
Merge pull request #340 from ckyrouac/selinux-fix
Fix selinux_enabled function
cgwalters authored Feb 14, 2024
2 parents c19d87f + 3921b71 commit 92adf21
Showing 2 changed files with 7 additions and 6 deletions.
8 changes: 4 additions & 4 deletions lib/src/install.rs
Expand Up @@ -732,7 +732,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
if srcdata.selinux {
let host_selinux = crate::lsm::selinux_enabled()?;
tracing::debug!("Target has SELinux, host={host_selinux}");
if host_selinux {
if override_disable_selinux {
ret_did_override = true;
println!("notice: Target has SELinux enabled, overriding to disable")
} else if host_selinux {
// /sys/fs/selinuxfs is not normally mounted, so we do that now.
// Because SELinux enablement status is cached process-wide and was very likely
// already queried by something else (e.g. glib's constructor), we would also need
Expand All @@ -741,9 +744,6 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
crate::lsm::container_setup_selinux()?;
// This will re-execute the current process (once).
g = crate::lsm::selinux_ensure_install_or_setenforce()?;
} else if override_disable_selinux {
ret_did_override = true;
println!("notice: Target has SELinux enabled, overriding to disable")
} else if std::env::var_os(skip_check_envvar).is_some() {
eprintln!(
"Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
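Review bot: The notice on the new `override_disable_selinux` branch is written to stdout with `println!`, while the sibling diagnostic further down the same `if` chain (the `skip_check_envvar` message) goes to stderr with `eprintln!`; a notice about deliberately disabling SELinux on the target should not be mixed into stdout, so `eprintln!("notice: Target has SELinux enabled, overriding to disable");` would keep the chain consistent. Separately, `crate::lsm::selinux_enabled()?` on the line above the chain still runs before the override is consulted, so an error probing the host (which, after the lsm.rs change in this same commit, presumably includes being unable to traverse `/proc/1/root`) aborts the install even when the caller explicitly asked to disable SELinux; that fail-closed behaviour looks acceptable, but if it is intentional a one-line comment such as `// Probe the host before the override so the debug line is accurate; a probe failure stays fatal.` would prevent a later "fix" that swallows the error. `reexecute_self_for_selinux_if_needed` starts and ends outside the hunk.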
5 changes: 3 additions & 2 deletions lib/src/lsm.rs
Expand Up @@ -24,8 +24,9 @@ const SELF_CURRENT: &str = "/proc/self/attr/current";

#[context("Querying selinux availability")]
pub(crate) fn selinux_enabled() -> Result<bool> {
let filesystems = std::fs::read_to_string("/proc/filesystems")?;
Ok(filesystems.contains("selinuxfs\n"))
Path::new("/proc/1/root/sys/fs/selinux/enforce")
.try_exists()
.map_err(Into::into)
}

/// Get the current process SELinux security context
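Review bot: `selinux_enabled` carries no doc comment explaining why PID 1's root is probed or what that assumes, and the new body's answer depends on it: if the process runs in its own PID namespace, `/proc/1/root` resolves to the container's root, where (per the comment in install.rs in this same commit) selinuxfs is not normally mounted, so the function would presumably report `Ok(false)` on a SELinux-enabled host and the caller would skip SELinux setup entirely. A doc comment along the lines of `/// Whether the host kernel has SELinux enabled, judged by the presence of selinuxfs under PID 1's root.` followed by `/// Assumes the process shares the host PID namespace; in a private PID namespace this inspects the container's own root.` would make that explicit. Note also that `try_exists` reports `Err` rather than `false` when `/proc/1/root` cannot be traversed (access to another process's root typically needs ptrace-level permission on the target process), and `.map_err(Into::into)` propagates that as a hard failure; failing closed is the safer behaviour here, and the doc comment should say so, so that no caller later maps the error to "disabled".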
