Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On 10/15/2012 09:12 AM, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } ACK, Martin -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. I didn't think the driver is opened for every other driver used. In this case the initialization of the matchpathcon should be dealt with in some other way. Or can't we open the security driver only once? @Guannan: is there a problem this fixes? How come it worked without the init before? Martin -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On Mon, Oct 15, 2012 at 12:40:56PM +0200, Martin Kletzander wrote: On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. I didn't think the driver is opened for every other driver used. In this case the initialization of the matchpathcon should be dealt with in some other way. Or can't we open the security driver only once? I say we ignore use of matchpathcon_fini(), and simply call matchpathcon_init() from a VIR_GLOBAL_INIT macro Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On 10/15/2012 06:40 PM, Martin Kletzander wrote: On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. I didn't think the driver is opened for every other driver used. In this case the initialization of the matchpathcon should be dealt with in some other way. Or can't we open the security driver only once? @Guannan: is there a problem this fixes? How come it worked without the init before? Martin No, there is no a bug/problem to fix, the patch just actively initializes the active context configuration database. If we don't do this, the matchpathcon will do it instead. I am going to add them in a better way later. This patch has nothing to do with the 2/2 patch. Guannan -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On Mon, Oct 15, 2012 at 07:03:07PM +0800, Guannan Ren wrote: On 10/15/2012 06:40 PM, Martin Kletzander wrote: On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. I didn't think the driver is opened for every other driver used. In this case the initialization of the matchpathcon should be dealt with in some other way. Or can't we open the security driver only once? @Guannan: is there a problem this fixes? How come it worked without the init before? Martin No, there is no a bug/problem to fix, the patch just actively initializes the active context configuration database. If we don't do this, the matchpathcon will do it instead. I am going to add them in a better way later. There *is* a bug, because you are calling the init/fini methods multiple times and the libselinux code does not handle that usage in a safe manner. Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 1/2] selinux: load and free selinux active file contexts configuration database
On 10/15/2012 07:35 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 07:03:07PM +0800, Guannan Ren wrote: On 10/15/2012 06:40 PM, Martin Kletzander wrote: On 10/15/2012 12:22 PM, Daniel P. Berrange wrote: On Mon, Oct 15, 2012 at 03:12:45PM +0800, Guannan Ren wrote: If we use matchpathcon() to look up selinux context for specific pathname, it'd better actively load file contexts database by matchpathcon_init() and free memory when finished using matchpathcon by matchpathcon_fini(). --- src/security/security_selinux.c | 8 1 file changed, 8 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 10135ed..b278e2c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -667,6 +667,10 @@ virSecuritySELinuxSecurityDriverProbe(const char *virtDriver) static int virSecuritySELinuxSecurityDriverOpen(virSecurityManagerPtr mgr) { +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_init(NULL) 0) +VIR_WARN(cannot load selinux active file contexts configuration); +#endif return virSecuritySELinuxInitialize(mgr); } @@ -685,6 +689,10 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr) VIR_FREE(data-file_context); VIR_FREE(data-content_context); +#ifndef HAVE_SELINUX_LABEL_H +if (matchpathcon_fini() 0) +VIR_WARN(cannot free allocated memory for selinux); +#endif return 0; } I'm not convinced this is safe, because the security drivers can be opened multiple times, eg LXC and QEMU, and this is changing the global static state of the SELinux library. I didn't think the driver is opened for every other driver used. In this case the initialization of the matchpathcon should be dealt with in some other way. Or can't we open the security driver only once? @Guannan: is there a problem this fixes? How come it worked without the init before? Martin No, there is no a bug/problem to fix, the patch just actively initializes the active context configuration database. If we don't do this, the matchpathcon will do it instead. I am going to add them in a better way later. There *is* a bug, because you are calling the init/fini methods multiple times and the libselinux code does not handle that usage in a safe manner. Daniel Yes, I learned this from your comments in other emails I means this patch is not to fix particular existing BZ. I will try to add init/fini in a global way later. :) -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list