-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/29/2011 11:07 AM, Stephen Smalley wrote: > On Fri, 2011-04-29 at 00:37 +0200, Michał Piotrowski wrote: >> Hi, >> >> I think it's a very good decision - I never understood why selinux dir >> is directly under /. > > I guess I missed some discussion of this. You'd need to update > libselinux at least, definition of SELINUXMNT in > libselinux/src/policy.h, used by selinux_init_load_policy() to mount > selinuxfs for initial policy load. And it may break rc scripts and > other scripts/programs that have become accustomed to /selinux. >
Here is the patch I am thinking about. I think mock might need to be updated, maybe livecd tools. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk2615cACgkQrlYvE4MpobPYlQCfeB3H0/eTVITUbOkv66/P+0DB 7pAAn3nYJZSDLyJnDv7+VXwTlZQ3TW9R =2hkb -----END PGP SIGNATURE-----
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..43aa296 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -45,6 +45,18 @@ static void init_selinuxmnt(void)
}
}
+ /* We check to see if the original mount point for selinux file
+ * system has a selinuxfs. */
+ do {
+ rc = statfs("/selinux", &sfbuf);
+ } while (rc < 0 && errno == EINTR);
+ if (rc == 0) {
+ if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+ selinux_mnt = strdup("/selinux");
+ return;
+ }
+ }
+
/* Drop back to detecting it the long way. */
fp = fopen("/proc/filesystems", "r");
if (!fp)
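Review bot: The result of `strdup("/selinux")` in the added block is not checked before the `return`, so an allocation failure leaves `selinux_mnt` NULL and also skips the /proc-based detection that follows. Code that reads a NULL `selinux_mnt` as "selinuxfs is not mounted" would then presumably treat SELinux as absent even though the magic check just succeeded; this is inferred, since those readers are outside the hunk. Returning only on success keeps the fallback reachable: `selinux_mnt = strdup("/selinux"); if (selinux_mnt) return;`. The start of init_selinuxmnt is outside the hunk, so the earlier probe of SELINUXMNT may need the same treatment.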
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..4078f69 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
* Check for the existence of SELinux via selinuxfs, and
* mount it if present for use in the calls below.
*/
- if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno !=
EBUSY) {
+ char *mntpoint = NULL;
+ if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) == 0 || errno ==
EBUSY) {
+ mntpoint = SELINUXMNT;
+ } else {
+ /* check old mountpoint */
+ if (mount("selinuxfs", "/selinux", "selinuxfs", 0, 0) == 0 ||
errno == EBUSY) {
+ mntpoint = "/selinux";
+ }
+ }
+
+ if (! mntpoint ) {
if (errno == ENODEV) {
/*
* SELinux was disabled in the kernel, either
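Review bot: The `errno == ENODEV` test under `if (! mntpoint )` now sees the errno left by the fallback `mount()` on "/selinux", not the one from the attempt on SELINUXMNT, because the second call overwrites it. If the legacy directory is missing, the fallback can fail with a path error such as ENOENT, so the "SELinux was disabled in the kernel" branch may be skipped even when the first attempt did report ENODEV; how the kernel orders these errors is not visible here, so treat this as a case to test. Saving the first result with `int first_errno = errno;` before the fallback and testing `if (errno == ENODEV || first_errno == ENODEV)` makes the decision independent of which directory exists. `mntpoint` only ever holds string literals and would be better declared `const char *mntpoint = NULL;` if set_selinuxmnt() accepts a const pointer. The body of the ENODEV branch continues outside the hunk.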
@@ -384,8 +394,8 @@ int selinux_init_load_policy(int *enforce)
}
goto noload;
- }
- set_selinuxmnt(SELINUXMNT);
+ }
+ set_selinuxmnt(mntpoint);
/*
* Note: The following code depends on having selinuxfs
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
rc = security_disable();
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
- umount(SELINUXMNT);
+ umount(selinux_mnt);
fini_selinuxmnt();
}
/*
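Review bot: The return value of `umount(selinux_mnt)` is still ignored, and with two candidate mount points a failure here is harder to diagnose than before. If the unmount fails, selinuxfs stays mounted at whichever path was chosen while `fini_selinuxmnt()` clears the library's record of it. Either check the result or document the choice on that line, for example `/* best effort: selinuxfs may remain mounted if this fails */`. The surrounding function body lies outside the hunk, so whether a later step would notice the stale mount cannot be told from here.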
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..76f968e 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -13,7 +13,7 @@
#define SELINUX_MAGIC 0xf97cff8c
/* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
/* selinuxfs mount point */
extern char *selinux_mnt;
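Review bot: The legacy path is left as a bare "/selinux" literal now that SELINUXMNT points at /sys/fs/selinux; it appears twice in the init.c hunk and twice in the first load_policy.c hunk. A second macro beside this one, for example `/* Legacy selinuxfs mount point, probed as a fallback */` followed by `#define OLDSELINUXMNT "/selinux"`, would keep the statfs probe and the mount fallback in step if the legacy location is ever changed or dropped.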
libselinux-mountpoint.patch.sig
Description: PGP signature
