On Mon, Mar 25, 2024 at 3:10 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Fri, Mar 22, 2024 at 10:59 AM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > If no policy has been loaded yet and thus the current context is still > > "kernel" avoid logging failures in get_ordered_context_list(), like: > > > > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root > > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts > > > > Move the context parsing from get_context_user() to its caller > > get_ordered_context_list(), so an invalid context is not treated as an > > get_context_user() failure and not logged. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > Merged. Thanks, Jim > > --- > > v2: > > - move the context parsing from get_context_user() to its caller > > - add Signed-off-by > > --- > > libselinux/src/get_context_list.c | 24 ++++++++++++------------ > > 1 file changed, 12 insertions(+), 12 deletions(-) > >
> > diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
> > index 7e23be05..0ad24654 100644
> > --- a/libselinux/src/get_context_list.c
> > +++ b/libselinux/src/get_context_list.c
> > @@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str)
> > }
> >
> > static int get_context_user(FILE * fp,
> > - const char * fromcon,
> > + context_t fromcon,
> > const char * user,
> > char ***reachable,
> > unsigned int *nreachable)
> > @@ -146,7 +146,6 @@ static int get_context_user(FILE * fp,
> > char **new_reachable = NULL;
> > char *usercon_str;
> > const char *usercon_str2;
> > - context_t con;
> > context_t usercon;
> >
> > int rc;
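Review bot: The new `context_t fromcon` parameter of get_context_user() carries no statement of ownership, and since the callee now only reads it (the context_role_get/context_type_get/context_range_get calls in the following hunk) while the caller allocates and frees it, a future maintainer could easily add a context_free() inside the callee and cause a double free. A one-line comment on the parameter would pin this down, e.g. `/* fromcon is borrowed: the caller owns it and frees it after the call */`. The function body continues past the hunk, so I cannot see whether fromcon is retained anywhere beyond those lookups.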
> > @@ -155,14 +154,10 @@ static int get_context_user(FILE * fp,
> >
> > /* Extract the role and type of the fromcon for matching.
> > User identity and MLS range can be variable. */
> > - con = context_new(fromcon);
> > - if (!con)
> > - return -1;
> > - fromrole = context_role_get(con);
> > - fromtype = context_type_get(con);
> > - fromlevel = context_range_get(con);
> > + fromrole = context_role_get(fromcon);
> > + fromtype = context_type_get(fromcon);
> > + fromlevel = context_range_get(fromcon);
> > if (!fromrole || !fromtype) {
> > - context_free(con);
> > return -1;
> > }
> >
> > @@ -296,7 +291,6 @@ static int get_context_user(FILE * fp,
> > rc = 0;
> >
> > out:
> > - context_free(con);
> > free(line);
> > return rc;
> > }
> > @@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user,
> > char *fname = NULL;
> > size_t fname_len;
> > const char *user_contexts_path = selinux_user_contexts_path();
> > + context_t con = NULL;
> >
> > if (!fromcon) {
> > /* Get the current context and use it for the starting context */
> > @@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user,
> > fromcon = backup_fromcon;
> > }
> >
> > + con = context_new(fromcon);
> > + if (!con)
> > + goto failsafe;
> > +
> > /* Determine the ordering to apply from the optional per-user config
> > and from the global config. */
> > fname_len = strlen(user_contexts_path) + strlen(user) + 2;
> > @@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user,
> > fp = fopen(fname, "re");
> > if (fp) {
> > __fsetlocking(fp, FSETLOCKING_BYCALLER);
> > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
> > + rc = get_context_user(fp, con, user, &reachable, &nreachable);
> >
> > fclose(fp);
> > if (rc < 0 && errno != ENOENT) {
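Review bot: The braces around the lone `return -1;` in the `if (!fromrole || !fromtype)` check are a leftover from the removed context_free(con) call; the brace-less form `if (!fromrole || !fromtype)` / `return -1;` matches the style of the code this hunk removes (`if (!con) return -1;`). Since fromcon now arrives already parsed by context_new() in the caller, this check is presumably defensive rather than a real failure path — confirm against context_new(), and a comment such as `/* defensive: a context that parsed should always carry a role and type */` would make that explicit. Note that this `return -1` leaves errno untouched, which the caller's `rc < 0 && errno != ENOENT` test later interprets; that is pre-existing behaviour, not introduced here.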
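Review bot: `if (!con) goto failsafe;` in the -427 hunk treats every context_new() failure as "the current context is not a usable starting context", which includes an allocation failure; previously that failure surfaced as a get_context_user() error and, with errno != ENOENT, was logged by the caller, whereas now it is silently folded into the failsafe path. If context_new() reports the two cases distinctly via errno, consider sending an ENOMEM failure down the error exit instead of the failsafe one; at minimum a comment should state the case being handled, e.g. `/* Before a policy is loaded the current context is "kernel", which does not parse as a context: fall back to the failsafe context without logging. */`. The jump also leaves con NULL for the shared cleanup added in the -472 hunk, so it depends on context_free() tolerating NULL, and the failsafe label itself is outside the hunk — confirm both.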
> > @@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user,
> > fp = fopen(selinux_default_context_path(), "re");
> > if (fp) {
> > __fsetlocking(fp, FSETLOCKING_BYCALLER);
> > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
> > + rc = get_context_user(fp, con, user, &reachable, &nreachable);
> > fclose(fp);
> > if (rc < 0 && errno != ENOENT) {
> > selinux_log(SELINUX_ERROR,
> > @@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user,
> > else
> > freeconary(reachable);
> >
> > + context_free(con);
> > freecon(backup_fromcon);
> >
> > return rc;
> > --
> > 2.43.0
> >
> >
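Review bot: `context_free(con);` is added to the common tail next to freecon(backup_fromcon), but the `failsafe` label that the new `goto failsafe` and the existing error paths jump to lies outside the hunk; if that label returns on its own instead of coming back through this tail, any `goto failsafe` taken after con was allocated leaks the context. Worth confirming that failsafe exits through this tail, and a short comment on the new line would document the contract it relies on: `/* con is NULL when context_new() failed; context_free() must accept NULL */` — assuming context_free(NULL) is a no-op, which the hunk does not show.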