aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2006-03-22 03:09:13 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-22 10:54:06 -0500
commit8aad38752e81d1d4de67e3d8e2524618ce7c9276 (patch)
tree5813d3f31133313a5bcd77cb3298f7cb26b814ed /security
parentb20a35035f983f4ac7e29c4a68f30e43510007e0 (diff)
[PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded
This patch disables the automatic labeling of new inodes on disk when no policy is loaded. Discussion is here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296 In short, we're changing the behavior so that when no policy is loaded, SELinux does not label files at all. Currently it does add an 'unlabeled' label in this case, which we've found causes problems later. SELinux always maintains a safe internal label if there is none, so with this patch, we just stick with that and wait until a policy is loaded before adding a persistent label on disk. The effect is simply that if you boot with SELinux enabled but no policy loaded and create a file in that state, SELinux won't try to set a security extended attribute on the new inode on the disk. This is the only sane behavior for SELinux in that state, as it cannot determine the right label to assign in the absence of a policy. That state usually doesn't occur, but the rawhide installer seemed to be misbehaving temporarily so it happened to show up on a test install. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5b16196f2823..9ff51c668f06 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1957,7 +1957,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1957 1957
1958 inode_security_set_sid(inode, newsid); 1958 inode_security_set_sid(inode, newsid);
1959 1959
1960 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) 1960 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1961 return -EOPNOTSUPP; 1961 return -EOPNOTSUPP;
1962 1962
1963 if (name) { 1963 if (name) {