[PATCH] Add DAC check for setxattr(security.selinux)

This patch against 2.6.9 adds a DAC ownership check to the existing MAC permission checks when setting the security.selinux attribute via setxattr. In the past, the MAC permission checks were viewed as sufficient for controlling relabeling operations, but experience in the Fedora SELinux integration has shown that a DAC check is also appropriate here, particularly under targeted policy. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] Add DAC check for setxattr(security.selinux)
This patch against 2.6.9 adds a DAC ownership check to the existing MAC permission checks when setting the security.selinux attribute via setxattr. In the past, the MAC permission checks were viewed as sufficient for controlling relabeling operations, but experience in the Fedora SELinux integration has shown that a DAC check is also appropriate here, particularly under targeted policy. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
b7e41f90 · Stephen D. Smalley · Linus Torvalds · a710802b · b7e41f90
Commit b7e41f90 authored Oct 25, 2004 by Stephen D. Smalley Committed by Linus Torvalds Oct 25, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

security/selinux/hooks.c security/selinux/hooks.c +3 -0

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2237,6 +2237,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value
 	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 		return -EOPNOTSUPP;

+	if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+		return -EPERM;
+
 	AVC_AUDIT_DATA_INIT(&ad,FS);
 	ad.u.fs.dentry = dentry;