-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6wT8EACgkQrlYvE4MpobOajgCgmjREEVQnkhXAOC0o5xzX64WK
JHQAmgIEtZJo7zLMrbY3NKhj5bBlRzm/
=PCxH
-----END PGP SIGNATURE-----
>From 1931ea55cc655822c0865c976bc6d696c1121962 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Thu, 22 Sep 2011 09:32:44 -0400
Subject: [PATCH 36/63] libselinux: load_policy: handle selinux=0 and
/sys/fs/selinux not exist
Handle situation where selinux=0 passed to the kernel and both /selinux and
/sys/fs/selinux directories do not exist. We used to handle selinux=0
(or kernel compile without selinux) by getting ENODEV when we tried to
mount selinuxfs on /selinux. Now selinux=0 means that /sys/fs/selinux
won't exist and we never create the real directory /selinux at all. So
we get ENOENT instead of ENODEV. The solution is to check to see if the
mount failure was for ENODEV and if not to check if selinuxfs exists in
/proc/filesystems at all. If it doesn't exist, that's equivalent to
ENODEV.
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
libselinux/include/selinux/selinux.h | 3 ++
libselinux/src/init.c | 45 ++++++++++++++++++++++------------
libselinux/src/load_policy.c | 2 +-
libselinux/src/selinux_internal.h | 1 +
4 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index d29b0c1..01cf469 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -515,6 +515,9 @@ extern int selinux_check_securetty_context(const security_context_t tty_context)
which performs the initial mount of selinuxfs. */
void set_selinuxmnt(char *mnt);
+/* Check if selinuxfs exists as a kernel filesystem */
+int selinuxfs_exists(void);
+
/* clear selinuxmnt variable and free allocated memory */
void fini_selinuxmnt(void);
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 31f1ea6..00afde7 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -52,13 +52,40 @@ static int verify_selinuxmnt(char *mnt)
return -1;
}
+int selinuxfs_exists(void)
+{
+ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
+ fp = fopen("/proc/filesystems", "r");
+ if (!fp)
+ return 1; /* Fail as if it exists */
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ num = getline(&buf, &len, fp);
+ while (num != -1) {
+ if (strstr(buf, SELINUXFS)) {
+ exists = 1;
+ break;
+ }
+ num = getline(&buf, &len, fp);
+ }
+
+ free(buf);
+ fclose(fp);
+ return exists;
+}
+hidden_def(selinuxfs_exists)
+
static void init_selinuxmnt(void)
{
char *buf=NULL, *p;
FILE *fp=NULL;
size_t len;
ssize_t num;
- int exists = 0;
if (selinux_mnt)
return;
@@ -68,23 +95,9 @@ static void init_selinuxmnt(void)
if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
/* Drop back to detecting it the long way. */
- fp = fopen("/proc/filesystems", "r");
- if (!fp)
- return;
-
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
- while ((num = getline(&buf, &len, fp)) != -1) {
- if (strstr(buf, SELINUXFS)) {
- exists = 1;
- break;
- }
- }
-
- if (!exists)
+ if (!selinuxfs_exists())
goto out;
- fclose(fp);
-
/* At this point, the usual spot doesn't have an selinuxfs so
* we look around for it */
fp = fopen("/proc/mounts", "r");
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 868660f..f569664 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -380,7 +380,7 @@ int selinux_init_load_policy(int *enforce)
}
if (! mntpoint ) {
- if (errno == ENODEV) {
+ if (errno == ENODEV || !selinuxfs_exists()) {
/*
* SELinux was disabled in the kernel, either
* omitted entirely or disabled at boot via selinux=0.
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 806e87c..710396a 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -5,6 +5,7 @@
hidden_proto(selinux_mkload_policy)
hidden_proto(fini_selinuxmnt)
hidden_proto(set_selinuxmnt)
+ hidden_proto(selinuxfs_exists)
hidden_proto(security_disable)
hidden_proto(security_policyvers)
hidden_proto(security_load_policy)
--
1.7.7
