SELinux Mailing List
Re: [ LIBSEMANAGE ] Runtime control over preservebools argument
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 07 Nov 2005 10:12:47 -0500
>> Stephen Smalley wrote:
>>
>>> On Fri, 2005-11-04 at 09:22 -0500, Ivan Gyurdiev wrote:
>>>
>>>> So, how do I specify that this is not a transient change, and I
>>>> want my booleans loaded into policy immediately?
>>>
>>> Ah, I see - setsebool -P wants to both update the saved settings and
>>> load the result rather than preserving current settings. So it wants
>>> libsemanage to call load_policy with -b, unlike semodule. Options are:
>>> - add a semanage interface to set a property on the handle to control
>>> whether booleans are preserved or not (by altering the args to
>>> load_policy for that handle), similar to the existing interface for
>>> controlling whether reloads are performed, or
>>
>> Editing an argument string for programs in C is... probably one of
>> the most uncool patches I've ever written.
>> I guess the end justifies the means...
>>
>> Should pass valgrind, and work when called repeatedly with values 0
>> or 1. Maybe the reload=0 case is a bit wrong - argument string cannot
>> contain "-b" anywhere.
>>
>> I also fixed the memory leak in setsebool - see other patch (which
>> should be applied first).
>>
>> Now booleans update correctly (minus migration issues - see other mail).
>> Next: make them update in less than 10 seconds :)
>>
> <snip>
>
>> + if (do_reload) { >> + char* prev_args = conf->load_policy->args; >> + int len = (prev_args == NULL)? 0: strlen(prev_args); >> + char* ptr = (char*) realloc(prev_args, len + 4); >> + >> + if (!ptr) { >> + ERR(sh, "out of memory, could not configure " >> + "boolean reload"); >> + return STATUS_ERR; >> + } >> + strcpy(ptr + len, " -b"); >> + conf->load_policy->args = ptr; >> + >> + } else { >> + char* ptr = conf->load_policy->args; >> + >> + while(*ptr++) { >> + if (!strcmp(ptr, "-b")) { >> + *ptr++ = ' '; >> + *ptr++ = ' '; >> + } >> + } >> + } >> + return STATUS_SUCCESS; >> +} >> +
> I think you are doing this in the wrong place. Rather than mangling
> the argument string every time this function is called you should just
> add something to the handle that indicates whether or not to preserve
> booleans, and do this at load time.
>
> However, I don't know if this is the right approach anyway. If someone
> sets a boolean without -P , foo, and then sets another boolean with -P
> you will revert foo when loading the new policy.
>
> IMHO while we will need to regenerate the policy we should not load it
> and instead just set the runtime state. This will work for the common
> case but there is something of a corner case where the above scenario
> happens and a module is also inserted in the same transaction, not
> sure how to handle that one.
>
> Joshua

I agree setsebool should not be loading policy.

Received on Mon 7 Nov 2005 - 10:19:06 EST
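Review bot: in the else branch of the quoted patch, conf->load_policy->args is walked with while(*ptr++) without the NULL check that the do_reload branch applies to the same pointer (prev_args == NULL), so a call with do_reload of 0 on a handle whose args were never set dereferences a NULL pointer. The loop also advances ptr before the comparison, so a "-b" at the very start of the string is never examined, and strcmp(ptr, "-b") only matches when "-b" is the last thing in the string, not when other arguments follow it; guarding for NULL and locating the token with a substring search from the un-advanced pointer would cover both cases. In the do_reload branch every call appends another " -b", so repeated calls with 1 keep growing the string; checking for an existing "-b" before the realloc, or keeping a flag on the handle and building the arguments at load time as the reply suggests, avoids that.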
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009