SELinux: allow default source/target selectors for user/role/range
[~andy/linux] / security / selinux / ss / mls.c
index fbf9c5816c716a0d9898d7ae5dd91ae6f12575a2..40de8d3f208ecf95db162f4ae355d0d53ba99265 100644 (file)
@@ -517,6 +517,8 @@ int mls_compute_sid(struct context *scontext,
 {
        struct range_trans rtr;
        struct mls_range *r;
+       struct class_datum *cladatum;
+       int default_range = 0;
 
        if (!policydb.mls_enabled)
                return 0;
@@ -530,6 +532,28 @@ int mls_compute_sid(struct context *scontext,
                r = hashtab_search(policydb.range_tr, &rtr);
                if (r)
                        return mls_range_set(newcontext, r);
+
+               if (tclass && tclass <= policydb.p_classes.nprim) {
+                       cladatum = policydb.class_val_to_struct[tclass - 1];
+                       if (cladatum)
+                               default_range = cladatum->default_range;
+               }
+
+               switch (default_range) {
+               case DEFAULT_SOURCE_LOW:
+                       return mls_context_cpy_low(newcontext, scontext);
+               case DEFAULT_SOURCE_HIGH:
+                       return mls_context_cpy_high(newcontext, scontext);
+               case DEFAULT_SOURCE_LOW_HIGH:
+                       return mls_context_cpy(newcontext, scontext);
+               case DEFAULT_TARGET_LOW:
+                       return mls_context_cpy_low(newcontext, tcontext);
+               case DEFAULT_TARGET_HIGH:
+                       return mls_context_cpy_high(newcontext, tcontext);
+               case DEFAULT_TARGET_LOW_HIGH:
+                       return mls_context_cpy(newcontext, tcontext);
+               }
+
                /* Fallthrough */
        case AVTAB_CHANGE:
                if ((tclass == policydb.process_class) || (sock == true))
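Review bot: The added `switch (default_range)` has no `default:` arm, so 0 and any value outside the six `DEFAULT_*` constants drop silently into the `AVTAB_CHANGE` logic; `cladatum->default_range` presumably comes from the loaded policy, and whether it is range-checked at load time is not visible in this hunk. Falling back to the class-based default is probably the intended result for an unset selector, but it should be explicit, e.g. `default: break; /* unset or unrecognized selector: use the class-based default below */`. The existing `/* Fallthrough */` comment now sits directly after the inner switch and reads as if it belonged to it; I would reword it to `/* No range_transition rule and no class default_range: fall through to AVTAB_CHANGE */`. The body of mls_compute_sid starts and ends outside the hunk, so the outer switch and its remaining cases are not reviewed here.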