From: Colin Walters <walters@verbum.org>
To: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Subject: Re: is_selinux_enabled() always returns 0 after selinux_set_policy_root()
Date: Wed, 26 Apr 2017 16:43:08 -0400
Message-ID: <1493239388.1829342.957407608.3C297B30@webmail.messagingengine.com>
In-Reply-To: <1493238298.32540.13.camel@tycho.nsa.gov>


On Wed, Apr 26, 2017, at 04:24 PM, Stephen Smalley wrote:
>
> Your analysis and proposed fix sound correct to me.  I blame Dan ;)

Thanks.  I tested the patch and confirmed it fixed ostree as it stands today,
but I'm going to change ostree to cache the result of `is_selinux_enabled()`
itself to work around this, since for our use cases it should never really
change dynamically.

Here's a git-format-patch version attached:

[-- Attachment #2: 0001-config-Don-t-finalize-mount-state-in-selinux_set_pol.patch --]

From 9268336b3e3a8994e495e7a997c9978453f7b155 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 26 Apr 2017 16:26:21 -0400
Subject: [PATCH] config: Don't finalize mount state in
 selinux_set_policy_root()

This breaks every further call to e.g. `is_selinux_enabled()` after a policy
root has been set.  This tripped up some code landed in libostree:
https://github.com/ostreedev/ostree/pull/797
since in some cases we initialize a policy twice in-process, and we'd
call `is_selinux_enabled()` each time.

More info in: http://marc.info/?l=selinux&m=149323809332417&w=2
---
 libselinux/src/selinux_config.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index d8e140c..292728f 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -282,7 +282,6 @@ int selinux_set_policy_root(const char *path)
 	}
 	policy_type++;
 
-	fini_selinuxmnt();
 	fini_selinux_policyroot();
 
 	selinux_policyroot = strdup(path);
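Review bot: the commit message says that calling fini_selinuxmnt() here breaks later is_selinux_enabled() calls, but not why dropping the call is safe, and the hunk removes the only mount-state reset left in selinux_set_policy_root(). One sentence in the message stating that the selinuxfs mount location does not depend on the policy root (so there is nothing to re-probe when the root changes) and that nothing re-initialises the mount state after fini_selinuxmnt() would let a reviewer judge the change without reading the rest of selinux_config.c. The remaining `fini_selinux_policyroot();` followed by `selinux_policyroot = strdup(path);` is the right ordering for the part that does depend on the root.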
-- 
2.9.3


Thread overview:
2017-04-26 20:10 is_selinux_enabled() always returns 0 after selinux_set_policy_root() Colin Walters
2017-04-26 20:24 ` Stephen Smalley
2017-04-26 20:43   ` Colin Walters [this message]
2017-04-26 21:08     ` Colin Walters
2017-04-27 13:04       ` Stephen Smalley
2017-04-27 16:53         ` Dominick Grift
2017-04-27 20:37           ` Stephen Smalley
2017-04-30 10:51             ` Daniel Walsh
2017-04-30 16:08               ` Dominick Grift
2017-04-27 12:39     ` Stephen Smalley
