On Thu, 2008-02-28 at 13:25 -0500, Stephen Smalley wrote:
> On Thu, 2008-02-28 at 12:33 -0500, Daniel J Walsh wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=434793
> >
> > The way the upstart initrd works is to run nash with a builtin
> > loadpolicy.  The problem is nash starts before the /sysmount file
> > system is mounted, so libselinux does not have an /etc/selinux/config to
> > read.  It defaults to targeted.  So when nash finally executes
> > loadpolicy (selinux_init_load_policy) it has the wrong config.
> > Switching to any other type of policy will fail and
> > selinux_init_load_policy will look for targeted.
> >
> > I changed this function to reload the config, to fix this problem.
> >
> > I think I did all the hidden stuff correctly.  I don't think we want to
> > expose these functions.
>
> To make a function hidden, just mark it with hidden.
> hidden_def and hidden_proto are about creating a private definition
> within the library for intra-library calls that do not cause a
> relocation, not about hiding the definition altogether.

IOW, hidden_def and hidden_proto are only required when you have a
symbol that is exported to users of the library that is also called
internally by the library.  If the symbol is not exported or if the
symbol is not called internally by the library, then you don't need
them.  "hidden" by itself is to prevent export entirely.

> Concerns about this patch:
> - it isn't thread safe,
> - it only "fixes" the load policy case, not any other libselinux
>   function call.
>
> As an alternative, maybe we should revive Steve Grubb's lazy init patch
> for libselinux?  That won't reload each time, but will defer the initial
> reading until you first invoke a libselinux function.  The last version
> of the patch that I saw is attached.

--
Stephen Smalley
National Security Agency
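The sketch below is an added example, not code from this thread, from the attached patch or from libselinux. It shows the lazy-init idea with the thread-safety concern addressed through pthread_once: the config is parsed on the first call rather than at library load, exactly once even when several threads race, and the internal parser is marked hidden. Every demo_* name, the in-memory config text and the choice of pthread_once are assumptions made for illustration.

```c
/* Added illustration, not libselinux code; every demo_* name is hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#define hidden __attribute__((visibility("hidden")))  /* not exported from a DSO */

/* Constructed stand-in for /etc/selinux/config; NULL models "not mounted yet". */
const char *demo_config_text = NULL;
static pthread_once_t config_once = PTHREAD_ONCE_INIT;
static char policy_type[32] = "targeted";  /* built-in default */
static int parse_count;                    /* written only by the once-routine */

/* Internal helper, marked hidden: use the value of a line that starts with the key. */
hidden void demo_parse_config(void)
{
    static const char key[] = "SELINUXTYPE=";
    const size_t klen = sizeof(key) - 1;
    parse_count++;
    for (const char *p = demo_config_text; p && *p; ) {
        size_t len = strcspn(p, "\n");
        if (len > klen && len - klen < sizeof(policy_type) && !strncmp(p, key, klen)) {
            memcpy(policy_type, p + klen, len - klen);
            policy_type[len - klen] = '\0';
        }
        p += len + (p[len] == '\n');
    }
}

/* Exported entry point: the first caller parses, every later caller reuses the result. */
const char *demo_policy_type(void)
{
    pthread_once(&config_once, demo_parse_config);
    return policy_type;
}

static void *worker(void *arg) { (void)arg; demo_policy_type(); return NULL; }

/* Race up to 16 first-time callers; returns how many times the config was parsed. */
int demo_concurrent_first_use(int nthreads)
{
    pthread_t t[16];
    int started = 0;
    while (started < nthreads && started < 16 && !pthread_create(&t[started], NULL, worker, NULL))
        started++;
    for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
    return parse_count;
}

int main(void)
{
    demo_config_text = "# SELINUXTYPE= can take one of these values:\nSELINUXTYPE=mls\n";
    printf("parsed %d time(s), type=%s\n", demo_concurrent_first_use(8), demo_policy_type());
}
```

Because the parse is deferred, a config that only becomes readable after the process starts is still picked up, but as the message notes, nothing is re-read after that first call.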