From: Andrew Morton <akpm@linux-foundation.org>
To: Eric Paris <eparis@redhat.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>,
linux-next@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, James Morris <jmorris@namei.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: linux-next: Tree for Apr 12
Date: Tue, 5 Jun 2012 12:50:19 -0700
Message-ID: <20120605125019.dca1fd02.akpm@linux-foundation.org>
In-Reply-To: <1338864128.17933.2.camel@localhost>
On Mon, 04 Jun 2012 22:42:08 -0400
Eric Paris <eparis@redhat.com> wrote:
> > I really do not want to revert this and feel that the only right fix is
> > going to be to update your selinux policy to allow this new check. I'd
> > rather not allow (whatever program) to truncate() files willy-nilly (in
> > violation of the intentions of selinux policy)
> >
> > I'm sorry I never saw it sooner. We've had it in RHEL for even longer
> > than the 3 months it's been in -next. I think the 'right' fix is going
> > to have to be an update to SELinux policy (for your long dead system, if
> > you give me the denial I can build you a new policy) rather than leaving
> > the potential security hole in mainline...
>
> Andrew sent me his audit log and it didn't show anything. But it got me
> thinking. Now I think this actually is a code bug. Andrew, can you
> test this?
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2e7bd67..20a4315 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2758,7 +2758,7 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
> return dentry_has_perm(cred, dentry, FILE__SETATTR);
>
> - if (ia_valid & ATTR_SIZE)
> + if ((ia_valid & ATTR_SIZE) && selinux_policycap_openperm)
> av |= FILE__OPEN;
>
> return dentry_has_perm(cred, dentry, av);
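Review bot: the added `&& selinux_policycap_openperm` gate on the `ATTR_SIZE` branch is the logic fix this hunk needs, since requiring `FILE__OPEN` for a truncate-via-setattr only makes sense when the loaded policy has the openperm capability; without the gate, systems running an older policy that never defines the open permission fail the check with nothing useful in the audit log, which matches the symptom described above. Two things would make the change easier to review: the initialization of `av` sits above the visible context, so the hunk does not show what base permission `FILE__OPEN` is being OR-ed onto, and the change deserves a proper commit message stating that the denial came from this missing capability check rather than from policy, so the reasoning worked out in this thread survives in the git history.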
That fixed it.