Re: passwd, chfn and chsh not reporting AVC's

On Thu, 2011-10-20 at 09:09 -0400, Daniel J Walsh wrote:
> In reviewing some bugs on these packages we realize we want to update
> them to use the latest tool chain.  In order to make this easier, we
> want to add a new function called selinux_check_access to libselinux.
> 
> Please review patch.

For those who are interested in more details, this is in reference to:
https://bugzilla.redhat.com/show_bug.cgi?id=518268
and has come up a few times on selinux list as a problem for users due
to the lack of any AVC audit message upon certain userspace permission
checks.  These programs were modified for SELinux before the userspace
AVC existed, and thus directly used security_compute_av().  But even
with the userspace AVC in existence, they would prefer a simpler
interface with fewer discrete calls as they are not long-lived processes
and typically only perform a single permission check.  This is an
attempt to bundle up everything into a single interface similar to
security_compute_av (but with string-based classes and permissions so
that even that lookup is handled internally) that internally uses the
AVC so that we get the benefits of auditing and permissive
mode/permissive domain handling that are not provided by
security_compute_av().  The program still has to call
selinux_set_callback() to set up the logging callback as we don't want
to tightly couple libselinux to libaudit, but otherwise is freed from
any other setup responsibility (avc_open is handled internally on first
use of the interface via __selinux_once magic).

-- 
Stephen Smalley
National Security Agency

