From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch against 2.6.9 adds a DAC ownership check to the existing MAC
permission checks when setting the security.selinux attribute via setxattr.
In the past, the MAC permission checks were viewed as sufficient for
controlling relabeling operations, but experience in the Fedora SELinux
integration has shown that a DAC check is also appropriate here,
particularly under targeted policy.

Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/security/selinux/hooks.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN security/selinux/hooks.c~add-dac-check-for-setxattrsecurityselinux security/selinux/hooks.c
--- 25/security/selinux/hooks.c~add-dac-check-for-setxattrsecurityselinux	Wed Oct 20 16:15:54 2004
+++ 25-akpm/security/selinux/hooks.c	Wed Oct 20 16:15:54 2004
@@ -2237,6 +2237,9 @@ static int selinux_inode_setxattr(struct
 	if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
 		return -EOPNOTSUPP;
 
+	if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
+		return -EPERM;
+
 	AVC_AUDIT_DATA_INIT(&ad,FS);
 	ad.u.fs.dentry = dentry;
 
_