From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH 0/3] libselinux: quirks of the status page
Date: Mon, 10 May 2021 12:56:45 +0200	[thread overview]
Message-ID: <20210510105648.14635-1-cgzones@googlemail.com> (raw)

Dominick Grift made me aware over IRC of the issue that systemd on
Fedora 34 no longer updates its selabel database automatically on
SELinux policy reloads.
The issue is caused by libselinux 3.2 defaulting to use the status page
instead of a netlink socket for reload/enforcing change queries[1].
I prepared a patch for systemd over at [2].

While writing the patch I noticed two possible issues:

1. selinux_status_open(3) is not reentrant
selinux_status_open() unconditionally calls mmap(2), regardless of whether
the page is already opened.
selinux_status_open() might get called multiple times by a client
application unintentionally, e.g. once manually to be able to call
selinux_status_updated(3) and react to changes, and indirectly by
calling selinux_check_access(3), which calls avc_open(3), which since
3.2[1] also calls selinux_status_open().

2. In fallback mode selinux_status_open(3) sets internal callbacks
If selinux_status_open() gets called with fallback enabled and the
fallback is actually used, it sets the two callbacks for
SELINUX_CB_SETENFORCE and SELINUX_CB_POLICYLOAD.
These might be later overridden by client applications, which want to
install their own callbacks.
avc_open(3) since 3.2 calls selinux_status_open() with fallback mode
enabled.

[1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
[2]: https://github.com/systemd/systemd/pull/19551

Christian Göttsche (3):
  libselinux: avc_destroy(3) closes status page
  libselinux: make selinux_status_open(3) reentrant
  libselinux: do not use status page fallback mode internally

 libselinux/man/man3/avc_open.3 | 3 +++
 libselinux/src/avc.c           | 2 +-
 libselinux/src/sestatus.c      | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)

-- 
2.31.1
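The two quirks described in the cover letter, modelled as an added example that is not libselinux code: an anonymous mapping stands in for the kernel status page, and all names (status_open_naive, status_open_guarded, avc_open_model, the demo_* functions) are hypothetical. status_open_naive() mirrors the pre-series behaviour of mapping on every call, status_open_guarded() the reentrant variant, and avc_open_model() shows why an internal caller should not request fallback mode when the client has registered its own callbacks.

```c
/* Added example (not libselinux code): a self-contained model of the two
 * selinux_status_open(3) quirks from the cover letter. An anonymous mapping
 * stands in for the kernel status page; all names are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <sys/mman.h>

#define STATUS_PAGE_SIZE 4096

typedef void (*selinux_cb_t)(int);

static void *status_page = NULL;   /* current mapping, NULL when closed */
static int live_mappings = 0;      /* mmap() calls not yet balanced by munmap() */

/* Stand-ins for the SELINUX_CB_SETENFORCE / SELINUX_CB_POLICYLOAD slots. */
static selinux_cb_t cb_setenforce = NULL;
static selinux_cb_t cb_policyload = NULL;

static void fallback_setenforce(int enforcing) { (void)enforcing; }
static void fallback_policyload(int seqno)     { (void)seqno; }

static int map_page(int use_fallback)
{
    void *p = mmap(NULL, STATUS_PAGE_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    live_mappings++;
    status_page = p;
    if (use_fallback) {
        /* Quirk 2: fallback mode installs library-internal callbacks,
         * overwriting whatever the client registered earlier. */
        cb_setenforce = fallback_setenforce;
        cb_policyload = fallback_policyload;
    }
    return 0;
}

/* Quirk 1: opens unconditionally, so a second call maps a new page and
 * forgets the first one; close() can only ever unmap the last mapping. */
int status_open_naive(int use_fallback)
{
    return map_page(use_fallback);
}

/* Reentrant variant: a second open while the page is mapped is a no-op. */
int status_open_guarded(int use_fallback)
{
    if (status_page != NULL)
        return 0;
    return map_page(use_fallback);
}

int status_close(void)
{
    if (status_page == NULL)
        return 0;
    if (munmap(status_page, STATUS_PAGE_SIZE) != 0)
        return -1;
    live_mappings--;
    status_page = NULL;
    return 0;
}

/* Client opens the page by hand, then indirectly again (as via avc_open());
 * returns the mappings still outstanding after its single close. */
static int open_twice_close_once(int (*open_fn)(int))
{
    int before = live_mappings;
    if (open_fn(0) != 0 || open_fn(0) != 0)
        return -1;
    if (status_close() != 0)
        return -1;
    return live_mappings - before;
}

int demo_naive_leak(void)    { return open_twice_close_once(status_open_naive);   }
int demo_guarded_clean(void) { return open_twice_close_once(status_open_guarded); }

static void client_setenforce(int enforcing) { (void)enforcing; }
static void client_policyload(int seqno)     { (void)seqno; }

/* Model of avc_open(): libselinux 3.2 opens the status page with fallback
 * enabled; the series changes the internal call to not use fallback mode. */
static int avc_open_model(int internal_fallback)
{
    return status_open_guarded(internal_fallback);
}

/* 1 if the client's callbacks survive avc_open(), 0 if they were clobbered. */
int demo_callbacks_survive(int internal_fallback)
{
    cb_setenforce = client_setenforce;
    cb_policyload = client_policyload;
    if (avc_open_model(internal_fallback) != 0)
        return -1;
    int kept = (cb_setenforce == client_setenforce &&
                cb_policyload == client_policyload);
    status_close();
    return kept;
}

int main(void)
{
    printf("naive open:   %d leaked mapping(s)\n", demo_naive_leak());
    printf("guarded open: %d leaked mapping(s)\n", demo_guarded_clean());
    printf("callbacks kept, internal fallback=1: %d\n", demo_callbacks_survive(1));
    printf("callbacks kept, internal fallback=0: %d\n", demo_callbacks_survive(0));
    return 0;
}
```

The guarded open is the whole of the reentrancy fix: once the page pointer doubles as the "already open" flag, a second open cannot orphan a mapping and close() always releases the one that is live. The callback demo shows the separate point that an internal caller requesting fallback mode silently replaces the client's SELINUX_CB_SETENFORCE/SELINUX_CB_POLICYLOAD handlers, which is why the series stops using fallback mode from avc_open().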


Thread overview: 7+ messages
2021-05-10 10:56 Christian Göttsche [this message]
2021-05-10 10:56 ` [PATCH 1/3] libselinux: avc_destroy(3) closes status page Christian Göttsche
2021-06-01 13:53   ` Petr Lautrbach
2021-05-10 10:56 ` [PATCH 2/3] libselinux: make selinux_status_open(3) reentrant Christian Göttsche
2021-06-01 13:53   ` Petr Lautrbach
2021-05-10 10:56 ` [PATCH 3/3] libselinux: do not use status page fallback mode internally Christian Göttsche
2021-06-01 14:13   ` Petr Lautrbach
