[Rpm-maint] [PATCH 3/6] Use selabel interfaces instead of matchpathcon
Steve Lawrence
slawrence at tresys.com
Fri Jul 30 19:50:09 UTC 2010
On Mon, 2010-07-26 at 14:19 +0300, Panu Matilainen wrote:
> On Wed, 14 Jul 2010, Steve Lawrence wrote:
>
> > This replaces the old matchpathcon interfaces with the new selabel
> > interfaces for relabeling files, storing an selabel handle in the
> > transaction set.
> >
> > With this change also comes an added distinction between --nocontexts
> > being specified and a failure to load the file contexts. Previously
> > there was no distinction, and both cases used the
> > RPMTRANS_FLAG_NOCONTEXTS flag.
> >
> > However, with the new policy plugin, it is necessary to make such a
> > distinction. This is because matchpathcon_init (now selabel interfaces)
> > can fail at the beginning of the transaction, but succeed later after
> > new policy is installed. Because of this, we may need to enable/disable
> > RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
> > could also mean --nocontexts, we cannot do that. By storing the selabel
> > handle in the rpmts, we can easily keep track if the handle has been
> > successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
> > with two meanings.
>
> [...]
> > diff --git a/lib/rpmts.h b/lib/rpmts.h
> > index 9b7c306..5c4840c 100644
> > --- a/lib/rpmts.h
> > +++ b/lib/rpmts.h
> > @@ -397,6 +397,27 @@ void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
> > int rpmtsSELinuxEnabled(rpmts ts);
> >
> > /** \ingroup rpmts
> > + * Get the selabel handle from the transaction set
> > + * @param ts transaction set
> > + * @return selabel handle, or NULL if it hasn't been initialized yet
> > + */
> > +struct selabel_handle * rpmtsSELabelHandle(rpmts ts);
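Review bot: the prototype `struct selabel_handle * rpmtsSELabelHandle(rpmts ts);` places a libselinux type in the public rpmts.h, so every consumer of the header (including builds where SELinux is compiled out) needs <selinux/label.h> or a forward declaration before it compiles; return a void pointer or an rpm-owned typedef that hides the type when SELinux is absent. The doc comment should also say who owns the handle: since the patch description has the transaction set storing it and tracking whether it was created, state that callers must not selabel_close() what this accessor returns.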
>
> NAK. This causes public API to depend on SELinux which is a compile-time
> optional feature. Please use a void pointer, or wrap it behind an
> rpm-specific typedef which can hide missing selinux as necessary, eg
> something like
>
> #ifdef <some suitable selinux define>
> typedef struct selabel_handle * rpm_sehandle_t;
> #else
> typedef void * rpm_sehandle_t;
> #endif
>
> rpm_sehandle_t rpmtsSELabelHandle(rpmts ts);
>
> - Panu -
No problem with this. We'll include this change in the next version of
this patchset.
- Steve
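The design the patch description argues for (a handle stored in the transaction set, created lazily and retried after policy lands, kept separate from the user's --nocontexts flag) together with Panu's typedef wrapper, as an added example that is not rpm's code and not part of this thread. To run anywhere it replaces libselinux with a stand-in: `struct selabel_handle`, `fake_selabel_open`, `fake_selabel_close` and the `policy_installed` switch are invented stubs, and `rpmtsSELabelInit`, `rpmtsRelabel`, `run_demo` and the `WITH_SELINUX` macro are assumed names for illustration; only `RPMTRANS_FLAG_NOCONTEXTS`, `rpmts` and `rpmtsSELabelHandle` come from the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RPMTRANS_FLAG_NOCONTEXTS (1u << 0)   /* set only when the user passed --nocontexts */

/* Stand-in for libselinux's opaque selabel_handle (invented for this example):
 * a one-entry path-prefix -> context table. */
struct selabel_handle {
    const char *prefix;
    const char *context;
};

/* Invented policy state: file_contexts only become loadable once a policy
 * package has been installed, which may happen in the middle of a transaction. */
static int policy_installed = 0;

/* Stand-in for selabel_open(): fails until policy is present. */
static struct selabel_handle *fake_selabel_open(void) {
    if (!policy_installed) return NULL;
    struct selabel_handle *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->prefix = "/usr/bin/";
    h->context = "system_u:object_r:bin_t:s0";
    return h;
}
static void fake_selabel_close(struct selabel_handle *h) { free(h); }

/* Panu's wrapper: the public type never names libselinux when it is compiled out. */
#ifdef WITH_SELINUX
typedef struct selabel_handle *rpm_sehandle_t;
#else
typedef void *rpm_sehandle_t;
#endif

struct rpmts_s {
    unsigned flags;
    rpm_sehandle_t sehandle;   /* NULL until the open succeeded; owned by the ts */
};
typedef struct rpmts_s *rpmts;

rpm_sehandle_t rpmtsSELabelHandle(rpmts ts) { return ts ? ts->sehandle : NULL; }

/* Try (again) to create the handle. Returns 1 if a handle exists afterwards.
 * An explicit --nocontexts is never retried: that decision belongs to the flag,
 * not to the handle, which is exactly the distinction the patch wants. */
int rpmtsSELabelInit(rpmts ts) {
    if (ts->flags & RPMTRANS_FLAG_NOCONTEXTS) return 0;
    if (ts->sehandle) return 1;
    ts->sehandle = fake_selabel_open();
    return ts->sehandle != NULL;
}

void rpmtsSELabelFini(rpmts ts) {
    if (ts->sehandle) { fake_selabel_close(ts->sehandle); ts->sehandle = NULL; }
}

/* The three outcomes a single overloaded flag could not tell apart. */
enum relabel_result { RELABEL_DISABLED = 0, RELABEL_NO_POLICY = 1, RELABEL_DONE = 2 };

enum relabel_result rpmtsRelabel(rpmts ts, const char *path, char *ctx, size_t ctxlen) {
    if (ts->flags & RPMTRANS_FLAG_NOCONTEXTS) return RELABEL_DISABLED;
    if (!rpmtsSELabelInit(ts)) return RELABEL_NO_POLICY;   /* caller may retry later */
    struct selabel_handle *h = (struct selabel_handle *)ts->sehandle;
    if (strncmp(path, h->prefix, strlen(h->prefix)) == 0)
        snprintf(ctx, ctxlen, "%s", h->context);
    else
        snprintf(ctx, ctxlen, "%s", "<<none>>");
    return RELABEL_DONE;
}

/* Simulated transaction: a file is processed before and after the policy
 * package lands. Returns before*10 + after so both outcomes are visible. */
int run_demo(int nocontexts) {
    struct rpmts_s ts = { nocontexts ? RPMTRANS_FLAG_NOCONTEXTS : 0u, NULL };
    char ctx[64];
    policy_installed = 0;
    int before = rpmtsRelabel(&ts, "/usr/bin/ls", ctx, sizeof ctx);
    policy_installed = 1;        /* the policy plugin just loaded new policy */
    int after = rpmtsRelabel(&ts, "/usr/bin/ls", ctx, sizeof ctx);
    rpmtsSELabelFini(&ts);
    return before * 10 + after;
}

int main(void) {
    printf("default run: %d (expect 12: no policy, then labelled)\n", run_demo(0));
    printf("--nocontexts run: %d (expect 0: disabled both times)\n", run_demo(1));
    return 0;
}
```

With the flag and the handle kept apart, the first attempt reports "no policy yet" and the retry after policy installation succeeds, while --nocontexts stays off for the whole transaction and never opens a handle at all.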