Re: selinux + livecd-creator, May 20, 2008

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2008-05-20 at 16:08 -0400, Stephen Smalley wrote:


> Use non-auditing forms of the
> permission checks as getxattr may be called by unprivileged processes
> commonly and lack of permission just means that we fall back to the
> in-core context value, not a denial.

If we do put this on list, lets make this an in code comment so its easy
to remember in another 100 years when the next poor sap has to figure
out what I am doing these days   :)


> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 4be1563..fe4f9ad 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
>  	u32 size;
>  	int error;
>  	char *context = NULL;
> +	struct task_security_struct *tsec = current->security;
>  	struct inode_security_struct *isec = inode->i_security;
>  
>  	if (strcmp(name, XATTR_SELINUX_SUFFIX))
>  		return -EOPNOTSUPP;
>  
> -	error = security_sid_to_context(isec->sid, &context, &size);
> +	error = secondary_ops->capable(current, CAP_MAC_ADMIN);
> +	if (!error)
> +		error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
> +					     SECCLASS_CAPABILITY2,
> +					     CAPABILITY2__MAC_ADMIN,
> +					     0,
> +					     NULL);
> +	if (!error)
> +		error = security_sid_to_context_force(isec->sid, &context,
> +						      &size);
> +	else
> +		error = security_sid_to_context(isec->sid, &context, &size);
>  	if (error)
>  		return error;
>  	error = size;
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux