[Rpm-maint] [PATCH 1/2] selinux: reopen label between transactions if necessary (RhBug: 746073)
Ales Kozumplik
akozumpl at redhat.com
Thu Jan 12 10:19:10 UTC 2012
On 01/12/2012 10:36 AM, Panu Matilainen wrote:
>>
>> /* if SELinux isn't enabled, init fails or test run, don't
>> bother... */
>> - if (!is_selinux_enabled() || (rpmtsFlags(ts)&
>> RPMTRANS_FLAG_TEST)) {
>> + if (!is_selinux_enabled() || (rpmtsFlags(ts)&
>> RPMTRANS_FLAG_TEST) ||
>> + (rpmtsFlags(ts)& RPMTRANS_FLAG_NOCONTEXTS) ||
>> + rpmtsSELabelInit(ts, 1, selinux_file_context_path())) {
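Review bot: the rpmtsSELabelInit() call added as the last operand of the `||` chain makes the condition do real work as a side effect, and it only runs when the three tests before it are all false, which is easy to misread. A failed init also lands in the same branch as "SELinux not enabled", RPMTRANS_FLAG_TEST and RPMTRANS_FLAG_NOCONTEXTS, so the four cases cannot be told apart afterwards. Suggest limiting the condition to the enable and flag tests and calling rpmtsSELabelInit() in its own statement, with its return code checked and reported separately.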
>
> This logic here is backwards: it'll now only call rpmtsSELabelInit()
> when selinux is *disabled* (by transaction flags or system-wide state).
I think it is correct like this, when selinux is system-wide disabled
!is_selinux_enabled() is 1 so it short circuits the other tests
(including an attempt to call rpmtsSELabelInit), no?
> I'd leave the current disable logic (ie "should we even try to do
> selinux stuff?") as it is, and instead check for rpmtsSELabelInit()
> return code for failure.
I did it this way to avoid repeating this line twice, in two if branches:
rpmlog(RPMLOG_DEBUG, "Selinux disabled.\n");
Now I see obfuscation ensued.
> and instead check for rpmtsSELabelInit() return code for failure.
Yep, I'll do that instead.
Ales