YGs67p4hp5WUBw@mail.gmail.com>
On 02/11/2011 04:09 PM, Kohei KaiGai wrote:
>> The patch looks okay to me, but I'm seeing unexpected behavior with the
>> selinux_status_policyload(). For example, when running your sample
>> status.c code, I get the following (I'm just calling load_policy after
>> each line is printed):
>>
>> # ./status
>> -- selinux kernel status page --
>> policyload = 0, enforcing = 1, deny_unknown = 0
>> policyload = 2, enforcing = 1, deny_unknown = 0
>> policyload = 3, enforcing = 1, deny_unknown = 0
>> policyload = 4, enforcing = 1, deny_unknown = 0
>>
>> policyload jumps from 0 to 2 when reloading policy the first time, but
>> all other policy loads after that are incremented by 1, as expected. And
>> it doesn't matter if it's using mmap or falls back to netlink. Same
>> behavior in both cases.
>>
>> It doesn't look like the problem is in this patch, so I'm guessing this
>> is a problem in the kernel? Or am I missing something and this is the
>> correct behavior?
>>
> It is a specification, not a problem. :-)
>
> See the manpage part of the patch. It says ...
>
> | +.BR selinux_status_policyload
> | +returns times of policy reloaded on the running system, or -1 on error.
> | +Note that it is not a reliable value on fallback-mode until it receive
> | +the first event message via netlink socket.
> | +Thus, don't use this value to know actual times of policy reloaded.
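Review bot: the wording of the selinux_status_policyload entry in this manpage hunk is hard to parse and should be tightened before merge: "returns times of policy reloaded on the running system" reads better as "returns the number of times the policy has been reloaded on the running system", and "until it receive the first event message" should be "until it receives the first event message". It would also help to state what value fallback mode reports before that first netlink message (the text only says it is not reliable), since a caller that compares successive readings needs to know which reading to discard.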
>
> When we use this interface in fallback mode, it opens a netlink socket
> to receive messages from the kernel space.
> The message packet delivers to userspace the number of policy reloads,
> so it also means the application cannot know that information until it
> receives the first message packet.
>
> As the manpage says, our recommended usage of selinux_status_policyload()
> in fallback mode is detection of the policy reloaded event, not knowing
> the actual number of policy reloads in the system.
>
> Of course, when /selinux/status is available, this interface always returns
> the correct number.
>
> Thanks,
I see, looks good then.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Merged into libselinux as of 2.0.99.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
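An added example, not code from this thread or from libselinux, showing the two things the discussion turns on: how a consumer reads the kernel status page without taking a lock (the sequence field is a seqlock, odd while the kernel is writing), and how to treat the policyload value the way the quoted manpage text says: a change indicator in fallback mode, a real count only when the page itself is mapped. The struct layout is assumed from the kernel's selinux_kernel_status (version 1 format) and is not quoted in the thread; the paths /sys/fs/selinux/status and /selinux/status are assumed mount points; status_read, status_page_update, policy_reload_check and reload_tracker are names chosen here. When the host has no status page the program drives a constructed in-memory page so it still runs. The netlink fallback itself is not implemented, only the consumer-side rule for its policyload value.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Layout of the page the kernel exports at /selinux/status, assumed here from the
 * kernel's struct selinux_kernel_status (version 1); the thread does not quote it. */
struct selinux_kernel_status {
    uint32_t version;      /* 0 until the kernel has initialised the page */
    uint32_t sequence;     /* seqlock counter: odd while the kernel is writing */
    uint32_t enforcing;
    uint32_t policyload;   /* times the policy has been loaded since boot */
    uint32_t deny_unknown;
} __attribute__((packed));

struct status_snapshot { uint32_t enforcing, policyload, deny_unknown; };
#define STATUS_MAX_SPINS 100000u

/* Lock-free reader: take the sequence, wait out an in-progress update (odd value),
 * copy the fields, retry if the sequence moved. 0 on success, -1 on invalid page
 * or a writer that never finishes. */
static int status_read(const volatile struct selinux_kernel_status *page,
                       struct status_snapshot *out)
{
    uint32_t before, after, spins = 0;
    if (page->version == 0) return -1;
    do {
        before = page->sequence;
        while (before & 1) {                    /* writer in progress: wait, bounded */
            if (++spins > STATUS_MAX_SPINS) return -1;
            before = page->sequence;
        }
        out->enforcing    = page->enforcing;
        out->policyload   = page->policyload;
        out->deny_unknown = page->deny_unknown;
        after = page->sequence;
    } while (before != after);
    return 0;
}

/* Stand-in for the kernel writer so the example runs without SELinux: odd
 * sequence, store the fields, even sequence (the kernel adds write barriers). */
static void status_page_update(struct selinux_kernel_status *page, uint32_t enforcing,
                               uint32_t policyload, uint32_t deny_unknown)
{
    page->version = 1;
    page->sequence++;
    page->enforcing = enforcing; page->policyload = policyload; page->deny_unknown = deny_unknown;
    page->sequence++;
}

enum status_mode { STATUS_MMAP, STATUS_FALLBACK };
struct reload_tracker { enum status_mode mode; bool primed; uint32_t last; };
/* Consume a policyload reading as the quoted manpage text recommends: a change is
 * a reload event in either mode, but only the mmap path gives a trustworthy count.
 * Returns 1 if a reload happened since the previous call, else 0; *delta gets the
 * count in mmap mode and stays 0 (unknown) in fallback mode. First call primes. */
static int policy_reload_check(struct reload_tracker *t, uint32_t policyload,
                               uint32_t *delta)
{
    *delta = 0;
    if (!t->primed) { t->primed = true; t->last = policyload; return 0; }
    if (policyload == t->last) return 0;
    if (t->mode == STATUS_MMAP) *delta = policyload - t->last;
    t->last = policyload;
    return 1;
}

int main(void)
{
    /* Assumed paths: /sys/fs/selinux on current kernels, /selinux in the thread. */
    static const char *paths[] = { "/sys/fs/selinux/status", "/selinux/status" };
    struct selinux_kernel_status local = { 0 };
    const volatile struct selinux_kernel_status *page = NULL;
    struct reload_tracker t = { STATUS_MMAP, false, 0 };
    struct status_snapshot s; uint32_t delta;
    for (size_t i = 0; i < 2 && page == NULL; i++) {
        int fd = open(paths[i], O_RDONLY);
        if (fd < 0) continue;
        void *m = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_READ, MAP_SHARED, fd, 0);
        close(fd);
        if (m != MAP_FAILED) page = m;
    }
    if (page == NULL) {                      /* no SELinux here: drive a constructed page */
        status_page_update(&local, 1, 1, 0);
        page = &local;
    }
    if (status_read(page, &s) < 0) return 1;
    policy_reload_check(&t, s.policyload, &delta);          /* prime from first read */
    printf("policyload = %u, enforcing = %u, deny_unknown = %u\n",
           s.policyload, s.enforcing, s.deny_unknown);
    if (page == &local) {                                   /* simulate two reloads */
        status_page_update(&local, 1, 3, 0);
        if (status_read(page, &s) == 0 && policy_reload_check(&t, s.policyload, &delta))
            printf("policy reloaded %u time(s)\n", delta);
    }
    return 0;
}
```

The spin budget in status_read is the one thing a real consumer should think about: a mapped page whose writer is mid-update will normally complete within a few reads, but a reader that spins unbounded on a corrupted or stale mapping never returns, so the bound turns that into an error the caller can report. A tracker constructed with STATUS_FALLBACK deliberately never reports a count, which matches the manpage guidance that the value is only meaningful as an event indicator until the first netlink message arrives.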
Thread overview: 7+ messages
2011-01-22 13:42 libselinux: add selinux_status_* interfaces for /selinux/status Kohei KaiGai
2011-01-27 1:02 ` KaiGai Kohei
2011-02-09 14:05 ` Kohei Kaigai
2011-02-11 20:27 ` Steve Lawrence
2011-02-11 21:09 ` Kohei KaiGai
2011-03-01 17:53 ` Steve Lawrence [this message]
2011-03-07 17:07 ` Kohei Kaigai