On 05/28/2015 02:06 PM, Laurent Bigonville wrote:
> Hello,
>
> In procps(-ng)[0] when the use of libselinux is enabled at build time,
> it always uses getpidcon() even if another (or no) LSM is enabled.
>
> I tried to use getpidcon() (via the cmd tool getpidcon) with apparmor
> enabled instead of selinux, and it returned the apparmor context.
> Is this expected and can we rely on this?

Fundamentally, getpidcon() just reads the value of
/proc/pid/attr/current into a dynamically allocated buffer and returns
it. That part should work for any security module. The only other
thing getpidcon() does is pass the context to mcstransd for context
translation if mcstransd is running. That could potentially break if
you happen to be running mcstransd on a non-SELinux system, although I
don't know why anyone would. Possibly we ought to have mcstransd test
is_selinux_enabled() and bail immediately if it is disabled just to
preclude that.

> Otherwise, I've prepared the attached patch. Would this patch be
> acceptable?
>
> Cheers,
>
> Laurent Bigonville
>
> [0] https://gitlab.com/procps-ng/procps/blob/master/ps/output.c#L1237
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.