/etc/rc.sysinit: restorecon being run even when selinux disabled
Robert P. J. Day
rpjday at mindspring.com
Mon Nov 29 21:47:52 UTC 2004
this might be irrelevant, but in FC3's /etc/rc.sysinit, right near
the top, there's some shell code that handles selinux:
=====
# Check SELinux status
selinuxfs=`awk '/ selinuxfs / { print $2 }' /proc/mounts`
SELINUX=
if [ -n "$selinuxfs" ] && [ "`cat /proc/self/attr/current`" != "kernel" ]; then
    if [ -r $selinuxfs/enforce ] ; then
        SELINUX=`cat $selinuxfs/enforce`
    else
        # assume enforcing if you can't read it
        SELINUX=1
    fi
fi
=====
so far, so good. if selinux is disabled, i'm assuming there won't
be any entry with "selinuxfs" in the output of /proc/mounts. but the
very next check is:
=====
if [ -x /sbin/restorecon ] && LC_ALL=C fgrep -q " /dev " /proc/mounts ; then
    /sbin/restorecon -R /dev 2>/dev/null
fi
=====
which will *apparently* be run regardless of whether or not selinux is
enabled. if selinux is disabled, is there any point in even
checking whether or not to run restorecon? (from what i read, the
"restorecon" program is clearly related to selinux.)
rday
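
The gating the post asks about, as an added example that is not part of the original message or of FC3's rc.sysinit: the status check and the /dev relabel decision written as functions so they can be run against stand-in files. The function names (`selinux_state`, `dev_needs_relabel`, `make_fixture`) are hypothetical and the fixture contents are constructed.

```shell
#!/bin/sh
# Added example: not taken from /etc/rc.sysinit. Function names are hypothetical.
# File paths are parameters so the logic can be run against constructed files.

# selinux_state MOUNTS CURRENT_ATTR -> prints disabled | permissive | enforcing
selinux_state() {
    mounts=$1 attr=$2
    # Mount point of selinuxfs (field 3 of a mounts line is the fs type).
    fs=$(awk '$3 == "selinuxfs" { print $2; exit }' "$mounts")
    [ -n "$fs" ] || { echo disabled; return 0; }
    # The quoted code treats a "kernel" context as SELinux not being active.
    [ "$(cat "$attr" 2>/dev/null)" != kernel ] || { echo disabled; return 0; }
    if [ -r "$fs/enforce" ]; then
        if [ "$(cat "$fs/enforce")" = 1 ]; then echo enforcing; else echo permissive; fi
    else
        echo enforcing    # assume enforcing if it cannot be read, as the original does
    fi
}

# dev_needs_relabel MOUNTS CURRENT_ATTR
# Succeeds only when SELinux is active AND /dev is a separate mount.
dev_needs_relabel() {
    [ "$(selinux_state "$1" "$2")" != disabled ] &&
        LC_ALL=C grep -Fq " /dev " "$1"
}

# make_fixture DIR SELINUXFS(yes|no) ENFORCE: constructed stand-in for /proc
make_fixture() {
    mkdir -p "$1/selinux"
    printf '%s\n' "$3" > "$1/selinux/enforce"
    printf 'user_u:system_r:unconfined_t\n' > "$1/current"   # constructed context
    {
        echo "rootfs / rootfs rw 0 0"
        echo "none /dev tmpfs rw 0 0"
        if [ "$2" = yes ]; then echo "none $1/selinux selinuxfs rw 0 0"; fi
    } > "$1/mounts"
}

# Demo on constructed input: no selinuxfs mount, so the relabel is skipped.
d=$(mktemp -d)
make_fixture "$d" no 0
echo "state: $(selinux_state "$d/mounts" "$d/current")"
if dev_needs_relabel "$d/mounts" "$d/current"; then echo "would relabel /dev"
else echo "would skip restorecon"; fi
rm -rf "$d"
```

In a boot script the call would read `dev_needs_relabel /proc/mounts /proc/self/attr/current`, placed in front of the existing `[ -x /sbin/restorecon ]` test.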