Re: [PATCH] mcstrans: Fix translation for uncached entries

[Petr Lautrbach <lautrbach@redhat.com>]

James Carter <jwcart2@gmail.com> writes:

> On Mon, Feb 16, 2026 at 2:48 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>>
>> trans_context:
>> In case the raw context is not found in cache (find_in_hashtable returns
>> NULL) and the context does not contain a dash (dashp == NULL),
>> compute_trans_from_raw gets executed, but the translation (trans) gets
>> freed immediately after caching, at the end of the "for" loop.
>>
>> untrans_context:
>> Same as trans_context, if the translation is not cached and "range" does
>> not contain a dash, compute_raw_from_trans is called, but the
>> translation (raw) gets freed right after the reverse translation is
>> computed and cached.
>>
>> Also, fix the README for "nato" example and add README for "pipes"
>> example of setrans configuration.
>>
>> Fixes:
>>   Pipes/NATO examples from /usr/share/mcstrans/examples
>>
>>   $ /usr/share/mcstrans/util/mlstrans-test pipes.test
>> untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
>> mlstrans-test done with 6 errors
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>

Merged.

>> ---
>>
>> While working on this patch, I also noticed that s0 is treated
>> differently in the mcstrans code (as also noted by [1] and [2]).
>> Could anyone help shed some light on the reason for this?
>>
>> Thank you.
>>
>> [1] - https://github.com/SELinuxProject/selinux/issues/191#issuecomment-566124541
>> [2] - https://lore.kernel.org/selinux/0f7263c2-b16e-2979-cc55-9454a402b6a4@gmail.com/
>>
>>  mcstrans/share/examples/nato/README  |  8 +++-----
>>  mcstrans/share/examples/pipes/README | 10 ++++++++++
>>  mcstrans/src/mcstrans.c              |  5 ++++-
>>  3 files changed, 17 insertions(+), 6 deletions(-)
>>  create mode 100644 mcstrans/share/examples/pipes/README
>>
>> diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
>> index b8b30bf7..7d75e0d6 100644
>> --- a/mcstrans/share/examples/nato/README
>> +++ b/mcstrans/share/examples/nato/README
>> @@ -1,12 +1,10 @@
>>  NATO example test setrans.conf
>>
>>  To use:
>> -mkdir /etc/selinux/mls/mcstrand.d
>> -cp rel.conf /etc/selinux/mls/mcstrand.d
>> -cp eyes-only.conf /etc/selinux/mls/mcstrand.d
>> -cp constraints.conf /etc/selinux/mls/mcstrand.d
>> +rm -f /etc/selinux/mls/setrans.d/*
>> +cp setrans.d/*  /etc/selinux/mls/setrans.d
>>  cp setrans.conf /etc/selinux/mls/setrans.conf
>> -sudo run_init /etc/init.d/mcstrans restart
>> +run_init /etc/init.d/mcstrans restart
>>
>>  To test:
>>  /usr/share/mcstrans/util/mlstrans-test nato.test
>> diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
>> new file mode 100644
>> index 00000000..3963d300
>> --- /dev/null
>> +++ b/mcstrans/share/examples/pipes/README
>> @@ -0,0 +1,10 @@
>> +PIPES example test setrans.conf
>> +
>> +To use:
>> +rm -f /etc/selinux/mls/setrans.d/*
>> +cp setrans.d/*  /etc/selinux/mls/setrans.d
>> +cp setrans.conf /etc/selinux/mls/setrans.conf
>> +run_init /etc/init.d/mcstrans restart
>> +
>> +To test:
>> +/usr/share/mcstrans/util/mlstrans-test pipes.test
>> diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
>> index f18f9da9..5ef6a0b9 100644
>> --- a/mcstrans/src/mcstrans.c
>> +++ b/mcstrans/src/mcstrans.c
>> @@ -1578,12 +1578,14 @@ trans_context(const char *incon, char **rcon) {
>>                         urange = dashp+1;
>>                 } else {
>>                         trans = compute_trans_from_raw(range, domain);
>> -                       if (trans)
>> +                       if (trans) {
>>                                 if (add_cache(domain, range, trans) < 0) {
>>                                         free(trans);
>>                                         free(range);
>>                                         return -1;
>>                                 }
>> +                               break;
>> +                       }
>>                 }
>>
>>                 if (lrange && urange) {
>> @@ -1728,6 +1730,7 @@ untrans_context(const char *incon, char **rcon) {
>>                                         free(raw);
>>                                         return -1;
>>                                 }
>> +                               break;
>>                         } else {
>>                                 log_debug("untrans_context unable to compute raw context %s\n", range);
>>                         }
>> --
>> 2.52.0
>>
>>