LKML Archive on lore.kernel.org
* [PATCH] selinux: make mls_compute_sid always polyinstantiate
@ 2008-01-24 20:30 Eamon Walsh
  2008-01-24 20:36 ` Stephen Smalley
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Eamon Walsh @ 2008-01-24 20:30 UTC (permalink / raw)
  To: SELinux List; +Cc: linux-kernel, James Morris, Stephen Smalley

This patch removes the requirement that the new and related object types 
differ in order to polyinstantiate by MLS level.  This allows MLS 
polyinstantiation to occur in the absence of explicit type_member rules 
or when the type has not changed.

Potential users of this support include pam_namespace.so (directory 
polyinstantiation) and the SELinux X support (property polyinstantiation).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
---

 mls.c |   11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fb5d70a..3bbcb53 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
 			/* Use the process effective MLS attributes. */
 			return mls_context_cpy_low(newcontext, scontext);
 	case AVTAB_MEMBER:
-		/* Only polyinstantiate the MLS attributes if
-		   the type is being polyinstantiated */
-		if (newcontext->type != tcontext->type) {
-			/* Use the process effective MLS attributes. */
-			return mls_context_cpy_low(newcontext, scontext);
-		} else {
-			/* Use the related object MLS attributes. */
-			return mls_context_cpy(newcontext, tcontext);
-		}
+		/* Use the process effective MLS attributes. */
+		return mls_context_cpy_low(newcontext, scontext);
 	default:
 		return -EINVAL;
 	}
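Review bot: with the else branch gone, the AVTAB_MEMBER body is now character-for-character the same as the two context lines at the top of the hunk (same comment, same "return mls_context_cpy_low(newcontext, scontext);"), and the deleted comment was the only place that explained why member computation chose between scontext and tcontext. Either fold the two case bodies together or leave a one-line comment saying member computation now uses the caller's effective level unconditionally, so a later reader does not reintroduce the type comparison. The changelog should also spell out the visible behaviour change: for a member rule where newcontext->type == tcontext->type, the new object's MLS attributes used to come from "mls_context_cpy(newcontext, tcontext)" (the related object's full range) and now come from the caller's low level, so existing policies that relied on the inherited range will see differently labelled objects.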



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
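Added illustration, not part of the patch or of the kernel: a small C model of the AVTAB_MEMBER decision before and after this change, showing when the label of a newly created object differs. struct model_context, model_cpy and model_cpy_low are stand-ins for the kernel's struct context, mls_context_cpy and mls_context_cpy_low; the type numbers, levels and ranges are constructed sample values.

```c
/*
 * Simplified model of the AVTAB_MEMBER path of mls_compute_sid(), before
 * and after the patch.  Not kernel code: the structs and helpers below are
 * stand-ins for struct context, mls_context_cpy() and mls_context_cpy_low().
 */
#include <stdbool.h>
#include <stdio.h>

/* A sensitivity level: sensitivity number plus a toy category bitmap. */
struct model_level {
    unsigned int sens;
    unsigned int cats;
};

/* Only the fields this code path touches: type and an MLS range. */
struct model_context {
    unsigned int type;
    struct model_level low;   /* effective (current) level */
    struct model_level high;  /* clearance / top of range */
};

/* Copy the whole range of src into dst (models mls_context_cpy). */
static void model_cpy(struct model_context *dst, const struct model_context *src)
{
    dst->low = src->low;
    dst->high = src->high;
}

/* Copy only the low level of src into both ends of dst's range
 * (models mls_context_cpy_low). */
static void model_cpy_low(struct model_context *dst, const struct model_context *src)
{
    dst->low = src->low;
    dst->high = src->low;
}

/* Pre-patch: use the caller's effective level only when the type itself is
 * being polyinstantiated; otherwise inherit the related object's range. */
void member_before(struct model_context *newc, const struct model_context *sc,
                   const struct model_context *tc)
{
    if (newc->type != tc->type)
        model_cpy_low(newc, sc);
    else
        model_cpy(newc, tc);
}

/* Post-patch: always use the caller's effective level. */
void member_after(struct model_context *newc, const struct model_context *sc,
                  const struct model_context *tc)
{
    (void)tc;
    model_cpy_low(newc, sc);
}

/* Constructed scenario: a process at s0 with range s0-s2:c1 creates a child
 * of a directory labelled s0-s2:c1, and the member rule keeps the type. */
static const struct model_context SC_SAMPLE = { 7, {0, 0}, {2, 0x2} };
static const struct model_context TC_SAMPLE = { 7, {0, 0}, {2, 0x2} };

/* High sensitivity of the new object under the old rule (inherited range). */
unsigned int before_high_sens_same_type(void)
{
    struct model_context newc = { 7, {0, 0}, {0, 0} };
    member_before(&newc, &SC_SAMPLE, &TC_SAMPLE);
    return newc.high.sens;
}

/* High sensitivity of the new object under the new rule (caller's low level). */
unsigned int after_high_sens_same_type(void)
{
    struct model_context newc = { 7, {0, 0}, {0, 0} };
    member_after(&newc, &SC_SAMPLE, &TC_SAMPLE);
    return newc.high.sens;
}

/* When a type_member rule does change the type, both versions agree. */
bool new_type_member_label_unchanged(void)
{
    struct model_context b = { 9, {0, 0}, {0, 0} }, a = { 9, {0, 0}, {0, 0} };
    member_before(&b, &SC_SAMPLE, &TC_SAMPLE);
    member_after(&a, &SC_SAMPLE, &TC_SAMPLE);
    return b.low.sens == a.low.sens && b.high.sens == a.high.sens &&
           b.low.cats == a.low.cats && b.high.cats == a.high.cats;
}

int main(void)
{
    printf("same type: before high=s%u, after high=s%u\n",
           before_high_sens_same_type(), after_high_sens_same_type());
    printf("new type: labels agree = %d\n", new_type_member_label_unchanged());
    return 0;
}
```

The point the model makes is the one a policy author cares about: with the type unchanged, the old rule handed the child the parent's full range (s0-s2:c1 in the constructed case), while the new rule pins it to the caller's effective level (s0-s0), which is what directory and property polyinstantiation per level needs.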



* Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate
  2008-01-24 20:30 [PATCH] selinux: make mls_compute_sid always polyinstantiate Eamon Walsh
@ 2008-01-24 20:36 ` Stephen Smalley
  2008-01-24 20:46 ` Joshua Brindle
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2008-01-24 20:36 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: SELinux List, linux-kernel, James Morris


On Thu, 2008-01-24 at 15:30 -0500, Eamon Walsh wrote:
> This patch removes the requirement that the new and related object types 
> differ in order to polyinstantiate by MLS level.  This allows MLS 
> polyinstantiation to occur in the absence of explicit type_member rules 
> or when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
> 
>  mls.c |   11 ++---------
>  1 file changed, 2 insertions(+), 9 deletions(-)

(nit:  use diffstat -p1 in the future)

> 
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>  			/* Use the process effective MLS attributes. */
>  			return mls_context_cpy_low(newcontext, scontext);
>  	case AVTAB_MEMBER:
> -		/* Only polyinstantiate the MLS attributes if
> -		   the type is being polyinstantiated */
> -		if (newcontext->type != tcontext->type) {
> -			/* Use the process effective MLS attributes. */
> -			return mls_context_cpy_low(newcontext, scontext);
> -		} else {
> -			/* Use the related object MLS attributes. */
> -			return mls_context_cpy(newcontext, tcontext);
> -		}
> +		/* Use the process effective MLS attributes. */
> +		return mls_context_cpy_low(newcontext, scontext);
>  	default:
>  		return -EINVAL;
>  	}
> 
> 
> 
-- 
Stephen Smalley
National Security Agency



* Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate
  2008-01-24 20:30 [PATCH] selinux: make mls_compute_sid always polyinstantiate Eamon Walsh
  2008-01-24 20:36 ` Stephen Smalley
@ 2008-01-24 20:46 ` Joshua Brindle
  2008-01-24 22:43 ` James Morris
  2008-02-05 17:52 ` Xavier Toth
  3 siblings, 0 replies; 5+ messages in thread
From: Joshua Brindle @ 2008-01-24 20:46 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: SELinux List, linux-kernel, James Morris, Stephen Smalley

Eamon Walsh wrote:
> This patch removes the requirement that the new and related object 
> types differ in order to polyinstantiate by MLS level.  This allows 
> MLS polyinstantiation to occur in the absence of explicit type_member 
> rules or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory 
> polyinstantiation) and the SELinux X support (property 
> polyinstantiation).
>
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> ---
>
> mls.c |   11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
>
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index fb5d70a..3bbcb53 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>             /* Use the process effective MLS attributes. */
>             return mls_context_cpy_low(newcontext, scontext);
>     case AVTAB_MEMBER:
> -        /* Only polyinstantiate the MLS attributes if
> -           the type is being polyinstantiated */
> -        if (newcontext->type != tcontext->type) {
> -            /* Use the process effective MLS attributes. */
> -            return mls_context_cpy_low(newcontext, scontext);
> -        } else {
> -            /* Use the related object MLS attributes. */
> -            return mls_context_cpy(newcontext, tcontext);
> -        }
> +        /* Use the process effective MLS attributes. */
> +        return mls_context_cpy_low(newcontext, scontext);
>     default:
>         return -EINVAL;
>     }

Should there be a patch to update mls.c in libsepol as well? I hope we 
are keeping the kss and uss in sync.



* Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate
  2008-01-24 20:30 [PATCH] selinux: make mls_compute_sid always polyinstantiate Eamon Walsh
  2008-01-24 20:36 ` Stephen Smalley
  2008-01-24 20:46 ` Joshua Brindle
@ 2008-01-24 22:43 ` James Morris
  2008-02-05 17:52 ` Xavier Toth
  3 siblings, 0 replies; 5+ messages in thread
From: James Morris @ 2008-01-24 22:43 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: SELinux List, linux-kernel, Stephen Smalley

On Thu, 24 Jan 2008, Eamon Walsh wrote:

> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level.  This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules or
> when the type has not changed.
> 
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
> 
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm

-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH] selinux: make mls_compute_sid always polyinstantiate
  2008-01-24 20:30 [PATCH] selinux: make mls_compute_sid always polyinstantiate Eamon Walsh
                   ` (2 preceding siblings ...)
  2008-01-24 22:43 ` James Morris
@ 2008-02-05 17:52 ` Xavier Toth
  3 siblings, 0 replies; 5+ messages in thread
From: Xavier Toth @ 2008-02-05 17:52 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: SELinux List, linux-kernel, James Morris, Stephen Smalley

Is this in rawhide, if not when will it be?

On Thu, Jan 24, 2008 at 2:30 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> This patch removes the requirement that the new and related object types
> differ in order to polyinstantiate by MLS level.  This allows MLS
> polyinstantiation to occur in the absence of explicit type_member rules
> or when the type has not changed.
>
> Potential users of this support include pam_namespace.so (directory
> polyinstantiation) and the SELinux X support (property polyinstantiation).
>
> Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
>  ---
>
>   mls.c |   11 ++---------
>   1 file changed, 2 insertions(+), 9 deletions(-)
>
>
>  diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
>  index fb5d70a..3bbcb53 100644
>  --- a/security/selinux/ss/mls.c
>  +++ b/security/selinux/ss/mls.c
>  @@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
>                         /* Use the process effective MLS attributes. */
>                         return mls_context_cpy_low(newcontext, scontext);
>         case AVTAB_MEMBER:
>  -               /* Only polyinstantiate the MLS attributes if
>  -                  the type is being polyinstantiated */
>  -               if (newcontext->type != tcontext->type) {
>  -                       /* Use the process effective MLS attributes. */
>  -                       return mls_context_cpy_low(newcontext, scontext);
>  -               } else {
>  -                       /* Use the related object MLS attributes. */
>  -                       return mls_context_cpy(newcontext, tcontext);
>  -               }
>  +               /* Use the process effective MLS attributes. */
>  +               return mls_context_cpy_low(newcontext, scontext);
>         default:
>                 return -EINVAL;
>         }
>
>
>
>  --
>  Eamon Walsh <ewalsh@tycho.nsa.gov>
>  National Security Agency
>
>

