aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2011-04-28 15:11:21 -0400
committerEric Paris <eparis@redhat.com>2011-04-28 16:12:41 -0400
commitcb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9 (patch)
treec776ceca8e63dd8de70f242fe6883320004884eb /security
parentfe3fa43039d47ee4e22caf460b79b62a14937f79 (diff)
SELinux: pass last path component in may_create
New inodes are created in a two stage process. We first will compute the label on a new inode in security_inode_create() and check if the operation is allowed. We will then actually re-compute that same label and apply it in security_inode_init_security(). The change to do new label calculations based in part on the last component of the path name only passed the path component information all the way down the security_inode_init_security hook. Down the security_inode_create hook the path information did not make it past may_create. Thus the two calculations came up differently and the permissions check might not actually be against the label that is created. Pass and use the same information in both places to harmonize the calculations and checks. Reported-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d52a92507412..9a93af81a0c3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1573,7 +1573,8 @@ static int may_create(struct inode *dir,
1573 return rc; 1573 return rc;
1574 1574
1575 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { 1575 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
1576 rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid); 1576 rc = security_transition_sid(sid, dsec->sid, tclass,
1577 &dentry->d_name, &newsid);
1577 if (rc) 1578 if (rc)
1578 return rc; 1579 return rc;
1579 } 1580 }