Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> Regardless, we need to revert the original patch and create a new one that
> addresses the KEY_NEED_PARENT_JOIN issue I mentioned and that adds the
> key_perms capability in the right place in the first place, not apply a fix on
> top.

I think the problem is that selinux_key_permission() is munging the new perm set into the old perm set and then passing that to avc_has_perm(). Really, we need to work backwards if the SELinux policy is described in terms of the old perm set. Is there any way to make that possible?

David