2004-04-20 15:36:32

by Stephen Smalley

Subject: [PATCH][SELINUX] Remove hardcoded policy assumption from get_user_sids logic

This patch against 2.6.6-rc1-mm1 removes a hardcoded policy assumption
from the get_user_sids logic in the SELinux module that was preventing
it from returning contexts that had the same type as the caller even if
the policy allowed such a transition. The assumption is not valid for
all policies, and can be handled via policy configuration and userspace
rather than hardcoding it in the module logic.

security/selinux/ss/services.c | 2 --
1 files changed, 2 deletions(-)

diff -X /home/sds/dontdiff -ru linux-2.6.old/security/selinux/ss/services.c linux-2.6/security/selinux/ss/services.c
--- linux-2.6.old/security/selinux/ss/services.c 2004-04-20 10:11:03.000000000 -0400
+++ linux-2.6/security/selinux/ss/services.c 2004-04-20 10:48:30.772189123 -0400
@@ -1341,8 +1341,6 @@
if (!ebitmap_get_bit(&role->types, j))
continue;
usercon.type = j+1;
- if (usercon.type == fromcon->type)
- continue;
mls_for_user_ranges(user,usercon) {
rc = context_struct_compute_av(fromcon, &usercon,
SECCLASS_PROCESS,
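Review bot: Dropping the `if (usercon.type == fromcon->type) continue;` skip means a candidate context with the caller's own type (and, for the matching user and role, a context identical to the caller's) is now passed to context_struct_compute_av and may be returned; the access-vector check against SECCLASS_PROCESS becomes the sole gate for such results. The permission being requested in that call falls outside the visible lines, so it is worth confirming it is the transition permission, since that is what the description says policy will use to decide whether same-type results are allowed. Userspace consumers of get_user_sids that relied on the caller's type never appearing in the list should be noted in the changelog, as the description says the behaviour now depends on policy configuration and userspace rather than this check.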


--
Stephen Smalley <[email protected]>
National Security Agency