The kernel only supports seclabel if it is >= 2.6.30 _and_
SELinux is enabled, since seclabel is generated by SELinux
based partly on policy (e.g. is the filesystem type configured in policy
with a labeling behavior that supports userspace labeling). For some
reason, when this logic was moved from setfiles to libselinux,
the test of whether SELinux was enabled was dropped. Restore it.
This is necessary to enable use of setfiles on non-SELinux hosts
without requiring explicit use of the -m option.
Fixes: 602347c7422e971a5674fe2767267a96e3b4f61c ("policycoreutils: setfiles - Modify to use selinux_restorecon")
Reported-by: sajjad ahmed <[email protected]>
Signed-off-by: Stephen Smalley <[email protected]>
Cc: Richard Haines <[email protected]>
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c
b/libselinux/src/selinux_restorecon.c
index 41f22250..34a6408a 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -241,6 +241,8 @@ static int exclude_non_seclabel_mounts(void)
/* Check to see if the kernel supports seclabel */
if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
return 0;
+ if (is_selinux_enabled() <= 0)
+ return 0;
fp = fopen("/proc/mounts", "re");
if (!fp)
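Review bot: The added is_selinux_enabled() <= 0 test in exclude_non_seclabel_mounts() has no comment of its own, and the existing comment above it ("Check to see if the kernel supports seclabel") reads as covering only the uname()/strverscmp() version check. Suggest extending that comment to say that seclabel requires both a >= 2.6.30 kernel and SELinux being enabled, as the commit message explains, so the check is not dropped again in a later refactor. Also, <= 0 treats the -1 error return of is_selinux_enabled() the same as "disabled", so a failure to determine SELinux state silently returns 0 and skips the seclabel exclusion; if that is intended, say so in the comment.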
--
2.14.4
_______________________________________________
Selinux mailing list
[email protected]