On Mon, 2017-04-17 at 10:40 -0400, Daniel Walsh wrote:
> On 04/17/2017 09:34 AM, Stephen Smalley wrote:
> > > On Sat, 2017-04-15 at 06:23 -0400, Daniel Walsh wrote:
> > > I believe that libselinux still reports that the system is running
> > > with SELinux, if the selinuxfs is not mounted inside of the container
> > > at all.
> > 
> > Not after the commit referenced in the subject line; you removed the
> > fallback code to check /proc/filesystems for selinuxfs from
> > is_selinux_enabled(), so if selinuxfs is not mounted at all, it will
> > return 0 (not enabled).  On non-Android, you can also cause
> > is_selinux_enabled() to return 0 by not providing an
> > /etc/selinux/config file in your container's root directory (see
> > commit c08c4eacab8d55598b9e5caaef8a871a7a476cab), i.e. as long as you
> > do not install selinux-policy in your container root, then it will
> > return disabled.
> 
> That seems to be a chancy way of handling this, since I can see it as
> pretty easy to accidentally pull in the selinux-policy package into a
> container and then the container gets /etc/selinux/config and stuff
> starts blowing up.  Not sure why the availability of this file should
> indicate selinux is enabled.

The existence of /etc/selinux/config is necessary but not sufficient;
is_selinux_enabled() only returns 1 if selinuxfs is mounted (read-write
with the current logic) _and_ (on non-Android) if /etc/selinux/config
exists.  The /etc/selinux/config test was added to avoid a regression
when we dropped the old no-policy-loaded test.

In any event, not mounting selinuxfs within the container would suffice
to cause is_selinux_enabled() to return 0.
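An added example, not libselinux code and not part of the thread: a small model of the decision rule described above (selinuxfs mounted read-write, and on non-Android /etc/selinux/config present), fed with constructed /proc/mounts samples so it can be checked offline before building a container image. The function names, the "Android" flag and the sample mount tables are assumptions for illustration; real libselinux inspects the live /proc/mounts and the real config file.

```c
/* Added example, not libselinux code: models the is_selinux_enabled()
 * rule described in the thread using constructed input, so that the
 * three container cases (no selinuxfs, read-only selinuxfs, read-write
 * selinuxfs) can be compared without a SELinux-capable host. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Scan a /proc/mounts-style buffer for a selinuxfs entry.
 * Returns 0 if none, 1 if mounted read-only, 2 if mounted read-write. */
static int selinuxfs_mount_state(const char *mounts)
{
    const char *line = mounts;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* /proc/mounts fields: device mountpoint fstype options dump pass */
        char dev[128], mnt[128], fstype[64], opts[256];
        if (sscanf(buf, "%127s %127s %63s %255s", dev, mnt, fstype, opts) == 4 &&
            strcmp(fstype, "selinuxfs") == 0) {
            /* options are comma separated; the first is "rw" or "ro" */
            if (strncmp(opts, "rw", 2) == 0 && (opts[2] == ',' || opts[2] == '\0'))
                return 2;
            return 1;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Model of the rule stated in the thread (hypothetical name): enabled only
 * when selinuxfs is mounted read-write AND, on non-Android, the file
 * /etc/selinux/config exists. 'config_exists' and 'android' stand in for
 * the checks libselinux performs against the real filesystem. */
static int model_is_selinux_enabled(const char *mounts, bool config_exists,
                                    bool android)
{
    if (selinuxfs_mount_state(mounts) != 2)
        return 0;
    if (!android && !config_exists)
        return 0;
    return 1;
}

/* Constructed /proc/mounts samples (not captured from a real system). */
static const char host_mounts[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";
static const char container_ro_mounts[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0\n";
static const char container_none_mounts[] =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n";

int main(void)
{
    printf("host, config present:          %d\n",
           model_is_selinux_enabled(host_mounts, true, false));
    printf("host, no /etc/selinux/config:  %d\n",
           model_is_selinux_enabled(host_mounts, false, false));
    printf("container, selinuxfs ro:       %d\n",
           model_is_selinux_enabled(container_ro_mounts, true, false));
    printf("container, no selinuxfs:       %d\n",
           model_is_selinux_enabled(container_none_mounts, true, false));
    return 0;
}
```

The model makes the point of the reply concrete: leaving selinuxfs unmounted (or mounted read-only) in the container is what flips the result to 0, independent of whether a policy package happened to drop /etc/selinux/config into the image.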

_______________________________________________
Selinux mailing list
[email protected]