selinux + livecd-creator, May 20, 2008
Eric Paris
eparis at redhat.com
Tue May 20 20:13:04 UTC 2008
On Tue, 2008-05-20 at 16:08 -0400, Stephen Smalley wrote:
> Use non-auditing forms of the
> permission checks as getxattr may be called by unprivileged processes
> commonly and lack of permission just means that we fall back to the
> in-core context value, not a denial.
If we do put this on list, lets make this an in code comment so its easy
to remember in another 100 years when the next poor sap has to figure
out what I am doing these days :)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 4be1563..fe4f9ad 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2765,12 +2765,24 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
> u32 size;
> int error;
> char *context = NULL;
> + struct task_security_struct *tsec = current->security;
> struct inode_security_struct *isec = inode->i_security;
>
> if (strcmp(name, XATTR_SELINUX_SUFFIX))
> return -EOPNOTSUPP;
>
> - error = security_sid_to_context(isec->sid, &context, &size);
> + error = secondary_ops->capable(current, CAP_MAC_ADMIN);
> + if (!error)
> + error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
> + SECCLASS_CAPABILITY2,
> + CAPABILITY2__MAC_ADMIN,
> + 0,
> + NULL);
> + if (!error)
> + error = security_sid_to_context_force(isec->sid, &context,
> + &size);
> + else
> + error = security_sid_to_context(isec->sid, &context, &size);
> if (error)
> return error;
> error = size;
>
More information about the fedora-selinux-list
mailing list