RE: Detecting MLS mode

On Tue, 2012-03-06 at 15:03 +0000, Moray Henderson wrote:
> > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> > Sent: 05 March 2012 20:16
> > 
> > On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > > Is there an easy way for a script to detect whether MLS mode is enabled?
> > >
> > > On CentOS 5 whether running normally or in Anaconda's rescue mode,
> > > SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> > > /etc/selinux/mls directory and cat /selinux/mls prints "1".
> > >
> > > However, with CentOS running normally a command to set a context works,
> > > while from rescue mode the same command fails with "cannot setup default
> > > context" unless I add an :s0 MLS piece.  That's fine when I'm doing things
> > > manually, but I'd like a script to detect whether it's being run in an
> > > environment that needs the :s0 added.  I don't want to just add :s0 all the
> > > time, in case it's already there in the context string I'm trying to set.
> > 
> > Technically you should always provide the MLS piece if /selinux/mls is 1
> > (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
> > python).  The only reason you get away with not specifying it in
> > multi-user mode is that mcstransd is running.
> 
> Thanks Stephen.  So if /selinux/mls is 1 a suitable way to fetch the full context of (say) everything in root whether we're in single or multi-user mode would be:
> 
>   SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
>   find / -maxdepth 1 -printf "%p:\t%Z${SUFFIX}\n"
> 
> It won't be run on a system that actually uses MLS, so I can get away with hardwiring the :s0.

Maybe I'm misreading it, but the logic seems the opposite of what you
want presently.

Also, as a caveat, while CentOS 5 might be stripping the :s0 entirely
when mcstrans is running, it appears that on modern Fedora (and thus
likely CentOS 6), it is just translating it to :SystemLow.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
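An added example, not code from either poster: a POSIX sh helper set that checks the selinuxfs "mls" flag the thread refers to and appends ":s0" to a context only when it has no MLS field at all, so the suffix is never doubled onto a context that already carries a range (raw "s0", a full "s0-s0:c0.c1023" range, or a translated name such as "SystemLow"). The file path parameter, the tab-separated input format and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).

# True when the kernel reports MLS enabled: the selinuxfs "mls" file
# contains "1".  The path is a parameter so the function can be tested
# against a constructed file; /selinux/mls is the CentOS 5 mount point,
# newer systems mount selinuxfs at /sys/fs/selinux instead.
mls_enabled() {
    [ "$(cat "${1:-/selinux/mls}" 2>/dev/null)" = "1" ]
}

# Append ":s0" only if the context has no MLS field.  A context is
# user:role:type[:range], and the range itself may contain a colon
# (s0-s0:c0.c1023) or be a translated label (SystemLow), so the test is
# "fewer than four colon-separated fields", not "does it end in :s0".
ensure_mls_range() {
    ctx=$1
    fields=$(printf '%s\n' "$ctx" | awk -F: '{ print NF }')
    if [ "$fields" -lt 4 ]; then
        printf '%s:s0\n' "$ctx"
    else
        printf '%s\n' "$ctx"
    fi
}

# Read "path<TAB>context" lines (the shape find -printf '%p\t%Z\n' would
# produce) from stdin and print each with a guaranteed MLS field.
label_with_ranges() {
    tab=$(printf '\t')
    while IFS="$tab" read -r path ctx; do
        printf '%s:\t%s\n' "$path" "$(ensure_mls_range "$ctx")"
    done
}

# Constructed sample input standing in for real find output.
sample_listing() {
    printf '/etc\tsystem_u:object_r:etc_t\n'
    printf '/root\tsystem_u:object_r:user_home_dir_t:s0\n'
    printf '/boot\tsystem_u:object_r:boot_t:SystemLow\n'
}

if [ "${1:-}" = "--demo" ]; then
    sample_listing | label_with_ranges
fi
```

Run with `--demo` to see the sample listing normalised; feed it real `find -printf '%p\t%Z\n'` output when mls_enabled succeeds on the live system.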