selinux: default to security isid in sel_make_bools() if no sid is found
author Gary Tierney <gary.tierney@gmx.com>
Mon, 9 Jan 2017 15:07:32 +0000 (10:07 -0500)
committer Paul Moore <paul@paul-moore.com>
Mon, 9 Jan 2017 15:07:32 +0000 (10:07 -0500)
Use SECINITSID_SECURITY as the default SID for booleans which don't have
a matching SID returned from security_genfs_sid(), also update the
error message to a warning which matches this.

This prevents the policy failing to load (and consequently the system
failing to boot) when there is no default genfscon statement matched for
the selinuxfs in the new policy.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/selinuxfs.c

index 7672b61d6673d2e70cff7f90ac5e94b045f8cb21..c354807381c11949604a458b5286989385395a7b 100644 (file)
@@ -1311,9 +1311,9 @@ static int sel_make_bools(void)
                isec = (struct inode_security_struct *)inode->i_security;
                ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
                if (ret) {
-                       pr_err("SELinux: failed to lookup sid for %s\n", page);
-                       goto out;
-
+                       pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n",
+                                          page);
+                       sid = SECINITSID_SECURITY;
                }
 
                isec->sid = sid;
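
Review bot: in the `if (ret)` branch, every non-zero return from security_genfs_sid() now falls back to SECINITSID_SECURITY, while the new message states "no sid found". If the lookup can fail for any reason other than a missing genfscon match, that failure is turned into a default label and the cause is lost. Consider limiting the fallback to the not-found error code and keeping the `goto out` path for other errors, or at least printing `ret` in the warning. Because the warning is rate-limited, a policy with many unmatched booleans can also leave some of them defaulted with no log line, so a short comment explaining why SECINITSID_SECURITY is the chosen default would help anyone auditing boolean labels later.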