[RFC PATCH 44/44] selinux: fix inode initialization when no namespace is initialized

commit e8087cb36d3d2c6eab77 ("selinux: init inode from nearest
initialized namespace") wrongly assumed that there must be at least one
ancestor namespace that is initialized. In the case where the init
SELinux namespace was never initialized (i.e. no policy loaded on the
host), then this assumption can be false. Fix the logic to defer
initialization of the inode in that situation.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 security/selinux/hooks.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6c980f9117b..da8f76707c8c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1441,8 +1441,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	if (isec->sclass == SECCLASS_FILE)
 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
 
+	/*
+	 * Find an initialized state to use.
+	 */
+	while (state && !selinux_initialized(state))
+		state = state->parent;
+
 	sbsec = selinux_superblock(inode->i_sb);
-	if (!(sbsec->flags & SE_SBINITIALIZED)) {
+	if (!state || !(sbsec->flags & SE_SBINITIALIZED)) {
 		/* Defer initialization until selinux_complete_init,
 		   after the initial policy is loaded and the security
 		   server is ready to handle calls. */
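Review bot: The deferral comment under the new `if (!state || !(sbsec->flags & SE_SBINITIALIZED))` still describes only the case of waiting for the initial policy load, and the new comment above the loop ("Find an initialized state to use.") does not say that the walk can end with `state == NULL`. Suggest extending one of the two comments to state that a NULL `state` means no namespace in the ancestor chain is initialized and that the inode is deferred for that reason too. It would also help to note under which circumstances `SE_SBINITIALIZED` can be set while no ancestor namespace is initialized, since the comment removed later in this patch claimed that combination could not occur.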
@@ -1453,13 +1459,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		goto out_unlock;
 	}
 
-	/*
-	 * Find an initialized state to use; there must be at least
-	 * one or else the sbsec won't have been initialized.
-	 */
-	while (!selinux_initialized(state))
-		state = state->parent;
-
 	sclass = isec->sclass;
 	task_sid = isec->task_sid;
 	sid = isec->sid;
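Review bot: With the loop and its comment removed here, nothing at `sclass = isec->sclass;` records that `state` is guaranteed to be non-NULL and initialized by the earlier check. A one-line comment at this point stating that guarantee would keep the dependency visible to anyone who later reorders or adds an early path between the two places. The removed `while (!selinux_initialized(state))` loop followed `state->parent` with no NULL test, so it is worth confirming whether other call sites introduced by the commit named in the changelog use the same unguarded walk.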
-- 
2.47.1




