Re: [PATCH 03/13] libsemanage: move the module store to /var/lib/selinux


 



On Fri, 2010-01-08 at 09:28 -0500, Stephen Smalley wrote:
> On Wed, 2009-12-23 at 18:25 -0500, Caleb Case wrote:
> > This patch moves the module store from /etc/selinux/<store>/modules to
> > /var/lib/selinux/<store>.
> 
> Can the path prefix (i.e. /var/lib/selinux) be made configurable?
> 
There would be no prefixes other than /var/lib/selinux or /etc/selinux —
or do you have something else in mind?

I guess that you are thinking of backwards compatibility, but you still
won't have it even if you change the prefix because the directory
structure is different (priority directories and such).  I don't see
what you would gain with changing the prefix.

> > This move will allow for the use of a read-only /etc/selinux. Currently
> > that is not possible with semanage because of the lock files.
> > 
> > A consequence of this move is that packagers of libsemanage should
> > create the /var/lib/selinux directory.
> > ---
> >  libsemanage/src/direct_api.c     |   20 ++----------------
> >  libsemanage/src/semanage_store.c |   39 ++++++++++++++++++++++++-------------
> >  libsemanage/src/semanage_store.h |    5 +++-
> >  3 files changed, 32 insertions(+), 32 deletions(-)
> > 
> > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > index f09c7cf..5fb4523 100644
> > --- a/libsemanage/src/direct_api.c
> > +++ b/libsemanage/src/direct_api.c
> > @@ -89,12 +89,7 @@ static struct semanage_policy_table direct_funcs = {
> >  
> >  int semanage_direct_is_managed(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> > -
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		goto err;
> >  
> >  	if (semanage_access_check(sh) < 0)
> > @@ -111,13 +106,9 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
> >   */
> >  int semanage_direct_connect(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> >  	const char *path;
> >  
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		goto err;
> >  
> >  	if (sh->create_store)
> > @@ -1416,12 +1407,7 @@ static int semanage_direct_list(semanage_handle_t * sh,
> >  
> >  int semanage_direct_access_check(semanage_handle_t * sh)
> >  {
> > -	char polpath[PATH_MAX];
> > -
> > -	snprintf(polpath, PATH_MAX, "%s%s", selinux_path(),
> > -		 sh->conf->store_path);
> > -
> > -	if (semanage_check_init(polpath))
> > +	if (semanage_check_init(sh, semanage_root_path()))
> >  		return -1;
> >  
> >  	return semanage_store_access_check(sh);
> > diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> > index 0a55ce0..049818a 100644
> > --- a/libsemanage/src/semanage_store.c
> > +++ b/libsemanage/src/semanage_store.c
> > @@ -3,8 +3,9 @@
> >   *	    Jason Tang <jtang@xxxxxxxxxx>
> >   *          Christopher Ashworth <cashworth@xxxxxxxxxx>
> >   *          Chris PeBenito <cpebenito@xxxxxxxxxx>
> > + *	    Caleb Case <ccase@xxxxxxxxxx>
> >   *
> > - * Copyright (C) 2004-2006 Tresys Technology, LLC
> > + * Copyright (C) 2004-2006,2009 Tresys Technology, LLC
> >   * Copyright (C) 2005 Red Hat, Inc.
> >   *
> >   *  This library is free software; you can redistribute it and/or
> > @@ -88,8 +89,6 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
> >  	"/tmp"
> >  };
> >  
> > -/* this is the module store path relative to selinux_policy_root() */
> > -#define SEMANAGE_MOD_DIR "/modules"
> >  /* relative path names to enum sandbox_paths for special files within
> >   * a sandbox */
> >  static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
> > @@ -157,14 +156,14 @@ static int semanage_init_paths(const char *root)
> >  	if (!root)
> >  		return -1;
> >  
> > -	prefix_len = (strlen(root) + strlen(SEMANAGE_MOD_DIR));
> > +	prefix_len = strlen(root);
> >  
> >  	for (i = 0; i < SEMANAGE_NUM_FILES; i++) {
> >  		len = (strlen(semanage_relative_files[i]) + prefix_len);
> >  		semanage_files[i] = calloc(len + 1, sizeof(char));
> >  		if (!semanage_files[i])
> >  			return -1;
> > -		sprintf(semanage_files[i], "%s%s%s", root, SEMANAGE_MOD_DIR,
> > +		sprintf(semanage_files[i], "%s%s", root,
> >  			semanage_relative_files[i]);
> >  	}
> >  
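Review bot: The rewritten `sprintf` on the new side still writes into a buffer whose size was computed two lines up from `strlen`, so the bound is implicit; passing it explicitly costs nothing and makes the invariant checkable: `snprintf(semanage_files[i], len + 1, "%s%s", root, semanage_relative_files[i]);`. The same pattern remains in semanage_init_store_paths in the following two hunks. semanage_init_paths begins before this hunk (its signature is visible only in the hunk header) and ends after it.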
> > @@ -186,16 +185,11 @@ static int semanage_init_store_paths(const char *root)
> >  	int i, j;
> >  	size_t len;
> >  	size_t prefix_len;
> > -	char *prefix;
> >  
> >  	if (!root)
> >  		return -1;
> >  
> > -	prefix_len = (strlen(root) + strlen(SEMANAGE_MOD_DIR));
> > -	prefix = calloc(prefix_len + 1, sizeof(char));
> > -	if (!prefix)
> > -		return -1;
> > -	sprintf(prefix, "%s%s", root, SEMANAGE_MOD_DIR);
> > +	prefix_len = strlen(root);
> >  
> >  	for (i = 0; i < SEMANAGE_NUM_STORES; i++) {
> >  		for (j = 0; j < SEMANAGE_STORE_NUM_PATHS; j++) {
> > @@ -204,14 +198,13 @@ static int semanage_init_store_paths(const char *root)
> >  			semanage_paths[i][j] = calloc(len + 1, sizeof(char));
> >  			if (!semanage_paths[i][j])
> >  				goto cleanup;
> > -			sprintf(semanage_paths[i][j], "%s%s%s", prefix,
> > +			sprintf(semanage_paths[i][j], "%s%s%s", root,
> >  				semanage_store_paths[i],
> >  				semanage_sandbox_paths[j]);
> >  		}
> >  	}
> >  
> >        cleanup:
> > -	free(prefix);
> >  	return 0;
> >  }
> >  
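Review bot: With `free(prefix)` gone, the `cleanup:` label now only runs `return 0`, so the `goto cleanup` taken when `calloc` fails for `semanage_paths[i][j]` reports success and leaves the remaining entries NULL for `semanage_path()` to hand back later. This was already the behaviour before the patch, but the patch touches both lines and is the natural place to fix it: replace the `goto cleanup;` with `return -1;` and drop the now-empty label. The entries allocated before the failure are not released on that path either; whether that matters depends on how the caller treats a failed once-per-process initialisation, which is outside this hunk. semanage_init_store_paths starts in the previous hunk.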
> > @@ -223,16 +216,28 @@ static int semanage_init_store_paths(const char *root)
> >   *
> >   * Note that this function is NOT thread-safe.
> >   */
> > -int semanage_check_init(const char *root)
> > +int semanage_check_init(semanage_handle_t *sh, const char *prefix)
> >  {
> >  	int rc;
> >  	if (semanage_paths_initialized == 0) {
> > +		char root[PATH_MAX];
> > +
> > +		rc = snprintf(root,
> > +			      sizeof(root),
> > +			      "%s/%s",
> > +			      prefix,
> > +			      sh->conf->store_path);
> > +		if (rc < 0 || rc >= (int)sizeof(root))
> > +			return -1;
> > +
> >  		rc = semanage_init_paths(root);
> >  		if (rc)
> >  			return rc;
> > +
> >  		rc = semanage_init_store_paths(root);
> >  		if (rc)
> >  			return rc;
> > +
> >  		semanage_paths_initialized = 1;
> >  	}
> >  	return 0;
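Review bot: The root path is now built from `sh->conf->store_path`, but it is still computed only once per process behind the static `semanage_paths_initialized` flag, so a second handle whose conf names a different store silently gets the first handle's paths. The function comment, which starts before the hunk and already notes that the function is not thread-safe, should state that; suggested wording: `/* Paths are derived once per process from the first handle's conf->store_path; later handles with a different store_path reuse them. */`. The `snprintf` length check on the new lines is correct and is now the only place the PATH_MAX bound is enforced, since the three direct_api.c callers dropped their own buffers, so it is worth keeping as is.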
> > @@ -259,6 +264,12 @@ const char *semanage_path(enum semanage_store_defs store,
> >  	return semanage_paths[store][path_name];
> >  }
> >  
> > +/* Return the root of the semanage store. */
> > +const char *semanage_root_path(void)
> > +{
> > +	return "/var/lib/selinux";
> > +}
> > +
> >  /* Return a fully-qualified path + filename to the semanage
> >   * configuration file.  The caller must not alter the string returned
> >   * (and hence why this function return type is const).
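Review bot: `semanage_root_path()` returns a bare string literal, and the commit message says packagers must create that directory, so the value should live in one named constant the build can see rather than inside a function body; for example in semanage_store.h `#define SEMANAGE_ROOT_PATH "/var/lib/selinux"` guarded by `#ifndef` so a build can override it, with the function returning that macro. That also answers the configurability question raised earlier in the thread without adding runtime configuration. The comment above the function could additionally say that the returned string is static and must not be freed or modified, matching the wording used for semanage_conf_path() just below.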
> > diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
> > index 112edb6..c76ecfe 100644
> > --- a/libsemanage/src/semanage_store.h
> > +++ b/libsemanage/src/semanage_store.h
> > @@ -62,11 +62,14 @@ enum semanage_sandbox_defs {
> >  	SEMANAGE_STORE_NUM_PATHS
> >  };
> >  
> > +const char *semanage_root_path(void);
> > +
> >  /* FIXME: this needs to be made a module store specific init and the
> >   * global configuration moved to another file.
> >   */
> >  const char *semanage_conf_path(void);
> > -int semanage_check_init(const char *root);
> > +
> > +int semanage_check_init(semanage_handle_t *sh, const char *prefix);
> >  
> >  extern const char *semanage_fname(enum semanage_sandbox_defs file_enum);
> >  
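Review bot: The two new declarations carry no comment, while the neighbouring `semanage_conf_path` prototype is documented; `semanage_check_init` in particular now has a `prefix` parameter whose contract (joined with `/` and `sh->conf->store_path`, evaluated only on the first call in the process) is not visible from the header. Suggested comment above it: `/* Initialise the store paths from <prefix>/<sh->conf->store_path>. Runs once per process; not thread-safe. Returns 0 on success, nonzero on failure. */`. The `semanage_root_path` declaration should likewise say that the result is a static string the caller must not free.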

-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency



