mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-12-08 02:51:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: mount selinuxfs only when SELinux is enabled

Browse Source 
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.

Fixes #10083

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
This commit is contained in:
Dmitry Sharshakov 2025-01-03 13:11:46 +01:00 committed by Dmitriy Matrenichev
parent 5ccbf4bcdb
commit ae6d065beb
No known key found for this signature in database
GPG Key ID: 94B473337258BFD5
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
internal/pkg/mount/v2/pseudo.go
View File

@ -9,6 +9,7 @@ import (
"golang.org/x/sys/unix"
"github.com/siderolabs/talos/internal/pkg/selinux"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
@ -49,8 +50,8 @@ func PseudoSubMountPoints() Points {
)
}
if _, err := os.Stat("/sys/fs/selinux"); err == nil {
// mount selinuxfs if it exists
if selinux.IsEnabled() {
// mount selinuxfs if it is enabled, which implies SELinux is the major LSM
points = append(points,
NewPoint("selinuxfs", "/sys/fs/selinux", "selinuxfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME)),
)