diff --git a/src/cp.c b/src/cp.c index a0ec06714..da3f6a8a7 100644 --- a/src/cp.c +++ b/src/cp.c @@ -993,7 +993,7 @@ main (int argc, char **argv) atexit (close_stdin); - selinux_enabled = (0 < is_selinux_enabled ()); + selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0); cp_option_init (&x); while ((c = getopt_long (argc, argv, "abdfHilLnprst:uvxPRS:TZ", @@ -1174,7 +1174,7 @@ main (int argc, char **argv) { error (0, 0, _("warning: ignoring --context; " - "it requires an SELinux-enabled kernel")); + "it requires an SELinux-enabled kernel and root access")); } break; @@ -1253,7 +1253,7 @@ main (int argc, char **argv) if (x.require_preserve_context && ! selinux_enabled) error (EXIT_FAILURE, 0, _("cannot preserve security context " - "without an SELinux-enabled kernel")); + "without an SELinux-enabled kernel and root access")); /* FIXME: This handles new files. But what about existing files? I.e., if updating a tree, new files would have the specified context, diff --git a/src/install.c b/src/install.c index b3b26abdb..11caa873b 100644 --- a/src/install.c +++ b/src/install.c @@ -325,6 +325,10 @@ setdefaultfilecon (char const *file) struct stat st; char *scontext_raw = nullptr; + /* NOTE: Return early, before `install`'s selinux logic, + * because we do not have suitable workaround for it */ + return; + if (selinux_enabled != 1) { /* Indicate no context found. */ @@ -789,7 +793,7 @@ main (int argc, char **argv) bool strip_program_specified = false; char const *scontext = nullptr; /* set iff kernel has extra selinux system calls */ - selinux_enabled = (0 < is_selinux_enabled ()); + selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0); initialize_main (&argc, &argv); set_program_name (argv[0]); @@ -876,7 +880,7 @@ main (int argc, char **argv) if (! selinux_enabled) { error (0, 0, _("WARNING: ignoring --preserve-context; " - "this kernel is not SELinux-enabled")); + "this kernel is not SELinux-enabled, or you are using Termux and not running as root")); break; } x.preserve_security_context = true; @@ -902,7 +906,7 @@ main (int argc, char **argv) { error (0, 0, _("warning: ignoring --context; " - "it requires an SELinux-enabled kernel")); + "it requires an SELinux-enabled kernel and root access")); } break; case_GETOPT_HELP_CHAR; diff --git a/src/mkdir.c b/src/mkdir.c index df4c81976..7225c21b7 100644 --- a/src/mkdir.c +++ b/src/mkdir.c @@ -228,7 +228,7 @@ main (int argc, char **argv) /* We don't yet support -Z to restore context with SMACK. */ scontext = optarg; } - else if (is_selinux_enabled () > 0) + else if (is_selinux_enabled () > 0 && geteuid () == 0) { if (optarg) scontext = optarg; @@ -244,7 +244,7 @@ main (int argc, char **argv) { error (0, 0, _("warning: ignoring --context; " - "it requires an SELinux/SMACK-enabled kernel")); + "it requires an SELinux/SMACK-enabled kernel and root access")); } break; case_GETOPT_HELP_CHAR; diff --git a/src/mkfifo.c b/src/mkfifo.c index 52bfa566a..fad605386 100644 --- a/src/mkfifo.c +++ b/src/mkfifo.c @@ -102,7 +102,7 @@ main (int argc, char **argv) /* We don't yet support -Z to restore context with SMACK. */ scontext = optarg; } - else if (is_selinux_enabled () > 0) + else if (is_selinux_enabled () > 0 && geteuid () == 0) { if (optarg) scontext = optarg; @@ -118,7 +118,7 @@ main (int argc, char **argv) { error (0, 0, _("warning: ignoring --context; " - "it requires an SELinux/SMACK-enabled kernel")); + "it requires an SELinux/SMACK-enabled kernel and root access")); } break; case_GETOPT_HELP_CHAR; diff --git a/src/mknod.c b/src/mknod.c index 6bfa0f7f7..6ff36f21c 100644 --- a/src/mknod.c +++ b/src/mknod.c @@ -119,7 +119,7 @@ main (int argc, char **argv) /* We don't yet support -Z to restore context with SMACK. */ scontext = optarg; } - else if (is_selinux_enabled () > 0) + else if (is_selinux_enabled () > 0 && geteuid () == 0) { if (optarg) scontext = optarg; @@ -135,7 +135,7 @@ main (int argc, char **argv) { error (0, 0, _("warning: ignoring --context; " - "it requires an SELinux/SMACK-enabled kernel")); + "it requires an SELinux/SMACK-enabled kernel and root access")); } break; case_GETOPT_HELP_CHAR; diff --git a/src/mv.c b/src/mv.c index cf1ac56e8..4b68574e0 100644 --- a/src/mv.c +++ b/src/mv.c @@ -120,7 +120,7 @@ rm_option_init (struct rm_options *x) static void cp_option_init (struct cp_options *x) { - bool selinux_enabled = (0 < is_selinux_enabled ()); + bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0); cp_options_default (x); x->copy_as_regular = false; /* FIXME: maybe make this an option */ @@ -326,7 +326,7 @@ main (int argc, char **argv) bool no_target_directory = false; int n_files; char **file; - bool selinux_enabled = (0 < is_selinux_enabled ()); + bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0); initialize_main (&argc, &argv); set_program_name (argv[0]); diff --git a/src/runcon.c b/src/runcon.c index 32c419427..b62538a41 100644 --- a/src/runcon.c +++ b/src/runcon.c @@ -190,8 +190,8 @@ main (int argc, char **argv) usage (EXIT_CANCELED); } - if (is_selinux_enabled () != 1) - error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel"), + if (is_selinux_enabled () != 1 || geteuid () != 0) + error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel and must be run as root"), program_name); if (context)