authorEric Paris <eparis@redhat.com>2012-03-20 14:35:12 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:48 -0400
commiteed7795d0a2c9b2e934afc088e903fa2c17b7958 (patch)
tree8f402c793774abfea12fd86bec741f0056302324 /security/selinux
parentaa893269de6277b44be88e25dcd5331c934c29c4 (diff)
SELinux: add default_type statements
Because Fedora shipped userspace based on my development tree, we now have policy version 27 in the wild defining only default user, role, and range. Thus, to add default_type we need a policy version 28. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/policydb.c19
-rw-r--r--security/selinux/ss/policydb.h3
-rw-r--r--security/selinux/ss/services.c14
4 files changed, 33 insertions, 6 deletions
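--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -32,13 +32,14 @@
 #define POLICYDB_VERSION_FILENAME_TRANS 25
 #define POLICYDB_VERSION_ROLETRANS 26
 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
+#define POLICYDB_VERSION_DEFAULT_TYPE 28
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
 #endif
 
 /* Mask for just the mount related flags */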
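--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -138,6 +138,11 @@ static struct policydb_compat_info policydb_compat[] = {
  .sym_num = SYM_NUM,
  .ocon_num = OCON_NUM,
  },
+ {
+ .version = POLICYDB_VERSION_DEFAULT_TYPE,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NUM,
+ },
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -1321,6 +1326,13 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
  cladatum->default_range = le32_to_cpu(buf[2]);
  }
 
+ if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+ rc = next_entry(buf, fp, sizeof(u32) * 1);
+ if (rc)
+ goto bad;
+ cladatum->default_type = le32_to_cpu(buf[0]);
+ }
+
  rc = hashtab_insert(h, key, cladatum);
  if (rc)
  goto bad;
@@ -2857,6 +2869,13 @@ static int class_write(void *vkey, void *datum, void *ptr)
  return rc;
  }
 
+ if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
+ buf[0] = cpu_to_le32(cladatum->default_type);
+ rc = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (rc)
+ return rc;
+ }
+
  return 0;
 }
 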
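Review bot: In the class_read hunk the freshly read `default_type` is stored into a `char` field with no range check, so any 32-bit value other than DEFAULT_SOURCE or DEFAULT_TARGET is accepted and silently truncated (a value such as 0x101 would land as DEFAULT_SOURCE); the default_user/default_role/default_range reads just above appear to do the same, so if those are validated elsewhere the new field should join that check, otherwise `if (cladatum->default_type > DEFAULT_TARGET) { rc = -EINVAL; goto bad; }` after the le32_to_cpu keeps the loader from trusting an out-of-range byte. The read side sizes the entry with `sizeof(u32)` while the class_write hunk uses `sizeof(uint32_t)`; kernel code uses the former, so `rc = put_entry(buf, sizeof(u32), 1, fp);` keeps the pair consistent. Both class_read and class_write begin and end outside these hunks, so whether cladatum is zero-allocated (leaving default_type 0 for pre-28 policies) cannot be confirmed from here.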
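--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -60,11 +60,12 @@ struct class_datum {
  struct symtab permissions; /* class-specific permission symbol table */
  struct constraint_node *constraints; /* constraints on class permissions */
  struct constraint_node *validatetrans; /* special transition rules */
- /* Options how a new object user and role should be decided */
+/* Options how a new object user, role, and type should be decided */
 #define DEFAULT_SOURCE 1
 #define DEFAULT_TARGET 2
  char default_user;
  char default_role;
+ char default_type;
 /* Options how a new object range should be decided */
 #define DEFAULT_SOURCE_LOW 1
 #define DEFAULT_SOURCE_HIGH 2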
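Review bot: `default_type` shares the DEFAULT_SOURCE/DEFAULT_TARGET encoding with default_user and default_role, but nothing in the header says what a zero or unrecognised value means, while the services.c side of this commit treats anything else as "keep the legacy process/socket rule"; a trailing comment such as `char default_type; /* DEFAULT_SOURCE, DEFAULT_TARGET, or 0 = legacy rule */` would pin that contract where the field is declared. The field is filled from a 32-bit on-disk value in policydb.c, so the `char` width deserves a note too if the truncation is intentional. struct class_datum continues outside this hunk.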
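--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,12 +1472,18 @@ static int security_compute_sid(u32 ssid,
  }
 
  /* Set the type to default values. */
- if ((tclass == policydb.process_class) || (sock == true)) {
- /* Use the type of process. */
+ if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
  newcontext.type = scontext->type;
- } else {
- /* Use the type of the related object. */
+ } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
  newcontext.type = tcontext->type;
+ } else {
+ if ((tclass == policydb.process_class) || (sock == true)) {
+ /* Use the type of process. */
+ newcontext.type = scontext->type;
+ } else {
+ /* Use the type of the related object. */
+ newcontext.type = tcontext->type;
+ }
  }
 
  /* Look for a type transition/member/change rule. */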
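Review bot: The two new `cladatum->default_type` branches carry no comment, while the nested legacy fallback kept its "Use the type of process" / "Use the type of the related object" comments, so a reader has to reconstruct why the fallback is now two levels deep; a line above the first branch such as `/* Honour the class's default_type when the policy (version >= POLICYDB_VERSION_DEFAULT_TYPE) sets one; any other value keeps the historical process/socket heuristic. */` would make the precedence explicit. The fallback could also be flattened into the same chain with `} else if ((tclass == policydb.process_class) || (sock == true)) {`, which removes one nesting level without changing which branch is taken. The NULL guard on `cladatum` is repeated in both conditions; if cladatum is already established non-NULL where it is looked up earlier in security_compute_sid, a single test would do, but that lookup is outside this hunk. security_compute_sid starts and ends outside the hunk.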