rpms/kernel/devel linux-2.6-selinux-get-invalid-xattrs.patch, NONE, 1.1 kernel.spec, 1.682, 1.683

Eric Paris (eparis) fedora-extras-commits at redhat.com
Wed Jun 11 14:49:40 UTC 2008 

Author: eparis

Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24904

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-selinux-get-invalid-xattrs.patch 
Log Message:
* Wed Jun 11 2008 Eric Paris <eparis at redhat.com>
- allow things like restorecon to read invalid labels from the disk


linux-2.6-selinux-get-invalid-xattrs.patch:

--- NEW FILE linux-2.6-selinux-get-invalid-xattrs.patch ---
Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy
to get undefined contexts on inodes.  This extends the support for
deferred mapping of security contexts in order to permit restorecon
and similar programs to see the raw file contexts unknown to the
system policy in order to check them.


Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>

---

 security/selinux/hooks.c |   27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4be1563..91b666a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2754,9 +2754,7 @@ static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
 }
 
 /*
- * Copy the in-core inode security context value to the user.  If the
- * getxattr() prior to this succeeded, check to see if we need to
- * canonicalize the value to be finally returned to the user.
+ * Copy the inode security context value to the user.
  *
  * Permission check is handled by selinux_inode_getxattr hook.
  */
@@ -2765,12 +2763,33 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
 	u32 size;
 	int error;
 	char *context = NULL;
+	struct task_security_struct *tsec = current->security;
 	struct inode_security_struct *isec = inode->i_security;
 
 	if (strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
-	error = security_sid_to_context(isec->sid, &context, &size);
+	/*
+	 * If the caller has CAP_MAC_ADMIN, then get the raw context
+	 * value even if it is not defined by current policy; otherwise,
+	 * use the in-core value under current policy.
+	 * Use the non-auditing forms of the permission checks since
+	 * getxattr may be called by unprivileged processes commonly
+	 * and lack of permission just means that we fall back to the
+	 * in-core context value, not a denial.
+	 */
+	error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+	if (!error)
+		error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
+					     SECCLASS_CAPABILITY2,
+					     CAPABILITY2__MAC_ADMIN,
+					     0,
+					     NULL);
+	if (!error)
+		error = security_sid_to_context_force(isec->sid, &context,
+						      &size);
+	else
+		error = security_sid_to_context(isec->sid, &context, &size);
 	if (error)
 		return error;
 	error = size;

-- 
Stephen Smalley
National Security Agency



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.682
retrieving revision 1.683
diff -u -r1.682 -r1.683
--- kernel.spec	10 Jun 2008 19:08:27 -0000	1.682
+++ kernel.spec	11 Jun 2008 14:48:52 -0000	1.683
@@ -620,6 +620,7 @@
 Patch801: linux-2.6-selinux-deffered-context-mapping-no-sleep.patch
 Patch802: linux-2.6-selinux-generic-ioctl.patch
 Patch803: linux-2.6-selinux-new-proc-checks.patch
+Patch804: linux-2.6-selinux-get-invalid-xattrs.patch
 #
 
 Patch1101: linux-2.6-default-mmf_dump_elf_headers.patch
@@ -1127,6 +1128,7 @@
 ApplyPatch linux-2.6-selinux-deffered-context-mapping-no-sleep.patch
 ApplyPatch linux-2.6-selinux-generic-ioctl.patch
 ApplyPatch linux-2.6-selinux-new-proc-checks.patch
+ApplyPatch linux-2.6-selinux-get-invalid-xattrs.patch
 
 # wireless patches headed for 2.6.26
 ApplyPatch linux-2.6-wireless.patch
@@ -1774,6 +1776,9 @@
 %kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL}.xen -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.xen.conf %{with_xen} xen
 
 %changelog
+* Wed Jun 11 2008 Eric Paris <eparis at redhat.com>
+- allow things like restorecon to read invalid labels from the disk
+
 * Tue Jun 10 2008 John W. Linville <linville at redhat.com>
 - Upstream wireless fixes from 2008-06-09
   (http://marc.info/?l=linux-kernel&m=121304710726632&w=2)

More information about the fedora-extras-commits mailing list