List:       selinux
Subject:    Re: [RFC]integrity: SELinux patch
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2007-09-19 21:04:00
Message-ID: 1190235840.25863.98.camel () moss-spartans ! epoch ! ncsc ! mil

On Wed, 2007-09-19 at 15:41 -0400, Mimi Zohar wrote:
> On Wed, 2007-08-29 at 06:14 -0400, Mimi Zohar wrote:
> > On Wed, 2007-08-29 at 00:16 -0400, Joshua Brindle wrote:
> > > Mimi Zohar wrote:
> > > 
> > > > Index: linux-2.6.23-rc3-mm1/security/selinux/ss/services.c
> > > > ===================================================================
> > > > --- linux-2.6.23-rc3-mm1.orig/security/selinux/ss/services.c
> > > > +++ linux-2.6.23-rc3-mm1/security/selinux/ss/services.c
> > > > @@ -305,12 +305,12 @@ static int context_struct_compute_av(str
> > > >  		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
> > > >  			tclass = SECCLASS_NETLINK_SOCKET;
> > > >  
> > > > -	if (!tclass || tclass > policydb.p_classes.nprim) {
> > > > -		printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
> > > > -		       tclass);
> > > > -		return -EINVAL;
> > > > -	}
> > > > -	tclass_datum = policydb.class_val_to_struct[tclass - 1];
> > > > +//	if (!tclass || tclass > policydb.p_classes.nprim) {
> > > > +//		printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
> > > > +//		       tclass);
> > > > +//		return -EINVAL;
> > > > +//	}
> > > > +//	tclass_datum = policydb.class_val_to_struct[tclass - 1];
> > > >  
> > > >   
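
Review bot: the six `//` lines in context_struct_compute_av() disable the `!tclass || tclass > policydb.p_classes.nprim` range check, so a zero or unrecognized class value no longer returns -EINVAL and falls through to the rest of the function. They also comment out `tclass_datum = policydb.class_val_to_struct[tclass - 1];`, so every later use of tclass_datum in this function needs auditing for an unset pointer. If the intent is only to let a newly defined class through for testing, keep the check and the assignment and carry the workaround as a separate test-only change, and do not post code disabled with `//` comments for review.
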
> > > 
> > > Err? Did you mean to submit it like this? This should be fixed by Eric's 
> > > patch to handle unknown classes anyway.
> > 
> > I'm working off the latest -mm tree and that patch hasn't made it in yet,
> > as well as some other patches.  For example, additional security class 
> > numbers have been defined.  So I will need to update SECCLASS_INTEGRITY
> > as well. The above code was added in order to test the patch. Once the 
> > basic integrity concept has been reviewed and accepted, I will repost 
> > based on the latest selinux development source tree.
> 
> Ok, so how do I get the latest selinux development source tree?

James Morris maintains a selinux git tree on kernel.org, but even that
wouldn't yet have Eric's patch (that patch has been posted a few times
on list, but there are still a couple of changes to be made).

-- 
Stephen Smalley
National Security Agency

