From mboxrd@z Thu Jan 1 00:00:00 1970
From: Luke Kenneth Casson Leighton
Date: Tue, 03 Aug 2004 13:37:55 +0000
Subject: Re: matchfilecon (the program) vs matchfilecon (the libselinux1 fn)
Message-Id: <20040803133755.GC4043@lkcl.net>
List-Id:
References: <20040801172751.GD20103@lkcl.net>
	<1091455223.23449.66.camel@moss-spartans.epoch.ncsc.mil>
	<20040802145724.GG4194@lkcl.net>
	<1091458325.23449.102.camel@moss-spartans.epoch.ncsc.mil>
	<20040802191243.GJ4194@lkcl.net>
	<1091474356.23449.272.camel@moss-spartans.epoch.ncsc.mil>
	<20040802211212.GB6260@lkcl.net>
	<1091531491.7645.5.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1091531491.7645.5.camel@moss-spartans.epoch.ncsc.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Stephen Smalley
Cc: SE-Linux , Daniel J Walsh , Linux Hotplug Dev List

On Tue, Aug 03, 2004 at 07:11:32AM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-02 at 17:12, Luke Kenneth Casson Leighton wrote:
> > okay, quick question: if i use setfscreatecon(), is it a "one-time"
> > create, or is it effective on all creates up until the time that
> > freecon() is called?
>
> Once set, the fscreate context remains set for all file creations until
> the program explicitly resets it (via another setfscreatecon() call) or
> the program performs an execve (in which case the context is reset so
> that all programs start in a known state, defaulting to the
> policy-defined labeling behavior).

eek okay so i should use getcon() and restore the context afterwards.

> The freecon() is irrelevant to the
> "lifetime" of the fscreate context, as it just frees the context in the
> application's memory; it doesn't affect the saved value for the task in
> the kernel.

ack.

> > [because if it's "up until freecon() is called", then the bug that
> > the selinux patch to udev was suffering from was that free(scontext)
> > was being used instead of freecon().]
>
> While it is preferable to use freecon() for encapsulation, it is
> presently true that freecon(x) = free(x).
>
> With regard to your patch, please pass the actual mode to matchpathcon,
> not 0, as the second parameter. This allows the matching to take into
> account the file type, e.g. whether it is a character device or a block
> device.

oh yeah i forgot.

l.