From: Jarkko Sakkinen
Subject: Re: [PATCH] id: show SMACK security context
Date: Thu, 29 Aug 2013 12:18:22 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
Hi Casey,
On 08/28/2013 03:21 AM, Pádraig Brady wrote:
On 04/22/2013 02:09 PM, Jarkko Sakkinen wrote:
On Mon, Apr 22, 2013, at 13:15, Pádraig Brady wrote:
On 04/17/2013 09:30 PM, Jarkko Sakkinen wrote:
diff --git a/src/id.c b/src/id.c@@ -189,14 +199,17 @@ main (int argc, char **argv) and we're not in POSIXLY_CORRECT mode, get our context. Otherwise, leave the context variable alone - it has been initialized to an invalid value that will be not displayed in print_full_info(). */ - if (selinux_enabled - && n_ids == 0 + if (n_ids == 0 && (just_context || (default_format && ! getenv ("POSIXLY_CORRECT")))) { /* Report failure only if --context (-Z) was explicitly requested. */ - if (getcon (&context) && just_context) + if (selinux_enabled && getcon (&context) && just_context) + error (EXIT_FAILURE, 0, _("can't get process context")); +#ifdef HAVE_SMACK + else if (smack_enabled && smack_new_label_from_self ((char **) &context)) error (EXIT_FAILURE, 0, _("can't get process context")); +#endif
So smack defers to SELinux. In that case you probably don't want --with-smack above, and instead auto detect smack availability.
Well, actually you couldn't have SELinux and SMACK active in the kernel at the same time. Kernel can only have one LSM enabled at a time (and you cannot switch or disable LSM). So this essentially detects, which one is enabled in the kernel.
It seems like this will no longer be the case: https://lkml.org/lkml/2013/7/25/482
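Review bot: the added `else if (smack_enabled && smack_new_label_from_self ((char **) &context))` line in the quoted src/id.c hunk drops the `&& just_context` test that the SELinux line keeps, so a failed SMACK label lookup exits with "can't get process context" even in the default format, contradicting the comment directly above it ("Report failure only if --context (-Z) was explicitly requested"). Suggest adding `&& just_context` to that condition and comparing the return value against its failure value explicitly rather than relying on truthiness. Because it is an `else if`, the SMACK call is also reached whenever the first condition is false, including when `selinux_enabled` is set and `getcon (&context)` succeeded; if both flags can ever be true together, the second call would overwrite `context`, so the precedence between the two lookups should be made explicit. The `(char **)` cast on `&context` hides a type mismatch and deserves a short comment or a separate variable.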
Looks like your LSM stacker has been progressing. Do you have recommendations on how this should work together with coreutils? For example, what should ls show if we have both SELinux and SMACK enabled?
thanks, Pádraig.
/Jarkko