2008-01-24 20:45:58

by Eamon Walsh

Subject: [PATCH] selinux: make mls_compute_sid always polyinstantiate

This patch removes the requirement that the new and related object types
differ in order to polyinstantiate by MLS level. This allows MLS
polyinstantiation to occur in the absence of explicit type_member rules
or when the type has not changed.

Potential users of this support include pam_namespace.so (directory
polyinstantiation) and the SELinux X support (property polyinstantiation).

Signed-off-by: Eamon Walsh <[email protected]>
---

mls.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fb5d70a..3bbcb53 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
/* Use the process effective MLS attributes. */
return mls_context_cpy_low(newcontext, scontext);
case AVTAB_MEMBER:
- /* Only polyinstantiate the MLS attributes if
- the type is being polyinstantiated */
- if (newcontext->type != tcontext->type) {
- /* Use the process effective MLS attributes. */
- return mls_context_cpy_low(newcontext, scontext);
- } else {
- /* Use the related object MLS attributes. */
- return mls_context_cpy(newcontext, tcontext);
- }
+ /* Use the process effective MLS attributes. */
+ return mls_context_cpy_low(newcontext, scontext);
default:
return -EINVAL;
}
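Review bot: the replacement body for AVTAB_MEMBER is now identical to the preceding case's body at the top of the hunk (`/* Use the process effective MLS attributes. */` followed by `return mls_context_cpy_low(newcontext, scontext);`), so the two cases could share one body via fall-through instead of duplicating it. The deleted comment was also the only place stating the policy: the removed else-branch kept the related object's full range (`mls_context_cpy(newcontext, tcontext)`) when the type was unchanged, whereas a member with an unchanged type now always comes out single-level at the process's low level; a one-line comment saying so, in place of the deleted one, would stop readers assuming a type_member rule is still required. As raised later in the thread, the userspace security server's copy of this logic in libsepol mls.c needs the matching change to stay in sync.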



--
Eamon Walsh <[email protected]>
National Security Agency
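To make the behaviour change concrete, here is an added stand-alone model of the AVTAB_MEMBER branch before and after the patch. It is example code written for this page, not kernel or libsepol code: the struct layout, the sample contexts and the helper names are simplifying assumptions, and only the copy semantics of mls_context_cpy() (copy low and high from the source) and mls_context_cpy_low() (set both low and high to the source's low level) are modelled.

```c
/* Added example, not kernel code: a stand-alone model of the AVTAB_MEMBER
 * branch of mls_compute_sid() before and after this patch. The struct
 * layout and the sample contexts are simplifying assumptions; only the copy
 * semantics of mls_context_cpy() and mls_context_cpy_low() are kept. */
#include <stdio.h>

struct mls_level {
	int sens;          /* sensitivity: 0 for s0, 15 for s15 */
	unsigned int cats; /* assumed: category set as a bitmask */
};

struct context {
	int type;                  /* type index; arbitrary numbers below */
	struct mls_level level[2]; /* [0] = low (effective), [1] = high (clearance) */
};

/* Copy the full range of src into dst. */
static void mls_context_cpy(struct context *dst, const struct context *src)
{
	dst->level[0] = src->level[0];
	dst->level[1] = src->level[1];
}

/* Collapse dst to a single level: src's low becomes both low and high. */
static void mls_context_cpy_low(struct context *dst, const struct context *src)
{
	dst->level[0] = src->level[0];
	dst->level[1] = src->level[0];
}

/* AVTAB_MEMBER handling as it was before the patch. */
int member_mls_old(const struct context *scontext, const struct context *tcontext,
		   struct context *newcontext)
{
	if (newcontext->type != tcontext->type)
		mls_context_cpy_low(newcontext, scontext);
	else
		mls_context_cpy(newcontext, tcontext);
	return 0;
}

/* AVTAB_MEMBER handling after the patch: always the process's effective level. */
int member_mls_new(const struct context *scontext, const struct context *tcontext,
		   struct context *newcontext)
{
	(void)tcontext; /* the related object's range no longer matters */
	mls_context_cpy_low(newcontext, scontext);
	return 0;
}

int is_single_level(const struct context *c)
{
	return c->level[0].sens == c->level[1].sens &&
	       c->level[0].cats == c->level[1].cats;
}

/* Constructed scenario (assumed values): a process whose effective level is
 * s0:c0 with clearance up to s15:c0.c7 asks for a member of a directory
 * labelled with the same range. same_type selects whether a type_member rule
 * changed the type (0) or left it unchanged (1). */
static void run(int use_new, int same_type, struct context *out)
{
	const struct context proc = { 10, { { 0, 0x01 }, { 15, 0xff } } };
	const struct context dir  = { 20, { { 0, 0x01 }, { 15, 0xff } } };

	out->type = same_type ? dir.type : 30;
	out->level[0].sens = out->level[1].sens = -1;
	out->level[0].cats = out->level[1].cats = 0;
	if (use_new)
		member_mls_new(&proc, &dir, out);
	else
		member_mls_old(&proc, &dir, out);
}

/* High sensitivity of the resulting member context. */
int member_high_sens(int use_new, int same_type)
{
	struct context out;
	run(use_new, same_type, &out);
	return out.level[1].sens;
}

/* 1 if the resulting member context is single-level, 0 if ranged. */
int member_is_single_level(int use_new, int same_type)
{
	struct context out;
	run(use_new, same_type, &out);
	return is_single_level(&out);
}

int main(void)
{
	const char *names[2] = { "old", "new" };
	for (int v = 0; v < 2; v++)
		for (int same = 0; same < 2; same++)
			printf("%s code, type %s: member high level s%d, %s\n",
			       names[v], same ? "unchanged" : "changed",
			       member_high_sens(v, same),
			       member_is_single_level(v, same) ? "single-level" : "ranged");
	return 0;
}
```

The interesting row is "old code, type unchanged": without a type_member rule the member inherited the directory's whole s0-s15 range, so nothing was polyinstantiated by level. After the patch every member comes out single-level at the process's low level, which is the property pam_namespace directory polyinstantiation and X property polyinstantiation rely on.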


2008-01-24 20:44:16

by Stephen Smalley

Subject: Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate


On Thu, 2008-01-24 at 15:30 -0500, Eamon Walsh wrote:
> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level. This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules
> or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
>
> Signed-off-by: Eamon Walsh <[email protected]>

Acked-by: Stephen Smalley <[email protected]>

> ---
>
> mls.c | 11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)

(nit: use diffstat -p1 in the future)

>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> /* Use the process effective MLS attributes. */
> return mls_context_cpy_low(newcontext, scontext);
> case AVTAB_MEMBER:
> - /* Only polyinstantiate the MLS attributes if
> - the type is being polyinstantiated */
> - if (newcontext->type != tcontext->type) {
> - /* Use the process effective MLS attributes. */
> - return mls_context_cpy_low(newcontext, scontext);
> - } else {
> - /* Use the related object MLS attributes. */
> - return mls_context_cpy(newcontext, tcontext);
> - }
> + /* Use the process effective MLS attributes. */
> + return mls_context_cpy_low(newcontext, scontext);
> default:
> return -EINVAL;
> }
>
>
>
--
Stephen Smalley
National Security Agency

2008-01-24 21:02:57

by Joshua Brindle

Subject: Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

Eamon Walsh wrote:
> This patch removes the requirement that the new and related object
> types differ in order to polyinstantiate by MLS level. This allows
> MLS polyinstantiation to occur in the absence of explicit type_member
> rules or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property
> polyinstantiation).
>
> Signed-off-by: Eamon Walsh <[email protected]>
> ---
>
> mls.c | 11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> /* Use the process effective MLS attributes. */
> return mls_context_cpy_low(newcontext, scontext);
> case AVTAB_MEMBER:
> - /* Only polyinstantiate the MLS attributes if
> - the type is being polyinstantiated */
> - if (newcontext->type != tcontext->type) {
> - /* Use the process effective MLS attributes. */
> - return mls_context_cpy_low(newcontext, scontext);
> - } else {
> - /* Use the related object MLS attributes. */
> - return mls_context_cpy(newcontext, tcontext);
> - }
> + /* Use the process effective MLS attributes. */
> + return mls_context_cpy_low(newcontext, scontext);
> default:
> return -EINVAL;
> }

Should there be a patch to update mls.c in libsepol as well? I hope we
are keeping the kss and uss in sync.

2008-01-24 22:43:25

by James Morris

Subject: Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

On Thu, 24 Jan 2008, Eamon Walsh wrote:

> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level. This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules or
> when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
>
> Signed-off-by: Eamon Walsh <[email protected]>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm

--
James Morris
<[email protected]>

2008-02-05 17:52:35

by Xavier Toth

Subject: Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate

Is this in rawhide? If not, when will it be?

On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <[email protected]> wrote:
> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level. This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules
> or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
>
> Signed-off-by: Eamon Walsh <[email protected]>
> ---
>
> mls.c | 11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
> /* Use the process effective MLS attributes. */
> return mls_context_cpy_low(newcontext, scontext);
> case AVTAB_MEMBER:
> - /* Only polyinstantiate the MLS attributes if
> - the type is being polyinstantiated */
> - if (newcontext->type != tcontext->type) {
> - /* Use the process effective MLS attributes. */
> - return mls_context_cpy_low(newcontext, scontext);
> - } else {
> - /* Use the related object MLS attributes. */
> - return mls_context_cpy(newcontext, tcontext);
> - }
> + /* Use the process effective MLS attributes. */
> + return mls_context_cpy_low(newcontext, scontext);
> default:
> return -EINVAL;
> }
>
>
>
> --
> Eamon Walsh <[email protected]>
> National Security Agency
>
>