selinux: dynamic class/perm discovery

Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux.  A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.

The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC.  The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.

The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed.  The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers.  Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values.  The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.

The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping.  The old kernel class validation
logic is completely replaced by the mapping logic.

The handle unknown logic is reworked.  reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic.  allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector.  If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.

avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.

The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel.  It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

scripts/selinux/mdp/mdp.c

@@ -29,86 +29,27 @@
 #include <unistd.h>
 #include <string.h>
 
-#include "flask.h"
-
 static void usage(char *name)
 {
 	printf("usage: %s [-m] policy_file context_file\n", name);
 	exit(1);
 }
 
-static void find_common_name(char *cname, char *dest, int len)
-{
-	char *start, *end;
-
-	start = strchr(cname, '_')+1;
-	end = strchr(start, '_');
-	if (!start || !end || start-cname > len || end-start > len) {
-		printf("Error with commons defines\n");
-		exit(1);
-	}
-	strncpy(dest, start, end-start);
-	dest[end-start] = '\0';
-}
-
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
-	NULL
+/* Class/perm mapping support */
+struct security_class_mapping {
+	const char *name;
+	const char *perms[sizeof(unsigned) * 8 + 1];
 };
-#undef S_
 
+#include "classmap.h"
 #include "initial_sid_to_string.h"
 
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-struct common {
-	char *cname;
-	char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
-	int class;
-	char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
-	int class;
-	int perm_i;
-	char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
-
 int main(int argc, char *argv[])
 {
 	int i, j, mls = 0;
+	int initial_sid_to_string_len;
 	char **arg, *polout, *ctxout;
-	int classlist_len, initial_sid_to_string_len;
+
 	FILE *fout;
 
 	if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
 		usage(argv[0]);
 	}
 
-	classlist_len = sizeof(classlist) / sizeof(char *);
 	/* print out the classes */
-	for (i=1; i < classlist_len; i++) {
-		if(classlist[i])
-			fprintf(fout, "class %s\n", classlist[i]);
-		else
-			fprintf(fout, "class user%d\n", i);
-	}
+	for (i = 0; secclass_map[i].name; i++)
+		fprintf(fout, "class %s\n", secclass_map[i].name);
 	fprintf(fout, "\n");
 
 	initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
 	/* print out the sids */
-	for (i=1; i < initial_sid_to_string_len; i++)
+	for (i = 1; i < initial_sid_to_string_len; i++)
 		fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
 	fprintf(fout, "\n");
 
-	/* print out the commons */
-	for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
-		char cname[101];
-		find_common_name(common[i].cname, cname, 100);
-		cname[100] = '\0';
-		fprintf(fout, "common %s\n{\n", cname);
-		for (j=0; common[i].perms[j]; j++)
-			fprintf(fout, "\t%s\n", common[i].perms[j]);
-		fprintf(fout, "}\n\n");
-	}
-	fprintf(fout, "\n");
-
 	/* print out the class permissions */
-	for (i=1; i < classlist_len; i++) {
-		if (classlist[i]) {
-			int firstperm = -1, numperms = 0;
-
-			fprintf(fout, "class %s\n", classlist[i]);
-			/* does it inherit from a common? */
-			for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
-				if (av_inherit[j].class == i)
-					fprintf(fout, "inherits %s\n", av_inherit[j].common);
-
-			for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
-				if (av_perms[j].class == i) {
-					if (firstperm == -1)
-						firstperm = j;
-					numperms++;
-				}
-			}
-			if (!numperms) {
-				fprintf(fout, "\n");
-				continue;
-			}
-
-			fprintf(fout, "{\n");
-			/* print out the av_perms */
-			for (j=0; j < numperms; j++) {
-				fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
-			}
-			fprintf(fout, "}\n\n");
-		}
+	for (i = 0; secclass_map[i].name; i++) {
+		struct security_class_mapping *map = &secclass_map[i];
+		fprintf(fout, "class %s\n", map->name);
+		fprintf(fout, "{\n");
+		for (j = 0; map->perms[j]; j++)
+			fprintf(fout, "\t%s\n", map->perms[j]);
+		fprintf(fout, "}\n\n");
 	}
 	fprintf(fout, "\n");
 
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
 	/* types, roles, and allows */
 	fprintf(fout, "type base_t;\n");
 	fprintf(fout, "role base_r types { base_t };\n");
-	for (i=1; i < classlist_len; i++) {
-		if (classlist[i])
-			fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
-		else
-			fprintf(fout, "allow base_t base_t:user%d *;\n", i);
-	}
+	for (i = 0; secclass_map[i].name; i++)
+		fprintf(fout, "allow base_t base_t:%s *;\n",
+			secclass_map[i].name);
 	fprintf(fout, "user user_u roles { base_r };\n");
 	fprintf(fout, "\n");
 
