sysvinit-devel

[sysvinit-devel] Re: sysvinit 2.88 and SELinux policy


From: Michal Svoboda
Subject: [sysvinit-devel] Re: sysvinit 2.88 and SELinux policy
Date: Sat, 8 May 2010 09:11:14 +0200
User-agent: Mutt/1.5.20 (2009-06-14)

Martin Orr wrote:
> The differences here are that the new code ensures that /proc is
> mounted, and !is_selinux_enabled() becomes (is_selinux_enabled() >
> 0).
 
> I think the change was due to this:
> http://thread.gmane.org/gmane.comp.security.selinux/13320
> (is_selinux_enabled() returns -1 if /proc not mounted).

They might have been inspired by it, but it is a completely different
fix from the one I proposed.

In the original context, the C expression "!is_selinux_enabled()"
means "is_selinux_enabled() == 0". However, the function is tristate, as
its return values are -1, 0, and 1. In addition to 0, we also want -1 to
execute the code block below, so the expression becomes
"(foo = is_selinux_enabled(), foo == 0 || foo == -1)", or simply put
"is_selinux_enabled() != 1".

And why do we want that? Because the function checks if we already have a
policy loaded in the kernel. 1 means yes, 0 means no and -1 means no as
well. No need to mess with mounting /proc ;-)


Michal Svoboda

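The tristate point above, as an added example that is not part of the mail or of sysvinit or libselinux. Instead of calling the real is_selinux_enabled(), the two helpers take its return value as a parameter (a hypothetical arrangement used here only so the logic runs without libselinux), and old_check_wants_load() / new_check_wants_load() are names chosen for this illustration. The -1 case is where the original "!is_selinux_enabled()" test and the "!= 1" test diverge: the old test silently skips policy loading when the function cannot tell, which is exactly the failure mode the thread discusses.

```c
#include <stdio.h>

/* libselinux's is_selinux_enabled() is tristate:
 *    1 = a policy is already loaded in the kernel
 *    0 = no policy loaded
 *   -1 = could not determine (for example, /proc not mounted)
 * The helpers below take that return value as a parameter so the
 * decision logic can be exercised without libselinux present. */

/* The original sysvinit test, "!is_selinux_enabled()": true only when
 * the return value is 0, so a -1 result skips loading the policy. */
int old_check_wants_load(int rc)
{
    return !rc;
}

/* The test proposed in the thread, "is_selinux_enabled() != 1": load
 * unless a policy is already present; 0 and -1 both mean "not loaded". */
int new_check_wants_load(int rc)
{
    return rc != 1;
}

/* Number of the three possible return values on which the two tests
 * disagree.  Shows that the only behavioural difference is the -1 case. */
int count_disagreements(void)
{
    const int rcs[] = { -1, 0, 1 };
    int disagreements = 0;
    for (size_t i = 0; i < sizeof rcs / sizeof rcs[0]; i++)
        if (old_check_wants_load(rcs[i]) != new_check_wants_load(rcs[i]))
            disagreements++;
    return disagreements;
}

int main(void)
{
    const int rcs[] = { -1, 0, 1 };
    for (size_t i = 0; i < sizeof rcs / sizeof rcs[0]; i++)
        printf("rc=%2d  old check loads: %d  new check loads: %d\n",
               rcs[i], old_check_wants_load(rcs[i]),
               new_check_wants_load(rcs[i]));
    printf("return values on which the checks disagree: %d\n",
           count_disagreements());
    return 0;
}
```

Running it prints one line per return value; only rc=-1 differs between the two columns, which is why the "!= 1" form needs no /proc mounting step to behave correctly when the state cannot be read.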

