
Re: Making SELinux standard for etch



Ian Jackson wrote:
> Furthermore, the SELinux patches I have seen in various applications
> have given me an extremely poor impression of the code quality[1].
> This will probably extend to other areas of SELinux.
> 
> I say, ditch SELinux.
> 
> Ian.
> 
> [1] Here's just one example, from src/archives.c in dpkg:
> 
>   #ifdef WITH_SELINUX
>     /*
>      * if selinux is enabled, restore the default security context
>      */
>     if (selinux_enabled > 0)
>       if(setfscreatecon(NULL) < 0)
> 	perror("Error restoring default security context:");
>   #endif /* WITH_SELINUX */
> 
> Error checking ?  We don't need no steenking error checking, this is
> SECURITY software !  Quick, dump your brains and deploy it !

Without checking these functions for what they return it's hard to say
how bad this is, but it does look like it's checking the return values
for an error (albeit not doing anything other than printing a message).
Without more context it's impossible to say whether not resetting the
default security context is bad or not.


Matt.