On 04/17/2017 10:49 AM, Stephen Smalley wrote:
> On Mon, 2017-04-17 at 10:40 -0400, Daniel Walsh wrote:
>> On 04/17/2017 09:34 AM, Stephen Smalley wrote:
>>> On Sat, 2017-04-15 at 06:23 -0400, Daniel Walsh wrote:
>>>> I believe that libselinux still reports that the system is running
>>>> with SELinux, if the selinuxfs is not mounted inside of the container
>>>> at all.
>>> Not after the commit referenced in the subject line; you removed the
>>> fallback code to check /proc/filesystems for selinuxfs from
>>> is_selinux_enabled(), so if selinuxfs is not mounted at all, it will
>>> return 0 (not enabled). On non-Android, you can also cause
>>> is_selinux_enabled() to return 0 by not providing an
>>> /etc/selinux/config file in your container's root directory (see
>>> commit c08c4eacab8d55598b9e5caaef8a871a7a476cab), i.e. as long as you
>>> do not install selinux-policy in your container root, then it will
>>> return disabled.
>> That seems to be a chancy way of handling this, since I can see it as
>> pretty easy to accidentally pull in the selinux-policy package into a
>> container and then the container gets /etc/selinux/config and stuff
>> starts blowing up. Not sure why the availability of this file should
>> indicate selinux is enabled.
> The existence of /etc/selinux/config is necessary but not sufficient;
> is_selinux_enabled() only returns 1 if selinuxfs is mounted (read-write
> with the current logic) _and_ (on non-Android) if /etc/selinux/config
> exists. The /etc/selinux/config test was added to avoid a regression
> when we dropped the old no-policy-loaded test.
>
> In any event, not mounting selinuxfs within the container would suffice
> to cause is_selinux_enabled() to return 0.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
If that is the case, then I have no problem removing the read-only check. We can make sure /sys/fs/selinux is not mounted into the container.
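The rule Stephen spells out above (enabled only if selinuxfs is mounted read-write and, on non-Android, /etc/selinux/config exists) is easy to get wrong when building container images, so here is an added example, not libselinux code and not part of the thread, that mirrors that decision over /proc/mounts-formatted text and can also be run inside a container to confirm that leaving /sys/fs/selinux unmounted yields "disabled". The function names, the sample mount lines and the 64 KiB read buffer are this example's own assumptions; it models the read-write requirement as the thread states it at this point in the discussion.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not libselinux code. Mirrors the is_selinux_enabled()
 * decision as described in the thread: enabled only when selinuxfs is
 * mounted read-write AND (on non-Android builds) /etc/selinux/config
 * exists. All names below are this example's own. */

enum selinuxfs_state { SELINUXFS_ABSENT = 0, SELINUXFS_RO = 1, SELINUXFS_RW = 2 };

/* Constructed /proc/mounts samples: selinuxfs read-write, selinuxfs
 * read-only, and no selinuxfs at all (a container without the mount). */
static const char SAMPLE_MOUNTS_RW[] =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
static const char SAMPLE_MOUNTS_RO[] =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";
static const char SAMPLE_MOUNTS_NONE[] =
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Scan /proc/mounts-formatted text for a selinuxfs entry and report
 * whether it is absent, mounted read-only, or mounted read-write. */
int selinuxfs_state_from_mounts(const char *mounts_text)
{
    const char *p = mounts_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (nl)
            p++;

        /* Fields: device mountpoint fstype options dump pass */
        char dev[128], mnt[256], fstype[64], opts[256];
        if (sscanf(line, "%127s %255s %63s %255s", dev, mnt, fstype, opts) != 4)
            continue;
        if (strcmp(fstype, "selinuxfs") != 0)
            continue;
        /* The kernel prints rw or ro as the first option of every entry. */
        if (strncmp(opts, "rw", 2) == 0 && (opts[2] == '\0' || opts[2] == ','))
            return SELINUXFS_RW;
        return SELINUXFS_RO;
    }
    return SELINUXFS_ABSENT;
}

/* The combined rule from the thread, parameterised so it can be exercised
 * against the constructed samples above. */
int emulate_is_selinux_enabled(const char *mounts_text, int config_present, int android)
{
    if (selinuxfs_state_from_mounts(mounts_text) != SELINUXFS_RW)
        return 0;
    if (!android && !config_present)
        return 0;
    return 1;
}

/* Live version for the current mount namespace: run inside a container to
 * check that the image really reports "disabled" (0). Returns -1 if
 * /proc/self/mounts cannot be read. */
int live_container_check(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int config_present = access("/etc/selinux/config", F_OK) == 0;
    return emulate_is_selinux_enabled(buf, config_present, /* android = */ 0);
}

int main(void)
{
    printf("constructed rw sample + config: %d\n",
           emulate_is_selinux_enabled(SAMPLE_MOUNTS_RW, 1, 0));
    printf("constructed rw sample, no config: %d\n",
           emulate_is_selinux_enabled(SAMPLE_MOUNTS_RW, 0, 0));
    printf("constructed sample without selinuxfs: %d\n",
           emulate_is_selinux_enabled(SAMPLE_MOUNTS_NONE, 1, 0));
    printf("this mount namespace: %d\n", live_container_check());
    return 0;
}
```

The constructed samples show both halves of the rule: the read-write mount alone is not enough on non-Android without /etc/selinux/config, and the config file alone is not enough without the mount, which is exactly why Dan's concern about accidentally pulling selinux-policy into an image does not by itself flip the result as long as /sys/fs/selinux stays unmounted.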