c08c4eacab8d55598b9e5caaef8a871a7a476cab |
|
11-May-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
libselinux: is_selinux_enabled: Add /etc/selinux/config test.

To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled(). This ensures that systems that do not install selinux-policy will continue to return 0 from is_selinux_enabled().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/init.c
|
9df498884665d79474b79f0f30d1cd67df11bd3e |
|
15-Apr-2015 |
Ben Shelton <ben.shelton@ni.com> |
libselinux: Mount procfs before checking /proc/filesystems

In the case where the SELinux security module is not loaded in the kernel and it's early enough in the boot process that /proc has not yet been mounted, selinuxfs_exists() will incorrectly return 1, and selinux_init_load_policy() will print a message like this to the console:

    Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory

To fix this, mount the procfs before attempting to open /proc/filesystems, and unmount it when done if it was initially not mounted. This is the same thing that selinux_init_load_policy() does when reading /proc/cmdline.

Signed-off-by: Ben Shelton <ben.shelton@ni.com>
/external/selinux/libselinux/src/init.c
|
b82b7e02dfcd46db75a94352815830fdb651fa94 |
|
23-Jan-2012 |
Daniel P. Berrange <berrange@redhat.com> |
libselinux: Fix const-correctness

* include/selinux/selinux.h, src/init.c: set_selinuxmnt should take a const char *mntpath
* src/get_default_type.c: Avoid bad cast discarding const
* load_policy.c: Fix var decl to avoid discarding const

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
|
b3b19fdce58ff6ddfa6dfb8e5576c922c96e1e45 |
|
22-Sep-2011 |
Eric Paris <eparis@redhat.com> |
libselinux: load_policy: handle selinux=0 and /sys/fs/selinux not exist

Handle situation where selinux=0 passed to the kernel and both /selinux and /sys/fs/selinux directories do not exist. We used to handle selinux=0 (or kernel compile without selinux) by getting ENODEV when we tried to mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux won't exist and we never create the real directory /selinux at all. So we get ENOENT instead of ENODEV.

The solution is to check to see if the mount failure was for ENODEV and if not to check if selinuxfs exists in /proc/filesystems at all. If it doesn't exist, that's equivalent to ENODEV.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
|
e3cab998b48ab293a9962faf9779d70ca339c65d |
|
03-May-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
libselinux mountpoint changing patch.

The Fedora Distribution is looking to standardize kernel subsystem file systems to be mounted under /sys/fs. They would like us to move /selinux to /sys/fs/selinux.

This patch changes libselinux in the following ways:

1. load_policy will first check if /sys/fs/selinux exists and mount the selinuxfs at this location; if it does not exist it will fall back to mounting the file system at /selinux (if it exists).

2. The init functions of selinux will now check if /sys/fs/selinux is mounted. If it is and has an SELinuxfs mounted on it, the code will then check if the selinuxfs is mounted rw; if it is, libselinux will set the mountpoint, and if it is readonly, libselinux will return no mountpoint. If /sys/fs/selinux does not exist, the same check will be done for /selinux and finally for an entry in /proc/mounts.

NOTE: We added the check for RO, to allow tools like mock to be able to tell a chroot that SELinux is disabled while enforcing it outside the chroot.

    $ getenforce
    Enabled
    $ mount --bind /selinux /var/chroot/selinux
    $ mount -o remount,ro /var/chroot/selinux
    $ chroot /var/chroot
    $ getenforce
    Disabled

3. In order to make this work, I needed to stop enabled from checking /proc/filesystems for entries if selinux_mnt did not exist. Now enabled checks if selinux_mnt has been discovered; otherwise it will report selinux disabled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/init.c
|
1629d2f89a8c5f758413b87b94740aaaa5f21144 |
|
06-Apr-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
This patch cleans up a couple of crashes caused by libselinux

If you fail to load_policy in the init or SELinux is disabled, you need to free the selinux_mnt variable and clear the memory. systemd was calling load_policy on a DISABLED system, then later on it would call is_selinux_enabled() and get an incorrect response, since selinux_mnt still had valid data.

The second bug in libselinux revolves around calling selinux_key_delete(destructor_key) if the selinux_key_create call had never been called. This was causing data to be freed in other applications that loaded and unloaded the libselinux library but never set up setrans or matchpathcon.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/init.c
|
660f70f4c4c169214da8ac670fbecfb37ce3d2d5 |
|
28-Feb-2010 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Fix memory leak on disabled selinux machines.
Date: Wed, 24 Feb 2010 14:15:31 -0500

I think this patch originally came from Eric Paris and was updated by others but has not been adopted yet. Not sure why.

Always free buf on exit.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libselinux/src/init.c
|
8c372f665db44cf753bb299e2ee7dcf6143b9e9e |
|
01-Jul-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libselinux: lazy init

Revive Steve Grubb's patch for libselinux lazy init and extend it to address not only the reading of /etc/selinux/config but also probing for /selinux/class and reading of /selinux/mls. This should reduce the need for dontaudit rules for programs that link with libselinux and it should reduce unnecessary overhead.

I did not convert init_selinuxmnt over to lazy init since the functions that use selinux_mnt are not localized, and it only requires stat'ing of /selinux in the common case.

I couldn't see a valid reason why we needed fini_obj_class_compat(), as the existence of /selinux/class will only change across a reboot with different kernel versions. fini_context_translations() already had a comment saying that it was unnecessary as well.

Before:

    $ strace ls 2> err
    $ grep selinux err
    open("/lib/libselinux.so.1", O_RDONLY) = 3
    open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
    statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
    stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
    open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3

After:

    $ strace ls 2> err
    $ grep selinux err
    open("/lib/libselinux.so.1", O_RDONLY) = 3
    statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0

Original-patch-by: Steve Grubb <linux_4ever@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libselinux/src/init.c
|
f057914941e29c460f5cd700d55b4d193c7927ef |
|
24-Jun-2009 |
Eric Paris <eparis@redhat.com> |
check /proc/filesystems before /proc/mounts for selinuxfs

Al was complaining that he has selinux disabled and has 100,000+ mounts in /proc/mounts. Every time he runs ls the thing takes 5 seconds because the libselinux constructor runs the entirety of his /proc/mounts looking for selinuxfs, which doesn't exist. Speed things up by first checking for selinuxfs in /proc/filesystems; only if the fs is even registered should we bother to run all of /proc/mounts.

Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/init.c
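The two detection steps that recur in this history (the mountpoint-changing patch of 03-May-2011, with its read-only check, and the /proc/filesystems-before-/proc/mounts ordering of 24-Jun-2009) are shown below as a self-contained C example. This is added illustration, not libselinux's own init.c code: the function names, the fixed-size line buffers and the sample /proc/filesystems and /proc/mounts text are constructed here so the logic can be run offline. The order of the checks and the "read-only selinuxfs means no mountpoint" rule follow the commit messages above.

```c
#include <stdio.h>
#include <string.h>

#define SELINUXFS_NAME "selinuxfs"

/* Has the kernel registered selinuxfs at all?  Parses the text of
 * /proc/filesystems, whose lines look like "nodev\tselinuxfs" or "\text4".
 * No entry is the "equivalent to ENODEV" case from the 2011 commit: the
 * kernel has no SELinux, so there is nothing to mount or search for. */
int selinuxfs_registered(const char *filesystems)
{
    const char *p = filesystems;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *name = p;
        size_t nlen = len;
        /* optional "nodev" column, then whitespace, then the fs name */
        if (nlen >= 5 && strncmp(name, "nodev", 5) == 0) { name += 5; nlen -= 5; }
        while (nlen && (*name == ' ' || *name == '\t')) { name++; nlen--; }
        if (nlen == strlen(SELINUXFS_NAME) && strncmp(name, SELINUXFS_NAME, nlen) == 0)
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Is "ro" present as a whole token in a comma-separated mount option list?
 * "errors=remount-ro" must not count, hence the exact token comparison. */
int mount_opts_readonly(const char *opts)
{
    const char *p = opts;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 2 && strncmp(p, "ro", 2) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Locate the selinuxfs entry in the text of /proc/mounts, whose lines are
 * "dev mountpoint fstype options dump pass".  Copies the mount point into
 * out and reports whether it is mounted read-only.  Returns 1 if found. */
int find_selinuxfs_mount(const char *mounts, char *out, size_t outsz, int *readonly)
{
    const char *p = mounts;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512], dev[128], mnt[256], fstype[64], opts[256];
        if (len >= sizeof line)
            len = sizeof line - 1;          /* truncate an oversized line */
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%127s %255s %63s %255s", dev, mnt, fstype, opts) == 4 &&
            strcmp(fstype, SELINUXFS_NAME) == 0) {
            snprintf(out, outsz, "%s", mnt);
            *readonly = mount_opts_readonly(opts);
            return 1;
        }
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Combine the checks in the order the commit messages describe: consult the
 * short /proc/filesystems first, and only then walk /proc/mounts.  A
 * read-only selinuxfs is reported as "no mountpoint", which is what lets a
 * chroot holding a ro bind mount see SELinux as disabled.  Returns 1 and
 * fills out when a usable (rw) selinuxfs mount exists, 0 otherwise. */
int usable_selinuxfs_mount(const char *filesystems, const char *mounts,
                           char *out, size_t outsz)
{
    int ro = 0;
    if (!selinuxfs_registered(filesystems))
        return 0;
    if (!find_selinuxfs_mount(mounts, out, outsz, &ro))
        return 0;
    return ro ? 0 : 1;
}

/* Constructed sample inputs; not captured from a real system. */
static const char SAMPLE_FILESYSTEMS[] =
    "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n";
static const char SAMPLE_MOUNTS_RW[] =
    "proc /proc proc rw,nosuid 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
static const char SAMPLE_MOUNTS_RO[] =
    "proc /proc proc rw,nosuid 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";

int main(void)
{
    char out[256];
    int rw = usable_selinuxfs_mount(SAMPLE_FILESYSTEMS, SAMPLE_MOUNTS_RW, out, sizeof out);
    printf("rw sample: usable=%d mountpoint=%s\n", rw, rw ? out : "(none)");
    int ro = usable_selinuxfs_mount(SAMPLE_FILESYSTEMS, SAMPLE_MOUNTS_RO, out, sizeof out);
    printf("ro sample: usable=%d\n", ro);
    return 0;
}
```

On a real system the same functions would be fed the contents of /proc/filesystems and /proc/mounts; the 15-Apr-2015 commit above is the reminder that /proc itself may not be mounted yet early in boot, so a caller has to handle an unreadable /proc/filesystems as "unknown" rather than as "selinuxfs present".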
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libselinux/src/init.c
|