On 04/17/2017 09:34 AM, Stephen Smalley wrote:
> On Sat, 2017-04-15 at 06:23 -0400, Daniel Walsh wrote:
>> I believe that libselinux still reports that the system is running
>> with SELinux, if the selinuxfs is not mounted
>> inside of the container at all.
> Not after the commit referenced in the subject line; you removed the
> fallback code to check /proc/filesystems for selinuxfs from
> is_selinux_enabled(), so if selinuxfs is not mounted at all, it will
> return 0 (not enabled). On non-Android, you can also cause
> is_selinux_enabled() to return 0 by not providing an
> /etc/selinux/config file in your container's root directory (see commit
> c08c4eacab8d55598b9e5caaef8a871a7a476cab), i.e. as long as you do not
> install selinux-policy in your container root, then it will return
> disabled.
> _______________________________________________
> Selinux mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].

That seems to be a chancy way of handling this, since I can see it as pretty easy to accidentally pull the selinux-policy package into a container, and then the container gets /etc/selinux/config and stuff starts blowing up. Not sure why the availability of this file should indicate SELinux is enabled.
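The following is an added example, not code from this thread or from libselinux. It mirrors the two conditions Stephen describes for the non-Android is_selinux_enabled() after the referenced commits (selinuxfs present in the mount table, and /etc/selinux/config present under the root) as a small shell checker, so you can see which of the two flips a container's answer, e.g. after selinux-policy is pulled into an image by accident. The mount-table lines and directory layouts it builds are constructed fixtures; the real library reads its own view of /proc/mounts, so treat this as a diagnostic that follows the description above, not as the library's implementation.

```sh
#!/bin/sh
# Added example, not code from the thread or from libselinux. It mirrors the
# two conditions described for is_selinux_enabled() on non-Android:
# selinuxfs appears in the mount table AND ROOT/etc/selinux/config exists.
# MOUNTS is a file in /proc/mounts format; ROOT is a container root.

# selinuxfs_mounted MOUNTS -> succeeds if any mount entry has fstype selinuxfs
selinuxfs_mounted() {
    # /proc/mounts fields: device mountpoint fstype options freq passno
    awk '$3 == "selinuxfs" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# config_present ROOT -> succeeds if ROOT/etc/selinux/config exists
config_present() {
    [ -e "$1/etc/selinux/config" ]
}

# reported_enabled MOUNTS ROOT -> prints 1 if both checks pass, else 0
reported_enabled() {
    if selinuxfs_mounted "$1" && config_present "$2"; then
        echo 1
    else
        echo 0
    fi
}

# diagnose MOUNTS ROOT -> one line naming the check that decided the answer
diagnose() {
    if ! selinuxfs_mounted "$1"; then
        echo "disabled: no selinuxfs in mount table"
    elif ! config_present "$2"; then
        echo "disabled: $2/etc/selinux/config missing (no selinux-policy installed?)"
    else
        echo "enabled: selinuxfs mounted and $2/etc/selinux/config present"
    fi
}

# make_fixtures -> builds constructed mount tables and roots under a temp dir
# and prints that dir. These lines are made up for the demonstration.
make_fixtures() {
    d=$(mktemp -d)
    printf 'selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n' > "$d/mounts_with_fs"
    printf 'overlay / overlay rw,relatime 0 0\nproc /proc proc rw 0 0\n' > "$d/mounts_without_fs"
    mkdir -p "$d/root_with_policy/etc/selinux" "$d/root_bare/etc"
    : > "$d/root_with_policy/etc/selinux/config"
    echo "$d"
}

# Stand-alone run (sh check.sh --demo): show all four combinations, then the
# live system if /proc/mounts is readable.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixtures)
    for m in mounts_with_fs mounts_without_fs; do
        for r in root_with_policy root_bare; do
            printf '%-18s %-17s -> %s\n' "$m" "$r" "$(diagnose "$fx/$m" "$fx/$r")"
        done
    done
    [ -r /proc/mounts ] && printf '%-18s %-17s -> %s\n' "this system" "/" "$(diagnose /proc/mounts /)"
    rm -rf "$fx"
fi
```

Run inside the container under test with `sh check.sh --demo`; the last line tells you whether it is the missing selinuxfs mount or the missing /etc/selinux/config that makes the library report SELinux as disabled. Android builds skip the config-file check per the thread, so only the mount-table condition applies there.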
