selinux: allow MLS->non-MLS and vice versa upon policy reload

Allow runtime switching between different policy types (e.g. from a MLS/MCS policy to a non-MLS/non-MCS policy or viceversa). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Guido Trentalancia <guido@trentalancia.com> 2010-02-03 10:40:20 -0500
committer: James Morris <jmorris@namei.org> 2010-02-03 17:06:36 -0500
commit: 0719aaf5ead7555b7b7a4a080ebf2826a871384e (patch)
tree: 19c0b16b1013d84a8b8092737d38e60f3dd7e939 /security/selinux/ss/policydb.c
parent: 42596eafdd75257a640f64701b9b07090bcd84b0 (diff)
1 files changed, 4 insertions, 20 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 5b92c0219207..23c6e53c102c 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
-int selinux_mls_enabled;
 static unsigned int symtab_sizes[SYM_NUM] = {
        2,
        32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct policydb *p)
        printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
               p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-        if (selinux_mls_enabled)
+        if (p->mls_enabled)
                printk(", %d sens, %d cats", p->p_levels.nprim,
                       p->p_cats.nprim);
        printk("\n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, void *fp)
        int i, j, rc;
        __le32 buf[4];
        u32 nodebuf[8];
-        u32 len, len2, config, nprim, nel, nel2;
+        u32 len, len2, nprim, nel, nel2;
        char *policydb_str;
        struct policydb_compat_info *info;
        struct range_trans *rt;
        struct mls_range *r;
-        config = 0;
        rc = policydb_init(p);
        if (rc)
                goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, void *fp)
        kfree(policydb_str);
        policydb_str = NULL;
-        /* Read the version, config, and table sizes. */
+        /* Read the version and table sizes. */
        rc = next_entry(buf, fp, sizeof(u32)*4);
        if (rc < 0)
                goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, void *fp)
        }
        if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-                if (ss_initialized && !selinux_mls_enabled) {
+                p->mls_enabled = 1;
-                        printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-                                " and MLS policies\n");
-                        goto bad;
-                }
-                selinux_mls_enabled = 1;
-                config |= POLICYDB_CONFIG_MLS;
                if (p->policyvers < POLICYDB_VERSION_MLS) {
                        printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, void *fp)
                                p->policyvers);
                        goto bad;
                }
-        } else {
-                if (ss_initialized && selinux_mls_enabled) {
-                        printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-                                " non-MLS policies\n");
-                        goto bad;
-                }
        }
        p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
        p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
author	Guido Trentalancia <guido@trentalancia.com>	2010-02-03 10:40:20 -0500
committer	James Morris <jmorris@namei.org>	2010-02-03 17:06:36 -0500
commit	0719aaf5ead7555b7b7a4a080ebf2826a871384e (patch)
tree	19c0b16b1013d84a8b8092737d38e60f3dd7e939 /security/selinux/ss/policydb.c
parent	42596eafdd75257a640f64701b9b07090bcd84b0 (diff)