path: root/security
diff options
authorStephen Smalley <sds@tycho.nsa.gov>2006-03-22 00:09:13 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-22 07:54:06 -0800
commit8aad38752e81d1d4de67e3d8e2524618ce7c9276 (patch)
tree5813d3f31133313a5bcd77cb3298f7cb26b814ed /security
parentb20a35035f983f4ac7e29c4a68f30e43510007e0 (diff)
[PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded
This patch disables the automatic labeling of new inodes on disk when no policy is loaded. Discussion is here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296 In short, we're changing the behavior so that when no policy is loaded, SELinux does not label files at all. Currently it does add an 'unlabeled' label in this case, which we've found causes problems later. SELinux always maintains a safe internal label if there is none, so with this patch, we just stick with that and wait until a policy is loaded before adding a persistent label on disk. The effect is simply that if you boot with SELinux enabled but no policy loaded and create a file in that state, SELinux won't try to set a security extended attribute on the new inode on the disk. This is the only sane behavior for SELinux in that state, as it cannot determine the right label to assign in the absence of a policy. That state usually doesn't occur, but the rawhide installer seemed to be misbehaving temporarily so it happened to show up on a test install. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5b16196f282..9ff51c668f0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1957,7 +1957,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
inode_security_set_sid(inode, newsid);
- if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
+ if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
if (name) {