[RFC PATCH 36/44] selinux: set initial SID context for init to "kernel" in global SID table

Userspace treats any non-null value other than "kernel" as an
indicator that SELinux policy has already been loaded, so
the global SID table needs to transparently remap the init
initial SID to "kernel" just like the security server does.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/global_sidtab.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/selinux/global_sidtab.c b/security/selinux/global_sidtab.c
index 983b406389cb..50c3d58a11ed 100644
--- a/security/selinux/global_sidtab.c
+++ b/security/selinux/global_sidtab.c
@@ -21,6 +21,15 @@ int global_sidtab_init(void)
 
 		if (!str)
 			continue;
+		/*
+		 * Before the policy is loaded, translate
+		 * SECINITSID_INIT to "kernel", because systemd and
+		 * libselinux < 2.6 take a getcon_raw() result that is
+		 * both non-null and not "kernel" to mean that a policy
+		 * is already loaded.
+		 */
+		if (sid == SECINITSID_INIT)
+			str = "kernel";
 		ctx.str = (char *)str;
 		ctx.len = strlen(str)+1;
 		rc = sidtab_set_initial(&global_sidtab, sid, &ctx);
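Review bot: the SECINITSID_INIT -> "kernel" substitution is hard-coded here as a second copy of the special case the commit message says the security server already performs, so the two can silently drift; consider factoring the initial-SID string lookup, including this substitution, into one shared helper that both global_sidtab_init() and the security server call. The comment also says "Before the policy is loaded", but global_sidtab_init() runs once and nothing in this hunk shows the entry being updated afterwards; either say where the entry is replaced once a policy is loaded or reword the comment so it does not imply this code runs at that time.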
-- 
2.47.1




