From b04ea3cebf79d6808632808072f276dbc98aaf01 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 14 Jul 2006 00:24:33 -0700 Subject: [PATCH] Fix security check for joint context= and fscontext= mount options After some discussion on the actual meaning of the filesystem class security check in try context mount it was determined that the checks for the context= mount options were not correct if fscontext mount option had already been used. When labeling the superblock we should be checking relabel_from and relabel_to. But if the superblock has already been labeled (with fscontext) then context= is actually labeling the inodes, and so we should be checking relabel_from and associate. This patch fixes which checks are called depending on the mount options. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Acked-by: James Morris Cc: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/selinux/hooks.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2e8b4dfcbc74..a91c961ba38b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -523,12 +523,16 @@ static int try_context_mount(struct super_block *sb, void *data) goto out_free; } - rc = may_context_mount_sb_relabel(sid, sbsec, tsec); - if (rc) - goto out_free; - - if (!fscontext) + if (!fscontext) { + rc = may_context_mount_sb_relabel(sid, sbsec, tsec); + if (rc) + goto out_free; sbsec->sid = sid; + } else { + rc = may_context_mount_inode_relabel(sid, sbsec, tsec); + if (rc) + goto out_free; + } sbsec->mntpoint_sid = sid; sbsec->behavior = SECURITY_FS_USE_MNTPOINT; -- cgit v1.2.3-58-ga151