selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>,
	selinux@vger.kernel.org
Cc: xunchang@google.com
Subject: Re: [PATCH 0/3] Update restorecon to support new digest scheme
Date: Fri, 24 May 2019 13:11:00 -0400	[thread overview]
Message-ID: <d508ca78-1166-be9b-7659-9def4728d991@tycho.nsa.gov> (raw)
In-Reply-To: <20190522164240.3062-1-richard_c_haines@btinternet.com>

On 5/22/19 12:42 PM, Richard Haines wrote:
> These patches require [1] and [2] be installed first. They have
> been implemented on Android and sent to the selinux list, however their
> merge has been deferred. They will install the core hashing of
> file_context entries and fix root stem processing.
> 
> Patch 1/3 updates selinux_restorecon() replacing the per-mountpoint
> security.restorecon_last attribute with a per-directory security.sehash
> attribute computed from only those file contexts entries that partially
> match the directory. This is to avoid the need to walk the entire tree
> when any part of file_contexts changes, limiting relabels to only those
> parts of the tree that could have changed.
> 
> One change is to add a new selabel_get_digests_all_partial_matches(3)
> function that is explained in the man page. This could replace the Android
> version of selabel_hash_all_partial_matches(3), that could then be
> converted into a local function (The Android team would need to approve).

Has Android sorted out all of the ramifications of this change?  What 
about the triggering of CAP_SYS_ADMIN denials for setting the 
security.sehash attribute?

> 
> Patches 2/3 and 3/3 update restorecon, setfiles and restorecond.
> 
> I will send a patch for the selinux-testsuite that will perform tests on
> the new code.
>   
> [1] https://lore.kernel.org/selinux/20190311222442.49824-1-xunchang@google.com/
> [2] https://lore.kernel.org/selinux/20190417180955.136942-1-xunchang@google.com/
> 
> Richard Haines (3):
>    libselinux: Save digest of all partial matches for directory
>    setfiles: Update utilities for the new digest scheme
>    restorecond: Update to handle new digest scheme
> 
>   libselinux/include/selinux/label.h            |   5 +
>   libselinux/include/selinux/restorecon.h       |  17 +-
>   .../selabel_get_digests_all_partial_matches.3 |  70 +++++
>   libselinux/man/man3/selinux_restorecon.3      |  91 +++---
>   .../man3/selinux_restorecon_default_handle.3  |   9 +-
>   .../man/man3/selinux_restorecon_xattr.3       |  11 +-
>   libselinux/src/label.c                        |  15 +
>   libselinux/src/label_file.c                   |  51 ++++
>   libselinux/src/label_file.h                   |   4 +
>   libselinux/src/label_internal.h               |   5 +
>   libselinux/src/selinux_restorecon.c           | 267 +++++++++++-------
>   libselinux/utils/.gitignore                   |   1 +
>   .../selabel_get_digests_all_partial_matches.c | 170 +++++++++++
>   policycoreutils/setfiles/restore.c            |   7 +-
>   policycoreutils/setfiles/restore.h            |   2 +-
>   policycoreutils/setfiles/restorecon.8         |  10 +-
>   policycoreutils/setfiles/restorecon_xattr.8   |  19 +-
>   policycoreutils/setfiles/restorecon_xattr.c   |  66 +----
>   policycoreutils/setfiles/setfiles.8           |  10 +-
>   policycoreutils/setfiles/setfiles.c           |  19 +-
>   restorecond/restore.c                         |   8 +-
>   restorecond/restore.h                         |   2 +-
>   restorecond/restorecond.c                     |   5 +-
>   23 files changed, 593 insertions(+), 271 deletions(-)
>   create mode 100644 libselinux/man/man3/selabel_get_digests_all_partial_matches.3
>   create mode 100644 libselinux/utils/selabel_get_digests_all_partial_matches.c
> 

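The per-directory digest scheme described in the quoted cover letter, modelled as an added example (this is not code from the patch series or from libselinux): each directory carries its own security.sehash, computed only from the file_contexts entries that partially match that directory, so a change to an unrelated entry does not force a walk of the whole tree. Two things are assumptions made for the example and not taken from the thread: partial matching is approximated with the literal stem of each regex (libselinux performs a real partial regex match), and SHA-256 plus a plain dict stand in for the digest and the xattr store.

```python
"""Toy model of per-directory security.sehash digests (added example, not libselinux code)."""
import hashlib
import re

# Constructed sample file_contexts lines, not taken from any real policy.
FILE_CONTEXTS = """\
/.*                         system_u:object_r:default_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/etc/ssh(/.*)?              system_u:object_r:sshd_key_t:s0
/var/log(/.*)?              system_u:object_r:var_log_t:s0
/var/lib/mysql(/.*)?        system_u:object_r:mysqld_db_t:s0
"""

# First regex metacharacter ends the literal stem of an entry.
_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_file_contexts(text):
    """Return (regex, context) pairs; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An optional file-type field (e.g. "-d") may sit between regex and context.
        entries.append((parts[0], parts[-1]))
    return entries


def stem(regex):
    """Literal prefix up to the first metacharacter: '/etc/ssh' for '/etc/ssh(/.*)?'."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def partial_matches(entries, directory):
    """Entries that could label something at or below `directory`.

    Assumption: a stem-based approximation of PCRE partial matching. An entry
    qualifies when its stem covers the directory or lies somewhere beneath it.
    """
    d = directory.rstrip("/") or "/"
    selected = []
    for regex, context in entries:
        s = stem(regex).rstrip("/") or "/"
        if s == "/" or d == "/" or d == s or d.startswith(s + "/") or s.startswith(d + "/"):
            selected.append((regex, context))
    return selected


def digest_for_directory(entries, directory):
    """Digest over only the partially matching entries (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for regex, context in partial_matches(entries, directory):
        h.update(f"{regex} {context}\n".encode())
    return h.hexdigest()


def needs_relabel(xattrs, entries, directory):
    """True when the stored security.sehash is missing or stale for `directory`."""
    return xattrs.get((directory, "security.sehash")) != digest_for_directory(entries, directory)


def restorecon_dir(xattrs, entries, directory):
    """Relabel `directory` only when its digest is stale; returns True if a walk ran.

    On a real system the setxattr of security.sehash needs CAP_SYS_ADMIN, which
    is the denial concern raised in the reply above.
    """
    if not needs_relabel(xattrs, entries, directory):
        return False
    # ... file relabelling would happen here ...
    xattrs[(directory, "security.sehash")] = digest_for_directory(entries, directory)
    return True


def demo():
    """Show that editing the mysql entry only invalidates /var/lib/mysql."""
    entries = parse_file_contexts(FILE_CONTEXTS)
    store = {}  # stands in for the per-directory xattrs
    dirs = ("/etc", "/var/log", "/var/lib/mysql")
    first = {d: restorecon_dir(store, entries, d) for d in dirs}
    changed = parse_file_contexts(FILE_CONTEXTS.replace("mysqld_db_t", "mysqld_var_t"))
    second = {d: restorecon_dir(store, changed, d) for d in dirs}
    return first, second


if __name__ == "__main__":
    print(demo())
```

The second pass in `demo()` is the point of the scheme: after the mysql entry changes, `/etc` and `/var/log` keep a matching digest and are skipped, while `/var/lib/mysql` is walked again. A mountpoint-wide digest would have invalidated all three.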

Thread overview: 5+ messages
2019-05-22 16:42 [PATCH 0/3] Update restorecon to support new digest scheme Richard Haines
2019-05-24 17:11 ` Stephen Smalley [this message]
     [not found]   ` <cc26a91a5fb500e6c61131965920131782751880.camel@btinternet.com>
2019-05-28 14:24     ` Stephen Smalley
     [not found]       ` <c56a4e4524b98db76c642714c9e4fd927458e3f8.camel@btinternet.com>
2019-05-30 16:29         ` Stephen Smalley
  -- strict thread matches above, loose matches on Subject: below --
2019-05-22  5:41 Richard Haines
