maybe a bug in SELinux: security_context_to_sid_core

From: Zhang, Ning A
Date: Wed Feb 28 2018 - 01:47:16 EST

Next message: Alex Hung: "[PATCH][V2] firmware: dmi_scan: add DMI_OEM_STRING support to dmi_matches"
Previous message: Baolin Wang: "[PATCH] nios2: Use read_persistent_clock64() instead of read_persistent_clock()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Before SELinux is initialized, get scontext by secid by using:

security_secctx_to_secid() may return wrong numbe

eg:
security_secctx_to_secid("devnull", strlen("devnull"), &sid);

sid here will be 1

because:

in security_context_to_sid_core:

...
if (!ss_initialized) {
int i;

for (i = 1; i < SECINITSID_NUM; i++) {
if (!strcmp(initial_sid_to_string[i],
scontext)) {
*sid = i;
return 0;
}
}
*sid = SECINITSID_KERNEL;
return 0;
}
...

and SECINITSID_DEVNULL equals to SECINITSID_NUM, and it will never get
right secid for "devnull".

is this by design or bug?

BR.
Ning.

Next message: Alex Hung: "[PATCH][V2] firmware: dmi_scan: add DMI_OEM_STRING support to dmi_matches"
Previous message: Baolin Wang: "[PATCH] nios2: Use read_persistent_clock64() instead of read_persistent_clock()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]