Re: [PATCH] id: show SMACK security context
From: Pádraig Brady
Subject: Re: [PATCH] id: show SMACK security context
Date: Wed, 28 Aug 2013 01:21:37 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 04/22/2013 02:09 PM, Jarkko Sakkinen wrote:
> On Mon, Apr 22, 2013, at 13:15, Pádraig Brady wrote:
>> On 04/17/2013 09:30 PM, Jarkko Sakkinen wrote:
>>> diff --git a/src/id.c b/src/id.c
>>> @@ -189,14 +199,17 @@ main (int argc, char **argv)
>>> and we're not in POSIXLY_CORRECT mode, get our context. Otherwise,
>>> leave the context variable alone - it has been initialized to an
>>> invalid value that will be not displayed in print_full_info(). */
>>> - if (selinux_enabled
>>> - && n_ids == 0
>>> + if (n_ids == 0
>>> && (just_context
>>> || (default_format && ! getenv ("POSIXLY_CORRECT"))))
>>> {
>>> /* Report failure only if --context (-Z) was explicitly requested.
>>> */
>>> - if (getcon (&context) && just_context)
>>> + if (selinux_enabled && getcon (&context) && just_context)
>>> + error (EXIT_FAILURE, 0, _("can't get process context"));
>>> +#ifdef HAVE_SMACK
>>> + else if (smack_enabled && smack_new_label_from_self ((char **)
>>> &context))
>>> error (EXIT_FAILURE, 0, _("can't get process context"));
>>> +#endif
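Review bot: The SMACK condition in the `else if` does not test just_context, so a failing smack_new_label_from_self makes a plain `id` exit with EXIT_FAILURE, which contradicts the comment directly above it ("Report failure only if --context (-Z) was explicitly requested") and differs from the SELinux path. Suggest adding `&& just_context` to that condition. Separately, the first condition is false whenever getcon succeeds, so control reaches the `else if` even after context has been filled in; if selinux_enabled and smack_enabled were ever both set, the SMACK call would overwrite context. Selecting the backend first (`if (selinux_enabled) ... else if (smack_enabled) ...`) and checking the call result inside each arm would avoid that. The `(char **) &context` cast also deserves a short comment explaining why the two context types can share one variable.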
>>
>> So smack defers to SELinux.
>> In that case you probably don't want --with-smack above,
>> and instead auto detect smack availability.
>
> Well, actually you couldn't have SELinux and SMACK active in the
> kernel at the same time. Kernel can only have one LSM enabled at
> a time (and you cannot switch or disable LSM). So this essentially
> detects which one is enabled in the kernel.
It seems like this will no longer be the case:
https://lkml.org/lkml/2013/7/25/482
thanks,
Pádraig.