On Tue, 2008-05-13 at 16:06 -0400, Joshua Brindle wrote:
> Eric Paris wrote:
> > This patch provides the libsepol support for the usage of genfscon
> > statements in policy modules. The module must declare/require all of
> > the components of the context associated with the declaration but the
> > actual validation of that context is delayed until link time.
> >
> > Comments and criticism appreciated. (note that this patch may require
> > the recent bug fix from sds for mls_level_convert())

So I started to get back to this patch and realized it was pretty seriously flawed. I was not checking the validity of the context while it was being linked into the base. When I fixed it to pay attention to the return code of context_copy_and_validate(), every single context coming in from the module failed. The reason being that the MLS information is not getting written or read (context_struct_t only reads/writes MLS info for monolithic or the base module).

So, I've come to realize I need to start carrying around the mls_semantic_range_t information with my genfs statements in the module so that I can map those into the base and actually have/check MLS validity.

I'm looking for any helpful suggestions or hints on how to do this cleanly, and things that people can think of off the top of their head about the gotchas when trying to carry around this MLS information.

So really, if anyone has tips, tricks, pointers, gotchas, anything really that might be interesting as I try to come up with a way for modules to support full context strings, let me know.

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.