Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 916950 Details for
Bug 1115120
cryptsetup-1.6.5-1.fc21 breaks booting when using luks partitions
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
09-XXX-selinux-sock_graft_default_fix.patch
09-XXX-selinux-sock_graft_default_fix.patch (text/plain), 1.84 KB, created by
Paul Moore
on 2014-07-09 21:02:20 UTC
(
hide
)
Description:
09-XXX-selinux-sock_graft_default_fix.patch
Filename:
MIME Type:
Creator:
Paul Moore
Created:
2014-07-09 21:02:20 UTC
Size:
1.84 KB
patch
obsolete
>selinux: fix the default socket labeling in sock_graft() > >From: Paul Moore <pmoore@redhat.com> > >The sock_graft() hook has special handling for AF_INET, AF_INET, and >AF_UNIX sockets as those address families have special hooks which >label the sock before it is attached its associated socket. >Unfortunately, the sock_graft() hook was missing a default approach >to labeling sockets which meant that any other address family which >made use of connections or the accept() syscall would find the >returned socket to be in an "unlabeled" state. This was recently >demonstrated by the kcrypto/AF_ALG subsystem and the newly released >cryptsetup package (cryptsetup v1.6.5 and later). > >This patch preserves the special handling in selinux_sock_graft(), >but adds a default behavior - setting the sock's label equal to the >associated socket - which resolves the problem with AF_ALG and >presumably any other address family which makes use of accept(). > >Signed-off-by: Paul Moore <pmoore@redhat.com> >--- > security/selinux/hooks.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > >diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >index 39bc8c9..a6a812b 100644 >--- a/security/selinux/hooks.c >+++ b/security/selinux/hooks.c >@@ -4510,9 +4510,17 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) > struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; > struct sk_security_struct *sksec = sk->sk_security; > >- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || >- sk->sk_family == PF_UNIX) >+ switch (sk->sk_family) { >+ case PF_INET: >+ case PF_INET6: >+ case PF_UNIX: > isec->sid = sksec->sid; >+ break; >+ default: >+ /* by default there is no special labeling mechanism for the >+ * sock label so inherit the label from the parent socket */ >+ sksec->sid = isec->sid; >+ } > sksec->sclass = isec->sclass; > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=916950">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1115120
:
913791
|
913918
|
913920
|
916950
|
921748
|
922040