After some discussion on the actual meaning of the filesystem class
security check in try context mount it was determined that the checks
for the context= mount options were not correct if fscontext mount
option had already been used. When labeling the superblock we should be
checking relabel_from and relabel_to. But if the superblock has already
been labeled (with fscontext) then context= is actually labeling the
inodes, and so we should be checking relabel_from and associate. This
patch fixes which checks are called depending on the mount options.
This is issue is in 2.6.8-rc1-git4 and should probably be fixed before
2.6.18 releases.
Signed-off-by: Eric Paris <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Acked-by: James Morris <[email protected]>
security/selinux/hooks.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -523,12 +523,16 @@ static int try_context_mount(struct supe
goto out_free;
}
- rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
- if (rc)
- goto out_free;
-
- if (!fscontext)
+ if (!fscontext) {
+ rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
+ if (rc)
+ goto out_free;
sbsec->sid = sid;
+ } else {
+ rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
+ if (rc)
+ goto out_free;
+ }
sbsec->mntpoint_sid = sid;
sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
