On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> Is there an easy way for a script to detect whether MLS mode is enabled?
>
> On CentOS 5 whether running normally or in Anaconda's rescue mode,
> SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> /etc/selinux/mls directory and cat /selinux/mls prints "1".
>
> However, with CentOS running normally a command to set a context works,
> while from rescue mode the same command fails with "cannot setup default
> context" unless I add an :s0 MLS piece. That's fine when I'm doing things
> manually, but I'd like a script to detect whether it's being run in an
> environment that needs the :s0 added. I don't want to just add :s0 all the
> time, in case it's already there in the context string I'm trying to set.

Technically you should always provide the MLS piece if /selinux/mls is 1
(is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
python). The only reason you get away with not specifying it in
multi-user mode is that mcstransd is running.

-- 
Stephen Smalley
National Security Agency
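
A script-side version of the check discussed in this thread, as an added example that is not part of the original messages: it reads the selinuxfs `mls` node and appends `:s0` only when MLS is enabled and the context has no level field yet. The function names and the `SELINUX_MLS_FILE` override are hypothetical, and `/sys/fs/selinux/mls` is included on the assumption that the script may also run on newer systems where selinuxfs is mounted there instead of `/selinux`.

```sh
#!/bin/sh
# Added example, not code from the thread.
# SELINUX_MLS_FILE is a hypothetical override (useful for testing); without
# it the selinuxfs "mls" node is looked up at /selinux (the path used in the
# thread) and at /sys/fs/selinux (assumed mount point on newer kernels).

# Return 0 if the kernel policy has MLS enabled, 1 otherwise.
mls_enabled() {
    if [ -n "${SELINUX_MLS_FILE:-}" ]; then
        set -- "$SELINUX_MLS_FILE"
    else
        set -- /selinux/mls /sys/fs/selinux/mls
    fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(cat "$f") || continue      # node holds "1" or "0", no newline
        if [ "$v" = "1" ]; then return 0; else return 1; fi
    done
    return 1                           # no node: SELinux disabled or not mounted
}

# Print the context, with ":s0" appended only when MLS is enabled and the
# context is a bare user:role:type. A level or range may itself contain
# colons (s0-s0:c0.c1023), so four or more fields means "already present".
context_with_level() {
    ctx=$1
    case $ctx in
        *:*:*:*) has_level=1 ;;
        *:*:*)   has_level=0 ;;
        *) echo "not a security context: $ctx" >&2; return 2 ;;
    esac
    if [ "$has_level" -eq 0 ] && mls_enabled; then
        ctx="$ctx:s0"
    fi
    printf '%s\n' "$ctx"
}

# Usage in a script, with a constructed context and path:
#   chcon "$(context_with_level system_u:object_r:etc_t)" /mnt/sysimage/etc/foo
```

Because the result is a full context string, the same call works in both rescue mode and multi-user mode regardless of whether mcstransd is running.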