[PATCH] SELinux: reset the security_ops before flushing the avc cache

This patch resets the security_ops to the secondary_ops before it flushes
the avc.  It's still possible that a task on another processor could have
already passed the security_ops dereference and be executing an selinux hook
function which would add a new avc entry.  That entry would still not be
freed.  This should however help to reduce the number of needless avcs the
kernel has when selinux is disabled at run time.  There is no wasted
memory if selinux is disabled on the command line or not compiled.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---

 security/selinux/hooks.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 417f7c9..e1170ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5830,12 +5830,12 @@ int selinux_disable(void)
 	selinux_disabled = 1;
 	selinux_enabled = 0;
 
-	/* Try to destroy the avc node cache */
-	avc_disable();
-
 	/* Reset security_ops to the secondary module, dummy or capability. */
 	security_ops = secondary_ops;
 
+	/* Try to destroy the avc node cache */
+	avc_disable();
+
 	/* Unregister netfilter hooks. */
 	selinux_nf_ip_exit();
 
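Review bot: The new ordering in selinux_disable() narrows the race but does not close it, and the comment above `avc_disable();` does not say so. As the commit message itself notes, a task on another processor that has already dereferenced security_ops can still be inside an SELinux hook and add an AVC entry after the flush, and nothing in this hunk waits for such callers between `security_ops = secondary_ops;` and `avc_disable();`. Consider expanding the "Try to destroy the avc node cache" comment to state that entries added by in-flight hooks may survive, so the best-effort behaviour is documented in the code and not only in the changelog. If a complete flush is wanted, the function would need some way to wait for in-flight hook callers before calling avc_disable().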

