Fix SELinux issue with conditional rules (rhbz 1298192)
parent
ee1deda33b
commit
f0bf733bf0
|
@ -674,6 +674,9 @@ Patch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch
|
|||
#rhbz 1298996
|
||||
Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch
|
||||
|
||||
#rhbz 1298192
|
||||
Patch626: selinux-fix-bug-in-conditional-rules-handling.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2117,6 +2120,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Jan 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix SELinux issue with conditional rules (rhbz 1298192)
|
||||
|
||||
* Fri Jan 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix block errors on PAE machines (rhbz 1298996)
|
||||
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
From f3bef67992e8698897b584616535803887c4a73e Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Mon, 23 Nov 2015 16:07:41 -0500
|
||||
Subject: [PATCH] selinux: fix bug in conditional rules handling
|
||||
|
||||
commit fa1aa143ac4a ("selinux: extended permissions for ioctls")
|
||||
introduced a bug into the handling of conditional rules, skipping the
|
||||
processing entirely when the caller does not provide an extended
|
||||
permissions (xperms) structure. Access checks from userspace using
|
||||
/sys/fs/selinux/access do not include such a structure since that
|
||||
interface does not presently expose extended permission information.
|
||||
As a result, conditional rules were being ignored entirely on userspace
|
||||
access requests, producing denials when access was allowed by
|
||||
conditional rules in the policy. Fix the bug by only skipping
|
||||
computation of extended permissions in this situation, not the entire
|
||||
conditional rules processing.
|
||||
|
||||
Reported-by: Laurent Bigonville <bigon@debian.org>
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
[PM: fixed long lines in patch description]
|
||||
Cc: stable@vger.kernel.org # 4.3
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/ss/conditional.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
|
||||
index 18643bf9894d..456e1a9bcfde 100644
|
||||
--- a/security/selinux/ss/conditional.c
|
||||
+++ b/security/selinux/ss/conditional.c
|
||||
@@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
|
||||
{
|
||||
struct avtab_node *node;
|
||||
|
||||
- if (!ctab || !key || !avd || !xperms)
|
||||
+ if (!ctab || !key || !avd)
|
||||
return;
|
||||
|
||||
for (node = avtab_search_node(ctab, key); node;
|
||||
@@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
|
||||
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
|
||||
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
|
||||
avd->auditallow |= node->datum.u.data;
|
||||
- if ((node->key.specified & AVTAB_ENABLED) &&
|
||||
+ if (xperms && (node->key.specified & AVTAB_ENABLED) &&
|
||||
(node->key.specified & AVTAB_XPERMS))
|
||||
services_compute_xperms_drivers(xperms, node);
|
||||
}
|
||||
--
|
||||
2.5.0
|
||||
|
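Review bot: The new-side guard `if (!ctab || !key || !avd)` at the top of cond_compute_av now deliberately lets a NULL `xperms` through, but nothing in the code says so; the only trace is the `xperms &&` prefix on the AVTAB_XPERMS branch near the end of the hunk, which reads like an incidental NULL check rather than a supported calling mode. A one-line comment on the early return would stop the next refactor from folding `!xperms` back into it, which is exactly the regression this backport fixes: `/* xperms may be NULL (e.g. /sys/fs/selinux/access queries): skip only the xperms computation below, never the conditional av computation. */`. cond_compute_av's signature sits on the hunk header and its body continues past the hunk, so the unseen remainder is not reviewed here. Since the patch header names the upstream commit (f3bef67992e8) and carries a `Cc: stable` 4.3 trailer, the spec's `#rhbz 1298192` comment could also cite that commit id so the Patch626 line is easy to drop once a stable update carries it.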