Commit 2e08c0c1, author: Eamon Walsh, committer: James Morris

selinux: make mls_compute_sid always polyinstantiate

This patch removes the requirement that the new and related object types
differ in order to polyinstantiate by MLS level.  This allows MLS
polyinstantiation to occur in the absence of explicit type_member rules or
when the type has not changed.

Potential users of this support include pam_namespace.so (directory
polyinstantiation) and the SELinux X support (property polyinstantiation).
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Parent 1996a109
...@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext, ...@@ -537,15 +537,8 @@ int mls_compute_sid(struct context *scontext,
/* Use the process effective MLS attributes. */ /* Use the process effective MLS attributes. */
return mls_context_cpy_low(newcontext, scontext); return mls_context_cpy_low(newcontext, scontext);
case AVTAB_MEMBER: case AVTAB_MEMBER:
/* Only polyinstantiate the MLS attributes if /* Use the process effective MLS attributes. */
the type is being polyinstantiated */ return mls_context_cpy_low(newcontext, scontext);
if (newcontext->type != tcontext->type) {
/* Use the process effective MLS attributes. */
return mls_context_cpy_low(newcontext, scontext);
} else {
/* Use the related object MLS attributes. */
return mls_context_cpy(newcontext, tcontext);
}
default: default:
return -EINVAL; return -EINVAL;
} }
......
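Review bot: The removed else branch in the AVTAB_MEMBER case was the only path that returned the related object's MLS attributes via mls_context_cpy(newcontext, tcontext), so any existing caller whose member type equals tcontext->type now silently gets the process's low level instead. The commit message names potential new users but not the effect on existing ones, and it should state that behaviour change explicitly. The replacement comment is also a copy of the one in the case above. Suggest wording it to record the intent, for example that member contexts are always polyinstantiated by MLS level regardless of whether the type changed, so a later reader does not reintroduce the type comparison.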