
On 10/12/2012 04:53 PM, Eric Blake wrote:
On 10/12/2012 08:39 AM, Martin Kletzander wrote:
We are currently able to work only with non-translated SELinux contexts, but we are using functions that work with translated contexts throughout the code. This patch swaps all SELinux context translation relative calls with their raw sisters to avoid parsing problems.
The problems can be experienced with mcstrans for example. Thanks Laurent Bigonville for finding this out.
---
 configure.ac                    |  4 ++--
 src/security/security_selinux.c | 26 +++++++++++++-------------
 src/storage/storage_backend.c   |  2 +-
 tests/securityselinuxhelper.c   |  6 +++---
 tests/securityselinuxtest.c     |  2 +-
 5 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/configure.ac b/configure.ac index bcdea9c..08dc63d 100644 --- a/configure.ac +++ b/configure.ac @@ -1440,14 +1440,14 @@ if test "$with_selinux" != "no"; then old_libs="$LIBS" if test "$with_selinux" = "check"; then AC_CHECK_HEADER([selinux/selinux.h],[],[with_selinux=no]) - AC_CHECK_LIB([selinux], [fgetfilecon],[],[with_selinux=no]) + AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])
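Review bot: the swapped AC_CHECK_LIB([selinux], [fgetfilecon_raw],...) sits inside the `if test "$with_selinux" = "check"` branch, so it only decides whether SELinux support is auto-enabled; it does not verify that the _raw symbols exist when the user forces --with-selinux=yes, and on a libselinux that has fgetfilecon but not fgetfilecon_raw the "check" path now silently turns SELinux support off instead of reporting why. Suggest keeping the fgetfilecon probe, adding an explicit AC_CHECK_FUNCS([fgetfilecon_raw]) (or equivalent) whose failure produces a clear configure message, and stating the minimum libselinux version this patch now requires in the commit message, since security_selinux.c, storage_backend.c and the tests all move to the _raw calls per the diffstat.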
On my F17 box, 'man fgetfilecon' has a listing, but 'man fgetfilecon_raw' does not. What is the difference between these functions, and how far back into the past does fgetfilecon_raw exist? Do we need to make this patch conditional, and fall back on fgetfilecon (as it is better than nothing) on older systems that lack the *_raw variants?
The difference is that if you have translations enabled (yum install mcstrans; service mcstrans start), fgetfilecon_raw() will get you something like 'system_u:object_r:virt_image_t:s0', whereas fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow', which we cannot parse. The translations can be (to my knowledge) very different, even though this is the only one I know about. These translated contexts should be used for reporting to users, I guess.

It is a problem, for example, with a context like:
'unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh'
that is basically:
'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

I'm trying to confirm that the _raw variants have been here since the dawn of time, but the only thing I see now is that they were imported together into the upstream repo [1] from svn, so before 2008.

[1] http://oss.tresys.com/git/selinux.git
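As an added illustration of the parsing problem discussed above (example code written for this page, not libvirt's or libselinux's own; the `sel_context` struct and the function names are hypothetical), here is a small C checker that splits a context string into user:role:type:range and accepts the MLS field only when it is in raw form (`s<N>`, optionally `:c...` categories, optionally `low-high`). The raw strings quoted in the thread pass, while the mcstrans-translated ones (`SystemLow`, `SystemLow-SystemHigh`) are rejected up front rather than misparsed further down.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A parsed SELinux context: user:role:type[:range].  Hypothetical type
 * for this example; libvirt itself uses libselinux's context_*() API. */
typedef struct {
    char user[64];
    char role[64];
    char type[64];
    char range[128];   /* empty string when the context has no MLS field */
} sel_context;

/* True if 'level' (len bytes) is a raw MLS level: 's' + digits, optionally
 * ':' and categories such as c0.c1023 or c1,c5.c9.  Translated names
 * like "SystemLow" never match because they do not start with 's<digit>'. */
static bool is_raw_level(const char *level, size_t len)
{
    size_t i = 1;
    if (len < 2 || level[0] != 's' || !isdigit((unsigned char)level[1]))
        return false;
    while (i < len && isdigit((unsigned char)level[i]))
        i++;
    if (i == len)
        return true;                    /* sensitivity only, e.g. s0 */
    if (level[i] != ':')
        return false;
    i++;
    while (i < len) {                   /* c<digits> [ ',' | '.' ] ... */
        if (level[i] != 'c' || i + 1 >= len || !isdigit((unsigned char)level[i + 1]))
            return false;
        i++;
        while (i < len && isdigit((unsigned char)level[i]))
            i++;
        if (i == len)
            return true;
        if (level[i] != ',' && level[i] != '.')
            return false;
        i++;
        if (i == len)
            return false;               /* trailing separator, e.g. "s0:c0." */
    }
    return false;                       /* "s0:" with nothing after the colon */
}

/* A raw range is a single level or low-high; the high level may carry
 * its own category set, as in s0-s0:c0.c1023. */
static bool is_raw_range(const char *range)
{
    const char *dash = strchr(range, '-');
    if (!dash)
        return is_raw_level(range, strlen(range));
    return is_raw_level(range, (size_t)(dash - range)) &&
           is_raw_level(dash + 1, strlen(dash + 1));
}

/* Split a context into its fields.  Returns 0 on success, -1 when a
 * field is missing, empty, or too long for the fixed buffers. */
static int parse_context(const char *ctx, sel_context *out)
{
    char *fields[4] = { out->user, out->role, out->type, out->range };
    size_t caps[4] = { sizeof out->user, sizeof out->role,
                       sizeof out->type, sizeof out->range };
    const char *p = ctx;
    int n;

    memset(out, 0, sizeof *out);
    for (n = 0; n < 4; n++) {
        const char *end = (n < 3) ? strchr(p, ':') : NULL;
        size_t len;
        if (!end) {
            if (n < 2)                  /* user and role must be followed by ':' */
                return -1;
            end = p + strlen(p);        /* type or range runs to end of string */
        }
        len = (size_t)(end - p);
        if (len == 0 || len >= caps[n])
            return -1;
        memcpy(fields[n], p, len);
        fields[n][len] = '\0';
        if (*end == '\0')
            break;                      /* no more fields (range is optional) */
        p = end + 1;
    }
    return 0;
}

/* 1 = usable (raw or no MLS field), 0 = translated MLS field, -1 = malformed. */
static int check_raw_context(const char *ctx)
{
    sel_context c;
    if (parse_context(ctx, &c) < 0)
        return -1;
    if (c.range[0] == '\0')
        return 1;
    return is_raw_range(c.range) ? 1 : 0;
}

int main(void)
{
    /* Sample contexts constructed for this example (the raw/translated
     * pairs quoted in the thread plus a label without MLS and junk). */
    const char *samples[] = {
        "system_u:object_r:virt_image_t:s0",
        "system_u:object_r:virt_image_t:SystemLow",
        "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
        "unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh",
        "system_u:object_r:virt_image_t",
        "garbage",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-62s -> %d\n", samples[i], check_raw_context(samples[i]));
    return 0;
}
```

Used as a guard before a label is applied, a return of 0 is the signal that the caller fetched a translated context (the non-_raw libselinux call, or a user-supplied string), so the safe action is to refuse it rather than attempt to derive a level and category set from words like "SystemLow".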