Commit ed328082 authored by Andrew Morton, committed by Linus Torvalds

[PATCH] selinux: remove hardcoded policy assumption from get_user_sids() logic

From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch removes a hardcoded policy assumption from the get_user_sids logic
in the SELinux module that was preventing it from returning contexts that had
the same type as the caller even if the policy allowed such a transition.  The
assumption is not valid for all policies, and can be handled via policy
configuration and userspace rather than hardcoding it in the module logic.
parent c59f3ad7
...@@ -1341,8 +1341,6 @@ int security_get_user_sids(u32 fromsid, ...@@ -1341,8 +1341,6 @@ int security_get_user_sids(u32 fromsid,
if (!ebitmap_get_bit(&role->types, j)) if (!ebitmap_get_bit(&role->types, j))
continue; continue;
usercon.type = j+1; usercon.type = j+1;
if (usercon.type == fromcon->type)
continue;
mls_for_user_ranges(user,usercon) { mls_for_user_ranges(user,usercon) {
rc = context_struct_compute_av(fromcon, &usercon, rc = context_struct_compute_av(fromcon, &usercon,
SECCLASS_PROCESS, SECCLASS_PROCESS,
......
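Review bot: With the `usercon.type == fromcon->type` skip removed after `usercon.type = j+1;`, the only filter still visible in this loop is the result of `context_struct_compute_av(fromcon, &usercon, SECCLASS_PROCESS, ...)`, so callers of security_get_user_sids() can now be handed contexts of their own type whenever policy allows the transition. The commit message leaves that case to policy configuration and userspace, but nothing in the code records the decision. A one-line comment at this point saying same-type contexts are deliberately left to policy would keep the check from being reintroduced later, and it would help to note which userspace consumers relied on the old exclusion so they can be audited against policies that do permit same-type transitions.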