Commit Graph

63 Commits

Author SHA1 Message Date
Yuri Chornoivan
f032946cf9 Fix minor typos
Signed-off-by: Yuri Chornoivan <yurchor@ukr.net>
2018-06-30 20:28:25 +02:00
Marcus Folkesson
b24980ec07 libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
Christian Göttsche
d1ff68ffee libselinux: add security_get_checkreqprot
Add security_get_checkreqprot() function, returning the current active
checkreqprot value
2017-05-08 12:44:07 -04:00
Richard Haines
454768f56d setfiles: Fix setfiles progress indicator
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.

The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%

Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.

The documentation has also been updated to reflect these changes.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-01-27 09:39:22 -05:00
Nicolas Iooss
6c853f3fb9 libselinux: fix argument order in get_default_context_with_rolelevel() doc
libselinux/src/get_context_list.c defines

    get_default_context_with_rolelevel(user, role, level...

libselinux/utils/getdefaultcon.c uses

    get_default_context_with_rolelevel(seuser, role, level...

but libselinux/include/selinux/get_context_list.h declares

    get_default_context_with_rolelevel(user, level, role...

and libselinux/man/man3/get_ordered_context_list.3 follows this
declaration.

Fix the header and the man page.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 11:52:41 -05:00
Janis Danisevskis
6dd85b9e0e libselinux: android: fix lax service context lookup
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.

This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-29 09:59:44 -04:00
Richard Haines
2d814ff4c7 libselinux: Add function to find security.restorecon_last entries
This patch adds a new selinux_restorecon_xattr(3) function to find
and/or remove security.restorecon_last entries added by setfiles(8)
or restorecon(8).

Also review and update the man pages.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-09-26 14:05:54 -04:00
Jason Zaman
09d99e8bec libselinux: Add openrc_contexts functions
The file will initially contain:
run_init=run_init_t
There can not be any spaces around the = since OpenRC's existing config
files and the methods it uses require it.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-09-22 13:27:45 -04:00
Richard Haines
f2e77865e1 libselinux: Add setfiles support to selinux_restorecon(3)
Add additional error handling, flags, xdev handling, alt_rootpath and
add/remove non-seclabel fs's to support setfiles(8), restorecon(8)
and restorecond(8) functionality.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:33:55 -04:00
Richard Haines
d4a46eec3f libselinux: Evaluate inodes in selinux_restorecon(3)
This patch adds inode evaluation services from policycoreutiles/setfiles
to selinux_restorecon.c

The overall objective is to modify restorecon(8) and setfiles(8)
to use selinux_restorecon(3) services.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-08-11 14:33:51 -04:00
Petr Lautrbach
b2c1b0baaf libselinux: add selinux_snapperd_contexts_path()
Snapper needs a way how to set a proper selinux context on btrfs
subvolumes originating in snapshot create command. Fs can't handle it on
its own so snapper will enforce .snapshots subvolume relabeling
according to a file returned by selinux_snapperd_contexts_path().

The format of the file will be similar to other contexts file:

snapperd_data = system_u:object_r:snapperd_data_t:s0

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1247530
https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-06-23 12:51:23 -04:00
Richard Haines
bdd4e6d2b1 libselinux: Add selinux_restorecon function
The selinux_restorecon(3) man page details this function.

It has been built using the work from Android where an SHA1 hash
of the specfiles is held in an extended attribute to enhance
performance. Also contains components from policycoreutils/setfiles.

The utils/selinux_restorecon.c utility demonstrates the functionality.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-02-17 09:12:50 -05:00
Petr Lautrbach
554f75b4ee libselinux: Don't wrap rpm_execcon with DISABLE_RPM
a2737333 commit introduced a possibility to build libselinux without
rpm_execcon() when DISABLE_RPM is set. However, it didn't cover SWIG
bindings. With this commit the rpm_execcon() bindings are not created.

Fixes:
ImportError: /usr/lib64/python3.5/site-packages/selinux/_selinux.so: undefined symbol: rpm_execcon
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-12-17 08:56:01 -05:00
Richard Haines
e40bbea95f libselinux: Add selabel_digest function
selabel_digest(3) if enabled by the SELABEL_OPT_DIGEST option during
selabel_open(3) will return an SHA1 digest of the spec files, plus
a list of the specfiles used to calculate the digest. There is a
test utility supplied that will demonstrate the functionality.

