History log of /external/selinux/libselinux/src/selinux_config.c
Revision Date Author Comments
7eec00a5be8b5cebcbbc9a30b42b34f4a623c587 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Add selinux_current_policy_path, which returns a pointer to the loaded policy

Also change audit2why to look at the loaded policy rather than searching on disk for
the policy file. It is more likely that you are examining the running policy.
/external/selinux/libselinux/src/selinux_config.c
ce2a8848ad45e375cfdb58cebe28bc12431bb3db 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Add selinux_systemd_contexts_path

systemd has some internal contexts like generated systemd unit files
that we want to allow it to check against processes trying to manage them.
/external/selinux/libselinux/src/selinux_config.c
7fe6036ca5e3624d6e3a0294b909d93b145eac31 09-Oct-2013 Dan Walsh <dwalsh@redhat.com> Add selinux_set_policy_root, which sets an alternate policy root directory path

This allows us to specify the directory under which the compiled policy file and context configuration
files exist. We can use this with matchpathcon to check the labels under alternate policies,
and we can use it for sepolicy manpage to build manpages during policy build.
/external/selinux/libselinux/src/selinux_config.c
88c35241535803247bd3044187c6c3b3c7f02c79 18-Apr-2012 Eric Paris <eparis@redhat.com> libselinux: boolean name equivalency

Add support for booleans.subs file. Basically this allows us to finally change
badly named booleans to some standard name.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_config.c
c802d4a6d53120a7c067c29625a17b09f922f4d3 18-Apr-2012 Dan Walsh <dwalsh@redhat.com> libselinux: Add support for lxc_contexts_path

In order for lxc to look up its process and file labels we add new
libselinux support. This is what we do for everything else, like
libvirt, sepostgresql, etc.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_config.c
86795159d4112b6842584cfff317659cdb931218 23-Jan-2012 Daniel P. Berrange <berrange@redhat.com> libselinux: Fix old style function definitions

Add 'void' parameter to all functions which take no arguments

* selinux_config.c: s/()/(void)/

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/selinux_config.c
20b43b3fd3d392c4f12a963a4e46c264e7ed5163 06-Apr-2011 Daniel J Walsh <dwalsh@redhat.com> This patch adds a new subs_dist file.


The idea is to allow distributions to ship a subs file as well as let
the user modify subs.

In F16 we are looking at shipping a file_contexts.subs_dist file like this:

cat file_contexts.subs_dist
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib

Then we will remove all (64)? from policy.

This will allow us to make sure all /usr/lib/libBLAH is labeled the same
as /usr/lib64/libBLAH


Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/selinux_config.c
70aeeb918aa721ad90ed8e1b433a55c8ecf2cb83 15-Mar-2010 Eamon Walsh <ewalsh@tycho.nsa.gov> This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like the restorecon on databases.

The specfile shall be described as follows:
------------------------
#
# The specfile for database objects
# (for SE-PostgreSQL)
#
# <object class> <object name> <security context>
#
db_database * system_u:object_r:sepgsql_db_t:s0

db_schema *.pg_catalog system_u:object_r:sepgsql_sys_schema_t:s0
db_schema *.* system_u:object_r:sepgsql_schema_t:s0

db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
db_table *.*.* system_u:object_r:sepgsql_table_t:s0
------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first matching security context.

Note that the hierarchy of the namespace of database objects depends on the RDBMS.
So, the author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we lookup an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

By default, it tries to read a specfile which maps database objects and security
context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option on the selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_config.c
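An added example, not code from libselinux or from the commit above: a minimal C lookup over a specfile in the layout that commit describes, using fnmatch(3) for the '*' and '?' wildcards, ignoring text after '#', and returning the first matching context. The specfile contents are a constructed sample embedded as a string, and lookup_db_context is a hypothetical helper name.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed specfile in the layout the commit message describes:
 * <object class> <object name pattern> <security context>, '#' comments. */
static const char *spec =
    "# The specfile for database objects (constructed sample)\n"
    "db_database * system_u:object_r:sepgsql_db_t:s0\n"
    "\n"
    "db_schema *.pg_catalog system_u:object_r:sepgsql_sys_schema_t:s0\n"
    "db_schema *.* system_u:object_r:sepgsql_schema_t:s0\n"
    "db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0  # system catalog\n"
    "db_table *.*.* system_u:object_r:sepgsql_table_t:s0\n";

/* Return the context of the first entry whose class equals cls and whose
 * pattern matches key. fnmatch(3) supplies '*' and '?'; with flags 0 a '*'
 * also spans the '.' separators. Returns NULL when nothing matches. The
 * result lives in a static buffer, so the helper is not thread-safe. */
const char *lookup_db_context(const char *cls, const char *key)
{
    static char result[128];
    const char *p = spec;
    while (*p) {
        char line[256], lcls[64], pat[128], ctx[128];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;  /* truncate long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';              /* text after '#' is ignored */
        if (sscanf(line, "%63s %127s %127s", lcls, pat, ctx) != 3)
            continue;                        /* blank, comment-only or malformed */
        if (strcmp(lcls, cls) == 0 && fnmatch(pat, key, 0) == 0) {
            snprintf(result, sizeof result, "%s", ctx);
            return result;                   /* first match wins */
        }
    }
    return NULL;
}

int main(void)
{
    /* SE-PgSQL key for table my_table in schema public of database postgres */
    const char *ctx = lookup_db_context("db_table", "postgres.public.my_table");
    printf("%s\n", ctx ? ctx : "(no match)");
    return 0;
}
```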
7d19f9df510daef5dc929df5854c2dda2a64f475 20-Oct-2009 Chad Sellers <csellers@tresys.com> libselinux: Export reset_selinux_config()

In integrating SELinux policy into rpm, we have a need to be
able to reset the configuration data (e.g. policy type) loaded
into libselinux. These values are currently loaded lazily by a
number of different functions (e.g. matchpathcon_init()).
Since we are changing rpm to install policy, including initial
base policy, we need to be able to reload these configuration
items after the policy has been installed.

reset_selinux_config() already exists and is used by
selinux_init_load_policy() for a similar reason, but it is not
exported. This was probably intentional since it is not thread
safe at all. That said, rpm needs to do the same thing. This
patch makes the function public, and places a warning in the
header comment that it is not thread safe.

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_config.c
8c372f665db44cf753bb299e2ee7dcf6143b9e9e 01-Jul-2009 Stephen Smalley <sds@tycho.nsa.gov> libselinux: lazy init

Revive Steve Grubb's patch for libselinux lazy init and extend it to
address not only the reading of /etc/selinux/config but also probing
for /selinux/class and reading of /selinux/mls. This should reduce the
need for dontaudit rules for programs that link with libselinux and it
should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions
that use selinux_mnt are not localized, and it only requires stat'ing
of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as
the existence of /selinux/class will only change across a reboot with
different kernel versions. fini_context_translations() already had a
comment saying that it was unnecessary as well.

Before:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_config.c
20271d94ed2b26b94b052ba6ed90b63566cecbb7 04-Jun-2009 Daniel J Walsh <dwalsh@redhat.com> Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: SELinux context patch
Date: Mon, 18 May 2009 14:16:12 -0400

This patch adds context files for virtual_domain and virtual_image,
these are both being used to locate the default context to be executed by
svirt.

I also included the subs patch which I submitted before. This patch
allows us to substitute prefixes to matchpathcon.

So we can say /export/home == /home

and

/web == /var/www

Author: Chad Sellers
Email: csellers@tresys.com

Flipped the free()'s in the original patch, when strdup() fails, to the proper order.

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/selinux_config.c
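As an added example (not libselinux's own matchpathcon code) covering both the subs patch described in the entry above and the file_contexts.subs_dist sample in the earlier subs_dist entry: a C helper that rewrites a path through a prefix-substitution table before lookup, so that /usr/lib64/libBLAH is looked up as /usr/lib/libBLAH. The table is a constructed copy of that sample, subs_apply is a hypothetical name, and longest-prefix precedence is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table mirroring the file_contexts.subs_dist sample in the
 * subs_dist commit: { alias prefix, canonical prefix }. */
static const char *subs[][2] = {
    { "/run",          "/var/run"  },
    { "/run/lock",     "/var/lock" },
    { "/var/run/lock", "/var/lock" },
    { "/lib64",        "/lib"      },
    { "/usr/lib64",    "/usr/lib"  },
};

/* Rewrite path through the table so that a lookup for /usr/lib64/libX is
 * really a lookup for /usr/lib/libX. An alias only applies on a component
 * boundary: "/run" rewrites "/run/x" but not "/runner". When several aliases
 * apply, the longest wins; that ordering is this example's choice, not a
 * statement about how libselinux orders its own subs list. Returns a static
 * buffer (not thread-safe). */
const char *subs_apply(const char *path)
{
    static char out[4096];
    size_t n = sizeof subs / sizeof subs[0];
    size_t best = n, best_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(subs[i][0]);
        if (strncmp(path, subs[i][0], len) != 0)
            continue;                                   /* prefix differs */
        if (path[len] != '\0' && path[len] != '/')
            continue;                                   /* not on a '/' boundary */
        if (len > best_len) {
            best_len = len;
            best = i;
        }
    }
    if (best == n)
        snprintf(out, sizeof out, "%s", path);          /* no alias matched */
    else
        snprintf(out, sizeof out, "%s%s", subs[best][1], path + best_len);
    return out;
}

int main(void)
{
    const char *samples[] = { "/usr/lib64/libBLAH.so", "/run/lock/foo", "/runner" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", samples[i], subs_apply(samples[i]));
    return 0;
}
```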
f9b1f1a2a17298b60a94780ab5899a8d91cbf100 01-Jan-2009 Eamon Walsh <ewalsh@tycho.nsa.gov> Add config path function for secolor.conf file.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/selinux_config.c
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/libselinux/src/selinux_config.c