Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database

On Mon, Oct 15, 2012 at 07:03:07PM +0800, Guannan Ren wrote: > On 10/15/2012 06:40 PM, Martin Kletzander wrote: >> On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: >>> On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: >>>> If we use matchpathcon() to look up selinux context for specific pathname, >>>> it'd better actively load file contexts database by matchpathcon_init() >>>> and free memory when finished using matchpathcon by matchpathcon_fini(). >>>> --- >>>> src/security/security_selinux.c | 8 ++++++++ >>>> 1 file changed, 8 insertions(+) >>>> >>>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c >>>> index 10135ed..b278e2c 100644 >>>> --- a/src/security/security_selinux.c >>>> +++ b/src/security/security_selinux.c >>>> @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) >>>> static int >>>> virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) >>>> { >>>> +#ifndef HAVE_SELINUX_LABEL_H >>>> + if (matchpathcon_init(NULL) < 0) >>>> + VIR_WARN("cannot load selinux active file contexts configuration"); >>>> +#endif >>>> return virSecuritySELinuxInitialize(mgr); >>>> } >>>> @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) >>>> VIR_FREE(data->file_context); >>>> VIR_FREE(data->content_context); >>>> +#ifndef HAVE_SELINUX_LABEL_H >>>> + if (matchpathcon_fini() < 0) >>>> + VIR_WARN("cannot free allocated memory for selinux"); >>>> +#endif >>>> return 0; >>>> } >>> I'm not convinced this is safe, because the security drivers can be >>> opened multiple times, eg LXC and QEMU, and this is changing the global >>> static state of the SELinux library. >>> >> I didn't think the driver is opened for every other driver used. In >> this case the initialization of the matchpathcon should be dealt with in >> some other way. Or can't we open the security driver only once? >> >> @Guannan: is there a problem this fixes? How come it worked without the >> init before? >> >> Martin >> > No, there is no a bug/problem to fix, the patch just actively > initializes > the active context configuration database. > If we don't do this, the matchpathcon will do it instead. > I am going to add them in a better way later. There *is* a bug, because you are calling the init/fini methods multiple times and the libselinux code does not handle that usage in a safe manner. Daniel