mount: (new) add selinux warning
Signed-off-by: Karel Zak <kzak@redhat.com>
This commit is contained in:
Karel Zak
parent
c0d2c6e11c
commit
4e45dfb9a6
|
|
@ -66,7 +66,7 @@ mount_SOURCES = mount.c \
|
|||
$(top_srcdir)/lib/xgetpass.c \
|
||||
$(top_srcdir)/lib/strutils.c
|
||||
|
||||
mount_LDADD = $(ul_libmount_la)
|
||||
mount_LDADD = $(ul_libmount_la) $(SELINUX_LIBS)
|
||||
mount_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) -I$(ul_libmount_incdir)
|
||||
mount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
|
||||
|
||||
|
|
@ -80,7 +80,7 @@ bin_PROGRAMS += mount.static
|
|||
mount_static_SOURCES = $(mount_SOURCES)
|
||||
mount_static_CFLAGS = $(mount_CFLAGS)
|
||||
mount_static_LDFLAGS = $(mount_LDFLAGS) -all-static
|
||||
mount_static_LDADD = $(mount_LDADD)
|
||||
mount_static_LDADD = $(mount_LDADD) $(SELINUX_LIBS_STATIC)
|
||||
endif
|
||||
|
||||
if HAVE_STATIC_UMOUNT
|
||||
|
|
@ -90,7 +90,6 @@ umount_static_CFLAGS = $(umount_CFLAGS)
|
|||
umount_static_LDFLAGS = $(umount_LDFLAGS) -all-static
|
||||
umount_static_LDADD = $(umount_LDADD)
|
||||
endif
|
||||
|
||||
endif # BUILD_NEW_MOUNT
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -258,6 +258,37 @@ static int handle_generic_errors(int rc, const char *msg)
|
|||
return EX_FAIL;
|
||||
}
|
||||
|
||||
#if defined(HAVE_LIBSELINUX) && defined(HAVE_SECURITY_GET_INITIAL_CONTEXT)
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/context.h>
|
||||
|
||||
static void selinux_warning(struct libmnt_context *cxt, const char *tgt)
|
||||
{
|
||||
|
||||
if (tgt && mnt_context_is_verbose(cxt) && is_selinux_enabled() > 0) {
|
||||
security_context_t raw = NULL, def = NULL;
|
||||
|
||||
if (getfilecon(tgt, &raw) > 0
|
||||
&& security_get_initial_context("file", &def) == 0) {
|
||||
|
||||
if (!selinux_file_context_cmp(raw, def))
|
||||
printf(_(
|
||||
"mount: %s does not contain SELinux labels.\n"
|
||||
" You just mounted an file system that supports labels which does not\n"
|
||||
" contain labels, onto an SELinux box. It is likely that confined\n"
|
||||
" applications will generate AVC messages and not be allowed access to\n"
|
||||
" this file system. For more details see restorecon(8) and mount(8).\n"),
|
||||
tgt);
|
||||
}
|
||||
freecon(raw);
|
||||
freecon(def);
|
||||
}
|
||||
}
|
||||
#else
|
||||
# define selinux_warning(_x)
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* rc = 0 success
|
||||
* <0 error (usually -errno or -1)
|
||||
|
|
@ -282,11 +313,14 @@ try_readonly:
|
|||
*/
|
||||
return mnt_context_get_helper_status(cxt);
|
||||
|
||||
if (rc == 0 && mnt_context_get_status(cxt) == 1)
|
||||
if (rc == 0 && mnt_context_get_status(cxt) == 1) {
|
||||
/*
|
||||
* Libmount success && syscall success.
|
||||
*/
|
||||
selinux_warning(cxt, tgt);
|
||||
|
||||
return EX_SUCCESS; /* mount(2) success */
|
||||
}
|
||||
|
||||
if (!mnt_context_syscall_called(cxt)) {
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in New Issue