[Toybox] What's setransd?
Rob Landley
rob at landley.net
Wed Aug 18 03:46:22 PDT 2021
I'm trying to implement tar --selinux and it really looks like setfscreatecon()
and getfileconat() mostly boil down to simple things like "open a /proc file and
read/write a blob of data", ala:
int sefd = -1;
...
if ((FLAG(selinux) && !(FLAG(t)|FLAG(O)))
&& strstart(&pp, "RHT.security.selinux="))
{
i = strlen(pp);
sefd = xopen("/proc/self/attr/fscreate", O_WRONLY|WARN_ONLY);
if (sefd == -1 || i!=write(sefd, pp, i))
perror_msg("setfscreatecon %s", pp);
}
...
if (sefd != -1) {
write(sefd, 0, 0);
close(sefd);
sefd = -1;
}
...except that's the _raw versions of the function. The non-raw versions do a
network transaction (via _iovec_???) with "setransd" and googling for that one
of the first hits is https://selinuxproject.org/page/MLSStatements which talks
about translating security context info to/from "human readable" format?
I'm aware this was invented by Red Hat and is thus at LEAST as insane and
overengineered as systemd, but... do you know what that's all about and is there
an easy way for me to NOT? (I dowanna try to do magic fallback config things to
chop the --selinux help text out of the help text, I've changed my mind about
that level of complexity/configurability being worth it and kind of want to
eliminate that plumbing. So it's going to always DOCUMENT --selinux but can't
link to the library functions without the config symbol enabled, but if I don't
actually NEED the library...
Yeah, I _CAN_ add a lot more "#define setfscreatecon(...)" crap to stub out the
functions when it's disabled, but I don't want to? "Reach out and talk to the
kernel directly" looked almost sane for a moment as long as I didn't have to
care what was IN the data blob. Which none of the other implementations seems
to, but they're using the "cooked" functions which go through this daemon I've
never heard of which doesn't appear to have anything like a man page...
Rob
More information about the Toybox
mailing list