path: root/security/selinux/hooks.c
diff options
authorLinus Torvalds <>2019-11-30 16:55:37 -0800
committerLinus Torvalds <>2019-11-30 16:55:37 -0800
commitba75082efc18ced6def42e8f85c494aa2578760e (patch)
treebb2c61dc91320f64f70ee2fba37b938ba564d86a /security/selinux/hooks.c
parent8a99117f6e8793ab945d85db038f09e85703b97b (diff)
parent42345b68c2e3e2b6549fc34b937ff44240dfc3b6 (diff)
Merge tag 'selinux-pr-20191126' of git://
Pull selinux updates from Paul Moore: "Only three SELinux patches for v5.5: - Remove the size limit on SELinux policies, the limitation was a lingering vestige and no longer necessary. - Allow file labeling before the policy is loaded. This should ease some of the burden when the policy is initially loaded (no need to relabel files), but it should also help enable some new system concepts which dynamically create the root filesystem in the initrd. - Add support for the "greatest lower bound" policy construct which is defined as the intersection of the MLS range of two SELinux labels" * tag 'selinux-pr-20191126' of git:// selinux: default_range glblub implementation selinux: allow labeling before policy is loaded selinux: remove load size limit
Diffstat (limited to 'security/selinux/hooks.c')
1 files changed, 12 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 73986c1101b9..5d557318f79b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3144,6 +3144,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+ if (!selinux_state.initialized)
+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT))
@@ -3227,6 +3230,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
+ if (!selinux_state.initialized) {
+ /* If we haven't even been initialized, then we can't validate
+ * against a policy, so leave the label as invalid. It may
+ * resolve to a valid label on the next revalidation try if
+ * we've since initialized.
+ */
+ return;
+ }
rc = security_context_to_sid_force(&selinux_state, value, size,
if (rc) {