All of lore.kernel.org
 help / color / mirror / Atom feed
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 22:36 Guido Trentalancia
  2010-02-04 19:12 ` Eric Paris
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 22:36 UTC (permalink / raw)
  To: sds; +Cc: selinux, eparis, jmorris


[-- Attachment #1.1: Type: text/plain, Size: 17677 bytes --]

Stephen,

my reply follows your quoted text.

>On Mon, 2010-02-01 at 22:49 +0100, Guido Trentalancia wrote:
>> +	if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
>> +		oc = args->newp->ocontexts[OCON_ISID];
>> +		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
>> +			oc = oc->next;
>
>Just in case, I'd test if (!oc) and bail with an error.

if (!oc) {
                        printk(KERN_ERR "SELinux:  unable to look up"
                                " the initial SIDs listn");
                        goto bad;
                }

>> +		range = &oc->context[0].range;
>> +		rc = mls_range_set(c, range);
>> +		if (rc) {
>> +			if (context_struct_to_string(&oldc, &s, &len))
>> +				return -ENOMEM;
>> +			context_destroy(&oldc);
>> +			context_destroy(c);
>> +			c->str = s;
>> +			c->len = len;
>> +			printk(KERN_ERR "SELinux:  Failed to set"
>> +				" the MLS/MCS range for context"
>> +				" %sn", c->str);
>> +			goto out;
>
>goto bad ?

Ok, goto bad. It improves readability.

Final version follows. You don't like to appear as any of Acked-by, Signed-off-by or Reviewed-by ? Nobody else commented, I would say it's ready to be submitted then (has been reviewed, checks fine, builds fine, diffstat included and I will have a kernel ready in a few minutes for a final test just in case).

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 01 23:29:52 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

 security/selinux/include/security.h |    3 -
 security/selinux/selinuxfs.c        |    3 -
 security/selinux/ss/.policydb.c.swp |binary
 security/selinux/ss/context.h       |    9 +--
 security/selinux/ss/mls.c           |   26 ++++-----
 security/selinux/ss/mls.h           |    2
 security/selinux/ss/mls_types.h     |    5 +
 security/selinux/ss/policydb.c      |   24 +-------
 security/selinux/ss/policydb.h      |    4 +
 security/selinux/ss/services.c      |   74 +++++++++++++++++++++++---
 10 files changed, 101 insertions(+), 49 deletions(-)

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 23:12:28.898233272 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;

 extern int selinux_enabled;
-extern int selinux_mls_enabled;

 /* Policy capabilities */
 enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4

+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);

 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;

-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }

diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-01 23:13:35.857235582 +0100
@@ -41,7 +41,7 @@ static inline int mls_context_cpy(struct
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;

 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -64,7 +64,7 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;

 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -82,7 +82,7 @@ out:

 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -93,9 +93,6 @@ static inline int mls_context_cmp(struct

 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb
 {
 	struct user_datum *usrdatum;

-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;

 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;

-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;

 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb
 	struct ebitmap_node *node;
 	int l, i;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 23:17:31.025223083 +0100
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *

 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);

+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-01 22:23:11.799224771 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_

 #include "security.h"
+#include "ebitmap.h"

 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,7 +28,7 @@ struct mls_range {

 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((l1->sens == l2->sens) &&
@@ -36,7 +37,7 @@ static inline int mls_level_eq(struct ml

 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((l1->sens >= l2->sens) &&
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif

-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct

 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;

-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;

-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}

 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policiesn");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;

 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policiesn");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"

@@ -185,6 +187,8 @@ struct genfs {

 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-01 23:28:02.338227931 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,16 @@ static void map_decision(u16 tclass, str
 	}
 }

+/*
+ * Returns a boolean value.
+ * True: if the specified policy is MLS or MCS
+ * False: if the specified policy is a standard policy
+ * 	  without MLS/MCS support
+ */
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}

 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1561,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1630,43 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;

-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields if dealing with MLS/MCS policies */
+	if (args->oldp->mls_enabled
+	    && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	}
+
+	/*
+	 * Switching between MLS/MCS and non-MLS/non-MCS policy:
+	 * free any storage used by the MLS fields in the
+	 * context for all existing entries in the sidtab.
+	 */
+	if (args->oldp->mls_enabled && !args->newp->mls_enabled)
+		mls_context_destroy(c);
+
+	/*
+	 * Switching between non-MLS/non-MCS and MLS/MCS policy:
+	 * ensure that the MLS fields of the context for all
+	 * existing entries in the sidtab are filled in with a
+	 * suitable default value, likely taken from one of the
+	 * initial SIDs.
+	 */
+	if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		if (!oc) {
+			printk(KERN_ERR "SELinux:  unable to look up"
+				" the initial SIDs listn");
+			goto bad;
+		}
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc)
+			goto bad;
+	}

 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1762,14 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;

+	/* If switching between different policy types, log it */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1799,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" tablen");
 		goto err;
+	}

 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2400,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;

-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2501,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}

[-- Attachment #2: switch-policy.patch --]
[-- Type: application/octet-stream, Size: 15911 bytes --]

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 01 23:29:52 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

 security/selinux/include/security.h |    3 -
 security/selinux/selinuxfs.c        |    3 -
 security/selinux/ss/.policydb.c.swp |binary
 security/selinux/ss/context.h       |    9 +--
 security/selinux/ss/mls.c           |   26 ++++-----
 security/selinux/ss/mls.h           |    2
 security/selinux/ss/mls_types.h     |    5 +
 security/selinux/ss/policydb.c      |   24 +-------
 security/selinux/ss/policydb.h      |    4 +
 security/selinux/ss/services.c      |   74 +++++++++++++++++++++++---
 10 files changed, 101 insertions(+), 49 deletions(-)

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 23:12:28.898233272 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
-extern int selinux_mls_enabled;
 
 /* Policy capabilities */
 enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4
 
+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);
 
 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file 
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-01 23:13:35.857235582 +0100
@@ -41,7 +41,7 @@ static inline int mls_context_cpy(struct
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -64,7 +64,7 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -82,7 +82,7 @@ out:
 
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -93,9 +93,6 @@ static inline int mls_context_cmp(struct
 
 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb 
 {
 	struct user_datum *usrdatum;
 
-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;
 
 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;
 
-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;
 
 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb 
 	struct ebitmap_node *node;
 	int l, i;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 23:17:31.025223083 +0100
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *
 
 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 
+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-01 22:23:11.799224771 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_
 
 #include "security.h"
+#include "ebitmap.h"
 
 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,7 +28,7 @@ struct mls_range {
 
 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens == l2->sens) &&
@@ -36,7 +37,7 @@ static inline int mls_level_eq(struct ml
 
 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens >= l2->sens) &&
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
 
-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct 
 
 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;
 
-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;
 
-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}
 
 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policies\n");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;
 
 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policies\n");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"
 
@@ -185,6 +187,8 @@ struct genfs {
 
 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-01 23:28:02.338227931 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,16 @@ static void map_decision(u16 tclass, str
 	}
 }
 
+/*
+ * Returns a boolean value.
+ * True: if the specified policy is MLS or MCS
+ * False: if the specified policy is a standard policy
+ * 	  without MLS/MCS support
+ */
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}
 
 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1561,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1630,43 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;
 
-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields if dealing with MLS/MCS policies */
+	if (args->oldp->mls_enabled
+	    && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	}
+
+	/*
+	 * Switching between MLS/MCS and non-MLS/non-MCS policy:
+	 * free any storage used by the MLS fields in the
+	 * context for all existing entries in the sidtab.
+	 */
+	if (args->oldp->mls_enabled && !args->newp->mls_enabled)
+		mls_context_destroy(c);
+
+	/*
+	 * Switching between non-MLS/non-MCS and MLS/MCS policy:
+	 * ensure that the MLS fields of the context for all
+	 * existing entries in the sidtab are filled in with a
+	 * suitable default value, likely taken from one of the
+	 * initial SIDs.
+	 */
+	if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		if (!oc) {
+			printk(KERN_ERR "SELinux:  unable to look up"
+				" the initial SIDs list\n");
+			goto bad;
+		}
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc)
+			goto bad;
+	}
 
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1762,14 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
 
+	/* If switching between different policy types, log it */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...\n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...\n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1799,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" table\n");
 		goto err;
+	}
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2400,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2501,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-04 19:27 Guido Trentalancia
  2010-02-04 19:37 ` Eric Paris
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-04 19:27 UTC (permalink / raw)
  To: Eric Paris; +Cc: selinux

Eric,

thanks for your comments. Unfortunately you are commenting an old
version of the patch.

The latest version of the "initial SIDs loading" patch was posted on
Wed, 03 Feb 2010 at 12:59:13 -0500 (18:59 CET).

The latest version of the "runtime switching between different policy
types" was posted on Wed, 03 Feb 2010 at 16:40:20 +0100.

And they've both been commited already by James Morris on Thu, 4 Feb
2010 at 09:07:38 +1100 (EST) (Wed, 23:07 CET).

The comment about the boolean has been removed by Stephen, I was just
following the other comments. Of course, that's an integer but
functionally it represents a boolean (on/off). To be picky it should
have been unsigned int.

The newline issue has been fixed. I am sorry about that...

You should fix this line to match the line above that you changed ?? I
didn't get that... Do you mean tab misalignment or what ?

Regards,

Guido


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-03 15:40 Guido Trentalancia
  2010-02-03 15:53 ` Stephen Smalley
  2010-02-03 22:07 ` James Morris
  0 siblings, 2 replies; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-03 15:40 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 02 23:11:07 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

---

 security/selinux/include/security.h |    3 -
 security/selinux/selinuxfs.c        |    3 -
 security/selinux/ss/context.h       |   12 -----
 security/selinux/ss/mls.c           |   26 +++++-----
 security/selinux/ss/mls.h           |    2 
 security/selinux/ss/mls_types.h     |    7 --
 security/selinux/ss/policydb.c      |   24 +---------
 security/selinux/ss/policydb.h      |    4 +
 security/selinux/ss/services.c      |   62 +++++++++++++++++++++++---
 9 files changed, 84 insertions(+), 59 deletions(-)

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 23:12:28.898233272 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
-extern int selinux_mls_enabled;
 
 /* Policy capabilities */
 enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4
 
+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);
 
 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file 
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-02 21:49:41.210011207 +0100
@@ -41,9 +41,6 @@ static inline int mls_context_cpy(struct
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
-		return 0;
-
 	dst->range.level[0].sens = src->range.level[0].sens;
 	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
 	if (rc)
@@ -64,9 +61,6 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
-		return 0;
-
 	dst->range.level[0].sens = src->range.level[0].sens;
 	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
 	if (rc)
@@ -82,9 +76,6 @@ out:
 
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
-		return 1;
-
 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
 		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
 		(c1->range.level[1].sens == c2->range.level[1].sens) &&
@@ -93,9 +84,6 @@ static inline int mls_context_cmp(struct
 
 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb 
 {
 	struct user_datum *usrdatum;
 
-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;
 
 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;
 
-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;
 
 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb 
 	struct ebitmap_node *node;
 	int l, i;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 23:17:31.025223083 +0100
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *
 
 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 
+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-02 21:49:54.108993602 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_
 
 #include "security.h"
+#include "ebitmap.h"
 
 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,18 +28,12 @@ struct mls_range {
 
 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
-		return 1;
-
 	return ((l1->sens == l2->sens) &&
 		ebitmap_cmp(&l1->cat, &l2->cat));
 }
 
 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
-		return 1;
-
 	return ((l1->sens >= l2->sens) &&
 		ebitmap_contains(&l1->cat, &l2->cat));
 }
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
 
-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct 
 
 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;
 
-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;
 
-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}
 
 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policies\n");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;
 
 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policies\n");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"
 
@@ -185,6 +187,8 @@ struct genfs {
 
 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-02 23:48:07.637994777 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,10 @@ static void map_decision(u16 tclass, str
 	}
 }
 
