author | Topi Miettinen <toiwoton@gmail.com> | 2020-02-18 20:38:00 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-02-22 08:27:24 +0000 |
commit | 1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e (patch) | |
tree | 415eb19d90e2ed1de7236c784c1e28d3acfbcaab /configure | |
parent | Whitelist more /usr/share for okular and others (diff) | |
download | firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.gz firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.zst firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.zip |
Add support for SELinux labeling
Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin`
shows that the SELinux labels are not correct:
```
user_u:object_r:user_tmpfs_t:s0 .
system_u:object_r:usr_t:s0 ..
user_u:object_r:user_tmpfs_t:s0 bash
user_u:object_r:user_tmpfs_t:s0 ls
```
After fixing this:
```
system_u:object_r:bin_t:s0 .
system_u:object_r:usr_t:s0 ..
system_u:object_r:shell_exec_t:s0 bash
system_u:object_r:bin_t:s0 ls
```
Most copied files and created directories should now have correct
labels (bind mounted objects keep their labels). This is useful to
avoid having to change the SELinux rules when using Firejail.
Diffstat (limited to 'configure')
-rwxr-xr-x | configure | 18 |
1 files changed, 18 insertions, 0 deletions
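--- a/configure
+++ b/configure
@@ -628,6 +628,7 @@ HAVE_SECCOMP_H
 EGREP
 GREP
 CPP
+HAVE_SELINUX
 HAVE_CONTRIB_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
@@ -721,6 +722,7 @@ enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
 enable_contrib_install
+enable_selinux
 '
 ac_precious_vars='build_alias
 host_alias
@@ -1365,6 +1367,7 @@ Optional Features:
 --enable-gcov Gcov instrumentation
 --enable-contrib-install
 install contrib scripts
+--enable-selinux SELinux labeling support
 
 Some influential environment variables:
 CC C compiler command
@@ -3695,6 +3698,20 @@ else
 fi
 
 
+HAVE_SELINUX=""
+# Check whether --enable-selinux was given.
+if test "${enable_selinux+set}" = set; then :
+enableval=$enable_selinux;
+fi
+
+if test "x$enable_selinux" = "xyes"; then :
+
+HAVE_SELINUX="-DHAVE_SELINUX"
+EXTRA_LDFLAGS+=" -lselinux "
+
+
+fi
+
 # checking pthread library
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
 $as_echo_n "checking for main in -lpthread... " >&6; }
@@ -5364,5 +5381,6 @@ echo " EXTRA_CFLAGS: $EXTRA_CFLAGS"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " Gcov instrumentation: $HAVE_GCOV"
 echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL"
+echo " SELinux labeling support: $HAVE_SELINUX"
 echo " Install as a SUID executable: $HAVE_SUID"
 echo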
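Review bot: `EXTRA_LDFLAGS+=" -lselinux "` at new line 3710 in the fourth hunk uses the bash-only `+=` string append; if configure ends up running under a POSIX /bin/sh such as dash, that line is parsed as a command named `EXTRA_LDFLAGS+=`, prints a not-found error and leaves the linker flag unset, so the portable form is `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"`. Because configure is autoconf output, the correction belongs in the configure.ac it was generated from, which is outside this diff. Unlike the pthread probe that immediately follows the new block, `--enable-selinux` never checks that libselinux is actually installed, so a missing library only shows up later as a link error rather than a configure-time message; an AC_CHECK_LIB probe, or at least an AC_MSG_ERROR when the option is enabled without the library, would make that failure explicit.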