rpms/kernel/F-10 selinux-netlabel_setsockopt_fix.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.32, 1.1206.2.33

Kyle McMartin kyle at fedoraproject.org
Sun Feb 22 18:12:14 UTC 2009


Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12968

Modified Files:
      Tag: private-fedora-10-2_6_27
	kernel.spec 
Added Files:
      Tag: private-fedora-10-2_6_27
	selinux-netlabel_setsockopt_fix.patch 
Log Message:
* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
   when selinux is enabled.) resolves bz#486225.


selinux-netlabel_setsockopt_fix.patch:

--- NEW FILE selinux-netlabel_setsockopt_fix.patch ---
selinux: Fix the NetLabel glue code for setsockopt()

From: Paul Moore <paul.moore at hp.com>

At some point we (okay, I) managed to break the ability for users to use the
setsockopt() syscall to set IPv4 options when NetLabel was not active on the
socket in question.  The problem was noticed by someone trying to use the
"-R" (record route) option of ping:

 # ping -R 10.0.0.1
 ping: record route: No message of desired type

The solution is relatively simple, we catch the unlabeled socket case and
clear the error code, allowing the operation to succeed.  Please note that we
still deny users the ability to override IPv4 options on sockets which have
NetLabel labeling active; this is done to ensure the labeling remains intact.

Signed-off-by: Paul Moore <paul.moore at hp.com>
---

 security/selinux/netlabel.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)


diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f58701a..3f4b266 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -490,8 +490,10 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
 		lock_sock(sk);
 		rc = netlbl_sock_getattr(sk, &secattr);
 		release_sock(sk);
-		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+		if (rc == 0)
 			rc = -EACCES;
+		else if (rc == -ENOMSG)
+			rc = 0;
 		netlbl_secattr_destroy(&secattr);
 	}
 
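Review bot: the rewritten condition changes what is denied as well as what is allowed, and that deserves a one-line comment in the code. Before this hunk, a socket for which `netlbl_sock_getattr()` returned 0 with `secattr.flags == NETLBL_SECATTR_NONE` was permitted; after it, every `rc == 0` is mapped to `-EACCES` and only `rc == -ENOMSG` is taken as "no label on this socket" and cleared. That is correct only if `netlbl_sock_getattr()` never returns 0 for an unlabeled socket, so a comment such as `/* -ENOMSG: socket carries no NetLabel label, allow the option */` above the new `else if` would make the reliance explicit. Any other error from `netlbl_sock_getattr()` still propagates as a denial, so the check stays fail-closed.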


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.32
retrieving revision 1.1206.2.33
diff -u -r1.1206.2.32 -r1.1206.2.33
--- kernel.spec	21 Feb 2009 23:56:53 -0000	1.1206.2.32
+++ kernel.spec	22 Feb 2009 18:11:39 -0000	1.1206.2.33
@@ -638,6 +638,7 @@
 Patch570: linux-2.6-selinux-mprotect-checks.patch
 Patch580: linux-2.6-sparc-selinux-mprotect-checks.patch
 Patch590: linux-2.6-selinux-recognise-addrlabel.patch
+Patch591: selinux-netlabel_setsockopt_fix.patch
 # fix for ebus_dma.h
 Patch600: sparc-2.6.git-aae7fb87ec4d2df6cb551670b1765cf4e5795a3b.patch
 
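Review bot: the new patch name does not follow the `linux-2.6-` naming used by the neighbouring SELinux patches (Patch570, Patch580, Patch590); consider renaming it to `linux-2.6-selinux-netlabel-setsockopt-fix.patch` so the patch list stays consistent. The number 591 slots correctly between Patch590 and Patch600, and the file name matches the patch added in this commit.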
@@ -1252,6 +1253,9 @@
 # selinux: recognize netlink messages for 'ip addrlabel'
 ApplyPatch linux-2.6-selinux-recognise-addrlabel.patch
 
+# bz486225: fix setsockopt when netlabel is enabled
+ApplyPatch selinux-netlabel_setsockopt_fix.patch
+
 # Changes to upstream defaults.
 
 # ia64 ata quirk
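Review bot: the comment above the new ApplyPatch line understates the fix; per the patch description it restores setting IPv4 options via setsockopt() on sockets that carry no NetLabel label while NetLabel (and so SELinux) is active, so `# bz486225: allow setsockopt() IP options on unlabeled sockets when NetLabel is enabled` would be more precise. The ApplyPatch placement directly after the addrlabel patch matches the Patch591 ordering in the patch list.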
@@ -1937,6 +1941,10 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
+   when selinux is enabled.) resolves bz#486225.
+
 * Sat Feb 21 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.19-170.2.32
 - Set X86_MSR=y and X86_CPUID=y on 32-bit kernel.
 - Copy ext4 ENOSPC fix from rawhide.
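Review bot: the new %changelog header omits the version-release string that the surrounding entries carry after the e-mail address (the previous entry ends with `2.6.27.19-170.2.32`), and no release bump appears in the visible hunks, so a build carrying this patch cannot be told apart from the previous one by its changelog. Add the release to the header line; `i.e.` is also preferable to `ie:` in the description.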
