On 04/17/2015 03:42 PM, Stephen Smalley wrote: > SELinux can be disabled via the selinux=0 kernel parameter or via > /sys/fs/selinux/disable (triggered by setting SELINUX=disabled in > /etc/selinux/config). In either case, selinuxfs will be unmounted > and unregistered and therefore it is sufficient to check for the > selinuxfs mount. We do not need to check for no-policy-loaded and > treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2 > days. Drop the no-policy-loaded test, which was a bit of a hack anyway > (checking whether getcon_raw() returned "kernel" as that can only happen > if no policy is yet loaded and therefore security_sid_to_context() only > has the initial SID name available to return as the context). > > May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074 > by virtue of removing the call to getcon_raw() and therefore avoiding > use of tls on is_selinux_enabled() calls. Regardless, it will make > is_selinux_enabled() faster and simpler. > This patch breaks system with SELinux enabled kernel and without loaded/installed an SELinux policy, see [1]. Would it be feasible to have is_selinux_enabled() connected to existence of SELINUX variable in /etc/selinux/config file for the cases when there's no specific kernel command line option used in running system? Or would it break something else? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1219045 Thanks, Petr -- Petr Lautrbach
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
