authorKarel Zak2008-06-23 13:00:00 +0200
committerKarel Zak2008-07-01 14:32:44 +0200
commit4edebc1486133231e38b3881325c374eda567f74 (patch)
tree9001555330677abfe345b5f7ffe5e9abb9582728 /mount/mount.c
parenthwclock: always reads hardware clock (diff)
mount: warn on "file_t" selinux context
Currently if I mount a file system without labels, it works fine, but later on SELinux will start printing denials and stopping certain applications from working. It would be nice if the mount command checked it in selinux mode. Addresses-Red-Hat-Bugzilla: #390691 Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'mount/mount.c')
-rw-r--r--mount/mount.c29
1 files changed, 26 insertions, 3 deletions
diff --git a/mount/mount.c b/mount/mount.c
index bed792d2e..30688ac7c 100644
--- a/mount/mount.c
+++ b/mount/mount.c
@@ -327,7 +327,7 @@ append_context(const char *optname, char *optdata, char **extra_opts)
security_context_t raw = NULL;
char *data = NULL;
- if (!is_selinux_enabled())
+ if (is_selinux_enabled() != 1)
/* ignore the option if we running without selinux */
return 0;
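Review bot: With `is_selinux_enabled() != 1`, any result other than 1 makes `append_context` drop the context option passed in `optname` and return 0 with no diagnostic. If the library can return a negative value on error, as the `!= 1` test suggests, an explicitly requested context is then silently not applied and the file system is mounted with default labelling. I would at least report that case under `verbose` and update the comment to `/* ignore the option if we are running without selinux or its state cannot be determined */`. The third hunk spells the same test as `is_selinux_enabled() > 0`; one form should be used for both. `append_context` starts and ends outside this hunk.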
@@ -338,8 +338,8 @@ append_context(const char *optname, char *optdata, char **extra_opts)
data = *optdata =='"' ? strip_quotes(optdata) : optdata;
if (selinux_trans_to_raw_context(
- (security_context_t) data, &raw)==-1 ||
- raw==NULL)
+ (security_context_t) data, &raw) == -1 ||
+ raw == NULL)
return -1;
if (verbose)
@@ -1370,6 +1370,29 @@ try_mount_one (const char *spec0, const char *node0, const char *types0,
res = EX_FAIL;
out:
+
+#ifdef HAVE_LIBSELINUX
+ if (res != EX_FAIL && is_selinux_enabled() > 0) {
+ security_context_t raw = NULL, def = NULL;
+
+ if (getfilecon(node, &raw) > 0 &&
+ security_get_initial_context("file", &def) == 0) {
+
+ if (!selinux_file_context_cmp(raw, def))
+ printf(_("mount: %s does not contain SELinux labels.\n"
+ " You just mounted an file system that supports labels which does not\n"
+ " contain labels, onto an SELinux box. It is likely that confined\n"
+ " applications will generate AVC messages and not be allowed access to\n"
+ " this file system. You can add labels to this file system by executing\n"
+ " restorecon(8). If you do not want to add labels to this file system,\n"
+ " you should mount the file system using one of the \"context\" mount\n"
+ " option."), node);
+ }
+ freecon(raw);
+ freecon(def);
+ }
+#endif
+
my_free(extra_opts1);
my_free(spec1);
my_free(node1);
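Review bot: The guard `res != EX_FAIL` at the `out:` label lets the label check run for every status other than EX_FAIL. If any path reaches `out:` with a different non-success value (those paths are outside this hunk), `getfilecon(node, &raw)` would inspect the underlying mount point directory and the warning would be misleading. Testing for success explicitly avoids that, e.g. `if (res == 0 && is_selinux_enabled() > 0) {`, assuming 0 is the success status here. The message also ends at `" option."` with no trailing newline, so the next output runs onto the same line; `" option.\n"), node);` fixes it, and as a warning it arguably belongs on stderr rather than stdout. `try_mount_one` starts and ends outside this hunk.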