On Wed, Mar 4, 2009 at 3:34 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Eliminate lots of avc calls that can not be done in scripting languages. > > Throw an exception on error rather then just returning an error code. > > setfilecon(x,y) will now throw exeptions. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iEYEARECAAYFAkmu5e4ACgkQrlYvE4MpobNyBwCg1hmyqzJw7HLf7nV9qokqOmwW > akwAnjKcWtv3EM84nZgDt6IYN9QQxZa3 > =5lpv > -----END PGP SIGNATURE----- > > --- nsalibselinux/src/selinuxswig.i 2008-08-28 09:34:24.000000000 -0400 > +++ libselinux-2.0.78/src/selinuxswig.i 2009-03-04 15:23:52.000000000 -0500 > @@ -47,8 +47,36 @@ > %ignore set_matchpathcon_printf; > %ignore set_matchpathcon_invalidcon; > %ignore set_matchpathcon_canoncon; > - > +%ignore set_selinuxmnt; > +%ignore avc_entry_ref_init; > +%ignore avc_entry_ref; > +%ignore avc_memory_callback; > +%ignore avc_log_callback; > +%ignore avc_thread_callback; > +%ignore avc_lock_callback; > +%ignore avc_cache_stats; > +%ignore av_decision; > +%ignore selinux_opt; > +%ignore selinux_callback; > +%ignore selinux_get_callback; > +%ignore selinux_set_callback; > +%ignore SELboolean; > +%ignore security_class_mapping; > +%ignore print_access_vector; > +%ignore set_matchpathcon_flags; > +%ignore matchpathcon_fini; > +%ignore matchpathcon_filespec_destroy; > +%ignore matchpathcon_filespec_eval; > +%ignore matchpathcon_checkmatches; > %ignore avc_add_callback; > +%ignore avc_sid_stats; > +%ignore avc_av_stats; > +%ignore avc_audit; > +%ignore avc_destroy; > +%ignore avc_cleanup; > +%ignore avc_computer_member; > +%ignore selinux_set_mapping; > +%ignore security_id; > > %include "../include/selinux/selinux.h" > %include "../include/selinux/avc.h" > --- nsalibselinux/src/selinuxswig_python.i 2009-01-13 08:45:35.000000000 -0500 > +++ libselinux-2.0.78/src/selinuxswig_python.i 2009-03-04 15:23:52.000000000 -0500 > @@ -150,4 +159,12 @@ > free($1); > } > > +%exception { > + $action > + if (result < 0) { > + PyErr_SetFromErrno(PyExc_OSError); > + return NULL; > + } > +} > + > %include "selinuxswig.i" > > Could you please rollback this change as we are using av_decision. > +%ignore av_decision; For example: def check_dominance(con): (rc, raw_con) = selinux.selinux_trans_to_raw_context(con) (rc, dom_context) = selinux.getcon() (rc, dom_raw_context) = selinux.selinux_trans_to_raw_context(dom_context) avd = selinux.av_decision() selinux.avc_reset() rc = selinux.security_compute_av_raw(dom_raw_context, raw_con, SECCLASS_CONT EXT, CONTEXT__CONTAINS, avd) if (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS: return True else: return False Thanks Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
