rpms/kernel/devel selinux-netlabel_setsockopt_fix.patch, NONE, 1.1 kernel.spec, 1.1321, 1.1322

Kyle McMartin kyle at fedoraproject.org
Sun Feb 22 18:13:41 UTC 2009


Author: kyle

Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13166

Modified Files:
	kernel.spec 
Added Files:
	selinux-netlabel_setsockopt_fix.patch 
Log Message:
* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
- Add patch from Paul Moore to fix setsockopt when netlabel is in use (i.e.
   when selinux is enabled); resolves bz#486225.


selinux-netlabel_setsockopt_fix.patch:

--- NEW FILE selinux-netlabel_setsockopt_fix.patch ---
selinux: Fix the NetLabel glue code for setsockopt()

From: Paul Moore <paul.moore at hp.com>

At some point we (okay, I) managed to break the ability for users to use the
setsockopt() syscall to set IPv4 options when NetLabel was not active on the
socket in question.  The problem was noticed by someone trying to use the
"-R" (record route) option of ping:

 # ping -R 10.0.0.1
 ping: record route: No message of desired type

The solution is relatively simple: we catch the unlabeled socket case and
clear the error code, allowing the operation to succeed.  Please note that we
still deny users the ability to override IPv4 options on sockets which have
NetLabel labeling active; this is done to ensure the labeling remains intact.

Signed-off-by: Paul Moore <paul.moore at hp.com>
---

 security/selinux/netlabel.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f58701a..7c0be4f 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -490,8 +490,8 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
 		lock_sock(sk);
 		rc = netlbl_sock_getattr(sk, &secattr);
 		release_sock(sk);
-		if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-			rc = -EACCES;
+		if (rc == -ENOMSG)
+			rc = 0;
 		netlbl_secattr_destroy(&secattr);
 	}
 
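Review bot: the replacement condition drops the -EACCES assignment entirely, so when netlbl_sock_getattr() succeeds (rc == 0) on a socket that does carry a label, rc stays 0 and the IP_OPTIONS override is now permitted, which contradicts the description above stating that overrides on NetLabel-labeled sockets are still denied. Keep the deny path next to the new unlabeled case, e.g. `if (rc == 0) rc = -EACCES; else if (rc == -ENOMSG) rc = 0;` (retaining the original secattr.flags != NETLBL_SECATTR_NONE test on the rc == 0 branch if netlbl_sock_getattr() can succeed without attributes). Any other error from netlbl_sock_getattr() is then still propagated unchanged, which is the intended behaviour.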


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1321
retrieving revision 1.1322
diff -u -r1.1321 -r1.1322
--- kernel.spec	21 Feb 2009 22:31:26 -0000	1.1321
+++ kernel.spec	22 Feb 2009 18:13:09 -0000	1.1322
@@ -618,6 +618,7 @@
 Patch530: linux-2.6-silence-fbcon-logo.patch
 Patch570: linux-2.6-selinux-mprotect-checks.patch
 Patch580: linux-2.6-sparc-selinux-mprotect-checks.patch
+Patch581: selinux-netlabel_setsockopt_fix.patch
 
 Patch591: linux-2.6-ext4-ENOSPC-debug.patch
 
@@ -1112,6 +1113,8 @@
 # Fix SELinux for sparc
 ApplyPatch linux-2.6-sparc-selinux-mprotect-checks.patch
 
+ApplyPatch selinux-netlabel_setsockopt_fix.patch
+
 # Changes to upstream defaults.
 
 # squelch hda_beep by default
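Review bot: the new ApplyPatch line has no descriptive comment above it, unlike the neighbouring entries ("# Fix SELinux for sparc" immediately before it). Add one that names the bug so the spec stays self-documenting, e.g. `# Fix setsockopt() on unlabeled sockets when NetLabel is active (bz#486225)` directly above `ApplyPatch selinux-netlabel_setsockopt_fix.patch`.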
@@ -1743,6 +1746,10 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
+   when selinux is enabled.) resolves bz#486225.
+
 * Sun Feb 22 2009 Dave Airlie <airlied at redhat.com> 2.6.29-0.140.rc5.git5
 - rebase drm bits
 - temp disable drm-intel-next need krh to rebase - bump gitrev to 5
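Review bot: the new %changelog entry omits the version-release string that the preceding entry carries ("* Sun Feb 22 2009 Dave Airlie <airlied at redhat.com> 2.6.29-0.140.rc5.git5"), and no release bump appears elsewhere in this diff, so the entry does not identify which build first contains the fix. Append the appropriate version-release to the `* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>` line and bump the release accordingly; while there, "(ie:" should read "(i.e." with the period moved after the closing parenthesis.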
