authorKarel Zak2012-01-20 13:14:26 +0100
committerKarel Zak2012-01-20 13:14:26 +0100
commit4e45dfb9a608e67753a603aeb16b89e43ec8a540 (patch)
tree96029295a4d72d64898fc8c5703b58847f078dad
parentfindmnt: add note about LIBMOUNT_* env.variables (diff)
mount: (new) add selinux warning
Signed-off-by: Karel Zak <kzak@redhat.com>
-rw-r--r--sys-utils/Makefile.am5
-rw-r--r--sys-utils/mount.c36
2 files changed, 37 insertions, 4 deletions
diff --git a/sys-utils/Makefile.am b/sys-utils/Makefile.am
index 7038abaf4..c5cb57082 100644
--- a/sys-utils/Makefile.am
+++ b/sys-utils/Makefile.am
@@ -66,7 +66,7 @@ mount_SOURCES = mount.c \
$(top_srcdir)/lib/xgetpass.c \
$(top_srcdir)/lib/strutils.c
-mount_LDADD = $(ul_libmount_la)
+mount_LDADD = $(ul_libmount_la) $(SELINUX_LIBS)
mount_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) -I$(ul_libmount_incdir)
mount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
@@ -80,7 +80,7 @@ bin_PROGRAMS += mount.static
mount_static_SOURCES = $(mount_SOURCES)
mount_static_CFLAGS = $(mount_CFLAGS)
mount_static_LDFLAGS = $(mount_LDFLAGS) -all-static
-mount_static_LDADD = $(mount_LDADD)
+mount_static_LDADD = $(mount_LDADD) $(SELINUX_LIBS_STATIC)
endif
if HAVE_STATIC_UMOUNT
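Review bot: `mount_static_LDADD` now expands `$(mount_LDADD)`, which after the first hunk already carries `$(SELINUX_LIBS)`, and then appends `$(SELINUX_LIBS_STATIC)`, so the `-all-static` link line gets both variables. If `SELINUX_LIBS_STATIC` is meant to replace the dynamic set (it presumably adds libselinux's own static dependencies), it would be cleaner to keep the common libraries in one variable and list them explicitly here, e.g. `mount_static_LDADD = $(ul_libmount_la) $(SELINUX_LIBS_STATIC)`. The definitions of both variables are outside this diff, so confirm against configure.ac before changing it.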
@@ -90,7 +90,6 @@ umount_static_CFLAGS = $(umount_CFLAGS)
umount_static_LDFLAGS = $(umount_LDFLAGS) -all-static
umount_static_LDADD = $(umount_LDADD)
endif
-
endif # BUILD_NEW_MOUNT
diff --git a/sys-utils/mount.c b/sys-utils/mount.c
index b59790501..b2f0be8b3 100644
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@@ -258,6 +258,37 @@ static int handle_generic_errors(int rc, const char *msg)
return EX_FAIL;
}
+#if defined(HAVE_LIBSELINUX) && defined(HAVE_SECURITY_GET_INITIAL_CONTEXT)
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+
+static void selinux_warning(struct libmnt_context *cxt, const char *tgt)
+{
+
+ if (tgt && mnt_context_is_verbose(cxt) && is_selinux_enabled() > 0) {
+ security_context_t raw = NULL, def = NULL;
+
+ if (getfilecon(tgt, &raw) > 0
+ && security_get_initial_context("file", &def) == 0) {
+
+ if (!selinux_file_context_cmp(raw, def))
+ printf(_(
+ "mount: %s does not contain SELinux labels.\n"
+ " You just mounted an file system that supports labels which does not\n"
+ " contain labels, onto an SELinux box. It is likely that confined\n"
+ " applications will generate AVC messages and not be allowed access to\n"
+ " this file system. For more details see restorecon(8) and mount(8).\n"),
+ tgt);
+ }
+ freecon(raw);
+ freecon(def);
+ }
+}
+#else
+# define selinux_warning(_x)
+#endif
+
+
/*
* rc = 0 success
* <0 error (usually -errno or -1)
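Review bot: The `#else` fallback `# define selinux_warning(_x)` takes one argument, but the call added in the next hunk is `selinux_warning(cxt, tgt)` with two, so a build without HAVE_LIBSELINUX or HAVE_SECURITY_GET_INITIAL_CONTEXT should fail in the preprocessor; it should read `# define selinux_warning(_x, _y)`. The warning is also printed with `printf()` to stdout and only when `mnt_context_is_verbose(cxt)` is true, so a non-verbose mount of an unlabeled filesystem on an enforcing host is reported nowhere, and verbose callers get the text mixed into stdout rather than stderr. A short comment above the function would help, for example `/* Warn if the mounted target has only the initial "file" context, i.e. carries no SELinux labels. */`, and it should state why the check is limited to verbose mode. The message itself says "an file system", which should be "a file system".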
@@ -282,11 +313,14 @@ try_readonly:
*/
return mnt_context_get_helper_status(cxt);
- if (rc == 0 && mnt_context_get_status(cxt) == 1)
+ if (rc == 0 && mnt_context_get_status(cxt) == 1) {
/*
* Libmount success && syscall success.
*/
+ selinux_warning(cxt, tgt);
+
return EX_SUCCESS; /* mount(2) success */
+ }
if (!mnt_context_syscall_called(cxt)) {
/*