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}
 
 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1555,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1624,39 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;
 
-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS fields if dealing with MLS policies */
+	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	} else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
+		/*
+		 * Switching between MLS and non-MLS policy:
+		 * free any storage used by the MLS fields in the
+		 * context for all existing entries in the sidtab.
+		 */
+		mls_context_destroy(c);
+	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		/*
+		 * Switching between non-MLS and MLS policy:
+		 * ensure that the MLS fields of the context for all
+		 * existing entries in the sidtab are filled in with a
+		 * suitable default value, likely taken from one of the
+		 * initial SIDs.
+		 */
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		if (!oc) {
+			printk(KERN_ERR "SELinux:  unable to look up"
+				" the initial SIDs list\n");
+			goto bad;
+		}
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc)
+			goto bad;
+	}
 
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1752,12 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
 
+	/* If switching between different policy types, log MLS status */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Disabling MLS support...\n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Enabling MLS support...\n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1787,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" table\n");
 		goto err;
+	}
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2388,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2489,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-02 16:29 Guido Trentalancia
  2010-02-02 16:52 ` Christopher J. PeBenito
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-02 16:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Stephen,

the latest patch for runtime switching of different policy types fails
with:

SELinux: Switching between standard and MLS/MCS policy...
SELinux:  permission module_request in class system not defined in
policy
SELinux: the above unknown classes and permissions will be allowed
BUG: unable to handle kernel NULL pointer dereference at 000002ff
IP: [<c05190d2>] ebitmap_destroy+0x12/0x30
*pde = 00000000 
Oops: 0000 [#1] 
last sysfs file: /sys/devices/virtual/block/dm-2/range
Modules linked in: hangcheck_timer softdog ppdev lp ipv6 microcode ne
8390p ext2 snd_ens1371 snd_seq_midi snd_seq_midi_event snd_rawmidi
snd_ac97_codec ac97_bus snd_pcm snd_seq parport_pc snd_timer
snd_seq_device parport snd floppy soundcore pcspkr snd_page_alloc
i2c_piix4 sr_mod i2c_core cdrom sha256_generic aes_i586 aes_generic

Pid: 2858, comm: load_policy Not tainted (2.6.32.7 #1)  
EIP: 0060:[<c05190d2>] EFLAGS: 00010206 CPU: 0
EIP is at ebitmap_destroy+0x12/0x30
EAX: 000002ff EBX: 00000000 ECX: 00000000 EDX: 00000000
ESI: c7097cb8 EDI: c7097ca4 EBP: 00000000 ESP: c7097c60
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process load_policy (pid: 2858, ti=c7097000 task=c736c000
task.ti=c7097000)
Stack:
 00000000 00000000 c0521831 c107bbc0 c048c5ce 00000000 c0803734 c08034f8
<0> 00000020 ffffffff c3dde000 00000020 00000000 00000020 00000202
c219afc0
<0> 00000040 00000000 00000000 00000000 00000000 000001a0 000002ff
c7097ed8
Call Trace:
 [<c0521831>] ? convert_context+0x271/0x350
 [<c048c5ce>] ? __slab_alloc+0x24e/0x540
 [<c0519eb7>] ? sidtab_insert+0xb7/0x1a0
 [<c0520345>] ? security_load_policy+0x265/0x430
 [<c05215c0>] ? convert_context+0x0/0x350
 [<c0519bd0>] ? sidtab_map+0x40/0x70
 [<c05203eb>] ? security_load_policy+0x30b/0x430
 [<c0479c99>] ? __do_fault+0x1f9/0x360
 [<c047a4ba>] ? handle_mm_fault+0x13a/0x550
 [<c041c245>] ? do_page_fault+0xe5/0x2f0
 [<c0404b73>] ? do_IRQ+0x43/0xb0
 [<c041c160>] ? do_page_fault+0x0/0x2f0
 [<c0708506>] ? error_code+0x5e/0x64
 [<c051007b>] ? selinux_inode_rename+0x16b/0x1c0
 [<c051773d>] ? sel_write_load+0xbd/0x630
 [<c047cc4c>] ? vma_link+0x3c/0x50
 [<c0513637>] ? selinux_file_permission+0xe7/0x140
 [<c050a9ac>] ? security_file_permission+0xc/0x10
 [<c0490b24>] ? rw_verify_area+0x64/0xd0
 [<c0517680>] ? sel_write_load+0x0/0x630
 [<c0490c38>] ? vfs_write+0xa8/0x160
 [<c04913a1>] ? sys_write+0x41/0x70
 [<c0402ee4>] ? sysenter_do_call+0x12/0x22
Code: c0 5e c3 8d b6 00 00 00 00 8b 09 eb 9a 8d 74 26 00 5b 31 c0 5e c3
8d 76 00 56 85 c0 53 89 c6 74 22 8b 00 85 c0 75 04 eb 0d 89 d8 <8b> 18
e8 c7 31 f7 ff 85 db 75 f3 c7 46 04 00 00 00 00 c7 06 00 
EIP: [<c05190d2>] ebitmap_destroy+0x12/0x30 SS:ESP 0068:c7097c60
CR2: 00000000000002ff
---[ end trace 17c3aaaa15b3b444 ]---

I suspect, we'd better reintroduce some of my changes so that the
parameter struct policydb is passed when calling
[mls_,o]context_destroy() and sidtab_destroy()... In fact, it seems like
it isn't that safe to always execute mls_context_destroy() even for a
policy which isn't MLS/MCS !

At the end, it wasn't a bad idea to have more general functions (you
never know, in the future we might find them convenient for other
purposes and logically they are more correct, because those function
should be general for any policy, not necessarily the active policy).
You mentioned about the need to change all the family of functions to
accept that extra parameter, I think this is not necessary both from a
logical point of view and a coherency point of view: we can just change
the *context_destroy() and sidtab_destroy() functions and we'll have a
working patch and a more general set of functions.

The test above has been executed on kernel 2.6.32.7 although I am sure
things won't change much with the next branch of the 2.6 security tree.

Please let me know.

Regards,

Guido Trentalancia


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-02 14:22 Guido Trentalancia
  2010-02-02 16:44 ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-02 14:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 16367 bytes --]

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 02 14:23:05 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

 security/selinux/include/security.h |    3 -
 security/selinux/selinuxfs.c        |    3 -
 security/selinux/ss/context.h       |    9 +--
 security/selinux/ss/mls.c           |   26 ++++-----
 security/selinux/ss/mls.h           |    2 
 security/selinux/ss/mls_types.h     |    5 +
 security/selinux/ss/policydb.c      |   24 +-------
 security/selinux/ss/policydb.h      |    4 +
 security/selinux/ss/services.c      |   73 +++++++++++++++++++++++---
 9 files changed, 100 insertions(+), 49 deletions(-)

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 23:12:28.898233272 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
-extern int selinux_mls_enabled;
 
 /* Policy capabilities */
 enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4
 
+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);
 
 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file 
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-01 23:13:35.857235582 +0100
@@ -41,7 +41,7 @@ static inline int mls_context_cpy(struct
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -64,7 +64,7 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -82,7 +82,7 @@ out:
 
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -93,9 +93,6 @@ static inline int mls_context_cmp(struct
 
 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb 
 {
 	struct user_datum *usrdatum;
 
-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;
 
 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;
 
-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;
 
 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb 
 	struct ebitmap_node *node;
 	int l, i;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 23:17:31.025223083 +0100
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *
 
 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 
+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-01 22:23:11.799224771 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_
 
 #include "security.h"
+#include "ebitmap.h"
 
 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,7 +28,7 @@ struct mls_range {
 
 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens == l2->sens) &&
@@ -36,7 +37,7 @@ static inline int mls_level_eq(struct ml
 
 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens >= l2->sens) &&
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
 
-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct 
 
 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;
 
-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;
 
-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}
 
 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policies\n");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;
 
 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policies\n");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"
 
@@ -185,6 +187,8 @@ struct genfs {
 
 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-02 14:28:05.222993305 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,16 @@ static void map_decision(u16 tclass, str
 	}
 }
 
+/*
+ * Returns a boolean value.
+ * True: if the currently active policy is MLS or MCS
+ * False: if the currently active policy is a standard policy
+ * 	  without MLS/MCS support
+ */
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}
 
 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1561,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1630,42 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;
 
-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields if dealing with MLS/MCS policies */
+	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	}
+
+	/*
+	 * Switching between MLS/MCS and non-MLS/non-MCS policy:
+	 * free any storage used by the MLS fields in the
+	 * context for all existing entries in the sidtab.
+	 */
+	else if (args->oldp->mls_enabled && !args->newp->mls_enabled)
+		mls_context_destroy(c);
+
+	/*
+	 * Switching between non-MLS/non-MCS and MLS/MCS policy:
+	 * ensure that the MLS fields of the context for all
+	 * existing entries in the sidtab are filled in with a
+	 * suitable default value, likely taken from one of the
+	 * initial SIDs.
+	 */
+	else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		if (!oc) {
+			printk(KERN_ERR "SELinux:  unable to look up"
+				" the initial SIDs list\n");
+			goto bad;
+		}
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc)
+			goto bad;
+	}
 
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1761,14 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
 
+	/* If switching between different policy types, log it */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...\n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...\n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1798,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" table\n");
 		goto err;
+	}
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2399,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2500,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5186 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 21:56 Guido Trentalancia
  0 siblings, 0 replies; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 21:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, eparis, jmorris

Diffstat output of switch-policy.patch

 security/selinux/include/security.h |    4 -
 security/selinux/selinuxfs.c        |    3
 security/selinux/ss/constraint.h    |    1
 security/selinux/ss/context.h       |   10 +--
 security/selinux/ss/mls.c           |   26 ++++----
 security/selinux/ss/mls.h           |    4 +
 security/selinux/ss/mls_types.h     |    5 -
 security/selinux/ss/policydb.c      |   24 +------
 security/selinux/ss/policydb.h      |    4 +
 security/selinux/ss/services.c      |   79 ++++++++++++++++++++++++--
 security/selinux/ss/services.h      |    1
 security/selinux/ss/sidtab.h        |    1
 security/selinux/ss/symtab.h        |    1
 13 files changed, 113 insertions(+), 50 deletions(-)
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 21:49 Guido Trentalancia
  2010-02-01 22:09 ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 21:49 UTC (permalink / raw)
  To: sds; +Cc: selinux, eparis, jmorris


[-- Attachment #1.1: Type: text/plain, Size: 18572 bytes --]

Stephen,

yes you are right. There is no need to include policydb.h from security.h.

Please have a further look at the attached revised patch, while I do some testing of the resulting compiled kernel. I hope I did not miss any amendment.

If it is fine and nobody else has comments or suggestions to make, then we should probably post it to the kernel mailing list with your Acked-by or Reviewed-by line.

