
List:       busybox
Subject:    Re: [PATCH] selinux support on mkswap applet
From:       KaiGai Kohei <kaigai () ak ! jp ! nec ! com>
Date:       2008-04-25 10:32:01
Message-ID: 4811B321.7050002 () ak ! jp ! nec ! com

>> In addition, the above fgetfilecon_raw() should be replaced by fgetfilecon().
>>
>> Index: busybox/util-linux/mkswap.c
>> ===================================================================
>> --- busybox/util-linux/mkswap.c	(revision 21854)
>> +++ busybox/util-linux/mkswap.c	(working copy)
>> @@ -23,7 +23,7 @@
>>  		security_context_t oldcon = NULL;
>>  		context_t context;
>>
>> -		if (fgetfilecon_raw(fd, &oldcon) < 0) {
>> +		if (fgetfilecon(fd, &oldcon) < 0) {
>>  			if (errno != ENODATA)
>>  				goto error;
>>  			if (matchpathcon(path, stbuf.st_mode, &oldcon) < 0)
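Review bot: switching to the non-raw fgetfilecon() means oldcon now holds a translated context, so the setter that later consumes oldcon must also be the non-raw variant (fsetfilecon() rather than fsetfilecon_raw()), otherwise a translated string is written where raw text is expected; that call is outside this hunk, so please confirm it. The ENODATA fallback to matchpathcon(path, stbuf.st_mode, &oldcon) relies on oldcon still being NULL when fgetfilecon() fails, which holds because libselinux only sets the out-pointer on success.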
> 
> ok, will do this.
> What about the other _raw() calls? Why don't you use the normal calls
> there? Specifically:
> 
> libbb/update_passwd.c:  if (getprevcon_raw(&context) < 0)

The above one can be replaced by getprevcon().
The reason I used the _raw() version is to skip the translation between raw
and normal format, because we don't need the MLS part here.

The non-raw version of the API translates the MLS part of the given security
context into raw format, as follows:
   e.g)  root:object_r:var_log_t:Classified
           ->  root:object_r:var_log_t:s0:c0
                                       ^^^^^ MLS part

> selinux/setfiles.c:     ret = lgetfilecon_raw(my_file, &context);
> selinux/setfiles.c:     if (security_canonicalize_context_raw(context, &tmpcon)

They came from the original implementation of the setfiles command in the
policycoreutils package.
However, setfiles has to use the _raw version of the API, because it compares
the current security context of files against entries in the catalog files as
text in raw format.

I'm also unclear why it can link with the _raw version symbols.
I'll ask the libselinux developers. Please wait for a while.

Thanks,

> I may have missed additional occurrences of these.
> thanks,

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
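The raw/translated MLS distinction and the setfiles comparison concern discussed in the message above, as an added example that is not BusyBox or libselinux code; the translation table is constructed for the example and only mimics the role of mcstrans, and the field splitting assumes the user:role:type[:mls] layout shown in the thread.

```python
"""Raw vs. translated SELinux security contexts (added example).

libselinux's non-_raw calls pass the MLS field through mcstrans
(e.g. "s0:c0" <-> "Classified"); the _raw calls leave it untouched.
Tools such as setfiles compare on-disk labels against file_contexts
entries as raw text, so mixing the two forms makes equal labels differ.
"""

# Constructed translation table; stands in for mcstrans setrans.conf.
TRANS_TABLE = {
    "s0": "SystemLow",
    "s0:c0": "Classified",
    "s0-s0:c0": "SystemLow-Classified",
}
RAW_TABLE = {v: k for k, v in TRANS_TABLE.items()}


def split_context(ctx):
    """Split 'user:role:type[:mls]' into (user, role, type, mls).

    The MLS field may itself contain ':' (e.g. 's0:c0'), so only the
    first three fields are split off; mls is '' when absent.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else ""
    return user, role, type_, mls


def raw_to_trans(ctx):
    """Model of what the non-_raw getter calls return."""
    user, role, type_, mls = split_context(ctx)
    if not mls:
        return ctx
    return ":".join((user, role, type_, TRANS_TABLE.get(mls, mls)))


def trans_to_raw(ctx):
    """Undo the translation so a context can be compared as raw text."""
    user, role, type_, mls = split_context(ctx)
    if not mls:
        return ctx
    return ":".join((user, role, type_, RAW_TABLE.get(mls, mls)))


def contexts_match(on_disk, catalog_entry):
    """setfiles-style check: normalise both sides to raw before comparing."""
    return trans_to_raw(on_disk) == trans_to_raw(catalog_entry)
```

A plain string comparison of a translated label against a raw catalog entry fails even when they denote the same label; normalising both sides first is what makes the _raw calls necessary in setfiles.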