diff options
author | Karel Zak | 2012-01-20 13:14:26 +0100 |
---|---|---|
committer | Karel Zak | 2012-01-20 13:14:26 +0100 |
commit | 4e45dfb9a608e67753a603aeb16b89e43ec8a540 (patch) | |
tree | 96029295a4d72d64898fc8c5703b58847f078dad /sys-utils/mount.c | |
parent | findmnt: add note about LIBMOUNT_* env.variables (diff) | |
download | kernel-qcow2-util-linux-4e45dfb9a608e67753a603aeb16b89e43ec8a540.tar.gz kernel-qcow2-util-linux-4e45dfb9a608e67753a603aeb16b89e43ec8a540.tar.xz kernel-qcow2-util-linux-4e45dfb9a608e67753a603aeb16b89e43ec8a540.zip |
mount: (new) add selinux warning
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'sys-utils/mount.c')
-rw-r--r-- | sys-utils/mount.c | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/sys-utils/mount.c b/sys-utils/mount.c index b59790501..b2f0be8b3 100644 --- a/sys-utils/mount.c +++ b/sys-utils/mount.c @@ -258,6 +258,37 @@ static int handle_generic_errors(int rc, const char *msg) return EX_FAIL; } +#if defined(HAVE_LIBSELINUX) && defined(HAVE_SECURITY_GET_INITIAL_CONTEXT) +#include <selinux/selinux.h> +#include <selinux/context.h> + +static void selinux_warning(struct libmnt_context *cxt, const char *tgt) +{ + + if (tgt && mnt_context_is_verbose(cxt) && is_selinux_enabled() > 0) { + security_context_t raw = NULL, def = NULL; + + if (getfilecon(tgt, &raw) > 0 + && security_get_initial_context("file", &def) == 0) { + + if (!selinux_file_context_cmp(raw, def)) + printf(_( + "mount: %s does not contain SELinux labels.\n" + " You just mounted an file system that supports labels which does not\n" + " contain labels, onto an SELinux box. It is likely that confined\n" + " applications will generate AVC messages and not be allowed access to\n" + " this file system. For more details see restorecon(8) and mount(8).\n"), + tgt); + } + freecon(raw); + freecon(def); + } +} +#else +# define selinux_warning(_x) +#endif + + /* * rc = 0 success * <0 error (usually -errno or -1) @@ -282,11 +313,14 @@ try_readonly: */ return mnt_context_get_helper_status(cxt); - if (rc == 0 && mnt_context_get_status(cxt) == 1) + if (rc == 0 && mnt_context_get_status(cxt) == 1) { /* * Libmount success && syscall success. */ + selinux_warning(cxt, tgt); + return EX_SUCCESS; /* mount(2) success */ + } if (!mnt_context_syscall_called(cxt)) { /* |