rpms/kernel/F-10 selinux-netlabel_setsockopt_fix.patch, 1.1, 1.2 kernel.spec, 1.1269, 1.1270

Kyle McMartin kyle at fedoraproject.org
Sun Feb 22 18:12:42 UTC 2009


Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13106

Modified Files:
	kernel.spec 
Added Files:
	selinux-netlabel_setsockopt_fix.patch 
Log Message:
* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
- Add patch from Paul Moore to fix setsockopt when netlabel is in use (i.e.
   when SELinux is enabled); resolves bz#486225.


selinux-netlabel_setsockopt_fix.patch:

Index: selinux-netlabel_setsockopt_fix.patch
===================================================================
RCS file: selinux-netlabel_setsockopt_fix.patch
diff -N selinux-netlabel_setsockopt_fix.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ selinux-netlabel_setsockopt_fix.patch	22 Feb 2009 18:12:41 -0000	1.2
@@ -0,0 +1,40 @@
+selinux: Fix the NetLabel glue code for setsockopt()
+
+From: Paul Moore <paul.moore at hp.com>
+
+At some point we (okay, I) managed to break the ability for users to use the
+setsockopt() syscall to set IPv4 options when NetLabel was not active on the
+socket in question.  The problem was noticed by someone trying to use the
+"-R" (record route) option of ping:
+
+ # ping -R 10.0.0.1
+ ping: record route: No message of desired type
+
+The solution is relatively simple, we catch the unlabeled socket case and
+clear the error code, allowing the operation to succeed.  Please note that we
+still deny users the ability to override IPv4 options on socket's which have
+NetLabel labeling active; this is done to ensure the labeling remains intact.
+
+Signed-off-by: Paul Moore <paul.moore at hp.com>
+---
+
+ security/selinux/netlabel.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+
+diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
+index f58701a..3f4b266 100644
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -490,8 +490,10 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
+ 		lock_sock(sk);
+ 		rc = netlbl_sock_getattr(sk, &secattr);
+ 		release_sock(sk);
+-		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
++		if (rc == 0)
+ 			rc = -EACCES;
++		else if (rc == -ENOMSG)
++			rc = 0;
+ 		netlbl_secattr_destroy(&secattr);
+ 	}
+ 
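Review bot: The rewritten condition `if (rc == 0) rc = -EACCES;` silently drops the `secattr.flags != NETLBL_SECATTR_NONE` test, so any netlbl_sock_getattr() call that returns 0 is now treated as a labeled socket, and the "unlabeled" case is recognised only through the new `else if (rc == -ENOMSG) rc = 0;` branch; the description should state that assumption explicitly (that an unlabeled socket is reported as -ENOMSG, not as 0 with no attributes), because if getattr can ever return 0 with NETLBL_SECATTR_NONE the operation is now denied where the old code allowed it. The text would also read better if it named the actual failure mode: the ping output shows ENOMSG ("No message of desired type") leaking straight to userspace, which is what the new branch masks, while any other getattr error still propagates unchanged, matching the stated intent of keeping labeled sockets protected.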


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1269
retrieving revision 1.1270
diff -u -r1.1269 -r1.1270
--- kernel.spec	21 Feb 2009 23:38:28 -0000	1.1269
+++ kernel.spec	22 Feb 2009 18:12:41 -0000	1.1270
@@ -619,6 +619,7 @@
 Patch530: linux-2.6-silence-fbcon-logo.patch
 Patch570: linux-2.6-selinux-mprotect-checks.patch
 Patch580: linux-2.6-sparc-selinux-mprotect-checks.patch
+Patch581: selinux-netlabel_setsockopt_fix.patch
 
 Patch591: linux-2.6-ext4-ENOSPC-debug.patch
 
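Review bot: Patch581's file name does not follow the `linux-2.6-` prefix used by the neighbouring Patch530/570/580 entries; consider renaming it to something like linux-2.6-selinux-netlabel-setsockopt-fix.patch for consistency (the ApplyPatch line would need the same rename).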
@@ -1122,6 +1123,9 @@
 # Fix SELinux for sparc
 ApplyPatch linux-2.6-sparc-selinux-mprotect-checks.patch
 
+# bz486225: fix setsockopt when netlabel is enabled
+ApplyPatch selinux-netlabel_setsockopt_fix.patch
+
 # Changes to upstream defaults.
 
 # squelch hda_beep by default
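Review bot: The comment `# bz486225: fix setsockopt when netlabel is enabled` inverts the actual condition: per the patch description the failure hits sockets on which NetLabel is *not* active while the subsystem as a whole is enabled, so a wording such as "fix setsockopt on unlabeled sockets when NetLabel/SELinux is enabled" would describe the fix more accurately.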
@@ -1747,6 +1751,10 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
+   when selinux is enabled.) resolves bz#486225.
+
 * Sat Feb 21 2009 Chuck Ebbert <cebbert at redhat.com>  2.6.29-0.39.rc5.git5
 - Set X86_MSR=y and X86_CPUID=y on 32-bit kernel.
 
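Review bot: The new %changelog entry omits the version-release string that the preceding Chuck Ebbert entry carries after the e-mail address (`2.6.29-0.39.rc5.git5`), so the build this change lands in is not recorded; add the bumped version-release on the `* Sun Feb 22 2009` line to match the existing convention, and "ie:" should read "i.e.".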