1 files changed, 38 insertions, 0 deletions

diff --git a/0001-libsemanage-genhomedircon-only-set-MLS-level-if-MLS-.patch b/0001-libsemanage-genhomedircon-only-set-MLS-level-if-MLS-.patch
new file mode 100644
index 000000000000..a55d228df11e
--- /dev/null
+++ b/0001-libsemanage-genhomedircon-only-set-MLS-level-if-MLS-.patch
@@ -0,0 +1,38 @@
+From 58ca300c67ec8aa72e0146ec326281fa92b3259f Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 14 Oct 2016 13:36:37 -0400
+Subject: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is
+ enabled
+
+When a non-MLS policy was used with genhomedircon context_from_record()
+in sepol would report an error because an MLS level was present when MLS
+is disabled.  Based on a patch by Gary Tierney, amended to use
+sepol_policydb_mls_enabled rather than semanage_mls_enabled because
+we are testing the temporary working policy, not the active policy.
+
+Reported-by: Jason Zaman <jason@perfinion.com>
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libsemanage/src/genhomedircon.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
+index 6991fffc31cb..5e9d7224a06e 100644
+--- a/libsemanage/src/genhomedircon.c
++++ b/libsemanage/src/genhomedircon.c
+@@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
+ 			goto fail;
+ 		}
+ 
+-		if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
++		if (sepol_context_set_user(sepolh, context, user->sename) < 0) {
++			goto fail;
++		}
++
++		if (sepol_policydb_mls_enabled(s->policydb) &&
+ 		    sepol_context_set_mls(sepolh, context, user->level) < 0) {
+ 			goto fail;
+ 		}
+-- 
+2.10.2
+