From 1e44080a17535361587f90608d03562b8925a07c Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 23 Jun 2008 13:00:00 +0200
Subject: [PATCH] mount: warn on "file_t" selinux context
Currently if I mount a file system without labels, it works fine, but later or SELinux will start printing denials and stopping certain applications from working. It would be nice if the mount command checked it in selinux mode.
Addresses-Red-Hat-Bugzilla: #390691
Signed-off-by: Karel Zak
---
 mount/mount.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/mount/mount.c b/mount/mount.c
index 11d408ba..0d28a518 100644
--- a/mount/mount.c
+++ b/mount/mount.c
@@ -331,7 +331,7 @@ append_context(const char *optname, char *optdata, char **extra_opts)
 security_context_t raw = NULL;
 char *data = NULL;
- if (!is_selinux_enabled())
+ if (is_selinux_enabled() != 1)
 /* ignore the option if we running without selinux */
 return 0;
@@ -342,8 +342,8 @@ append_context(const char *optname, char *optdata, char **extra_opts)
 data = *optdata =='"' ? strip_quotes(optdata) : optdata;
 if (selinux_trans_to_raw_context(
- (security_context_t) data, &raw)==-1 ||
- raw==NULL)
+ (security_context_t) data, &raw) == -1 ||
+ raw == NULL)
 return -1;
 if (verbose)
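Review bot: In the first hunk, `if (is_selinux_enabled() != 1)` now also takes the `return 0` path when the call reports an error (-1), so a context option the caller asked for is silently dropped and the mount presumably continues without it. Because the option controls labeling, I would keep "disabled" and "could not tell" apart: ignore the option only on 0 and fail, or at least warn, on a negative return, e.g. `if (is_selinux_enabled() < 0) return -1;` ahead of the existing test. The block added after `out:` in try_mount_one spells the same check `is_selinux_enabled() > 0`; one form in both places would be easier to audit. append_context starts and ends outside this hunk, so how callers treat the 0 return is not visible here.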
@@ -1374,6 +1374,29 @@ try_mount_one (const char *spec0, const char *node0, const char *types0,
 res = EX_FAIL;
 out:
+
+#ifdef HAVE_LIBSELINUX
+ if (res != EX_FAIL && is_selinux_enabled() > 0) {
+ security_context_t raw = NULL, def = NULL;
+
+ if (getfilecon(node, &raw) > 0 &&
+ security_get_initial_context("file", &def) == 0) {
+
+ if (!selinux_file_context_cmp(raw, def))
+ printf(_("mount: %s does not contain SELinux labels.\n"
+ "       You just mounted an file system that supports labels which does not\n"
+ "       contain labels, onto an SELinux box. It is likely that confined\n"
+ "       applications will generate AVC messages and not be allowed access to\n"
+ "       this file system.  You can add labels to this file system by executing\n"
+ "       restorecon(8). If you do not want to add labels to this file system,\n"
+ "       you should mount the file system using one of the \"context\" mount\n"
+ "       option."), node);
+ }
+ freecon(raw);
+ freecon(def);
+ }
+#endif
+
 my_free(extra_opts1);
 my_free(spec1);
 my_free(node1);
--
2.39.5
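Review bot: The unlabeled-filesystem warning in the block added after `out:` is written with `printf` to stdout and its last piece, `" option."`, has no trailing `\n`, so it disappears when stdout is redirected and otherwise runs into whatever is printed next. Since this is the only signal an administrator gets that the mount came up with the initial "file" context, I would send it to stderr and terminate it: `fprintf(stderr, _("mount: %s does not contain SELinux labels.\n"` … `" option.\n"), node);`. The guard `res != EX_FAIL` also lets the check run for any other non-zero result; if try_mount_one can reach `out:` with a different failure code (not visible in this hunk), `res == 0` would be the safer condition. The message text itself reads "an file system" and "one of the \"context\" mount option", which is worth fixing before translators pick the string up. try_mount_one begins outside the hunk.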