selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)
On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote: > Getting a few of these with FC5: > > SELinux: context_struct_compute_av: unrecognized class 69 > SELinux: context_struct_compute_av: unrecognized class 69 > > one came out when I logged in. > > No other symptoms, yet. Change handling of invalid classes by SELinux, reporting class values unknown to the kernel as errors (w/ ratelimit applied) and handling class values unknown to policy as normal denials. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
89abd0acf0
commit
22df4adb04
1 changed files with 13 additions and 3 deletions
|
@ -407,9 +407,19 @@ static int context_struct_compute_av(struct context *scontext,
|
|||
return 0;
|
||||
|
||||
inval_class:
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
|
||||
tclass);
|
||||
return -EINVAL;
|
||||
if (!tclass || tclass > kdefs->cts_len ||
|
||||
!kdefs->class_to_string[tclass]) {
|
||||
if (printk_ratelimit())
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
|
||||
__func__, tclass);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Known to the kernel, but not to the policy.
|
||||
* Handle as a denial (allowed is 0).
|
||||
*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
Loading…
Reference in a new issue