From: Xiaoguang Li lixiaoguang2@huawei.com
Background: SELinux has three statuses: disabled, permissive, and enforcing. If SELinux is not disabled, it configures the rules using `/etc/selinux/targeted`. However, because of the non-existent rules in `/etc/selinux/targeted`, the security label of processes read from `/proc/<pid>/attr/current` is `kernel` instead of `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`. This results in the failure of criu dumping.
Conflict:NA
Reference:https://gitee.com/src-openeuler/criu/pulls/21
Signed-off-by: lixiaoguang2 lixiaoguang2@huawei.com
Signed-off-by: fu.lin fu.lin10@huawei.com
---
 criu/lsm.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/criu/lsm.c b/criu/lsm.c index 7cc3604..6713ca7 100644 --- a/criu/lsm.c +++ b/criu/lsm.c @@ -78,12 +78,22 @@ static int selinux_get_label(pid_t pid, char **output) if (!*output) goto err;
+ pos = (char*)ctx; + /* + * If the SElinux context is not configured, the label maybe look like + * this: + * "kernel" + */ + if (!strstr(pos, ":")) { + ret = 0; + goto err; + } + /* * Make sure it is a valid SELinux label. It should look like this: * * unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 */ - pos = (char*)ctx; for (i = 0; i < 3; i++) { pos = strstr(pos, ":"); if (!pos) {
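Review bot: The new check `if (!strstr(pos, ":"))` returns success for any label that contains no colon, not only the `kernel` label the comment describes, so a malformed colon-free label that previously took the `if (!pos)` branch of the validation loop below now passes silently. Compare against the expected value instead (for example `strcmp(pos, "kernel") == 0`) and let every other colon-free string fall through to the existing validation. The early exit also leaves through `err` with `ret = 0` after the `if (!*output)` check has passed, so `*output` is non-NULL on this path; state in the comment whether the caller is meant to receive that label, or release `*output` and set it to NULL before the jump, and consider a separate label for a success return rather than `err`. Minor: the comment should read "SELinux" and "may look like", and `strchr(pos, ':')` is the usual call for a single-character search.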