On Tue, 2010-02-02 at 19:28 +0100, Guido Trentalancia wrote:
> Stephen,
>
> did you mean something like the code below when mentioning about the
> initial SID issue? I remember you mentioned about matching oc->sid[0]
> with the argument key of convert_context, so we can first scan for the
> "unlabeled" SID and copy the MLS range only (as done in the previous
> patch) and then afterwards if we find a match with the key argument, we
> can copy the whole context over.
>
> On Tue, 2010-02-02 at 11:44 -0500, Stephen Smalley wrote:
> > On Tue, 2010-02-02 at 15:22 +0100, Guido Trentalancia wrote:
> > Did you give up on addressing the initial SID issue or are you saving
> > that for a later, separate patch?
>
> 	/*
> 	 * Switching between non-MLS and MLS policy:
> 	 * ensure that the MLS fields of the context for all
> 	 * existing entries in the sidtab are filled in with a
> 	 * suitable default value, likely taken from one of the
> 	 * initial SIDs.
> 	 */
> 	else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
> 		int number_of_isids = 0;
> 		int matching_key = 0;
> 		oc = args->newp->ocontexts[OCON_ISID];
> 		while (oc) {
> 			if (oc->sid[0] == key)
> 				matching_key = 1;
> 			oc = oc->next;
> 			number_of_isids = number_of_isids + 1;
> 		}
> 		oc = args->newp->ocontexts[OCON_ISID];
> 		if (!matching_key) {
> 			while (oc && oc->sid[0] != SECINITSID_UNLABELED)
> 				oc = oc->next;
> 			if (!oc) {
> 				printk(KERN_ERR "SELinux: unable to look up"
> 					" the initial SIDs list\n");
> 				goto bad;
> 			}
> 			range = &oc->context[0].range;
> 			/* set only the MLS range from "unlabeled" */
> 			rc = mls_range_set(c, range);
> 			if (rc)
> 				goto bad;
> 		} else {
> 			while (oc && oc->sid[0] != key)
> 				oc = oc->next;
> 			/* copy the whole context */
> 			rc = context_cpy(c, &oc->context[0]);
> 			if (rc)
> 				goto bad;
> 		}
> 	}
>
> I look forward to hearing from you about the above issue.

We later talked about using policydb_load_isids().
See: http://marc.info/?l=selinux&m=126505150603677&w=2
This would be more general and would address reloading of initial SIDs
even when staying within the same kind of policy.

-- 
Stephen Smalley
National Security Agency
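
A userspace model of the selection logic in the quoted fragment, added here as an example and not code from this thread or from the kernel. The struct layouts, `convert_to_mls`, `demo` and the sample initial SIDs are assumptions constructed for illustration; the model folds the fragment's two walks of the initial SID list into one.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (assumptions for this model). */
#define SECINITSID_UNLABELED 3u
struct mls_range { unsigned low, high; };
struct context { unsigned user, role, type; struct mls_range range; };
struct ocontext { unsigned sid; struct context ctx; struct ocontext *next; };

enum { CONV_FAIL = -1, CONV_FULL = 1, CONV_RANGE_ONLY = 2 };

/* Non-MLS -> MLS conversion of one sidtab entry (key, c), in a single pass
 * over the new policy's initial SID list. */
int convert_to_mls(const struct ocontext *isids, unsigned key, struct context *c)
{
    const struct ocontext *match = NULL, *unlabeled = NULL;

    for (const struct ocontext *oc = isids; oc; oc = oc->next) {
        if (oc->sid == key)
            match = oc;
        if (oc->sid == SECINITSID_UNLABELED)
            unlabeled = oc;
    }
    if (match) {                      /* key is an initial SID: whole context */
        *c = match->ctx;
        return CONV_FULL;
    }
    if (!unlabeled)                   /* no "unlabeled" entry: refuse */
        return CONV_FAIL;
    c->range = unlabeled->ctx.range;  /* default only the MLS range */
    return CONV_RANGE_ONLY;
}

/* Constructed sample data: two initial SIDs of a hypothetical MLS policy. */
static struct ocontext isid_unlabeled = { 3, { 1, 1, 30, { 0, 15 } }, NULL };
static struct ocontext isid_kernel = { 1, { 1, 2, 10, { 0, 0 } }, &isid_unlabeled };
struct context demo_ctx;

/* Converts a constructed non-MLS entry (type 77, empty range) stored under key. */
int demo(unsigned key, int have_isids)
{
    demo_ctx = (struct context){ 5, 6, 77, { 0, 0 } };
    return convert_to_mls(have_isids ? &isid_kernel : NULL, key, &demo_ctx);
}

int main(void)
{
    printf("sid 1 -> %d, sid 42 -> %d\n", demo(1, 1), demo(42, 1));
    return 0;
}
```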