Jim Meyering wrote: > Stephen Smalley wrote: > ... >> Must have previously booted an ancient kernel with SELinux permissive >> and no policy loaded. Kernel was fixed by the commit below in 2006. >> I'd recommend that he run the following to clean up the droppings in his >> filesystem: >> find / \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 \) -exec setfattr -x security.selinux {} \; >> >> commit 8aad38752e81d1d4de67e3d8e2524618ce7c9276 >> Author: Stephen Smalley <sds@xxxxxxxxxxxxx> >> Date: Wed Mar 22 00:09:13 2006 -0800 >> >> [PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded > > Thanks for the quick explanation! I've revised the commit not to say anything in NEWS and to expand the log message. While the exit-early change doesn't solve the problem in all cases, it is useful and does make chcon consistent with runcon in that respect. >From 3a97d664b9f639fddb5a245775f47d27bfbb56c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Va=C5=A1=C3=ADk?= <ovasik@xxxxxxxxxx> Date: Mon, 5 Oct 2009 09:20:48 +0200 Subject: [PATCH] chcon: exit immediately if SELinux is disabled This change happens to avoid an abort in chcon when SELinux is disabled while operating on a file with an "unlabeled" context from back in 2006. However, that same abort can still be triggered by the same file when running chcon with SELinux enabled. This bug in chcon will be fixed in a subsequent commit via a getfilecon wrapper. See http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/18378/focus=18384 for how to correct your disk attributes to avoid triggering this bug. * src/chcon.c (main): Exit immediately if SELinux is disabled. Reported in http://bugzilla.redhat.com/527142 by Yanko Kaneti. * src/runcon.c (main): Do not hardcode program name in error message. * THANKS: Update. --- THANKS | 1 + src/chcon.c | 4 ++++ src/runcon.c | 2 +- 3 files changed, 6 insertions(+), 1 deletions(-) diff --git a/THANKS b/THANKS index e0e14e5..65ac1bb 100644 --- a/THANKS 
+++ b/THANKS @@ -612,6 +612,7 @@ Wis Macomson wis.macomson@xxxxxxxxx Wojciech Purczynski cliph@xxxxxxx Wolfram Kleff kleff@xxxxxxxxxxxxxx Won-kyu Park wkpark@xxxxxxxxxxxxxxx +Yanko Kaneti yaneti@xxxxxxxxxxx Yann Dirson dirson@xxxxxxxxxx Zvi Har'El rl@xxxxxxxxxxxxxxxxxxx diff --git a/src/chcon.c b/src/chcon.c index fbfdb4d..c0da694 100644 --- a/src/chcon.c +++ b/src/chcon.c @@ -519,6 +519,10 @@ main (int argc, char **argv) usage (EXIT_FAILURE); } + if (is_selinux_enabled () != 1) + error (EXIT_FAILURE, 0, + _("%s may be used only on a SELinux kernel"), program_name); + if (reference_file) { if (getfilecon (reference_file, &ref_context) < 0) diff --git a/src/runcon.c b/src/runcon.c index e0019da..f87eada 100644 --- a/src/runcon.c +++ b/src/runcon.c @@ -195,7 +195,7 @@ main (int argc, char **argv) if (is_selinux_enabled () != 1) error (EXIT_FAILURE, 0, - _("runcon may be used only on a SELinux kernel")); + _("%s may be used only on a SELinux kernel"), program_name); if (context) { -- 1.6.5.rc2.204.g8ea19 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
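Review bot: the `is_selinux_enabled () != 1` guard added in the chcon.c hunk, just before `getfilecon (reference_file, &ref_context)`, only avoids the abort on a non-SELinux kernel; the commit message itself says the same unlabeled file still aborts chcon when SELinux is enabled, so a one-line comment at the check pointing at the planned getfilecon wrapper would stop the next reader from taking this hunk as the fix. Two smaller points: `!= 1` also folds a negative error return from libselinux into the "may be used only on a SELinux kernel" message, which misdescribes a failed probe (runcon already makes the same choice, so it is at least consistent); and placing the check right after the `usage (EXIT_FAILURE)` path is right, since missing-operand errors are still reported before the kernel check.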
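Review bot: in the runcon.c hunk, replacing the literal "runcon" with `%s` and `program_name` changes the msgid, so every existing translation of "runcon may be used only on a SELinux kernel" goes fuzzy until the po files are regenerated; that is worth a sentence in the commit message, since the gain is that chcon and runcon now share one translatable string. The format change is safe as written: the single new argument matches the single `%s`, and `error (EXIT_FAILURE, 0, ...)` passes the format straight through.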
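The cleanup Stephen recommends above (a find over ext2/3/4 filesystems that strips security.selinux from every inode) is blunt: it cannot tell a stale label left by the old kernel from a label a later policy set, and it gives no dry run. The script below is an added example written for this thread; it is not coreutils or libselinux code and nobody in the thread posted it. It parses /proc/mounts so that only ext2/3/4 mount points are scanned (the same restriction as the -fstype filter above), reads the raw security.selinux xattr with os.getxattr, classifies each inode as carrying no label, the stray "unlabeled" context, or some other context, and removes only the stray ones, dry-run by default. The exact byte value of the stray label (STALE_LABEL) and the ext-only restriction are assumptions, since the page only says the files carry an "unlabeled" context; the mount table and xattr store in the demo are constructed sample data.

```python
#!/usr/bin/env python3
"""Scan ext2/3/4 mounts for stale security.selinux xattrs and strip them.

Added example for this thread; not coreutils or libselinux code. Assumed,
because the page does not state it: the stray label the old kernel wrote is
the 'unlabeled' initial-SID context in STALE_LABEL, and only ext2/3/4
mounts need scanning, mirroring the -fstype filter in the thread.
"""
import errno
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

XATTR = "security.selinux"
STALE_LABEL = b"system_u:object_r:unlabeled_t:s0"   # assumed stray value
EXT_TYPES = {"ext2", "ext3", "ext4"}


def mount_table(proc_mounts: str) -> List[Tuple[str, str]]:
    """(mount point, fstype) pairs from /proc/mounts text; '\\040' is a space."""
    table = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            table.append((fields[1].replace("\\040", " "), fields[2]))
    return table


def fstype_of(path: str, table: List[Tuple[str, str]]) -> Optional[str]:
    """fstype of the longest mount point containing path (None if unknown)."""
    best = None
    for point, fstype in table:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) > len(best[0]):
                best = (point, fstype)
    return best[1] if best else None


def read_label(path: str, getxattr=os.getxattr) -> Optional[bytes]:
    """Raw security.selinux value, or None when the inode carries none."""
    try:
        return getxattr(path, XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def classify(label: Optional[bytes]) -> str:
    """'none', 'stale' (equals STALE_LABEL) or 'labeled' (another context)."""
    if label is None:
        return "none"
    return "stale" if label.rstrip(b"\0") == STALE_LABEL else "labeled"


def scan(paths: Iterable[str], proc_mounts: str,
         getxattr=os.getxattr) -> Dict[str, str]:
    """Verdict per path; paths on non-ext filesystems are 'skip'."""
    table = mount_table(proc_mounts)
    verdicts = {}
    for p in paths:
        if fstype_of(p, table) not in EXT_TYPES:
            verdicts[p] = "skip"
        else:
            verdicts[p] = classify(read_label(p, getxattr))
    return verdicts


def strip_stale(verdicts: Dict[str, str], removexattr=os.removexattr,
                dry_run: bool = True) -> List[str]:
    """Remove the xattr from every 'stale' path; returns the paths touched."""
    touched = []
    for p, v in verdicts.items():
        if v == "stale":
            if not dry_run:
                removexattr(p, XATTR, follow_symlinks=False)
            touched.append(p)
    return touched


def iter_tree(root: str) -> Iterable[str]:
    """Every directory and file under root, symlinks not followed."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


# Constructed sample data: a mount table and an in-memory xattr store, so
# the demo runs without root, an ext filesystem, or SELinux.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext2 rw 0 0
tmpfs /tmp tmpfs rw 0 0
"""
SAMPLE_XATTRS = {
    "/etc/hosts": b"system_u:object_r:unlabeled_t:s0\0",
    "/boot/vmlinuz": b"system_u:object_r:boot_t:s0",
    "/tmp/scratch": b"system_u:object_r:unlabeled_t:s0",
}


def fake_getxattr(path, name, follow_symlinks=True):
    """Stand-in for os.getxattr backed by SAMPLE_XATTRS."""
    if name == XATTR and path in SAMPLE_XATTRS:
        return SAMPLE_XATTRS[path]
    raise OSError(errno.ENODATA, "No data available")


def demo() -> Dict[str, str]:
    paths = ["/etc/hosts", "/etc/passwd", "/boot/vmlinuz", "/tmp/scratch"]
    return scan(paths, SAMPLE_MOUNTS, fake_getxattr)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real run: python3 scan.py / [--remove]
        with open("/proc/mounts") as f:
            mounts = f.read()
        found = scan(iter_tree(sys.argv[1]), mounts)
        for p in strip_stale(found, dry_run="--remove" not in sys.argv[2:]):
            print(p)
    else:
        for p, verdict in demo().items():
            print(f"{verdict:8} {p}")
```

Run without arguments it prints the verdicts for the constructed sample (stale for /etc/hosts, none for /etc/passwd, labeled for /boot/vmlinuz, skip for /tmp/scratch on tmpfs); with a root directory it lists what it would strip, and only `--remove` actually calls os.removexattr. Inspect a few of the reported files with `getfattr -n security.selinux` before trusting STALE_LABEL, and do the removal with SELinux disabled or follow it with restorecon, since an inode stripped of its label on a running SELinux system is simply unlabeled afterwards.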