[PATCH] selinux: fix compute_av bug

From: Stephen Smalley <sds@epoch.ncsc.mil> This patch fixes a bug in the SELinux compute_av code; the current code yields the right access computation but can cause unnecessary (but harmless) processing to occur when transition permission wasn't granted in the first place by the TE configuration. Thanks to Chad Hanson of TCS for reporting the bug.

[PATCH] selinux: fix compute_av bug
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch fixes a bug in the SELinux compute_av code; the current code yields the right access computation but can cause unnecessary (but harmless) processing to occur when transition permission wasn't granted in the first place by the TE configuration. Thanks to Chad Hanson of TCS for reporting the bug.
e6c51795 · Andrew Morton · Linus Torvalds · 4a116813 · e6c51795
Commit e6c51795 authored Mar 15, 2004 by Andrew Morton Committed by Linus Torvalds Mar 15, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

security/selinux/ss/services.c security/selinux/ss/services.c +1 -1

No files found.
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -262,7 +262,7 @@ static int context_struct_compute_av(struct context *scontext,
 	 * pair.
 	 */
 	if (tclass == SECCLASS_PROCESS &&
-	    avd->allowed && PROCESS__TRANSITION &&
+	    (avd->allowed & PROCESS__TRANSITION) &&
 	    scontext->role != tcontext->role) {
 		for (ra = policydb.role_allow; ra; ra = ra->next) {
 			if (scontext->role == ra->role &&