libselinux question for httpd

Stephen Smalley sds at tycho.nsa.gov
Fri Nov 4 13:59:30 UTC 2005


On Thu, 2005-11-03 at 11:15 -0500, Ivan Gyurdiev wrote:
> >
> > I don't think so.  Consider:  today, ls can call getfilecon(), which
> > internally performs a getxattr(), which returns the string stored in the
> > attribute value, and returns it back to ls for display to the user.  Why
> > force that process to go through an extra conversion to struct and back
> > for no reason?
> >   
> You could still store it as a string, instead of piecewise, and then 
> extract fields on demand, when set() or get() is called. Then the 
> conversion can be done as a cast for users that want the whole string. 
> Anyway I haven't thought much about this problem, as optimization and 
> data hiding are usually the opposite of each other.. but there's 
> probably a way to combine them...

But the question is still why do so?  You gain nothing from such "data
hiding" in this case, as the application still ends up converting to
string form and can still violate the "encapsulation" at that point by
peeking inside the string.  It ends up being no different from directly
returning the string form in that case as far as "data hiding" is
concerned, and the string form is what most users of libselinux want.
The structure is for a minority of users of libselinux that actually
care about the individual fields.  

-- 
Stephen Smalley
National Security Agency