Stephen Smalley wrote: > Ensure that conflicting file context errors are propagated to the > caller. This causes setfiles -c to exit with an error status, which in > turn causes libsemanage to roll back the transaction and prevents such > entries from being added by semanage. > > Duplicate same entries are left as warnings-only since they don't create > any ambiguity for file labeling. > > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > > --- > > Index: trunk/libselinux/src/label_file.c > =================================================================== > --- trunk/libselinux/src/label_file.c (revision 2927) > +++ trunk/libselinux/src/label_file.c (working copy) > @@ -146,8 +146,9 @@ > /* > * Warn about duplicate specifications. > */ > -static void nodups_specs(struct saved_data *data, const char *path) > +static int nodups_specs(struct saved_data *data, const char *path) > { > + int rc = 0; > unsigned int ii, jj; > struct spec *curr_spec, *spec_arr = data->spec_arr; > > @@ -161,8 +162,10 @@ > if (strcmp > (spec_arr[jj].lr.ctx_raw, > curr_spec->lr.ctx_raw)) { > + rc = -1; > + errno = EINVAL; > COMPAT_LOG > - (SELINUX_WARNING, > + (SELINUX_ERROR, > "%s: Multiple different specifications for %s (%s and %s).\n", > path, curr_spec->regex_str, > spec_arr[jj].lr.ctx_raw, > @@ -176,6 +179,7 @@ > } > } > } > + return rc; > } > > /* Determine if the regular expression specification has any meta characters. */ > @@ -503,6 +507,10 @@ > } > free(line_buf); > > + status = nodups_specs(data, path); > + if (status) > + goto finish; > + > /* Move exact pathname specifications to the end. */ > spec_copy = malloc(sizeof(spec_t) * data->nspec); > if (!spec_copy) 
> @@ -519,8 +527,6 @@ > free(data->spec_arr); > data->spec_arr = spec_copy; > > - nodups_specs(data, path); > - > status = 0; > finish: > fclose(fp); >

What about the other half? Why are we allowing you to add dups that match? If we are going to blab on about it being a problem, then we should not allow it in the first place.
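
Review bot: the comment above nodups_specs in the @@ -146,8 +146,9 @@ hunk still reads "Warn about duplicate specifications", which no longer matches a function that returns int and fails on conflicts. Suggest updating it to document the return value: -1 with errno set to EINVAL when "Multiple different specifications" are found, 0 otherwise, with identical duplicates remaining warnings as the commit message says.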
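
Review bot: in the @@ -161,8 +162,10 @@ hunk, errno = EINVAL is assigned before the COMPAT_LOG call, so anything the log path calls can overwrite errno before the caller reads it, and the loop keeps going and may log again afterwards. Consider keeping rc = -1 at this point and setting errno once, immediately before "return rc" when rc is nonzero.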
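
Review bot: the new "goto finish" in the @@ -503,6 +507,10 @@ hunk exits with the specifications already loaded into data->spec_arr, and the only cleanup visible at finish is fclose(fp). Please confirm that the caller's error path frees data->spec_arr when status is nonzero, and note that in the commit message, since this is a new failure exit taken after the array has been populated.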