Best regards,

Guido

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 01 22:34:16 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 22:06:38.053225052 +0100
@@ -57,7 +57,7 @@
 struct netlbl_lsm_secattr;

 extern int selinux_enabled;
-extern int selinux_mls_enabled;
+extern struct policydb policydb;

 /* Policy capabilities */
 enum {
@@ -80,6 +80,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4

+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);

 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;

-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }

diff -pruN security-testing-2.6/security/selinux/ss/constraint.h security-testing-2.6-new/security/selinux/ss/constraint.h
--- security-testing-2.6/security/selinux/ss/constraint.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/constraint.h	2010-02-01 20:50:19.860227025 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONSTRAINT_H_
 #define _SS_CONSTRAINT_H_

diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-01 22:22:33.090234587 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONTEXT_H_
 #define _SS_CONTEXT_H_

@@ -41,7 +42,7 @@ static inline int mls_context_cpy(struct
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;

 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -64,7 +65,7 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;

 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -82,7 +83,7 @@ out:

 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -93,9 +94,6 @@ static inline int mls_context_cmp(struct

 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb
 {
 	struct user_datum *usrdatum;

-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;

 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;

-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;

 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb
 	struct ebitmap_node *node;
 	int l, i;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;

 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 18:57:42.693221952 +0100
@@ -24,6 +24,8 @@
 #include "context.h"
 #include "policydb.h"

+extern struct policydb policydb;
+
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);
@@ -39,6 +41,8 @@ int mls_context_to_sid(struct policydb *

 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);

+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-01 22:23:11.799224771 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_

 #include "security.h"
+#include "ebitmap.h"

 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,7 +28,7 @@ struct mls_range {

 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((l1->sens == l2->sens) &&
@@ -36,7 +37,7 @@ static inline int mls_level_eq(struct ml

 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;

 	return ((l1->sens >= l2->sens) &&
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif

-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct

 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;

-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;

-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}

 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policiesn");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;

 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policiesn");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"

@@ -185,6 +187,8 @@ struct genfs {

 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-01 22:41:08.730228020 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,16 @@ static void map_decision(u16 tclass, str
 	}
 }

+/*
+ * Returns a boolean value.
+ * True: if the specified policy is MLS or MCS
+ * False: if the specified policy is a standard policy
+ * 	  without MLS/MCS support
+ */
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}

 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1561,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1630,48 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;

-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields if dealing with MLS/MCS policies */
+	if (args->oldp->mls_enabled
+	    && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	}
+
+	/*
+	 * Switching between MLS/MCS and non-MLS/non-MCS policy:
+	 * free any storage used by the MLS fields in the
+	 * context for all existing entries in the sidtab.
+	 */
+	if (args->oldp->mls_enabled && !args->newp->mls_enabled)
+		mls_context_destroy(c);
+
+	/*
+	 * Switching between non-MLS/non-MCS and MLS/MCS policy:
+	 * ensure that the MLS fields of the context for all
+	 * existing entries in the sidtab are filled in with a
+	 * suitable default value, likely taken from one of the
+	 * initial SIDs.
+	 */
+	if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc) {
+			if (context_struct_to_string(&oldc, &s, &len))
+				return -ENOMEM;
+			context_destroy(&oldc);
+			context_destroy(c);
+			c->str = s;
+			c->len = len;
+			printk(KERN_ERR "SELinux:  Failed to set"
+				" the MLS/MCS range for context"
+				" %sn", c->str);
+			goto out;
+		}
+	}

 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1767,14 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;

+	/* If switching between different policy types, log it */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1804,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" tablen");
 		goto err;
+	}

 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2405,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;

-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2506,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}
diff -pruN security-testing-2.6/security/selinux/ss/services.h security-testing-2.6-new/security/selinux/ss/services.h
--- security-testing-2.6/security/selinux/ss/services.h	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.h	2010-02-01 18:26:32.682234915 +0100
@@ -3,6 +3,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SERVICES_H_
 #define _SS_SERVICES_H_

diff -pruN security-testing-2.6/security/selinux/ss/sidtab.h security-testing-2.6-new/security/selinux/ss/sidtab.h
--- security-testing-2.6/security/selinux/ss/sidtab.h	2010-01-29 01:06:42.175047659 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.h	2010-02-01 20:38:09.350520786 +0100
@@ -51,4 +51,3 @@ void sidtab_shutdown(struct sidtab *s);

 #endif	/* _SS_SIDTAB_H_ */

-
diff -pruN security-testing-2.6/security/selinux/ss/symtab.h security-testing-2.6-new/security/selinux/ss/symtab.h
--- security-testing-2.6/security/selinux/ss/symtab.h	2010-01-29 01:06:42.176055661 +0100
+++ security-testing-2.6-new/security/selinux/ss/symtab.h	2010-02-01 20:50:54.661232717 +0100
@@ -6,6 +6,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SYMTAB_H_
 #define _SS_SYMTAB_H_


[-- Attachment #2: switch-policy.patch --]
[-- Type: application/octet-stream, Size: 17669 bytes --]

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Mon Feb 01 22:34:16 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-02-01 22:06:38.053225052 +0100
@@ -57,7 +57,7 @@
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
-extern int selinux_mls_enabled;
+extern struct policydb policydb;
 
 /* Policy capabilities */
 enum {
@@ -80,6 +80,8 @@ extern int selinux_policycap_openperm;
 /* limitation of boundary depth  */
 #define POLICYDB_BOUNDS_MAXDEPTH	4
 
+int security_mls_enabled(void);
+
 int security_load_policy(void *data, size_t len);
 
 int security_policycap_supported(unsigned int req_cap);
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-02-01 22:06:21.709234039 +0100
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file 
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+			   security_mls_enabled());
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
diff -pruN security-testing-2.6/security/selinux/ss/constraint.h security-testing-2.6-new/security/selinux/ss/constraint.h
--- security-testing-2.6/security/selinux/ss/constraint.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/constraint.h	2010-02-01 20:50:19.860227025 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONSTRAINT_H_
 #define _SS_CONSTRAINT_H_
 
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-02-01 22:22:33.090234587 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONTEXT_H_
 #define _SS_CONTEXT_H_
 
@@ -41,7 +42,7 @@ static inline int mls_context_cpy(struct
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -64,7 +65,7 @@ static inline int mls_context_cpy_low(st
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 0;
 
 	dst->range.level[0].sens = src->range.level[0].sens;
@@ -82,7 +83,7 @@ out:
 
 static inline int mls_context_cmp(struct context *c1, struct context *c2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
@@ -93,9 +94,6 @@ static inline int mls_context_cmp(struct
 
 static inline void mls_context_destroy(struct context *c)
 {
-	if (!selinux_mls_enabled)
-		return;
-
 	ebitmap_destroy(&c->range.level[0].cat);
 	ebitmap_destroy(&c->range.level[1].cat);
 	mls_context_init(c);
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-02-01 22:15:48.062233721 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb 
 {
 	struct user_datum *usrdatum;
 
-	if (!selinux_mls_enabled)
+	if (!p->mls_enabled)
 		return 1;
 
 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;
 
-	if (!selinux_mls_enabled) {
+	if (!pol->mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return -EINVAL;
 
 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb 
 	struct ebitmap_node *node;
 	int l, i;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return;
 
 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-02-01 18:57:42.693221952 +0100
@@ -24,6 +24,8 @@
 #include "context.h"
 #include "policydb.h"
 
+extern struct policydb policydb;
+
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);
@@ -39,6 +41,8 @@ int mls_context_to_sid(struct policydb *
 
 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 
+int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-02-01 22:23:11.799224771 +0100
@@ -15,6 +15,7 @@
 #define _SS_MLS_TYPES_H_
 
 #include "security.h"
+#include "ebitmap.h"
 
 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -27,7 +28,7 @@ struct mls_range {
 
 static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens == l2->sens) &&
@@ -36,7 +37,7 @@ static inline int mls_level_eq(struct ml
 
 static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
 {
-	if (!selinux_mls_enabled)
+	if (!security_mls_enabled())
 		return 1;
 
 	return ((l1->sens >= l2->sens) &&
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-02-01 22:12:18.601226073 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
 
-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct 
 
 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
@@ -1717,14 +1715,12 @@ int policydb_read(struct policydb *p, vo
 	int i, j, rc;
 	__le32 buf[4];
 	u32 nodebuf[8];
-	u32 len, len2, config, nprim, nel, nel2;
+	u32 len, len2, nprim, nel, nel2;
 	char *policydb_str;
 	struct policydb_compat_info *info;
 	struct range_trans *rt;
 	struct mls_range *r;
 
-	config = 0;
-
 	rc = policydb_init(p);
 	if (rc)
 		goto out;
@@ -1772,7 +1768,7 @@ int policydb_read(struct policydb *p, vo
 	kfree(policydb_str);
 	policydb_str = NULL;
 
-	/* Read the version, config, and table sizes. */
+	/* Read the version and table sizes. */
 	rc = next_entry(buf, fp, sizeof(u32)*4);
 	if (rc < 0)
 		goto bad;
@@ -1787,13 +1783,7 @@ int policydb_read(struct policydb *p, vo
 	}
 
 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policies\n");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
-		config |= POLICYDB_CONFIG_MLS;
+		p->mls_enabled = 1;
 
 		if (p->policyvers < POLICYDB_VERSION_MLS) {
 			printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1801,12 +1791,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policies\n");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-02-01 20:47:08.352232380 +0100
@@ -27,6 +27,8 @@
 #include "symtab.h"
 #include "avtab.h"
 #include "sidtab.h"
+#include "ebitmap.h"
+#include "mls_types.h"
 #include "context.h"
 #include "constraint.h"
 
@@ -185,6 +187,8 @@ struct genfs {
 
 /* The policy database */
 struct policydb {
+	int mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-02-01 22:41:08.730228020 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -232,6 +236,16 @@ static void map_decision(u16 tclass, str
 	}
 }
 
+/*
+ * Returns a boolean value.
+ * True: if the specified policy is MLS or MCS
+ * False: if the specified policy is a standard policy
+ * 	  without MLS/MCS support
+ */
+int security_mls_enabled(void)
+{
+	return policydb.mls_enabled;
+}
 
 /*
  * Return the boolean value of a constraint expression
@@ -1547,6 +1561,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1630,48 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;
 
-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields if dealing with MLS/MCS policies */
+	if (args->oldp->mls_enabled
+	    && args->newp->mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	}
+
+	/*
+	 * Switching between MLS/MCS and non-MLS/non-MCS policy:
+	 * free any storage used by the MLS fields in the
+	 * context for all existing entries in the sidtab.
+	 */
+	if (args->oldp->mls_enabled && !args->newp->mls_enabled)
+		mls_context_destroy(c);
+
+	/*
+	 * Switching between non-MLS/non-MCS and MLS/MCS policy:
+	 * ensure that the MLS fields of the context for all
+	 * existing entries in the sidtab are filled in with a
+	 * suitable default value, likely taken from one of the
+	 * initial SIDs.
+	 */
+	if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+		oc = args->newp->ocontexts[OCON_ISID];
+		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+			oc = oc->next;
+		range = &oc->context[0].range;
+		rc = mls_range_set(c, range);
+		if (rc) {
+			if (context_struct_to_string(&oldc, &s, &len))
+				return -ENOMEM;
+			context_destroy(&oldc);
+			context_destroy(c);
+			c->str = s;
+			c->len = len;
+			printk(KERN_ERR "SELinux:  Failed to set"
+				" the MLS/MCS range for context"
+				" %s\n", c->str);
+			goto out;
+		}
+	}
 
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1712,6 +1767,14 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
 
+	/* If switching between different policy types, log it */
+	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...\n");
+	else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...\n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1804,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" table\n");
 		goto err;
+	}
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -2338,7 +2405,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2439,7 +2506,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}
diff -pruN security-testing-2.6/security/selinux/ss/services.h security-testing-2.6-new/security/selinux/ss/services.h
--- security-testing-2.6/security/selinux/ss/services.h	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.h	2010-02-01 18:26:32.682234915 +0100
@@ -3,6 +3,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SERVICES_H_
 #define _SS_SERVICES_H_
 
diff -pruN security-testing-2.6/security/selinux/ss/sidtab.h security-testing-2.6-new/security/selinux/ss/sidtab.h
--- security-testing-2.6/security/selinux/ss/sidtab.h	2010-01-29 01:06:42.175047659 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.h	2010-02-01 20:38:09.350520786 +0100
@@ -51,4 +51,3 @@ void sidtab_shutdown(struct sidtab *s);
 
 #endif	/* _SS_SIDTAB_H_ */
 
-
diff -pruN security-testing-2.6/security/selinux/ss/symtab.h security-testing-2.6-new/security/selinux/ss/symtab.h
--- security-testing-2.6/security/selinux/ss/symtab.h	2010-01-29 01:06:42.176055661 +0100
+++ security-testing-2.6-new/security/selinux/ss/symtab.h	2010-02-01 20:50:54.661232717 +0100
@@ -6,6 +6,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SYMTAB_H_
 #define _SS_SYMTAB_H_
 

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 19:59 Guido Trentalancia
  2010-02-01 20:22 ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 19:59 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Stephen,

I have amended most changes to the patch, according to your feedback and here is a track:

The only function that has been made "standard" from "static inline" is mls_range_set which I am using in ss/services.c. Its return value is now being checked for robustness, an appropriate KERN_ERR is generated in case something goes wrong and the appropriate return code is fed back to the caller.

