In integrating SELinux policy into rpm, we have a need to be able to reset the configuration data (e.g. policy type) loaded into libselinux. These values are currently loaded lazily by a number of different functions (e.g. matchpathcon_init()). Since we are changing rpm to install policy, including initial base policy, we need to be able to reload these configuration items after the policy has been installed. reset_selinux_config() already exists and is used by selinux_init_load_policy() for a similar reason, but it is not exported. This was probably intentional since it is not thread safe at all. That said, rpm needs to do the same thing. This patch makes the function public, and places a warning in the header comment that it is not thread safe.

Signed-off-by: Chad Sellers <csellers@xxxxxxxxxx>
---
libselinux/include/selinux/selinux.h | 7 +++++++ libselinux/src/load_policy.c | 2 +- libselinux/src/selinux_config.c | 4 +++- libselinux/src/selinux_internal.h | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index 56f7900..cacb3cb 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -568,6 +568,13 @@ extern int selinux_file_context_verify(const char *path, mode_t mode); /* This function sets the file context on to the system defaults returns 0 on success */ extern int selinux_lsetfilecon_default(const char *path); +/* + * Force a reset of the loaded configuration + * WARNING: This is not thread safe. Be very sure that no other threads + * are calling into libselinux when this is called. + */ +extern void selinux_reset_config(void); + #ifdef __cplusplus } #endif diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c index a7800da..36ce029 100644 --- a/libselinux/src/load_policy.c +++ b/libselinux/src/load_policy.c
@@ -320,7 +320,7 @@ int selinux_init_load_policy(int *enforce) * Example: Caller has chroot'd and is now loading policy from * chroot'd environment. */ - reset_selinux_config(); + selinux_reset_config(); /* * Get desired mode (disabled, permissive, enforcing) from diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c index af8731c..7e588cc 100644 --- a/libselinux/src/selinux_config.c +++ b/libselinux/src/selinux_config.c @@ -230,12 +230,14 @@ static void fini_selinux_policyroot(void) selinux_policytype = NULL; } -void reset_selinux_config(void) +void selinux_reset_config(void) { fini_selinux_policyroot(); init_selinux_config(); } +hidden_def(selinux_reset_config) + static const char *get_path(int idx) { __selinux_once(once, init_selinux_config); diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 7a2c1ad..88b6bd6 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h @@ -88,8 +88,8 @@ hidden_proto(selinux_trans_to_raw_context); hidden_proto(selinux_raw_context_to_color); hidden_proto(security_get_initial_context); hidden_proto(security_get_initial_context_raw); +hidden_proto(selinux_reset_config); -extern void reset_selinux_config(void) hidden; extern int load_setlocaldefs hidden; extern int require_seusers hidden; extern int selinux_page_size hidden; -- 1.6.2.5
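Review bot: The new header comment in the selinux.h hunk only says the call is not thread safe; it should also say what is actually reset, because the scope is narrower than the commit message suggests. The selinux_config.c hunk shows selinux_reset_config() running only fini_selinux_policyroot() and init_selinux_config(), so it re-reads the config file values (policy root, policy type and the paths served by get_path()) but does not touch other lazily initialised state such as the matchpathcon tables named as motivation. Suggest a line like " * Re-reads the SELinux config file and recomputes the policy root/type; other cached library state is unaffected." so callers such as rpm know which caches they still have to refresh themselves.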
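Review bot: In the selinux_config.c hunk, adding hidden_def(selinux_reset_config) directly after the definition is correct and matches the file's convention; it is what lets the internal caller in load_policy.c bind to the hidden alias instead of an interposable public symbol. The sequence fini_selinux_policyroot() followed by init_selinux_config() leaves the library without a policy root between the two calls, which is exactly the window the header WARNING is about; worth repeating that constraint in a one-line comment on the definition itself, so someone editing this function later sees it without opening the public header.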
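Review bot: The diffstat lists four files and none of them is a man page, yet selinux.h now exports a new public function. libselinux ships man pages for its exported API under man/man3; selinux_reset_config should get its own page (or an entry in an existing one) describing the reload semantics, the intended use after installing policy, and the no-concurrent-libselinux-use requirement, since the header comment is the only documentation this patch adds.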