-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2011 01:13 PM, Stephen Smalley wrote:
>
> diff --git a/libselinux/src/init.c b/libselinux/src/init.c
> index a948920..547f1eb 100644
> --- a/libselinux/src/init.c
> +++ b/libselinux/src/init.c
> @@ -79,7 +70,7 @@ static void init_selinuxmnt(void)
> tmp = strchr(p, ' ');
> if (!tmp)
> goto out;
> - if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
> + if (!strncmp(tmp + 1, SELINUXFS, 10)) {
> *tmp = '\0';
> break;
> }
>
> This isn't equivalent. I suppose you could do this:
> + if (!strncmp(tmp + 1, SELINUXFS" ", sizeof SELINUXFS)) {
>
Ok one more time...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3ARBQACgkQrlYvE4MpobObeQCgwz+m8Ag8hzTWBuPGzXWXjcu6
xC0An3v6Kzia20ZfKwgV/Hq9sx6TfX7q
=akdW
-----END PGP SIGNATURE-----
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@ int is_selinux_enabled(void)
 {
- char *buf=NULL;
- FILE *fp;
- ssize_t num;
- size_t len;
 int enabled = 0;
 security_context_t con;
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 enabled = 0;
 freecon(con);
 }
- return enabled;
 }
- /* Drop back to detecting it the long way. */
- fp = fopen("/proc/filesystems", "r");
- if (!fp)
- return -1;
-
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
- while ((num = getline(&buf, &len, fp)) != -1) {
- if (strstr(buf, "selinuxfs")) {
- enabled = 1;
- break;
- }
- }
-
- if (num < 0)
- goto out;
-
- /* Since an selinux file system is available, we consider
- * selinux enabled. If getcon_raw fails, selinux is still
- * enabled. We only consider it disabled if no policy is loaded. */
- if (getcon_raw(&con) == 0) {
- if (!strcmp(con, "kernel"))
- enabled = 0;
- freecon(con);
- }
-
- out:
- free(buf);
- fclose(fp);
 return enabled;
 }
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..dd03559 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
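Review bot: With the long-way fallback removed, the only `return -1;` visible in this hunk is gone and both remaining exits return `enabled`, so as far as these two hunks show is_selinux_enabled() can no longer report an error; the function's first lines (the condition that guards the getcon_raw block) are outside the hunk, so confirm no other -1 path remains there. If the public contract still documents -1 on error, callers that test for `< 0` will now get 0 ("disabled") on the paths that previously failed, which belongs in the header/man page or at least the commit description. A comment above the final return would record the new rule, e.g. `/* No usable selinuxfs mount point means SELinux is reported as disabled, never as an error. */`.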
@@ -20,12 +21,41 @@ char *selinux_mnt = NULL;
 int selinux_page_size = 0;
 int obj_class_compat = 1;
+/* Verify the mount point for selinux file system has a selinuxfs.
+ If the file system:
+ * Exist,
+ * Is mounted with an selinux file system,
+ * The file system is read/write
+ * then set this as the default file system.
+*/
+static int verify_selinuxmnt(char *mnt)
+{
+ struct statfs sfbuf;
+ int rc;
+
+ do {
+ rc = statfs(mnt, &sfbuf);
+ } while (rc < 0 && errno == EINTR);
+ if (rc == 0) {
+ if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+ struct statvfs vfsbuf;
+ rc = statvfs(mnt, &vfsbuf);
+ if (rc == 0) {
+ if (!(vfsbuf.f_flag & ST_RDONLY)) {
+ set_selinuxmnt(mnt);
+ }
+ return 0;
+ }
+ }
+ }
+
+ return -1;
+}
+
 static void init_selinuxmnt(void)
 {
 char *buf=NULL, *p;
 FILE *fp=NULL;
- struct statfs sfbuf;
- int rc;
 size_t len;
 ssize_t num;
 int exists = 0;
@@ -33,17 +63,9 @@ static void init_selinuxmnt(void)
 if (selinux_mnt)
 return;
- /* We check to see if the preferred mount point for selinux file
- * system has a selinuxfs. */
- do {
- rc = statfs(SELINUXMNT, &sfbuf);
- } while (rc < 0 && errno == EINTR);
- if (rc == 0) {
- if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
- selinux_mnt = strdup(SELINUXMNT);
- return;
- }
- }
+ if (verify_selinuxmnt(SELINUXMNT) == 0) return;
+
+ if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
 /* Drop back to detecting it the long way. */
 fp = fopen("/proc/filesystems", "r");
@@ -52,7 +74,7 @@ static void init_selinuxmnt(void)
 __fsetlocking(fp, FSETLOCKING_BYCALLER);
 while ((num = getline(&buf, &len, fp)) != -1) {
- if (strstr(buf, "selinuxfs")) {
+ if (strstr(buf, SELINUXFS)) {
 exists = 1;
 break;
 }
@@ -79,7 +101,7 @@ static void init_selinuxmnt(void)
 tmp = strchr(p, ' ');
 if (!tmp)
 goto out;
- if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+ if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
 *tmp = '\0';
 break;
 }
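Review bot: verify_selinuxmnt() returns 0 whenever a selinuxfs is found at `mnt`, including the read-only case in which `set_selinuxmnt(mnt)` is skipped, so the early returns added in the next hunk (`if (verify_selinuxmnt(SELINUXMNT) == 0) return;`) stop probing with `selinux_mnt` still unset and neither `OLDSELINUXMNT` nor the /proc/filesystems fallback is tried. If that is intended — a read-only selinuxfs counts as present but unusable — the header comment should state the return contract, e.g. `Returns 0 if a selinuxfs is mounted at mnt (selinux_mnt is set only when it is mounted read/write), -1 if no selinuxfs is found there.`; otherwise the read-only branch should fall through to `return -1` so the next candidate is probed. While rewriting that comment, `Exist,` and `an selinux` read better as `Exists` and `a selinux`. `mnt` is never written through, so `const char *mnt` would fit if set_selinuxmnt() accepts it; its declaration is not visible in this patch.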
@@ -87,7 +109,7 @@ static void init_selinuxmnt(void)
 /* If we found something, dup it */
 if (num > 0)
- selinux_mnt = strdup(p);
+ verify_selinuxmnt(p);
 out:
 free(buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..0961912 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 * Check for the existence of SELinux via selinuxfs, and
 * mount it if present for use in the calls below.
 */
- if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+ char *mntpoint = NULL;
+ if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+ mntpoint = SELINUXMNT;
+ } else {
+ /* check old mountpoint */
+ if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+ mntpoint = OLDSELINUXMNT;
+ }
+ }
+
+ if (! mntpoint ) {
 if (errno == ENODEV) {
 /*
 * SELinux was disabled in the kernel, either
@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce)
 goto noload;
 }
- set_selinuxmnt(SELINUXMNT);
+ set_selinuxmnt(mntpoint);
 /*
 * Note: The following code depends on having selinuxfs
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
 rc = security_disable();
 if (rc == 0) {
 /* Successfully disabled, so umount selinuxfs too. */
- umount(SELINUXMNT);
+ umount(selinux_mnt);
 fini_selinuxmnt();
 }
 /*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..bf270b5 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -9,11 +9,15 @@
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
+/* selinux file system type */
+#define SELINUXFS "selinuxfs"
+
 /* selinuxfs magic number */
 #define SELINUX_MAGIC 0xf97cff8c
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
+#define OLDSELINUXMNT "/selinux"
 /* selinuxfs mount point */
 extern char *selinux_mnt;
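Review bot: `verify_selinuxmnt(p)` is handed a pointer into `buf`, which `free(buf)` releases at `out:` two lines later; the line it replaces copied the string with strdup(), so the new code is correct only if set_selinuxmnt() (not visible in this patch) makes its own copy of `mnt` — worth confirming and recording with a comment such as `/* set_selinuxmnt() duplicates p; buf is freed at out */`. The return value is also discarded, so a /proc/mounts entry that is not a selinuxfs or is mounted read-only now leaves `selinux_mnt` NULL silently, where the old code recorded the path unconditionally; the comment `/* If we found something, dup it */` above no longer describes what happens. init_selinuxmnt() begins outside this hunk.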
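Review bot: The `if (errno == ENODEV)` test that follows the new block sees the errno of the second mount() attempt, not the first: when mounting at `SELINUXMNT` fails with ENODEV (no selinuxfs in the kernel) and the legacy `OLDSELINUXMNT` directory does not exist on the system, the second call is likely to fail with ENOENT instead, and the "SELinux was disabled in the kernel" branch is skipped (its body continues outside the hunk). Save the errno of the first failure and reinstate it when the fallback fails for a different reason, so the kernel-side answer wins over a missing legacy directory. `char *mntpoint` only ever holds string literals, so `const char *` would fit if set_selinuxmnt() accepts it.
```c
	char *mntpoint = NULL;
	int first_errno = 0;
	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
		mntpoint = SELINUXMNT;
	} else {
		first_errno = errno;
		/* check old mountpoint */
		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
			mntpoint = OLDSELINUXMNT;
		} else if (first_errno == ENODEV) {
			/* Report the kernel-side failure, not a missing legacy directory. */
			errno = first_errno;
		}
	}
	/* … unchanged: if (! mntpoint ) { if (errno == ENODEV) … */
```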
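Review bot: `OLDSELINUXMNT` is added directly under `/* Preferred selinux mount location */`, a comment that now describes only `SELINUXMNT`; a line such as `/* Legacy mount location, probed only when SELINUXMNT has no selinuxfs */` above `#define OLDSELINUXMNT "/selinux"` would keep the header self-explanatory. Changing the value of `SELINUXMNT` changes the default for every translation unit that includes this header, so it deserves a sentence in the commit message rather than only a header diff.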