Userspace treats any non-null value other than "kernel" as an indicator that SELinux policy has already been loaded, so the global SID table needs to transparently remap the init initial SID to "kernel" just like the security server does. Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- security/selinux/global_sidtab.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/selinux/global_sidtab.c b/security/selinux/global_sidtab.c index 983b406389cb..50c3d58a11ed 100644 --- a/security/selinux/global_sidtab.c +++ b/security/selinux/global_sidtab.c @@ -21,6 +21,15 @@ int global_sidtab_init(void) if (!str) continue; + /* + * Before the policy is loaded, translate + * SECINITSID_INIT to "kernel", because systemd and + * libselinux < 2.6 take a getcon_raw() result that is + * both non-null and not "kernel" to mean that a policy + * is already loaded. + */ + if (sid == SECINITSID_INIT) + str = "kernel"; ctx.str = (char *)str; ctx.len = strlen(str)+1; rc = sidtab_set_initial(&global_sidtab, sid, &ctx); -- 2.47.1
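Review bot: the `if (sid == SECINITSID_INIT) str = "kernel";` remapping hard-codes in global_sidtab_init() a translation that, per the commit message, the security server already performs; consider factoring the mapping into one shared helper, or at least naming the security server's location in the block comment, so the two copies cannot drift apart when the libselinux < 2.6 / systemd compatibility workaround is eventually dropped. The comment records the reason well (a non-null getcon_raw() result other than "kernel" is read as "policy loaded"), but since the behaviour is an observable userspace contract it would be worth stating in the description how it was verified, e.g. that reading the context of SECINITSID_INIT before policy load now returns "kernel". Minor: the literal "kernel" is a string constant, so the existing `ctx.str = (char *)str;` cast and `strlen(str)+1` length computation remain valid for the substituted value; no further change needed there.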