On Thu, 2008-02-28 at 14:35 -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Stephen Smalley wrote: > > On Thu, 2008-02-28 at 13:48 -0500, Daniel J Walsh wrote: > > Stephen Smalley wrote: > >>>> On Thu, 2008-02-28 at 12:33 -0500, Daniel J Walsh wrote: > >>>>> -----BEGIN PGP SIGNED MESSAGE----- > >>>>> Hash: SHA1 > >>>>> > >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=434793 > >>>>> > >>>>> The way the upstart initrd works is to run nash with a builtin > >>>>> loadpolicy. The problem is nash starts before the /sysmount files > >>>>> system is mounted, so libselinux does not have an /etc/selinux/config to > >>>>> read. It defaults to targeted. So when nash finally executes > >>>>> loadpolicy (selinux_init_load_policy) it has the wrong config. > >>>>> Switching to any other type of policy will fail and > >>>>> selinux_init_load_policy will look for targeted. > >>>>> > >>>>> I changed this function to reload the config, to fix this problem. > >>>>> > >>>>> I think I did all the hidden stuff correctly. I don't think we want to > >>>>> expose these functions. > >>>> To make a function hidden, just mark it with hidden. > >>>> hidden_def and hidden_proto are about creating a private definition > >>>> within the library for intra-library calls that do not cause a > >>>> relocation, not about hiding the definition altogether. > >>>> > > So the hidden_def and hidden_proto lines can be removed as login as the > > extern hidden remains. > >>>> Concerns about this patch: > >>>> - it isn't thread safe, > > selinux_init_load_policy should not be called repeatedly, or probably > > from a threaded app. > >>>> - it only "fixes" the load policy case, not any other libselinux > >>>> function call. > > Well this is a very strange occurrance where the config is not there and > > then when the function gets called, it is there. > > > >> Fair enough - we can just handle this specific case then. > >> I'd suggest a single reset_selinux_config() or similar function added to > >> src/selinux_config.c that does the fini_ and init_ calls internally, and > >> then call that single function from load policy. > > > >>>> As an alternative, maybe we should revive Steve Grubb's lazy init patch > >>>> for libselinux? That won't reload each time, but will defer the initial > >>>> reading until you first invoke a libselinux function. The last version > >>>> of the patch that I saw is attached. > >>>> > >>>> > >> > - -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx > with > the words "unsubscribe selinux" without quotes as the message. > > New simplified patch to reset the selinux_config. Thanks, merged with minor change to the comments. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
