From 5d6308abab5b759c26a3cee48329184945647a75 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 2 Aug 2012 18:50:32 -0400
Subject: [PATCH] cache the selabel context between uses (dwalsh)

- selinux: hang on to the list of selinux contexts, freeing and reloading it only when the file we read it from is modified, freeing it when the shared library is being unloaded (#845125)
---
 krb5-1.10.2-selinux-label.patch | 49 ++++++++++++++++++++++++++-------
 krb5.spec | 9 ++++--
 2 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/krb5-1.10.2-selinux-label.patch b/krb5-1.10.2-selinux-label.patch
index 448aaec..565c04f 100644
--- a/krb5-1.10.2-selinux-label.patch
+++ b/krb5-1.10.2-selinux-label.patch
@@ -465,7 +465,7 @@ which we used earlier, is some improvement.
 --- krb5/src/util/support/selinux.c
 +++ krb5/src/util/support/selinux.c
-@@ -0,0 +1,373 @@
+@@ -0,0 +1,402 @@
 +/*
 + * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved.
 + *
@@ -504,7 +504,7 @@ which we used earlier, is some improvement.
 +#ifdef USE_SELINUX
 +
 +#include
-+#include
++#include
 +#include
 +#include
 +#include
@@ -535,15 +535,28 @@ which we used earlier, is some improvement.
 + k5_mutex_finish_init(&labeled_mutex);
 +}
 +
++#ifdef HAVE_SELINUX_LABEL_H
++static struct selabel_handle *selabel_ctx;
++static time_t selabel_last_changed;
++
++MAKE_FINI_FUNCTION(cleanup_fscreatecon);
++
++static void
++cleanup_fscreatecon(void)
++{
++ if (selabel_ctx != NULL) {
++ selabel_close(selabel_ctx);
++ selabel_ctx = NULL;
++ }
++}
++#endif
++
 +static security_context_t
 +push_fscreatecon(const char *pathname, mode_t mode)
 +{
 + security_context_t previous, configuredsc, currentsc, derivedsc;
 + context_t current, derived;
 + const char *fullpath, *currentuser;
-+#ifdef HAVE_SELINUX_LABEL_H
-+ struct selabel_handle *ctx;
-+#endif
 +
 + previous = NULL;
 + if (is_selinux_enabled()) {
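Review bot: The new file-scope `selabel_ctx` and `selabel_last_changed` in the third hunk carry no comment saying what they hold or what serialises access to them, so a reader of this block cannot tell that `selabel_last_changed` is a file mtime rather than a cache age. I would add above the declarations: `/* Cached handle for the file-contexts database, reloaded by push_fscreatecon when the file it was read from changes; selabel_last_changed is that file's mtime as of the last reload (or the time of the last failed stat of it). */`, and on `cleanup_fscreatecon` a line noting that it runs at library unload via MAKE_FINI_FUNCTION and assumes no other thread is still using the handle at that point. push_fscreatecon's body continues outside this hunk.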
@@ -584,18 +597,34 @@ which we used earlier, is some improvement.
 +#endif
 + configuredsc = NULL;
 +#ifdef HAVE_SELINUX_LABEL_H
-+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-+ if (ctx != NULL) {
-+ if (selabel_lookup(ctx, &configuredsc,
++ if (selabel_ctx != NULL) {
++ const char *cpath;
++ struct stat st;
++ int i = -1;
++ cpath = selinux_file_context_path();
++ if ((cpath == NULL) ||
++ ((i = stat(cpath, &st)) != 0) ||
++ (st.st_mtime != selabel_last_changed)) {
++ selabel_close(selabel_ctx);
++ selabel_ctx = NULL;
++ selabel_last_changed = i ?
++ time(NULL) :
++ st.st_mtime;
++ }
++ }
++ if (selabel_ctx == NULL) {
++ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
++ NULL, 0);
++ }
++ if (selabel_ctx != NULL) {
++ if (selabel_lookup(selabel_ctx, &configuredsc,
 + fullpath, mode) != 0) {
-+ selabel_close(ctx);
 + free(genpath);
 + if (previous != NULL) {
 + freecon(previous);
 + }
 + return NULL;
 + }
-+ selabel_close(ctx);
 + }
 +#else
 + if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
diff --git a/krb5.spec b/krb5.spec
index d8c6a09..e5ade6f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -768,7 +768,12 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
-* Tue Jul 31 2012 Nalin Dahyabhai 1.10.2-6
+* Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-7
+- selinux: hang on to the list of selinux contexts, freeing and reloading
+ it only when the file we read it from is modified, freeing it when the
+ shared library is being unloaded (#845125)
+
+* Thu Aug 2 2012 Nalin Dahyabhai 1.10.2-6
 - go back to not messing with library file paths on Fedora 17: it breaks file path dependencies in other packages, and since Fedora 17 is already released, breaking that is our fault
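Review bot: The cached handle `selabel_ctx` and `selabel_last_changed` are now process-wide state, but the close-and-reopen sequence and the `selabel_lookup(selabel_ctx, ...)` call that follows run without any lock visible in this hunk; if push_fscreatecon can be entered from two threads at once (the file initialises `labeled_mutex`, but whether callers hold it here is outside the hunk), one thread's `selabel_close(selabel_ctx)` frees the handle the other is about to hand to `selabel_lookup`, so this block should be serialised under `labeled_mutex` or a dedicated mutex. A smaller point: `selabel_last_changed` is not set on the `selabel_ctx == NULL` open path, so the first call after every open compares the file's mtime against a stale value (0 before the first reload) and closes and reopens the freshly loaded handle once more than necessary; recording the mtime at open time, as below, avoids that and keeps the stat and open in one place. push_fscreatecon begins and ends outside this hunk.
```c
#ifdef HAVE_SELINUX_LABEL_H
    {
        const char *cpath = selinux_file_context_path();
        struct stat st;
        int have_stat = (cpath != NULL) && (stat(cpath, &st) == 0);

        /* Drop the cached handle if the file it was read from changed
         * (or can no longer be checked), then (re)open it and remember
         * the mtime of what was actually loaded. */
        if ((selabel_ctx != NULL) &&
            (!have_stat || (st.st_mtime != selabel_last_changed))) {
            selabel_close(selabel_ctx);
            selabel_ctx = NULL;
        }
        if (selabel_ctx == NULL) {
            selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
            selabel_last_changed = have_stat ? st.st_mtime : time(NULL);
        }
    }
    if (selabel_ctx != NULL) {
        /* … unchanged: selabel_lookup and its error cleanup … */
```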