Re: [PATCH] selinux-at: new module
From: Jim Meyering
Subject: Re: [PATCH] selinux-at: new module
Date: Fri, 07 Aug 2009 11:08:30 +0200
Bruno Haible wrote:
> Hi Jim,
>
>> +int getfileconat (int fd, char const *file, security_context_t *con);
>> +int lgetfileconat (int fd, char const *file, security_context_t *con);
>> +int setfileconat (int fd, char const *file, security_context_t con);
>> +int lsetfileconat (int fd, char const *file, security_context_t con);
>
> These functions have no specification, neither in the .h file nor in the .c
> file. A specification is probably easy to make up, by reference to getfilecon
> and setfilecon (for which gnulib also lacks documentation, btw, see [1] and
> [2]).
>
>> +gl_save_LIBS=$LIBS
>> + LIB_SELINUX=
>> + AC_SEARCH_LIBS([setfilecon], [selinux],
>> + [test "$ac_cv_search_setfilecon" = "none required" ||
>> + LIB_SELINUX=$ac_cv_search_setfilecon])
>> + AC_SUBST(LIB_SELINUX)
>> +LIBS=$gl_save_LIBS
>
> These lines are not necessary; LIB_SELINUX is already set by
> m4/selinux-selinux-h.m4, which is part of the 'selinux-h' module,
> on which 'selinux-at' depends.
>
>> +Include:
>> +selinux-at.h
>
> The filename here should be enclosed in double-quotes or angle brackets,
> otherwise "gnulib-tool --extract-include-directive selinux-at" and
> MODULES.html.sh produce an unusable output.
>
> Bruno
>
>
> [1] http://lists.gnu.org/archive/html/bug-gnulib/2008-10/msg00399.html
> [2] http://lists.gnu.org/archive/html/bug-gnulib/2008-10/msg00400.html
Thanks again.
This addresses your comments in this file (not yet those in the links):
From 733e7c2482a9c937b3491704fe97fe7f14622dad Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Fri, 7 Aug 2009 10:57:17 +0200
Subject: [PATCH] selinux-at: remove redundant m4 code, add documentation
* modules/selinux-at (configure.ac): Remove redundant code.
LIB_SELINUX is already set via the dependent module, selinux-h.
(Include): Add quotes around selinux-at.h.
* lib/selinux-at.h: Add documentation.
Reported by Bruno Haible in
http://marc.info/?l=gnulib-bug&m=124958988300749
---
ChangeLog | 10 ++++++++++
lib/selinux-at.h | 37 +++++++++++++++++++++++++++++++++----
modules/selinux-at | 9 +--------
3 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1ce6194..1b3af02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2009-08-07 Jim Meyering <address@hidden>
+
+ selinux-at: remove redundant m4 code, add documentation
+ * modules/selinux-at (configure.ac): Remove redundant code.
+ LIB_SELINUX is already set via the dependent module, selinux-h.
+ (Include): Add quotes around selinux-at.h.
+ * lib/selinux-at.h: Add documentation.
+ Reported by Bruno Haible in
+ http://marc.info/?l=gnulib-bug&m=124958988300749
+
2009-08-07 Bruno Haible <address@hidden>
Avoid link error on MacOS X 10.3 and 10.4.
diff --git a/lib/selinux-at.h b/lib/selinux-at.h
index 212e252..cd7bf94 100644
--- a/lib/selinux-at.h
+++ b/lib/selinux-at.h
@@ -17,7 +17,36 @@
#include <selinux/selinux.h>
#include <selinux/context.h>
-int getfileconat (int fd, char const *file, security_context_t *con);
-int lgetfileconat (int fd, char const *file, security_context_t *con);
-int setfileconat (int fd, char const *file, security_context_t con);
-int lsetfileconat (int fd, char const *file, security_context_t con);
+/* These are the dir-fd-relative variants of the functions without the
+ "at" suffix. For example, getfileconat (AT_FDCWD, file, &c) is usually
+ equivalent to getfileconat (file, &c). The emulation is accomplished
+ by first attempting getfilecon ("/proc/self/fd/DIRFD/FILE", &c).
+ Failing that, simulate it via save_cwd/fchdir/getfilecon/restore_cwd.
+ If either the save_cwd or the restore_cwd fails (relatively unlikely),
+ then give a diagnostic and exit nonzero. */
+
+/* dir-fd-relative getfilecon. Set *CON to the SELinux security context
+ of the file specified by DIRFD and FILE and return the length of *CON.
+ DIRFD and FILE are interpreted as for fstatat[*]. A non-NULL *CON
+ must be freed with freecon. Upon error, set *CON to NULL, set errno
+ and return -1.
+ [*] with flags=0 here, with flags=AT_SYMLINK_NOFOLLOW for lgetfileconat */
+int getfileconat (int dirfd, char const *file, security_context_t *con);
+
+/* dir-fd-relative lgetfilecon. This function is just like getfileconat,
+ except when DIRFD and FILE specify a symlink: lgetfileconat operates on
+ the symlink, while getfileconat operates on the referent of the symlink. */
+int lgetfileconat (int dirfd, char const *file, security_context_t *con);
+
+/* dir-fd-relative setfilecon. Set the SELinux security context of
+ the file specified by DIRFD and FILE to CON. DIRFD and FILE are
+ interpreted as for fstatat[*]. Upon success, return 0.
+ Otherwise, return -1 and set errno. */
+int setfileconat (int dirfd, char const *file, security_context_t con);
+
+/* dir-fd-relative lsetfilecon. This function is just like setfileconat,
+ except that rather than dereferencing a symlink, this function affects it.
*/
+/* dir-fd-relative lsetfilecon. This function is just like setfileconat,
+ except when DIRFD and FILE specify a symlink: lsetfileconat operates on
+ the symlink, while setfileconat operates on the referent of the symlink. */
+int lsetfileconat (int dirfd, char const *file, security_context_t con);
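Review bot: the example in the new leading comment compares getfileconat (AT_FDCWD, file, &c) with getfileconat (file, &c); the second call should read getfilecon (file, &c), the non-"at" function whose behaviour is being described, since getfileconat takes a dirfd argument. The hunk also leaves two comment blocks above lsetfileconat; the first one ("except that rather than dereferencing a symlink, this function affects it.") looks like a leftover draft of the second and should be dropped so that a single specification remains, matching the getfileconat/lgetfileconat pair. Since the leading comment documents the save_cwd/fchdir/restore_cwd fallback, it would also help callers to state there that this fallback temporarily changes the process-wide working directory, not just the view of the calling function.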
diff --git a/modules/selinux-at b/modules/selinux-at
index 191429a..925219d 100644
--- a/modules/selinux-at
+++ b/modules/selinux-at
@@ -12,18 +12,11 @@ selinux-h
configure.ac:
AC_CHECK_HEADERS([selinux/flask.h])
AC_LIBOBJ([selinux-at])
-gl_save_LIBS=$LIBS
- LIB_SELINUX=
- AC_SEARCH_LIBS([setfilecon], [selinux],
- [test "$ac_cv_search_setfilecon" = "none required" ||
- LIB_SELINUX=$ac_cv_search_setfilecon])
- AC_SUBST(LIB_SELINUX)
-LIBS=$gl_save_LIBS
Makefile.am:
Include:
-selinux-at.h
+"selinux-at.h"
License:
GPL
--
1.6.4.115.g33d49