From 5f8ac64b15172c7ced7d7990eb28342092bc751b Mon Sep 17 00:00:00 2001 From: Trent Jaeger Date: Fri, 6 Jan 2006 13:22:39 -0800 Subject: [LSM-IPSec]: Corrections to LSM-IPSec Nethooks This patch contains two corrections to the LSM-IPsec Nethooks patches previously applied. (1) free a security context on a failed insert via xfrm_user interface in xfrm_add_policy. Memory leak. (2) change the authorization of the allocation of a security context in a xfrm_policy or xfrm_state from both relabelfrom and relabelto to setcontext. Signed-off-by: Trent Jaeger Signed-off-by: David S. Miller --- security/selinux/xfrm.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'security/selinux/xfrm.c') diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index c4d87d4dca7b..5b7776504e4c 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -137,15 +137,9 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us * Must be permitted to relabel from default socket type (process type) * to specified context */ - rc = avc_has_perm(tsec->sid, tsec->sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELFROM, NULL); - if (rc) - goto out; - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__RELABELTO, NULL); + ASSOCIATION__SETCONTEXT, NULL); if (rc) goto out; -- cgit v1.2.1