• [PATCH] SELinux: default labeling of MLS field · f5c1d5b2
    James Morris authored
    Implement kernel labeling of the MLS (multilevel security) field of
    security contexts for files which have no existing MLS field.  This is to
    enable upgrades of a system from non-MLS to MLS without performing a full
    filesystem relabel including all of the mountpoints, which would be quite
    painful for users.
    
    With this patch, with MLS enabled, if a file has no MLS field, the kernel
    internally adds an MLS field to the in-core inode (but not to the on-disk
    file).  This MLS field added is the default for the superblock, allowing
    per-mountpoint control over the values via fixed policy or mount options.
    
    This patch has been tested by enabling MLS without relabeling its
    filesystem, and seems to be working correctly.
    Signed-off-by: James Morris <jmorris@redhat.com>
    Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
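
The behaviour the commit message describes, as an added user-space model that is not code from this patch or from the kernel: a label with no MLS field receives the mount's default in the in-core copy only, and a label that already has one is left alone. The function names, the `user:role:type[:mls]` parsing, and the sample labels and defaults are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CTX_MAX 128

/* 1: ctx has an MLS field (text after the third ':'); 0: only
 * user:role:type; -1: malformed. Categories such as "s0:c0.c5" contain
 * further colons, so everything after the third ':' is the MLS field. */
static int has_mls_field(const char *ctx)
{
    int colons = 0;
    for (const char *p = ctx; *p; p++)
        if (*p == ':' && ++colons == 3)
            return p[1] ? 1 : -1;
    return colons == 2 ? 0 : -1;
}

/* Hypothetical model, not a kernel function: returns the label held in
 * core for a file whose on-disk label is `ondisk`, on a mount whose
 * default MLS field is `sb_def_mls`. The on-disk string is only read.
 * Returns a static buffer, or NULL on malformed/oversized input. */
const char *incore_label(const char *ondisk, const char *sb_def_mls,
                         int mls_enabled)
{
    static char buf[CTX_MAX];
    int has = has_mls_field(ondisk), n;

    if (has < 0)
        return NULL;
    if (mls_enabled && !has)   /* upgrade case: supply the mount default */
        n = snprintf(buf, sizeof buf, "%s:%s", ondisk, sb_def_mls);
    else                       /* already labeled, or MLS off: unchanged */
        n = snprintf(buf, sizeof buf, "%s", ondisk);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

int main(void)
{
    /* Constructed sample labels and per-mount defaults. */
    const char *old = "system_u:object_r:etc_t";
    printf("%s\n", incore_label(old, "s0", 1));
    printf("%s\n", incore_label(old, "s15:c0.c255", 1));
    printf("%s\n", incore_label("system_u:object_r:etc_t:s2", "s0", 1));
    printf("%s\n", incore_label(old, "s0", 0));
    return 0;
}
```

The second call shows the per-mountpoint control: the same unlabeled file resolves to a different level depending on the default of the mount it sits on.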
security.h 2.58 KB