| From stable-bounces@linux.kernel.org Tue Jun 9 01:08:36 2009 |
| From: Eric Paris <eparis@redhat.com> |
| Date: Mon, 01 Jun 2009 10:21:05 -0400 |
| Subject: SELinux: BUG in SELinux compat_net code |
| To: stable@kernel.org |
| Message-ID: <1243866065.3050.7.camel@dhcp231-142.rdu.redhat.com> |
| |
| From: Eric Paris <eparis@redhat.com> |
| |
| This patch is not applicable to Linus's tree as the code in question has |
| been removed for 2.6.30. I'm sending in case any of the stable |
| maintainers would like to push to their branches (which I think anything |
| pre 2.6.30 would like to do). |
| |
| Ubuntu users were experiencing a kernel panic when they enabled SELinux |
| due to an old bug in our handling of the compatibility mode network |
| controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e |
| Most distros have not used the compat_net code since the new code was |
| introduced and so noone has hit this problem before. Ubuntu is the only |
| distro I know that enabled that legacy cruft by default. But, I was ask |
| to look at it and found that the above patch changed a call to |
| avc_has_perm from if(send_perm) to if(!send_perm) in |
| selinux_ip_postroute_iptables_compat(). The result is that users who |
| turn on SELinux and have compat_net set can (and oftern will) BUG() in |
| avc_has_perm_noaudit since they are requesting 0 permissions. |
| |
| This patch corrects that accidental bug introduction. |
| |
| Signed-off-by: Eric Paris <eparis@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| security/selinux/hooks.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/security/selinux/hooks.c |
| +++ b/security/selinux/hooks.c |
| @@ -4648,7 +4648,7 @@ static int selinux_ip_postroute_iptables |
| if (err) |
| return err; |
| |
| - if (send_perm != 0) |
| + if (!send_perm) |
| return 0; |
| |
| err = sel_netport_sid(sk->sk_protocol, |
