SELinux Security Module development
* [PATCH] mcstrans: Fix translation for uncached entries
@ 2026-02-16 19:40 Vit Mojzis
  2026-04-15 17:45 ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Vit Mojzis @ 2026-02-16 19:40 UTC (permalink / raw)
  To: selinux

trans_context:
In case the raw context is not found in cache (find_in_hashtable returns
NULL) and the context does not contain a dash (dashp == NULL),
compute_trans_from_raw gets executed, but the translation (trans) gets
freed immediately after caching, at the end of the "for" loop.

untrans_context:
Same as trans_context, if the translation is not cached and "range" does
not contain a dash, compute_raw_from_trans is called, but the
translation (raw) gets freed right after the reverse translation is
computed and cached.

Also, fix the README for "nato" example and add README for "pipes"
example of setrans configuration.

Fixes:
  Pipes/NATO examples from /usr/share/mcstrans/examples

  $ /usr/share/mcstrans/util/mlstrans-test pipes.test
untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
mlstrans-test done with 6 errors

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---

While working on this patch, I also noticed that s0 is treated
differently in the mcstrans code (as also noted by [1] and [2]).
Could anyone help shed some light on the reason for this?

Thank you.

[1] - https://github.com/SELinuxProject/selinux/issues/191#issuecomment-566124541
[2] - https://lore.kernel.org/selinux/0f7263c2-b16e-2979-cc55-9454a402b6a4@gmail.com/

 mcstrans/share/examples/nato/README  |  8 +++-----
 mcstrans/share/examples/pipes/README | 10 ++++++++++
 mcstrans/src/mcstrans.c              |  5 ++++-
 3 files changed, 17 insertions(+), 6 deletions(-)
 create mode 100644 mcstrans/share/examples/pipes/README

diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
index b8b30bf7..7d75e0d6 100644
--- a/mcstrans/share/examples/nato/README
+++ b/mcstrans/share/examples/nato/README
@@ -1,12 +1,10 @@
 NATO example test setrans.conf
 
 To use:
-mkdir /etc/selinux/mls/mcstrand.d
-cp rel.conf /etc/selinux/mls/mcstrand.d
-cp eyes-only.conf /etc/selinux/mls/mcstrand.d
-cp constraints.conf /etc/selinux/mls/mcstrand.d
+rm -f /etc/selinux/mls/setrans.d/*
+cp setrans.d/*  /etc/selinux/mls/setrans.d
 cp setrans.conf /etc/selinux/mls/setrans.conf
-sudo run_init /etc/init.d/mcstrans restart
+run_init /etc/init.d/mcstrans restart
 
 To test:
 /usr/share/mcstrans/util/mlstrans-test nato.test
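Review bot: the new `rm -f /etc/selinux/mls/setrans.d/*` step silently deletes whatever setrans.d fragments the administrator already has installed, and nothing in the README says so; add a line stating that the example replaces the live setrans configuration (or suggest backing the directory up first). Dropping `sudo` from the `run_init` line is consistent, since the `rm -f` and `cp` into /etc need root as well, but then the README should say the steps are run as root. The removed lines pointed at `mcstrand.d` and copied individual .conf files, so replacing them with the `setrans.d` path and `cp setrans.d/*` is the right fix for a README that no longer matched the example tree.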
diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
new file mode 100644
index 00000000..3963d300
--- /dev/null
+++ b/mcstrans/share/examples/pipes/README
@@ -0,0 +1,10 @@
+PIPES example test setrans.conf
+
+To use:
+rm -f /etc/selinux/mls/setrans.d/*
+cp setrans.d/*  /etc/selinux/mls/setrans.d
+cp setrans.conf /etc/selinux/mls/setrans.conf
+run_init /etc/init.d/mcstrans restart
+
+To test:
+/usr/share/mcstrans/util/mlstrans-test pipes.test
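Review bot: same `rm -f /etc/selinux/mls/setrans.d/*` concern as in the nato README: the new file should say that it overwrites the live setrans configuration and that the steps need root. Minor: the double space in `cp setrans.d/*  /etc/selinux/mls/setrans.d` is copied from the nato README and is harmless, but worth normalizing in both files while they are being touched.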
diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
index f18f9da9..5ef6a0b9 100644
--- a/mcstrans/src/mcstrans.c
+++ b/mcstrans/src/mcstrans.c
@@ -1578,12 +1578,14 @@ trans_context(const char *incon, char **rcon) {
 			urange = dashp+1;
 		} else {
 			trans = compute_trans_from_raw(range, domain);
-			if (trans)
+			if (trans) {
 				if (add_cache(domain, range, trans) < 0) {
 					free(trans);
 					free(range);
 					return -1;
 				}
+				break;
+			}
 		}
 
 		if (lrange && urange) {
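Review bot: the `break;` is the whole fix, but the reason it is needed (without it the loop continues, `trans` is freed at the end of the `for` body and the computed translation is lost, as the failing `mlstrans-test` run in the commit message shows) is only recorded in the commit message; a one-line comment above `break;` such as `/* translation computed and cached; stop before the end-of-loop free */` would keep that from being undone by the next refactor. The error path stays consistent: on `add_cache()` failure `trans` and `range` are freed and -1 is returned before the `break` is reached, so the new brace block does not change ownership on failure. The `break` only fires when `compute_trans_from_raw()` returned non-NULL, so a domain that cannot translate `range` still falls through to the `if (lrange && urange)` check and the next iteration as before.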
@@ -1728,6 +1730,7 @@ untrans_context(const char *incon, char **rcon) {
 					free(raw);
 					return -1;
 				}
+				break;
 			} else {
 				log_debug("untrans_context unable to compute raw context %s\n", range);
 			}
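Review bot: same comment as for trans_context: add a short comment above this `break;` explaining that it exits the loop before `raw` is freed, since the hunk context alone does not show why stopping here is correct. The `else` branch that logs `untrans_context unable to compute raw context` still continues to the next domain, so the two functions now behave symmetrically. It would also help to paste the passing `mlstrans-test pipes.test` run into the commit message next to the failing one, so the fix is verifiable from the log alone.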
-- 
2.52.0



* Re: [PATCH] mcstrans: Fix translation for uncached entries
  2026-02-16 19:40 [PATCH] mcstrans: Fix translation for uncached entries Vit Mojzis
@ 2026-04-15 17:45 ` James Carter
  2026-04-21 12:45   ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2026-04-15 17:45 UTC (permalink / raw)
  To: Vit Mojzis; +Cc: selinux

On Mon, Feb 16, 2026 at 2:48 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> trans_context:
> In case the raw context is not found in cache (find_in_hashtable returns
> NULL) and the context does not contain a dash (dashp == NULL),
> compute_trans_from_raw gets executed, but the translation (trans) gets
> freed immediately after caching, at the end of the "for" loop.
>
> untrans_context:
> Same as trans_context, if the translation is not cached and "range" does
> not contain a dash, compute_raw_from_trans is called, but the
> translation (raw) gets freed right after the reverse translation is
> computed and cached.
>
> Also, fix the README for "nato" example and add README for "pipes"
> example of setrans configuration.
>
> Fixes:
>   Pipes/NATO examples from /usr/share/mcstrans/examples
>
>   $ /usr/share/mcstrans/util/mlstrans-test pipes.test
> untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
> untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
> untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
> untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
> untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
> untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
> mlstrans-test done with 6 errors
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>
> While working on this patch, I also noticed that s0 is treated
> differently in the mcstrans code (as also noted by [1] and [2]).
> Could anyone help shed some light on the reason for this?
>
> Thank you.
>
> [1] - https://github.com/SELinuxProject/selinux/issues/191#issuecomment-566124541
> [2] - https://lore.kernel.org/selinux/0f7263c2-b16e-2979-cc55-9454a402b6a4@gmail.com/
>
>  mcstrans/share/examples/nato/README  |  8 +++-----
>  mcstrans/share/examples/pipes/README | 10 ++++++++++
>  mcstrans/src/mcstrans.c              |  5 ++++-
>  3 files changed, 17 insertions(+), 6 deletions(-)
>  create mode 100644 mcstrans/share/examples/pipes/README
>
> diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
> index b8b30bf7..7d75e0d6 100644
> --- a/mcstrans/share/examples/nato/README
> +++ b/mcstrans/share/examples/nato/README
> @@ -1,12 +1,10 @@
>  NATO example test setrans.conf
>
>  To use:
> -mkdir /etc/selinux/mls/mcstrand.d
> -cp rel.conf /etc/selinux/mls/mcstrand.d
> -cp eyes-only.conf /etc/selinux/mls/mcstrand.d
> -cp constraints.conf /etc/selinux/mls/mcstrand.d
> +rm -f /etc/selinux/mls/setrans.d/*
> +cp setrans.d/*  /etc/selinux/mls/setrans.d
>  cp setrans.conf /etc/selinux/mls/setrans.conf
> -sudo run_init /etc/init.d/mcstrans restart
> +run_init /etc/init.d/mcstrans restart
>
>  To test:
>  /usr/share/mcstrans/util/mlstrans-test nato.test
> diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
> new file mode 100644
> index 00000000..3963d300
> --- /dev/null
> +++ b/mcstrans/share/examples/pipes/README
> @@ -0,0 +1,10 @@
> +PIPES example test setrans.conf
> +
> +To use:
> +rm -f /etc/selinux/mls/setrans.d/*
> +cp setrans.d/*  /etc/selinux/mls/setrans.d
> +cp setrans.conf /etc/selinux/mls/setrans.conf
> +run_init /etc/init.d/mcstrans restart
> +
> +To test:
> +/usr/share/mcstrans/util/mlstrans-test pipes.test
> diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
> index f18f9da9..5ef6a0b9 100644
> --- a/mcstrans/src/mcstrans.c
> +++ b/mcstrans/src/mcstrans.c
> @@ -1578,12 +1578,14 @@ trans_context(const char *incon, char **rcon) {
>                         urange = dashp+1;
>                 } else {
>                         trans = compute_trans_from_raw(range, domain);
> -                       if (trans)
> +                       if (trans) {
>                                 if (add_cache(domain, range, trans) < 0) {
>                                         free(trans);
>                                         free(range);
>                                         return -1;
>                                 }
> +                               break;
> +                       }
>                 }
>
>                 if (lrange && urange) {
> @@ -1728,6 +1730,7 @@ untrans_context(const char *incon, char **rcon) {
>                                         free(raw);
>                                         return -1;
>                                 }
> +                               break;
>                         } else {
>                                 log_debug("untrans_context unable to compute raw context %s\n", range);
>                         }
> --
> 2.52.0
>
>


* Re: [PATCH] mcstrans: Fix translation for uncached entries
  2026-04-15 17:45 ` James Carter
@ 2026-04-21 12:45   ` Petr Lautrbach
  0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2026-04-21 12:45 UTC (permalink / raw)
  To: selinux; +Cc: James Carter, Vit Mojzis

James Carter <jwcart2@gmail.com> writes:

> On Mon, Feb 16, 2026 at 2:48 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>>
>> trans_context:
>> In case the raw context is not found in cache (find_in_hashtable returns
>> NULL) and the context does not contain a dash (dashp == NULL),
>> compute_trans_from_raw gets executed, but the translation (trans) gets
>> freed immediately after caching, at the end of the "for" loop.
>>
>> untrans_context:
>> Same as trans_context, if the translation is not cached and "range" does
>> not contain a dash, compute_raw_from_trans is called, but the
>> translation (raw) gets freed right after the reverse translation is
>> computed and cached.
>>
>> Also, fix the README for "nato" example and add README for "pipes"
>> example of setrans configuration.
>>
>> Fixes:
>>   Pipes/NATO examples from /usr/share/mcstrans/examples
>>
>>   $ /usr/share/mcstrans/util/mlstrans-test pipes.test
>> untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
>> untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
>> mlstrans-test done with 6 errors
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>

Merged.

>> ---
>>
>> While working on this patch, I also noticed that s0 is treated
>> differently in the mcstrans code (as also noted by [1] and [2]).
>> Could anyone help shed some light on the reason for this?
>>
>> Thank you.
>>
>> [1] - https://github.com/SELinuxProject/selinux/issues/191#issuecomment-566124541
>> [2] - https://lore.kernel.org/selinux/0f7263c2-b16e-2979-cc55-9454a402b6a4@gmail.com/
>>
>>  mcstrans/share/examples/nato/README  |  8 +++-----
>>  mcstrans/share/examples/pipes/README | 10 ++++++++++
>>  mcstrans/src/mcstrans.c              |  5 ++++-
>>  3 files changed, 17 insertions(+), 6 deletions(-)
>>  create mode 100644 mcstrans/share/examples/pipes/README
>>
>> diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
>> index b8b30bf7..7d75e0d6 100644
>> --- a/mcstrans/share/examples/nato/README
>> +++ b/mcstrans/share/examples/nato/README
>> @@ -1,12 +1,10 @@
>>  NATO example test setrans.conf
>>
>>  To use:
>> -mkdir /etc/selinux/mls/mcstrand.d
>> -cp rel.conf /etc/selinux/mls/mcstrand.d
>> -cp eyes-only.conf /etc/selinux/mls/mcstrand.d
>> -cp constraints.conf /etc/selinux/mls/mcstrand.d
>> +rm -f /etc/selinux/mls/setrans.d/*
>> +cp setrans.d/*  /etc/selinux/mls/setrans.d
>>  cp setrans.conf /etc/selinux/mls/setrans.conf
>> -sudo run_init /etc/init.d/mcstrans restart
>> +run_init /etc/init.d/mcstrans restart
>>
>>  To test:
>>  /usr/share/mcstrans/util/mlstrans-test nato.test
>> diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
>> new file mode 100644
>> index 00000000..3963d300
>> --- /dev/null
>> +++ b/mcstrans/share/examples/pipes/README
>> @@ -0,0 +1,10 @@
>> +PIPES example test setrans.conf
>> +
>> +To use:
>> +rm -f /etc/selinux/mls/setrans.d/*
>> +cp setrans.d/*  /etc/selinux/mls/setrans.d
>> +cp setrans.conf /etc/selinux/mls/setrans.conf
>> +run_init /etc/init.d/mcstrans restart
>> +
>> +To test:
>> +/usr/share/mcstrans/util/mlstrans-test pipes.test
>> diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
>> index f18f9da9..5ef6a0b9 100644
>> --- a/mcstrans/src/mcstrans.c
>> +++ b/mcstrans/src/mcstrans.c
>> @@ -1578,12 +1578,14 @@ trans_context(const char *incon, char **rcon) {
>>                         urange = dashp+1;
>>                 } else {
>>                         trans = compute_trans_from_raw(range, domain);
>> -                       if (trans)
>> +                       if (trans) {
>>                                 if (add_cache(domain, range, trans) < 0) {
>>                                         free(trans);
>>                                         free(range);
>>                                         return -1;
>>                                 }
>> +                               break;
>> +                       }
>>                 }
>>
>>                 if (lrange && urange) {
>> @@ -1728,6 +1730,7 @@ untrans_context(const char *incon, char **rcon) {
>>                                         free(raw);
>>                                         return -1;
>>                                 }
>> +                               break;
>>                         } else {
>>                                 log_debug("untrans_context unable to compute raw context %s\n", range);
>>                         }
>> --
>> 2.52.0
>>
>>