The use case for selabel_digest(3) is to implement an selinux_restorecon
function based on the Android version that writes a hash of the
file_contexts files to an extended attribute to enhance performance
(see external/libselinux/src/android.c selinux_android_restorecon()).

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-10-13 17:13:24 -04:00
Stephen Smalley
6f295008ef libselinux: add selabel_cmp interface and label_file backend
Add a selabel_cmp() interface for comparing two label configurations,
and implement it for the file backend (i.e. for file_contexts). This
allows comparing two file_contexts configurations to see if the first
is a subset of, equal/identical to, a superset of, or incomparable to
the second.  The motivating use case is to allow comparing two
file_contexts.bin files in Android CTS to confirm that a device
file_contexts.bin file contains all of the entries in the AOSP
general file_contexts.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-06 11:34:00 -04:00
Richard Haines
f2cd2f821f libselinux: Add const to selinux_opt for label backends.
Change selabel_open and label backends to take a
'const struct selinux_opt' argument. This work has already
been done for the Android version components.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-07-10 12:30:09 -04:00
Petr Lautrbach
8d7c2854c5 libselinux: add selinux_openssh_contexts_path()
openssh in Fedora uses "sshd_net_t" type for privilege separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both type are hardcoded what is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get a correct types prepared by a distribution or an administrator.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-05-21 13:11:36 -04:00
Richard Haines
e7f970ffd1 libselinux: Add selabel partial and best match APIs
Add support for new API functions selabel_partial_match and
selabel_lookup_best_match ported from the Android libselinux
fork.

Add supporting man(3) pages and test utilities: selabel_lookup,
selabel_lookup_best_match and selabel_partial_match.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-06 11:58:44 -04:00
Stephen Smalley
76913d8adb Deprecate use of flask.h and av_permissions.h.
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.

This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector).  Ho hum.  I already fixed this in Android but forgot it
here.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-09 13:49:18 -04:00
Artyom Smirnov
056efe85d6 Add db_exception and db_datatype support to label_db backend
Hi,

in https://github.com/TresysTechnology/refpolicy/pull/1 db_exception
and db_datatype were added to reference policy. This small patch
extends ability of label_db backend to work with these objects.

Regards.
2014-06-26 10:51:15 -04:00
Stephen Smalley
9eb9c93275 Get rid of security_context_t and fix const declarations.
In attempting to enable building various part of Android with -Wall -Werror,
we found that the const security_context_t declarations in libselinux
are incorrect; const char * was intended, but const security_context_t
translates to char * const and triggers warnings on passing
const char * from the caller.   Easiest fix is to replace them all with
const char *.  And while we are at it, just get rid of all usage of
security_context_t itself as it adds no value - there is no true
encapsulation of the security context strings and callers already
directly use string functions on them.  typedef left to permit
building legacy users until such a time as all are updated.

This is a port of Change-Id I2f9df7bb9f575f76024c3e5f5b660345da2931a7
from Android, augmented to deal with all of the other code in upstream
libselinux and updating the man pages too.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
2014-02-19 16:11:48 -05:00
Guillem Jover
a2737333c7 libselinux: Refactor rpm_execcon() into a new setexecfilecon()
This new function allows a process to invoke helper programs with
a new execution context based on the filename, this is initially
intended for package managers so that they can easily execute
package scriptlets or maintainer scripts.

Base rpm_execcon() off this new function.

Signed-off-by: Guillem Jover <guillem@debian.org>
2014-01-06 14:06:03 -05:00
Colin Walters
d24fb6834d selinux_set_mapping: Document it
This patch may not actually be useful since there's a man page.
2013-11-07 15:43:54 -05:00
Stephen Smalley
f458b76076 Merge branch 'fedora' into master-merge
Conflicts:
	libselinux/src/Makefile
	libselinux/src/selinux_config.c
	policycoreutils/audit2allow/audit2allow.1
	policycoreutils/scripts/fixfiles.8
	policycoreutils/semanage/semanage.8
	policycoreutils/sepolicy/Makefile
	policycoreutils/sepolicy/sepolicy/transition.py
	policycoreutils/setsebool/setsebool.8
2013-10-24 15:24:17 -04:00
Dan Walsh
7eec00a5be Add selinux_current_policy_path, which returns the a pointer to the loaded policy
Also change audit2why to look at the loaded policy rather then searching on disk for
the policy file.  It is more likely that you are examining the running policy.
2013-10-24 13:58:38 -04:00
Dan Walsh
851266c180 define SELINUX_TRANS_DIR in selinux.h
I wanted to separate this directory out in order for a new patch to mcstransd to watch
this directory for newly created files, which it could then translate.

