Re: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes

On Wed, 2011-03-23 at 10:28 +0800, Harry Ciao wrote:
> From: Harry Ciao <harrytaurus200@xxxxxxxxxxx>
> 
> For the process class, the role_trans.type is compared with
> tcontext->type, that is, the program executable type.
> 
> For all the other classes, the role_trans.type is compared with
> newcontext.type, that is, the type for the newly created object
> of that class.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>

That's a hard conditional to read, but I guess it's correct.  Feel free
to add my ack on resubmission.

-Eric

> ---
>  security/selinux/ss/services.c |   23 ++++++++++++-----------
>  1 files changed, 12 insertions(+), 11 deletions(-)
> 
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index a03cfaf..01fc3d5 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1443,17 +1443,18 @@ static int security_compute_sid(u32 ssid,
>  	}
>  
>  	/* Check for class-specific changes. */
> -	if  (tclass == policydb.process_class) {
> -		if (specified & AVTAB_TRANSITION) {
> -			/* Look for a role transition rule. */
> -			for (roletr = policydb.role_tr; roletr;
> -			     roletr = roletr->next) {
> -				if (roletr->role == scontext->role &&
> -				    roletr->type == tcontext->type) {
> -					/* Use the role transition rule. */
> -					newcontext.role = roletr->new_role;
> -					break;
> -				}
> +	if (specified & AVTAB_TRANSITION) {
> +		/* Look for a role transition rule. */
> +		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
> +			if ((roletr->role == scontext->role) &&
> +			    (roletr->cclass == tclass) &&
> +			    ((roletr->cclass == policydb.process_class &&
> +			      roletr->type == tcontext->type) ||
> +			     (roletr->cclass != policydb.process_class &&
> +			      roletr->type == newcontext.type))){
> +				/* Use the role transition rule. */
> +				newcontext.role = roletr->new_role;
> +				break;
>  			}
>  		}
>  	}
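Review bot: the disjunction on the `roletr->cclass == policydb.process_class` / `!=` branches is loop-invariant, because `roletr->cclass == tclass` is already required one line earlier, so the rule's class is always `tclass`; the whole condition reduces to one comparison against a value picked once before the loop, which would also address the readability concern raised in the reply. Something like `u32 type_to_match = (tclass == policydb.process_class) ? tcontext->type : newcontext.type;` ahead of the `for`, followed by `if (roletr->role == scontext->role && roletr->cclass == tclass && roletr->type == type_to_match)`, keeps the behaviour this hunk implements (executable type for the process class, created-object type otherwise). Two smaller points: `))){` on the last condition line should be `)) {` per kernel style, and the non-process branch reads `newcontext.type`, so it depends on any type transition for `tclass` having been applied to `newcontext` before this "Check for class-specific changes" block; the hunk only shows the closing brace of the preceding block, so that ordering is worth confirming in the full function.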



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

