[PATCH] selinux: change context_to_sid handling for no-policy case
authorAndrew Morton <akpm@osdl.org>
Wed, 21 Apr 2004 00:43:42 +0000 (17:43 -0700)
committerLinus Torvalds <torvalds@ppc970.osdl.org>
Wed, 21 Apr 2004 00:43:42 +0000 (17:43 -0700)
From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch changes the behavior of security_context_to_sid in the no-policy
case so that it simply accepts all contexts and maps them to the kernel SID
rather than rejecting anything other than an initial SID.  The change avoids
error conditions when using SELinux in permissive/no-policy mode, so that any
file contexts left on disk from prior use of SELinux with a policy will not
cause an error when they are looked up and userspace attempts to set contexts
can succeed.

security/selinux/ss/services.c

index 7532053898a6b6c87bd1c4bd31fc7bb2686099bc..12e6777f5d23fca666742864bf0a324451285e45 100644 (file)
@@ -456,9 +456,7 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
                                goto out;
                        }
                }
-               printk(KERN_ERR "security_context_to_sid: called before "
-                      "initial load_policy on unknown context %s\n", scontext);
-               rc = -EINVAL;
+               *sid = SECINITSID_KERNEL;
                goto out;
        }
        *sid = SECSID_NULL;
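Review bot: The added `*sid = SECINITSID_KERNEL;` returns success for any string that did not match an initial SID name, with no syntax check on `scontext` and no comment saying the permissive mapping is deliberate. A comment above the line would record the intent, e.g. `/* No policy loaded yet: accept any context and map it to the kernel SID. */`. Callers can no longer tell a real lookup from this fallback, so a SID stored before load_policy presumably stays the kernel SID instead of reflecting the label on disk; whether it is revalidated after policy load is not visible here and is worth confirming. With the printk removed, nothing records that the fallback was taken, which makes labels accepted in this window hard to audit later. The body of security_context_to_sid starts and ends outside the hunk.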