Detecting MLS mode

Moray Henderson Moray.Henderson at ict-software.org
Tue Mar 6 15:03:04 UTC 2012


> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: 05 March 2012 20:16
> 
> On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > Is there an easy way for a script to detect whether MLS mode is enabled?
> >
> > On CentOS 5 whether running normally or in Anaconda's rescue mode,
> > SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> > /etc/selinux/mls directory and cat /selinux/mls prints "1".
> >
> > However, with CentOS running normally a command to set a context works,
> > while from rescue mode the same command fails with "cannot setup default
> > context" unless I add an :s0 MLS piece.  That's fine when I'm doing things
> > manually, but I'd like a script to detect whether it's being run in an
> > environment that needs the :s0 added.  I don't want to just add :s0 all the
> > time, in case it's already there in the context string I'm trying to set.
> 
> Technically you should always provide the MLS piece if /selinux/mls is
> 1
> (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
> python).  The only reason you get away with not specifying it in
> multi-user mode is that mcstransd is running.

Thanks Stephen.  So if /selinux/mls is 1 a suitable way to fetch the full context of (say) everything in root whether we're in single or multi-user mode would be:

  # mcstransd translates the level away from %Z output, so append :s0 only when it is running
  SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
  # %Z prints each entry's security context; the suffix restores the MLS piece
  find / -maxdepth 1 -printf "%p:\t%Z${SUFFIX}\n"

It won't be run on a system that actually uses MLS, so I can get away with hardwiring the :s0.


Moray.
“To err is human; to purr, feline.”
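Following Stephen's point that the MLS field belongs on every context whenever /selinux/mls reads 1, here is an added shell example (not from either poster) that reads that flag and adds or strips the level so a script never double-appends :s0 on a context that already carries one. It assumes selinuxfs at /selinux as in the thread (overridable via SELINUXFS) and that ps -C is available.

```shell
#!/bin/sh
# Added example, not part of the thread. Mount point assumed from the
# thread; newer kernels use /sys/fs/selinux instead.
SELINUXFS="${SELINUXFS:-/selinux}"

# Shell equivalent of is_selinux_mls_enabled(): true when the MLS flag is 1.
selinux_mls_enabled() {
    [ -r "$SELINUXFS/mls" ] && [ "$(cat "$SELINUXFS/mls")" = "1" ]
}

# True when mcstransd is running (it is what hides the level in normal mode).
mcstransd_running() {
    ps -C mcstransd >/dev/null 2>&1
}

# Usage: ensure_mls_suffix CONTEXT [LEVEL]
# A context is user:role:type[:level]; the level itself may contain colons
# (e.g. s0:c0.c1023), so only the presence of a fourth field is checked.
ensure_mls_suffix() {
    ctx=$1
    level=${2:-s0}
    rest=${ctx#*:}; rest=${rest#*:}      # drop user and role
    case $rest in
        *:*) printf '%s\n' "$ctx" ;;                 # level already present
        *)   printf '%s:%s\n' "$ctx" "$level" ;;     # append the level
    esac
}

# Usage: strip_mls_suffix CONTEXT -> user:role:type only.
strip_mls_suffix() {
    printf '%s\n' "$1" | cut -d: -f1-3
}

# Returns the context string suitable for chcon/setfiles on this policy:
# with a level when MLS is enabled, without one otherwise.
normalize_context() {
    if selinux_mls_enabled; then
        ensure_mls_suffix "$1" "${2:-s0}"
    else
        strip_mls_suffix "$1"
    fi
}

# Demo on a constructed context; runs without SELinux present.
normalize_context system_u:object_r:root_t
```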
