> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> Sent: 06 March 2012 15:21
>
> On Tue, 2012-03-06 at 15:03 +0000, Moray Henderson wrote:
> > > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> > > Sent: 05 March 2012 20:16
> > >
> > > On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > > > Is there an easy way for a script to detect whether MLS mode is enabled?
> > > >
> > > > On CentOS 5 whether running normally or in Anaconda's rescue mode, SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no /etc/selinux/mls directory and cat /selinux/mls prints "1".
> > > >
> > > > However, with CentOS running normally a command to set a context works, while from rescue mode the same command fails with "cannot setup default context" unless I add an :s0 MLS piece. That's fine when I'm doing things manually, but I'd like a script to detect whether it's being run in an environment that needs the :s0 added. I don't want to just add :s0 all the time, in case it's already there in the context string I'm trying to set.
> > >
> > > Technically you should always provide the MLS piece if /selinux/mls is 1 (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in python). The only reason you get away with not specifying it in multi-user mode is that mcstransd is running.
> >
> > Thanks Stephen. So if /selinux/mls is 1 a suitable way to fetch the full context of (say) everything in root whether we're in single or multi-user mode would be:
> >
> > SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
> > find / -maxdepth 1 -printf "%p:\t%Z${SUFFIX}\n"
> >
> > It won't be run on a system that actually uses MLS, so I can get away with hardwiring the :s0.
>
> Maybe I'm misreading it, but the logic seems the opposite of what you want presently.
>
> Also, as a caveat, while CentOS 5 might be stripping the :s0 entirely when mcstrans is running, it appears that on modern Fedora (and thus likely CentOS 6), it is just translating it to :SystemLow.

This is CentOS 5-specific: looks like I'll have to rewrite all sorts of things when we go up to 6 :-)

What I'm aiming for is a script that can be run in both single- and multi-user modes to collect a full context string which will be valid for multi- or single-user mode. So in multi-user mode, where the OS doesn't display the MLS context, I need to add it; while in single-user mode it's already there and I shouldn't add it again. Once I've got the full string including MLS piece, I can use it anywhere to set a context as you said earlier.

Moray.

"To err is human; to purr, feline."

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
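An added example, not part of the thread and not a script either poster wrote: instead of inferring from whether mcstransd is running, it reads /selinux/mls (falling back to the newer /sys/fs/selinux/mls path) and appends the thread's hard-wired :s0 only when the context string has no level component at all. The function names, the fallback path and the ":SystemLow" handling (any existing fourth field, including the translated form Stephen mentions, is left alone) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the targeted policy's
# ":s0" is the correct level to append, as in the original script.

# mls_enabled: exit 0 when the kernel reports MLS support, reading the
# same selinuxfs flag that is_selinux_mls_enabled() reports.
# /selinux/mls is the CentOS 5 mount point; /sys/fs/selinux/mls is the
# newer one (assumed fallback).
mls_enabled() {
    for p in /selinux/mls /sys/fs/selinux/mls; do
        [ -r "$p" ] && [ "$(cat "$p")" = "1" ] && return 0
    done
    return 1
}

# ensure_mls_level CONTEXT [LEVEL]
# Prints CONTEXT with LEVEL (default s0) appended only when no level is
# present. A context is user:role:type[:level]; the level itself may
# contain a colon (e.g. s0-s15:c0.c1023), so do not count colons:
# skip past user and role and test whether the remainder still has one.
# Anything without at least user:role:type (e.g. the "?" that find's %Z
# prints where no context exists) is passed through unchanged, status 1.
ensure_mls_level() {
    ctx=$1
    level=${2:-s0}
    case $ctx in
        *:*:*) ;;
        *) printf '%s\n' "$ctx"; return 1 ;;
    esac
    rest=${ctx#*:}      # drop user
    rest=${rest#*:}     # drop role; what is left is type[:level]
    case $rest in
        *:*) printf '%s\n' "$ctx" ;;          # level already there (s0, SystemLow, a range)
        *)   printf '%s\n' "$ctx:$level" ;;   # bare type: append the level
    esac
}

# list_contexts DIR: print "path<TAB>context" for DIR's immediate
# children, completing the context when MLS is enabled but the level
# was stripped from the output.
list_contexts() {
    find "$1" -maxdepth 1 -printf '%p\t%Z\n' |
    while IFS="$(printf '\t')" read -r path ctx; do
        if mls_enabled; then
            ctx=$(ensure_mls_level "$ctx") || true
        fi
        printf '%s\t%s\n' "$path" "$ctx"
    done
}
```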