The new field of structure policydb has been named mls_enabled and a new function security_mls_enabled has been created (and declared in the main global header file security.h).

The comment style in services.c has been changed accordingly to the CodingStyle (checkpatch.pl no longer complains).

External declarations have been removed from .c files (selinuxfs.c) and moved to the global header file security.h.

Missing function declarations have been added to the global include files rather than importing header files from ss.

The unused variable config has been removed from ss/policydb.c.

The "n" problem is due to a problem in my mailer. The attached file does not have the missing control character "".

Issues:

- security.h now defines security_mls_enabled() and this function takes struct policydb * as parameter but this structure is not visible to security.h; I overcome this problem by declaring the parameter void *.

- when trying to build, I get the following compilation errors now:

  CC      security/selinux/ss/sidtab.o
In file included from security/selinux/ss/mls_types.h:20,
                 from security/selinux/ss/context.h:21,
                 from security/selinux/ss/sidtab.h:11,
                 from security/selinux/ss/sidtab.c:13:
security/selinux/ss/policydb.h:97: error: field 'range' has incomplete type
security/selinux/ss/policydb.h:98: error: field 'dfltlevel' has incomplete type
In file included from security/selinux/ss/mls_types.h:20,
                 from security/selinux/ss/context.h:21,
                 from security/selinux/ss/sidtab.h:11,
                 from security/selinux/ss/sidtab.c:13:
security/selinux/ss/policydb.h:156: error: array type has incomplete element type
In file included from security/selinux/ss/mls_types.h:20,
                 from security/selinux/ss/context.h:21,
                 from security/selinux/ss/sidtab.h:11,
                 from security/selinux/ss/sidtab.c:13:
security/selinux/ss/policydb.h:265: warning: 'struct sidtab' declared inside parameter list
security/selinux/ss/policydb.h:265: warning: its scope is only this definition or declaration, which is probably not what you want

Note that policydb.h includes symtab.h, avtab.h, sidtab.h, ebitmap.h, mls_types.h, context.h, constraint.h.

So there must be something wrong in mls_types.h, that's why I moved the inline functions to a separate .c file.

What do you say ?

Regards,

Guido 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 18:25 Guido Trentalancia
  2010-02-01 19:15 ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 18:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, eparis, jmorris

Stephen,

thanks very much for your last comment. I always forgot to talk about that, despite my intention was to discuss it... It's just that there were many tiny details to discuss.

> ocontexts[OCON_ISID] is a list of initial SIDs and their 
> contexts. Your current code takes the MLS range from 
> whatever happens to be the first entry in the list and uses 
> that for all of the contexts.

At the beginning I was scanning for "unlabeled" in oc->u.name with strcmp(), but then I wasn't sure about adding extra complexity to the code and I left that out waiting for your comments.

At present, for the latest reference policy the first initial SID is "kernel", which surely isn't the best match, but as I already told you I was waiting for some feedback on details.

I will introduce your piece of code (assuming there is always going to be an entry for SECINITSID_UNLABELED in the list).

By the way, is there any drawback in loading the initial SIDs again from security_load_policy() using the appropriate function that you mentioned ?

Regards,

Guido 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* Re: [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-02-01 16:36 Guido Trentalancia
  2010-02-01 17:41 ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Guido Trentalancia @ 2010-02-01 16:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, eparis, jmorris

Excellent Stephen, very timely !

I am now going to make the necessary amendments and then I will post a proposed final patch that you can eventually review again or otherwise just add an Acked-by or Reviewed-by line and I will forward it to the kernel mailing list.

Of course comments from other list members are always welcome.

A few notes on your comments...

> Avoid adding extern declarations to .c files - they are
> discouraged. The current code isn't pristine in this
> regard, but let's not make it worse.

You are right, I did check with checkpatch.pl, but because selinuxfs.c hasn't got its own header file, I wasn't sure on how to deal with the warning. Shall I create an header file specifically for it or otherwise try to reuse other global header files ?

> I wouldn't take these functions to their own .c file, and 
> if you do so, then "inline" no longer makes sense.  But 
> why did you do so?  It will add overhead to make them 
> out-of-line with no obvious benefit.

I was getting compilation errors. Perhaps you can give it a try.

> This seems inconsistent with the other functions - here 
> you pass the policydb as an argument rather than just 
> using the active policydb. If that were truly necessary, 
> I'd argue for passing the policydb to all of the 
> functions for consistency.  But I think in fact that we 
> can drop this !mls_enabled check altogether, given that 
> the context is fully initialized by context_init() and 
> thus the ebitmap_destroy() calls should be safe 
> regardless of whether or not MLS is enabled.

The policydb being passed to the modified functions is not necessarily the same as the active policy. Otherwise there was no point of making the modifications. To be more precise, consider the code-paths from security_load_policy() when you need to destroy the old policy and the old sidtab which are no longer active !
So, shall I remove completely the check ? That would make mls_context_destroy() execute even for standard policies...

> Same deal - don't take these to their own .c file without 
> justification.

As already explained, I moved those functions to a separate .c file because there were compilation error (gcc 4.4.1).

> Is that supposed to be "n" aka newline rather than just 
> "n"?

Yes, of course "n". It's weird because if you look at the attached file, everything is normal ! Something went wrong with the "cut-n-paste" from gedit to Mozilla, I shall probably file a bug report !...

That's it for the moment. I'll be back in a short while, after the patch has been amended.

Best regards,

Guido 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 33+ messages in thread
* [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload
@ 2010-01-31 22:43 Guido Trentalancia
  2010-02-01 15:28 ` Stephen Smalley
  2010-02-01 18:16 ` Stephen Smalley
  0 siblings, 2 replies; 33+ messages in thread
From: Guido Trentalancia @ 2010-01-31 22:43 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, eparis, jmorris


[-- Attachment #1.1: Type: text/plain, Size: 32781 bytes --]

Dear Stephen,

I have created the patch for allowing runtime switch between different policy types, according to your advice and previous discussions on this mailing list. The patch obsoletes the small piece of documentation that I wrote a few days ago to help new users cope with the limitation.

I would be very grateful if you could review the patch so that, as soon as it is reviewed, it can be posted to the kernel mailing list. I have done some basic testing and it works on one of my systems, although sometimes I get the following side-effect:

/dev/pts/0 changed labels.
Unable to restore tty label...

which however doesn't affect the system. I am not sure where that comes from (perhaps bash)...

Regards,

Guido Trentalancia

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Sun Jan 31 22:10:22 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

diff -pruN security-testing-2.6/security/selinux/Makefile security-testing-2.6-new/security/selinux/Makefile
--- security-testing-2.6/security/selinux/Makefile	2010-01-29 01:06:42.132070393 +0100
+++ security-testing-2.6-new/security/selinux/Makefile	2010-01-29 02:13:42.497044862 +0100
@@ -18,7 +18,7 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM)

 selinux-$(CONFIG_NETLABEL) += netlabel.o

-EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/ss -Isecurity/selinux/include

 $(obj)/avc.o: $(obj)/flask.h

diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-01-29 02:13:59.641064788 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;

 extern int selinux_enabled;
-extern int selinux_mls_enabled;

 /* Policy capabilities */
 enum {
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-01-31 23:17:44.494329730 +0100
@@ -38,6 +38,10 @@
 #include "security.h"
 #include "objsec.h"
 #include "conditional.h"
+#include "services.h"
+#include "policydb.h"
+
+extern struct policydb policydb;

 /* Policy capability filenames */
 static char *policycap_names[] = {
@@ -282,7 +286,8 @@ static ssize_t sel_read_mls(struct file
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;

-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+		policydb.selinux_mls_enabled);
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }

diff -pruN security-testing-2.6/security/selinux/ss/Makefile security-testing-2.6-new/security/selinux/ss/Makefile
--- security-testing-2.6/security/selinux/ss/Makefile	2010-01-29 01:06:42.157062028 +0100
+++ security-testing-2.6-new/security/selinux/ss/Makefile	2010-01-29 02:15:52.319045091 +0100
@@ -5,5 +5,5 @@
 EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 obj-y := ss.o

-ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
+ss-y := context.o ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o mls_types.o

diff -pruN security-testing-2.6/security/selinux/ss/context.c security-testing-2.6-new/security/selinux/ss/context.c
--- security-testing-2.6/security/selinux/ss/context.c	1970-01-01 01:00:00.000000000 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.c	2010-01-31 21:39:01.293500739 +0100
@@ -0,0 +1,131 @@
+/*
+ * Security context auxiliary functions
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#include "context.h"
+#include "ebitmap.h"
+#include "mls_types.h"
+#include "security.h"
+#include "policydb.h"
+
+inline void mls_context_init(struct context *c)
+{
+	memset(&c->range, 0, sizeof(c->range));
+}
+
+inline int mls_context_cpy(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!policydb.selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[1].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!policydb.selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
+inline int mls_context_cmp(struct context *c1, struct context *c2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return c1->range.level[0].sens == c2->range.level[0].sens &&
+		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
+		c1->range.level[1].sens == c2->range.level[1].sens &&
+		ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat);
+}
+
+inline void mls_context_destroy(struct policydb *p, struct context *c)
+{
+	if (!p->selinux_mls_enabled)
+		return;
+
+	ebitmap_destroy(&c->range.level[0].cat);
+	ebitmap_destroy(&c->range.level[1].cat);
+	mls_context_init(c);
+}
+
+inline void context_init(struct context *c)
+{
+	memset(c, 0, sizeof(*c));
+}
+
+inline int context_cpy(struct context *dst, struct context *src)
+{
+	int rc;
+
+	dst->user = src->user;
+	dst->role = src->role;
+	dst->type = src->type;
+	if (src->str) {
+		dst->str = kstrdup(src->str, GFP_ATOMIC);
+		if (!dst->str)
+			return -ENOMEM;
+		dst->len = src->len;
+	} else {
+		dst->str = NULL;
+		dst->len = 0;
+	}
+	rc = mls_context_cpy(dst, src);
+	if (rc) {
+		kfree(dst->str);
+		return rc;
+	}
+	return 0;
+}
+
+inline void context_destroy(struct policydb *p, struct context *c)
+{
+	c->user = c->role = c->type = 0;
+	kfree(c->str);
+	c->str = NULL;
+	c->len = 0;
+	mls_context_destroy(p, c);
+}
+
+inline int context_cmp(struct context *c1, struct context *c2)
+{
+	if (c1->len && c2->len)
+		return (c1->len == c2->len && !strcmp(c1->str, c2->str));
+	if (c1->len || c2->len)
+		return 0;
+	return ((c1->user == c2->user) &&
+		(c1->role == c2->role) &&
+		(c1->type == c2->type) &&
+		mls_context_cmp(c1, c2));
+}
+
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-01-31 21:38:06.517349464 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONTEXT_H_
 #define _SS_CONTEXT_H_

@@ -19,6 +20,8 @@
 #include "mls_types.h"
 #include "security.h"

+extern struct policydb policydb;
+
 /*
  * A security context consists of an authenticated user
  * identity, a role, a type and a MLS range.
@@ -32,124 +35,15 @@ struct context {
 	char *str;	/* string representation if context cannot be mapped. */
 };

