SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [PATCH -v3 4/4] SELinux: use new cap_noaudit interface This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Fri, 07 Nov 2008 10:38:10 -0500 On Fri, 2008-11-07 at 10:23 -0500, Eric Paris wrote: > Currently SELinux jumps through some ugly hoops to not audit a capbility > check when determining if a process has additional powers to override > memory limits or when trying to read/write illegal file labels. Use > the new noaudit call instead. > > Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > > security/selinux/hooks.c \| 19 ++----------------- > 1 files changed, 2 insertions(+), 17 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0d4ee8c..d3fd051 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1978,16 +1978,8 @@ static int selinux_syslog(int type) > static int selinux_vm_enough_memory(struct mm_struct mm, long pages)* > { > int rc, cap_sys_admin = 0; > - struct task_security_struct tsec = current->security;* > - > - rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); > - if (rc == 0) > - rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, *> - SECCLASS_CAPABILITY,* *> - CAP_TO_MASK(CAP_SYS_ADMIN),* > - 0, *> - NULL);* > > + rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT); > if (rc == 0) > cap_sys_admin = 1; > > @@ -2812,7 +2804,6 @@ static int selinux_inode_getsecurity(const struct inode inode, const char name > u32 size; > int error; > char context = NULL;* > - struct task_security_struct tsec = current->security;* > struct inode_security_struct isec = inode->i_security;* > > if (strcmp(name, XATTR_SELINUX_SUFFIX)) > @@ -2827,13 +2818,7 @@ static int selinux_inode_getsecurity(const struct inode inode, const char name > and lack of permission just means that we fall back to the* > in-core context value, not a denial.* > /* > - error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); > - if (!error) > - error = avc_has_perm_noaudit(tsec->sid, tsec->sid, *> - SECCLASS_CAPABILITY2,* *> - CAPABILITY2__MAC_ADMIN,* > - 0, *> - NULL);* > + error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT); > if (!error) > error = security_sid_to_context_force(isec->sid, &context, > &size); -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Fri 7 Nov 2008 - 10:39:21 EST This message: [ Message body ] Next message: Stephen Smalley: "Re: [PATCH -v3 2/4] vm: use new has_capability_noaudit" Previous message: Stephen Smalley: "Re: seobject_mls.patch" In reply to: Eric Paris: "[PATCH -v3 4/4] SELinux: use new cap_noaudit interface" Next in thread: Eric Paris: "[PATCH -v3 3/4] filesystems: use has_capability_noaudit interface for reserved blocks checks" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom