Take two. Ensure that duplicate file context entry errors are propagated to the caller, causing setfiles -c to exit with an error status and libsemanage to roll back the transaction. Do it for both duplicate same entries and for duplicate conflicting entries.
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
Index: trunk/libselinux/src/label_file.c
===================================================================
--- trunk/libselinux/src/label_file.c (revision 2927)
+++ trunk/libselinux/src/label_file.c (working copy)
@@ -146,8 +146,9 @@
 /*
 * Warn about duplicate specifications.
 */
-static void nodups_specs(struct saved_data *data, const char *path)
+static int nodups_specs(struct saved_data *data, const char *path)
 {
+ int rc = 0;
 unsigned int ii, jj;
 struct spec *curr_spec, *spec_arr = data->spec_arr;
 
@@ -158,24 +159,27 @@
 (spec_arr[jj].regex_str, curr_spec->regex_str))
 && (!spec_arr[jj].mode || !curr_spec->mode
 || spec_arr[jj].mode == curr_spec->mode)) {
+ rc = -1;
+ errno = EINVAL;
 if (strcmp
 (spec_arr[jj].lr.ctx_raw,
 curr_spec->lr.ctx_raw)) {
 COMPAT_LOG
- (SELINUX_WARNING,
+ (SELINUX_ERROR,
 "%s: Multiple different specifications for %s (%s and %s).\n",
 path, curr_spec->regex_str,
 spec_arr[jj].lr.ctx_raw,
 curr_spec->lr.ctx_raw);
 } else {
 COMPAT_LOG
- (SELINUX_WARNING,
+ (SELINUX_ERROR,
 "%s: Multiple same specifications for %s.\n",
 path, curr_spec->regex_str);
 }
 }
 }
 }
+ return rc;
 }
 
 /* Determine if the regular expression specification has any meta characters. */
@@ -503,6 +507,10 @@
 }
 free(line_buf);
 
+ status = nodups_specs(data, path);
+ if (status)
+ goto finish;
+
 /* Move exact pathname specifications to the end. */
 spec_copy = malloc(sizeof(spec_t) * data->nspec);
 if (!spec_copy)
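Review bot: The header comment above `nodups_specs` still says it warns about duplicates, but the function now returns -1 and the caller aborts on that result, so the comment under-describes the contract. I would replace it with `/* Reject duplicate specifications: log each one, return -1 with errno set to EINVAL if any were found, 0 otherwise. */`. The function body continues past the end of this hunk.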
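Review bot: `errno = EINVAL;` is assigned before the `COMPAT_LOG` call and the loops keep running afterwards, so whatever the logging path or a later iteration does to errno is what the caller finally sees. COMPAT_LOG's definition is not visible here, so this is a caution rather than a confirmed bug. Setting errno once at the exit is easier to reason about: drop the assignment inside the loop and end the function with `if (rc) errno = EINVAL;` followed by `return rc;`. The enclosing loops start outside this hunk.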
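Review bot: Assigning the result to `status` resets it to 0 when no duplicates are found, and the `if (!spec_copy)` check that follows sits between that assignment and the later `status = 0;`. The body of that check is outside the hunk; if it jumps to `finish` relying on `status` still holding a failure value, an allocation failure would now be returned as success and the caller would not learn that setup did not complete. Testing the call directly leaves `status` untouched: `if (nodups_specs(data, path)) goto finish;`. This assumes `status` still holds its initial error value at this point, which the hunk does not show.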
@@ -519,8 +527,6 @@
 free(data->spec_arr);
 data->spec_arr = spec_copy;
 
- nodups_specs(data, path);
-
 status = 0;
 finish:
 fclose(fp);
--
Stephen Smalley National Security Agency
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.