bug-coreutils


Re: [PATCH]: chcon: no longer abort on SELinux disabled kernel


From: Jim Meyering
Subject: Re: [PATCH]: chcon: no longer abort on SELinux disabled kernel
Date: Tue, 06 Oct 2009 10:14:19 +0200

Jim Meyering wrote:
> Stephen Smalley wrote:
> ...
>> Must have previously booted an ancient kernel with SELinux permissive
>> and no policy loaded.  Kernel was fixed by the commit below in 2006.
>> I'd recommend that he run the following to clean up the droppings in his
>> filesystem:
>> find / \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 \) -exec setfattr -x security.selinux {} \;
>>
>> commit 8aad38752e81d1d4de67e3d8e2524618ce7c9276
>> Author: Stephen Smalley <address@hidden>
>> Date:   Wed Mar 22 00:09:13 2006 -0800
>>
>>     [PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded
>
> Thanks for the quick explanation!

I've revised the commit not to say anything in NEWS
and to expand the log message.  While the exit-early
change doesn't solve the problem in all cases, it is useful
and does make chcon consistent with runcon in that respect.

From 3a97d664b9f639fddb5a245775f47d27bfbb56c9 Mon Sep 17 00:00:00 2001
From: Ondřej Vašík <address@hidden>
Date: Mon, 5 Oct 2009 09:20:48 +0200
Subject: [PATCH] chcon: exit immediately if SELinux is disabled

This change happens to avoid an abort in chcon when SELinux is
disabled while operating on a file with an "unlabeled" context from
back in 2006.  However, that same abort can still be triggered by the
same file when running chcon with SELinux enabled.  This bug in chcon
will be fixed in a subsequent commit via a getfilecon wrapper.  See
http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/18378/focus=18384
for how to correct your disk attributes to avoid triggering this bug.
* src/chcon.c (main): Exit immediately if SELinux is disabled.
Reported in http://bugzilla.redhat.com/527142 by Yanko Kaneti.
* src/runcon.c (main): Do not hardcode program name in error message.
* THANKS: Update.
---
 THANKS       |    1 +
 src/chcon.c  |    4 ++++
 src/runcon.c |    2 +-
 3 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/THANKS b/THANKS
index e0e14e5..65ac1bb 100644
--- a/THANKS
+++ b/THANKS
@@ -612,6 +612,7 @@ Wis Macomson                        address@hidden
 Wojciech Purczynski                 address@hidden
 Wolfram Kleff                       address@hidden
 Won-kyu Park                        address@hidden
+Yanko Kaneti                        address@hidden
 Yann Dirson                         address@hidden
 Zvi Har'El                          address@hidden

diff --git a/src/chcon.c b/src/chcon.c
index fbfdb4d..c0da694 100644
--- a/src/chcon.c
+++ b/src/chcon.c
@@ -519,6 +519,10 @@ main (int argc, char **argv)
       usage (EXIT_FAILURE);
     }

+  if (is_selinux_enabled () != 1)
+    error (EXIT_FAILURE, 0,
+           _("%s may be used only on a SELinux kernel"), program_name);
+
   if (reference_file)
     {
       if (getfilecon (reference_file, &ref_context) < 0)
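Review bot: the `!= 1` test in the new chcon check also treats a -1 return from is_selinux_enabled(), which libselinux documents for the error case, as "not a SELinux kernel", so a broken selinuxfs or /proc lookup gets reported as `%s may be used only on a SELinux kernel`; that matches runcon's existing test and is acceptable, but either say so in the log message or report the -1 case with its own wording so the failure is not misdiagnosed. Placing the check after option parsing is right: `--help` and `--version` keep working on any kernel, and the `getfilecon (reference_file, ...)` call that follows can no longer be reached on a disabled kernel.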
diff --git a/src/runcon.c b/src/runcon.c
index e0019da..f87eada 100644
--- a/src/runcon.c
+++ b/src/runcon.c
@@ -195,7 +195,7 @@ main (int argc, char **argv)

   if (is_selinux_enabled () != 1)
     error (EXIT_FAILURE, 0,
-           _("runcon may be used only on a SELinux kernel"));
+           _("%s may be used only on a SELinux kernel"), program_name);

   if (context)
     {
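Review bot: switching the msgid from `runcon may be used only on a SELinux kernel` to `%s may be used only on a SELinux kernel` makes every existing translation of this string fuzzy in the .po files, although in exchange chcon and runcon now share one translatable string; that trade-off deserves a line in the log message. The `program_name` used here is the same variable the new chcon check prints, so the two messages stay identical.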
--
1.6.5.rc2.204.g8ea19
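The cleanup Stephen Smalley suggests above strips `security.selinux` from every inode on the ext filesystems in one pass. The script below is an added example, not code from the coreutils patch or from anyone in the thread; it assumes GNU findutils and the `getfattr`/`setfattr` tools from the attr package, and the two function names are hypothetical. It generalizes the one-liner in two ways: the attribute name is a parameter, so the helpers can be rehearsed on a harmless `user.*` attribute first, and removal is split into a dry run that only lists the inodes that physically carry the attribute, followed by a pass that strips exactly those, so `setfattr -x` is never run on an inode that never had it.

```shell
#!/bin/sh
# Added example, not code from the coreutils patch or from the thread.
# Assumes GNU findutils and the attr package (getfattr, setfattr); the two
# function names are hypothetical. The attribute name is a parameter so the
# helpers can be rehearsed on a harmless user.* attribute before being pointed
# at security.selinux.

# list_xattr_files ROOT ATTR
#   Print, one per line, every regular file and directory under ROOT (staying
#   on ROOT's filesystem, in the spirit of the -fstype tests in the original
#   command) that physically carries the extended attribute ATTR.
#   A dry run: changes nothing. Paths containing a newline would be
#   misreported; acceptable for a root-run cleanup of your own disk, not for
#   untrusted trees.
list_xattr_files() {
    root=$1
    attr=$2
    # With -d -m PATTERN, getfattr prints a "# file: PATH" header only for
    # entries that have a matching attribute, so non-matching entries are
    # silent. Errors (unreadable entries) are dropped; they are not matches.
    find "$root" -xdev \( -type f -o -type d \) \
        -exec getfattr --absolute-names -d -m "^${attr}\$" -- {} + 2>/dev/null \
      | sed -n 's/^# file: //p'
}

# strip_xattr ROOT ATTR
#   Remove ATTR from exactly the entries list_xattr_files reports, so setfattr
#   never fails with "No such attribute" on entries that never had it.
#   Returns 0 only if every removal succeeded.
strip_xattr() {
    root=$1
    attr=$2
    # The read loop runs in a subshell (it is part of a pipeline), so the
    # failure count is passed back on stdout rather than in a variable.
    failed=$(list_xattr_files "$root" "$attr" | {
        n=0
        while IFS= read -r path; do
            setfattr -x "$attr" -- "$path" || n=$((n + 1))
        done
        echo "$n"
    })
    [ "$failed" -eq 0 ]
}

# Usage, as root, once the dry-run output has been reviewed:
#   list_xattr_files / security.selinux    # dry run, prints candidates only
#   strip_xattr / security.selinux         # removes the attribute from them
```

Run the dry run only on the SELinux-disabled kernel the thread is about: on an SELinux-enabled kernel the xattr handler reports `security.selinux` for every inode, so the listing would cover the whole filesystem and stripping it is not the fix being discussed.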



