Commit 877181a8 authored Nov 13, 2018 by Paul Moore

selinux: fix non-MLS handling in mls_context_to_sid()



Commit 95ffe194 ("selinux: refactor mls_context_to_sid() and make
it stricter") inadvertently changed how we handle labels that did not
contain MLS information.  This patch restores the proper behavior in
mls_context_to_sid() and adds a comment explaining the proper
behavior to help ensure this doesn't happen again.

Fixes: 95ffe194 ("selinux: refactor mls_context_to_sid() and make it stricter")
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent c138325f

security/selinux/ss/mls.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -245,9 +245,13 @@ int mls_context_to_sid(struct policydb *pol,
		char *rangep[2];

		if (!pol->mls_enabled) {
		if ((def_sid != SECSID_NULL && oldc) \|\| (*scontext) == '\0')
		return 0;
		/*
		* With no MLS, only return -EINVAL if there is a MLS field
		* and it did not come from an xattr.
		*/
		if (oldc && def_sid == SECSID_NULL)
		return -EINVAL;
		return 0;
		}

		/*