From: Stephen Smalley Date: Tue, 7 Jul 2015 13:43:45 +0000 (-0400) Subject: net/tipc: initialize security state for new connection socket X-Git-Tag: v3.2.72~13 X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79bff4bc9204dec190576741babecf73786f48a3;p=pandora-kernel.git net/tipc: initialize security state for new connection socket [ Upstream commit fdd75ea8df370f206a8163786e7470c1277a5064 ] Calling connect() with an AF_TIPC socket would trigger a series of error messages from SELinux along the lines of: SELinux: Invalid class 0 type=AVC msg=audit(1434126658.487:34500): avc: denied { } for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass= permissive=0 This was due to a failure to initialize the security state of the new connection sock by the tipc code, leaving it with junk in the security class field and an unlabeled secid. Add a call to security_sk_clone() to inherit the security state from the parent socket. Reported-by: Tim Shearer Signed-off-by: Stephen Smalley Acked-by: Paul Moore Acked-by: Ying Xue Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context, indentation] Signed-off-by: Ben Hutchings --- diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 058941e6c936..580ecf28dccc 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1541,6 +1541,8 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags) u32 new_ref = new_tport->ref; struct tipc_msg *msg = buf_msg(buf); + security_sk_clone(sock->sk, new_sock->sk); + lock_sock(new_sk); /*