diff options
author | Harry Ciao <qingtao.cao@windriver.com> | 2011-03-02 06:32:33 +0100 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2011-03-03 21:19:43 +0100 |
commit | 6f5317e730505d5cbc851c435a2dfe3d5a21d343 (patch) | |
tree | 02088cf519a00db5c6fbdb2cc8776402413eb662 /security/selinux/ss/mls.c | |
parent | SELinux: Auto-generate security_is_socket_class (diff) | |
download | linux-6f5317e730505d5cbc851c435a2dfe3d5a21d343.tar.xz linux-6f5317e730505d5cbc851c435a2dfe3d5a21d343.zip |
SELinux: Socket retains creator role and MLS attribute
The socket SID would be computed on creation and no longer inherit
its creator's SID by default. Socket may have a different type but
needs to retain the creator's role and MLS attribute in order not
to break labeled networking and network access control.
The kernel value for a class would be used to determine if the class
if one of socket classes. If security_compute_sid is called from
userspace the policy value for a class would be mapped to the relevant
kernel value first.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security/selinux/ss/mls.c')
-rw-r--r-- | security/selinux/ss/mls.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 1ef8e4e89880..e96174216bc9 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -512,7 +512,8 @@ int mls_compute_sid(struct context *scontext, struct context *tcontext, u16 tclass, u32 specified, - struct context *newcontext) + struct context *newcontext, + bool sock) { struct range_trans rtr; struct mls_range *r; @@ -531,7 +532,7 @@ int mls_compute_sid(struct context *scontext, return mls_range_set(newcontext, r); /* Fallthrough */ case AVTAB_CHANGE: - if (tclass == policydb.process_class) + if ((tclass == policydb.process_class) || (sock == true)) /* Use the process MLS attributes. */ return mls_context_cpy(newcontext, scontext); else |