Thread

  1. Re: [v9.1] sepgsql - userspace access vector cache

    Yeb Havinga <yebhavinga@gmail.com> — 2011-07-22T09:23:21Z

    On 2011-07-21 11:29, Kohei Kaigai wrote:
    > The attached patch is revised userspace-avc patch.
    >
    > List of updates:
    > - The GUC of sepgsql.avc_threshold was removed.
    > - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
    > - Comments added onto static variables
    > - Comments of sepgsql_avc_unlabeled() were revised.
    > - Comments of sepgsql_avc_compute() were simplified.
    > - Comments of sepgsql_avc_check_perms_label() also mention the
    >    permissive domain, which performs similarly to the system's permissive mode.
    > - selinux_status_close() is now invoked from the on_proc_exit() hook.
    Thank you for the update. I'm looking at it right now and, with a fresh 
    look, have some more questions. I took the liberty of supplying a patch to 
    be applied on top of your v5 uavc patch.
    
    1) At a few call sites of sepgsql_avc_lookup, a null tcontext is 
    detected and then replaced by "unlabeled". I moved this into 
    sepgsql_avc_lookup itself.
    2) Also, I wondered whether it could work to not remember that tcontext is 
    valid, but instead remember the consequence, which is that it is replaced 
    by "unlabeled". That makes the avc_cache struct shorter and the code 
    somewhat simpler.
    
    regards,
    -- 
    
    Yeb Havinga
    http://www.mgrid.net/
    Mastering Medical Data
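The two changes Yeb describes above, centralising the null-to-"unlabeled" substitution in the lookup and caching the resolved label instead of a validity flag, illustrated as an added example. This is not the sepgsql patch or any PostgreSQL code: the avc_cache layout, the hard-coded unlabeled context string (sepgsql obtains the real one from libselinux), the toy compute_av() policy oracle and the function bodies are all assumptions made for the illustration; only the function name sepgsql_avc_lookup and the "unlabeled" fallback come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the initial "unlabeled" context; the real sepgsql code
 * obtains it from libselinux rather than hard-coding it. */
static const char *UNLABELED_CONTEXT = "system_u:object_r:unlabeled_t:s0";

/* One userspace AVC entry. tcontext is stored already resolved: a NULL label
 * at lookup time was replaced by UNLABELED_CONTEXT before the entry was made,
 * so no separate tcontext_is_valid flag is needed. */
typedef struct avc_cache
{
    char             *scontext;
    char             *tcontext;
    uint16_t          tclass;
    uint32_t          allowed;   /* bitmask of permitted access vectors */
    struct avc_cache *next;
} avc_cache;

static avc_cache    *avc_head = NULL;
static unsigned long avc_computes = 0;   /* how often the slow path ran */

/* Assumed policy oracle standing in for the kernel query. Constructed rule:
 * a labeled target grants bits 0x7, an unlabeled target grants only 0x1. */
static uint32_t
compute_av(const char *scontext, const char *tcontext, uint16_t tclass)
{
    (void) scontext;
    (void) tclass;
    avc_computes++;
    return strcmp(tcontext, UNLABELED_CONTEXT) == 0 ? 0x1 : 0x7;
}

static char *
dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char  *copy = malloc(len);

    if (copy == NULL)
        abort();
    return memcpy(copy, s, len);
}

/* The NULL -> "unlabeled" substitution lives in the lookup itself, so callers
 * never special-case a missing label and cannot forget to. */
static avc_cache *
sepgsql_avc_lookup(const char *scontext, const char *tcontext, uint16_t tclass)
{
    avc_cache *cache;

    if (tcontext == NULL)
        tcontext = UNLABELED_CONTEXT;

    for (cache = avc_head; cache != NULL; cache = cache->next)
        if (cache->tclass == tclass &&
            strcmp(cache->scontext, scontext) == 0 &&
            strcmp(cache->tcontext, tcontext) == 0)
            return cache;            /* hit: NULL and explicit unlabeled share it */

    cache = malloc(sizeof(*cache));
    if (cache == NULL)
        abort();
    cache->scontext = dup_string(scontext);
    cache->tcontext = dup_string(tcontext);   /* already the resolved label */
    cache->tclass = tclass;
    cache->allowed = compute_av(scontext, tcontext, tclass);
    cache->next = avc_head;
    avc_head = cache;
    return cache;
}

/* True when every bit in `required` is permitted for the triple. */
bool
sepgsql_avc_check_perms(const char *scontext, const char *tcontext,
                        uint16_t tclass, uint32_t required)
{
    avc_cache *cache = sepgsql_avc_lookup(scontext, tcontext, tclass);

    return (cache->allowed & required) == required;
}

/* Exposed so a caller can observe that repeated lookups hit the cache. */
unsigned long
sepgsql_avc_compute_count(void)
{
    return avc_computes;
}
```

A check with a NULL target label and a check with the explicit unlabeled context resolve to the same cache entry, so the policy oracle runs once for both; a labeled target of the same class is a distinct entry and runs it again.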