* [PATCH][SELINUX] Add DAC check for setxattr(security.selinux)
@ 2004-10-20 16:10 Stephen Smalley
0 siblings, 0 replies; only message in thread
From: Stephen Smalley @ 2004-10-20 16:10 UTC (permalink / raw)
To: Andrew Morton, James Morris, lkml, selinux
This patch against 2.6.9 adds a DAC ownership check to the existing MAC
permission checks when setting the security.selinux attribute via
setxattr. In the past, the MAC permission checks were viewed as
sufficient for controlling relabeling operations, but experience in the
Fedora SELinux integration has shown that a DAC check is also
appropriate here, particularly under targeted policy. Please apply.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
security/selinux/hooks.c | 3 +++
1 files changed, 3 insertions(+)
--- linux-2.6.9/security/selinux/hooks.c.orig 2004-10-20 10:32:18.653598056 -0400
+++ linux-2.6.9/security/selinux/hooks.c 2004-10-20 10:32:39.712396632 -0400
@@ -2243,6 +2243,9 @@ static int selinux_inode_setxattr(struct
if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
return -EOPNOTSUPP;
+ if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+ return -EPERM;
+
AVC_AUDIT_DATA_INIT(&ad,FS);
ad.u.fs.dentry = dentry;
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2004-10-20 16:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2004-10-20 16:10 [PATCH][SELINUX] Add DAC check for setxattr(security.selinux) Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).