On Friday 11 December 2009 04:59:19 pm Stephen Smalley wrote:
> On Fri, 2009-12-11 at 16:42 -0500, Paul Moore wrote:
> > It is possible for security_compute_av() to return -EINVAL, even when in
> > permissive mode, due to unknown object classes. This patch fixes this by
> > first checking to see if SELinux is in permissive mode or if the subject
> > is a permissive domain; if either of these is true then
> > security_compute_av() ignores the unknown class error and allows the
> > operation to proceed.
> >
> > Andrew: I've tested this patch to ensure it boots and does not regress my
> > Fedora/Rawhide system, but since I don't have a Debian system handy I'm
> > not able to verify that this fixes your problem; could you please test
> > this patch and report back?
> >
> > Reported-by: Andrew Worsley <amworsley@xxxxxxxxx>
> > Signed-off-by: Paul Moore <paul.moore@xxxxxx>
> > ---
> > security/selinux/ss/services.c | 21 +++++++++++++++------
> > 1 files changed, 15 insertions(+), 6 deletions(-)

...

> Can we simplify this at all? For example, I don't really think
> sidtab_search() can ever fail anymore (it falls back to the unlabeled
> SID, which has to be defined by the initial policy load). I also think
> we could just clear avd->allowed and return 0 rather than returning
> -EINVAL in this case so that the existing avc_has_perm() logic would
> proceed and check permissive mode on its own. We likely should also
> move the permissive map test earlier so that it always gets applied
> unconditionally.

Sure, I just wanted to get something out sooner rather than later in case
this turned out to be something which affected a large number of users and
we needed a quick patch for -stable. I'll admit it ain't pretty but it
should at least work in a pinch. Give me a bit and let me see if I can
make it less ugly.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
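The two designs discussed in the thread, as an added illustration that is not the kernel's code and not part of the original exchange: a simplified model in which the access-vector computation either fails with -EINVAL on an unknown object class (the shape of the original patch's problem) or clears the allowed set and returns 0 so that the caller's ordinary permissive-mode check decides (Smalley's suggestion). All names here (model_compute_av_einval, model_compute_av_clear, model_has_perm, MODEL_KNOWN_CLASSES) are hypothetical, and the class table and permission masks are constructed for the example.

```c
/* Added model, not SELinux source. Illustrates why an error returned from
 * the AV computation bypasses permissive mode, and how returning 0 with an
 * empty allowed set lets the caller's permissive logic apply uniformly.
 * All identifiers below are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_KNOWN_CLASSES 4   /* constructed: classes 1..4 are defined by policy */
#define MODEL_EINVAL 22
#define MODEL_EACCES 13

struct model_avd {
    uint32_t allowed;   /* bitmask of permissions the policy grants */
};

/* System-wide mode toggle, standing in for enforcing vs. permissive. */
static bool model_enforcing = true;

void model_set_enforcing(bool enforcing)
{
    model_enforcing = enforcing;
}

/* Variant A: fail with -EINVAL when the target class is unknown.
 * The error propagates out before the caller ever looks at permissive mode. */
int model_compute_av_einval(unsigned int tclass, uint32_t granted,
                            struct model_avd *avd)
{
    if (tclass == 0 || tclass > MODEL_KNOWN_CLASSES)
        return -MODEL_EINVAL;
    avd->allowed = granted;
    return 0;
}

/* Variant B: clear avd->allowed and return 0 on an unknown class, so the
 * caller treats it as "nothing granted" and applies its own mode check. */
int model_compute_av_clear(unsigned int tclass, uint32_t granted,
                           struct model_avd *avd)
{
    if (tclass == 0 || tclass > MODEL_KNOWN_CLASSES) {
        avd->allowed = 0;
        return 0;
    }
    avd->allowed = granted;
    return 0;
}

typedef int (*model_compute_fn)(unsigned int, uint32_t, struct model_avd *);

/* Caller modelled loosely on the avc_has_perm() idea: compute the decision,
 * then if any requested permission is denied, mark it for audit and either
 * deny (enforcing, non-permissive domain) or allow (permissive).
 * Returns 0 on allow, a negative errno-style value otherwise; *audited is
 * set to 1 when a denial message would have been logged. */
int model_has_perm(model_compute_fn compute, unsigned int tclass,
                   uint32_t requested, uint32_t granted,
                   bool permissive_domain, int *audited)
{
    struct model_avd avd = { 0 };
    *audited = 0;

    int rc = compute(tclass, granted, &avd);
    if (rc)
        return rc;          /* an error here never reaches the mode check */

    uint32_t denied = requested & ~avd.allowed;
    if (!denied)
        return 0;

    *audited = 1;           /* a denial is logged in either mode */
    if (!model_enforcing || permissive_domain)
        return 0;           /* permissive: log but allow */
    return -MODEL_EACCES;   /* enforcing: deny */
}

int main(void)
{
    int audited;
    model_set_enforcing(false);
    printf("einval variant, permissive, unknown class: rc=%d\n",
           model_has_perm(model_compute_av_einval, 9, 0x1, 0x0, false, &audited));
    printf("clear variant,  permissive, unknown class: rc=%d audited=%d\n",
           model_has_perm(model_compute_av_clear, 9, 0x1, 0x0, false, &audited),
           audited);
    return 0;
}
```

Running the model shows the asymmetry the thread is about: with variant A an unknown class yields -EINVAL even in permissive mode, while with variant B the same request is audited and allowed in permissive mode and denied with -EACCES in enforcing mode, with no special-casing in the computation itself.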