
Commit 016b9bdb authored by Stephen Smalley, committed by Linus Torvalds

[PATCH] selinux: enable configuration of max policy version



Enable configuration of SELinux maximum supported policy version to support
legacy userland (init) that does not gracefully handle kernels that support
newer policy versions two or more beyond the installed policy, as in FC3
and FC4.

[bunk@stusta.de: improve Kconfig help text]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 9a2f44f0
+37 −0
@@ -124,3 +124,40 @@ config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT

	  If you are unsure what do do here, select N.

config SECURITY_SELINUX_POLICYDB_VERSION_MAX
	bool "NSA SELinux maximum supported policy format version"
	depends on SECURITY_SELINUX
	default n
	help
	  This option enables the maximum policy format version supported
	  by SELinux to be set to a particular value.  This value is reported
	  to userspace via /selinux/policyvers and used at policy load time.
	  It can be adjusted downward to support legacy userland (init) that
	  does not correctly handle kernels that support newer policy versions.

	  Examples:
	  For the Fedora Core 3 or 4 Linux distributions, enable this option
	  and set the value via the next option. For Fedore Core 5 and later,
	  do not enable this option.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
	int "NSA SELinux maximum supported policy format version value"
	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
	range 15 20
	default 19
	help
	  This option sets the value for the maximum policy format version
	  supported by SELinux.

	  Examples:
	  For Fedora Core 3, use 18.
	  For Fedora Core 4, use 19.

	  If you are unsure how to answer this question, look for the
	  policy format version supported by your policy toolchain, by
	  running 'checkpolicy -V'. Or look at what policy you have
	  installed under /etc/selinux/$SELINUXTYPE/policy, where
	  SELINUXTYPE is defined in your /etc/selinux/config.
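
Review bot: `range 15 20` on SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE is a pair of literals that nothing in this hunk ties to the policy versions the code defines, so the bounds can go stale when a newer policy format is added; a comment beside the range saying it must track the POLICYDB_VERSION_* defines would help. The help text for SECURITY_SELINUX_POLICYDB_VERSION_MAX also misspells "Fedore Core 5" (should be "Fedora Core 5"), and it only says the value is "used at policy load time"; it would be clearer to spell out what happens at load time to a policy whose format is newer than the chosen value.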
+5 −1
@@ -27,7 +27,11 @@

/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else
#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_AVTAB
#endif

extern int selinux_enabled;
extern int selinux_mls_enabled;
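
Review bot: the `#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX` branch takes CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE on trust, with the Kconfig `range` as the only guard that it stays at or above POLICYDB_VERSION_MIN and within what the code can parse. Consider a preprocessor check right after the `#endif`, for example `#if POLICYDB_VERSION_MAX < POLICYDB_VERSION_MIN` followed by an `#error`, so a bad .config fails the build instead of yielding a kernel with an empty version range. A one-line comment on the `#ifdef` saying the cap exists for legacy userland would also save readers a trip to the Kconfig help.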