[LSM-IPSec]: Corrections to LSM-IPSec Nethooks This patch contains two corrections to the LSM-IPsec Nethooks patches previously applied. (1) free a security context on a failed insert via xfrm_user interface in xfrm_add_policy. Memory leak. (2) change the authorization of the allocation of a security context in a xfrm_policy or xfrm_state from both relabelfrom and relabelto to setcontext. Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 5f8ac64b15172c7ced7d7990eb28342092bc751b [log] [tgz]
author: Trent Jaeger <tjaeger@cse.psu.edu> Fri Jan 06 13:22:39 2006 -0800
committer: David S. Miller <davem@davemloft.net> Fri Jan 06 13:22:39 2006 -0800
tree: 63046817c9a6e8db513379337f01289c045a5d63
parent: 69549ddd2f894c4cead50ee2b60cc02990c389ad [diff] [blame]
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index c4d87d4..5b77765 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c

@@ -137,15 +137,9 @@
 	 * Must be permitted to relabel from default socket type (process type)
 	 * to specified context
 	 */
-	rc = avc_has_perm(tsec->sid, tsec->sid,
-			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELFROM, NULL);
-	if (rc)
-		goto out;
-
 	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 			  SECCLASS_ASSOCIATION,
-			  ASSOCIATION__RELABELTO, NULL);
+			  ASSOCIATION__SETCONTEXT, NULL);
 	if (rc)
 		goto out;
commit	5f8ac64b15172c7ced7d7990eb28342092bc751b	[log] [tgz]
author	Trent Jaeger <tjaeger@cse.psu.edu>	Fri Jan 06 13:22:39 2006 -0800
committer	David S. Miller <davem@davemloft.net>	Fri Jan 06 13:22:39 2006 -0800
tree	63046817c9a6e8db513379337f01289c045a5d63
parent	69549ddd2f894c4cead50ee2b60cc02990c389ad [diff] [blame]