Description of problem: Currently if I mount a file system without labels, it works fine, but later or SELinux will start printing denials and stopping certain applications from working. It would be nice if the mount command checked it selinux mode. if is_selinux_enabled() > 0 if getfscon(ROOT) == file_t print "Warning: You just mounted an file system that supports labels which does not contain labels, onto an SELinux box. It is likely that confined applications will generate AVC messages and not be allowed access to this file system. You can add labels to this file system by executing restorecon MOUNTPOINT. If you do not want to add labels to this file system, you should mount the file system using one of the "context" options.
"getfscon" -- I can't found this function. Do you mean "getfilecon"?
Yes I mean getfilecon.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Created attachment 310018 [details] proposed upstream patch Dan, review this patch, please.
Steve, Eric? Is there a better way to check if a file that supports extended attributes/file_context is unlabeled, other then hard coding file_t check?
We shouldn't hardcode the type in the code. You should be able to call security_get_initial_context("file", &fcon) to obtain the default file context in fcan in the absence of an xattr, and then strcmp against fcon. Might also want to compare against ucon returned by security_get_initial_context("unlabeled", &ucon) to test for filesystem type that doesn't support labeling.
Created attachment 310274 [details] patch v2 The security_get_initial_context() based solution seems better. Stephen, Dan, review a new version of the patch. Thanks.
I think you want the is_selinux_enabled() test to be > 0 so that it will fall back on the non-SELinux code path if it cannot determine whether SELinux is enabled, and I think you want the security_get_initial_context() test to be == 0 rather than > 0; I believe it returns only 0 or -1 for success/fail rather than the actual length, unlike getfilecon.
:(In reply to comment #8) > I think you want the is_selinux_enabled() test to be > 0 so that it will > fall Uf... according to the libselinux source code you are right. This is pretty strange behavior. The name of the function is "is_" -- it means true/false test. I guess many applications use "if (is_selinux_enabled())" only. Dan, can you fix the is_selinux_enabled.3 man page or the function to return 0/1 only? Thanks. [Stephen, thanks for your review. I'm going to commit a fixed version to upstream repository.]