rpms/kernel/devel linux-2.6-selinux-deffered-context-mapping.patch, NONE, 1.1 kernel.spec, 1.628, 1.629

Eric Paris (eparis) fedora-extras-commits at redhat.com
Fri May 9 15:23:34 UTC 2008


Author: eparis

Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21405

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-selinux-deffered-context-mapping.patch 
Log Message:
* Fri May 09 2008 Eric Paris <eparis at redhat.com>
- support deferred context validation in selinux.  aka rpm can lay down illegal labels. (won't upstream until .27 opens)


linux-2.6-selinux-deffered-context-mapping.patch:

--- NEW FILE linux-2.6-selinux-deffered-context-mapping.patch ---
--- linux-2.6.25.x86_64/security/selinux/hooks.c.pre.illegal	2008-05-09 09:57:36.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/hooks.c	2008-05-09 10:15:19.000000000 -0400
@@ -2453,7 +2453,7 @@ static int selinux_inode_init_security(s
 	}
 
 	if (value && len) {
-		rc = security_sid_to_context(newsid, &context, &clen);
+		rc = security_sid_to_context_force(newsid, &context, &clen);
 		if (rc) {
 			kfree(namep);
 			return rc;
@@ -2626,6 +2626,11 @@ static int selinux_inode_setxattr(struct
 		return rc;
 
 	rc = security_context_to_sid(value, size, &newsid);
+	if (rc == -EINVAL) {
+		if (!capable(CAP_MAC_ADMIN))
+			return rc;
+		rc = security_context_to_sid_force(value, size, &newsid);
+	}
 	if (rc)
 		return rc;
 
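Review bot: The CAP_MAC_ADMIN gate placed in front of security_context_to_sid_force() needs a comment saying why an unparseable label is the privileged case, since a reader otherwise sees a capability check triggered by -EINVAL; the same applies to the fscreate branch in selinux_setprocattr (the hunk at -5106). I would put `/* Unknown to the current policy: only CAP_MAC_ADMIN may store it unmapped for later mapping. */` above `if (!capable(CAP_MAC_ADMIN))`. Because capable() runs only after the string failed to map, labels valid under the loaded policy never take this path. selinux_inode_setxattr starts before this hunk and its remaining permission checks on newsid are outside it.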
@@ -2659,10 +2664,11 @@ static void selinux_inode_post_setxattr(
 		return;
 	}
 
-	rc = security_context_to_sid(value, size, &newsid);
+	rc = security_context_to_sid_force(value, size, &newsid);
 	if (rc) {
-		printk(KERN_WARNING "%s:  unable to obtain SID for context "
-		       "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
+		printk(KERN_ERR "SELinux:  unable to map context to SID"
+		       "for (%s, %lu), rc=%d\n",
+		       inode->i_sb->s_id, inode->i_ino, -rc);
 		return;
 	}
 
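Review bot: The two string pieces of the new printk are concatenated without a separator, so the message comes out as `...unable to map context to SIDfor (...)`; the first literal should end with a space: `printk(KERN_ERR "SELinux:  unable to map context to SID "`. The `%lu` conversion is right only if `inode->i_ino` is `unsigned long` in this tree, which is not visible here. selinux_inode_post_setxattr begins before this hunk.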
@@ -5106,6 +5112,12 @@ static int selinux_setprocattr(struct ta
 			size--;
 		}
 		error = security_context_to_sid(value, size, &sid);
+		if (error == -EINVAL && !strcmp(name, "fscreate")) {
+			if (!capable(CAP_MAC_ADMIN))
+				return error;
+			error = security_context_to_sid_force(value, size,
+							      &sid);
+		}
 		if (error)
 			return error;
 	}
--- linux-2.6.25.x86_64/security/selinux/include/security.h.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/include/security.h	2008-05-09 10:16:53.000000000 -0400
@@ -83,9 +83,14 @@ int security_change_sid(u32 ssid, u32 ts
 int security_sid_to_context(u32 sid, char **scontext,
 	u32 *scontext_len);
 
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
+
 int security_context_to_sid(char *scontext, u32 scontext_len,
 	u32 *out_sid);
 
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+				  u32 *sid);
+
 int security_context_to_sid_default(char *scontext, u32 scontext_len,
 				    u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
 
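Review bot: The new prototypes are inconsistent in constness: security_context_to_sid_force() takes `const char *scontext`, while security_context_to_sid() and security_context_to_sid_default() beside it still take `char *`, even though services.c now routes all three through a core that takes `const char *`; declaring all three `const char *` would let callers pass const buffers uniformly. Neither new declaration carries a comment; a one-liner such as `/* Like security_context_to_sid(), but an unknown context gets a new SID that keeps the string until a later policy defines it. */` would state the force semantics at the interface where callers read it.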
--- linux-2.6.25.x86_64/security/selinux/ss/services.c.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/services.c	2008-05-09 10:43:39.000000000 -0400
@@ -587,6 +587,14 @@ static int context_struct_to_string(stru
 	*scontext = NULL;
 	*scontext_len = 0;
 
+	if (context->len) {
+		*scontext_len = context->len;
+		*scontext = kstrdup(context->str, GFP_ATOMIC);
+		if (!(*scontext))
+			return -ENOMEM;
+		return 0;
+	}
+
 	/* Compute the size of the context. */
 	*scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
 	*scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
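Review bot: In the new `context->len` branch `*scontext_len` is assigned before kstrdup() can fail, so on -ENOMEM the caller receives `*scontext = NULL` together with a non-zero length, contradicting the zeroed pair set just above; move the assignment after the NULL check: `*scontext = kstrdup(context->str, GFP_ATOMIC); if (!(*scontext)) return -ENOMEM; *scontext_len = context->len;`. context_struct_to_string starts before this hunk.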
@@ -627,17 +635,8 @@ const char *security_get_initial_sid_con
 	return initial_sid_to_string[sid];
 }
 
-/**
- * security_sid_to_context - Obtain a context for a given SID.
- * @sid: security identifier, SID
- * @scontext: security context
- * @scontext_len: length in bytes
- *
- * Write the string representation of the context associated with @sid
- * into a dynamically allocated string of the correct size.  Set @scontext
- * to point to this string and set @scontext_len to the length of the string.
- */
-int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
+static int security_sid_to_context_core(u32 sid, char **scontext,
+					u32 *scontext_len, int force)
 {
 	struct context *context;
 	int rc = 0;
@@ -665,7 +664,10 @@ int security_sid_to_context(u32 sid, cha
 		goto out;
 	}
 	POLICY_RDLOCK;
-	context = sidtab_search(&sidtab, sid);
+	if (force)
+		context = sidtab_search_force(&sidtab, sid);
+	else
+		context = sidtab_search(&sidtab, sid);
 	if (!context) {
 		printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
 		       "%d\n", sid);
@@ -680,36 +682,44 @@ out:
 
 }
 
-static int security_context_to_sid_core(char *scontext, u32 scontext_len,
-					u32 *sid, u32 def_sid, gfp_t gfp_flags)
+/**
+ * security_sid_to_context - Obtain a context for a given SID.
+ * @sid: security identifier, SID
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ *
+ * Write the string representation of the context associated with @sid
+ * into a dynamically allocated string of the correct size.  Set @scontext
+ * to point to this string and set @scontext_len to the length of the string.
+ */
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
 {
-	char *scontext2;
-	struct context context;
+	return security_sid_to_context_core(sid, scontext, scontext_len, 0);
+}
+
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
+{
+	return security_sid_to_context_core(sid, scontext, scontext_len, 1);
+}
+
+static int string_to_context_struct(struct policydb *pol,
+				    struct sidtab *sidtabp,
+				    const char *scontext,
+				    u32 scontext_len,
+				    struct context *ctx,
+				    u32 def_sid,
+				    gfp_t gfp_flags)
+{
+	char *scontext2 = NULL;
 	struct role_datum *role;
 	struct type_datum *typdatum;
 	struct user_datum *usrdatum;
 	char *scontextp, *p, oldc;
 	int rc = 0;
 
-	if (!ss_initialized) {
-		int i;
-
-		for (i = 1; i < SECINITSID_NUM; i++) {
-			if (!strcmp(initial_sid_to_string[i], scontext)) {
-				*sid = i;
-				goto out;
-			}
-		}
-		*sid = SECINITSID_KERNEL;
-		goto out;
-	}
-	*sid = SECSID_NULL;
+	context_init(ctx);
 
-	/* Copy the string so that we can modify the copy as we parse it.
-	   The string should already by null terminated, but we append a
-	   null suffix to the copy to avoid problems with the existing
-	   attr package, which doesn't view the null terminator as part
-	   of the attribute value. */
+	/* Copy the string so that we can modify the copy as we parse it. */
 	scontext2 = kmalloc(scontext_len+1, gfp_flags);
 	if (!scontext2) {
 		rc = -ENOMEM;
@@ -718,11 +728,6 @@ static int security_context_to_sid_core(
 	memcpy(scontext2, scontext, scontext_len);
 	scontext2[scontext_len] = 0;
 
-	context_init(&context);
-	*sid = SECSID_NULL;
-
-	POLICY_RDLOCK;
-
 	/* Parse the security context. */
 
 	rc = -EINVAL;
@@ -734,15 +739,15 @@ static int security_context_to_sid_core(
 		p++;
 
 	if (*p == 0)
-		goto out_unlock;
+		goto out;
 
 	*p++ = 0;
 
-	usrdatum = hashtab_search(policydb.p_users.table, scontextp);
+	usrdatum = hashtab_search(pol->p_users.table, scontextp);
 	if (!usrdatum)
-		goto out_unlock;
+		goto out;
 
-	context.user = usrdatum->value;
+	ctx->user = usrdatum->value;
 
 	/* Extract role. */
 	scontextp = p;
@@ -750,14 +755,14 @@ static int security_context_to_sid_core(
 		p++;
 
 	if (*p == 0)
-		goto out_unlock;
+		goto out;
 
 	*p++ = 0;
 
-	role = hashtab_search(policydb.p_roles.table, scontextp);
+	role = hashtab_search(pol->p_roles.table, scontextp);
 	if (!role)
-		goto out_unlock;
-	context.role = role->value;
+		goto out;
+	ctx->role = role->value;
 
 	/* Extract type. */
 	scontextp = p;
@@ -766,33 +771,74 @@ static int security_context_to_sid_core(
 	oldc = *p;
 	*p++ = 0;
 
-	typdatum = hashtab_search(policydb.p_types.table, scontextp);
+	typdatum = hashtab_search(pol->p_types.table, scontextp);
 	if (!typdatum)
-		goto out_unlock;
+		goto out;
 
-	context.type = typdatum->value;
+	ctx->type = typdatum->value;
 
-	rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
+	rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
 	if (rc)
-		goto out_unlock;
+		goto out;
 
 	if ((p - scontext2) < scontext_len) {
 		rc = -EINVAL;
-		goto out_unlock;
+		goto out;
 	}
 
 	/* Check the validity of the new context. */
-	if (!policydb_context_isvalid(&policydb, &context)) {
+	if (!policydb_context_isvalid(pol, ctx)) {
 		rc = -EINVAL;
-		goto out_unlock;
+		context_destroy(ctx);
+		goto out;
 	}
-	/* Obtain the new sid. */
-	rc = sidtab_context_to_sid(&sidtab, &context, sid);
-out_unlock:
-	POLICY_RDUNLOCK;
-	context_destroy(&context);
+	rc = 0;
+out:
 	kfree(scontext2);
+	return rc;
+}
+
+static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
+					u32 *sid, u32 def_sid, gfp_t gfp_flags,
+					int force)
+{
+	struct context context;
+	int rc = 0;
+
+	if (!ss_initialized) {
+		int i;
+
+		for (i = 1; i < SECINITSID_NUM; i++) {
+			if (!strcmp(initial_sid_to_string[i], scontext)) {
+				*sid = i;
+				goto out;
+			}
+		}
+		*sid = SECINITSID_KERNEL;
+		goto out;
+	}
+	*sid = SECSID_NULL;
+
+	POLICY_RDLOCK;
+	rc = string_to_context_struct(&policydb, &sidtab,
+				      scontext, scontext_len,
+				      &context, def_sid, gfp_flags);
+	if (rc == -EINVAL && force) {
+		context.str = kmalloc(scontext_len+1, gfp_flags);
+		if (!context.str) {
+			rc = -ENOMEM;
+			goto out;
+		}
+		memcpy(context.str, scontext, scontext_len);
+		context.str[scontext_len] = 0;
+		context.len = scontext_len;
+	} else if (rc)
+		goto out;
+	rc = sidtab_context_to_sid(&sidtab, &context, sid);
+	if (rc)
+		context_destroy(&context);
 out:
+	POLICY_RDUNLOCK;
 	return rc;
 }
 
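Review bot: security_context_to_sid_core() now unbalances the policy lock and leaks the parsed context. The `!ss_initialized` branch jumps to `out:`, which now executes POLICY_RDUNLOCK although POLICY_RDLOCK is only taken further down, so both of those `goto out` should become `return 0;`. On the success path the local `context` is no longer destroyed, whereas the removed code destroyed it unconditionally after sidtab_context_to_sid() (implying the sidtab keeps its own copy), so whatever the context owns, including the forced `context.str` allocated here, is lost on every successful mapping; string_to_context_struct() likewise returns a partially filled `ctx` on all of its -EINVAL paths except the isvalid one, so its `out:` should do `if (rc) context_destroy(ctx);` (making the destroy in the isvalid branch redundant). If POLICY_RDLOCK is the non-sleeping read_lock() of this file's rwlock (not visible here), the kmalloc(gfp_flags) in string_to_context_struct() (previous hunk) and in the force branch now run with GFP_KERNEL under it; the forced copy can be taken before the lock as below, and the copy inside string_to_context_struct() should be hoisted the same way, for example by handing it a pre-copied NUL-terminated buffer.
```c
	/* … unchanged: user/role/type parsing in string_to_context_struct() … */
	rc = 0;
out:
	/* Any failure releases the partially built ctx, including MLS bitmaps. */
	if (rc)
		context_destroy(ctx);
	kfree(scontext2);
	return rc;
}

static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
					u32 *sid, u32 def_sid, gfp_t gfp_flags,
					int force)
{
	struct context context;
	char *str = NULL;
	int rc = 0;

	if (!ss_initialized) {
		int i;

		for (i = 1; i < SECINITSID_NUM; i++) {
			if (!strcmp(initial_sid_to_string[i], scontext)) {
				*sid = i;
				return 0;	/* no lock held yet */
			}
		}
		*sid = SECINITSID_KERNEL;
		return 0;
	}
	*sid = SECSID_NULL;

	/* Take the forced copy before the policy lock so gfp_flags may sleep. */
	if (force) {
		str = kmalloc(scontext_len + 1, gfp_flags);
		if (!str)
			return -ENOMEM;
		memcpy(str, scontext, scontext_len);
		str[scontext_len] = 0;
	}

	POLICY_RDLOCK;
	rc = string_to_context_struct(&policydb, &sidtab,
				      scontext, scontext_len,
				      &context, def_sid, gfp_flags);
	if (rc == -EINVAL && force) {
		context.str = str;
		context.len = scontext_len;
		str = NULL;
	} else if (rc)
		goto out;
	rc = sidtab_context_to_sid(&sidtab, &context, sid);
	/* The sidtab holds its own copy; release the local one on every path. */
	context_destroy(&context);
out:
	POLICY_RDUNLOCK;
	kfree(str);
	return rc;
}
```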
@@ -810,7 +856,7 @@ out:
 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
 {
 	return security_context_to_sid_core(scontext, scontext_len,
-					    sid, SECSID_NULL, GFP_KERNEL);
+					    sid, SECSID_NULL, GFP_KERNEL, 0);
 }
 
 /**
@@ -827,6 +873,7 @@ int security_context_to_sid(char *sconte
  * The default SID is passed to the MLS layer to be used to allow
  * kernel labeling of the MLS field if the MLS field is not present
  * (for upgrading to MLS without full relabel).
+ * Implicitly forces adding of the context even if it cannot be mapped yet.
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
@@ -834,7 +881,14 @@ int security_context_to_sid_default(char
 				    u32 def_sid, gfp_t gfp_flags)
 {
 	return security_context_to_sid_core(scontext, scontext_len,
-					    sid, def_sid, gfp_flags);
+					    sid, def_sid, gfp_flags, 1);
+}
+
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+				  u32 *sid)
+{
+	return security_context_to_sid_core(scontext, scontext_len,
+					    sid, SECSID_NULL, GFP_KERNEL, 1);
 }
 
 static int compute_sid_handle_invalid_context(
@@ -1218,9 +1272,12 @@ static inline int convert_context_handle
 		char *s;
 		u32 len;
 
-		context_struct_to_string(context, &s, &len);
-		printk(KERN_ERR "security:  context %s is invalid\n", s);
-		kfree(s);
+		if (!context_struct_to_string(context, &s, &len)) {
+			printk(KERN_WARNING
+		       "SELinux:  Context %s would be invalid if enforcing\n",
+			       s);
+			kfree(s);
+		}
 	}
 	return rc;
 }
@@ -1252,6 +1309,32 @@ static int convert_context(u32 key,
 
 	args = p;
 
+	if (c->str) {
+		struct context ctx;
+		rc = string_to_context_struct(args->newp, NULL, c->str,
+					      c->len, &ctx, SECSID_NULL,
+					      GFP_KERNEL);
+		if (!rc) {
+			printk(KERN_INFO
+		       "SELinux:  Context %s became valid (mapped).\n",
+			       c->str);
+			/* Replace string with mapped representation. */
+			kfree(c->str);
+			memcpy(c, &ctx, sizeof(*c));
+			goto out;
+		} else if (rc == -EINVAL) {
+			/* Retain string representation for later mapping. */
+			rc = 0;
+			goto out;
+		} else {
+			/* Other error condition, e.g. ENOMEM. */
+			printk(KERN_ERR
+		       "SELinux:   Unable to map context %s, rc = %d.\n",
+			       c->str, -rc);
+			goto out;
+		}
+	}
+
 	rc = context_cpy(&oldc, c);
 	if (rc)
 		goto out;
@@ -1294,13 +1377,21 @@ static int convert_context(u32 key,
 	}
 
 	context_destroy(&oldc);
+	rc = 0;
 out:
 	return rc;
 bad:
-	context_struct_to_string(&oldc, &s, &len);
+	/* Map old representation to string and save it. */
+	if (context_struct_to_string(&oldc, &s, &len))
+		return -ENOMEM;
 	context_destroy(&oldc);
-	printk(KERN_ERR "security:  invalidating context %s\n", s);
-	kfree(s);
+	context_destroy(c);
+	c->str = s;
+	c->len = len;
+	printk(KERN_INFO
+	       "SELinux:  Context %s became invalid (unmapped).\n",
+	       c->str);
+	rc = 0;
 	goto out;
 }
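Review bot: The new -ENOMEM return in the `bad:` path leaves `oldc` undestroyed, leaking the copy that context_cpy() made earlier in convert_context(); release it before bailing out: `if (context_struct_to_string(&oldc, &s, &len)) { context_destroy(&oldc); return -ENOMEM; }`. The declarations of `s` and `len` and the start of convert_context() are outside this hunk. Because errors are no longer swallowed by sidtab_map_remove_on_error(), this return now aborts the policy load through the `goto err` added in security_load_policy(), which is the right outcome for ENOMEM.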
 
@@ -1379,7 +1470,11 @@ int security_load_policy(void *data, siz
 		return -EINVAL;
 	}
 
-	sidtab_init(&newsidtab);
+	if (sidtab_init(&newsidtab)) {
+		LOAD_UNLOCK;
+		policydb_destroy(&newpolicydb);
+		return -ENOMEM;
+	}
 
 	/* Verify that the kernel defined classes are correct. */
 	if (validate_classes(&newpolicydb)) {
@@ -1402,11 +1497,15 @@ int security_load_policy(void *data, siz
 		goto err;
 	}
 
-	/* Convert the internal representations of contexts
-	   in the new SID table and remove invalid SIDs. */
+	/*
+	 * Convert the internal representations of contexts
+	 * in the new SID table.
+	 */
 	args.oldp = &policydb;
 	args.newp = &newpolicydb;
-	sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
+	rc = sidtab_map(&newsidtab, convert_context, &args);
+	if (rc)
+		goto err;
 
 	/* Save the old policydb and SID table to free later. */
 	memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1652,6 +1751,8 @@ int security_get_user_sids(u32 fromsid,
 
 	POLICY_RDLOCK;
 
+	context_init(&usercon);
+
 	fromcon = sidtab_search(&sidtab, fromsid);
 	if (!fromcon) {
 		rc = -EINVAL;
--- linux-2.6.25.x86_64/security/selinux/ss/mls.c.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/mls.c	2008-05-09 10:21:25.000000000 -0400
@@ -239,7 +239,8 @@ int mls_context_isvalid(struct policydb 
  * Policy read-lock must be held for sidtab lookup.
  *
  */
-int mls_context_to_sid(char oldc,
+int mls_context_to_sid(struct policydb *pol,
+		       char oldc,
 		       char **scontext,
 		       struct context *context,
 		       struct sidtab *s,
@@ -286,7 +287,7 @@ int mls_context_to_sid(char oldc,
 		*p++ = 0;
 
 	for (l = 0; l < 2; l++) {
-		levdatum = hashtab_search(policydb.p_levels.table, scontextp);
+		levdatum = hashtab_search(pol->p_levels.table, scontextp);
 		if (!levdatum) {
 			rc = -EINVAL;
 			goto out;
@@ -310,7 +311,7 @@ int mls_context_to_sid(char oldc,
 					*rngptr++ = 0;
 				}
 
-				catdatum = hashtab_search(policydb.p_cats.table,
+				catdatum = hashtab_search(pol->p_cats.table,
 				                          scontextp);
 				if (!catdatum) {
 					rc = -EINVAL;
@@ -326,7 +327,7 @@ int mls_context_to_sid(char oldc,
 				if (rngptr) {
 					int i;
 
-					rngdatum = hashtab_search(policydb.p_cats.table, rngptr);
+					rngdatum = hashtab_search(pol->p_cats.table, rngptr);
 					if (!rngdatum) {
 						rc = -EINVAL;
 						goto out;
@@ -394,7 +395,7 @@ int mls_from_string(char *str, struct co
 	if (!tmpstr) {
 		rc = -ENOMEM;
 	} else {
-		rc = mls_context_to_sid(':', &tmpstr, context,
+		rc = mls_context_to_sid(&policydb, ':', &tmpstr, context,
 		                        NULL, SECSID_NULL);
 		kfree(freestr);
 	}
--- linux-2.6.25.x86_64/security/selinux/ss/sidtab.c.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/sidtab.c	2008-05-09 10:45:33.000000000 -0400
@@ -86,7 +86,7 @@ out:
 	return rc;
 }
 
-struct context *sidtab_search(struct sidtab *s, u32 sid)
+static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
 {
 	int hvalue;
 	struct sidtab_node *cur;
@@ -99,7 +99,10 @@ struct context *sidtab_search(struct sid
 	while (cur != NULL && sid > cur->sid)
 		cur = cur->next;
 
-	if (cur == NULL || sid != cur->sid) {
+	if (force && cur && sid == cur->sid && cur->context.len)
+		return &cur->context;
+
+	if (cur == NULL || sid != cur->sid || cur->context.len) {
 		/* Remap invalid SIDs to the unlabeled SID. */
 		sid = SECINITSID_UNLABELED;
 		hvalue = SIDTAB_HASH(sid);
@@ -113,6 +116,16 @@ struct context *sidtab_search(struct sid
 	return &cur->context;
 }
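Review bot: sidtab_search_core() should say what `force` changes, because non-force callers silently receive the unlabeled SID's context for an entry that exists but is string-only, which is easy to miss when reading the two conditions; I would add above the first new `if`: `/* force: hand back an unmapped (str/len-only) context instead of remapping it to SECINITSID_UNLABELED. */`. The remainder of the function sits in the following hunk.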
 
+struct context *sidtab_search(struct sidtab *s, u32 sid)
+{
+	return sidtab_search_core(s, sid, 0);
+}
+
+struct context *sidtab_search_force(struct sidtab *s, u32 sid)
+{
+	return sidtab_search_core(s, sid, 1);
+}
+
 int sidtab_map(struct sidtab *s,
 	       int (*apply) (u32 sid,
 			     struct context *context,
@@ -138,45 +151,6 @@ out:
 	return rc;
 }
 
-void sidtab_map_remove_on_error(struct sidtab *s,
-				int (*apply) (u32 sid,
-					      struct context *context,
-					      void *args),
-				void *args)
-{
-	int i, ret;
-	struct sidtab_node *last, *cur, *temp;
-
-	if (!s)
-		return;
-
-	for (i = 0; i < SIDTAB_SIZE; i++) {
-		last = NULL;
-		cur = s->htable[i];
-		while (cur != NULL) {
-			ret = apply(cur->sid, &cur->context, args);
-			if (ret) {
-				if (last) {
-					last->next = cur->next;
-				} else {
-					s->htable[i] = cur->next;
-				}
-
-				temp = cur;
-				cur = cur->next;
-				context_destroy(&temp->context);
-				kfree(temp);
-				s->nel--;
-			} else {
-				last = cur;
-				cur = cur->next;
-			}
-		}
-	}
-
-	return;
-}
-
 static inline u32 sidtab_search_context(struct sidtab *s,
 						  struct context *context)
 {
@@ -217,6 +191,10 @@ int sidtab_context_to_sid(struct sidtab 
 			goto unlock_out;
 		}
 		sid = s->next_sid++;
+		if (context->len)
+			printk(KERN_INFO
+		       "SELinux:  Context %s is not valid (left unmapped).\n",
+			       context->str);
 		ret = sidtab_insert(s, sid, context);
 		if (ret)
 			s->next_sid--;
--- linux-2.6.25.x86_64/security/selinux/ss/mls.h.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/mls.h	2008-05-09 10:23:33.000000000 -0400
@@ -30,7 +30,8 @@ int mls_context_isvalid(struct policydb 
 int mls_range_isvalid(struct policydb *p, struct mls_range *r);
 int mls_level_isvalid(struct policydb *p, struct mls_level *l);
 
-int mls_context_to_sid(char oldc,
+int mls_context_to_sid(struct policydb *p,
+		       char oldc,
 	               char **scontext,
 		       struct context *context,
 		       struct sidtab *s,
--- linux-2.6.25.x86_64/security/selinux/ss/context.h.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/context.h	2008-05-09 10:00:55.000000000 -0400
@@ -28,6 +28,8 @@ struct context {
 	u32 role;
 	u32 type;
 	struct mls_range range;
+	char *str;	/* string representation if context cannot be mapped. */
+	u32 len;        /* length of string in bytes */
 };
 
 static inline void mls_context_init(struct context *c)
@@ -106,20 +108,43 @@ static inline void context_init(struct c
 
 static inline int context_cpy(struct context *dst, struct context *src)
 {
+	int rc;
+
 	dst->user = src->user;
 	dst->role = src->role;
 	dst->type = src->type;
-	return mls_context_cpy(dst, src);
+	if (src->str) {
+		dst->str = kstrdup(src->str, GFP_ATOMIC);
+		if (!dst->str)
+			return -ENOMEM;
+		dst->len = src->len;
+	} else {
+		dst->str = NULL;
+		dst->len = 0;
+	}
+	rc = mls_context_cpy(dst, src);
+	if (rc) {
+		kfree(dst->str);
+		return rc;
+	}
+	return 0;
 }
 
 static inline void context_destroy(struct context *c)
 {
 	c->user = c->role = c->type = 0;
+	kfree(c->str);
+	c->str = NULL;
+	c->len = 0;
 	mls_context_destroy(c);
 }
 
 static inline int context_cmp(struct context *c1, struct context *c2)
 {
+	if (c1->len && c2->len)
+		return (c1->len == c2->len && !strcmp(c1->str, c2->str));
+	if (c1->len || c2->len)
+		return 0;
 	return ((c1->user == c2->user) &&
 		(c1->role == c2->role) &&
 		(c1->type == c2->type) &&
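Review bot: When mls_context_cpy() fails, context_cpy() frees `dst->str` but leaves the pointer and `dst->len` set, so a later context_destroy(dst) would kfree() the same pointer again; clear both after the free: `kfree(dst->str); dst->str = NULL; dst->len = 0;`. context_cmp() compares two unmapped contexts by string only, which is consistent with `len` being non-zero only for unmapped ones; its closing lines are outside this hunk.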
--- linux-2.6.25.x86_64/security/selinux/ss/sidtab.h.pre.illegal	2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25.x86_64/security/selinux/ss/sidtab.h	2008-05-09 10:00:55.000000000 -0400
@@ -32,6 +32,7 @@ struct sidtab {
 int sidtab_init(struct sidtab *s);
 int sidtab_insert(struct sidtab *s, u32 sid, struct context *context);
 struct context *sidtab_search(struct sidtab *s, u32 sid);
+struct context *sidtab_search_force(struct sidtab *s, u32 sid);
 
 int sidtab_map(struct sidtab *s,
 	       int (*apply) (u32 sid,
@@ -39,12 +40,6 @@ int sidtab_map(struct sidtab *s,
 			     void *args),
 	       void *args);
 
-void sidtab_map_remove_on_error(struct sidtab *s,
-				int (*apply) (u32 sid,
-					      struct context *context,
-					      void *args),
-				void *args);
-
 int sidtab_context_to_sid(struct sidtab *s,
 			  struct context *context,
 			  u32 *sid);


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.628
retrieving revision 1.629
diff -u -r1.628 -r1.629
--- kernel.spec	7 May 2008 21:02:06 -0000	1.628
+++ kernel.spec	9 May 2008 15:22:55 -0000	1.629
@@ -623,7 +623,8 @@
 
 Patch750: linux-2.6-md-fix-oops-in-rdev_attr_store.patch
 
-# SELinux patches, will go upstream in .26
+# SELinux patches, will go upstream in .27
+Patch800: linux-2.6-selinux-deffered-context-mapping.patch
 #
 
 Patch1101: linux-2.6-default-mmf_dump_elf_headers.patch
@@ -1148,6 +1149,9 @@
 # fix broken drive detection on some macbooks (#439398)
 ApplyPatch linux-2.6-libata-ata_piix-check-sidpr.patch
 
+# Allow selinux to defer validation of contexts, aka: rpm can write illegal labels
+ApplyPatch linux-2.6-selinux-deffered-context-mapping.patch
+
 # wireless patches headed for 2.6.25
 #ApplyPatch linux-2.6-wireless.patch
 # wireless patches headed for 2.6.26
@@ -1804,6 +1808,9 @@
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Fri May 09 2008 Eric Paris <eparis at redhat.com>
+- support deffered context validation in selinux.  aka rpm can lay down illegal labels. (won't upstream until .27 opens)
+
 * Wed May 07 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.2-5
 - Add the patches queued for 2.6.25.3
 