-static inline void mls_context_init(struct context *c)
-{
-	memset(&c->range, 0, sizeof(c->range));
-}
-
-static inline int mls_context_cpy(struct context *dst, struct context *src)
-{
-	int rc;
-
-	if (!selinux_mls_enabled)
-		return 0;
-
-	dst->range.level[0].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
-	if (rc)
-		goto out;
-
-	dst->range.level[1].sens = src->range.level[1].sens;
-	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
-	if (rc)
-		ebitmap_destroy(&dst->range.level[0].cat);
-out:
-	return rc;
-}
-
-/*
- * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
- */
-static inline int mls_context_cpy_low(struct context *dst, struct context *src)
-{
-	int rc;
-
-	if (!selinux_mls_enabled)
-		return 0;
-
-	dst->range.level[0].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
-	if (rc)
-		goto out;
-
-	dst->range.level[1].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
-	if (rc)
-		ebitmap_destroy(&dst->range.level[0].cat);
-out:
-	return rc;
-}
-
-static inline int mls_context_cmp(struct context *c1, struct context *c2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
-		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
-		(c1->range.level[1].sens == c2->range.level[1].sens) &&
-		ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat));
-}
-
-static inline void mls_context_destroy(struct context *c)
-{
-	if (!selinux_mls_enabled)
-		return;
-
-	ebitmap_destroy(&c->range.level[0].cat);
-	ebitmap_destroy(&c->range.level[1].cat);
-	mls_context_init(c);
-}
-
-static inline void context_init(struct context *c)
-{
-	memset(c, 0, sizeof(*c));
-}
-
-static inline int context_cpy(struct context *dst, struct context *src)
-{
-	int rc;
-
-	dst->user = src->user;
-	dst->role = src->role;
-	dst->type = src->type;
-	if (src->str) {
-		dst->str = kstrdup(src->str, GFP_ATOMIC);
-		if (!dst->str)
-			return -ENOMEM;
-		dst->len = src->len;
-	} else {
-		dst->str = NULL;
-		dst->len = 0;
-	}
-	rc = mls_context_cpy(dst, src);
-	if (rc) {
-		kfree(dst->str);
-		return rc;
-	}
-	return 0;
-}
-
-static inline void context_destroy(struct context *c)
-{
-	c->user = c->role = c->type = 0;
-	kfree(c->str);
-	c->str = NULL;
-	c->len = 0;
-	mls_context_destroy(c);
-}
-
-static inline int context_cmp(struct context *c1, struct context *c2)
-{
-	if (c1->len && c2->len)
-		return (c1->len == c2->len && !strcmp(c1->str, c2->str));
-	if (c1->len || c2->len)
-		return 0;
-	return ((c1->user == c2->user) &&
-		(c1->role == c2->role) &&
-		(c1->type == c2->type) &&
-		mls_context_cmp(c1, c2));
-}
+inline void mls_context_init(struct context *c);
+inline int mls_context_cpy(struct context *dst, struct context *src);
+inline int mls_context_cpy_low(struct context *dst, struct context *src);
+inline int mls_context_cmp(struct context *c1, struct context *c2);
+inline void mls_context_destroy(struct policydb *p, struct context *c);
+inline void context_init(struct context *c);
+inline int context_cpy(struct context *dst, struct context *src);
+inline void context_destroy(struct policydb *p, struct context *c);
+inline int context_cmp(struct context *c1, struct context *c2);

 #endif	/* _SS_CONTEXT_H_ */

diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-01-31 21:49:38.704348310 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;

 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;

 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb
 {
 	struct user_datum *usrdatum;

-	if (!selinux_mls_enabled)
+	if (!p->selinux_mls_enabled)
 		return 1;

 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;

-	if (!selinux_mls_enabled) {
+	if (!pol->selinux_mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return -EINVAL;

 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+inline int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.selinux_mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb
 	struct ebitmap_node *node;
 	int l, i;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;

 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;

 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;

 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;

 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;

-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;

 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-01-31 21:50:17.923330980 +0100
@@ -24,6 +24,8 @@
 #include "context.h"
 #include "policydb.h"

+extern struct policydb policydb;
+
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);
@@ -39,6 +41,8 @@ int mls_context_to_sid(struct policydb *

 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);

+inline int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.c security-testing-2.6-new/security/selinux/ss/mls_types.c
--- security-testing-2.6/security/selinux/ss/mls_types.c	1970-01-01 01:00:00.000000000 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.c	2010-01-29 02:36:49.528045041 +0100
@@ -0,0 +1,27 @@
+/*
+ * Auxiliary functions for the multi-level security (MLS) policy.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#include "mls_types.h"
+#include "policydb.h"
+
+inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return ((l1->sens == l2->sens) &&
+		ebitmap_cmp(&l1->cat, &l2->cat));
+}
+
+inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return ((l1->sens >= l2->sens) &&
+		ebitmap_contains(&l1->cat, &l2->cat));
+}
+
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-01-29 02:23:39.017044387 +0100
@@ -14,7 +14,9 @@
 #ifndef _SS_MLS_TYPES_H_
 #define _SS_MLS_TYPES_H_

-#include "security.h"
+#include "ebitmap.h"
+
+extern struct policydb policydb;

 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -25,23 +27,8 @@ struct mls_range {
 	struct mls_level level[2]; /* low == level[0], high == level[1] */
 };

-static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((l1->sens == l2->sens) &&
-		ebitmap_cmp(&l1->cat, &l2->cat));
-}
-
-static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((l1->sens >= l2->sens) &&
-		ebitmap_contains(&l1->cat, &l2->cat));
-}
+inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2);
+inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2);

 #define mls_level_incomp(l1, l2)
 (!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1)))
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-01-31 21:41:44.306327882 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif

-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct

 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->selinux_mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("n");
@@ -656,10 +654,10 @@ static int range_tr_destroy(void *key, v
 	return 0;
 }

-static void ocontext_destroy(struct ocontext *c, int i)
+static void ocontext_destroy(struct policydb *p, struct ocontext *c, int i)
 {
-	context_destroy(&c->context[0]);
-	context_destroy(&c->context[1]);
+	context_destroy(p, &c->context[0]);
+	context_destroy(p, &c->context[1]);
 	if (i == OCON_ISID || i == OCON_FS ||
 	    i == OCON_NETIF || i == OCON_FSUSE)
 		kfree(c->u.name);
@@ -699,7 +697,7 @@ void policydb_destroy(struct policydb *p
 		while (c) {
 			ctmp = c;
 			c = c->next;
-			ocontext_destroy(ctmp, i);
+			ocontext_destroy(p, ctmp, i);
 		}
 		p->ocontexts[i] = NULL;
 	}
@@ -712,7 +710,7 @@ void policydb_destroy(struct policydb *p
 		while (c) {
 			ctmp = c;
 			c = c->next;
-			ocontext_destroy(ctmp, OCON_FSUSE);
+			ocontext_destroy(p, ctmp, OCON_FSUSE);
 		}
 		gtmp = g;
 		g = g->next;
@@ -942,7 +940,7 @@ static int context_read_and_validate(str

 	if (!policydb_context_isvalid(p, c)) {
 		printk(KERN_ERR "SELinux:  invalid security contextn");
-		context_destroy(c);
+		context_destroy(p, c);
 		rc = -EINVAL;
 	}
 out:
@@ -1787,12 +1785,7 @@ int policydb_read(struct policydb *p, vo
 	}

 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policiesn");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
+		p->selinux_mls_enabled = 1;
 		config |= POLICYDB_CONFIG_MLS;

 		if (p->policyvers < POLICYDB_VERSION_MLS) {
@@ -1801,12 +1794,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policiesn");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
@@ -2234,7 +2221,7 @@ int policydb_read(struct policydb *p, vo
 out:
 	return rc;
 bad_newc:
-	ocontext_destroy(newc, OCON_FSUSE);
+	ocontext_destroy(p, newc, OCON_FSUSE);
 bad:
 	if (!rc)
 		rc = -EINVAL;
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-01-29 02:33:01.393045934 +0100
@@ -185,6 +185,8 @@ struct genfs {

 /* The policy database */
 struct policydb {
+	int selinux_mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-01-31 23:28:26.440336638 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -1145,7 +1149,7 @@ static int string_to_context_struct(stru
 	rc = 0;
 out:
 	if (rc)
-		context_destroy(ctx);
+		context_destroy(pol, ctx);
 	return rc;
 }

@@ -1198,7 +1202,7 @@ static int security_context_to_sid_core(
 	} else if (rc)
 		goto out;
 	rc = sidtab_context_to_sid(&sidtab, &context, sid);
-	context_destroy(&context);
+	context_destroy(&policydb, &context);
 out:
 	read_unlock(&policy_rwlock);
 	kfree(scontext2);
@@ -1419,7 +1423,7 @@ static int security_compute_sid(u32 ssid
 	rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
 out_unlock:
 	read_unlock(&policy_rwlock);
-	context_destroy(&newcontext);
+	context_destroy(&policydb, &newcontext);
 out:
 	return rc;
 }
@@ -1547,6 +1551,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1620,29 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;

-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields or deal with policy type switch */
+	if (args->oldp->selinux_mls_enabled
+	    && args->newp->selinux_mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	} else if (args->oldp->selinux_mls_enabled
+		   && !args->newp->selinux_mls_enabled)
+	/* Switching between MLS/MCS and non-MLS/non-MCS policy: */
+	/* free any storage used by the MLS fields in the        */
+	/* context for all existing entries in the sidtab.       */
+		mls_context_destroy(args->oldp, c);
+	else if (!args->oldp->selinux_mls_enabled
+		 && args->newp->selinux_mls_enabled) {
+	/* Switching between non-MLS/non-MCS and MLS/MCS policy:  */
+	/* ensure that the MLS fields of the context for all      */
+	/* existing entries in the sidtab are filled in with a    */
+	/* suitable default value, likely taken from one of the   */
+	/* initial SIDs.                                          */
+		oc = args->newp->ocontexts[OCON_ISID];
+		range = &oc->context[0].range;
+		mls_range_set(c, range);
+	}

 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1625,7 +1651,7 @@ static int convert_context(u32 key,
 			goto bad;
 	}

-	context_destroy(&oldc);
+	context_destroy(args->oldp, &oldc);
 	rc = 0;
 out:
 	return rc;
@@ -1633,8 +1659,8 @@ bad:
 	/* Map old representation to string and save it. */
 	if (context_struct_to_string(&oldc, &s, &len))
 		return -ENOMEM;
-	context_destroy(&oldc);
-	context_destroy(c);
+	context_destroy(args->oldp, &oldc);
+	context_destroy(args->newp, c);
 	c->str = s;
 	c->len = len;
 	printk(KERN_INFO
@@ -1712,6 +1738,15 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;

+	/* If switching between different policy types, log it */
+	if (policydb.selinux_mls_enabled && newpolicydb.selinux_mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...n");
+	else if (!policydb.selinux_mls_enabled
+	  && newpolicydb.selinux_mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1776,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" tablen");
 		goto err;
+	}

 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1761,7 +1800,7 @@ int security_load_policy(void *data, siz

 	/* Free the old policydb and SID table. */
 	policydb_destroy(&oldpolicydb);
-	sidtab_destroy(&oldsidtab);
+	sidtab_destroy(&oldpolicydb, &oldsidtab);
 	kfree(oldmap);

 	avc_ss_reset(seqno);
@@ -1773,7 +1812,7 @@ int security_load_policy(void *data, siz

 err:
 	kfree(map);
-	sidtab_destroy(&newsidtab);
+	sidtab_destroy(&newpolicydb, &newsidtab);
 	policydb_destroy(&newpolicydb);
 	return rc;

@@ -2338,7 +2377,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;

