rpms/kernel/F-10 selinux-netlabel_setsockopt_fix.patch, 1.1, 1.2 kernel.spec, 1.1269, 1.1270
Kyle McMartin
kyle at fedoraproject.org
Sun Feb 22 18:12:42 UTC 2009
Author: kyle
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13106
Modified Files:
kernel.spec
Added Files:
selinux-netlabel_setsockopt_fix.patch
Log Message:
* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
- Add patch from Paul Moore to fix setsockopt when netlabel is in use (i.e.
when selinux is enabled). Resolves bz#486225.
selinux-netlabel_setsockopt_fix.patch:
Index: selinux-netlabel_setsockopt_fix.patch
===================================================================
RCS file: selinux-netlabel_setsockopt_fix.patch
diff -N selinux-netlabel_setsockopt_fix.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ selinux-netlabel_setsockopt_fix.patch 22 Feb 2009 18:12:41 -0000 1.2
@@ -0,0 +1,40 @@
+selinux: Fix the NetLabel glue code for setsockopt()
+
+From: Paul Moore <paul.moore at hp.com>
+
+At some point we (okay, I) managed to break the ability for users to use the
+setsockopt() syscall to set IPv4 options when NetLabel was not active on the
+socket in question. The problem was noticed by someone trying to use the
+"-R" (record route) option of ping:
+
+ # ping -R 10.0.0.1
+ ping: record route: No message of desired type
+
+The solution is relatively simple, we catch the unlabeled socket case and
+clear the error code, allowing the operation to succeed. Please note that we
+still deny users the ability to override IPv4 options on socket's which have
+NetLabel labeling active; this is done to ensure the labeling remains intact.
+
+Signed-off-by: Paul Moore <paul.moore at hp.com>
+---
+
+ security/selinux/netlabel.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+
+diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
+index f58701a..3f4b266 100644
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -490,8 +490,10 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
+ lock_sock(sk);
+ rc = netlbl_sock_getattr(sk, &secattr);
+ release_sock(sk);
+- if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
++ if (rc == 0)
+ rc = -EACCES;
++ else if (rc == -ENOMSG)
++ rc = 0;
+ netlbl_secattr_destroy(&secattr);
+ }
+
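Review bot: dropping the `secattr.flags != NETLBL_SECATTR_NONE` test turns every `rc == 0` return into -EACCES, so this hunk is correct only if netlbl_sock_getattr() reports a socket without a label as -ENOMSG rather than as rc == 0 with flags == NETLBL_SECATTR_NONE. The ping output quoted in the description ("No message of desired type" is the strerror text for ENOMSG) shows that is what it returns today, but nothing in the hunk records the dependency; a one-line comment on the new branch, e.g. `else if (rc == -ENOMSG) /* no label on this socket, allow the setsockopt */`, would stop a later change to netlbl_sock_getattr()'s return convention from silently reintroducing either the denial or the leaked errno. Any other negative return (such as -ENOMEM) still propagates unchanged, which is the right behaviour.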
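The failure in the patch description can be reproduced without ping. The following is an added example for this page, not code from the Fedora commit or from Paul Moore's patch: it installs an IPv4 record-route option with setsockopt(IP_OPTIONS), which is the call that reaches selinux_netlbl_socket_setsockopt(), and classifies the result the way the hunk does. The UDP socket, the buffer layout helpers and the classify() strings are my choices; what the page supports is that "No message of desired type" is strerror(ENOMSG), the -ENOMSG that netlbl_sock_getattr() returns for an unlabeled socket escaping to userspace.

```c
/* Added example (not part of the Fedora commit or Paul Moore's patch):
 * reproduce the bz486225 symptom at the socket layer by doing what
 * `ping -R` does, i.e. setsockopt(IPPROTO_IP, IP_OPTIONS, <record route>).
 * On an affected kernel the call fails with ENOMSG ("No message of
 * desired type"); on a fixed kernel it succeeds on an unlabeled socket
 * and fails with EACCES only when the socket carries a NetLabel label. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RR_OPT_LEN  40               /* whole IPv4 option space */
#define RR_OPT_OLEN (RR_OPT_LEN - 1) /* 3-byte header + 9 address slots */

/* Build a record-route option (RFC 791 option type 7): length 39, the
 * pointer at IPOPT_MINOFF (4) marking the first empty slot, nine zeroed
 * 4-byte slots, and one trailing IPOPT_END byte to pad to 40 bytes.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_rr_option(unsigned char *buf, size_t buflen)
{
    if (buf == NULL || buflen < RR_OPT_LEN)
        return 0;
    memset(buf, IPOPT_END, RR_OPT_LEN);    /* IPOPT_END is 0 */
    buf[IPOPT_OPTVAL] = IPOPT_RR;
    buf[IPOPT_OLEN]   = RR_OPT_OLEN;
    buf[IPOPT_OFFSET] = IPOPT_MINOFF;
    return RR_OPT_LEN;
}

/* Sanity-check an option buffer before handing it to the kernel: the
 * option length must fit the buffer and the pointer must lie between
 * IPOPT_MINOFF and one past the option length. Returns 1 if well formed. */
int rr_option_is_well_formed(const unsigned char *opt, size_t len)
{
    if (opt == NULL || len < 3 || len > RR_OPT_LEN)
        return 0;
    if (opt[IPOPT_OPTVAL] != IPOPT_RR)
        return 0;
    if (opt[IPOPT_OLEN] < 3 || opt[IPOPT_OLEN] > len)
        return 0;
    if (opt[IPOPT_OFFSET] < IPOPT_MINOFF ||
        opt[IPOPT_OFFSET] > opt[IPOPT_OLEN] + 1)
        return 0;
    return 1;
}

/* Install the option on a fresh UDP socket. Returns 0 on success,
 * errno (> 0) if setsockopt() failed, or -errno if no socket could be
 * created (a sandbox without network access lands here, which must not
 * be confused with a setsockopt() denial). */
int probe_ip_options(void)
{
    unsigned char opt[RR_OPT_LEN];
    int fd, err = 0;

    if (build_rr_option(opt, sizeof opt) == 0)
        return -EINVAL;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, opt, sizeof opt) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Map the probe result onto the cases the patched hook distinguishes. */
const char *classify(int err)
{
    if (err < 0)
        return "no socket: cannot probe";
    switch (err) {
    case 0:      return "ok: options accepted on an unlabeled socket (fixed kernel)";
    case ENOMSG: return "bug: unlabeled socket rejected (bz486225 behaviour)";
    case EACCES: return "denied: socket carries a NetLabel label, label kept intact";
    default:     return "other setsockopt error";
    }
}

int main(void)
{
    int err = probe_ip_options();
    const char *detail = err == 0 ? "success" : strerror(err < 0 ? -err : err);

    printf("setsockopt(IP_OPTIONS, record route): %s [%s]\n",
           classify(err), detail);
    return err == ENOMSG ? 1 : 0;
}
```

Run it as an unprivileged user on the kernel under test; an exit status of 1 means the ENOMSG leak is present. IP_OPTIONS with a plain record-route option needs no capability, so the probe exercises exactly the path the description says was broken.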
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1269
retrieving revision 1.1270
diff -u -r1.1269 -r1.1270
--- kernel.spec 21 Feb 2009 23:38:28 -0000 1.1269
+++ kernel.spec 22 Feb 2009 18:12:41 -0000 1.1270
@@ -619,6 +619,7 @@
Patch530: linux-2.6-silence-fbcon-logo.patch
Patch570: linux-2.6-selinux-mprotect-checks.patch
Patch580: linux-2.6-sparc-selinux-mprotect-checks.patch
+Patch581: selinux-netlabel_setsockopt_fix.patch
Patch591: linux-2.6-ext4-ENOSPC-debug.patch
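Review bot: the new file is named `selinux-netlabel_setsockopt_fix.patch` while the neighbouring SELinux entries (Patch570, Patch580) and every other patch in this hunk follow the `linux-2.6-*` naming convention; consider `linux-2.6-selinux-netlabel-setsockopt-fix.patch` so the SELinux patches sort together in the package directory.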
@@ -1122,6 +1123,9 @@
# Fix SELinux for sparc
ApplyPatch linux-2.6-sparc-selinux-mprotect-checks.patch
+# bz486225: fix setsockopt when netlabel is enabled
+ApplyPatch selinux-netlabel_setsockopt_fix.patch
+
# Changes to upstream defaults.
# squelch hda_beep by default
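Review bot: the comment `# bz486225: fix setsockopt when netlabel is enabled` is ambiguous about which case is fixed; the patch allows setsockopt() on sockets that carry no NetLabel label and still denies it on labeled ones. Suggest `# bz486225: allow setsockopt(IP_OPTIONS) on sockets with no NetLabel label` so the next person reading the spec does not expect labeled sockets to be affected.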
@@ -1747,6 +1751,10 @@
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
+ when selinux is enabled.) resolves bz#486225.
+
* Sat Feb 21 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.29-0.39.rc5.git5
- Set X86_MSR=y and X86_CPUID=y on 32-bit kernel.
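Review bot: the new %changelog entry has no version-release string after the author, unlike the preceding entry (`2.6.29-0.39.rc5.git5`), and this diff contains no matching Release bump; either add the version to the entry header or fold the line into the next tagged entry so `rpm -q --changelog` stays consistent. Minor: `ie:` should read `i.e.`.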