On Wed, 2008-11-05 at 09:34 -0500, Eric Paris wrote: > Currently when SELinux has not been updated to handle a netlink message > type the operation is denied with EINVAL. This patch will leave the > audit/warning message so things get fixed but if policy chose to allow > unknowns this will allow the netlink operation. > > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > --- > > security/selinux/hooks.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index f85597a..c6f8f3e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4387,7 +4387,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) > "SELinux: unrecognized netlink message" > " type=%hu for sclass=%hu\n", > nlh->nlmsg_type, isec->sclass); > - if (!selinux_enforcing) > + if (!selinux_enforcing || security_get_allow_unknown()) > err = 0; > } > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
