Martin Orr wrote:
> The differences here are that the new code ensures that /proc is
> mounted, and !is_selinux_enabled() becomes (is_selinux_enabled() > 0).
> I think the change was due to this:
> http://thread.gmane.org/gmane.comp.security.selinux/13320
> (is_selinux_enabled() returns -1 if /proc not mounted).

They might have been inspired by it, but it is a completely different fix than I proposed.

In the original context, the C expression "!is_selinux_enabled()" means "is_selinux_enabled() == 0". However, the function is tristate, as its return values are -1, 0, and 1. In addition to 0, we also want -1 to execute the code block below, so the expression becomes "(foo = is_selinux_enabled(), foo == 0 || foo == -1)", or simply put "is_selinux_enabled() != 1".

And why do we want that? Because the function checks if we already have a policy loaded in the kernel. 1 means yes, 0 means no and -1 means no as well. No need to mess with mounting /proc ;-)

Michal Svoboda
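The tristate argument above, as an added example that is not part of this thread: a constructed stand-in for libselinux's is_selinux_enabled() (the real function takes no argument) is fed each of its three possible return values, and the original "!rc" check is compared with the proposed "rc != 1" check to show which value they disagree on.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for libselinux's is_selinux_enabled(). The real call
 * takes no argument and returns 1 (policy loaded), 0 (no policy) or -1 (cannot
 * tell, e.g. /proc not mounted). Here the caller picks the value to simulate. */
static int fake_is_selinux_enabled(int simulated)
{
    return simulated;
}

/* Original check: "!rc" only matches 0, so a -1 result is treated as if a
 * policy were loaded and the fallback block is skipped. */
bool old_needs_fallback(int rc)
{
    return !rc;
}

/* Proposed check: anything other than 1 means no policy is loaded. */
bool new_needs_fallback(int rc)
{
    return rc != 1;
}

/* Walks the three tristate values and counts where the two checks disagree.
 * Expected: exactly one disagreement, on rc == -1. */
int count_disagreements(void)
{
    const int values[] = { -1, 0, 1 };
    int disagreements = 0;
    for (int i = 0; i < 3; i++) {
        int rc = fake_is_selinux_enabled(values[i]);
        if (old_needs_fallback(rc) != new_needs_fallback(rc))
            disagreements++;
    }
    return disagreements;
}

int main(void)
{
    const int values[] = { -1, 0, 1 };
    for (int i = 0; i < 3; i++) {
        int rc = fake_is_selinux_enabled(values[i]);
        printf("rc=%2d  !rc -> %d   rc != 1 -> %d\n", rc,
               old_needs_fallback(rc), new_needs_fallback(rc));
    }
    printf("disagreements: %d\n", count_disagreements());
    return 0;
}
```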