[LTP] [PATCH v4 1/2] core: add tst_selinux_enabled() utility

Stephen Smalley stephen.smalley.work@gmail.com
Tue Jul 22 15:48:30 CEST 2025 

On Tue, Jul 22, 2025 at 9:42 AM Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi Stephen, all,
>
> > On Tue, Jul 22, 2025 at 9:18 AM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
>
> > > On Tue, Jul 22, 2025 at 8:06 AM Petr Vorel <pvorel@suse.cz> wrote:
>
> > > > Hi Andrea, all,
>
> > > > [ Cc Stephen, the fix author in case I'm wrong with reproducing on enforcing=0 ]
>
> > > > > Add tst_selinux_enabled() utility in tst_security.h in order to verify
> > > > > if SELinux is currently up and running in the system.
> > > > ...
> > > > > +int tst_selinux_enabled(void)
> > > > > +{
> > > > > +     int res = 0;
> > > > > +
> > > > > +     if (tst_is_mounted(SELINUX_PATH))
> > > > > +             res = 1;
>
> > > > I was wondering if it the test require enforcing or not therefore I retested it
> > > > and it's really reproducible with permissive mode, i.e. with kernel command line
> > > > security=selinux selinux=1 enforcing=0
>
> > > > Because if enforcing was required, I would be for using tst_selinux_enforcing(),
> > > > which checks /sys/fs/selinux/enforce for 1 as Wei suggested in v3:
>
> > > > https://lore.kernel.org/ltp/aHf839WS0BPIa5Zq@MiWiFi-CR6608-srv/
>
> > > > @Cyril @Andrea, just checking if /sys/fs/selinux/enforce exists would be faster
> > > > than looping /proc/mounts (via tst_is_mounted(SELINUX_PATH)). Can we just modify
> > > > the patch?
>
> > > Not sure if I have the full context, but modern libselinux has this
> > > for is_selinux_enabled():
>
> > > int is_selinux_enabled(void)
> > > {
> > >         /* init_selinuxmnt() gets called before this function. We
> > >          * will assume that if a selinux file system is mounted, then
> > >          * selinux is enabled. */
> > > #ifdef ANDROID
> > >         return (selinux_mnt ? 1 : 0);
> > > #else
> > >         return (selinux_mnt && has_selinux_config);
> > > #endif
> > > }
>
> Thanks for your points.  Yes, we also looked into selinux sources how
> selinux_mnt is assigned.
>
> FYI (probably obvious) we don't want to use libselinux to keep LTP dependencies
> minimal. Also, we don't really need that precise checks as detecting properly in
> chroot etc which is in the libselinux (in selinux_init_load_policy()). IMHO my
> suggestion for checking if /sys/fs/selinux/enforce exists (for enabled SELinux
> regardless if enforcing or permissive) or whether the value is 1 (for enabled
> SELinux enforcement) is enough.

I guess my only question here is whether the tests all require SELinux
to be enforcing or if some of them are just exercising SELinux
functionality that would also pass when permissive. And whether you
care about testing that case.

>
> > > And init_selinuxmnt(), a constructor for libselinux, does this:
>
> > > static void init_selinuxmnt(void)
> > > {
> > >         char *buf = NULL, *p;
> > >         FILE *fp = NULL;
> > >         size_t len;
> > >         ssize_t num;
>
> > >         if (selinux_mnt)
> > >                 return;
>
> > >         if (verify_selinuxmnt(SELINUXMNT) == 0) return;
>
> > >         if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
>
> > >         /* Drop back to detecting it the long way. */
> > >         if (!selinuxfs_exists())
> > >                 goto out;
> > > ...
>
> > > So in the common case we don't need to check /proc/mounts or
> > > /proc/filesystems, only if we don't find selinuxfs on one of the
> > > expected mount directories (/sys/fs/selinux or /selinux).
>
> > Also, for reference, verify_selinuxmnt() is as follows:
>
> > static int verify_selinuxmnt(const char *mnt)
> > {
> >         struct statfs sfbuf;
> >         int rc;
>
> >         do {
> >                 rc = statfs(mnt, &sfbuf);
> >         } while (rc < 0 && errno == EINTR);
> >         if (rc == 0) {
> >                 if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
> >                         struct statvfs vfsbuf;
> >                         rc = statvfs(mnt, &vfsbuf);
> >                         if (rc == 0) {
> >                                 if (!(vfsbuf.f_flag & ST_RDONLY)) {
> >                                         set_selinuxmnt(mnt);
> >                                 }
> >                                 return 0;
> >                         }
> >                 }
> >         }
>
> >         return -1;
> > }
>
> Interesting, I was not aware of SELINUX_MAGIC.
>
> For me was more informative how the setup works to see selinux_init_load_policy()
>
> https://github.com/SELinuxProject/selinux/tree/main/libselinux/src/load_policy.c
>
> Kind regards,
> Petr
> ...

More information about the ltp mailing list