danwalsh


Dan Walsh's Blog

Got SELinux?


Open Source how do I love thee, let me count the ways.
Yesterday I got contacted by Red Hat Support about a problem we had in libselinux. If you are setting up confined users, you can use the semanage login command to set up a group of Linux users to be assigned to a confined user type.

# semanage login -a -s staff_u -r s0-s0:c0.c1023 %wheel

This command would cause all Linux users in the wheel group to log in as the staff_u SELinux user. Well, we had a bug in the getseuserbyname function in libselinux. When you log in to a system, the pam_selinux module uses this function to figure out which SELinux user should be used for your UID. There was a bug where we were not allocating enough memory for reading the entire group file contents. Basically, if the number of users within a group was too large, the library would stop reading.
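The class of bug described above, as an added example that is not libselinux code and not the customer's patch: a group lookup that gives up when the entry does not fit its buffer, next to one that grows the buffer and retries. It assumes glibc's fgetgrent_r() reading constructed group data from memory; group_has_member and the sample member names are hypothetical.

```c
#define _GNU_SOURCE   /* fgetgrent_r() and fmemopen() need glibc feature macros */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data (not from the post): "wheel" has a long member list. */
static const char SAMPLE_GROUP[] =
    "root:x:0:\n"
    "wheel:x:10:alice,bob,carol,dave,erin,frank,grace,heidi,ivan,judy,"
    "mallory,niaj,olivia,peggy,rupert,sybil,trent,victor,walter,zoe\n";

/* Hypothetical helper. Returns 1 if user is listed in group, 0 if not, -1 on error.
 * grow == 0: one fixed buffer, ERANGE ends the lookup (the bug class).
 * grow != 0: on ERANGE double the buffer and rescan until the entry fits. */
int group_has_member(const char *data, const char *group, const char *user,
                     size_t buflen, int grow)
{
    FILE *fp = fmemopen((void *)data, strlen(data), "r");
    char *buf = buflen ? malloc(buflen) : NULL;
    int found = (fp && buf) ? 0 : -1;
    while (found == 0) {
        struct group grp, *res = NULL;
        int rc = fgetgrent_r(fp, &grp, buf, buflen, &res);
        if (rc == ERANGE && grow) {
            char *bigger = realloc(buf, buflen * 2);
            if (!bigger) { found = -1; break; }
            buf = bigger;
            buflen *= 2;
            rewind(fp);                 /* restart the scan with more room */
            continue;
        }
        if (rc != 0 || !res) break;     /* end of data, or ERANGE left unhandled */
        if (strcmp(grp.gr_name, group) != 0) continue;
        for (char **m = grp.gr_mem; *m && !found; m++)
            found = (strcmp(*m, user) == 0);
        break;
    }
    if (fp) fclose(fp);
    free(buf);
    return found;
}

int main(void)
{
    printf("fixed 32-byte buffer: %d\n", group_has_member(SAMPLE_GROUP, "wheel", "zoe", 32, 0));
    printf("growing buffer:       %d\n", group_has_member(SAMPLE_GROUP, "wheel", "zoe", 32, 1));
}
```

With the fixed buffer the lookup reports "not a member" for a user who is listed, so a group-based mapping would quietly not apply to that user; the retry loop is the usual way to handle ERANGE from the *_r group functions.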

A customer of ours found the problem and reported it.  

Now the reason I love Open Source...

The customer did not stop there. They downloaded our source, found the problem, built a patch and attached it to the bug report. So all I had to do was apply the patch and start the errata process. This is the type of stuff that can't happen in a closed source system, and is why Open Source is better...

Open source is like The Elves and the Shoemaker, just don't tell my boss. :^)

Looks like the customer in question was also quite serious about what they should get in the errata package and did a security review of it in advance. ;)
