rpms/kernel/devel selinux-netlabel_setsockopt_fix.patch, NONE, 1.1 kernel.spec, 1.1321, 1.1322
Kyle McMartin
kyle at fedoraproject.org
Sun Feb 22 18:13:41 UTC 2009
Author: kyle
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13166
Modified Files:
kernel.spec
Added Files:
selinux-netlabel_setsockopt_fix.patch
Log Message:
* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
- Add patch from Paul Moore to fix setsockopt when netlabel is in use (i.e.
when selinux is enabled); resolves bz#486225.
selinux-netlabel_setsockopt_fix.patch:
--- NEW FILE selinux-netlabel_setsockopt_fix.patch ---
selinux: Fix the NetLabel glue code for setsockopt()
From: Paul Moore <paul.moore at hp.com>
At some point we (okay, I) managed to break the ability for users to use the
setsockopt() syscall to set IPv4 options when NetLabel was not active on the
socket in question. The problem was noticed by someone trying to use the
"-R" (record route) option of ping:
# ping -R 10.0.0.1
ping: record route: No message of desired type
The solution is relatively simple: we catch the unlabeled socket case and
clear the error code, allowing the operation to succeed. Please note that we
still deny users the ability to override IPv4 options on sockets which have
NetLabel labeling active; this is done to ensure the labeling remains intact.
Signed-off-by: Paul Moore <paul.moore at hp.com>
---
security/selinux/netlabel.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f58701a..7c0be4f 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -490,8 +490,8 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
lock_sock(sk);
rc = netlbl_sock_getattr(sk, &secattr);
release_sock(sk);
- if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
- rc = -EACCES;
+ if (rc == -ENOMSG)
+ rc = 0;
netlbl_secattr_destroy(&secattr);
}
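Review bot: the replacement condition removes the only line that returned -EACCES, so the "still deny on labeled sockets" behaviour described above no longer appears in this hunk: when netlbl_sock_getattr() returns 0 with a label present (the case the removed `rc == 0 && secattr.flags != NETLBL_SECATTR_NONE` check was written for), rc is now left at 0 and the setsockopt() call is permitted; only the -ENOMSG (no label on the socket) case is handled. Suggest keeping both branches, e.g. `if (rc == 0) rc = -EACCES; else if (rc == -ENOMSG) rc = 0;`, with a comment stating that -ENOMSG means the socket carries no label.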
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1321
retrieving revision 1.1322
diff -u -r1.1321 -r1.1322
--- kernel.spec 21 Feb 2009 22:31:26 -0000 1.1321
+++ kernel.spec 22 Feb 2009 18:13:09 -0000 1.1322
@@ -618,6 +618,7 @@
Patch530: linux-2.6-silence-fbcon-logo.patch
Patch570: linux-2.6-selinux-mprotect-checks.patch
Patch580: linux-2.6-sparc-selinux-mprotect-checks.patch
+Patch581: selinux-netlabel_setsockopt_fix.patch
Patch591: linux-2.6-ext4-ENOSPC-debug.patch
@@ -1112,6 +1113,8 @@
# Fix SELinux for sparc
ApplyPatch linux-2.6-sparc-selinux-mprotect-checks.patch
+ApplyPatch selinux-netlabel_setsockopt_fix.patch
+
# Changes to upstream defaults.
# squelch hda_beep by default
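Review bot: the new ApplyPatch line sits directly under the `# Fix SELinux for sparc` comment, which only describes the sparc mprotect patch; give the NetLabel fix its own comment (e.g. `# Fix setsockopt() on unlabeled sockets when NetLabel is active (bz#486225)`) so the next reader does not take it for part of the sparc fix.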
@@ -1743,6 +1746,10 @@
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+- Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
+ when selinux is enabled.) resolves bz#486225.
+
* Sun Feb 22 2009 Dave Airlie <airlied at redhat.com> 2.6.29-0.140.rc5.git5
- rebase drm bits
- temp disable drm-intel-next need krh to rebase - bump gitrev to 5