author Stephen Smalley <sds@tycho.nsa.gov> 2013-07-23 23:38:41 +0200
committer Eric Paris <eparis@redhat.com> 2013-07-25 19:02:37 +0200
commit 5c73fceb8c70466c5876ad94c356922ae75a0820 (patch)
tree 992971c8f88d8739aa9708c1f00672ee8d66b65c /security/selinux
parent SELinux: Increase ebitmap_node size for 64-bit configuration
SELinux: Enable setting security contexts on rootfs inodes.
rootfs (ramfs) can support setting of security contexts by userspace due to the vfs fallback behavior of calling the security module to set the in-core inode state for security.* attributes when the filesystem does not provide an xattr handler. No xattr handler required as the inodes are pinned in memory and have no backing store. This is useful in allowing early userspace to label individual files within a rootfs while still providing a policy-defined default via genfs.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r-- security/selinux/hooks.c 7
1 files changed, 7 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4bc068b3773d..911b780fcf80 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -406,6 +406,13 @@ static int sb_finish_set_opts(struct super_block *sb)
if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
sbsec->flags |= SE_SBLABELSUPP;
+ /*
+ * Special handling for rootfs. Is genfs but supports
+ * setting SELinux context on in-core inodes.
+ */
+ if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
+ sbsec->flags |= SE_SBLABELSUPP;
+
/* Initialize the root inode. */
rc = inode_doinit_with_dentry(root_inode, root);
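Review bot: the comment above the new rootfs check says only that rootfs "is genfs but supports setting SELinux context on in-core inodes"; the reason this is safe without an xattr handler (the vfs falls back to the security module for security.* attributes, and the inodes are pinned in memory with no backing store) appears only in the commit message. Please put that rationale in the comment, since it is what a later reader needs in order to decide whether another filesystem qualifies for SE_SBLABELSUPP. As a style point, this is now a second copy of the sysfs test directly above it: strncmp() with sizeof("rootfs") includes the terminating NUL, so it is an exact match on the name, and a plain strcmp() or a small helper shared by both checks would say that more directly.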