Commit 9530a3e0 authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore

selinux: permit removing security.selinux xattr before policy load

Currently SELinux denies attempts to remove the security.selinux xattr
always, even when permissive or no policy is loaded.  This was originally
motivated by the view that all files should be labeled, even if that label
is unlabeled_t, and we shouldn't permit files that were once labeled to
have their labels removed entirely.  This however prevents removing
SELinux xattrs in the case where one "disables" SELinux by not loading
a policy (e.g. a system where runtime disable is removed and selinux=0
was not specified).  Allow removing the xattr before SELinux is
initialized.  We could conceivably permit it even after initialization
if permissive, or introduce a separate permission check here.
Signed-off-by: default avatarStephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 87922931
...@@ -3271,6 +3271,9 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name) ...@@ -3271,6 +3271,9 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
} }
if (!selinux_initialized(&selinux_state))
return 0;
/* No one is allowed to remove a SELinux security label. /* No one is allowed to remove a SELinux security label.
You can change the label, but all data must be labeled. */ You can change the label, but all data must be labeled. */
return -EACCES; return -EACCES;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment