Re: [libvirt] [PATCH] selinux: Use raw contexts

On 10/12/2012 09:17 AM, Martin Kletzander wrote: > On 10/12/2012 04:53 PM, Eric Blake wrote: >> On 10/12/2012 08:39 AM, Martin Kletzander wrote: >>> We are currently able to work only with non-translated SELinux >>> contexts, but we are using functions that work with translated >>> contexts throughout the code. This patch swaps all SELinux context >>> translation relative calls with their raw sisters to avoid parsing >>> problems. >>> >>> The problems can be experienced with mcstrans for example. >>> Thanks Laurent Bigonville for finding this out. > > The difference is that if you have translations enabled (yum install > mcstrans; service mcstrans start), fgetfilecon_raw() will get you > something like 'system_u:object_r:virt_image_t:s0', whereas > fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow' > that we cannot parse. Very useful, and worth including in the commit message. > I'm trying to confirm that the _raw variants were here since the dawn of > time, but the only thing I see now is that it was imported together in > the upstream repo [1] from svn, so before 2008. > > [1] http://oss.tresys.com/git/selinux.git Also useful. Put this in the commit message as well, and you have my ACK, since I just verified that fgetfilecon_raw exists on RHEL 5, which is all the further we have to worry about historically.