[patch 38/45] selinux: fix labeling of /proc/net inodes

From: Greg KH
Date: Thu Feb 07 2008 - 16:11:13 EST


2.6.24-stable review patch. If anyone has any objections, please let us know.

------------------
From: Stephen Smalley <sds@xxxxxxxxxxxxx>

patch b1aa5301b9f88a4891061650c591fb8fe1c1d1da in mainline.

The proc net rewrite had a side effect on selinux, leading it to mislabel
the /proc/net inodes, thereby leading to incorrect denials. Fix
security_genfs_sid to ignore extra leading / characters in the path supplied
by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
security/selinux/ss/services.c | 3 +++
1 file changed, 3 insertions(+)

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1744,6 +1744,9 @@ int security_genfs_sid(const char *fstyp
struct ocontext *c;
int rc = 0, cmp = 0;

+ while (path[0] == '/' && path[1] == '/')
+ path++;
+
POLICY_RDLOCK;

for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
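
Review bot: the new `while (path[0] == '/' && path[1] == '/')` loop at the top of security_genfs_sid carries no comment explaining why a path can arrive with repeated leading slashes, so a later reader of services.c cannot tell that it compensates for the "//net/..." form described in the changelog. A one-line comment above the loop would cover that, for example `/* callers may pass "//net/..."; collapse extra leading '/' */`. The loop also sits before the fstype comparison, so it applies to every filesystem type passed in, not only proc, and it collapses only leading slashes, so a doubled slash later in the path would still fail to match a genfs entry. If either of those is intentional, the comment should say so. The loop itself is bounded correctly: path[1] is read only when path[0] is '/', so it cannot step past the terminating NUL.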
