History log of /external/selinux/libselinux/src/init.c
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
c08c4eacab8d55598b9e5caaef8a871a7a476cab 11-May-2015 Stephen Smalley <sds@tycho.nsa.gov> libselinux: is_selinux_enabled: Add /etc/selinux/config test.

To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled().

This ensures that systems that do not install selinux-policy
will continue to return 0 from is_selinux_enabled().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/init.c
9df498884665d79474b79f0f30d1cd67df11bd3e 15-Apr-2015 Ben Shelton <ben.shelton@ni.com> libselinux: Mount procfs before checking /proc/filesystems

In the case where the SELinux security module is not loaded in the
kernel and it's early enough in the boot process that /proc has not yet
been mounted, selinuxfs_exists() will incorrectly return 1, and
selinux_init_load_policy() will print a message like this to the
console:

Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory

To fix this, mount the procfs before attempting to open
/proc/filesystems, and unmount it when done if it was initially not
mounted. This is the same thing that selinux_init_load_policy() does
when reading /proc/cmdline.

Signed-off-by: Ben Shelton <ben.shelton@ni.com>
/external/selinux/libselinux/src/init.c
b82b7e02dfcd46db75a94352815830fdb651fa94 23-Jan-2012 Daniel P. Berrange <berrange@redhat.com> libselinux: Fix const-correctness

* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take
a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
b3b19fdce58ff6ddfa6dfb8e5576c922c96e1e45 22-Sep-2011 Eric Paris <eparis@redhat.com> libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist

Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist. We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV. The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all. If it doesn't exist, that's equivalent to
ENODEV.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
e3cab998b48ab293a9962faf9779d70ca339c65d 03-May-2011 Daniel J Walsh <dwalsh@redhat.com> libselinux mountpoint changing patch.

The Fedora Distribution is looking to standardize kernel subsystem file
systems to be mounted under /sys/fs. They would like us to move /selinux
to /sys/fs/selinux. This patch changes libselinux in the following
ways:

1. load_policy will first check if /sys/fs/selinux exists and mount the
selinuxfs at this location, if it does not exists it will fall back to
mounting the file system at /selinux (if it exists).

2. The init functions of selinux will now check if /sys/fs/selinux is
mounted, if it is and has an SELinuxfs mounted on it, the code will then
check if the selinuxfs is mounted rw, if it is, libselinux will set the
mountpoint, if it is readonly, libselinux will return no mountpoint. If
/sys/fs/selinux does not exists, the same check will be done for
/selinux and finally for an entry in /proc/mounts.

NOTE: We added the check for RO, to allow tools like mock to be able to
tell a chroot that SELinux is disabled while enforcing it outside the
chroot.

$ getenforce
Enabled
$ mount --bind /selinux /var/chroot/selinux
$ mount -o remount,ro /var/chroot/selinux
$ chroot /var/chroot
$ getenforce
Disabled

3. In order to make this work, I needed to stop enabled from checking if
/proc/filesystem for entries if selinux_mnt did not exist. Now enabeled
checks if selinux_mnt has been discovered otherwise it will report
selinux disabled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
1629d2f89a8c5f758413b87b94740aaaa5f21144 06-Apr-2011 Daniel J Walsh <dwalsh@redhat.com> This patch cleans up a couple of crashes caused by libselinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you fail to load_policy in the init or SELinux is disabled, you need
to free the selinux_mnt variable and clear the memory.

systemd was calling load_polcy on a DISABLED system then later on it
would call is_selinux_enabled() and get incorrect response, since
selinux_mnt still had valid data.

The second bug in libselinux, resolves around calling the
selinux_key_delete(destructor_key) if the selinux_key_create call had
never been called. This was causing data to be freed in other
applications that loaded an unloaded the libselinux library but never
setup setrans or matchpathcon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2c0/UACgkQrlYvE4MpobMP1QCfXAFD3pfWFLd1lylU/vjsZmpM
mcUAnA2l3/GKGC3hT8XB9E+2pTfpy+uj
=jpyr
-----END PGP SIGNATURE-----

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/init.c
660f70f4c4c169214da8ac670fbecfb37ce3d2d5 28-Feb-2010 Daniel J Walsh <dwalsh@redhat.com> Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Fix memory leak on disabled selinux machines.
Date: Wed, 24 Feb 2010 14:15:31 -0500

I think this patch originally came from Eric Paris and was updated by
others but has not been adopted yet. Not sure why.

Always free buf on exit.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libselinux/src/init.c
8c372f665db44cf753bb299e2ee7dcf6143b9e9e 01-Jul-2009 Stephen Smalley <sds@tycho.nsa.gov> libselinux: lazy init

Revive Steve Grubb's patch for libselinux lazy init and extend it to
address not only the reading of /etc/selinux/config but also probing
for /selinux/class and reading of /selinux/mls. This should reduce the
need for dontaudit rules for programs that link with libselinux and it
should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions
that use selinux_mnt are not localized, and it only requires stat'ing
of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as
the existence of /selinux/class will only change across a reboot with
different kernel versions. fini_context_translations() already had a
comment saying that it was unnecessary as well.

Before:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:
$ strace ls 2> err
$ grep selinux err
open("/lib/libselinux.so.1", O_RDONLY) = 3
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/init.c
f057914941e29c460f5cd700d55b4d193c7927ef 24-Jun-2009 Eric Paris <eparis@redhat.com> check /proc/filesystems before /proc/mounts for selinuxfs

Al was complaining that he has selinux disabled and has 100,000+ mounts
in /proc/mounts. Every time he runs ls the thing takes 5 seconds
because the libselinux constructor runs the entirety of his /proc/mounts
looking for selinuxfs, which doesn't exist. Speed things up by first
checking for selinuxfs in /proc/filesystems, only if the fs is even
registered should we bother to run all of /proc/mounts.

Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/init.c
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/libselinux/src/init.c