* [PATCH 006/155] libselinux: do not check fcontext duplicates on use
From: Daniel J Walsh @ 2011-08-03 20:48 UTC
To: eparis; +Cc: selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This patch looks good to me. acked.

[-- Attachment #2: 0006-libselinux-do-not-check-fcontext-duplicates-on-use.patch --]
[-- Type: text/plain, Size: 0 bytes --]
* Re: [PATCH 006/155] libselinux: do not check fcontext duplicates on use
From: Stephen Smalley @ 2011-08-04 14:48 UTC
To: Daniel J Walsh; +Cc: eparis, selinux

On Wed, 2011-08-03 at 16:48 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> This patch looks good to me. acked.

>From 576af10294e14d03660708d3f7eddf49e71897d7 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Tue, 28 Jun 2011 21:37:38 -0400
Subject: [PATCH 006/155] libselinux: do not check fcontext duplicates on use

Tools like restorecon or systemd, which load the fcontext database to
make labeling decisions do not need to check for duplicate rules. Only
the first rule will be used. Instead we should only check for
duplicates when new rules are added to the database. And fail the
transaction if we find one.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 libselinux/src/label_file.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index af7fd8f..3b8346d 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -485,7 +485,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, pass, ++lineno) != 0) goto finish; } - if (pass == 1) { + if (pass == 1 && rec->validating) { status = nodups_specs(data, path); if (status) goto finish; This seems like the wrong fix to me. rec->validating is set based on whether the application passed SELABEL_OPT_VALIDATE in the selinux_opt array to selabel_open(). So you should fix the applications that set this option if you do not want this behavior. Not silently ignore what they requested while leaving the field and option flag intact. -- Stephen Smalley National Security Agency [-- Attachment #2: 0006-libselinux-do-not-check-fcontext-duplicates-on-use.patch --] [-- Type: text/x-patch, Size: 1120 bytes --] >From 576af10294e14d03660708d3f7eddf49e71897d7 Mon Sep 17 00:00:00 2001 From: Eric Paris <eparis@redhat.com> Date: Tue, 28 Jun 2011 21:37:38 -0400 Subject: [PATCH 006/155] libselinux: do not check fcontext duplicates on use Tools like restorecon or systemd, which load the fcontext database to make labeling decisions do not need to check for duplicate rules. Only the first rule will be used. Instead we should only check for duplicates when new rules are added to the database. And fail the transaction if we find one. Signed-off-by: Eric Paris <eparis@redhat.com> --- libselinux/src/label_file.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index af7fd8f..3b8346d 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -485,7 +485,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, pass, ++lineno) != 0) goto finish; } - if (pass == 1) { + if (pass == 1 && rec->validating) { status = nodups_specs(data, path); if (status) goto finish; -- 1.7.6 ^ permalink raw reply related [flat|nested] 4+ messages in thread
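Review bot: the commit message and the hunk describe different changes. The message says duplicate checking should move to the point where rules are added to the database and fail that transaction, but the hunk only makes the existing pass-1 `nodups_specs(data, path)` call conditional on `rec->validating`, which this thread notes is derived from SELABEL_OPT_VALIDATE passed to selabel_open(). Please restate the message as what the diff does (skip the duplicate check unless the caller asked for validation) and update the documented meaning of SELABEL_OPT_VALIDATE, since the thread also notes its original sense was validating the contexts themselves; otherwise a caller that sets the flag to validate contexts now also hard-fails on duplicate rules, and a caller that omits it silently loses the duplicate check. Naming the affected callers from the discussion (restorecon/fixfiles without the flag, semanage fcontext with it) in the message would help reviewers, as the follow-up shows the change was initially read backwards.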
* Re: [PATCH 006/155] libselinux: do not check fcontext duplicates on use
From: Eric Paris @ 2011-08-04 14:52 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, selinux

On 08/04/2011 10:48 AM, Stephen Smalley wrote:
> On Wed, 2011-08-03 at 16:48 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> This patch looks good to me. acked.
>
>>From 576af10294e14d03660708d3f7eddf49e71897d7 Mon Sep 17 00:00:00 2001
> From: Eric Paris <eparis@redhat.com>
> Date: Tue, 28 Jun 2011 21:37:38 -0400
> Subject: [PATCH 006/155] libselinux: do not check fcontext duplicates on use
>
> Tools like restorecon or systemd, which load the fcontext database to
> make labeling decisions do not need to check for duplicate rules. Only
> the first rule will be used. Instead we should only check for
> duplicates when new rules are added to the database. And fail the
> transaction if we find one.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> libselinux/src/label_file.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index af7fd8f..3b8346d 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -485,7 +485,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, > pass, ++lineno) != 0) > goto finish; > } > - if (pass == 1) { > + if (pass == 1 && rec->validating) { > status = nodups_specs(data, path); > if (status) > goto finish; > > > This seems like the wrong fix to me. rec->validating is set based on > whether the application passed SELABEL_OPT_VALIDATE in the selinux_opt > array to selabel_open(). So you should fix the applications that set > this option if you do not want this behavior. Not silently ignore what > they requested while leaving the field and option flag intact. I don't understand. Before this patch rec->validating wasn't being used at all and we always checked for dups. With this patch we actually pay attention to what the application set. As it turns out restorecon/fixfiles don't set the flag, but semanage fcontext does, so this is actually a case where the programs were right but the underlying library was wrong. I'm fixing the library to pay attention to the flag. What am I missing? -Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
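The behaviour the thread argues about, as an added example that is not libselinux code and not written by anyone in this thread: a toy file_contexts-style database loaded from constructed sample lines, a duplicate pass in the spirit of nodups_specs(), and a `validating` argument standing in for rec->validating / SELABEL_OPT_VALIDATE. With validation off, a duplicated regex loads and lookups silently use whichever copy the lookup order reaches first (first match in this toy; real libselinux precedence is not modelled here); with validation on, the load is rejected, which is the hard failure semanage-style tooling wants and restorecon-style tooling would rather skip. All names, the sample lines and the simplified duplicate rule are assumptions made for the example.

```c
/* Added example, not libselinux code: a toy file_contexts database that
 * models the duplicate-rule check this thread discusses.  `validating`
 * stands in for rec->validating (SELABEL_OPT_VALIDATE); names, sample
 * lines and first-match lookup are constructed here, not libselinux's. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 16

struct spec {
    char regex_str[64];   /* regex text as written in the file */
    char context[64];     /* security context to apply */
    regex_t re;           /* compiled, anchored form of regex_str */
};

struct db {
    struct spec specs[MAX_SPECS];
    int nspecs;
};

/* Constructed samples; the third line of the first repeats a regex. */
static const char *sample_with_dup[] = {
    "/etc/shadow   system_u:object_r:shadow_t:s0",
    "/etc(/.*)?    system_u:object_r:etc_t:s0",
    "/etc/shadow   system_u:object_r:etc_t:s0",
    NULL
};
static const char *sample_clean[] = {
    "/etc/shadow   system_u:object_r:shadow_t:s0",
    "/etc(/.*)?    system_u:object_r:etc_t:s0",
    NULL
};

/* Parse one "regex context" line; regex compiled anchored to the whole path. */
static int parse_line(const char *line, struct spec *s) {
    char anchored[80];
    if (sscanf(line, "%63s %63s", s->regex_str, s->context) != 2)
        return -1;
    snprintf(anchored, sizeof anchored, "^%s$", s->regex_str);
    return regcomp(&s->re, anchored, REG_EXTENDED | REG_NOSUB) ? -1 : 0;
}

/* Toy counterpart of nodups_specs(): a regex that appears twice is an error. */
static int nodups(const struct db *d) {
    for (int i = 0; i < d->nspecs; i++)
        for (int j = i + 1; j < d->nspecs; j++)
            if (strcmp(d->specs[i].regex_str, d->specs[j].regex_str) == 0)
                return -1;
    return 0;
}

static void db_free(struct db *d) {
    for (int i = 0; i < d->nspecs; i++)
        regfree(&d->specs[i].re);
    d->nspecs = 0;
}

/* Load all lines; duplicates fail the load only when validating is set. */
static int db_load(struct db *d, const char **lines, int validating) {
    d->nspecs = 0;
    for (; *lines; lines++) {
        if (d->nspecs == MAX_SPECS ||
            parse_line(*lines, &d->specs[d->nspecs]) != 0)
            return -1;
        d->nspecs++;
    }
    return (validating && nodups(d) != 0) ? -1 : 0;
}

/* First match wins in this toy, so an unchecked duplicate silently decides. */
static const char *db_lookup(const struct db *d, const char *path) {
    for (int i = 0; i < d->nspecs; i++)
        if (regexec(&d->specs[i].re, path, 0, NULL, 0) == 0)
            return d->specs[i].context;
    return NULL;
}

/* Load, look up one path, free.  NULL if the load was rejected or no match. */
static const char *load_and_lookup(const char **lines, int validating,
                                   const char *path) {
    static char result[64];
    struct db d;
    const char *ctx = NULL;
    if (db_load(&d, lines, validating) == 0 && (ctx = db_lookup(&d, path)))
        snprintf(result, sizeof result, "%s", ctx);
    db_free(&d);
    return ctx ? result : NULL;
}

int main(void) {
    const char *c = load_and_lookup(sample_with_dup, 0, "/etc/shadow");
    printf("validating=0, duplicate present: %s\n", c ? c : "(rejected or no match)");
    c = load_and_lookup(sample_with_dup, 1, "/etc/shadow");
    printf("validating=1, duplicate present: %s\n", c ? c : "(rejected or no match)");
    c = load_and_lookup(sample_clean, 1, "/etc/passwd");
    printf("validating=1, clean database:    %s\n", c ? c : "(rejected or no match)");
    return 0;
}
```

The point to take from running it is that the `validating` switch changes nothing for a clean database and only decides whether a duplicate is a load-time error or a silent, order-dependent outcome at lookup time; that is why the thread cares which callers set the flag.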
* Re: [PATCH 006/155] libselinux: do not check fcontext duplicates on use
From: Stephen Smalley @ 2011-08-04 15:14 UTC
To: Eric Paris; +Cc: Daniel J Walsh, selinux

On Thu, 2011-08-04 at 10:52 -0400, Eric Paris wrote:
> I don't understand. Before this patch rec->validating wasn't being used
> at all and we always checked for dups. With this patch we actually pay
> attention to what the application set. As it turns out
> restorecon/fixfiles don't set the flag, but semanage fcontext does, so
> this is actually a case where the programs were right but the underlying
> library was wrong. I'm fixing the library to pay attention to the flag.
> What am I missing?

Oops, I read the patch backwards. Never mind. Technically the library
was correct in that the original meaning of validate was to validate the
contexts, but I suppose this fits with the sense of it.

--
Stephen Smalley
National Security Agency