diff options
| author | Eric Paris <eparis@redhat.com> | 2011-02-01 11:05:40 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2011-02-01 11:12:30 -0500 |
| commit | 652bb9b0d6ce007f37c098947b2cc0c45efa3f66 (patch) | |
| tree | 7bf76f04a1fcaa401761a9a734b94682e2ac8b8c /security/selinux/include | |
| parent | 2a7dba391e5628ad665ce84ef9a6648da541ebab (diff) | |
SELinux: Use dentry name in new object labeling
Currently SELinux has rules which label new objects according to 3 criteria.
The label of the process creating the object, the label of the parent
directory, and the type of object (reg, dir, char, block, etc.) This patch
adds a 4th criteria, the dentry name, thus we can distinguish between
creating a file in an etc_t directory called shadow and one called motd.
There is no file globbing, regex parsing, or anything mystical. Either the
policy exactly (strcmp) matches the dentry name of the object or it doesn't.
This patch has no changes from today if policy does not implement the new
rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/include')
| -rw-r--r-- | security/selinux/include/security.h | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 671273eb1115..348eb00cb668 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | #ifndef _SELINUX_SECURITY_H_ | 8 | #ifndef _SELINUX_SECURITY_H_ |
| 9 | #define _SELINUX_SECURITY_H_ | 9 | #define _SELINUX_SECURITY_H_ |
| 10 | 10 | ||
| 11 | #include <linux/dcache.h> | ||
| 11 | #include <linux/magic.h> | 12 | #include <linux/magic.h> |
| 12 | #include <linux/types.h> | 13 | #include <linux/types.h> |
| 13 | #include "flask.h" | 14 | #include "flask.h" |
| @@ -28,13 +29,14 @@ | |||
| 28 | #define POLICYDB_VERSION_POLCAP 22 | 29 | #define POLICYDB_VERSION_POLCAP 22 |
| 29 | #define POLICYDB_VERSION_PERMISSIVE 23 | 30 | #define POLICYDB_VERSION_PERMISSIVE 23 |
| 30 | #define POLICYDB_VERSION_BOUNDARY 24 | 31 | #define POLICYDB_VERSION_BOUNDARY 24 |
| 32 | #define POLICYDB_VERSION_FILENAME_TRANS 25 | ||
| 31 | 33 | ||
| 32 | /* Range of policy versions we understand*/ | 34 | /* Range of policy versions we understand*/ |
| 33 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE | 35 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE |
| 34 | #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX | 36 | #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX |
| 35 | #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE | 37 | #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE |
| 36 | #else | 38 | #else |
| 37 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY | 39 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS |
| 38 | #endif | 40 | #endif |
| 39 | 41 | ||
| 40 | /* Mask for just the mount related flags */ | 42 | /* Mask for just the mount related flags */ |
| @@ -106,8 +108,8 @@ void security_compute_av(u32 ssid, u32 tsid, | |||
| 106 | void security_compute_av_user(u32 ssid, u32 tsid, | 108 | void security_compute_av_user(u32 ssid, u32 tsid, |
| 107 | u16 tclass, struct av_decision *avd); | 109 | u16 tclass, struct av_decision *avd); |
| 108 | 110 | ||
| 109 | int security_transition_sid(u32 ssid, u32 tsid, | 111 | int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, |
| 110 | u16 tclass, u32 *out_sid); | 112 | const struct qstr *qstr, u32 *out_sid); |
| 111 | 113 | ||
| 112 | int security_transition_sid_user(u32 ssid, u32 tsid, | 114 | int security_transition_sid_user(u32 ssid, u32 tsid, |
| 113 | u16 tclass, u32 *out_sid); | 115 | u16 tclass, u32 *out_sid); |