Commit 22df4adb authored Jun 09, 2008 by Stephen Smalley Committed by James Morris Jul 14, 2008

selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)

On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:
> Getting a few of these with FC5:
>
> SELinux: context_struct_compute_av:  unrecognized class 69
> SELinux: context_struct_compute_av:  unrecognized class 69
>
> one came out when I logged in.
>
> No other symptoms, yet.

Change handling of invalid classes by SELinux, reporting class values
unknown to the kernel as errors (w/ ratelimit applied) and handling
class values unknown to policy as normal denials.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

parent 89abd0ac

security/selinux/ss/services.c

+13 −3

Original line number	Diff line number	Diff line
		@@ -407,11 +407,21 @@ static int context_struct_compute_av(struct context *scontext,
		return 0;

		inval_class:
		printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
		tclass);
		if (!tclass \|\| tclass > kdefs->cts_len \|\|
		!kdefs->class_to_string[tclass]) {
		if (printk_ratelimit())
		printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
		__func__, tclass);
		return -EINVAL;
		}

		/*
		* Known to the kernel, but not to the policy.
		* Handle as a denial (allowed is 0).
		*/
		return 0;
		}

		/*
		* Given a sid find if the type has the permissive flag set
		*/