[libvirt] [PATCH] selinux: Use raw contexts

Martin Kletzander mkletzan at redhat.com
Fri Oct 12 15:59:04 UTC 2012


On 10/12/2012 05:41 PM, Eric Blake wrote:
> On 10/12/2012 09:17 AM, Martin Kletzander wrote:
>> On 10/12/2012 04:53 PM, Eric Blake wrote:
>>> On 10/12/2012 08:39 AM, Martin Kletzander wrote:
>>>> We are currently able to work only with non-translated SELinux
>>>> contexts, but we are using functions that work with translated
>>>> contexts throughout the code.  This patch swaps all SELinux context
>>>> translation-related calls with their raw sisters to avoid parsing
>>>> problems.
>>>>
>>>> The problems can be experienced with mcstrans for example.
>>>> Thanks Laurent Bigonville for finding this out.
> 
>>
>> The difference is that if you have translations enabled (yum install
>> mcstrans; service mcstrans start), fgetfilecon_raw() will get you
>> something like 'system_u:object_r:virt_image_t:s0', whereas
>> fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
>> that we cannot parse.
> 
> Very useful, and worth including in the commit message.
> 
>> I'm trying to confirm that the _raw variants were here since the dawn of
>> time, but the only thing I see now is that it was imported together in
>> the upstream repo [1] from svn, so before 2008.
>>
>> [1] http://oss.tresys.com/git/selinux.git
> 
> Also useful.  Put this in the commit message as well, and you have my
> ACK, since I just verified that fgetfilecon_raw exists on RHEL 5, which
> is all the further we have to worry about historically.
> 

Thanks for checking that, I've put the additional info inside the commit
message and pushed.

Martin
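
Why the translated label breaks parsing, as an added example (not libvirt's code and not part of the patch): a strict check for the raw MLS form `sN[:cN,...][-sN[:cN,...]]`, which accepts what fgetfilecon_raw() returns and rejects an mcstrans-translated range such as SystemLow. The names `context_is_raw`, `raw_level` and `raw_token` are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Consume one "sN" or "cN" token at *p. Returns 1 on success. */
static int raw_token(const char **p, char kind)
{
    const char *s = *p;
    if (*s != kind || !isdigit((unsigned char)s[1]))
        return 0;
    for (s++; isdigit((unsigned char)*s); s++)
        ;
    *p = s;
    return 1;
}

/* One raw level: sN, then optional ":cN" categories joined by ',' or '.'. */
static int raw_level(const char **p)
{
    if (!raw_token(p, 's'))
        return 0;
    if (**p != ':')
        return 1;
    do {
        (*p)++;                       /* skip ':', ',' or '.' */
        if (!raw_token(p, 'c'))
            return 0;
    } while (**p == ',' || **p == '.');
    return 1;
}

/* 1 if ctx is user:role:type:range and the range is in raw form. */
int context_is_raw(const char *ctx)
{
    const char *p = ctx;
    for (int i = 0; i < 3; i++) {     /* skip user, role, type */
        const char *colon = strchr(p, ':');
        if (!colon || colon == p)
            return 0;
        p = colon + 1;
    }
    if (!raw_level(&p))
        return 0;
    if (*p == '-') {                  /* optional high level after '-' */
        p++;
        if (!raw_level(&p))
            return 0;
    }
    return *p == '\0';
}
```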



