From: Andrew Morton <akpm@linux-foundation.org>
To: Eric Paris <eparis@redhat.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>,
linux-next@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, James Morris <jmorris@namei.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: linux-next: Tree for Apr 12
Date: Tue, 5 Jun 2012 12:50:19 -0700 [thread overview]
Message-ID: <20120605125019.dca1fd02.akpm@linux-foundation.org> (raw)
In-Reply-To: <1338864128.17933.2.camel@localhost>
On Mon, 04 Jun 2012 22:42:08 -0400
Eric Paris <eparis@redhat.com> wrote:
> > I really do not want to revert this and feel that the only right fix is
> > going to be to update your selinux policy to allow this new check. I'd
> > rather not allow (whatever program) to truncate() files willy-nilly (in
> > violation of the intentions of selinux policy)
> >
> > I'm sorry I never saw it sooner. We've had it in RHEL for even longer
> > than the 3 months it's been in -next. I think the 'right' fix is going
> > to have to be an update to SELinux policy (for your long dead system, if
> > you give me the denial I can build you a new policy) rather than leaving
> > the potential security hole in mainline...
>
> Andrew sent me his audit log and it didn't show anything. But it got me
> thinking. Now I think this actually is a code bug. Andrew, can you
> test this?
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2e7bd67..20a4315 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2758,7 +2758,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
> return dentry_has_perm(cred, dentry, FILE__SETATTR);
>
> - if (ia_valid & ATTR_SIZE)
> + if ((ia_valid & ATTR_SIZE) && selinux_policycap_openperm)
> av |= FILE__OPEN;
>
> return dentry_has_perm(cred, dentry, av);
That fixed it.
next prev parent reply other threads:[~2012-06-05 19:50 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-12 4:59 linux-next: Tree for Apr 12 Stephen Rothwell
2012-04-12 21:24 ` Andrew Morton
2012-04-13 12:11 ` Alan Cox
2012-06-04 22:04 ` Andrew Morton
2012-06-04 22:46 ` Eric Paris
2012-06-05 2:42 ` Eric Paris
2012-06-05 19:50 ` Andrew Morton [this message]
2013-04-12 6:19 Stephen Rothwell
2016-04-12 4:34 Stephen Rothwell
2017-04-12 7:35 Stephen Rothwell
2018-04-12 3:21 Stephen Rothwell
2019-04-12 8:17 Stephen Rothwell
2020-04-12 3:54 Stephen Rothwell
2021-04-12 13:01 Stephen Rothwell
2022-04-12 5:50 Stephen Rothwell
2023-04-12 4:50 Stephen Rothwell
2024-04-12 7:09 Stephen Rothwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120605125019.dca1fd02.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=sfr@canb.auug.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).