libselinux question for httpd

Ivan Gyurdiev ivg2 at cornell.edu
Thu Nov 3 15:45:27 UTC 2005


Stephen Smalley wrote:
> On Thu, 2005-11-03 at 10:05 -0500, Ivan Gyurdiev wrote:
>   
>> Chances are that if something's possible without a warning, someone will 
>> eventually do it...
>> Also, it seems rather confusing to me to have two data structures for 
>> the same thing
>> (not to mention the 2+ other ones used in sepol/semanage).
>>     
>
> Hysterical raisins, er historical reasons.
>   
Someone should write a bug, er...book on the history of SELinux...
It's fascinating how much code exists purely for historical 
considerations :)
> The separate context structure type was introduced to allow
> security-aware applications to further manipulate the individual fields
> without needing to know the internal format of the string.  Naturally,
> you can extract the string from the structure, so one could have then
> replaced all direct uses of the string with the struct, but I don't
> think that would be optimal; plenty of applications only want to deal
> with the string.  ls -Z, ps -Z, mkdir -Z, ...
>   
So, there should be convert functions to go from one to the other, and the
library interfaces should work with the opaque structure, not with the 
string. 
Anyway, I'm not volunteering to do this right now - just making some 
observations.
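As an added example, not code from the original thread and not libselinux itself, here is a standalone C sketch of the pattern Stephen describes and Ivan asks for: an opaque context structure, convert functions in both directions, and field setters that let a security-aware application change one component without knowing the layout of the flat string. The names used here (ctx_new, ctx_str, ctx_type_set, ctx_free and friends) are mine and deliberately differ from libselinux's context_new/context_str/context_type_set/context_free, whose shape this mirrors but whose implementation it does not reproduce; the context strings in main() are constructed for the demonstration.

```c
/*
 * Standalone illustration of an opaque security-context structure with
 * string <-> struct conversion.  NOT libselinux: it only mirrors the shape
 * of the context_t API so it compiles and runs without the library.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ctx *ctx_t;      /* opaque handle; callers never see the fields */

struct ctx {
    char *user, *role, *type;
    char *range;                /* NULL when there is no MLS/MCS component */
    char *str;                  /* cached flat string, rebuilt after a setter */
};

void ctx_free(ctx_t c)
{
    if (!c) return;
    free(c->user); free(c->role); free(c->type); free(c->range); free(c->str);
    free(c);
}

static char *dup_n(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Parse "user:role:type[:range]".  Returns NULL for anything malformed so a
 * bad string never becomes a half-built context: at least three components,
 * none empty.  Everything after the third ':' is the range, which may itself
 * contain ':' (e.g. "s0-s0:c0.c1023"). */
ctx_t ctx_new(const char *s)
{
    const char *field[3], *start = s, *colon;
    size_t len[3];
    ctx_t c;

    if (!s) return NULL;
    for (int i = 0; i < 3; i++) {
        colon = strchr(start, ':');
        if (i < 2 && !colon) return NULL;          /* fewer than user:role:type */
        field[i] = start;
        len[i] = colon ? (size_t)(colon - start) : strlen(start);
        if (len[i] == 0) return NULL;              /* empty component */
        start = colon ? colon + 1 : NULL;
    }
    if (start && *start == '\0') return NULL;      /* trailing ':' with no range */

    c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->user = dup_n(field[0], len[0]);
    c->role = dup_n(field[1], len[1]);
    c->type = dup_n(field[2], len[2]);
    c->range = start ? dup_n(start, strlen(start)) : NULL;
    if (!c->user || !c->role || !c->type || (start && !c->range)) {
        ctx_free(c);
        return NULL;
    }
    return c;
}

const char *ctx_user_get(ctx_t c)  { return c ? c->user  : NULL; }
const char *ctx_role_get(ctx_t c)  { return c ? c->role  : NULL; }
const char *ctx_type_get(ctx_t c)  { return c ? c->type  : NULL; }
const char *ctx_range_get(ctx_t c) { return c ? c->range : NULL; }

/* Shared setter.  A ':' inside user/role/type is rejected because it would
 * shift every later field when the context is flattened back to a string. */
static int set_field(ctx_t c, char **slot, const char *v, int allow_colon)
{
    char *d;
    if (!v || !*v || (!allow_colon && strchr(v, ':'))) return -1;
    d = dup_n(v, strlen(v));
    if (!d) return -1;
    free(*slot); *slot = d;
    free(c->str); c->str = NULL;       /* invalidate the cached flat string */
    return 0;
}
int ctx_user_set(ctx_t c, const char *v)  { return c ? set_field(c, &c->user, v, 0) : -1; }
int ctx_role_set(ctx_t c, const char *v)  { return c ? set_field(c, &c->role, v, 0) : -1; }
int ctx_type_set(ctx_t c, const char *v)  { return c ? set_field(c, &c->type, v, 0) : -1; }
int ctx_range_set(ctx_t c, const char *v) { return c ? set_field(c, &c->range, v, 1) : -1; }

/* Convert back to the flat string; owned by the context, valid until the
 * next setter call or ctx_free(). */
const char *ctx_str(ctx_t c)
{
    size_t n;
    if (!c) return NULL;
    if (c->str) return c->str;
    n = strlen(c->user) + strlen(c->role) + strlen(c->type) + 3
        + (c->range ? strlen(c->range) + 1 : 0);
    c->str = malloc(n);
    if (!c->str) return NULL;
    if (c->range)
        snprintf(c->str, n, "%s:%s:%s:%s", c->user, c->role, c->type, c->range);
    else
        snprintf(c->str, n, "%s:%s:%s", c->user, c->role, c->type);
    return c->str;
}

int main(void)
{
    ctx_t c = ctx_new("system_u:system_r:httpd_t:s0");     /* constructed sample */
    if (!c) return 1;
    ctx_type_set(c, "httpd_sys_script_t");   /* caller never touches the string */
    printf("%s\n", ctx_str(c));
    printf("reject bad type: %d\n", ctx_type_set(c, "evil:type"));
    ctx_free(c);
    return 0;
}
```

The two checks worth keeping from this sketch are the ones that make the struct safer than the raw string: ctx_new() refuses a string with missing or empty components rather than returning a partially filled structure, and the setters refuse a value containing ':' in the first three fields, so a label taken from untrusted input cannot smuggle an extra component into the string that ctx_str() later hands to the kernel.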
More information about the fedora-selinux-list mailing list