The idea is libvirt would write to /var/run/setrans/c0:c1,c2 with the contents of vm1, then
setrans could translate the processes to show system_u:system_r:svirt_t:vm1
2013-10-24 13:58:37 -04:00
Dan Walsh
ce2a8848ad Add selinux_systemd_contexts_path
systemd has some internal contexts like generated systemd unit files
that we want to allow it to check against processes trying to manage them.
2013-10-24 13:58:37 -04:00
Dan Walsh
7fe6036ca5 Add selinux_set_policy_root sets an alternate policy root directory path
This allows us to specify under which the compiled policy file and context configuration
files exist. We can use this with matchpathcon to check the labels under alternate policies,
and we can use it for sepolicy manpage to build manpages during policy build.
2013-10-24 13:58:37 -04:00
Stephen Smalley
39b5a40295 Fix relabel target.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 12:44:30 -04:00
Sven Vermeulen
32e76a314e Current stable policycoreutils requires selinux_current_policy_path
Without this fix, stolen from Fedora's patchset, recent policycoreutils
just fails.

See http://marc.info/?t=136926404600001&r=1&w=2 and
see http://marc.info/?l=selinux&m=136692033821285&w=2

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-10-16 14:57:02 -04:00
rhatdan
13b599d7b8 libselinux: mode_to_security_class: interface to translate a mode_t in to a security class
coreutils needs to be able to take a statbuf and ask permissions
questions.  This gives us the interface to translate that statbuf mode_t
into a security class which can be used.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:40 -05:00
Dan Walsh
ee6901618c libselinux: expose selinux_boolean_sub
Make selinux_boolean_sub a public method so getsebool can use it, as well as
potentially used within libsemanage.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 13:15:00 -04:00
Eric Paris
88c3524153 libselinux: boolean name equivalency
Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 13:14:25 -04:00
Dan Walsh
c802d4a6d5 libselinux: Add support for lxc_contexts_path
In order for lxc to look up its process and file labels we add new
libselinux support.  This is what we do for everything else, like
libvirt, seposgresql, etc.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 12:16:09 -04:00
rpcraig
cfc492cf11 libselinux: New Android property labeling backend
This is already in the android repo.  This is here to prevent potential
conflicts of the selabel indices, and possibly with an eye toward an eventual
reunification of the two libselinuxes down the road.

Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 11:21:16 -04:00
Kohei KaiGai
2b5a0530e7 libselinux: security_compute_create_name(3)
I'd like to use this interface to implement special case handling
for the default labeling behavior on temporary database objects.  Allow
userspace to use the filename_trans rules added to policy.

Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2012-03-28 14:52:14 -04:00
Dan Walsh
46d294f645 libselinux: Update Makefiles to handle /usrmove
Move everything into /usr/* and just put links from /*.  The whole /usr
thing hasn't really worked in all situations for a long long time.  Just
accept that fact and move along.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Daniel P. Berrange
bcdf92aac4 libselinux: Change annotation on include/selinux/avc.h to avoid upsetting SWIG
The earlier patch to avc.c put the struct member annotation at
the end of the line, which works fine for GCC, but upsets SWIG.
Equivalent code in selinux.h demonstrates how to place the
annotation without upsetting SWIG.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Daniel P. Berrange
57928fa1fd libselinux: Add more printf format annotations
The public avc.h file must use a printf annotation in the struct
callback members, otherwise application code will get compiler
warnings that the method should have an annotation set.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:12 -04:00
Daniel P. Berrange
b82b7e02df libselinux: Fix const-correctness
* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take
  a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:12 -04:00
Eric Paris
2b06f47400 libselinux: rename and export symlink_realpath
symlink_realpath is used by both libselinux and policycoreutils.
Instead of coding it twice, export the libselinux version under a new
name that makes it sound more generic.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:11 -04:00
Dan Walsh
9c46a0a315 libselinux: simple interface for access checks
Some programs, like passwd, need to do simeple one time access checks.
Rather than set up a full avc cache and use that infrastructure they
were directly using security_compute_av.  A problem with this approach
is the lack of audit on denials.  This patch creates a new interface
that is simple to use and which will still listen to things like
permissive and output audit messages on denials.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:10 -04:00
Eric Paris
b3b19fdce5 libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist
Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist.  We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux.  Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV.  The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all.  If it doesn't exist, that's equivalent to
ENODEV.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:10 -04:00
Guido Trentalancia
eb695e5a56 whole tree: default make target to all not install
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:04 -04:00
Richard Haines
bc1a8e2a4a libselinux: selinux_file_context_verify function returns wrong value.
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.

