From: Joshua Brindle <method@manicmethod.com>
To: Caleb Case <ccase@tresys.com>
Cc: selinux@tycho.nsa.gov, jbrindle@tresys.com, sds@tycho.nsa.gov
Subject: Re: [PATCH] setfiles fails to relabel if selinux not enabled
Date: Wed, 16 Sep 2009 17:13:30 -0400
Message-ID: <4AB154FA.7020305@manicmethod.com>
In-Reply-To: <1253042418-28141-1-git-send-email-ccase@tresys.com>



Caleb Case wrote:
> Setfiles now checks the capabilities on the mounted file systems for
> 'seclabel' (see setfiles/setfiles.c:723:exclude_non_seclabel_mounts) on
> newer kernels (>=2.6.30 see setfiles.c:734). However the 'seclabel'
> feature is not available if selinux is not enabled. The result is that
> setfiles silently fails to relabel any filesystems.
>
> The patch below removes the check for seclabel if selinux is disabled.
>
> As an alternative maybe seclabel should be available even if selinux is
> disabled? It seems that whether a fs supports security labels is
> independent of selinux being enabled.
> ---
>   policycoreutils/setfiles/setfiles.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
> index 313767a..db2857f 100644
> --- a/policycoreutils/setfiles/setfiles.c
> +++ b/policycoreutils/setfiles/setfiles.c
> @@ -750,6 +750,8 @@ static void exclude_non_seclabel_mounts()
>   	/* Check to see if the kernel supports seclabel */
>   	if (uname(&uts) == 0&&  strverscmp(uts.release, "2.6.30")<  0)
>   		return;
> +	if (is_selinux_enabled()<= 0)
> +		return;
>
>   	fp = fopen("/proc/mounts", "r");
>   	if (!fp)
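
Review bot: the added `if (is_selinux_enabled()<= 0) return;` in exclude_non_seclabel_mounts() carries no comment, and the existing comment above it ("Check to see if the kernel supports seclabel") only describes the uname()/strverscmp() test. Please add a one-line comment giving the reason stated in the commit message: seclabel is not available when SELinux is disabled, so the exclusion must be skipped or nothing gets relabeled. Also note that `<= 0` sends a negative return down the same path as 0, so a failure to determine SELinux state is silently treated as "disabled"; if that is intended, say so in the comment, otherwise handle the negative case separately with a diagnostic. Style nit: the surrounding code's spacing around operators is inconsistent; `is_selinux_enabled() <= 0` would read better.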


Merged in policycoreutils 2.0.74
