Currently, libsepol will write a binary policy with the MLS flag set even if the policy version is unable to support MLS. For instance, you can build a policy.18 with MLS enabled. The resulting policy binary is invalid and can't be read by the kernel or the various tools. Fixing this is just a matter of adding the appropriate check to policydb_write().

Signed-off-by: Todd C. Miller <tmiller@xxxxxxxxxx>

Index: libsepol/src/write.c
===================================================================
--- libsepol/src/write.c	(revision 2704)
+++ libsepol/src/write.c	(working copy)
@@ -1531,8 +1531,19 @@
 	pd.p = p;
 
 	config = 0;
-	if (p->mls)
+	if (p->mls) {
+		if ((p->policyvers < POLICYDB_VERSION_MLS &&
+		     p->policy_type == POLICY_KERN) ||
+		    (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+		     p->policy_type == POLICY_BASE) ||
+		    (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+		     p->policy_type == POLICY_MOD)) {
+			ERR(fp->handle, "policy version %d cannot support MLS",
+			    p->policyvers);
+			return POLICYDB_ERROR;
+		}
 		config |= POLICYDB_CONFIG_MLS;
+	}
 
 	config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
 
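Review bot: the POLICY_BASE and POLICY_MOD branches of the new condition in the `if (p->mls)` block compare `p->policyvers` against the same constant, MOD_POLICYDB_VERSION_MLS, so the three-way disjunction can be collapsed to a single comparison against a per-type minimum, which is easier to read and harder to get wrong if another policy type is ever added. Something like `unsigned int min_vers = (p->policy_type == POLICY_KERN) ? POLICYDB_VERSION_MLS : MOD_POLICYDB_VERSION_MLS;` followed by `if (p->policyvers < min_vers) {` would express the same check. Since the minimum differs between kernel and module policies, it would also help the user if the ERR message named the policy type (or the required minimum version) alongside the rejected version number, rather than only "policy version %d cannot support MLS". The placement itself looks right: the check sits where POLICYDB_CONFIG_MLS is set, before anything is written, and returns POLICYDB_ERROR consistently with the rest of policydb_write().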