From: Stephen Smalley <sds@tycho.nsa.gov>
To: Petr Lautrbach <plautrba@redhat.com>, selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: is_selinux_enabled(): drop no-policy-loaded test.
Date: Mon, 11 May 2015 09:43:26 -0400 [thread overview]
Message-ID: <5550B1FE.5040304@tycho.nsa.gov> (raw)
In-Reply-To: <5550B134.6050606@redhat.com>
On 05/11/2015 09:40 AM, Petr Lautrbach wrote:
> On 04/17/2015 03:42 PM, Stephen Smalley wrote:
>> SELinux can be disabled via the selinux=0 kernel parameter or via
>> /sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
>> /etc/selinux/config). In either case, selinuxfs will be unmounted
>> and unregistered and therefore it is sufficient to check for the
>> selinuxfs mount. We do not need to check for no-policy-loaded and
>> treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
>> days. Drop the no-policy-loaded test, which was a bit of a hack anyway
>> (checking whether getcon_raw() returned "kernel" as that can only happen
>> if no policy is yet loaded and therefore security_sid_to_context() only
>> has the initial SID name available to return as the context).
>>
>> May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074
>> by virtue of removing the call to getcon_raw() and therefore avoiding
>> use of tls on is_selinux_enabled() calls. Regardless, it will make
>> is_selinux_enabled() faster and simpler.
>>
>
> This patch breaks system with SELinux enabled kernel and without
> loaded/installed an SELinux policy, see [1].
>
> Would it be feasible to have is_selinux_enabled() connected to existence
> of SELINUX variable in /etc/selinux/config file for the cases when
> there's no specific kernel command line option used in running system?
> Or would it break something else?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1219045
Sorry, does this occur even if they have SELINUX=disabled in
/etc/selinux/config?
next prev parent reply other threads:[~2015-05-11 13:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-17 13:42 [PATCH] libselinux: is_selinux_enabled(): drop no-policy-loaded test Stephen Smalley
2015-05-11 13:40 ` Petr Lautrbach
2015-05-11 13:43 ` Stephen Smalley [this message]
2015-05-11 13:49 ` Petr Lautrbach
2015-05-11 14:02 ` Stephen Smalley
2015-05-11 14:04 ` Stephen Smalley
2015-05-11 14:11 ` Petr Lautrbach
2015-05-11 14:52 ` Stephen Smalley
2015-05-11 15:27 ` Dominick Grift
2015-05-12 12:54 ` Petr Lautrbach
2015-05-12 12:56 ` Stephen Smalley
2015-05-12 13:51 ` Petr Lautrbach
2015-05-12 13:59 ` Stephen Smalley
2015-05-12 14:27 ` Petr Lautrbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5550B1FE.5040304@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=plautrba@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.