SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: launching apps at level (MLS) and polyinstantiation This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Xavier Toth <txtoth_at_gmail.com> Date: Thu, 3 May 2007 08:51:06 -0500 On 5/3/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote: > > On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > > +#include <sepol/policydb/hashtab.h> > > > > > > We don't want newrole to link with the static libsepol, so if you want > > > to use the libsepol hashtab (and symtab) support, copy it into the > > > newrole directory. > > > > > > > I'd prefer it if this was in a shared library. > > It isn't adequately encapsulated for that. > > > > Breaks the "abstraction". Normally this would be done as a > > > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > > > to free the table. Or if you want a unified form, you could do > > > something like hashtab_map_remove_on_error() except always doing the > > > removal, but put it in your copy of the hashtab code. > > > > > > > Hmmm, I pretty much copied this code from semodule_deps.c > > ...which does require static libsepol and is a developer tool rather > than a production system tool. > > > > + char cmd = (char )malloc(strlen(argv[optind+1])); > > > > > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > > > > > + sscanf(argv[optind+1], "%s", cmd); > > > > > > Pointless, argument vector has already been parsed by the shell. > > > Just use argv[optind] directly, no copy required. > > > > > > > Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"' > > agrv[optind] is '-c' > > argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory' > > I see, although you aren't explicitly checking that a "-c" was > specified, so it seems prone to error. True > That form of usage seems > unpleasant, but it is consistent with su. Might be nice if newrole > would just directly invoke the command if specified, but that could > cause problems with domain transitions. > > -- > Stephen Smalley > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. text/x-patch attachment: policycoreutils-service-name.patch Received on Thu 3 May 2007 - 09:51:10 EDT This message: [ Message body ] Next message: Stephen Smalley: "Re: Where to specific the handling of unknown kernel classes and perms" Previous message: Stephen Smalley: "Re: launching apps at level (MLS) and polyinstantiation" In reply to: Stephen Smalley: "Re: launching apps at level (MLS) and polyinstantiation" Next in thread: Stephen Smalley: "Re: launching apps at level (MLS) and polyinstantiation" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom