On Thu, Nov 5, 2020 at 2:13 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> A previous fix, commit 83370b31a915 ("selinux: fix error initialization
> in inode_doinit_with_dentry()"), changed how failures were handled
> before a SELinux policy was loaded. Unfortunately that patch was
> potentially problematic for two reasons: it set the isec->initialized
> state without holding a lock, and it didn't set the inode's SELinux
> label to the "default" for the particular filesystem. The latter can
> be a problem if/when a later attempt to revalidate the inode fails
> and SELinux reverts to the existing inode label.
>
> This patch should restore the default inode labeling that existed
> before the original fix, without affecting the LABEL_INVALID marking
> such that revalidation will still be attempted in the future.
>
> Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()")
> Reported-by: Sven Schnelle <svens@xxxxxxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 31 +++++++++++++------------------
> 1 file changed, 13 insertions(+), 18 deletions(-)

FWIW, the patch looks good to me.

Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.