From: Tomas Mraz Date: Tue, 21 Dec 2010 08:54:14 +0000 (+0000) Subject: Relevant BUGIDs: X-Git-Tag: v1.1.4~30 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4c2362ccac4c8e967af619f4550be3a5fb165433;p=linux-pam Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2010-12-21 Tomas Mraz * modules/pam_selinux/pam_selinux.c (mls_range_allowed): Unhardcode values for security class and av permission bit. --- diff --git a/ChangeLog b/ChangeLog index f1cf525e..ac4feb98 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2010-12-21 Tomas Mraz + + * modules/pam_selinux/pam_selinux.c (mls_range_allowed): Unhardcode + values for security class and av permission bit. + 2010-12-14 Tomas Mraz * modules/pam_limits/pam_limits.c (parse_uid_range): New function diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index c31278e9..a6ca8af2 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -236,19 +236,35 @@ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, securit { struct av_decision avd; int retval; - unsigned int bit = CONTEXT__CONTAINS; - context_t src_context = context_new (src); - context_t dst_context = context_new (dst); + security_class_t class; + access_vector_t bit; + context_t src_context; + context_t dst_context; + + class = string_to_security_class("context"); + if (!class) { + pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m"); + return 0; + } + + bit = string_to_av_perm(class, "contains"); + if (!bit) { + pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m"); + return 0; + } + + src_context = context_new (src); + dst_context = context_new (dst); context_range_set(dst_context, context_range_get(src_context)); if (debug) pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); - retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); + retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd); context_free(src_context); context_free(dst_context); if (retval || ((bit & avd.allowed) != bit)) return 0; - + return 1; }