From 2e08c0c1c3977a5ddc88887dd3af1b26c433e9d0 Mon Sep 17 00:00:00 2001 From: Eamon Walsh Date: Thu, 24 Jan 2008 15:30:52 -0500 Subject: selinux: make mls_compute_sid always polyinstantiate This patch removes the requirement that the new and related object types differ in order to polyinstantiate by MLS level. This allows MLS polyinstantiation to occur in the absence of explicit type_member rules or when the type has not changed. Potential users of this support include pam_namespace.so (directory polyinstantiation) and the SELinux X support (property polyinstantiation). Signed-off-by: Eamon Walsh Acked-by: Stephen Smalley Signed-off-by: James Morris --- security/selinux/ss/mls.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'security/selinux/ss/mls.c') diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index fb5d70a6628d..3bbcb5369af9 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext, /* Use the process effective MLS attributes. */ return mls_context_cpy_low(newcontext, scontext); case AVTAB_MEMBER: - /* Only polyinstantiate the MLS attributes if - the type is being polyinstantiated */ - if (newcontext->type != tcontext->type) { - /* Use the process effective MLS attributes. */ - return mls_context_cpy_low(newcontext, scontext); - } else { - /* Use the related object MLS attributes. */ - return mls_context_cpy(newcontext, tcontext); - } + /* Use the process effective MLS attributes. */ + return mls_context_cpy_low(newcontext, scontext); default: return -EINVAL; } -- cgit v1.2.3 From 16efd45435fa695b501b7f73c3259bd7c77cc12c Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 29 Jan 2008 08:37:59 -0500 Subject: NetLabel: Add secid token support to the NetLabel secattr struct This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/mls.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'security/selinux/ss/mls.c') diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 3bbcb5369af9..feaf0a5b828f 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c @@ -562,7 +562,7 @@ void mls_export_netlbl_lvl(struct context *context, if (!selinux_mls_enabled) return; - secattr->mls_lvl = context->range.level[0].sens - 1; + secattr->attr.mls.lvl = context->range.level[0].sens - 1; secattr->flags |= NETLBL_SECATTR_MLS_LVL; } @@ -582,7 +582,7 @@ void mls_import_netlbl_lvl(struct context *context, if (!selinux_mls_enabled) return; - context->range.level[0].sens = secattr->mls_lvl + 1; + context->range.level[0].sens = secattr->attr.mls.lvl + 1; context->range.level[1].sens = context->range.level[0].sens; } @@ -605,8 +605,8 @@ int mls_export_netlbl_cat(struct context *context, return 0; rc = ebitmap_netlbl_export(&context->range.level[0].cat, - &secattr->mls_cat); - if (rc == 0 && secattr->mls_cat != NULL) + &secattr->attr.mls.cat); + if (rc == 0 && secattr->attr.mls.cat != NULL) secattr->flags |= NETLBL_SECATTR_MLS_CAT; return rc; @@ -633,7 +633,7 @@ int mls_import_netlbl_cat(struct context *context, return 0; rc = ebitmap_netlbl_import(&context->range.level[0].cat, - secattr->mls_cat); + secattr->attr.mls.cat); if (rc != 0) goto import_netlbl_cat_failure; -- cgit v1.2.3