selinux patch

Stephen Smalley <sds@xxxxxxxxxxxxx> · Mon, 11 Feb 2008 09:32:29 -0500

Hi,

Could the patch below (already in Linus' git tree for 2.6.25) be added
to the rawhide kernel?  It is to support polyinstantiation by
XACE/XSELinux.

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2e08c0c1c3977a5ddc88887dd3af1b26c433e9d0
Commit:     2e08c0c1c3977a5ddc88887dd3af1b26c433e9d0
Parent:     1996a10948e50e546dc2b64276723c0b64d3173b
Author:     Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
AuthorDate: Thu Jan 24 15:30:52 2008 -0500
Committer:  James Morris <jmorris@xxxxxxxxx>
CommitDate: Fri Jan 25 11:29:56 2008 +1100

    selinux: make mls_compute_sid always polyinstantiate
    
    This patch removes the requirement that the new and related object types
    differ in order to polyinstantiate by MLS level.  This allows MLS
    polyinstantiation to occur in the absence of explicit type_member rules or
    when the type has not changed.
    
    Potential users of this support include pam_namespace.so (directory
    polyinstantiation) and the SELinux X support (property polyinstantiation).
    
    Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
    Acked-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>
    Signed-off-by: James Morris <jmorris@xxxxxxxxx>
---
 security/selinux/ss/mls.c |   11 ++---------
 1 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fb5d70a..3bbcb53 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
 			/* Use the process effective MLS attributes. */
 			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
-		/* Only polyinstantiate the MLS attributes if
-		   the type is being polyinstantiated */
-		if (newcontext->type != tcontext->type) {
-			/* Use the process effective MLS attributes. */
-			return mls_context_cpy_low(newcontext, scontext);
-		} else {
-			/* Use the related object MLS attributes. */
-			return mls_context_cpy(newcontext, tcontext);
-		}
+		/* Use the process effective MLS attributes. */
+		return mls_context_cpy_low(newcontext, scontext);
 	default:
 		return -EINVAL;
 	}


-- 
Stephen Smalley
National Security Agency

_______________________________________________
Fedora-kernel-list mailing list
Fedora-kernel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-kernel-list




