On Wed, 2019-05-22 at 08:41 -0400, Stephen Smalley wrote:
> Another potentially worrisome aspect of the current
> ima_lsm_update_rules() logic is that it does a BUG_ON() if the attempt
> to update the rule fails, which could occur if e.g. one had an IMA
> policy rule based on a given domain/type and that domain/type were
> removed from policy (e.g. via policy module removal). Contrast with the
> handling in audit_dupe_lsm_field(). The existing ima_lsm_update_rules()
> logic could also yield a BUG_ON upon transient memory allocation failure.

The original design was based on the assumption that SELinux labels could
not be removed, only new ones could be added. Sounds like that isn't the
case any longer.

Mimi
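The two failure modes Stephen raises (a label that disappears from the loaded policy, and a transient allocation failure while recompiling the rule) can be modelled outside the kernel. The following is an added, self-contained user-space illustration written for this page; it is not the IMA or audit code and does not reproduce how ima_lsm_update_rules() or audit_dupe_lsm_field() are implemented. The rule table, the fake policy, `lsm_rule_init()`, the `g_alloc_fail` switch and the two update strategies are all hypothetical. It contrasts a crash-on-error refresh (the BUG_ON behaviour described in the quote) with a fail-soft refresh that leaves the table usable, marks the unresolvable rule, and returns the first error to the caller so that the policy reload, not the whole kernel, is what fails.

```c
/* Added example (not from the kernel or the thread): a user-space model of
 * refreshing LSM-label-based policy rules after the LSM policy changes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define MAX_RULES 8

/* Hypothetical stand-in for one compiled label-based rule. */
struct lsm_rule {
    char label[32];  /* label as written in the policy, e.g. "sshd_t" */
    int  sid;        /* compiled form; 0 means "unresolved, cannot match" */
};

/* Hypothetical stand-in for the loaded LSM policy: the labels that exist. */
static const char *g_known_labels[MAX_RULES];
static int g_nr_known;
static bool g_alloc_fail;        /* simulates a transient -ENOMEM */

/* Results of the last graceful refresh, exposed for callers/tests. */
static int g_last_nr_failed;
int last_nr_failed(void) { return g_last_nr_failed; }

static void policy_set(const char **labels, int n)
{
    g_nr_known = n;
    for (int i = 0; i < n; i++)
        g_known_labels[i] = labels[i];
}

/* Hypothetical stand-in for compiling a label into a sid. Fails with
 * -ENOMEM on allocation failure or -EINVAL if the label is unknown. */
static int lsm_rule_init(const char *label, int *sid_out)
{
    if (g_alloc_fail)
        return -12;                          /* -ENOMEM */
    for (int i = 0; i < g_nr_known; i++) {
        if (strcmp(g_known_labels[i], label) == 0) {
            *sid_out = i + 1;
            return 0;
        }
    }
    return -22;                              /* -EINVAL: label removed */
}

/* Strategy 1: treat failure as impossible and crash (BUG_ON equivalent).
 * Any removed label or transient -ENOMEM takes the machine down. */
static void update_rules_bug_on(struct lsm_rule *rules, int n)
{
    for (int i = 0; i < n; i++)
        if (lsm_rule_init(rules[i].label, &rules[i].sid))
            abort();
}

/* Strategy 2: fail soft. A rule that cannot be recompiled is marked
 * unresolved instead of panicking, and the first error is returned so the
 * caller can reject the reload or log it. Successful rules are updated. */
static int update_rules_graceful(struct lsm_rule *rules, int n)
{
    int first_err = 0;
    g_last_nr_failed = 0;
    for (int i = 0; i < n; i++) {
        int new_sid;
        int rc = lsm_rule_init(rules[i].label, &new_sid);
        if (rc) {
            rules[i].sid = 0;                /* fail closed: never matches */
            g_last_nr_failed++;
            if (!first_err)
                first_err = rc;
            continue;
        }
        rules[i].sid = new_sid;
    }
    return first_err;
}

/* Scenario A: a policy module providing "httpd_t" is removed, then the
 * rules are refreshed. Returns the first error; *sshd_ok reports whether the
 * unaffected rule is still resolved. Expected: -22 with sshd_ok == 1. */
int scenario_label_removed(int *sshd_ok)
{
    struct lsm_rule rules[2] = { { "sshd_t", 0 }, { "httpd_t", 0 } };
    const char *full[] = { "sshd_t", "httpd_t" };
    const char *reduced[] = { "sshd_t" };
    int rc;

    g_alloc_fail = false;
    policy_set(full, 2);
    rc = update_rules_graceful(rules, 2);
    if (rc)
        return rc;                           /* initial load must succeed */
    policy_set(reduced, 1);                  /* httpd_t no longer exists */
    rc = update_rules_graceful(rules, 2);
    *sshd_ok = rules[0].sid != 0;
    return rc;
}

/* Scenario B: every allocation fails during the refresh. Expected: -12. */
int scenario_alloc_failure(void)
{
    struct lsm_rule rules[2] = { { "sshd_t", 0 }, { "httpd_t", 0 } };
    const char *full[] = { "sshd_t", "httpd_t" };
    int rc;

    policy_set(full, 2);
    g_alloc_fail = true;
    rc = update_rules_graceful(rules, 2);
    g_alloc_fail = false;
    return rc;
}

int main(void)
{
    struct lsm_rule rules[1] = { { "sshd_t", 0 } };
    const char *full[] = { "sshd_t" };
    int sshd_ok = 0;

    policy_set(full, 1);
    update_rules_bug_on(rules, 1);           /* safe only while sshd_t exists */
    printf("label removed: rc=%d failed=%d sshd_ok=%d\n",
           scenario_label_removed(&sshd_ok), last_nr_failed(), sshd_ok);
    printf("alloc failure: rc=%d failed=%d\n",
           scenario_alloc_failure(), last_nr_failed());
    return 0;
}
```

Marking the broken rule unresolved is a deliberate fail-closed choice for the model: a rule whose label no longer exists can never match, so the caller sees the error and decides whether to keep or reject the reload, rather than silently matching on a stale sid. Whether the real code should keep the old compiled rule, drop it, or refuse the update is the design question the thread is raising.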