-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.selinux_mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2388,7 +2427,7 @@ bad:

 out_unlock:
 	read_unlock(&policy_rwlock);
-	context_destroy(&newcon);
+	context_destroy(&policydb, &newcon);
 out:
 	return rc;
 }
@@ -2439,7 +2478,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.selinux_mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}
@@ -2612,7 +2651,7 @@ void selinux_audit_rule_free(void *vrule
 	struct selinux_audit_rule *rule = vrule;

 	if (rule) {
-		context_destroy(&rule->au_ctxt);
+		context_destroy(&policydb, &rule->au_ctxt);
 		kfree(rule);
 	}
 }
diff -pruN security-testing-2.6/security/selinux/ss/services.h security-testing-2.6-new/security/selinux/ss/services.h
--- security-testing-2.6/security/selinux/ss/services.h	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.h	2010-01-31 23:24:36.677347711 +0100
@@ -3,6 +3,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SERVICES_H_
 #define _SS_SERVICES_H_

@@ -11,5 +12,51 @@

 extern struct policydb policydb;

+int security_bounded_transition(u32 old_sid, u32 new_sid);
+void security_compute_av(u32 ssid, u32 tsid, u16 orig_tclass,
+			 struct av_decision *avd);
+void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass,
+			      struct av_decision *avd);
+const char *security_get_initial_sid_context(u32 sid);
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len);
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid);
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
+				    u32 *sid, u32 def_sid, gfp_t gfp_flags);
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+				  u32 *sid);
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_load_policy(void *data, size_t len);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
+int security_netif_sid(char *name, u32 *if_sid);
+int security_node_sid(u16 domain, void *addrp, u32 addrlen, u32 *out_sid);
+int security_get_user_sids(u32 fromsid, char *username, u32 **sids, u32 *nel);
+int security_genfs_sid(const char *fstype, char *path, u16 orig_sclass,
+		       u32 *sid);
+int security_fs_use(const char *fstype, unsigned int *behavior, u32 *sid);
+int security_get_bools(int *len, char ***names, int **values);
+int security_set_bools(int len, int *values);
+int security_get_bool_value(int bool);
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid,
+				 u32 *peer_sid);
+int security_get_classes(char ***classes, int *nclasses);
+int security_get_permissions(char *class, char ***perms, int *nperms);
+int security_get_reject_unknown(void);
+int security_get_allow_unknown(void);
+int security_policycap_supported(unsigned int req_cap);
+void selinux_audit_rule_free(void *vrule);
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
+int selinux_audit_rule_known(struct audit_krule *rule);
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+			     struct audit_context *actx);
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+				   u32 *sid);
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr);
+
+
 #endif	/* _SS_SERVICES_H_ */

diff -pruN security-testing-2.6/security/selinux/ss/sidtab.c security-testing-2.6-new/security/selinux/ss/sidtab.c
--- security-testing-2.6/security/selinux/ss/sidtab.c	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.c	2010-01-31 21:42:55.649896349 +0100
@@ -232,7 +232,7 @@ void sidtab_hash_eval(struct sidtab *h,
 	       max_chain_len);
 }

-void sidtab_destroy(struct sidtab *s)
+void sidtab_destroy(struct policydb *p, struct sidtab *s)
 {
 	int i;
 	struct sidtab_node *cur, *temp;
@@ -245,7 +245,7 @@ void sidtab_destroy(struct sidtab *s)
 		while (cur) {
 			temp = cur;
 			cur = cur->next;
-			context_destroy(&temp->context);
+			context_destroy(p, &temp->context);
 			kfree(temp);
 		}
 		s->htable[i] = NULL;
diff -pruN security-testing-2.6/security/selinux/ss/sidtab.h security-testing-2.6-new/security/selinux/ss/sidtab.h
--- security-testing-2.6/security/selinux/ss/sidtab.h	2010-01-29 01:06:42.175047659 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.h	2010-01-31 21:42:31.052348740 +0100
@@ -45,7 +45,7 @@ int sidtab_context_to_sid(struct sidtab
 			  u32 *sid);

 void sidtab_hash_eval(struct sidtab *h, char *tag);
-void sidtab_destroy(struct sidtab *s);
+void sidtab_destroy(struct policydb *p, struct sidtab *s);
 void sidtab_set(struct sidtab *dst, struct sidtab *src);
 void sidtab_shutdown(struct sidtab *s);


[-- Attachment #2: switch-policy.patch --]
[-- Type: application/octet-stream, Size: 31154 bytes --]

Author: Guido Trentalancia <guido@trentalancia.com>
Date:   Sun Jan 31 22:10:22 2010 +0100

    Allow runtime switching between different policy types (e.g. from a MLS/MCS
    policy to a non-MLS/non-MCS policy or viceversa).

    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>

diff -pruN security-testing-2.6/security/selinux/Makefile security-testing-2.6-new/security/selinux/Makefile
--- security-testing-2.6/security/selinux/Makefile	2010-01-29 01:06:42.132070393 +0100
+++ security-testing-2.6-new/security/selinux/Makefile	2010-01-29 02:13:42.497044862 +0100
@@ -18,7 +18,7 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) 
 
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 
-EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/ss -Isecurity/selinux/include
 
 $(obj)/avc.o: $(obj)/flask.h
 
diff -pruN security-testing-2.6/security/selinux/include/security.h security-testing-2.6-new/security/selinux/include/security.h
--- security-testing-2.6/security/selinux/include/security.h	2010-01-29 02:02:47.737045258 +0100
+++ security-testing-2.6-new/security/selinux/include/security.h	2010-01-29 02:13:59.641064788 +0100
@@ -57,7 +57,6 @@
 struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
-extern int selinux_mls_enabled;
 
 /* Policy capabilities */
 enum {
diff -pruN security-testing-2.6/security/selinux/selinuxfs.c security-testing-2.6-new/security/selinux/selinuxfs.c
--- security-testing-2.6/security/selinux/selinuxfs.c	2010-01-29 02:02:47.738046835 +0100
+++ security-testing-2.6-new/security/selinux/selinuxfs.c	2010-01-31 23:17:44.494329730 +0100
@@ -38,6 +38,10 @@
 #include "security.h"
 #include "objsec.h"
 #include "conditional.h"
+#include "services.h"
+#include "policydb.h"
+
+extern struct policydb policydb;
 
 /* Policy capability filenames */
 static char *policycap_names[] = {
@@ -282,7 +286,8 @@ static ssize_t sel_read_mls(struct file 
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
 
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
+	length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
+		policydb.selinux_mls_enabled);
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }
 
diff -pruN security-testing-2.6/security/selinux/ss/Makefile security-testing-2.6-new/security/selinux/ss/Makefile
--- security-testing-2.6/security/selinux/ss/Makefile	2010-01-29 01:06:42.157062028 +0100
+++ security-testing-2.6-new/security/selinux/ss/Makefile	2010-01-29 02:15:52.319045091 +0100
@@ -5,5 +5,5 @@
 EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 obj-y := ss.o
 
-ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
+ss-y := context.o ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o mls_types.o
 
diff -pruN security-testing-2.6/security/selinux/ss/context.c security-testing-2.6-new/security/selinux/ss/context.c
--- security-testing-2.6/security/selinux/ss/context.c	1970-01-01 01:00:00.000000000 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.c	2010-01-31 21:39:01.293500739 +0100
@@ -0,0 +1,131 @@
+/*
+ * Security context auxiliary functions
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#include "context.h"
+#include "ebitmap.h"
+#include "mls_types.h"
+#include "security.h"
+#include "policydb.h"
+
+inline void mls_context_init(struct context *c)
+{
+	memset(&c->range, 0, sizeof(c->range));
+}
+
+inline int mls_context_cpy(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!policydb.selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[1].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
+/*
+ * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
+ */
+inline int mls_context_cpy_low(struct context *dst, struct context *src)
+{
+	int rc;
+
+	if (!policydb.selinux_mls_enabled)
+		return 0;
+
+	dst->range.level[0].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
+	if (rc)
+		goto out;
+
+	dst->range.level[1].sens = src->range.level[0].sens;
+	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
+	if (rc)
+		ebitmap_destroy(&dst->range.level[0].cat);
+out:
+	return rc;
+}
+
+inline int mls_context_cmp(struct context *c1, struct context *c2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return c1->range.level[0].sens == c2->range.level[0].sens &&
+		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
+		c1->range.level[1].sens == c2->range.level[1].sens &&
+		ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat);
+}
+
+inline void mls_context_destroy(struct policydb *p, struct context *c)
+{
+	if (!p->selinux_mls_enabled)
+		return;
+
+	ebitmap_destroy(&c->range.level[0].cat);
+	ebitmap_destroy(&c->range.level[1].cat);
+	mls_context_init(c);
+}
+
+inline void context_init(struct context *c)
+{
+	memset(c, 0, sizeof(*c));
+}
+
+inline int context_cpy(struct context *dst, struct context *src)
+{
+	int rc;
+
+	dst->user = src->user;
+	dst->role = src->role;
+	dst->type = src->type;
+	if (src->str) {
+		dst->str = kstrdup(src->str, GFP_ATOMIC);
+		if (!dst->str)
+			return -ENOMEM;
+		dst->len = src->len;
+	} else {
+		dst->str = NULL;
+		dst->len = 0;
+	}
+	rc = mls_context_cpy(dst, src);
+	if (rc) {
+		kfree(dst->str);
+		return rc;
+	}
+	return 0;
+}
+
+inline void context_destroy(struct policydb *p, struct context *c)
+{
+	c->user = c->role = c->type = 0;
+	kfree(c->str);
+	c->str = NULL;
+	c->len = 0;
+	mls_context_destroy(p, c);
+}
+
+inline int context_cmp(struct context *c1, struct context *c2)
+{
+	if (c1->len && c2->len)
+		return (c1->len == c2->len && !strcmp(c1->str, c2->str));
+	if (c1->len || c2->len)
+		return 0;
+	return ((c1->user == c2->user) &&
+		(c1->role == c2->role) &&
+		(c1->type == c2->type) &&
+		mls_context_cmp(c1, c2));
+}
+
diff -pruN security-testing-2.6/security/selinux/ss/context.h security-testing-2.6-new/security/selinux/ss/context.h
--- security-testing-2.6/security/selinux/ss/context.h	2010-01-29 01:06:42.160060332 +0100
+++ security-testing-2.6-new/security/selinux/ss/context.h	2010-01-31 21:38:06.517349464 +0100
@@ -12,6 +12,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_CONTEXT_H_
 #define _SS_CONTEXT_H_
 
@@ -19,6 +20,8 @@
 #include "mls_types.h"
 #include "security.h"
 
+extern struct policydb policydb;
+
 /*
  * A security context consists of an authenticated user
  * identity, a role, a type and a MLS range.
@@ -32,124 +35,15 @@ struct context {
 	char *str;	/* string representation if context cannot be mapped. */
 };
 
