[PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure

SELinux Security Module development
 help / color / mirror / Atom feed

* [PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure
@ 2026-03-04 20:02 Stephen Smalley
  2026-04-23 11:43 ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2026-03-04 20:02 UTC (permalink / raw)
  To: selinux; +Cc: omosnace, jwcart2, Stephen Smalley

Even if we cannot mount sysfs ourselves (e.g. in a user namespace),
we can still try to mount on /sys/fs/selinux first prior to falling
back to /selinux.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 libselinux/src/load_policy.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 8e737a23..bb7f2dd0 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -290,16 +290,11 @@ int selinux_init_load_policy(int *enforce)
 	 */
 	const char *mntpoint = NULL;
 	/* First make sure /sys is mounted */
-	if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
-		/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
-		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
-			mntpoint = SELINUXMNT;
-		} else {
-			/* check old mountpoint */
-			if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
-				mntpoint = OLDSELINUXMNT;
-			}
-		}
+	(void) mount("sysfs", "/sys", "sysfs", 0, 0);
+
+	/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
+	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
 	} else {
 		/* check old mountpoint */
 		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure
  2026-03-04 20:02 [PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure Stephen Smalley
@ 2026-04-23 11:43 ` Petr Lautrbach
  2026-05-11 16:44   ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2026-04-23 11:43 UTC (permalink / raw)
  To: Stephen Smalley, selinux; +Cc: omosnace, jwcart2, Stephen Smalley

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> Even if we cannot mount sysfs ourselves (e.g. in a user namespace),
> we can still try to mount on /sys/fs/selinux first prior to falling
> back to /selinux.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Acked-by: Petr Lautrbach <lautrbach@redhat.com>


> ---
>  libselinux/src/load_policy.c | 15 +++++----------
>  1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index 8e737a23..bb7f2dd0 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -290,16 +290,11 @@ int selinux_init_load_policy(int *enforce)
>  	 */
>  	const char *mntpoint = NULL;
>  	/* First make sure /sys is mounted */
> -	if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
> -		/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
> -		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
> -			mntpoint = SELINUXMNT;
> -		} else {
> -			/* check old mountpoint */
> -			if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
> -				mntpoint = OLDSELINUXMNT;
> -			}
> -		}
> +	(void) mount("sysfs", "/sys", "sysfs", 0, 0);
> +
> +	/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
> +	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
> +		mntpoint = SELINUXMNT;
>  	} else {
>  		/* check old mountpoint */
>  		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
> -- 
> 2.52.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure
  2026-04-23 11:43 ` Petr Lautrbach
@ 2026-05-11 16:44   ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2026-05-11 16:44 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: selinux, omosnace, jwcart2

On Thu, Apr 23, 2026 at 7:43 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
> > Even if we cannot mount sysfs ourselves (e.g. in a user namespace),
> > we can still try to mount on /sys/fs/selinux first prior to falling
> > back to /selinux.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>

I went ahead and merged this.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-11 16:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-04 20:02 [PATCH] libselinux: Do not fall back to /selinux on a sysfs mount failure Stephen Smalley
2026-04-23 11:43 ` Petr Lautrbach
2026-05-11 16:44   ` Stephen Smalley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox