Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's SELinux implementation involves the single-open restriction on the policy file at /sys/fs/selinux/policy. Only one process could have the file open at a time, which could lead to interference with other processes trying to read the kernel policy. The restriction was intended to prevent an inconsistent view of the policy size and to control userspace memory allocation, but it created a new problem by allowing processes to block each other. The vulnerability has been addressed by allowing multiple processes to open the policy file simultaneously: the fix removes the single-open restriction, reduces the critical section where the policy mutex is held, and eliminates unnecessary error checks.
The vulnerability could cause processes to block each other when accessing the SELinux policy file, potentially leading to delays or failures in policy enforcement.
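An added example, not taken from the kernel patch or from this entry: a C probe that opens the policy file twice and closes it at once, to tell whether the running kernel still enforces the single-open restriction. It assumes a restricted kernel rejects the second open with EBUSY, which this entry does not state; the function and enum names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum probe_result {
    PROBE_MULTI_OPEN_OK = 0,  /* second open succeeded: restriction absent */
    PROBE_SINGLE_OPEN,        /* second open got EBUSY: restriction present */
    PROBE_BUSY_ELSEWHERE,     /* first open got EBUSY: another holder exists */
    PROBE_UNAVAILABLE         /* missing file, no permission, or other error */
};

/* Open `path` read-only twice and classify the outcome.
 * Assumption: the single-open check reports EBUSY to the second opener. */
enum probe_result probe_policy_open(const char *path)
{
    int fd1 = open(path, O_RDONLY);
    if (fd1 < 0)
        return errno == EBUSY ? PROBE_BUSY_ELSEWHERE : PROBE_UNAVAILABLE;

    enum probe_result r;
    int fd2 = open(path, O_RDONLY);
    if (fd2 >= 0) {
        r = PROBE_MULTI_OPEN_OK;
        close(fd2);
    } else {
        r = (errno == EBUSY) ? PROBE_SINGLE_OPEN : PROBE_UNAVAILABLE;
    }
    close(fd1); /* release immediately so other policy readers are not blocked */
    return r;
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "multiple opens allowed (single-open restriction absent)",
        "second open refused with EBUSY (single-open restriction present)",
        "already held open by another process (restriction present)",
        "could not open (not an SELinux host, or insufficient permission)"
    };
    const char *path = argc > 1 ? argv[1] : "/sys/fs/selinux/policy";
    enum probe_result r = probe_policy_open(path);
    printf("%s: %s\n", path, msg[r]);
    return (int)r;
}
```

Run it as a user permitted to read the kernel policy; the exit status is the enum value, so 0 means concurrent opens are accepted.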