On Tue, 2012-02-21 at 16:49 -0500, Daniel J Walsh wrote:
> Right now we added selinux_current_policy_path and we are using it as
> the default for seinfo, audit2allow, sepolgen-ifgen

I'm not sure this is a good idea to always use it, as it is definitely more costly to generate the policy image in the kernel than to just read the policy file. I had only envisioned it being used by tools that want to verify that the kernel policy matches the policy file.

> It currently looks like
>
> const char *selinux_current_policy_path(void)
> {
>     int rc = 0;
>     int vers = 0;
>     static char policy_path[PATH_MAX];
>
>     snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
>     if (access(policy_path, F_OK) != 0) {
>         vers = security_policyvers();

The selinux_mkload_policy() logic starts with sepol_policy_kern_vers_max() rather than security_policyvers() if libsepol is available, since it can downgrade the policy file via libsepol to the kernel version. So your logic may end up using the wrong policy file.

>         do {
>             /* Check prior versions to see if old policy is available */
>             snprintf(policy_path, sizeof(policy_path), "%s.%d",
>                      selinux_binary_policy_path(), vers);
>         } while ((rc = access(policy_path, F_OK)) && --vers > 0);
>
>         if (rc) return NULL;
>     }
>
>     return policy_path;
> }

--
Stephen Smalley
National Security Agency
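As an added illustration of the point raised above (example code, not from libselinux or from either poster), the program below walks downward from a starting version the way the quoted loop does, then shows that starting from the kernel's reported version and from libsepol's maximum version can select different policy files. The directory, file names and version numbers (24 and 26) are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Same search as the quoted loop: try "<base>.<vers>", "<base>.<vers-1>", ...
 * down to 1. Returns the version found, or -1 (and an empty path) if none. */
int find_versioned_policy(const char *base, int start_vers, char *out, size_t outlen)
{
    for (int vers = start_vers; vers > 0; vers--) {
        snprintf(out, outlen, "%s.%d", base, vers);
        if (access(out, F_OK) == 0)
            return vers;
    }
    out[0] = '\0';
    return -1;
}

/* Create an empty file so access(..., F_OK) succeeds on it. */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed scenario: policy.24 and policy.26 both exist. A kernel that
 * reports policyvers 24 would pick policy.24, while a search that starts at
 * libsepol's kern_vers_max of 26 picks policy.26 (to be downgraded on load).
 * Returns 1 when the two starting points choose different files. */
int demo_version_mismatch(void)
{
    char dir[] = "/tmp/polXXXXXX";
    char base[PATH_MAX], p24[PATH_MAX], p26[PATH_MAX], chosen[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(base, sizeof base, "%s/policy", dir);
    snprintf(p24, sizeof p24, "%s.24", base);
    snprintf(p26, sizeof p26, "%s.26", base);
    if (touch(p24) || touch(p26)) return -1;
    int kernel_vers = 24; /* constructed stand-in for security_policyvers() */
    int sepol_max = 26;   /* constructed stand-in for sepol_policy_kern_vers_max() */
    int from_kernel = find_versioned_policy(base, kernel_vers, chosen, sizeof chosen);
    int from_sepol = find_versioned_policy(base, sepol_max, chosen, sizeof chosen);
    unlink(p24); unlink(p26); rmdir(dir);
    return (from_kernel == 24 && from_sepol == 26) ? 1 : 0;
}
```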