On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@xxxxxxxxx> wrote: > > Hi, > > glibc currently uses several recently deprecated libselinux APIs: > > 1. makedb uses matchpathcon: > > https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD Should migrate to selabel_open/lookup/close. > 2. nscd uses avc_init and multiple old style callbacks: > > https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD Wondering if nscd can migrate to using the higher level selinux_check_access() interface instead of direct usage of the avc_*() interfaces. > We are currently trying to replace these uses with the newer interfaces, > with a proposed makedb patch written by Aurelien Jarno attached with this > email, and being discussed here: > https://sourceware.org/pipermail/libc-alpha/2020-July/116504.html > > Would you be able to help review this and any follow-ups? Yes, please cc the selinux list on any future patches. > diff --git a/nss/makedb.c b/nss/makedb.c > index 8e389a16837..a5c4b521172 100644 > --- a/nss/makedb.c > +++ b/nss/makedb.c > @@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode) > { > static int enabled; > static int enforcing; > - security_context_t ctx; > + struct selabel_handle *label_hnd = NULL; > + char* ctx; > > /* Check if SELinux is enabled, and remember. */ > if (enabled == 0) 
> @@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode) > if (enforcing == 0) > enforcing = security_getenforce () ? 1 : -1; > > + /* Open the file contexts backend. */ > + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); > + if (!label_hnd) > + if (setfscreatecon (ctx) != 0) The setfscreatecon(ctx) call here makes no sense to me. You haven't yet looked up a context. And if !label_hnd, then selabel_open() failed. > + error (enforcing > 0 ? EXIT_FAILURE : 0, 0, > + gettext ("cannot initialize SELinux context")); > + > /* Determine the context which the file should have. */ > ctx = NULL; > - if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) > + if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL) ctx can't be NULL if selabel_lookup() returned 0. > { > if (setfscreatecon (ctx) != 0) > error (enforcing > 0 ? EXIT_FAILURE : 0, 0, > @@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode) > outname); > > freecon (ctx); > + selabel_close(label_hnd); You don't want to call this twice on the same handle. > } > + > + /* Close the file contexts backend. */ > + selabel_close(label_hnd);
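Review bot: In the first hunk (the declarations at the top of set_file_creation_context), `char* ctx;` does not follow the GNU/glibc style used in the rest of this file; write it as `char *ctx;`. The same applies to the new calls later in the patch, which glibc would normally spell with a space before the parenthesis, e.g. `selabel_open (SELABEL_CTX_FILE, NULL, 0)` and `selabel_lookup (label_hnd, &ctx, outname, S_IFREG | mode)`.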
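Review bot: In the second hunk, the `if (!label_hnd)` path has no early return when `enforcing <= 0`: `error (0, 0, ...)` only prints a message, so control falls through to `selabel_lookup(label_hnd, ...)` with a NULL handle and `selabel_close(label_hnd)` with the same NULL handle at the end of the function. After reporting the failure in the non-enforcing case the function should `return` (the file is then created with the default context, matching the existing behaviour when `matchpathcon` failed), and the stray `if (setfscreatecon (ctx) != 0)` line between the NULL check and the `error` call should be dropped, since `ctx` has not been assigned at that point.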
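Review bot: In the third hunk, the handle is closed twice on the successful-lookup path: once inside the `if` block right after `freecon (ctx);` and again by the new trailing `selabel_close(label_hnd);`. Keep only the trailing close so the handle is released exactly once on both the success and the failed-lookup paths, and make sure it is not reached with a NULL handle when `selabel_open` failed and the function continued in the non-enforcing case.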