Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c36
1 files changed, 27 insertions, 9 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a3230de656e4..8b1656f053f8 100644
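--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1418,15 +1418,33 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 isec->sid = sbsec->sid;
 
 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
-if (opt_dentry) {
-isec->sclass = inode_mode_to_security_class(inode->i_mode);
-rc = selinux_proc_get_sid(opt_dentry,
-isec->sclass,
-&sid);
-if (rc)
-goto out_unlock;
-isec->sid = sid;
-}
+/* We must have a dentry to determine the label on
+* procfs inodes */
+if (opt_dentry)
+/* Called from d_instantiate or
+* d_splice_alias. */
+dentry = dget(opt_dentry);
+else
+/* Called from selinux_complete_init, try to
+* find a dentry. */
+dentry = d_find_alias(inode);
+/*
+* This can be hit on boot when a file is accessed
+* before the policy is loaded. When we load policy we
+* may find inodes that have no dentry on the
+* sbsec->isec_head list. No reason to complain as
+* these will get fixed up the next time we go through
+* inode_doinit() with a dentry, before these inodes
+* could be used again by userspace.
+*/
+if (!dentry)
+goto out_unlock;
+isec->sclass = inode_mode_to_security_class(inode->i_mode);
+rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
+dput(dentry);
+if (rc)
+goto out_unlock;
+isec->sid = sid;
 }
 break;
 }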
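Review bot: The added `if (!dentry) goto out_unlock;` exit runs after `isec->sid = sbsec->sid;` has already been stored, so a procfs inode with no alias keeps the generic superblock label until a later call arrives with a dentry. Whether that is safe depends on code outside the hunk: `rc` has to still be 0 at this point and the path must not mark the inode as initialized, otherwise the fallback label would stick or a spurious error would reach the caller. I would record that in the comment above the check, e.g. `/* Leave the inode uninitialized with rc == 0; it keeps sbsec->sid until it is relabeled with a dentry. */`. The unbraced `if (opt_dentry)` / `else` with multi-line comments sitting between each condition and its statement is also easy to misread during a later edit; `if (opt_dentry) {` … `} else {` … `}` would make the two branches explicit. The function body and the declaration of `dentry` both lie outside the hunk.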