2006-02-22 19:31:11

by Stephen Smalley

Subject: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded

This patch disables the automatic labeling of new inodes on disk
when no policy is loaded. Please apply.

Signed-off-by: Stephen Smalley <[email protected]>
Acked-by: James Morris <[email protected]>

---

security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16-rc4-mm1/security/selinux/hooks.c 2006-02-21 14:39:53.000000000 -0500
+++ linux-2.6.16-rc4-mm1-x/security/selinux/hooks.c 2006-02-21 14:43:32.000000000 -0500
@@ -1983,7 +1983,7 @@ static int selinux_inode_init_security(s

inode_security_set_sid(inode, newsid);

- if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
+ if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
return -EOPNOTSUPP;

if (name) {
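Review bot: the rationale for the new `!ss_initialized` test is missing from both the patch description and the code; the reply further down the thread explains it (no policy loaded, so the right on-disk label cannot be determined, while the in-memory SID set by the preceding `inode_security_set_sid(inode, newsid);` is kept), and that explanation belongs in the commit message and in a short comment above the condition, e.g. `/* No policy loaded: keep the in-memory SID but defer the on-disk label until a policy can choose it. */`. Two smaller points worth recording in the description as well: the function now returns `-EOPNOTSUPP` for every new inode until policy load, so callers must continue to treat that value as "no security xattr to write" rather than as an error, and `ss_initialized` is read here without any locking visible in the hunk, so a file created concurrently with the first policy load may land on either side of the check and will need the same relabel pass as files created before the load.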

--
Stephen Smalley
National Security Agency


2006-02-22 20:40:26

by Andrew Morton

Subject: Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded

Stephen Smalley <[email protected]> wrote:
>
> This patch disables the automatic labeling of new inodes on disk
> when no policy is loaded. Please apply.
>

What is the reason for this change, and what will its effects be?

2006-02-22 20:54:08

by Stephen Smalley

Subject: Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded

On Wed, 2006-02-22 at 12:39 -0800, Andrew Morton wrote:
> Stephen Smalley <[email protected]> wrote:
> >
> > This patch disables the automatic labeling of new inodes on disk
> > when no policy is loaded. Please apply.
> >
>
> What is the reason for this change, and what will its effects be?

Motivated by:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296

The effect is simply that if you boot with SELinux enabled but no policy
loaded and create a file in that state, SELinux won't try to set a
security extended attribute on the new inode on the disk. This is the
only sane behavior for SELinux in that state, as it cannot determine the
right label to assign in the absence of a policy. That state usually
doesn't occur, but the rawhide installer seemed to be misbehaving
temporarily so it happened to show up on a test install.

--
Stephen Smalley
National Security Agency

2006-02-22 20:55:06

by James Morris

Subject: Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded

On Wed, 22 Feb 2006, Andrew Morton wrote:

> Stephen Smalley <[email protected]> wrote:
> >
> > This patch disables the automatic labeling of new inodes on disk
> > when no policy is loaded. Please apply.
>
> What is the reason for this change, and what will its effects be?

Discussion is here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296

In short, we're changing the behavior so that when no policy is loaded,
SELinux does not label files at all. Currently it does add an 'unlabeled'
label in this case, which we've found causes problems later.

SELinux always maintains a safe internal label if there is none, so with
this patch, we just stick with that and wait until a policy is loaded
before adding a persistent label on disk.


- James
--
James Morris
<[email protected]>
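The two replies above describe the on-disk state this change produces: a file created while SELinux is enabled but no policy is loaded now has no `security.selinux` xattr at all (before the patch it carried an 'unlabeled' context), and it only gets a persistent label once a policy is loaded and the tree is relabeled. The following audit script is an added example, not code from the thread or from the SELinux project; it finds both kinds of leftovers so an administrator knows what to pass to `restorecon`. The sample entries are constructed, the context strings are assumed to be of the usual `user:role:type[:range]` form, and the check for `unlabeled_t` as the type of an 'unlabeled' context is an assumption about the policy in use.

```python
"""Audit a tree for files whose SELinux label is missing or 'unlabeled'.

Added example (not from the patch or the SELinux tree). classify_label() and
audit() are pure and work on (path, context) pairs, so they can be tested
offline; walk_labels() reads the real xattrs on a Linux host.
"""
import errno
import os
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

SELINUX_XATTR = "security.selinux"

# errno values meaning "this inode simply has no such xattr" (assumption: the
# exact set depends on the filesystem; ENOTSUP covers filesystems without xattrs)
_NO_LABEL_ERRNOS = {getattr(errno, n) for n in ("ENODATA", "ENOTSUP", "ENOATTR")
                    if hasattr(errno, n)}


def classify_label(context: Optional[str]) -> str:
    """Classify one inode's on-disk label.

    None            -> "missing":   no security.selinux xattr (what this patch
                                    produces for files created before policy load)
    type unlabeled_t -> "unlabeled": the pre-patch 'unlabeled' persistent label
    anything else   -> "labeled" or "malformed"
    """
    if context is None:
        return "missing"
    fields = context.split(":")
    if len(fields) < 3:          # user:role:type is the minimum; guard bad data
        return "malformed"
    if fields[2] == "unlabeled_t":   # assumption: name of the unlabeled type
        return "unlabeled"
    return "labeled"


def audit(entries: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group paths by classification; the keys are always present."""
    report: Dict[str, List[str]] = {
        "missing": [], "unlabeled": [], "malformed": [], "labeled": []}
    for path, ctx in entries:
        report[classify_label(ctx)].append(path)
    return report


def walk_labels(root: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (path, context-or-None) for every inode under root (Linux only)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
                ctx: Optional[str] = raw.decode("utf-8", "replace").rstrip("\0")
            except OSError as exc:
                if exc.errno in _NO_LABEL_ERRNOS:
                    ctx = None           # no persistent label on this inode
                else:
                    raise
            yield path, ctx


# Constructed sample: what a tree written partly before policy load might look like.
SAMPLE_ENTRIES: List[Tuple[str, Optional[str]]] = [
    ("/mnt/sysimage/etc/fstab", None),                                   # post-patch leftover
    ("/mnt/sysimage/etc/hosts", "system_u:object_r:unlabeled_t:s0"),     # pre-patch leftover
    ("/mnt/sysimage/etc/passwd", "system_u:object_r:passwd_file_t:s0"),  # properly labeled
    ("/mnt/sysimage/etc/broken", "garbage"),                             # corrupt xattr
]


def needs_relabel(report: Dict[str, List[str]]) -> List[str]:
    """Paths an administrator should hand to restorecon, in a stable order."""
    return sorted(report["missing"] + report["unlabeled"] + report["malformed"])


if __name__ == "__main__":
    import sys
    entries = walk_labels(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    rep = audit(entries)
    for bucket in ("missing", "unlabeled", "malformed"):
        for p in rep[bucket]:
            print(f"{bucket:9s} {p}")
    print(f"{len(needs_relabel(rep))} inode(s) need relabeling")
```

Run it with a directory argument on a Linux host to read real xattrs, or with no argument to see the constructed sample. Anything it reports as missing, unlabeled or malformed is what the relabel step after policy load has to fix; the labeled bucket is intentionally not printed because it is the expected state.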