On 10/12/2012 04:53 PM, Eric Blake wrote:
> On 10/12/2012 08:39 AM, Martin Kletzander wrote:
>> We are currently able to work only with non-translated SELinux
>> contexts, but we are using functions that work with translated
>> contexts throughout the code. This patch swaps all SELinux context
>> translation-related calls with their raw sisters to avoid parsing
>> problems.
>>
>> The problems can be experienced with mcstrans for example.
>> Thanks to Laurent Bigonville for finding this out.
>> ---
>> configure.ac | 4 ++--
>> src/security/security_selinux.c | 26 +++++++++++++-------------
>> src/storage/storage_backend.c | 2 +-
>> tests/securityselinuxhelper.c | 6 +++---
>> tests/securityselinuxtest.c | 2 +-
>> 5 files changed, 20 insertions(+), 20 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index bcdea9c..08dc63d 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -1440,14 +1440,14 @@ if test "$with_selinux" != "no"; then
>> old_libs="$LIBS"
>> if test "$with_selinux" = "check"; then
>> AC_CHECK_HEADER([selinux/selinux.h],[],[with_selinux=no])
>> - AC_CHECK_LIB([selinux], [fgetfilecon],[],[with_selinux=no])
>> + AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])
>
> On my F17 box, 'man fgetfilecon' has a listing, but 'man
> fgetfilecon_raw' does not. What is the difference between these
> functions, and how far back into the past does fgetfilecon_raw exist?
> Do we need to make this patch conditional, and fall back on fgetfilecon
> (as it is better than nothing) on older systems that lack the *_raw
> variants?
>

The difference is that if you have translations enabled (yum install
mcstrans; service mcstrans start), fgetfilecon_raw() will get you
something like 'system_u:object_r:virt_image_t:s0', whereas
fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow',
which we cannot parse. The translations can be (to my knowledge) very
different, even though this is the only one I know about. These
translated contexts should be used for reporting to users, I guess.

It is a problem for example with a context like:
'unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh'
that is basically:
'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

I'm trying to confirm that the _raw variants were here since the dawn of
time, but the only thing I see now is that it was imported together in
the upstream repo [1] from svn, so before 2008.

[1] http://oss.tresys.com/git/selinux.git

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
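Review bot: the new AC_CHECK_LIB([selinux], [fgetfilecon_raw],...) in the configure.ac hunk sits inside the `if test "$with_selinux" = "check"` branch, so a build that sets with_selinux to yes explicitly never probes for the *_raw symbols and would only fail at link time on a libselinux without them; consider probing fgetfilecon_raw in the non-check path as well (failing configure with a clear message), and stating the minimum libselinux version the *_raw calls require in the commit message.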
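The parsing problem Martin describes, as an added example that is not libvirt code and not part of the thread: a small validator for context strings that accepts the raw MLS/MCS range syntax (s0, s0-s0:c0.c1023, s0:c0,c2.c5) and rejects mcstrans-translated ranges such as SystemLow-SystemHigh. The function and its name are hypothetical; it assumes the four-field user:role:type:range form shown in the thread.

```c
/* Added example (not libvirt code): check that an SELinux context string
 * is in raw, untranslated form so that its range field can be parsed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse one raw MLS level: s<N>[:c<N>[.c<N>|,c<N>]...]
 * Returns a pointer just past the level, or NULL if the text is not
 * raw syntax (e.g. a translated name such as "SystemLow"). */
static const char *parse_raw_level(const char *p)
{
    if (*p++ != 's' || !isdigit((unsigned char)*p))
        return NULL;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p != ':')               /* sensitivity only, no categories */
        return p;
    p++;
    for (;;) {                   /* category list: c0.c1023 or c0,c2.c5 */
        if (*p++ != 'c' || !isdigit((unsigned char)*p))
            return NULL;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p == '.' || *p == ',') {
            p++;
            continue;
        }
        return p;
    }
}

/* Returns 1 if ctx is user:role:type:range with a raw range (low[-high]),
 * 0 if a field is missing or the range uses a translated label. */
int selinux_context_is_raw(const char *ctx)
{
    const char *p = ctx;
    int i;
    for (i = 0; i < 3; i++) {    /* skip user, role and type fields */
        const char *colon = strchr(p, ':');
        if (!colon || colon == p)
            return 0;
        p = colon + 1;
    }
    const char *end = parse_raw_level(p);
    if (end && *end == '-')      /* optional high level of a range */
        end = parse_raw_level(end + 1);
    return end != NULL && *end == '\0';
}

int main(void)
{
    /* Constructed inputs taken from the contexts quoted in the thread. */
    const char *ctx[] = { "system_u:object_r:virt_image_t:s0",
                          "system_u:object_r:virt_image_t:SystemLow",
                          "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
                          "unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh" };
    for (size_t i = 0; i < sizeof(ctx) / sizeof(ctx[0]); i++)
        printf("%-60s raw=%d\n", ctx[i], selinux_context_is_raw(ctx[i]));
    return 0;
}
```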