authorDavid P. Quigley <dpquigl@tycho.nsa.gov>2009-01-16 09:22:04 -0500
committerJames Morris <jmorris@macbook.localdomain>2009-01-18 17:47:14 -0500
commitcd89596f0ccfa3ccb8a81ce47782231cf7ea7296 (patch)
treed91149851e14a21d1e535c325aa93ebd15130f51
parent11689d47f0957121920c9ec646eb5d838755853a (diff)
SELinux: Unify context mount and genfs behavior
Context mounts and genfs labeled file systems behave differently with respect to setting file system labels. This patch brings genfs labeled file systems in line with context mounts in that setxattr calls to them should return EOPNOTSUPP and fscreate calls will be ignored. Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@macbook.localdomain>
-rw-r--r--security/selinux/hooks.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1a9768a8b644..3bb4942e39cc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1613,7 +1613,7 @@ static int may_create(struct inode *dir,
1613 if (rc) 1613 if (rc)
1614 return rc; 1614 return rc;
1615 1615
1616 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { 1616 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1617 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); 1617 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1618 if (rc) 1618 if (rc)
1619 return rc; 1619 return rc;
@@ -2597,7 +2597,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2597 sid = tsec->sid; 2597 sid = tsec->sid;
2598 newsid = tsec->create_sid; 2598 newsid = tsec->create_sid;
2599 2599
2600 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { 2600 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
2601 rc = security_transition_sid(sid, dsec->sid, 2601 rc = security_transition_sid(sid, dsec->sid,
2602 inode_mode_to_security_class(inode->i_mode), 2602 inode_mode_to_security_class(inode->i_mode),
2603 &newsid); 2603 &newsid);
@@ -2619,7 +2619,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2619 isec->initialized = 1; 2619 isec->initialized = 1;
2620 } 2620 }
2621 2621
2622 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2622 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
2623 return -EOPNOTSUPP; 2623 return -EOPNOTSUPP;
2624 2624
2625 if (name) { 2625 if (name) {
@@ -2796,7 +2796,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2796 return selinux_inode_setotherxattr(dentry, name); 2796 return selinux_inode_setotherxattr(dentry, name);
2797 2797
2798 sbsec = inode->i_sb->s_security; 2798 sbsec = inode->i_sb->s_security;
2799 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 2799 if (!(sbsec->flags & SE_SBLABELSUPP))
2800 return -EOPNOTSUPP; 2800 return -EOPNOTSUPP;
2801 2801
2802 if (!is_owner_or_cap(inode)) 2802 if (!is_owner_or_cap(inode))
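Review bot: All four rewritten conditions (in may_create, twice in selinux_inode_init_security, and in selinux_inode_setxattr) now depend on SE_SBLABELSUPP being set in sbsec->flags, and nothing in this diff defines or sets that bit, so the place that sets it should be reviewed together with these checks. The test is now a positive capability bit rather than a comparison against one behavior value, so any superblock whose flags were never populated is treated as not supporting labels: setxattr on the SELinux attribute returns -EOPNOTSUPP, and a task's create_sid is silently replaced by the security_transition_sid() result. That default is the conservative one, but the silent fscreate override deserves a comment at the may_create and selinux_inode_init_security sites, for example `/* fs cannot store per-file labels: ignore fscreate and use the computed transition SID */`. Since the same expression is repeated four times, a small static helper taking sbsec would keep the sites from drifting apart. All three functions begin and end outside the hunks shown, so this is based only on the visible lines.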