aboutsummaryrefslogtreecommitdiffstats
path: root/CREDITS
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2014-03-19 16:46:11 -0400
committerPaul Moore <pmoore@redhat.com>2014-03-19 16:46:11 -0400
commit98883bfd9d603a2760f6d53eccfaa3ae2c053e72 (patch)
tree48454c4cd6d2c490796be28f0376d4f21dad227c /CREDITS
parentselinux: fix the output of ./scripts/get_maintainer.pl for SELinux (diff)
downloadlinux-dev-98883bfd9d603a2760f6d53eccfaa3ae2c053e72.tar.xz
linux-dev-98883bfd9d603a2760f6d53eccfaa3ae2c053e72.zip
selinux: put the mmap() DAC controls before the MAC controls
It turns out that doing the SELinux MAC checks for mmap() before the DAC checks was causing users and the SELinux policy folks headaches as users were seeing a lot of SELinux AVC denials for the memprotect:mmap_zero permission that would have also been denied by the normal DAC capability checks (CAP_SYS_RAWIO). Example: # cat mmap_test.c #include <stdlib.h> #include <stdio.h> #include <errno.h> #include <sys/mman.h> int main(int argc, char *argv[]) { int rc; void *mem; mem = mmap(0x0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (mem == MAP_FAILED) return errno; printf("mem = %p\n", mem); munmap(mem, 4096); return 0; } # gcc -g -O0 -o mmap_test mmap_test.c # ./mmap_test mem = (nil) # ausearch -m AVC | grep mmap_zero type=AVC msg=audit(...): avc: denied { mmap_zero } for pid=1025 comm="mmap_test" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect This patch corrects things so that when the above example is run by a user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as the DAC capability check fails before the SELinux permission check. Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'CREDITS')
0 files changed, 0 insertions, 0 deletions