Red Hat Bugzilla – Bug 390691
mount should check selinux context on mount, and warn on file_t.
Last modified: 2008-07-01 09:12:36 EDT
Description of problem:
Currently if I mount a file system without labels, it works fine, but later on
SELinux will start printing denials and stopping certain applications from
working. It would be nice if the mount command checked in selinux mode.
if is_selinux_enabled() > 0
    if getfscon(ROOT) == file_t
        print "Warning: You just mounted a file system that supports labels
which does not contain labels, onto an SELinux box. It is likely that confined
applications will generate AVC messages and not be allowed access to this file
system. You can add labels to this file system by executing restorecon
MOUNTPOINT. If you do not want to add labels to this file system, you should
mount the file system using one of the "context" options."
"getfscon" -- I can't find this function. Do you mean "getfilecon"?
Yes I mean getfilecon.
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Created attachment 310018
proposed upstream patch
Dan, review this patch, please.
Steve, Eric? Is there a better way to check if a file that supports extended
attributes/file_context is unlabeled, other than hard-coding the file_t check?
We shouldn't hardcode the type in the code.
You should be able to call security_get_initial_context("file", &fcon) to obtain
the default file context in fcon in the absence of an xattr, and then strcmp
against fcon. Might also want to compare against ucon returned by
security_get_initial_context("unlabeled", &ucon) to test for filesystem type
that doesn't support labeling.
Created attachment 310274
The security_get_initial_context() based solution seems better. Stephen, Dan,
review a new version of the patch. Thanks.
I think you want the is_selinux_enabled() test to be > 0 so that it will fall
back on the non-SELinux code path if it cannot determine whether SELinux is
enabled, and I think you want the security_get_initial_context() test to be == 0
rather than > 0; I believe it returns only 0 or -1 for success/fail rather than
the actual length, unlike getfilecon.
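The return-value conventions raised in this review, as an added example that is not part of the bug report or the attached patch. The hypothetical classify_mount() helper takes the raw results of is_selinux_enabled(), security_get_initial_context() and getfilecon() as arguments so the decision logic runs without libselinux; the context strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

enum mount_label_status {
    LABEL_CHECK_SKIPPED,  /* SELinux off, state unknown, or a lookup failed */
    LABEL_OK,             /* root of the mount carries its own label */
    LABEL_MISSING,        /* equals the "file" initial context: warn */
    LABEL_UNSUPPORTED     /* equals the "unlabeled" initial context */
};

/* Constructed sample contexts; real values come from the loaded policy. */
static const char SAMPLE_FCON[] = "system_u:object_r:file_t:s0";
static const char SAMPLE_UCON[] = "system_u:object_r:unlabeled_t:s0";

/*
 * Hypothetical helper. Arguments are the raw results of:
 *   enabled_rc       is_selinux_enabled()                      1, 0 or -1
 *   fcon_rc, fcon    security_get_initial_context("file")      0 or -1
 *   ucon_rc, ucon    security_get_initial_context("unlabeled") 0 or -1
 *   mnt_rc, mntcon   getfilecon(mountpoint)                    length or -1
 */
enum mount_label_status
classify_mount(int enabled_rc, int fcon_rc, const char *fcon,
               int ucon_rc, const char *ucon, int mnt_rc, const char *mntcon)
{
    /* "> 0", not "!= 0": -1 (cannot tell) takes the non-SELinux path. */
    if (enabled_rc <= 0)
        return LABEL_CHECK_SKIPPED;
    /* getfilecon gives a length on success, so only a negative value fails. */
    if (mnt_rc < 0 || mntcon == NULL)
        return LABEL_CHECK_SKIPPED;
    /* security_get_initial_context gives 0 on success, never a length. */
    if (fcon_rc != 0 || fcon == NULL)
        return LABEL_CHECK_SKIPPED;
    if (strcmp(mntcon, fcon) == 0)
        return LABEL_MISSING;
    if (ucon_rc == 0 && ucon != NULL && strcmp(mntcon, ucon) == 0)
        return LABEL_UNSUPPORTED;
    return LABEL_OK;
}

int main(void)
{
    /* Constructed case: mount root still at the default file context. */
    int s = classify_mount(1, 0, SAMPLE_FCON, 0, SAMPLE_UCON,
                           (int)sizeof(SAMPLE_FCON), SAMPLE_FCON);
    printf("status=%d\n", s);
    return s == LABEL_MISSING ? 0 : 1;
}
```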
:(In reply to comment #8)
> I think you want the is_selinux_enabled() test to be > 0 so that it will
Uf... according to the libselinux source code you are right. This is pretty
strange behavior. The name of the function is "is_" -- it means true/false.
I guess many applications use "if (is_selinux_enabled())" only.
Dan, can you fix the is_selinux_enabled.3 man page or the function to return
0/1 only? Thanks.
[Stephen, thanks for your review. I'm going to commit a fixed version to