[PATCH][SELINUX] Add DAC check for setxattr(security.selinux)

From: Stephen Smalley
Date: Wed Oct 20 2004 - 11:29:16 EST

Next message: Stephen Hemminger: "Re: [ANNOUNCE] iproute2 2.6.9-041019"
Previous message: Timothy Miller: "Re: [PATCH 1/3] Separate IRQ-stacks from 4K-stacks option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch against 2.6.9 adds a DAC ownership check to the existing MAC
permission checks when setting the security.selinux attribute via
setxattr. In the past, the MAC permission checks were viewed as
sufficient for controlling relabeling operations, but experience in the
Fedora SELinux integration has shown that a DAC check is also
appropriate here, particularly under targeted policy. Please apply.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxxx>

security/selinux/hooks.c | 3 +++
1 files changed, 3 insertions(+)

--- linux-2.6.9/security/selinux/hooks.c.orig 2004-10-20 10:32:18.653598056 -0400
+++ linux-2.6.9/security/selinux/hooks.c 2004-10-20 10:32:39.712396632 -0400
@@ -2243,6 +2243,9 @@ static int selinux_inode_setxattr(struct
if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
return -EOPNOTSUPP;

+ if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+ return -EPERM;
+
AVC_AUDIT_DATA_INIT(&ad,FS);
ad.u.fs.dentry = dentry;

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Hemminger: "Re: [ANNOUNCE] iproute2 2.6.9-041019"
Previous message: Timothy Miller: "Re: [PATCH 1/3] Separate IRQ-stacks from 4K-stacks option"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]