From: Stephen Smalley This patch changes the behavior of security_context_to_sid in the no-policy case so that it simply accepts all contexts and maps them to the kernel SID rather than rejecting anything other than an initial SID. The change avoids error conditions when using SELinux in permissive/no-policy mode, so that any file contexts left on disk from prior use of SELinux with a policy will not cause an error when they are looked up and userspace attempts to set contexts can succeed. --- 25-akpm/security/selinux/ss/services.c | 4 +--- 1 files changed, 1 insertion(+), 3 deletions(-) diff -puN security/selinux/ss/services.c~selinux-change-context_to_sid-handling-for-no-policy-case security/selinux/ss/services.c --- 25/security/selinux/ss/services.c~selinux-change-context_to_sid-handling-for-no-policy-case Tue Apr 20 13:05:56 2004 +++ 25-akpm/security/selinux/ss/services.c Tue Apr 20 13:05:56 2004 @@ -456,9 +456,7 @@ int security_context_to_sid(char *sconte goto out; } } - printk(KERN_ERR "security_context_to_sid: called before " - "initial load_policy on unknown context %s\n", scontext); - rc = -EINVAL; + *sid = SECINITSID_KERNEL; goto out; } *sid = SECSID_NULL; _
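Review bot: in the no-policy branch of security_context_to_sid, dropping `rc = -EINVAL;` means the value returned after the following `goto out;` depends on whatever rc was set to earlier in the function, which this hunk does not show. Please confirm rc is 0 on that path, or set it explicitly next to `*sid = SECINITSID_KERNEL;`, so callers get neither a stale error nor an uninitialized value. The new assignment would also benefit from a one-line comment saying that before the initial load_policy any context string is accepted without validation and mapped to the kernel SID, because the removed printk was the text in these lines that explained the case.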