* [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded
@ 2006-02-22 19:36 Stephen Smalley
From: Stephen Smalley @ 2006-02-22 19:36 UTC (permalink / raw)
  To: Andrew Morton; +Cc: lkml, James Morris

This patch disables the automatic labeling of new inodes on disk
when no policy is loaded.  Please apply.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>

---

 security/selinux/hooks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16-rc4-mm1/security/selinux/hooks.c	2006-02-21 14:39:53.000000000 -0500
+++ linux-2.6.16-rc4-mm1-x/security/selinux/hooks.c	2006-02-21 14:43:32.000000000 -0500
@@ -1983,7 +1983,7 @@ static int selinux_inode_init_security(s
 
 	inode_security_set_sid(inode, newsid);
 
-	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
+	if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 		return -EOPNOTSUPP;
 
 	if (name) {
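Review bot: the changelog gives no rationale or user-visible effect for the new `!ss_initialized` test, and that is the first thing a reviewer will ask of a one-line change in a labeling path; the patch description should say that no persistent label is written until a policy has been loaded. Note that the check sits after `inode_security_set_sid(inode, newsid);`, so the in-memory SID is still assigned and only the on-disk xattr is skipped, and that the existing `SECURITY_FS_USE_MNTPOINT` branch already appears to rely on callers treating `-EOPNOTSUPP` as "nothing to store", so the new condition inherits that contract. A one-line comment above the `if` stating that intent would spare the next reader a trip to the bug tracker.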

-- 
Stephen Smalley
National Security Agency



* Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded
@ 2006-02-22 20:39 ` Andrew Morton
From: Andrew Morton @ 2006-02-22 20:39 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: linux-kernel, jmorris

Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> This patch disables the automatic labeling of new inodes on disk
>  when no policy is loaded.  Please apply.
>

What is the reason for this change, and what will its effects be?


* Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded
@ 2006-02-22 20:55   ` James Morris
From: James Morris @ 2006-02-22 20:55 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Stephen Smalley, linux-kernel

On Wed, 22 Feb 2006, Andrew Morton wrote:

> Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > This patch disables the automatic labeling of new inodes on disk
> >  when no policy is loaded.  Please apply.
> 
> What is the reason for this change, and what will its effects be?

Discussion is here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296

In short, we're changing the behavior so that when no policy is loaded, 
SELinux does not label files at all.  Currently it does add an 'unlabeled' 
label in this case, which we've found causes problems later.

SELinux always maintains a safe internal label if there is none, so with 
this patch, we just stick with that and wait until a policy is loaded 
before adding a persistent label on disk.


- James
-- 
James Morris
<jmorris@namei.org>


* Re: [patch 1/1] selinux: Disable automatic labeling of new inodes when no policy is loaded
@ 2006-02-22 20:59   ` Stephen Smalley
From: Stephen Smalley @ 2006-02-22 20:59 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-kernel, jmorris

On Wed, 2006-02-22 at 12:39 -0800, Andrew Morton wrote:
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > This patch disables the automatic labeling of new inodes on disk
> >  when no policy is loaded.  Please apply.
> >
> 
> What is the reason for this change, and what will its effects be?

Motivated by:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296

The effect is simply that if you boot with SELinux enabled but no policy
loaded and create a file in that state, SELinux won't try to set a
security extended attribute on the new inode on the disk.  This is the
only sane behavior for SELinux in that state, as it cannot determine the
right label to assign in the absence of a policy.  That state usually
doesn't occur, but the rawhide installer seemed to be misbehaving
temporarily so it happened to show up on a test install.

-- 
Stephen Smalley
National Security Agency
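The consequence James and Stephen describe is that an inode created while SELinux is enabled but no policy is loaded carries only an in-memory SID and no security.selinux xattr on disk, so such files need a relabel once a policy is loaded. The walker below reports them; it is an added example, not code from the thread or from the kernel patch, and assumes Linux with Python 3 (os.listxattr) and that security.selinux is the xattr SELinux uses for its persistent label.

```python
"""Report inodes that carry no persistent SELinux label (added example)."""
import errno
import os
from typing import Iterable, Iterator

# The xattr name SELinux stores its on-disk label in.
SELINUX_XATTR = "security.selinux"


def label_state(xattr_names: Iterable[str]) -> str:
    """Classify one inode by the xattr names it carries:
    'labeled' if security.selinux is present, otherwise 'unlabeled'."""
    return "labeled" if SELINUX_XATTR in set(xattr_names) else "unlabeled"


def inode_label_state(path: str) -> str:
    """Read the xattr list of path without following symlinks.

    A filesystem that cannot hold xattrs at all (ENOTSUP) is reported as
    'no-xattr-support', which is a different situation from a file that
    could carry a label but does not; the latter is what the patch
    produces for files created before a policy is loaded.
    """
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            return "no-xattr-support"
        raise
    return label_state(names)


def unlabeled_files(root: str) -> Iterator[str]:
    """Yield every directory and regular file under root that has no
    security.selinux xattr; these are the candidates for relabeling."""
    for dirpath, _dirnames, filenames in os.walk(root):
        # Each directory appears exactly once as dirpath, so checking it
        # here covers directories as well as the files inside them.
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            if inode_label_state(path) == "unlabeled":
                yield path


if __name__ == "__main__":
    import sys
    for unlabeled in unlabeled_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(unlabeled)
```

Run it against a filesystem populated during early boot to find files that a later `restorecon` must visit.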


