Exempt the creation of the init SELinux namespace from the maxns limit. It was already exempted from the maxnsdepth limit by virtue of only applying that check when there is a parent namespace. Otherwise, if one were to set CONFIG_SECURITY_SELINUX_MAXNS to 0, the creation of the init SELinux namespace would fail. Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5ce0e2afd84f..8c0e44effdbc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7635,7 +7635,7 @@ int selinux_state_create(const struct cred *cred) struct selinux_state *newstate; int rc; - if (atomic_read(&selinux_nsnum) >= selinux_maxns) + if (parent && atomic_read(&selinux_nsnum) >= selinux_maxns) return -ENOSPC; if (parent && parent->depth >= selinux_maxnsdepth) -- 2.47.1
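Review bot: the new `parent &&` guard on the maxns check is now the same precondition the maxnsdepth check two lines below already carries, so consider folding both limits under one `if (parent) { ... }` block, or adding a short comment at the top of selinux_state_create() stating that a NULL parent denotes the init namespace; otherwise a later reader may take the unguarded-looking limit check for an oversight rather than the deliberate exemption the commit message describes. It is also worth recording, in the Kconfig help for CONFIG_SECURITY_SELINUX_MAXNS or near this check, that with this change a value of 0 now means "init namespace only, every child creation returns -ENOSPC" rather than "no namespaces at all", since `atomic_read(&selinux_nsnum) >= 0` is always true once the comparison is reached.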