Commit e6c51795 authored by Andrew Morton, committed by Linus Torvalds

[PATCH] selinux: fix compute_av bug

From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch fixes a bug in the SELinux compute_av code; the current code
yields the right access computation but can cause unnecessary (but
harmless) processing to occur when transition permission wasn't granted in
the first place by the TE configuration.  Thanks to Chad Hanson of TCS for
reporting the bug.
parent 4a116813
...@@ -262,7 +262,7 @@ static int context_struct_compute_av(struct context *scontext, ...@@ -262,7 +262,7 @@ static int context_struct_compute_av(struct context *scontext,
* pair. * pair.
*/ */
if (tclass == SECCLASS_PROCESS && if (tclass == SECCLASS_PROCESS &&
avd->allowed && PROCESS__TRANSITION && (avd->allowed & PROCESS__TRANSITION) &&
scontext->role != tcontext->role) { scontext->role != tcontext->role) {
for (ra = policydb.role_allow; ra; ra = ra->next) { for (ra = policydb.role_allow; ra; ra = ra->next) {
if (scontext->role == ra->role && if (scontext->role == ra->role &&
......
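Review bot: On the changed condition line in context_struct_compute_av(), the commit message should say why the extra processing could not alter the result, because "harmless" is the security-relevant claim and the body of the role_allow loop is not visible in this hunk. The old test, avd->allowed && PROCESS__TRANSITION, was a logical AND against a permission constant, so it held whenever avd->allowed had any bit set, and the role_allow walk ran for every process-class pair with differing roles whether or not transition was granted. The masked form (avd->allowed & PROCESS__TRANSITION) with explicit parentheses is correct as written. It would also be worth checking the other tests against avd->allowed in this file for the same && in place of &, since the slip reads naturally and is easy to miss.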