On Fri, Mar 22, 2024 at 10:59 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> If no policy has been loaded yet and thus the current context is still
> "kernel" avoid logging failures in get_ordered_context_list(), like:
>
> get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root
> get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts
>
> Move the context parsing from get_context_user() to its caller
> get_ordered_context_list(), so an invalid context is not treated as an
> get_context_user() failure and not logged.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> v2:
> - move the context parsing from get_context_user() to its caller
> - add Signed-off-by
> ---
> libselinux/src/get_context_list.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
> index 7e23be05..0ad24654 100644
> --- a/libselinux/src/get_context_list.c
> +++ b/libselinux/src/get_context_list.c
> @@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str)
> }
>
> static int get_context_user(FILE * fp,
> - const char * fromcon,
> + context_t fromcon,
> const char * user,
> char ***reachable,
> unsigned int *nreachable)
> @@ -146,7 +146,6 @@ static int get_context_user(FILE * fp,
> char **new_reachable = NULL;
> char *usercon_str;
> const char *usercon_str2;
> - context_t con;
> context_t usercon;
>
> int rc;
> @@ -155,14 +154,10 @@ static int get_context_user(FILE * fp,
>
> /* Extract the role and type of the fromcon for matching.
> User identity and MLS range can be variable. */
> - con = context_new(fromcon);
> - if (!con)
> - return -1;
> - fromrole = context_role_get(con);
> - fromtype = context_type_get(con);
> - fromlevel = context_range_get(con);
> + fromrole = context_role_get(fromcon);
> + fromtype = context_type_get(fromcon);
> + fromlevel = context_range_get(fromcon);
> if (!fromrole || !fromtype) {
> - context_free(con);
> return -1;
> }
>
> @@ -296,7 +291,6 @@ static int get_context_user(FILE * fp,
> rc = 0;
>
> out:
> - context_free(con);
> free(line);
> return rc;
> }
> @@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user,
> char *fname = NULL;
> size_t fname_len;
> const char *user_contexts_path = selinux_user_contexts_path();
> + context_t con = NULL;
>
> if (!fromcon) {
> /* Get the current context and use it for the starting context */
> @@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user,
> fromcon = backup_fromcon;
> }
>
> + con = context_new(fromcon);
> + if (!con)
> + goto failsafe;
> +
> /* Determine the ordering to apply from the optional per-user config
> and from the global config. */
> fname_len = strlen(user_contexts_path) + strlen(user) + 2;
> @@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user,
> fp = fopen(fname, "re");
> if (fp) {
> __fsetlocking(fp, FSETLOCKING_BYCALLER);
> - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
> + rc = get_context_user(fp, con, user, &reachable, &nreachable);
>
> fclose(fp);
> if (rc < 0 && errno != ENOENT) {
> @@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user,
> fp = fopen(selinux_default_context_path(), "re");
> if (fp) {
> __fsetlocking(fp, FSETLOCKING_BYCALLER);
> - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
> + rc = get_context_user(fp, con, user, &reachable, &nreachable);
> fclose(fp);
> if (rc < 0 && errno != ENOENT) {
> selinux_log(SELINUX_ERROR,
> @@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user,
> else
> freeconary(reachable);
>
> + context_free(con);
> freecon(backup_fromcon);
>
> return rc;
> --
> 2.43.0
>
>