The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.

I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.

[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:27:51 -04:00
Daniel J Walsh
20b43b3fd3 This patch adds a new subs_dist file.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The idea is to allow distributions to ship a subs file as well as let
the user modify subs.

In F16 we are looking at shipping a

file_contexts.subs_dist file like this

cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib

The we will remove all (64)?  from policy.

This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6
QT0An0ihA60di9CRsEqEdVbSaHOwtte5
=LXgd
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-08 10:28:02 -04:00
Daniel J Walsh
1629d2f89a This patch cleans up a couple of crashes caused by libselinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.

systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.

The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called.  This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-04-08 10:22:17 -04:00
KaiGai Kohei
c4737c2e32 add db_language support on label_db.c
The attached patch add support db_language object class
to the selabel_lookup(_raw) interfaces.
It is needed to inform object manager initial label of
procedural language object.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-03-23 08:53:13 -04:00
KaiGai Kohei
bc2a8f418e libselinux: add selinux_status_* interfaces for /selinux/status
The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.

selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.

Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().

It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2011-03-01 11:21:19 -05:00
KaiGai Kohei
6a17cfaafc Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: libselinux APIs should take "const" qualifier?
Date: Tue, 23 Mar 2010 11:56:36 +0900

(2010/03/19 22:32), Stephen Smalley wrote:
> On Fri, 2010-03-19 at 16:52 +0900, KaiGai Kohei wrote:
>> Right now, security_context_t is an alias of char *, declared in selinux.h.
>>
>> Various kind of libselinux API takes security_context_t arguments,
>> however, it is inconvenience in several situations.
>>
>> For example, the following query is parsed, then delivered to access
>> control subsystem with the security context as "const char *" cstring.
>>
>>    ALTER TABLE my_tbl SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:SystemHigh';
>>                  const char *<----    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> In this case, we want to call selinux_trans_to_raw_context() to translate
>> the given security context into raw format. But it takes security_context_t
>> argument for the source context, although this pointer is read-only.
>> In the result, compiler raises warnings because we gave "const char *" pointer
>> into functions which take security_context_t (= char *).
>>
>> Any comments?
>>
>> It seems to me the following functions' prototype should be qualified by
>> "const".
>
> That seems reasonable and should have no impact on library ABI.
> On the other hand, others have pointed out that security_context_t is
> not a properly encapsulated data type at all, and perhaps should be
> deprecated and replaced with direct use of char*/const char* throughout.
>
> There are other library API issues as well that have come up in the
> past, such as lack of adequate namespacing (with approaches put forth),
> but we don't ever seem to get a round tuit.

At first, I tried to add const qualifiers read-only security_context_t
pointers, but didn't replace them by char */const char * yet, right now.

BTW, I could find out the following code:

  int security_compute_create(security_context_t scon,
                              security_context_t tcon,
                              security_class_t tclass,
                              security_context_t * newcon)
  {
          int ret;
          security_context_t rscon = scon;
          security_context_t rtcon = tcon;
          security_context_t rnewcon;

          if (selinux_trans_to_raw_context(scon, &rscon))
                  return -1;
          if (selinux_trans_to_raw_context(tcon, &rtcon)) {
                  freecon(rscon);
                  return -1;
          }
      :

In this case, scon and tcon can be qualified by const, and the first
argument of selinux_trans_to_raw_context() can take const pointer.
But it tries to initialize rscon and tscon by const pointer, although
these are used to store raw security contexts.
The selinux_trans_to_raw_context() always set dynamically allocated
text string on the second argument, so we don't need to initialize it
anyway. I also removed these initializations in this patch.

Does the older mcstrans code could return without allocation of raw
format when the given scon is already raw format? I don't know why
these are initialized in this manner.

Thanks.
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-14 15:21:51 -04:00