From: Eric Paris <eparis@redhat.com>
Date: Thu, 12 Feb 2009 19:50:11 +0000 (-0500)
Subject: SELinux: check seqno when updating an avc_node
X-Git-Tag: v2.6.30-rc1~679^2~20
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5dda683328f99c781f92c66cc52ffc0639bef58;p=pandora-kernel.git

SELinux: check seqno when updating an avc_node

The avc update node callbacks do not check the seqno of the caller with the
seqno of the node found.  It is possible that a policy change could happen
(although almost impossibly unlikely) in which a permissive or
permissive_domain decision is not valid for the entry found.  Simply pass
and check that the seqno of the caller and the seqno of the node found
match.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
---

Reading git-diff-tree failed