[libvirt] [PATCH] selinux: Use raw contexts
Martin Kletzander
mkletzan at redhat.com
Fri Oct 12 15:17:51 UTC 2012
On 10/12/2012 04:53 PM, Eric Blake wrote:
> On 10/12/2012 08:39 AM, Martin Kletzander wrote:
>> We are currently able to work only with non-translated SELinux
>> contexts, but we are using functions that work with translated
>> contexts throughout the code. This patch swaps all SELinux context
>> translation relative calls with their raw sisters to avoid parsing
>> problems.
>>
>> The problems can be experienced with mcstrans for example.
>> Thanks Laurent Bigonville for finding this out.
>> ---
>> configure.ac | 4 ++--
>> src/security/security_selinux.c | 26 +++++++++++++-------------
>> src/storage/storage_backend.c | 2 +-
>> tests/securityselinuxhelper.c | 6 +++---
>> tests/securityselinuxtest.c | 2 +-
>> 5 files changed, 20 insertions(+), 20 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index bcdea9c..08dc63d 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -1440,14 +1440,14 @@ if test "$with_selinux" != "no"; then
>> old_libs="$LIBS"
>> if test "$with_selinux" = "check"; then
>> AC_CHECK_HEADER([selinux/selinux.h],[],[with_selinux=no])
>> - AC_CHECK_LIB([selinux], [fgetfilecon],[],[with_selinux=no])
>> + AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])
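Review bot: switching the `AC_CHECK_LIB` probe from `fgetfilecon` to `fgetfilecon_raw` makes the `_raw` symbol a hard requirement whenever `with_selinux` is `check`, so a libselinux that only exports the translated entry points now silently disables SELinux support instead of failing the build. Either state the minimum libselinux version this implies, or keep the `fgetfilecon` probe and add a second `AC_CHECK_FUNCS([fgetfilecon_raw])` so the code can fall back when the raw variants are missing.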
>
> On my F17 box, 'man fgetfilecon' has a listing, but 'man
> fgetfilecon_raw' does not. What is the difference between these
> functions, and how far back into the past does fgetfilecon_raw exist?
> Do we need to make this patch conditional, and fall back on fgetfilecon
> (as it is better than nothing) on older systems that lack the *_raw
> variants?
>
The difference is that if you have translations enabled (yum install
mcstrans; service mcstrans start), fgetfilecon_raw() will get you
something like 'system_u:object_r:virt_image_t:s0', whereas
fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
that we cannot parse. The translations can be (to my knowledge) very
different even though this is the only one I know about. These
translated contexts should be used for reporting to users, I guess.
It is a problem, for example, with a context like:
'unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh'
that is basically:
'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
I'm trying to confirm that the _raw variants have been here since the dawn of
time, but the only thing I see now is that they were imported together in
the upstream repo [1] from svn, so before 2008.
[1] http://oss.tresys.com/git/selinux.git
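To show concretely why the translated form breaks parsing, here is an added example (not libvirt's own code, and not part of this thread) of a small context parser that accepts only the raw MLS/MCS range syntax. The field widths, the `selctx_t` type and the function names are assumptions; the sample contexts are the ones quoted above plus a constructed category list.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parsed SELinux context: user:role:type[:range]. Sizes are assumptions. */
typedef struct {
    char user[64];
    char role[64];
    char type[64];
    char range[128];   /* raw MLS/MCS range, empty when the context has none */
} selctx_t;

/*
 * Parse one raw MLS level: s<N>[:c<N>[.c<N>](,c<N>[.c<N>])*]
 * Returns a pointer just past the level, or NULL if the text is not raw
 * (e.g. a translated name such as "SystemLow").
 */
static const char *parse_level(const char *p)
{
    if (*p != 's' || !isdigit((unsigned char)p[1]))
        return NULL;
    p++;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p != ':')
        return p;                      /* sensitivity only, no categories */
    p++;
    for (;;) {
        if (*p != 'c' || !isdigit((unsigned char)p[1]))
            return NULL;
        p++;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p == '.') {               /* category range cA.cB */
            p++;
            if (*p != 'c' || !isdigit((unsigned char)p[1]))
                return NULL;
            p++;
            while (isdigit((unsigned char)*p))
                p++;
        }
        if (*p != ',')
            return p;
        p++;
    }
}

/* True if the whole string is a raw level or raw low-high level pair. */
bool selctx_range_is_raw(const char *range)
{
    const char *p = parse_level(range);
    if (!p)
        return false;
    if (*p == '-') {
        p = parse_level(p + 1);
        if (!p)
            return false;
    }
    return *p == '\0';
}

static bool copy_field(const char *start, const char *end, char *dst, size_t dstlen)
{
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= dstlen)
        return false;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return true;
}

/* Split user:role:type[:range]; fails on a translated (non-raw) range. */
bool selctx_parse(const char *ctx, selctx_t *out)
{
    char *dsts[3] = { out->user, out->role, out->type };
    size_t lens[3] = { sizeof out->user, sizeof out->role, sizeof out->type };
    const char *p = ctx;

    memset(out, 0, sizeof(*out));
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        const char *end = colon ? colon : p + strlen(p);
        if (!copy_field(p, end, dsts[i], lens[i]))
            return false;
        if (!colon)
            return i == 2;             /* range is optional, type is not */
        p = colon + 1;
    }
    if (!selctx_range_is_raw(p))
        return false;
    return copy_field(p, p + strlen(p), out->range, sizeof out->range);
}

int main(void)
{
    /* Contexts from the thread plus one constructed category list. */
    const char *samples[] = {
        "system_u:object_r:virt_image_t:s0",
        "system_u:object_r:virt_image_t:SystemLow",
        "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
        "unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh",
        "system_u:system_r:svirt_t:s0:c10,c20",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        selctx_t c;
        bool ok = selctx_parse(samples[i], &c);
        printf("%-62s %s\n", samples[i], ok ? "raw, parsed" : "rejected (translated?)");
    }
    return 0;
}
```

The parser deliberately knows nothing about mcstrans names: anything that is not `s<N>` with optional `c<N>` categories is rejected, which is exactly what happens to `SystemLow-SystemHigh` when only the raw form is expected.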