From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] libselinux: Use sestatus if open
Date: Tue, 14 Jul 2020 17:03:12 -0400
Message-ID: <CAEjxPJ5m31kcXH66viy3R-ncbBJCET8Wm3+DjphDeZ0iV3giEA@mail.gmail.com>
In-Reply-To: <20200714202934.42424-1-mike.palmiotto@crunchydata.com>

On Tue, Jul 14, 2020 at 4:35 PM Mike Palmiotto
<mike.palmiotto@crunchydata.com> wrote:
>
> Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
> /selinux/status") introduced the selinux_status page mechanism, which
> allows for mmap()'ing of selinux status state as a replacement for
> avc_netlink.
>
> The mechanism was initially intended for use by userspace object
> managers which were calculating access decisions in-tree and did not
> rely on the libselinux AVC implementation. In order to properly make use
> of sestatus within avc_has_perm, the status mechanism needs to properly
> set avc internals during status events; else, avc_enforcing is never
> updated upon sestatus changes.
>
> This commit moves the netlink notice logic out into convenience
> functions, which are then called by the sestatus code. Since sestatus
> uses netlink as a fallback, we can change the avc_netlink_check_nb()
> call in avc_has_perm_noaudit to check the status page if it is
> available. If it is not, we fall back to

Missing word/phrase here.  Also you need to do more than just replace
this one call or selinux_status_updated() will do nothing unless the
application has explicitly done a selinux_status_open() itself, e.g.
avc_netlink_open -> selinux_status_open, avc_netlink_close ->
selinux_status_close, deal with other avc_netlink_* calls including
the multi-threaded case.  Finally, I don't think you need to sanitize
the enforcing value from the kernel; it takes care of that itself
these days and no point in fixing it up for old kernels now.
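
The mechanism under discussion, as an added example that is not libselinux code and not part of the original thread: a self-contained C model of the check that would stand in for the avc_netlink_check_nb() call in avc_has_perm_noaudit(). It consults the mmap'd status page if one is open, reading it with the kernel's seqlock convention (an odd sequence number means an update is in progress), refreshes avc_enforcing from that snapshot, and otherwise falls back to a netlink notice queue, with open and close paired the way the reply above suggests. Only the status page layout and its sequence protocol follow the kernel's /sys/fs/selinux/status interface; the struct names, avc_open()/avc_close()/avc_check_status(), the fake_netlink queue and the two scenario functions are assumptions made for this example.

```c
/* Added example, not libselinux code: a model of "check the status page if
 * open, else fall back to netlink" with the avc_enforcing refresh the commit
 * message says is missing.  Only the page layout and its sequence protocol
 * (odd = kernel mid-update) follow /sys/fs/selinux/status; all names and the
 * fake netlink queue are this example's assumptions. */
#include <stddef.h>
#include <stdint.h>

struct status_page {                        /* kernel-exported, read-only */
    uint32_t version, sequence, enforcing, policyload, deny_unknown;
};
struct fake_netlink { int pending; uint32_t enforcing; };  /* assumption */
struct avc_state {
    volatile struct status_page *status;    /* NULL: page not open */
    uint32_t last_seqno;
    struct fake_netlink *nl;                /* NULL: netlink not open */
    int avc_enforcing;                      /* what avc_has_perm() consults */
};
struct scenario_result { int enforcing, changes; };

/* Simulated kernel: seqlock writer.  Odd sequence tells readers to retry. */
void kernel_setenforce(struct status_page *p, uint32_t enforcing)
{
    p->sequence++;
    __sync_synchronize();
    p->enforcing = enforcing;
    __sync_synchronize();
    p->sequence++;
}

/* Open as suggested above (avc_netlink_open -> selinux_status_open): prefer
 * the page, else netlink.  last_seqno = -1 forces a sync on the first check. */
void avc_open(struct avc_state *st, struct status_page *page, struct fake_netlink *nl)
{
    st->status = page;
    st->nl = page ? NULL : nl;
    st->last_seqno = (uint32_t)-1;
    st->avc_enforcing = -1;                 /* unknown until first check */
}

void avc_close(struct avc_state *st) { st->status = NULL; st->nl = NULL; }

/* Stand-in for the avc_netlink_check_nb() call in avc_has_perm_noaudit():
 * 1 = mode changed and avc_enforcing refreshed, 0 = unchanged, -1 = closed. */
int avc_check_status(struct avc_state *st)
{
    if (st->status) {
        uint32_t seqno, enforcing;
        do {                                /* seqlock read: one snapshot */
            while ((seqno = st->status->sequence) & 1)
                ;                           /* libselinux sched_yield()s here */
            __sync_synchronize();
            enforcing = st->status->enforcing;
            __sync_synchronize();
        } while (seqno != st->status->sequence);
        if (seqno == st->last_seqno)
            return 0;
        st->last_seqno = seqno;
        st->avc_enforcing = enforcing ? 1 : 0;   /* the missing step */
        return 1;
    }
    if (!st->nl)
        return -1;
    if (!st->nl->pending)
        return 0;
    st->nl->pending = 0;
    st->avc_enforcing = st->nl->enforcing ? 1 : 0;
    return 1;
}

/* Page open; the kernel flips enforcing 1 -> 0 between checks. */
struct scenario_result scenario_status_page(void)
{
    struct status_page page = { 1, 0, 1, 0, 0 };
    struct avc_state st;
    struct scenario_result r = { 0, 0 };
    avc_open(&st, &page, NULL);
    r.changes += avc_check_status(&st);     /* initial sync: 1 */
    r.changes += avc_check_status(&st);     /* nothing new: 0 */
    kernel_setenforce(&page, 0);            /* admin runs setenforce 0 */
    r.changes += avc_check_status(&st);     /* change seen: 1 */
    r.enforcing = st.avc_enforcing;
    avc_close(&st);
    return r;
}

/* No page; one queued netlink notice switches to permissive. */
struct scenario_result scenario_netlink_fallback(void)
{
    struct fake_netlink nl = { 1, 0 };
    struct avc_state st;
    struct scenario_result r = { 0, 0 };
    avc_open(&st, NULL, &nl);
    r.changes += avc_check_status(&st);     /* consumes notice: 1 */
    r.changes += avc_check_status(&st);     /* queue empty: 0 */
    r.enforcing = st.avc_enforcing;
    avc_close(&st);
    return r;
}
```

The point the model makes is the one the reply raises: a status-page check that only compares sequence numbers, without writing the new mode into avc_enforcing, leaves the AVC enforcing decisions stale after setenforce; and once the page is opened by the AVC itself rather than by the application, the matching close has to live in the AVC too. The netlink stand-in only models delivery of a pending notice, not the real socket protocol.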


Thread overview: 17+ messages
2020-07-14 20:29 [PATCH] libselinux: Use sestatus if open Mike Palmiotto
2020-07-14 21:03 ` Stephen Smalley [this message]
2020-07-14 21:20   ` Mike Palmiotto
2020-07-14 21:35     ` Stephen Smalley
2020-07-14 22:42       ` Mike Palmiotto
2020-07-15 16:04         ` Mike Palmiotto
2020-07-15 16:49           ` Stephen Smalley
2020-07-15 17:10             ` Mike Palmiotto
2020-07-15 18:52               ` Mike Palmiotto
2020-07-15 19:49                 ` Stephen Smalley
2020-07-15 22:45                   ` Mike Palmiotto
2020-07-16 12:39                     ` Stephen Smalley
2020-07-16 13:36                       ` Mike Palmiotto
2020-07-16 15:12                         ` Stephen Smalley
2020-07-16 15:27                           ` Stephen Smalley
2020-07-16 15:44                             ` Mike Palmiotto
