libselinux: avoid logs in get_ordered_context_list() without policy

If no policy has been loaded yet and thus the current context is still "kernel" avoid logging failures in get_ordered_context_list(), like: get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts Move the context parsing from get_context_user() to its caller get_ordered_context_list(), so an invalid context is not treated as an get_context_user() failure and not logged. Signed-off-by: Christian Göttsche <[email protected]> Acked-by: James Carter <[email protected]>
SELinuxProject · Mar 27, 2024 · 6e2f703 · 6e2f703
1 parent 5937e9b
commit 6e2f703
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
@@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str)
 }
 
 static int get_context_user(FILE * fp,
- const char * fromcon,
+ context_t fromcon,
  const char * user,
  char ***reachable,
  unsigned int *nreachable)
@@ -146,7 +146,6 @@ static int get_context_user(FILE * fp,
  char **new_reachable = NULL;
  char *usercon_str;
  const char *usercon_str2;
- context_t con;
  context_t usercon;
 
  int rc;
@@ -155,14 +154,10 @@ static int get_context_user(FILE * fp,
 
  /* Extract the role and type of the fromcon for matching.
  User identity and MLS range can be variable. */
- con = context_new(fromcon);
- if (!con)
- return -1;
- fromrole = context_role_get(con);
- fromtype = context_type_get(con);
- fromlevel = context_range_get(con);
+ fromrole = context_role_get(fromcon);
+ fromtype = context_type_get(fromcon);
+ fromlevel = context_range_get(fromcon);
  if (!fromrole || !fromtype) {
- context_free(con);
  return -1;
  }
 
@@ -296,7 +291,6 @@ static int get_context_user(FILE * fp,
  rc = 0;
 
  out:
- context_free(con);
  free(line);
  return rc;
 }
@@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user,
  char *fname = NULL;
  size_t fname_len;
  const char *user_contexts_path = selinux_user_contexts_path();
+ context_t con = NULL;
 
  if (!fromcon) {
  /* Get the current context and use it for the starting context */
@@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user,
  fromcon = backup_fromcon;
  }
 
+ con = context_new(fromcon);
+ if (!con)
+ goto failsafe;
+
  /* Determine the ordering to apply from the optional per-user config
  and from the global config. */
  fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user,
  fp = fopen(fname, "re");
  if (fp) {
  __fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
 
  fclose(fp);
  if (rc < 0 && errno != ENOENT) {
@@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user,
  fp = fopen(selinux_default_context_path(), "re");
  if (fp) {
  __fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
  fclose(fp);
  if (rc < 0 && errno != ENOENT) {
  selinux_log(SELINUX_ERROR,
@@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user,
  else
  freeconary(reachable);
 
+ context_free(con);
  freecon(backup_fromcon);
 
  return rc;