From: Sven Schnelle <svens@linux.ibm.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>, SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
Date: Thu, 05 Nov 2020 10:03:12 +0100
Message-ID: <yt9dh7q4kwfj.fsf@linux.ibm.com>
In-Reply-To: <CAFqZXNuM_Cv6jrxibEMZpzJA2jUiU8jif9_LrnN8oS2LU8Q_oA@mail.gmail.com> (Ondrej Mosnacek's message of "Thu, 5 Nov 2020 09:55:38 +0100")

Ondrej Mosnacek <omosnace@redhat.com> writes:

> On Thu, Nov 5, 2020 at 2:13 AM Paul Moore <paul@paul-moore.com> wrote:
>> A previous fix, commit 83370b31a915 ("selinux: fix error initialization
>> in inode_doinit_with_dentry()"), changed how failures were handled
>> before a SELinux policy was loaded. Unfortunately that patch was
>> potentially problematic for two reasons: it set the isec->initialized
>> state without holding a lock, and it didn't set the inode's SELinux
>> label to the "default" for the particular filesystem. The latter can
>> be a problem if/when a later attempt to revalidate the inode fails
>> and SELinux reverts to the existing inode label.
>>
>> This patch should restore the default inode labeling that existed
>> before the original fix, without affecting the LABEL_INVALID marking
>> such that revalidation will still be attempted in the future.
>>
>> Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()")
>> Reported-by: Sven Schnelle <svens@linux.ibm.com>
>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>> ---
>> security/selinux/hooks.c | 31 +++++++++++++------------------
>> 1 file changed, 13 insertions(+), 18 deletions(-)
>
> FWIW, the patch looks good to me.
>
> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>

I just tested it on s390, works fine.

Tested-by: Sven Schnelle <svens@linux.ibm.com>

Thanks
Sven