This patch disables the setting of SELinux xattrs on files created in
filesystems labeled via mountpoint labeling (mounted with the context=
option). selinux_inode_setxattr already prevents explicit setxattr from
userspace on such filesystems, so this provides consistent behavior for
file creation. Please apply, for 2.6.15 if possible.
Signed-off-by: Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
---
security/selinux/hooks.c | 3 +++
1 files changed, 3 insertions(+)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.173
diff -u -p -r1.173 hooks.c
--- linux-2.6/security/selinux/hooks.c 31 Oct 2005 15:36:30 -0000 1.173
+++ linux-2.6/security/selinux/hooks.c 4 Nov 2005 20:55:20 -0000
@@ -1986,6 +1986,9 @@ static int selinux_inode_init_security(s
inode_security_set_sid(inode, newsid);
+ if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
+ return -EOPNOTSUPP;
+
if (name) {
namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
if (!namep)
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
