I can boot again with this patch...
On 5/3/06, Stephen Smalley <[email protected]> wrote:
On Wed, 2006-05-03 at 15:28 +0100, Al Viro wrote:
> On Wed, May 03, 2006 at 10:11:52AM -0400, Jon Smirl wrote:
> > Something seems to be wrong in selinux_get_task_sid. I am getting
> > thousands of these and can't boot the kernel.
>
> It's actually in security/selinux/hooks.c::selinux_disable() and gets
> triggered if you have selinux enabled and explicitly disable afterwards.
> Stephen Smalley had done a fix yesterday, basically adding
> selinux_enabled = 0;
> after
> selinux_disabled = 1;
> in there. selinux_get_task_sid() happens to step on that in visible way
> and nobody had caught that while this stuff was sitting in -mm ;-/
>
> The only question I have about that patch: what would happen if we do not
> have CONFIG_SECURITY_SELINUX_BOOTPARAM? In that case selinux_enabled is
> defined to 1, so...
Good point. Ok, take two.
[patch 1/1] selinux: Clear selinux_enabled flag upon runtime disable.
Clear selinux_enabled flag upon runtime disable of SELinux by userspace,
and make sure it is defined even if selinux= boot parameter support is
not enabled in configuration.
Signed-off-by: Stephen Smalley <[email protected]>
---
security/selinux/hooks.c | 3 +++
security/selinux/include/security.h | 5 -----
2 files changed, 3 insertions(+), 5 deletions(-)
diff -X /home/sds/dontdiff -rup linux-2.6.17-rc3-mm1/security/selinux/hooks.c linux-2.6.17-rc3-mm1-x2/security/selinux/hooks.c
--- linux-2.6.17-rc3-mm1/security/selinux/hooks.c 2006-05-02 09:08:02.000000000 -0400
+++ linux-2.6.17-rc3-mm1-x2/security/selinux/hooks.c 2006-05-03 10:26:43.000000000 -0400
@@ -101,6 +101,8 @@ static int __init selinux_enabled_setup(
return 1;
}
__setup("selinux=", selinux_enabled_setup);
+#else
+int selinux_enabled = 1;
#endif
/* Original (dummy) security module. */
@@ -4535,6 +4537,7 @@ int selinux_disable(void)
printk(KERN_INFO "SELinux: Disabled at runtime.\n");
selinux_disabled = 1;
+ selinux_enabled = 0;
/* Reset security_ops to the secondary module, dummy or capability. */
security_ops = secondary_ops;
diff -X /home/sds/dontdiff -rup linux-2.6.17-rc3-mm1/security/selinux/include/security.h linux-2.6.17-rc3-mm1-x2/security/selinux/include/security.h
--- linux-2.6.17-rc3-mm1/security/selinux/include/security.h 2006-03-20 00:53:29.000000000 -0500
+++ linux-2.6.17-rc3-mm1-x2/security/selinux/include/security.h 2006-05-03 10:25:39.000000000 -0400
@@ -29,12 +29,7 @@
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB
-#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
extern int selinux_enabled;
-#else
-#define selinux_enabled 1
-#endif
-
extern int selinux_mls_enabled;
int security_load_policy(void * data, size_t len);
--
Stephen Smalley
National Security Agency
--
Jon Smirl
[email protected]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