-static inline void mls_context_init(struct context *c)
-{
-	memset(&c->range, 0, sizeof(c->range));
-}
-
-static inline int mls_context_cpy(struct context *dst, struct context *src)
-{
-	int rc;
-
-	if (!selinux_mls_enabled)
-		return 0;
-
-	dst->range.level[0].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
-	if (rc)
-		goto out;
-
-	dst->range.level[1].sens = src->range.level[1].sens;
-	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
-	if (rc)
-		ebitmap_destroy(&dst->range.level[0].cat);
-out:
-	return rc;
-}
-
-/*
- * Sets both levels in the MLS range of 'dst' to the low level of 'src'.
- */
-static inline int mls_context_cpy_low(struct context *dst, struct context *src)
-{
-	int rc;
-
-	if (!selinux_mls_enabled)
-		return 0;
-
-	dst->range.level[0].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
-	if (rc)
-		goto out;
-
-	dst->range.level[1].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat);
-	if (rc)
-		ebitmap_destroy(&dst->range.level[0].cat);
-out:
-	return rc;
-}
-
-static inline int mls_context_cmp(struct context *c1, struct context *c2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
-		ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
-		(c1->range.level[1].sens == c2->range.level[1].sens) &&
-		ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat));
-}
-
-static inline void mls_context_destroy(struct context *c)
-{
-	if (!selinux_mls_enabled)
-		return;
-
-	ebitmap_destroy(&c->range.level[0].cat);
-	ebitmap_destroy(&c->range.level[1].cat);
-	mls_context_init(c);
-}
-
-static inline void context_init(struct context *c)
-{
-	memset(c, 0, sizeof(*c));
-}
-
-static inline int context_cpy(struct context *dst, struct context *src)
-{
-	int rc;
-
-	dst->user = src->user;
-	dst->role = src->role;
-	dst->type = src->type;
-	if (src->str) {
-		dst->str = kstrdup(src->str, GFP_ATOMIC);
-		if (!dst->str)
-			return -ENOMEM;
-		dst->len = src->len;
-	} else {
-		dst->str = NULL;
-		dst->len = 0;
-	}
-	rc = mls_context_cpy(dst, src);
-	if (rc) {
-		kfree(dst->str);
-		return rc;
-	}
-	return 0;
-}
-
-static inline void context_destroy(struct context *c)
-{
-	c->user = c->role = c->type = 0;
-	kfree(c->str);
-	c->str = NULL;
-	c->len = 0;
-	mls_context_destroy(c);
-}
-
-static inline int context_cmp(struct context *c1, struct context *c2)
-{
-	if (c1->len && c2->len)
-		return (c1->len == c2->len && !strcmp(c1->str, c2->str));
-	if (c1->len || c2->len)
-		return 0;
-	return ((c1->user == c2->user) &&
-		(c1->role == c2->role) &&
-		(c1->type == c2->type) &&
-		mls_context_cmp(c1, c2));
-}
+inline void mls_context_init(struct context *c);
+inline int mls_context_cpy(struct context *dst, struct context *src);
+inline int mls_context_cpy_low(struct context *dst, struct context *src);
+inline int mls_context_cmp(struct context *c1, struct context *c2);
+inline void mls_context_destroy(struct policydb *p, struct context *c);
+inline void context_init(struct context *c);
+inline int context_cpy(struct context *dst, struct context *src);
+inline void context_destroy(struct policydb *p, struct context *c);
+inline int context_cmp(struct context *c1, struct context *c2);
 
 #endif	/* _SS_CONTEXT_H_ */
 
diff -pruN security-testing-2.6/security/selinux/ss/mls.c security-testing-2.6-new/security/selinux/ss/mls.c
--- security-testing-2.6/security/selinux/ss/mls.c	2010-01-29 02:02:47.739046177 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.c	2010-01-31 21:49:38.704348310 +0100
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct conte
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;
 
 	len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *
 	struct ebitmap *e;
 	struct ebitmap_node *node;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;
 
 	scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb 
 {
 	struct user_datum *usrdatum;
 
-	if (!selinux_mls_enabled)
+	if (!p->selinux_mls_enabled)
 		return 1;
 
 	if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *
 	struct cat_datum *catdatum, *rngdatum;
 	int l, rc = -EINVAL;
 
-	if (!selinux_mls_enabled) {
+	if (!pol->selinux_mls_enabled) {
 		if (def_sid != SECSID_NULL && oldc)
 			*scontext += strlen(*scontext)+1;
 		return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct co
 	char *tmpstr, *freestr;
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return -EINVAL;
 
 	/* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct co
 /*
  * Copies the MLS range `range' into `context'.
  */
-static inline int mls_range_set(struct context *context,
+inline int mls_range_set(struct context *context,
 				struct mls_range *range)
 {
 	int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct c
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
 			 struct context *usercon)
 {
-	if (selinux_mls_enabled) {
+	if (policydb.selinux_mls_enabled) {
 		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
 		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
 		struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb 
 	struct ebitmap_node *node;
 	int l, i;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;
 
 	for (l = 0; l < 2; l++) {
@@ -516,7 +516,7 @@ int mls_compute_sid(struct context *scon
 	struct range_trans rtr;
 	struct mls_range *r;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;
 
 	switch (specified) {
@@ -559,7 +559,7 @@ int mls_compute_sid(struct context *scon
 void mls_export_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;
 
 	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -579,7 +579,7 @@ void mls_export_netlbl_lvl(struct contex
 void mls_import_netlbl_lvl(struct context *context,
 			   struct netlbl_lsm_secattr *secattr)
 {
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return;
 
 	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -601,7 +601,7 @@ int mls_export_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -629,7 +629,7 @@ int mls_import_netlbl_cat(struct context
 {
 	int rc;
 
-	if (!selinux_mls_enabled)
+	if (!policydb.selinux_mls_enabled)
 		return 0;
 
 	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff -pruN security-testing-2.6/security/selinux/ss/mls.h security-testing-2.6-new/security/selinux/ss/mls.h
--- security-testing-2.6/security/selinux/ss/mls.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls.h	2010-01-31 21:50:17.923330980 +0100
@@ -24,6 +24,8 @@
 #include "context.h"
 #include "policydb.h"
 
+extern struct policydb policydb;
+
 int mls_compute_context_len(struct context *context);
 void mls_sid_to_context(struct context *context, char **scontext);
 int mls_context_isvalid(struct policydb *p, struct context *c);
@@ -39,6 +41,8 @@ int mls_context_to_sid(struct policydb *
 
 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 
+inline int mls_range_set(struct context *context, struct mls_range *range);
+
 int mls_convert_context(struct policydb *oldp,
 			struct policydb *newp,
 			struct context *context);
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.c security-testing-2.6-new/security/selinux/ss/mls_types.c
--- security-testing-2.6/security/selinux/ss/mls_types.c	1970-01-01 01:00:00.000000000 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.c	2010-01-29 02:36:49.528045041 +0100
@@ -0,0 +1,27 @@
+/*
+ * Auxiliary functions for the multi-level security (MLS) policy.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#include "mls_types.h"
+#include "policydb.h"
+
+inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return ((l1->sens == l2->sens) &&
+		ebitmap_cmp(&l1->cat, &l2->cat));
+}
+
+inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
+{
+	if (!policydb.selinux_mls_enabled)
+		return 1;
+
+	return ((l1->sens >= l2->sens) &&
+		ebitmap_contains(&l1->cat, &l2->cat));
+}
+
diff -pruN security-testing-2.6/security/selinux/ss/mls_types.h security-testing-2.6-new/security/selinux/ss/mls_types.h
--- security-testing-2.6/security/selinux/ss/mls_types.h	2010-01-29 01:06:42.168051431 +0100
+++ security-testing-2.6-new/security/selinux/ss/mls_types.h	2010-01-29 02:23:39.017044387 +0100
@@ -14,7 +14,9 @@
 #ifndef _SS_MLS_TYPES_H_
 #define _SS_MLS_TYPES_H_
 
-#include "security.h"
+#include "ebitmap.h"
+
+extern struct policydb policydb;
 
 struct mls_level {
 	u32 sens;		/* sensitivity */
@@ -25,23 +27,8 @@ struct mls_range {
 	struct mls_level level[2]; /* low == level[0], high == level[1] */
 };
 
-static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((l1->sens == l2->sens) &&
-		ebitmap_cmp(&l1->cat, &l2->cat));
-}
-
-static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
-{
-	if (!selinux_mls_enabled)
-		return 1;
-
-	return ((l1->sens >= l2->sens) &&
-		ebitmap_contains(&l1->cat, &l2->cat));
-}
+inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2);
+inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2);
 
 #define mls_level_incomp(l1, l2) \
 (!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1)))
diff -pruN security-testing-2.6/security/selinux/ss/policydb.c security-testing-2.6-new/security/selinux/ss/policydb.c
--- security-testing-2.6/security/selinux/ss/policydb.c	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.c	2010-01-31 21:41:44.306327882 +0100
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
 };
 #endif
 
-int selinux_mls_enabled;
-
 static unsigned int symtab_sizes[SYM_NUM] = {
 	2,
 	32,
@@ -455,7 +453,7 @@ static int policydb_index_others(struct 
 
 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
-	if (selinux_mls_enabled)
+	if (p->selinux_mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
@@ -656,10 +654,10 @@ static int range_tr_destroy(void *key, v
 	return 0;
 }
 
-static void ocontext_destroy(struct ocontext *c, int i)
+static void ocontext_destroy(struct policydb *p, struct ocontext *c, int i)
 {
-	context_destroy(&c->context[0]);
-	context_destroy(&c->context[1]);
+	context_destroy(p, &c->context[0]);
+	context_destroy(p, &c->context[1]);
 	if (i == OCON_ISID || i == OCON_FS ||
 	    i == OCON_NETIF || i == OCON_FSUSE)
 		kfree(c->u.name);
@@ -699,7 +697,7 @@ void policydb_destroy(struct policydb *p
 		while (c) {
 			ctmp = c;
 			c = c->next;
-			ocontext_destroy(ctmp, i);
+			ocontext_destroy(p, ctmp, i);
 		}
 		p->ocontexts[i] = NULL;
 	}
@@ -712,7 +710,7 @@ void policydb_destroy(struct policydb *p
 		while (c) {
 			ctmp = c;
 			c = c->next;
-			ocontext_destroy(ctmp, OCON_FSUSE);
+			ocontext_destroy(p, ctmp, OCON_FSUSE);
 		}
 		gtmp = g;
 		g = g->next;
@@ -942,7 +940,7 @@ static int context_read_and_validate(str
 
 	if (!policydb_context_isvalid(p, c)) {
 		printk(KERN_ERR "SELinux:  invalid security context\n");
-		context_destroy(c);
+		context_destroy(p, c);
 		rc = -EINVAL;
 	}
 out:
@@ -1787,12 +1785,7 @@ int policydb_read(struct policydb *p, vo
 	}
 
 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
-		if (ss_initialized && !selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
-				" and MLS policies\n");
-			goto bad;
-		}
-		selinux_mls_enabled = 1;
+		p->selinux_mls_enabled = 1;
 		config |= POLICYDB_CONFIG_MLS;
 
 		if (p->policyvers < POLICYDB_VERSION_MLS) {
@@ -1801,12 +1794,6 @@ int policydb_read(struct policydb *p, vo
 				p->policyvers);
 			goto bad;
 		}
-	} else {
-		if (ss_initialized && selinux_mls_enabled) {
-			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
-				" non-MLS policies\n");
-			goto bad;
-		}
 	}
 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
@@ -2234,7 +2221,7 @@ int policydb_read(struct policydb *p, vo
 out:
 	return rc;
 bad_newc:
-	ocontext_destroy(newc, OCON_FSUSE);
+	ocontext_destroy(p, newc, OCON_FSUSE);
 bad:
 	if (!rc)
 		rc = -EINVAL;
diff -pruN security-testing-2.6/security/selinux/ss/policydb.h security-testing-2.6-new/security/selinux/ss/policydb.h
--- security-testing-2.6/security/selinux/ss/policydb.h	2010-01-29 02:02:47.740046077 +0100
+++ security-testing-2.6-new/security/selinux/ss/policydb.h	2010-01-29 02:33:01.393045934 +0100
@@ -185,6 +185,8 @@ struct genfs {
 
 /* The policy database */
 struct policydb {
+	int selinux_mls_enabled;
+
 	/* symbol tables */
 	struct symtab symtab[SYM_NUM];
 #define p_commons symtab[SYM_COMMONS]
diff -pruN security-testing-2.6/security/selinux/ss/services.c security-testing-2.6-new/security/selinux/ss/services.c
--- security-testing-2.6/security/selinux/ss/services.c	2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.c	2010-01-31 23:28:26.440336638 +0100
@@ -26,6 +26,10 @@
  *
  *  Added support for bounds domain and audit messaged on masked permissions
  *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
  * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -1145,7 +1149,7 @@ static int string_to_context_struct(stru
 	rc = 0;
 out:
 	if (rc)
-		context_destroy(ctx);
+		context_destroy(pol, ctx);
 	return rc;
 }
 
