Commit b7e41f90 authored by Stephen D. Smalley's avatar Stephen D. Smalley Committed by Linus Torvalds

[PATCH] Add DAC check for setxattr(security.selinux)

This patch against 2.6.9 adds a DAC ownership check to the existing MAC
permission checks when setting the security.selinux attribute via setxattr.
In the past, the MAC permission checks were viewed as sufficient for
controlling relabeling operations, but experience in the Fedora SELinux
integration has shown that a DAC check is also appropriate here,
particularly under targeted policy.
Signed-off-by: default avatarStephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent a710802b
...@@ -2237,6 +2237,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value ...@@ -2237,6 +2237,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
return -EOPNOTSUPP; return -EOPNOTSUPP;
if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
return -EPERM;
AVC_AUDIT_DATA_INIT(&ad,FS); AVC_AUDIT_DATA_INIT(&ad,FS);
ad.u.fs.dentry = dentry; ad.u.fs.dentry = dentry;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment