KaiGai Kohei wrote:
>> 3. Simplifies netlink loops
>>
>> SE-PostgreSQL needs to implement its own userspace AVC for
>> some reasons. When the backend starts up, it creates a worker
>> process to receive messages from in-kernel SELinux via a netlink
>> socket. The worker process invalidates the userspace AVC of
>> all the instances of the PostgreSQL backend process when the state
>> of SELinux is changed.
>>
>> However, I think the following loop to receive messages from the
>> netlink socket should be provided via libselinux.
>>
>> http://code.google.com/p/sepgsql/source/browse/trunk/core/src/backend/security/sepgsql/avc.c#647
>>
>> If avc_netlink_loop() provided a callback function, I could push
>> the code into libselinux.
>>
>> TODO:
>> - a set of new interfaces in libselinux:
>> I would like to add a few new interfaces to handle the netlink socket
>> in libselinux, and expose them to applications. I guess we can
>> write the existing standard avc with the interfaces.
>>
>
> The attached patch exposes the following libselinux interfaces:
> - avc_netlink_open()
> - avc_netlink_close()
> - avc_netlink_loop()
> and adds a new callback function on receiving a netlink message.
>
> It enables simplifying the implementation of userspace object
> managers which need to have their own avc and state monitoring process.
>
> The existing standard avc is changed to use the new callbacks,
> so there is a limitation that we cannot use them concurrently,
> but it is not a realistic situation.
>
> Thanks,
>

The userspace AVC already has support for a callback function whenever the cache is reset: AVC_CALLBACK_RESET. Why don't you simply run the normal userspace AVC in the sepgsqlStateMonitorMain() process, and register a callback function for reset? Then all the netlink stuff is hidden from you. The only thing necessary then is to add an additional callback function AVC_CALLBACK_SETENFORCE to handle the other case.
--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency