From: <ssm...@us...> - 2007-04-27 16:32:12
Revision: 2411 http://svn.sourceforge.net/selinux/?rev=2411&view=rev Author: ssmalley Date: 2007-04-27 09:32:08 -0700 (Fri, 27 Apr 2007) Log Message: ----------- Author: Dax Kelson Email: da...@gu... Subject: libselinux: helpful message when /selinux won't mount Date: Thu, 26 Apr 2007 14:07:47 -0600 Last night a co-worker was trying to do a Physical-2-Virtual (P2V) migration of a RHEL5 box. During bootup, the following not-so-helpful message was seen: "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now." I ran it down to the /selinux mount point not existing on the root filesystem, but the troubleshooting was more difficult than it should have been (it didn't help that it was 3am). Please consider the following trivial patch for inclusion into libselinux so that others may have an easier time if they happen into the same situation. Signed-off-by: Dax Kelson <da...@gu...> Acked-by: Stephen Smalley <sd...@ty...> =================================================================== Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2007-04-27 15:43:48 UTC (rev 2410) +++ trunk/libselinux/src/load_policy.c 2007-04-27 16:32:08 UTC (rev 2411) @@ -226,6 +226,7 @@ */ *enforce = 0; } + printf("Mount failed for selinuxfs on /selinux\n"); goto noload; } set_selinuxmnt(SELINUXMNT); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
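Review bot: the added line uses printf, so the message goes to stdout instead of stderr, hardcodes /selinux although SELINUXMNT is used two lines later, and gives no reason for the failure; suggest `fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));`. The message is also emitted unconditionally right after the `*enforce = 0;` branch, so it will fire on kernels where SELinux is disabled and the mount is expected to fail; printing it only in the else case avoids a spurious warning at every boot on such systems.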
From: <ssm...@us...> - 2007-04-27 16:37:52
Revision: 2413 http://svn.sourceforge.net/selinux/?rev=2413&view=rev Author: ssmalley Date: 2007-04-27 09:37:51 -0700 (Fri, 27 Apr 2007) Log Message: ----------- Tweak the error message a bit. Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2007-04-27 16:34:56 UTC (rev 2412) +++ trunk/libselinux/src/load_policy.c 2007-04-27 16:37:51 UTC (rev 2413) @@ -226,7 +226,7 @@ */ *enforce = 0; } - printf("Mount failed for selinuxfs on /selinux\n"); + fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); goto noload; } set_selinuxmnt(SELINUXMNT); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
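Review bot: strerror(errno) is evaluated after the `*enforce = 0;` branch rather than immediately after the failed mount, so any library call made in that branch can overwrite errno and the reported reason would be wrong; saving errno right after the mount() failure and printing the saved value keeps the message reliable. Style: the new fprintf line is well over 80 columns, so wrapping the format and arguments onto separate lines would match the rest of the file.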
From: <ssm...@us...> - 2007-11-20 18:47:06
Revision: 2689 http://selinux.svn.sourceforge.net/selinux/?rev=2689&view=rev Author: ssmalley Date: 2007-11-20 10:46:30 -0800 (Tue, 20 Nov 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: dlopen libsepol.so.1 rather than libsepol.so Date: Tue, 20 Nov 2007 11:22:31 -0500 James Morris noticed that libselinux was not downgrading the policy image to the kernel's policy version on a F8 system (when building a kernel with the version max option using the default of policy.19). I realized that this is most likely due to the fact that libselinux now dlopen's libsepol, and at present, it dlopen's libsepol.so rather than libsepol.so.1. This is similar to the problems encountered with procps dlopen'ing libselinux.so - the .so file lives in /usr/lib and is only installed by the -devel package, whereas the .so.1 file lives in /lib and is installed by the main package, so a user may not have a libsepol.so at all or it might not be mounted if /usr is a separate partition at initial policy load. So change it to dlopen libsepol.so.1 instead. Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2007-11-20 16:22:43 UTC (rev 2688) +++ trunk/libselinux/src/load_policy.c 2007-11-20 18:46:30 UTC (rev 2689) @@ -71,7 +71,7 @@ #ifdef SHARED char *errormsg = NULL; void *libsepolh = NULL; - libsepolh = dlopen("libsepol.so", RTLD_NOW); + libsepolh = dlopen("libsepol.so.1", RTLD_NOW); if (libsepolh) { usesepol = 1; dlerror(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
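Review bot: a failed dlopen of libsepol.so.1 stays silent: the `if (libsepolh)` branch has no else, so when the library is missing at early boot or its soname changes, usesepol remains 0 and policy downgrade quietly stops working, which is exactly the symptom that prompted this fix. Suggest reporting dlerror() to stderr in that case, and keeping the soname in a single macro so a future libsepol major-version bump is a one-line change that is hard to miss.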
From: <ssm...@us...> - 2008-02-05 21:17:12
Revision: 2789 http://selinux.svn.sourceforge.net/selinux/?rev=2789&view=rev Author: ssmalley Date: 2008-02-05 13:17:02 -0800 (Tue, 05 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: don't preservebools for Linux >= 2.6.22 Date: Tue, 05 Feb 2008 10:42:25 -0500 Since Linux >= 2.6.22 includes the logic to automatically preserve active boolean values across a policy reload, the libselinux load policy logic can check the kernel version and skip the userspace preservebools processing in that case. This is cleaner than introducing a config option to /etc/selinux/config, as it will auto-detect the support and fall back to the compatibility behavior for older kernels. Thus, this change does not change behavior for RHEL 5 or Debian etch. Signed-off-by: Stephen D. Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-05 18:59:53 UTC (rev 2788) +++ trunk/libselinux/src/load_policy.c 2008-02-05 21:17:02 UTC (rev 2789) @@ -3,6 +3,7 @@ #include <sys/stat.h> #include <sys/mman.h> #include <sys/mount.h> +#include <sys/utsname.h> #include <fcntl.h> #include <stdlib.h> #include <stdio.h> @@ -48,6 +49,7 @@ int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; char path[PATH_MAX], **names; struct stat sb; + struct utsname uts; size_t size; void *map, *data; int fd, rc = -1, *values, len, i, prot; 
@@ -129,6 +131,15 @@ minvers = vers_min(); } + + /* + * As of Linux 2.6.22, the kernel preserves boolean + * values across a reload, so we do not need to + * preserve them in userspace. + */ + if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) + preservebools = 0; + search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
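Review bot: strverscmp() is a GNU extension that needs _GNU_SOURCE and <string.h>; the hunk adds only <sys/utsname.h>, so please confirm the file already defines _GNU_SOURCE or the build will warn about an implicit declaration. Also, for a release such as "2.6.22-rc1", strverscmp(uts.release, "2.6.22") is positive because the longer string compares greater, so release candidates that may predate the kernel-side preservation are treated as having it; comparing only the leading numeric fields avoids that. Leaving preservebools set when uname() fails is the safe direction and worth keeping.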
From: <ssm...@us...> - 2008-02-06 18:57:03
Revision: 2792 http://selinux.svn.sourceforge.net/selinux/?rev=2792&view=rev Author: ssmalley Date: 2008-02-06 10:57:01 -0800 (Wed, 06 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: disable setlocaldefs if no local boolean or user files exist Date: Wed, 06 Feb 2008 10:26:32 -0500 If there are no local boolean or user files present, then the libselinux load policy logic can disable setlocaldefs early and thus avoid creating a writable mapping of the policy as well as avoiding the overhead of calling the sepol functions for manipulating local boolean and user files altogether. This is cleaner than changing the default for the config option, as it will fall back to compatibility behavior for older distributions. Thus, this change should not change behavior for RHEL 4. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-by: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-06 15:08:20 UTC (rev 2791) +++ trunk/libselinux/src/load_policy.c 2008-02-06 18:57:01 UTC (rev 2792) @@ -47,6 +47,7 @@ { int kernvers = security_policyvers(); int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; + int setlocaldefs = load_setlocaldefs; char path[PATH_MAX], **names; struct stat sb; struct utsname uts; 
@@ -131,13 +132,29 @@ minvers = vers_min(); } + /* + * Check whether we need to support local boolean and user definitions. + */ + if (setlocaldefs) { + if (access(selinux_booleans_path(), F_OK) == 0) + goto checkbool; + snprintf(path, sizeof path, "%s.local", selinux_booleans_path()); + if (access(path, F_OK) == 0) + goto checkbool; + snprintf(path, sizeof path, "%s/local.users", selinux_users_path()); + if (access(path, F_OK) == 0) + goto checkbool; + /* No local definition files, so disable setlocaldefs. */ + setlocaldefs = 0; + } +checkbool: /* * As of Linux 2.6.22, the kernel preserves boolean * values across a reload, so we do not need to * preserve them in userspace. */ - if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) + if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; search: @@ -158,7 +175,7 @@ goto close; prot = PROT_READ; - if (load_setlocaldefs || preservebools) + if (setlocaldefs || preservebools) prot |= PROT_WRITE; size = sb.st_size; @@ -195,7 +212,7 @@ } if (usesepol) { - if (load_setlocaldefs) { + if (setlocaldefs) { void *olddata = data; size_t oldsize = size; rc = genusers(olddata, oldsize, selinux_users_path(), @@ -228,7 +245,7 @@ free(names[i]); free(names); } - } else if (load_setlocaldefs) { + } else if (setlocaldefs) { (void)genbools(data, size, (char *)selinux_booleans_path()); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
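Review bot: if access() fails for a reason other than ENOENT (a permission problem, or /etc not mounted yet), setlocaldefs is silently set to 0 and any local booleans or users are ignored for this load; checking errno == ENOENT before disabling, or logging the failure to stderr, keeps that fallback visible. Two style points: the new snprintf calls use `sizeof path` while the same function uses `sizeof(path)` below at `search:`, and the label `checkbool:` now sits in front of the kernel-version check for preservebools rather than any boolean check, so a name like `localdefs_done:` would describe it better.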
From: <ssm...@us...> - 2008-02-08 16:13:43
Revision: 2796 http://selinux.svn.sourceforge.net/selinux/?rev=2796&view=rev Author: ssmalley Date: 2008-02-08 08:12:29 -0800 (Fri, 08 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: provide more error reporting on load policy failures Date: Thu, 07 Feb 2008 14:31:06 -0500 Provide more error reporting on load policy failures. John Reiser has previously encountered failures where it would have helped to see the policy file, and David Quigley recently noted that no output is provided by init in the case where policy cannot be loaded and the system is in permissive mode. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-by: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-07 22:07:27 UTC (rev 2795) +++ trunk/libselinux/src/load_policy.c 2008-02-08 16:12:29 UTC (rev 2796) @@ -46,7 +46,7 @@ int selinux_mkload_policy(int preservebools) { int kernvers = security_policyvers(); - int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; + int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; int setlocaldefs = load_setlocaldefs; char path[PATH_MAX], **names; struct stat sb; @@ -128,7 +128,7 @@ #endif if (usesepol) { - vers = vers_max(); + maxvers = vers_max(); minvers = vers_min(); } @@ -157,6 +157,7 @@ if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; + vers = maxvers; search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); 
@@ -168,11 +169,19 @@ selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); } - if (fd < 0) + if (fd < 0) { + fprintf(stderr, + "SELinux: Could not open policy file <= %s.%d: %s\n", + selinux_binary_policy_path(), maxvers, strerror(errno)); goto dlclose; + } - if (fstat(fd, &sb) < 0) + if (fstat(fd, &sb) < 0) { + fprintf(stderr, + "SELinux: Could not stat policy file %s: %s\n", + path, strerror(errno)); goto close; + } prot = PROT_READ; if (setlocaldefs || preservebools) @@ -180,8 +189,12 @@ size = sb.st_size; data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) + if (map == MAP_FAILED) { + fprintf(stderr, + "SELinux: Could not map policy file %s: %s\n", + path, strerror(errno)); goto close; + } if (vers > kernvers && usesepol) { /* Need to downgrade to kernel-supported version. */ @@ -200,6 +213,9 @@ if (policydb_set_vers(policydb, kernvers) || policydb_to_image(NULL, policydb, &data, &size)) { /* Downgrade failed, keep searching. */ + fprintf(stderr, + "SELinux: Could not downgrade policy file %s, searching for an older version.\n", + path); policy_file_free(pf); policydb_free(policydb); munmap(map, sb.st_size); @@ -254,6 +270,11 @@ rc = security_load_policy(data, size); + + if (rc) + fprintf(stderr, + "SELinux: Could not load policy file %s: %s\n", + path, strerror(errno)); unmap: if (data != map) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
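Review bot: in the `fd < 0` hunk the strerror(errno) printed is from the last open() in the search loop, i.e. the lowest version tried, so an EACCES or EIO on the highest-version file is masked by an ENOENT for an old version that never existed; recording the errno of the first failure, or naming the last path actually attempted, would make the message more useful. The downgrade message would also benefit from including the version being attempted (`vers`) next to the path, and the final `if (rc)` message assumes security_load_policy() leaves errno from the failed write intact, which is worth confirming.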
From: <ssm...@us...> - 2008-03-20 20:01:15
Revision: 2853 http://selinux.svn.sourceforge.net/selinux/?rev=2853&view=rev Author: ssmalley Date: 2008-03-20 11:59:05 -0700 (Thu, 20 Mar 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: don't warn about failed selinuxfs mount if selinux disabled Date: Wed, 19 Mar 2008 09:12:20 -0400 Do not warn about a failed mount of selinuxfs if selinux was disabled in the kernel (either at compile-time or at boot via selinux=0). Based on a diff in the Debian libselinux package, reformatted for coding style. Signed-off-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-03-18 20:36:20 UTC (rev 2852) +++ trunk/libselinux/src/load_policy.c 2008-03-20 18:59:05 UTC (rev 2853) @@ -369,8 +369,11 @@ * commandline enforcing setting. */ *enforce = 0; + } else { + /* Only emit this error if selinux was not disabled */ + fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); } - fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); + goto noload; } set_selinuxmnt(SELINUXMNT); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
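Review bot: the `-`/`+` pair that removes the old fprintf replaces it with an empty line, leaving a stray blank line before `goto noload;`; drop the added blank. In the new else branch strerror(errno) is evaluated after the disabled-SELinux test, so that test must not touch errno for the reported reason to be right; capturing errno immediately after the failed mount() removes the dependency. The comment could also state which condition counts as disabled (compile-time or selinux=0) as the commit message does.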
From: <ssm...@us...> - 2008-04-18 13:52:30
Revision: 2863 http://selinux.svn.sourceforge.net/selinux/?rev=2863&view=rev Author: ssmalley Date: 2008-04-18 06:50:58 -0700 (Fri, 18 Apr 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: upstart/SELinux problem loading the wrong policy with kernel version change Date: Tue, 08 Apr 2008 09:29:46 -0400 If we are not setting local definitions or preserving booleans, then the maximum policy version for load can be the max of the kernel-supported version and the libsepol-supported version since we do not need to manipulate the policy image prior to load. Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-04-18 13:48:24 UTC (rev 2862) +++ trunk/libselinux/src/load_policy.c 2008-04-18 13:50:58 UTC (rev 2863) @@ -43,6 +43,9 @@ int load_setlocaldefs hidden = 1; +#undef max +#define max(a, b) (((a) > (b)) ? (a) : (b)) + int selinux_mkload_policy(int preservebools) { int kernvers = security_policyvers(); @@ -127,11 +130,6 @@ #endif - if (usesepol) { - maxvers = vers_max(); - minvers = vers_min(); - } - /* * Check whether we need to support local boolean and user definitions. */ @@ -157,6 +155,13 @@ if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; + if (usesepol) { + maxvers = vers_max(); + minvers = vers_min(); + if (!setlocaldefs && !preservebools) + maxvers = max(kernvers, maxvers); + } + vers = maxvers; search: snprintf(path, sizeof(path), "%s.%d", This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
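Review bot: when setlocaldefs or preservebools is still set, maxvers stays at vers_max(), so on a kernel newer than libsepol the loader still silently selects the older policy file, which is the symptom in the subject; printing a notice to stderr when kernvers > vers_max() and the cap applies would make that visible in the boot log instead of leaving the mismatch to be discovered later. Style: a function-like `max` macro that must be #undef'd first in a .c file shadows any system definition and double-evaluates its arguments; a static inline helper is safer, even though the arguments here are plain ints.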