Menu
▾
▴
[Selinux-commits] SF.net SVN: selinux: [2821] trunk/libselinux/src
|
From: <ssm...@us...> - 2008-02-28 20:38:16
|
Revision: 2821
http://selinux.svn.sourceforge.net/selinux/?rev=2821&view=rev
Author: ssmalley
Date: 2008-02-28 12:38:11 -0800 (Thu, 28 Feb 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: libselinux does not work properly in upstart/initrd
Date: Thu, 28 Feb 2008 14:35:48 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stephen Smalley wrote:
> On Thu, 2008-02-28 at 13:48 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
>>>> On Thu, 2008-02-28 at 12:33 -0500, Daniel J Walsh wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=434793
>>>>>
>>>>> The way the upstart initrd works is to run nash with a builtin
>>>>> loadpolicy. The problem is nash starts before the /sysmount files
>>>>> system is mounted, so libselinux does not have an /etc/selinux/config to
>>>>> read. It defaults to targeted. So when nash finally executes
>>>>> loadpolicy (selinux_init_load_policy) it has the wrong config.
>>>>> Switching to any other type of policy will fail and
>>>>> selinux_init_load_policy will look for targeted.
>>>>>
>>>>> I changed this function to reload the config, to fix this problem.
>>>>>
>>>>> I think I did all the hidden stuff correctly. I don't think we want to
>>>>> expose these functions.
>>>> To make a function hidden, just mark it with hidden.
>>>> hidden_def and hidden_proto are about creating a private definition
>>>> within the library for intra-library calls that do not cause a
>>>> relocation, not about hiding the definition altogether.
>>>>
> So the hidden_def and hidden_proto lines can be removed as login as the
> extern hidden remains.
>>>> Concerns about this patch:
>>>> - it isn't thread safe,
> selinux_init_load_policy should not be called repeatedly, or probably
> from a threaded app.
>>>> - it only "fixes" the load policy case, not any other libselinux
>>>> function call.
> Well this is a very strange occurrance where the config is not there and
> then when the function gets called, it is there.
>
>> Fair enough - we can just handle this specific case then.
>> I'd suggest a single reset_selinux_config() or similar function added to
>> src/selinux_config.c that does the fini_ and init_ calls internally, and
>> then call that single function from load policy.
New simplified patch to reset the selinux_config.
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/load_policy.c
trunk/libselinux/src/selinux_config.c
trunk/libselinux/src/selinux_internal.h
Modified: trunk/libselinux/src/load_policy.c
===================================================================
--- trunk/libselinux/src/load_policy.c 2008-02-28 15:40:04 UTC (rev 2820)
+++ trunk/libselinux/src/load_policy.c 2008-02-28 20:38:11 UTC (rev 2821)
@@ -309,6 +309,13 @@
char *buf;
/*
+ * Reread the selinux configuration in case it has changed.
+ * Example: Caller has chroot'd and is now loading policy from
+ * chroot'd environment.
+ */
+ reset_selinux_config();
+
+ /*
* Get desired mode (disabled, permissive, enforcing) from
* /etc/selinux/config.
*/
Modified: trunk/libselinux/src/selinux_config.c
===================================================================
--- trunk/libselinux/src/selinux_config.c 2008-02-28 15:40:04 UTC (rev 2820)
+++ trunk/libselinux/src/selinux_config.c 2008-02-28 20:38:11 UTC (rev 2821)
@@ -223,6 +223,12 @@
selinux_policytype = NULL;
}
+void reset_selinux_config(void)
+{
+ fini_selinux_policyroot();
+ init_selinux_config();
+}
+
static const char *get_path(int idx)
{
return file_paths[idx];
Modified: trunk/libselinux/src/selinux_internal.h
===================================================================
--- trunk/libselinux/src/selinux_internal.h 2008-02-28 15:40:04 UTC (rev 2820)
+++ trunk/libselinux/src/selinux_internal.h 2008-02-28 20:38:11 UTC (rev 2821)
@@ -80,6 +80,7 @@
hidden_proto(security_get_initial_context);
hidden_proto(security_get_initial_context_raw);
+extern void reset_selinux_config(void) hidden;
extern int load_setlocaldefs hidden;
extern int require_seusers hidden;
extern int selinux_page_size hidden;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
