[LTP] [PATCH v4 1/2] core: add tst_selinux_enabled() utility

Stephen Smalley stephen.smalley.work@gmail.com
Tue Jul 22 15:18:07 CEST 2025 

On Tue, Jul 22, 2025 at 8:06 AM Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi Andrea, all,
>
> [ Cc Stephen, the fix author in case I'm wrong with reproducing on enforcing=0 ]
>
> > Add tst_selinux_enabled() utility in tst_security.h in order to verify
> > if SELinux is currently up and running in the system.
> ...
> > +int tst_selinux_enabled(void)
> > +{
> > +     int res = 0;
> > +
> > +     if (tst_is_mounted(SELINUX_PATH))
> > +             res = 1;
>
> I was wondering if it the test require enforcing or not therefore I retested it
> and it's really reproducible with permissive mode, i.e. with kernel command line
> security=selinux selinux=1 enforcing=0
>
> Because if enforcing was required, I would be for using tst_selinux_enforcing(),
> which checks /sys/fs/selinux/enforce for 1 as Wei suggested in v3:
>
> https://lore.kernel.org/ltp/aHf839WS0BPIa5Zq@MiWiFi-CR6608-srv/
>
> @Cyril @Andrea, just checking if /sys/fs/selinux/enforce exists would be faster
> than looping /proc/mounts (via tst_is_mounted(SELINUX_PATH)). Can we just modify
> the patch?

Not sure if I have the full context, but modern libselinux has this
for is_selinux_enabled():

int is_selinux_enabled(void)
{
        /* init_selinuxmnt() gets called before this function. We
         * will assume that if a selinux file system is mounted, then
         * selinux is enabled. */
#ifdef ANDROID
        return (selinux_mnt ? 1 : 0);
#else
        return (selinux_mnt && has_selinux_config);
#endif
}

And init_selinuxmnt(), a constructor for libselinux, does this:

static void init_selinuxmnt(void)
{
        char *buf = NULL, *p;
        FILE *fp = NULL;
        size_t len;
        ssize_t num;

        if (selinux_mnt)
                return;

        if (verify_selinuxmnt(SELINUXMNT) == 0) return;

        if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;

        /* Drop back to detecting it the long way. */
        if (!selinuxfs_exists())
                goto out;
...

So in the common case we don't need to check /proc/mounts or
/proc/filesystems, only if we don't find selinuxfs on one of the
expected mount directories (/sys/fs/selinux or /selinux).

>
> Kind regards,
> Petr
>
> +++ lib/tst_security.c
> @@ -107,7 +107,7 @@ int tst_selinux_enabled(void)
>  {
>         int res = 0;
>
> -       if (tst_is_mounted(SELINUX_PATH))
> +       if (access(SELINUX_STATUS_PATH, F_OK) == 0)
>                 res = 1;
>
>         tst_res(TINFO, "SELinux enabled: %s", res ? "yes" : "no");

More information about the ltp mailing list