SELinux Mailing List

PATCH: libsepol should not write policy.18 with mls enabled

From: Todd C. Miller <tmiller_at_tresys.com>
Date: Tue, 11 Dec 2007 17:20:24 -0500


Currently, libsepol will write a binary policy with the MLS flag set even if the policy version is unable to support MLS. For instance, you can build a policy.18 with mls enabled. The resulting policy binary is invalid and can't be read by the kernel or the various tools.

Fixing this is just a matter of adding the appropriate check to policydb_write().

Signed-off-by: Todd C. Miller <tmiller@tresys.com>

Index: libsepol/src/write.c


  • libsepol/src/write.c (revision 2704) +++ libsepol/src/write.c (working copy) @@ -1531,8 +1531,19 @@ pd.p = p;
 	config = 0;
-	if (p->mls)

+ if (p->mls) {
+ if ((p->policyvers < POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_MOD)) {
+ ERR(fp->handle, "policy version %d cannot support MLS",
+ p->policyvers);
+ return POLICYDB_ERROR;
+ }
config |= POLICYDB_CONFIG_MLS;
+ }
config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
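Review bot: the two module-side clauses of the new condition (POLICY_BASE and POLICY_MOD, both compared against MOD_POLICYDB_VERSION_MLS) differ only in the type constant, so the whole test collapses to `(p->policy_type == POLICY_KERN && p->policyvers < POLICYDB_VERSION_MLS) || (p->policy_type != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_MLS)`, which is shorter and will not silently miss a policy type added later. Also consider including the policy type in the error text: kernel and module policies use separate version thresholds here (POLICYDB_VERSION_MLS vs. MOD_POLICYDB_VERSION_MLS), so "policy version %d cannot support MLS" on its own does not tell the user which limit was applied.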
Received on Tue 11 Dec 2007 - 17:20:32 EST
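As an added example, not part of this message or of libsepol itself, here is a small C checker that parses the leading fields of a kernel binary policy and flags exactly the inconsistency the report describes: the MLS config bit set in a policy whose version is below POLICYDB_VERSION_MLS (19). It assumes the kernel policydb header layout that libsepol writes (32-bit little-endian magic POLICYDB_MAGIC, a length-prefixed target string "SE Linux", then the version and config words); the headers it checks are constructed in the block, not read from a real policy file, and base/module policy headers, which use a different layout, are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined in libsepol's policydb.h for kernel policies. */
#define POLICYDB_MAGIC        0xf97cff8cu
#define POLICYDB_STRING       "SE Linux"
#define POLICYDB_VERSION_MLS  19u   /* first kernel policy version with MLS */
#define POLICYDB_CONFIG_MLS   1u    /* MLS bit in the config word */

enum hdr_status {
    HDR_OK = 0,            /* header is internally consistent */
    HDR_TRUNCATED,         /* buffer shorter than the fixed header */
    HDR_BAD_MAGIC,         /* not a kernel policy file */
    HDR_BAD_STRING,        /* target string is not "SE Linux" */
    HDR_MLS_UNSUPPORTED    /* MLS bit set but version < POLICYDB_VERSION_MLS */
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse magic, string length, target string, version and config from the
 * start of a kernel binary policy and report whether the MLS config bit is
 * consistent with the declared policy version. */
enum hdr_status check_kernel_policy_header(const unsigned char *buf, size_t len,
                                           uint32_t *version_out)
{
    const size_t slen_expected = strlen(POLICYDB_STRING);
    size_t off = 0;
    uint32_t slen, version, config;

    if (len < 8)
        return HDR_TRUNCATED;
    if (rd32le(buf) != POLICYDB_MAGIC)
        return HDR_BAD_MAGIC;
    off = 4;
    slen = rd32le(buf + off);
    off += 4;
    if (slen != slen_expected)
        return HDR_BAD_STRING;
    if (len < off + slen + 8)
        return HDR_TRUNCATED;
    if (memcmp(buf + off, POLICYDB_STRING, slen) != 0)
        return HDR_BAD_STRING;
    off += slen;
    version = rd32le(buf + off);
    off += 4;
    config = rd32le(buf + off);
    if (version_out)
        *version_out = version;
    if ((config & POLICYDB_CONFIG_MLS) && version < POLICYDB_VERSION_MLS)
        return HDR_MLS_UNSUPPORTED;
    return HDR_OK;
}

/* Constructed header for testing: NOT a loadable policy, only the leading
 * words (magic, string, version, config, zeroed symbol/ocon counts) that the
 * checker inspects.  Returns the number of bytes written. */
size_t make_constructed_header(unsigned char *out, uint32_t version, uint32_t config)
{
    size_t off = 0, slen = strlen(POLICYDB_STRING);
    wr32le(out + off, POLICYDB_MAGIC);   off += 4;
    wr32le(out + off, (uint32_t)slen);   off += 4;
    memcpy(out + off, POLICYDB_STRING, slen); off += slen;
    wr32le(out + off, version);          off += 4;
    wr32le(out + off, config);           off += 4;
    wr32le(out + off, 0);                off += 4;  /* sym_num */
    wr32le(out + off, 0);                off += 4;  /* ocon_num */
    return off;
}

/* Convenience wrapper: build a constructed header and check it. */
enum hdr_status check_constructed(uint32_t version, uint32_t config)
{
    unsigned char buf[64];
    size_t n = make_constructed_header(buf, version, config);
    return check_kernel_policy_header(buf, n, NULL);
}

int main(void)
{
    /* The case from the report: a policy.18 written with MLS enabled. */
    enum hdr_status s = check_constructed(18, POLICYDB_CONFIG_MLS);
    printf("policy.18 with MLS bit: %s\n",
           s == HDR_MLS_UNSUPPORTED ? "inconsistent (version cannot support MLS)" : "ok");
    s = check_constructed(19, POLICYDB_CONFIG_MLS);
    printf("policy.19 with MLS bit: %s\n", s == HDR_OK ? "ok" : "inconsistent");
    return 0;
}
```

The check mirrors the condition the patch adds to policydb_write(), but applied on the reading side: a binary that already carries the MLS bit below version 19 is reported before any tool tries to parse the rest of it.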
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
