Re: let's revert e3cab998b48ab293a9962faf9779d70ca339c65d

On 04/17/2017 09:34 AM, Stephen Smalley wrote:
> On Sat, 2017-04-15 at 06:23 -0400, Daniel Walsh wrote:
>> I believe that libselinux still reports that the system is running
>> with
>> SELinux, if the selinuxfs is not mounted
>> inside of the container at all.
> Not after the commit referenced in the subject line; you removed the
> fallback code to check /proc/filesystems for selinuxfs from
> is_selinux_enabled(), so if selinuxfs is not mounted at all, it will
> return 0 (not enabled).  On non-Android, you can also cause
> is_selinux_enabled() to return 0 by not providing an
> /etc/selinux/config file in your container's root directory (see commit
>  
> c08c4eacab8d55598b9e5caaef8a871a7a476cab), i.e. as long as you do not
> install selinux-policy in your container root, then it will return
> disabled.
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
>
That seems to be a chancy way of handling this.  Since I can see it as
pretty easy to accidentally pull in the selinux-policy package into a
container and then the container gets /etc/selinux/config and stuff
starts blowing up.  Not sure why the availability of this file should
indicate selinux is enabled.

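Added example, not libselinux code and not posted by anyone in this thread: a small C model of the decision Stephen describes above, so the two conditions (selinuxfs present in the mount table, /etc/selinux/config present in the container root) can be exercised offline and then probed live. The /proc/mounts samples are constructed, the function names are invented for this example, and the rule that both conditions must hold on non-Android is an assumption drawn from the thread, not a reading of the library source.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed /proc/mounts samples (illustrative, not captured from a real host).
   The first is a container with no selinuxfs mount; the second has it mounted
   read-only at its usual path. */
const char *sample_mounts_no_selinuxfs =
    "overlay / overlay rw,relatime,lowerdir=/var/lib/example 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n";

const char *sample_mounts_with_selinuxfs =
    "overlay / overlay rw,relatime,lowerdir=/var/lib/example 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";

/* Return 1 if one /proc/mounts line describes a selinuxfs mount (the third
   field is the filesystem type); copy the mount point into mnt_out when given. */
int line_is_selinuxfs(const char *line, char *mnt_out, size_t mnt_len)
{
    char dev[128], dir[256], type[64];
    if (sscanf(line, "%127s %255s %63s", dev, dir, type) != 3)
        return 0;
    if (strcmp(type, "selinuxfs") != 0)
        return 0;
    if (mnt_out && mnt_len)
        snprintf(mnt_out, mnt_len, "%s", dir);
    return 1;
}

/* Scan /proc/mounts-formatted text for a selinuxfs mount. This is the only
   mount discovery the model does: the /proc/filesystems fallback that the
   thread says was removed is deliberately not present here. */
int selinuxfs_mounted_in(const char *mounts, char *mnt_out, size_t mnt_len)
{
    const char *p = mounts;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;   /* overlong line: the three leading fields still fit */
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (line_is_selinuxfs(buf, mnt_out, mnt_len))
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Model (an assumption for this example, not libselinux's own code) of the
   decision described in the thread: enabled only if selinuxfs is mounted and,
   on non-Android builds, /etc/selinux/config exists in the root. Inputs are
   parameters so the rule can be exercised without a real container. */
int model_is_selinux_enabled(const char *mounts, int config_present, int android)
{
    if (!selinuxfs_mounted_in(mounts, NULL, 0))
        return 0;               /* no selinuxfs mount -> reported as disabled */
    if (!android && !config_present)
        return 0;               /* no policy config in this root -> reported as disabled */
    return 1;
}

/* Live probe of the calling environment: reads the real /proc/mounts line by
   line and stats /etc/selinux/config. Returns -1 if /proc/mounts is unreadable. */
int probe_live(char *mnt_out, size_t mnt_len)
{
    FILE *f = fopen("/proc/mounts", "r");
    if (!f)
        return -1;
    char line[1024];
    int mounted = 0;
    while (!mounted && fgets(line, sizeof line, f))
        mounted = line_is_selinuxfs(line, mnt_out, mnt_len);
    fclose(f);
    struct stat st;
    int config_present = stat("/etc/selinux/config", &st) == 0;
    return mounted && config_present;
}

int main(void)
{
    char mnt[256] = "(none)";
    int r = probe_live(mnt, sizeof mnt);
    if (r < 0)
        printf("cannot read /proc/mounts\n");
    else
        printf("selinuxfs mount: %s; modelled is_selinux_enabled(): %d\n", mnt, r);
    return 0;
}
```

Compiled and run inside a container image during a build, the live probe shows whether adding a package that ships /etc/selinux/config flipped the modelled answer from 0 to 1, which is the accidental case Dan raises; the offline model makes the same point without needing a container at all.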


