On Tue, 2008-05-20 at 16:08 -0400, Stephen Smalley wrote: > Use non-auditing forms of the > permission checks as getxattr may be called by unprivileged processes > commonly and lack of permission just means that we fall back to the > in-core context value, not a denial. If we do put this on list, let's make this an in code comment so it's easy to remember in another 100 years when the next poor sap has to figure out what I am doing these days :) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 4be1563..fe4f9ad 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name > u32 size; > int error; > char *context = NULL; > + struct task_security_struct *tsec = current->security; > struct inode_security_struct *isec = inode->i_security; > > if (strcmp(name, XATTR_SELINUX_SUFFIX)) > return -EOPNOTSUPP; > > - error = security_sid_to_context(isec->sid, &context, &size); > + error = secondary_ops->capable(current, CAP_MAC_ADMIN); > + if (!error) > + error = avc_has_perm_noaudit(tsec->sid, tsec->sid, > + SECCLASS_CAPABILITY2, > + CAPABILITY2__MAC_ADMIN, > + 0, > + NULL); > + if (!error) > + error = security_sid_to_context_force(isec->sid, &context, > + &size); > + else > + error = security_sid_to_context(isec->sid, &context, &size); > if (error) > return error; > error = size; > -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
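Review bot: the new CAP_MAC_ADMIN branch in selinux_inode_getsecurity has no in-code comment explaining why the non-auditing check is used and why a failed check is not returned as an error, which is exactly the rationale given in the quoted text above; add a short comment above `error = secondary_ops->capable(current, CAP_MAC_ADMIN);` stating that getxattr is commonly called by unprivileged processes and that lacking mac_admin only selects security_sid_to_context over security_sid_to_context_force, so the check must not generate audit noise. The same comment should note that `error` is reused as a branch selector: any non-zero return from secondary_ops->capable or avc_has_perm_noaudit, not only a permission denial, takes the non-forcing path, and that value is then overwritten by the sid_to_context call, so a transient failure in the permission check is silently folded into the fallback rather than reported. That is acceptable for the stated fallback semantics but is not obvious from the code as written.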