mount: (new) add selinux warning

Signed-off-by: Karel Zak <kzak@redhat.com>

1 files changed, 35 insertions, 1 deletions

diff --git a/sys-utils/mount.c b/sys-utils/mount.c
index b59790501..b2f0be8b3 100644
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@@ -258,6 +258,37 @@ static int handle_generic_errors(int rc, const char *msg)
 	return EX_FAIL;
 }
 
+#if defined(HAVE_LIBSELINUX) && defined(HAVE_SECURITY_GET_INITIAL_CONTEXT)
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+
+static void selinux_warning(struct libmnt_context *cxt, const char *tgt)
+{
+
+	if (tgt && mnt_context_is_verbose(cxt) && is_selinux_enabled() > 0) {
+		security_context_t raw = NULL, def = NULL;
+
+		if (getfilecon(tgt, &raw) > 0
+		    && security_get_initial_context("file", &def) == 0) {
+
+		if (!selinux_file_context_cmp(raw, def))
+			printf(_(
+	"mount: %s does not contain SELinux labels.\n"
+	"       You just mounted an file system that supports labels which does not\n"
+	"       contain labels, onto an SELinux box. It is likely that confined\n"
+	"       applications will generate AVC messages and not be allowed access to\n"
+	"       this file system.  For more details see restorecon(8) and mount(8).\n"),
+				tgt);
+		}
+		freecon(raw);
+		freecon(def);
+	}
+}
+#else
+# define selinux_warning(_x)
+#endif
+
+
 /*
  * rc = 0 success
  *     <0 error (usually -errno or -1)
@@ -282,11 +313,14 @@ try_readonly:
 		 */
 		return mnt_context_get_helper_status(cxt);
 
-	if (rc == 0 && mnt_context_get_status(cxt) == 1)
+	if (rc == 0 && mnt_context_get_status(cxt) == 1) {
 		/*
 		 * Libmount success && syscall success.
 		 */
+		selinux_warning(cxt, tgt);
+
 		return EX_SUCCESS;	/* mount(2) success */
+	}
 
 	if (!mnt_context_syscall_called(cxt)) {
 		/*