
libselinux: fix selinux_restorecon() on non-SELinux hosts

Message ID 20180926151254.1794-1-sds@tycho.nsa.gov (mailing list archive)
State Accepted

Commit Message

Stephen Smalley Sept. 26, 2018, 3:12 p.m. UTC
The kernel only supports seclabel if it is >= 2.6.30 _and_
SELinux is enabled, since seclabel is generated by SELinux
based partly on policy (e.g. is the filesystem type configured in policy
with a labeling behavior that supports userspace labeling). For some
reason, when this logic was moved from setfiles to libselinux,
the test of whether SELinux was enabled was dropped.  Restore it.

This is necessary to enable use of setfiles on non-SELinux hosts
without requiring explicit use of the -m option.

Fixes: 602347c7422e971a5674fe2767267a96e3b4f61c ("policycoreutils: setfiles - Modify to use selinux_restorecon")
Reported-by: sajjad ahmed <sajjad_ahmed782@yahoo.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Richard Haines <richard_c_haines@btinternet.com>
---
 libselinux/src/selinux_restorecon.c | 2 ++
 1 file changed, 2 insertions(+)
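The commit message describes a two-part gate: the "seclabel" mount option in /proc/mounts only means something when the kernel is at least 2.6.30 and SELinux is enabled, and the patch restores the second half. The following is an added C example, not libselinux code, that models exclude_non_seclabel_mounts() end to end: the gate, then a scan of /proc/mounts-formatted text that collects the mount points lacking "seclabel". Assumed names: kver_cmp() stands in for the glibc strverscmp() call in the real function, the selinux_enabled parameter of seclabel_gate() stands in for the return value of is_selinux_enabled() (1, 0, or -1 on error), and MOUNT_SAMPLE is constructed input, not output from a real host.

```c
/* Added example (not libselinux code): models exclude_non_seclabel_mounts()
 * after the fix. Assumed names: kver_cmp, seclabel_gate, scan_mounts,
 * excluded_mounts, MOUNT_SAMPLE. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXCL 16

/* Numeric compare of dotted kernel releases ("2.6.29" < "2.6.30" < "4.18.0-rc1").
 * libselinux uses strverscmp(); this portable stand-in is an assumption. */
static int kver_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long na = strtol(a, (char **)&a, 10);
        long nb = strtol(b, (char **)&b, 10);
        if (na != nb)
            return na < nb ? -1 : 1;
        if (*a == '.') a++; else if (*a) break;   /* stop at a "-rc1" style suffix */
        if (*b == '.') b++; else if (*b) break;
    }
    return 0;
}

/* 1 = kernel >= 2.6.30 AND SELinux enabled, so "seclabel" in /proc/mounts is
 * meaningful and the scan should run; 0 = skip the scan (exclude nothing).
 * selinux_enabled mirrors is_selinux_enabled(): 1, 0, or -1 on error, and the
 * error case is folded into "disabled" exactly as the patch's "<= 0" does. */
static int seclabel_gate(const char *release, int selinux_enabled)
{
    if (kver_cmp(release, "2.6.30") < 0)
        return 0;
    if (selinux_enabled <= 0)       /* the check the patch restores */
        return 0;
    return 1;
}

/* Parse /proc/mounts-formatted text ("dev mountpoint fstype options ...") and
 * copy each mount point whose option list lacks "seclabel" into excl[].
 * Returns the number excluded, or -1 if excl[] is full. */
static int scan_mounts(const char *mounts, char excl[][64], int max)
{
    int n = 0;
    const char *line = mounts;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : line + len;

        char *save;
        char *dev  = strtok_r(buf, " ", &save);
        char *mp   = strtok_r(NULL, " ", &save);
        char *fs   = strtok_r(NULL, " ", &save);
        char *opts = strtok_r(NULL, " ", &save);
        (void)dev; (void)fs;
        if (!mp || !opts)
            continue;               /* malformed line: ignore it */

        int has_seclabel = 0;
        for (char *o = strtok_r(opts, ",", &save); o; o = strtok_r(NULL, ",", &save))
            if (strcmp(o, "seclabel") == 0) { has_seclabel = 1; break; }

        if (!has_seclabel) {
            if (n >= max)
                return -1;
            snprintf(excl[n++], 64, "%s", mp);
        }
    }
    return n;
}

/* Patched behaviour: nothing is excluded unless both gate conditions hold. */
static int excluded_mounts(const char *release, int selinux_enabled,
                           const char *mounts, char excl[][64], int max)
{
    if (!seclabel_gate(release, selinux_enabled))
        return 0;
    return scan_mounts(mounts, excl, max);
}

/* Constructed sample in /proc/mounts format (not captured from a real host). */
static const char MOUNT_SAMPLE[] =
    "/dev/sda1 / ext4 rw,relatime,seclabel 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0\n"
    "/dev/sdb1 /mnt/usb vfat rw,relatime,fmask=0022 0 0\n";

int main(void)
{
    char excl[MAX_EXCL][64];
    const struct { const char *rel; int en; } cases[] = {
        { "2.6.29", 1 }, { "4.18.0", 0 }, { "4.18.0", -1 }, { "4.18.0", 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = excluded_mounts(cases[i].rel, cases[i].en, MOUNT_SAMPLE, excl, MAX_EXCL);
        printf("kernel %s, is_selinux_enabled()=%d -> %d excluded:",
               cases[i].rel, cases[i].en, n);
        for (int j = 0; j < n; j++)
            printf(" %s", excl[j]);
        printf("\n");
    }
    return 0;
}
```

Only the last case (new kernel, SELinux enabled) excludes anything: /proc and /mnt/usb, the two mounts without "seclabel". With SELinux disabled the scan is skipped and the count is 0, which is what lets setfiles run on a non-SELinux host without -m; before the fix, the disabled case would have fallen through to the scan and excluded every mount, since no mount carries "seclabel" when SELinux is off.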

Comments

William Roberts Sept. 26, 2018, 3:16 p.m. UTC | #1
On Wed, Sep 26, 2018 at 8:12 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:

> The kernel only supports seclabel if it is >= 2.6.30 _and_
> SELinux is enabled, since seclabel is generated by SELinux
> based partly on policy (e.g. is the filesystem type configured in policy
> with a labeling behavior that supports userspace labeling). For some
> reason, when this logic was moved from setfiles to libselinux,
> the test of whether SELinux was enabled was dropped.  Restore it.
>
> This is necessary to enable use of setfiles on non-SELinux hosts
> without requiring explicit use of the -m option.
>
> Fixes: 602347c7422e971a5674fe2767267a96e3b4f61c ("policycoreutils:
> setfiles - Modify to use selinux_restorecon")
> Reported-by: sajjad ahmed <sajjad_ahmed782@yahoo.com>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  libselinux/src/selinux_restorecon.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libselinux/src/selinux_restorecon.c
> b/libselinux/src/selinux_restorecon.c
> index 41f22250..34a6408a 100644
> --- a/libselinux/src/selinux_restorecon.c
> +++ b/libselinux/src/selinux_restorecon.c
> @@ -241,6 +241,8 @@ static int exclude_non_seclabel_mounts(void)
>         /* Check to see if the kernel supports seclabel */
>         if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
>                 return 0;
> +       if (is_selinux_enabled() <= 0)
> +               return 0;
>
>
LGTM


>         fp = fopen("/proc/mounts", "re");
>         if (!fp)
> --
> 2.14.4
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>

Patch

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 41f22250..34a6408a 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -241,6 +241,8 @@  static int exclude_non_seclabel_mounts(void)
 	/* Check to see if the kernel supports seclabel */
 	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
 		return 0;
+	if (is_selinux_enabled() <= 0)
+		return 0;
 
 	fp = fopen("/proc/mounts", "re");
 	if (!fp)
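Review bot: the restored check folds is_selinux_enabled()'s error return (-1) into the disabled case via `<= 0`, which is the safe direction (returning 0 here excludes nothing, so a failed probe never causes a mount to be skipped), but that intent is not written down and the comment above the two early returns still only mentions the kernel version. Extend it so both returns read as one rule, e.g. `/* seclabel is only generated when the kernel is >= 2.6.30 and SELinux is enabled; treat a probe error as disabled */`, so the next person moving this code does not drop the second test again as the commit message says happened the first time.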