From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SE-Linux <selinux@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
Linux Hotplug Dev List
<linux-hotplug-devel@lists.sourceforge.net>
Subject: Re: matchfilecon (the program) vs matchfilecon (the libselinux1 fn)
Date: Tue, 03 Aug 2004 13:37:55 +0000
Message-ID: <20040803133755.GC4043@lkcl.net>
In-Reply-To: <1091531491.7645.5.camel@moss-spartans.epoch.ncsc.mil>

On Tue, Aug 03, 2004 at 07:11:32AM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-02 at 17:12, Luke Kenneth Casson Leighton wrote:
> > okay, quick question: if i use setfscreatecon(), is it a "one-time"
> > create, or is it effective on all creates up until the time that
> > freecon() is called?
>
> Once set, the fscreate context remains set for all file creations until
> the program explicitly resets it (via another setfscreatecon() call) or
> the program performs an execve (in which case the context is reset so
> that all programs start in a known state, defaulting to the
> policy-defined labeling behavior).

eek okay so i should use getcon() and restore the context afterwards.

> The freecon() is irrelevant to the
> "lifetime" of the fscreate context, as it just frees the context in the
> application's memory; it doesn't affect the saved value for the task in
> the kernel.

ack.

> > [because if it's "up until freecon() is called", then the bug that
> > the selinux patch to udev was suffering from was that free(scontext)
> > was being used instead of freecon().]
>
> While it is preferable to use freecon() for encapsulation, it is
> presently true that freecon(x) = free(x).
>
> With regard to your patch, please pass the actual mode to matchpathcon,
> not 0, as the second parameter. This allows the matching to take into
> account the file type, e.g. whether it is a character device or a block
> device.

oh yeah i forgot.

l.