Merge pull request #192 from badochov/is_selinux_mls_enabled

Adds MLSEnabled function.
opencontainers · Oct 21, 2022 · 41ff4c2 · 41ff4c2
2 parents 9832127 + d592efa
commit 41ff4c2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/go-selinux/selinux.go b/go-selinux/selinux.go
@@ -213,6 +213,11 @@ func ReserveLabel(label string) {
 	reserveLabel(label)
 }
 
+// MLSEnabled checks if MLS is enabled.
+func MLSEnabled() bool {
+	return isMLSEnabled()
+}
+
 // EnforceMode returns the current SELinux mode Enforcing, Permissive, Disabled
 func EnforceMode() int {
 	return enforceMode()

diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
@@ -781,6 +781,15 @@ func selinuxEnforcePath() string {
 	return filepath.Join(getSelinuxMountPoint(), "enforce")
 }
 
+// isMLSEnabled checks if MLS is enabled.
+func isMLSEnabled() bool {
+	enabledB, err := os.ReadFile(filepath.Join(getSelinuxMountPoint(), "mls"))
+	if err != nil {
+		return false
+	}
+	return bytes.Equal(enabledB, []byte{'1'})
+}
+
 // enforceMode returns the current SELinux mode Enforcing, Permissive, Disabled
 func enforceMode() int {
 	var enforce int

diff --git a/go-selinux/selinux_stub.go b/go-selinux/selinux_stub.go
@@ -95,6 +95,10 @@ func clearLabels() {
 func reserveLabel(label string) {
 }
 
+func isMLSEnabled() bool {
+	return false
+}
+
 func enforceMode() int {
 	return Disabled
 }