Hello,

libselinux sets selinux_mnt and has_selinux_config only in its constructor, and is_selinux_enabled() and others just use selinux_mnt to check if SELinux is enabled. But it doesn't work correctly when you use chroot() to a directory without /proc and /sys/fs/selinux mounted, as was discovered in https://bugzilla.redhat.com/show_bug.cgi?id=1321375

In this case, is_selinux_enabled() after chroot() returns true, while in a new program run from the chrooted process it returns false. It can be demonstrated by the steps below.

The solution could be to check if selinux_mnt still exists whenever a function depending on this is called. Would this be acceptable?

$ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd
$ cat > test_libselinux.c <<EOF
#include <selinux/selinux.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    pid_t pid;
    int wstatus;

    /* Child re-exec'd inside the chroot: libselinux runs its constructor
     * afresh here, with no /sys/fs/selinux in sight. */
    if (argc > 1) {
        printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
        return 0;
    }

    if (chroot("/var/lib/machines/example") != 0)
        return -1;

    /* Same process, after chroot(): libselinux still uses the selinux_mnt
     * it cached at startup, even though the path no longer exists here. */
    printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
    printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
    printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));

    /* Run ourselves again from inside the chroot with an extra argument. */
    if ((pid = fork()) == 0) {
        execv("./test_is_selinux_enabled",
              (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL });
        _exit(127); /* only reached if execv() fails */
    }
    wait(&wstatus);
    return 0;
}
EOF
$ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
$ sudo ./test_is_selinux_enabled
SELinux in process after chroot(): 1
/sys/fs/selinux exists: -1
/etc/selinux/config exists: -1
SELinux in chrooted process: 0
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
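Added example (not part of the mail above and not libselinux code): a small model of the caching problem it describes and of the proposed fix. A mount point is captured once at initialisation, the way libselinux's constructor captures selinux_mnt; the "cached" check trusts that value forever, while the "rechecked" check re-validates the path on every call. All function and variable names here are invented for the example, and a scratch directory stands in for /sys/fs/selinux so the demonstration runs without root and without a chroot.

```c
/* Added example, not libselinux: models a cached selinuxfs mount point
 * versus one that is re-validated on every call. Names are invented. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mount point captured once, mirroring libselinux's global selinux_mnt. */
static char *cached_selinux_mnt = NULL;

/* One-time initialisation: remember the mount point if it is a directory.
 * Returns 1 on success, 0 if the path is unusable. */
int example_init_selinuxfs(const char *mnt)
{
    struct stat st;

    free(cached_selinux_mnt);
    cached_selinux_mnt = NULL;
    if (stat(mnt, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    cached_selinux_mnt = strdup(mnt);
    return cached_selinux_mnt != NULL;
}

/* Current behaviour: trusts the value captured at init, whatever has
 * happened to the filesystem view since (chroot, unmount). */
int example_is_enabled_cached(void)
{
    return cached_selinux_mnt != NULL;
}

/* Proposed behaviour: re-validate the cached mount point on every call,
 * so a chroot() into a tree without selinuxfs is noticed. */
int example_is_enabled_rechecked(void)
{
    struct stat st;

    if (cached_selinux_mnt == NULL)
        return 0;
    if (stat(cached_selinux_mnt, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return 1;
}

/* Demonstration on a constructed scratch directory: it stands in for
 * /sys/fs/selinux and is removed to simulate the view from inside an
 * unprepared chroot. Returns 1 when the cached answer went stale while
 * the rechecked answer tracked reality, -1 on setup failure, 0 otherwise. */
int example_demo(void)
{
    char tmpl[] = "/tmp/selinuxfs-example-XXXXXX";
    char *dir = mkdtemp(tmpl);
    int cached_after, rechecked_after;

    if (dir == NULL)
        return -1;
    if (!example_init_selinuxfs(dir))
        return -1;
    /* Both checks agree while the mount point is visible. */
    if (!example_is_enabled_cached() || !example_is_enabled_rechecked())
        return -1;

    rmdir(dir); /* the mount point disappears from this process's view */
    cached_after = example_is_enabled_cached();
    rechecked_after = example_is_enabled_rechecked();
    printf("cached: %d  rechecked: %d\n", cached_after, rechecked_after);

    return cached_after == 1 && rechecked_after == 0;
}

int main(void)
{
    return example_demo() == 1 ? 0 : 1;
}
```

The stat() on each call is the cost of the proposed approach; in return, a program that chroots after libselinux initialised would get the same answer from is_selinux_enabled() as a freshly exec'd program inside the chroot, which is the inconsistency the mail reports.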