diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2008-06-09 16:03:56 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-07-14 01:01:59 -0400 |
commit | 22df4adb049a5cbb340dd935f5bbfa1ab3947562 (patch) | |
tree | 28dead43dd9eb81768e143ced4e9cd45c6a0246f /security/selinux | |
parent | 89abd0acf0335f3f760a3c0698d43bb1eaa83e44 (diff) |
selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)
On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:
> Getting a few of these with FC5:
>
> SELinux: context_struct_compute_av: unrecognized class 69
> SELinux: context_struct_compute_av: unrecognized class 69
>
> one came out when I logged in.
>
> No other symptoms, yet.
Change handling of invalid classes by SELinux, reporting class values
unknown to the kernel as errors (w/ ratelimit applied) and handling
class values unknown to policy as normal denials.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/ss/services.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 543fd0f31b33..04c0b70c8012 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -407,9 +407,19 @@ static int context_struct_compute_av(struct context *scontext, | |||
407 | return 0; | 407 | return 0; |
408 | 408 | ||
409 | inval_class: | 409 | inval_class: |
410 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__, | 410 | if (!tclass || tclass > kdefs->cts_len || |
411 | tclass); | 411 | !kdefs->class_to_string[tclass]) { |
412 | return -EINVAL; | 412 | if (printk_ratelimit()) |
413 | printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", | ||
414 | __func__, tclass); | ||
415 | return -EINVAL; | ||
416 | } | ||
417 | |||
418 | /* | ||
419 | * Known to the kernel, but not to the policy. | ||
420 | * Handle as a denial (allowed is 0). | ||
421 | */ | ||
422 | return 0; | ||
413 | } | 423 | } |
414 | 424 | ||
415 | /* | 425 | /* |