BTW, I have noticed that a few symbols are unexpectedly unavailable during my development work.

1. create_instance() in default_engine.c is not available, even if --enable-default-engine was provided.
2. safe_strtoull() in util.c is not available from the engine module.

It seems to me that the lack of the -rdynamic option drops these unreferenced symbols from the binary (at build time).

The gcc man page says the following:

| -rdynamic
|     Pass the flag -export-dynamic to the ELF linker, on targets that
|     support it. This instructs the linker to add all symbols, not only
|     used ones, to the dynamic symbol table. This option is needed
|     for some uses of "dlopen" or to allow obtaining backtraces from
|     within a program.

and

| -dynamic
|     These options are passed to the Darwin linker. The Darwin linker
|     man page describes them in detail.

How about the attached patch?

And I have a question. Do we have an explicit release schedule for memcached with engine interfaces?

Thanks,

(2010/07/21 18:03), KaiGai Kohei wrote:
> Sorry for the delay.
>
> I tried to implement an engine module which also provides an access control
> feature based on SELinux. Right now, it does not have any design problems
> and works fine.
>
> At first, I had a plan that selinux_engine.so would provide only access
> control features, so any actual key/value stores would be pushed to other
> engine modules like the bucket system.
> However, it was a hard way because there is no guarantee that an item which
> contains a security label in text representation is never wiped out.
> So I also implemented its own storage engine, which makes it possible to
> associate a security label with each item.
>
> Steps to use:
> (we assume engine-based memcached is installed at /usr/local/memcached)
>
> % svn co http://sepgsql.googlecode.com/svn/trunk/memcached selinux-engine
> % cd selinux-engine
> % make && make install
>
> % /usr/local/memcached/bin/memcached -E selinux_engine.so \
>     -s /tmp/memcached.sock
>
> Example of usage:
>
> [kai...@saba ~]$ runcon -l s0 mcdclient.php add abc 'hello world' unix:///tmp/memcached.sock
> success to add [key:abc, value:hello world]
> [kai...@saba ~]$ runcon -l s0:c0 -- mcdclient.php add xyz 'i like curry' unix:///tmp/memcached.sock
> success to add [key:xyz, value:i like curry]
> [kai...@saba ~]$ runcon -l s0:c1 -- mcdclient.php add zzz 'i like coke' unix:///tmp/memcached.sock
> success to add [key:zzz, value:i like coke]
>
> (*) runcon allows launching a program with more restricted privileges.
>     In this case, the default label of the item is the same as the client's label.
>
> [kai...@saba ~]$ runcon -l s0 -- mcdclient.php get abc unix:///tmp/memcached.sock
> 'abc' => 'hello world'
> [kai...@saba ~]$ runcon -l s0 -- mcdclient.php get xyz unix:///tmp/memcached.sock
> no entry for 'xyz'
> [kai...@saba ~]$ runcon -l s0 -- mcdclient.php get zzz unix:///tmp/memcached.sock
> no entry for 'zzz'
>
> The 's0' domain dominates 's0', but neither 's0:c0' nor 's0:c1', so 'xyz'
> and 'zzz' are invisible.
>
> The debug log also shows:
> uavc: denied { read } for scontext=unconfined_u:unconfined_r:unconfined_t:s0 \
>       tcontext=unconfined_u:object_r:sepgsql_blob_t:s0:c0 tclass=db_blob
>
> [kai...@saba ~]$ runcon -l s0:c0 -- mcdclient.php get abc unix:///tmp/memcached.sock
> 'abc' => 'hello world'
> [kai...@saba ~]$ runcon -l s0:c0 -- mcdclient.php get xyz unix:///tmp/memcached.sock
> 'xyz' => 'i like curry'
> [kai...@saba ~]$ runcon -l s0:c0 -- mcdclient.php get zzz unix:///tmp/memcached.sock
> no entry for 'zzz'
>
> The 's0:c0' domain dominates 's0' and 's0:c0', but not 's0:c1', so 'zzz' is
> invisible.
>
> [kai...@saba ~]$ runcon -l s0:c1 -- mcdclient.php get abc unix:///tmp/memcached.sock
> 'abc' => 'hello world'
> [kai...@saba ~]$ runcon -l s0:c1 -- mcdclient.php get xyz unix:///tmp/memcached.sock
> no entry for 'xyz'
> [kai...@saba ~]$ runcon -l s0:c1 -- mcdclient.php get zzz unix:///tmp/memcached.sock
> 'zzz' => 'i like coke'
>
> The 's0:c1' domain dominates 's0' and 's0:c1', but not 's0:c0', so 'xyz' is
> invisible.
>
> Thanks,
> --
> KaiGai Kohei <[email protected]>
memcached-add-rdynamic.patch
Description: application/octect-stream
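The visibility pattern in the quoted session (s0 sees only abc; s0:c0 sees abc and xyz; s0:c1 sees abc and zzz) is the MLS dominance rule: a subject level dominates an object level when its sensitivity is at least as high and its category set is a superset. The following is an added example, not code from this thread or from the selinux_engine project. It parses SELinux MLS levels (including the `c0,c3` list and `c0.c3` range forms, which go beyond the single-category labels used above), checks dominance, and replays the quoted key/value store so the three clients see exactly the keys the session shows. It is a simplified model: in the real engine the decision is made by the SELinux AVC on the db_blob class, as the quoted `uavc: denied { read }` line shows, and the sample items and their labels are constructed here to match the session.

```python
"""Added example: MLS dominance check modelled on the quoted selinux_engine session.

Assumptions (not from the thread): levels are written 's<N>[:c<A>[,c<B>|.c<C>]...]',
and a read of an item is permitted only when the client's level dominates the
item's level. The real engine defers to the SELinux AVC (class db_blob); this
is a stand-alone model of that rule.
"""
import re
from typing import FrozenSet, List, NamedTuple, Optional


class Level(NamedTuple):
    sensitivity: int
    categories: FrozenSet[int]


_SENS = re.compile(r"^s(\d+)$")
_CAT = re.compile(r"^c(\d+)$")


def parse_level(text: str) -> Level:
    """Parse 's0', 's0:c0', 's1:c0,c3' or 's0:c0.c3' into a Level.

    Categories are comma separated; 'cX.cY' denotes the inclusive range X..Y.
    """
    sens_part, _, cat_part = text.strip().partition(":")
    m = _SENS.match(sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in level {text!r}")
    cats = set()
    if cat_part:
        for piece in cat_part.split(","):
            lo, _, hi = piece.partition(".")
            mlo = _CAT.match(lo)
            if not mlo:
                raise ValueError(f"bad category in level {text!r}")
            start = end = int(mlo.group(1))
            if hi:
                mhi = _CAT.match(hi)
                if not mhi or int(mhi.group(1)) < start:
                    raise ValueError(f"bad category range in level {text!r}")
                end = int(mhi.group(1))
            cats.update(range(start, end + 1))
    return Level(int(m.group(1)), frozenset(cats))


def dominates(subject: str, obj: str) -> bool:
    """True when subject's sensitivity >= obj's and subject's categories are a superset."""
    a, b = parse_level(subject), parse_level(obj)
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


# Constructed sample store mirroring the quoted session: each item carries the
# level of the client that added it (the engine's default label for new items).
ITEMS = {
    "abc": ("hello world", "s0"),
    "xyz": ("i like curry", "s0:c0"),
    "zzz": ("i like coke", "s0:c1"),
}


def get(client_level: str, key: str, items=ITEMS) -> Optional[str]:
    """Return the value, or None for both a missing key and a non-dominated item.

    Treating the two cases alike matches the quoted session, where a denied read
    is reported to the client exactly like an absent key ("no entry for ...").
    """
    if key not in items:
        return None
    value, item_level = items[key]
    return value if dominates(client_level, item_level) else None


def visible_keys(client_level: str, items=ITEMS) -> List[str]:
    """Keys a client at the given level can read from the sample store."""
    return sorted(k for k in items if get(client_level, k, items) is not None)


if __name__ == "__main__":
    for lvl in ("s0", "s0:c0", "s0:c1", "s0:c0,c1", "s1"):
        print(f"{lvl:>9}: {visible_keys(lvl)}")
```

Running the block prints one line per client level; the first three match the quoted session, and the last two show that adding categories widens visibility while raising only the sensitivity (s1) does not grant access to categorised items.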
