fix can't use empty str as label in some old kernels #50
@@ -101,9 +101,17 @@ func FormatMountLabel(src, mountLabel string) string { | |
// SetProcessLabel takes a process label and tells the kernel to assign the | ||
// label to the next program executed by the current process. | ||
func SetProcessLabel(processLabel string) error { | ||
if processLabel == "" && selinux.GetEnabled() { | ||
processLabel = "unconfined_u:unconfined_r:unconfined_t:s0" | ||
} | ||
return selinux.SetExecLabel(processLabel) | ||
} | ||
|
||
// ClearProcessLabel is to clear process's label | ||
func ClearProcessLabel() error { | ||
return selinux.SetExecLabel("unconfined_u:unconfined_r:unconfined_t:s0") | ||
No, we don't hard-code any labels in the library. ClearProcessLabel sets the label to "", which tells the kernel to use default labeling.
} | ||
|
||
// SetSocketLabel takes a process label and tells the kernel to assign the | ||
// label to the next socket that gets created | ||
func SetSocketLabel(processLabel string) error { | ||
|
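Review bot: Hard-coding "unconfined_u:unconfined_r:unconfined_t:s0" in SetProcessLabel and ClearProcessLabel changes the library's semantics instead of working around the old-kernel failure named in the title: an empty label is valid and tells the kernel to use default labeling, so substituting a fixed, policy-specific context whenever `selinux.GetEnabled()` is true forces that one context on every system, not only on the kernels where "" fails. The ClearProcessLabel doc comment ("is to clear process's label") also no longer matches a body that sets a concrete label. Suggest keeping `return selinux.SetExecLabel(processLabel)` with "" passed through, using `return selinux.SetExecLabel("")` in ClearProcessLabel, and dealing with the failing empty write by inspecting the returned error rather than by substituting a label.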
@@ -118,9 +126,17 @@ func SocketLabel() (string, error) { | |
// SetKeyLabel takes a process label and tells the kernel to assign the | ||
// label to the next kernel keyring that gets created | ||
func SetKeyLabel(processLabel string) error { | ||
if processLabel == "" && selinux.GetEnabled() { | ||
processLabel = "unconfined_u:unconfined_r:unconfined_t:s0" | ||
Wrong, see above.
} | ||
return selinux.SetKeyLabel(processLabel) | ||
} | ||
|
||
// ClearKeyLabel is to clear key label | ||
func ClearKeyLabel() error { | ||
return selinux.SetKeyLabel("unconfined_u:unconfined_r:unconfined_t:s0") | ||
Wrong.
} | ||
|
||
// KeyLabel retrieves the current default kernel keyring label setting | ||
func KeyLabel() (string, error) { | ||
return selinux.KeyLabel() | ||
|
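Review bot: Same problem as the process-label hunk: the new `processLabel == "" && selinux.GetEnabled()` branch in SetKeyLabel and the literal in ClearKeyLabel hard-code a policy-specific context where "" (default labeling) is the intended value, and the ClearKeyLabel comment "is to clear key label" describes behaviour the body no longer has. Suggest passing processLabel through unchanged and calling `selinux.SetKeyLabel("")` in ClearKeyLabel; if the empty write needs an old-kernel workaround at all, it belongs in one place in the underlying selinux package rather than duplicated in each label wrapper.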
@rhatdan Does it make sense?
Or after failure with "", then we try "unconfined_u:unconfined_r:unconfined_t:s0" next?
No, we should not hard-code this label. "" is a valid label.
It tells the library to reset the kernel to use default labeling.