From 4e45dfb9a608e67753a603aeb16b89e43ec8a540 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Fri, 20 Jan 2012 13:14:26 +0100
Subject: mount: (new) add selinux warning

Signed-off-by: Karel Zak
---
 sys-utils/mount.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
(limited to 'sys-utils/mount.c')

diff --git a/sys-utils/mount.c b/sys-utils/mount.c
index b59790501..b2f0be8b3 100644
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@@ -258,6 +258,37 @@ static int handle_generic_errors(int rc, const char *msg)
 return EX_FAIL;
 }
 
+#if defined(HAVE_LIBSELINUX) && defined(HAVE_SECURITY_GET_INITIAL_CONTEXT)
+#include
+#include
+
+static void selinux_warning(struct libmnt_context *cxt, const char *tgt)
+{
+
+ if (tgt && mnt_context_is_verbose(cxt) && is_selinux_enabled() > 0) {
+ security_context_t raw = NULL, def = NULL;
+
+ if (getfilecon(tgt, &raw) > 0
+ && security_get_initial_context("file", &def) == 0) {
+
+ if (!selinux_file_context_cmp(raw, def))
+ printf(_(
+ "mount: %s does not contain SELinux labels.\n"
+ " You just mounted an file system that supports labels which does not\n"
+ " contain labels, onto an SELinux box. It is likely that confined\n"
+ " applications will generate AVC messages and not be allowed access to\n"
+ " this file system. For more details see restorecon(8) and mount(8).\n"),
+ tgt);
+ }
+ freecon(raw);
+ freecon(def);
+ }
+}
+#else
+# define selinux_warning(_x)
+#endif
+
+
 /*
 * rc = 0 success
 * <0 error (usually -errno or -1)
@@ -282,11 +313,14 @@ try_readonly:
 */
 return mnt_context_get_helper_status(cxt);
 
- if (rc == 0 && mnt_context_get_status(cxt) == 1)
+ if (rc == 0 && mnt_context_get_status(cxt) == 1) {
 /*
 * Libmount success && syscall success.
 */
+ selinux_warning(cxt, tgt);
+
 return EX_SUCCESS; /* mount(2) success */
+ }
 
 if (!mnt_context_syscall_called(cxt)) {
 /*
-- 
cgit v1.2.3-55-g7522
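Review bot: The fallback stub `# define selinux_warning(_x)` in the `#else` branch takes one argument, but the call added in the second hunk is `selinux_warning(cxt, tgt)`. A build without HAVE_LIBSELINUX or HAVE_SECURITY_GET_INITIAL_CONTEXT should therefore fail in the preprocessor with an argument-count error. Giving the stub the same arity, `# define selinux_warning(_x, _y)`, keeps both configurations compiling. Separately, the check runs only when `mnt_context_is_verbose(cxt)` is true and reports through `printf`, so a non-verbose mount of an unlabeled file system on an SELinux-enabled host stays silent. If that is intended, a short comment above `selinux_warning` saying the message is advisory and verbose-only would make it explicit.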