From: Daniel J Walsh <dwalsh@redhat.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Caleb Case <ccase@tresys.com>,
	selinux@tycho.nsa.gov
Subject: Re: [PATCH] setfiles fails to relabel if selinux not enabled
Date: Tue, 15 Sep 2009 16:48:31 -0400
Message-ID: <4AAFFD9F.2040908@redhat.com>
In-Reply-To: <06A6610D4F464D4EBEAFBF2C5F86911E014CEA9F@exchange2.columbia.tresys.com>

On 09/15/2009 04:23 PM, Joshua Brindle wrote:
> On 2009-09-15 Stephen Smalley wrote:
>> On Tue, 2009-09-15 at 15:20 -0400, Caleb Case wrote:
>>> Setfiles now checks the capabilities on the mounted file systems for
>>> 'seclabel' (see setfiles/setfiles.c:723:exclude_non_seclabel_mounts) on
>>> newer kernels (>=2.6.30 see setfiles.c:734). However the 'seclabel'
>>> feature is not available if selinux is not enabled. The result is that
>>> setfiles silently fails to relabel any filesystems.
>>>
>>> The patch below removes the check for seclabel if selinux is disabled.
>>>
>>> As an alternative maybe seclabel should be available even if selinux
>>> is disabled? It seems that whether a fs supports security labels is
>>> independent of selinux being enabled.
>>
>> That would be difficult as the seclabel option is driven by policy,
>> not just by the presence/absence of xattr handlers (the issue is
>> whether SELinux will honor setxattr operations, which is not the case
>> for filesystems using genfscon or context mount options).
>>
>> So I guess this is the best we can do.
>>
> 
> What is the best we can do? Should we always attempt to relabel if
> selinux is disabled or not?
> 
>>> ---
>>>  policycoreutils/setfiles/setfiles.c |    2 ++
>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>>> diff --git a/policycoreutils/setfiles/setfiles.c
>>> b/policycoreutils/setfiles/setfiles.c
>>> index 313767a..db2857f 100644
>>> --- a/policycoreutils/setfiles/setfiles.c
>>> +++ b/policycoreutils/setfiles/setfiles.c
>>> @@ -750,6 +750,8 @@ static void exclude_non_seclabel_mounts()
>>>  	/* Check to see if the kernel supports seclabel */
>>>  	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
>>>  		return;
>>> +	if (is_selinux_enabled() <= 0)
>>> +		return;
>>>
>>>  	fp = fopen("/proc/mounts", "r");
>>>  	if (!fp)
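Review bot: the new early return needs its own comment, because the comment just above it ("Check to see if the kernel supports seclabel") no longer describes what the second check does; something like `/* SELinux disabled: no mount reports seclabel, so exclude nothing and relabel everything */` would record the intent given in the cover text. Two behavioural points should also be spelled out: returning before the `/proc/mounts` scan means that with SELinux disabled no filesystem is excluded at all, so setfiles now traverses and relabels every mount, including ones that would otherwise have been skipped; and `<= 0` also treats the error return of is_selinux_enabled() (-1) as "disabled", which is probably the wanted fallback here but deserves a line in the commit message.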
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
We want setfiles to work if selinux is disabled.

We have a use case of livecd creation on a box with SELinux disabled for example.

