libselinux: fix selinux_restorecon() on non-SELinux hosts

The kernel only supports seclabel if it is >= 2.6.30 _and_ SELinux is enabled, since seclabel is generated by SELinux based partly on policy (e.g. is the filesystem type configured in policy with a labeling behavior that supports userspace labeling). For some reason, when this logic was moved from setfiles to libselinux, the test of whether SELinux was enabled was dropped. Restore it. This is necessary to enable use of setfiles on non-SELinux hosts without requiring explicit use of the -m option. Fixes: 602347c ("policycoreutils: setfiles - Modify to use selinux_restorecon") Reported-by: sajjad ahmed <[email protected]> Signed-off-by: Stephen Smalley <[email protected]> Cc: Richard Haines <[email protected]> Reported-by: sajjad ahmed <<a href="mailto:[email protected]" target="_blank">[email protected]</a>><br> Signed-off-by: Stephen Smalley <<a href="mailto:[email protected]" target="_blank">[email protected]</a>><br>
UntoSten · Feb 20, 2019 · 6b89b1f · 6b89b1f
1 parent 60a9285
commit 6b89b1f
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
@@ -242,6 +242,8 @@ static int exclude_non_seclabel_mounts(void)
 	/* Check to see if the kernel supports seclabel */
 	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
 		return 0;
+	if (is_selinux_enabled() <= 0)
+		return 0;
 
 	fp = fopen("/proc/mounts", "re");
 	if (!fp)