@@ -1198,7 +1202,7 @@ static int security_context_to_sid_core(
 	} else if (rc)
 		goto out;
 	rc = sidtab_context_to_sid(&sidtab, &context, sid);
-	context_destroy(&context);
+	context_destroy(&policydb, &context);
 out:
 	read_unlock(&policy_rwlock);
 	kfree(scontext2);
@@ -1419,7 +1423,7 @@ static int security_compute_sid(u32 ssid
 	rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
 out_unlock:
 	read_unlock(&policy_rwlock);
-	context_destroy(&newcontext);
+	context_destroy(&policydb, &newcontext);
 out:
 	return rc;
 }
@@ -1547,6 +1551,8 @@ static int convert_context(u32 key,
 {
 	struct convert_context_args *args;
 	struct context oldc;
+	struct ocontext *oc;
+	struct mls_range *range;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
@@ -1614,9 +1620,29 @@ static int convert_context(u32 key,
 		goto bad;
 	c->type = typdatum->value;
 
-	rc = mls_convert_context(args->oldp, args->newp, c);
-	if (rc)
-		goto bad;
+	/* Convert the MLS/MCS fields or deal with policy type switch */
+	if (args->oldp->selinux_mls_enabled
+	    && args->newp->selinux_mls_enabled) {
+		rc = mls_convert_context(args->oldp, args->newp, c);
+		if (rc)
+			goto bad;
+	} else if (args->oldp->selinux_mls_enabled
+		   && !args->newp->selinux_mls_enabled)
+	/* Switching between MLS/MCS and non-MLS/non-MCS policy: */
+	/* free any storage used by the MLS fields in the        */
+	/* context for all existing entries in the sidtab.       */
+		mls_context_destroy(args->oldp, c);
+	else if (!args->oldp->selinux_mls_enabled
+		 && args->newp->selinux_mls_enabled) {
+	/* Switching between non-MLS/non-MCS and MLS/MCS policy:  */
+	/* ensure that the MLS fields of the context for all      */
+	/* existing entries in the sidtab are filled in with a    */
+	/* suitable default value, likely taken from one of the   */
+	/* initial SIDs.                                          */
+		oc = args->newp->ocontexts[OCON_ISID];
+		range = &oc->context[0].range;
+		mls_range_set(c, range);
+	}
 
 	/* Check the validity of the new context. */
 	if (!policydb_context_isvalid(args->newp, c)) {
@@ -1625,7 +1651,7 @@ static int convert_context(u32 key,
 			goto bad;
 	}
 
-	context_destroy(&oldc);
+	context_destroy(args->oldp, &oldc);
 	rc = 0;
 out:
 	return rc;
@@ -1633,8 +1659,8 @@ bad:
 	/* Map old representation to string and save it. */
 	if (context_struct_to_string(&oldc, &s, &len))
 		return -ENOMEM;
-	context_destroy(&oldc);
-	context_destroy(c);
+	context_destroy(args->oldp, &oldc);
+	context_destroy(args->newp, c);
 	c->str = s;
 	c->len = len;
 	printk(KERN_INFO
@@ -1712,6 +1738,15 @@ int security_load_policy(void *data, siz
 	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
 
+	/* If switching between different policy types, log it */
+	if (policydb.selinux_mls_enabled && newpolicydb.selinux_mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between MLS/MCS"
+			" and standard policy...\n");
+	else if (!policydb.selinux_mls_enabled
+	  && newpolicydb.selinux_mls_enabled)
+		printk(KERN_INFO "SELinux: Switching between standard"
+			" and MLS/MCS policy...\n");
+
 	if (sidtab_init(&newsidtab)) {
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
@@ -1741,8 +1776,12 @@ int security_load_policy(void *data, siz
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
 	rc = sidtab_map(&newsidtab, convert_context, &args);
-	if (rc)
+	if (rc) {
+		printk(KERN_ERR "SELinux:  unable to convert the internal"
+			" representation of contexts in the new SID"
+			" table\n");
 		goto err;
+	}
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1761,7 +1800,7 @@ int security_load_policy(void *data, siz
 
 	/* Free the old policydb and SID table. */
 	policydb_destroy(&oldpolicydb);
-	sidtab_destroy(&oldsidtab);
+	sidtab_destroy(&oldpolicydb, &oldsidtab);
 	kfree(oldmap);
 
 	avc_ss_reset(seqno);
@@ -1773,7 +1812,7 @@ int security_load_policy(void *data, siz
 
 err:
 	kfree(map);
-	sidtab_destroy(&newsidtab);
+	sidtab_destroy(&newpolicydb, &newsidtab);
 	policydb_destroy(&newpolicydb);
 	return rc;
 
@@ -2338,7 +2377,7 @@ int security_sid_mls_copy(u32 sid, u32 m
 	u32 len;
 	int rc = 0;
 
-	if (!ss_initialized || !selinux_mls_enabled) {
+	if (!ss_initialized || !policydb.selinux_mls_enabled) {
 		*new_sid = sid;
 		goto out;
 	}
@@ -2388,7 +2427,7 @@ bad:
 
 out_unlock:
 	read_unlock(&policy_rwlock);
-	context_destroy(&newcon);
+	context_destroy(&policydb, &newcon);
 out:
 	return rc;
 }
@@ -2439,7 +2478,7 @@ int security_net_peersid_resolve(u32 nlb
 	/* we don't need to check ss_initialized here since the only way both
 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
 	 * security server was initialized and ss_initialized was true */
-	if (!selinux_mls_enabled) {
+	if (!policydb.selinux_mls_enabled) {
 		*peer_sid = SECSID_NULL;
 		return 0;
 	}
@@ -2612,7 +2651,7 @@ void selinux_audit_rule_free(void *vrule
 	struct selinux_audit_rule *rule = vrule;
 
 	if (rule) {
-		context_destroy(&rule->au_ctxt);
+		context_destroy(&policydb, &rule->au_ctxt);
 		kfree(rule);
 	}
 }
diff -pruN security-testing-2.6/security/selinux/ss/services.h security-testing-2.6-new/security/selinux/ss/services.h
--- security-testing-2.6/security/selinux/ss/services.h	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/services.h	2010-01-31 23:24:36.677347711 +0100
@@ -3,6 +3,7 @@
  *
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
  */
+
 #ifndef _SS_SERVICES_H_
 #define _SS_SERVICES_H_
 
@@ -11,5 +12,51 @@
 
 extern struct policydb policydb;
 
+int security_bounded_transition(u32 old_sid, u32 new_sid);
+void security_compute_av(u32 ssid, u32 tsid, u16 orig_tclass,
+			 struct av_decision *avd);
+void security_compute_av_user(u32 ssid, u32 tsid, u16 tclass,
+			      struct av_decision *avd);
+const char *security_get_initial_sid_context(u32 sid);
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len);
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid);
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
+				    u32 *sid, u32 def_sid, gfp_t gfp_flags);
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+				  u32 *sid);
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid);
+int security_load_policy(void *data, size_t len);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
+int security_netif_sid(char *name, u32 *if_sid);
+int security_node_sid(u16 domain, void *addrp, u32 addrlen, u32 *out_sid);
+int security_get_user_sids(u32 fromsid, char *username, u32 **sids, u32 *nel);
+int security_genfs_sid(const char *fstype, char *path, u16 orig_sclass,
+		       u32 *sid);
+int security_fs_use(const char *fstype, unsigned int *behavior, u32 *sid);
+int security_get_bools(int *len, char ***names, int **values);
+int security_set_bools(int len, int *values);
+int security_get_bool_value(int bool);
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, u32 xfrm_sid,
+				 u32 *peer_sid);
+int security_get_classes(char ***classes, int *nclasses);
+int security_get_permissions(char *class, char ***perms, int *nperms);
+int security_get_reject_unknown(void);
+int security_get_allow_unknown(void);
+int security_policycap_supported(unsigned int req_cap);
+void selinux_audit_rule_free(void *vrule);
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
+int selinux_audit_rule_known(struct audit_krule *rule);
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+			     struct audit_context *actx);
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+				   u32 *sid);
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr);
+
+
 #endif	/* _SS_SERVICES_H_ */
 
diff -pruN security-testing-2.6/security/selinux/ss/sidtab.c security-testing-2.6-new/security/selinux/ss/sidtab.c
--- security-testing-2.6/security/selinux/ss/sidtab.c	2010-01-29 01:06:42.174044406 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.c	2010-01-31 21:42:55.649896349 +0100
@@ -232,7 +232,7 @@ void sidtab_hash_eval(struct sidtab *h, 
 	       max_chain_len);
 }
 
-void sidtab_destroy(struct sidtab *s)
+void sidtab_destroy(struct policydb *p, struct sidtab *s)
 {
 	int i;
 	struct sidtab_node *cur, *temp;
@@ -245,7 +245,7 @@ void sidtab_destroy(struct sidtab *s)
 		while (cur) {
 			temp = cur;
 			cur = cur->next;
-			context_destroy(&temp->context);
+			context_destroy(p, &temp->context);
 			kfree(temp);
 		}
 		s->htable[i] = NULL;
diff -pruN security-testing-2.6/security/selinux/ss/sidtab.h security-testing-2.6-new/security/selinux/ss/sidtab.h
--- security-testing-2.6/security/selinux/ss/sidtab.h	2010-01-29 01:06:42.175047659 +0100
+++ security-testing-2.6-new/security/selinux/ss/sidtab.h	2010-01-31 21:42:31.052348740 +0100
@@ -45,7 +45,7 @@ int sidtab_context_to_sid(struct sidtab 
 			  u32 *sid);
 
 void sidtab_hash_eval(struct sidtab *h, char *tag);
-void sidtab_destroy(struct sidtab *s);
+void sidtab_destroy(struct policydb *p, struct sidtab *s);
 void sidtab_set(struct sidtab *dst, struct sidtab *src);
 void sidtab_shutdown(struct sidtab *s);
 

^ permalink raw reply	[flat|nested] 33+ messages in thread
end of thread, other threads:[~2010-02-04 19:37 UTC | newest]

Thread overview: 33+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-01 22:36 [PATCH] Allowing MLS->non-MLS and vice versa upon policy reload Guido Trentalancia
2010-02-04 19:12 ` Eric Paris
  -- strict thread matches above, loose matches on Subject: below --
2010-02-04 19:27 Guido Trentalancia
2010-02-04 19:37 ` Eric Paris
2010-02-03 15:40 Guido Trentalancia
2010-02-03 15:53 ` Stephen Smalley
2010-02-03 22:07 ` James Morris
2010-02-02 16:29 Guido Trentalancia
2010-02-02 16:52 ` Christopher J. PeBenito
2010-02-02 14:22 Guido Trentalancia
2010-02-02 16:44 ` Stephen Smalley
2010-02-02 16:58   ` Guido Trentalancia
2010-02-02 17:34     ` Stephen Smalley
2010-02-02 17:49       ` Guido Trentalancia
2010-02-02 19:01         ` Stephen Smalley
2010-02-02 18:28   ` Guido Trentalancia
2010-02-02 19:03     ` Stephen Smalley
2010-02-02 19:11       ` Stephen Smalley
2010-02-01 21:56 Guido Trentalancia
2010-02-01 21:49 Guido Trentalancia
2010-02-01 22:09 ` Stephen Smalley
2010-02-01 19:59 Guido Trentalancia
2010-02-01 20:22 ` Stephen Smalley
2010-02-01 18:25 Guido Trentalancia
2010-02-01 19:15 ` Stephen Smalley
2010-02-01 16:36 Guido Trentalancia
2010-02-01 17:41 ` Stephen Smalley
2010-01-31 22:43 Guido Trentalancia
2010-02-01 15:28 ` Stephen Smalley
2010-02-01 15:37   ` Stephen Smalley
2010-02-01 18:16 ` Stephen Smalley
2010-02-02 22:28   ` Guido Trentalancia
2010-02-03 15:48     ` Stephen Smalley

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.