 	/* default sids */
-	for (i=1; i < initial_sid_to_string_len; i++)
+	for (i = 1; i < initial_sid_to_string_len; i++)
 		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
 	fprintf(fout, "\n");
 
-
 	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
 
+	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
 
+	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
 	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
 

security/selinux/avc.c

@@ -31,43 +31,7 @@
 #include <net/ipv6.h>
 #include "avc.h"
 #include "avc_ss.h"
-
-static const struct av_perm_to_string av_perm_to_string[] = {
-#define S_(c, v, s) { c, v, s },
-#include "av_perm_to_string.h"
-#undef S_
-};
-
-static const char *class_to_string[] = {
-#define S_(s) s,
-#include "class_to_string.h"
-#undef S_
-};
-
-#define TB_(s) static const char *s[] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) {	.tclass = c,\
-			.common_pts = common_##i##_perm_to_string,\
-			.common_base =  b },
-#include "av_inherit.h"
-#undef S_
-};
-
-const struct selinux_class_perm selinux_class_perm = {
-	.av_perm_to_string = av_perm_to_string,
-	.av_pts_len = ARRAY_SIZE(av_perm_to_string),
-	.class_to_string = class_to_string,
-	.cts_len = ARRAY_SIZE(class_to_string),
-	.av_inherit = av_inherit,
-	.av_inherit_len = ARRAY_SIZE(av_inherit)
-};
+#include "classmap.h"
 
 #define AVC_CACHE_SLOTS			512
 #define AVC_DEF_CACHE_THRESHOLD		512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
  */
 static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
 {
-	const char **common_pts = NULL;
-	u32 common_base = 0;
-	int i, i2, perm;
+	const char **perms;
+	int i, perm;
 
 	if (av == 0) {
 		audit_log_format(ab, " null");
 		return;
 	}
 
-	for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
-		if (av_inherit[i].tclass == tclass) {
-			common_pts = av_inherit[i].common_pts;
-			common_base = av_inherit[i].common_base;
-			break;
-		}
-	}
+	perms = secclass_map[tclass-1].perms;
 
 	audit_log_format(ab, " {");
 	i = 0;
 	perm = 1;
-	while (perm < common_base) {
+	while (i < (sizeof(av) * 8)) {
 		if (perm & av) {
-			audit_log_format(ab, " %s", common_pts[i]);
+			audit_log_format(ab, " %s", perms[i]);
 			av &= ~perm;
 		}
 		i++;
 		perm <<= 1;
 	}
 
-	while (i < sizeof(av) * 8) {
-		if (perm & av) {
-			for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
-				if ((av_perm_to_string[i2].tclass == tclass) &&
-				    (av_perm_to_string[i2].value == perm))
-					break;
-			}
-			if (i2 < ARRAY_SIZE(av_perm_to_string)) {
-				audit_log_format(ab, " %s",
-						 av_perm_to_string[i2].name);
-				av &= ~perm;
-			}
-		}
-		i++;
-		perm <<= 1;
-	}
-
 	if (av)
 		audit_log_format(ab, " 0x%x", av);
 
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
 		kfree(scontext);
 	}
 
-	BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
-	audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
+	BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
+	audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
 }
 
 /**

security/selinux/include/av_inherit.h

@@ -1,34 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_DIR, file, 0x00020000UL)
-   S_(SECCLASS_FILE, file, 0x00020000UL)
-   S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
-   S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
-   S_(SECCLASS_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_IPC, ipc, 0x00000200UL)
-   S_(SECCLASS_SEM, ipc, 0x00000200UL)
-   S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
-   S_(SECCLASS_SHM, ipc, 0x00000200UL)
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)

security/selinux/include/av_perm_to_string.h

@@ -1,183 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
-   S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
-   S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
-   S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
-   S_(SECCLASS_DIR, DIR__SEARCH, "search")
-   S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
-   S_(SECCLASS_DIR, DIR__OPEN, "open")
-   S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
-   S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
-   S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
-   S_(SECCLASS_FILE, FILE__OPEN, "open")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
-   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
-   S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
-   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
-   S_(SECCLASS_FD, FD__USE, "use")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
-   S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
-   S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
-   S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
-   S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
-   S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
-   S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
-   S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
-   S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
-   S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
-   S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
-   S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
-   S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
-   S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
-   S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
-   S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
-   S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
-   S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
-   S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
-   S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
-   S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
-   S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
-   S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
-   S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
-   S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
-   S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
-   S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
-   S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
-   S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
-   S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
-   S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
-   S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
-   S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
-   S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
-   S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
-   S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
-   S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
-   S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
-   S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
-   S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
-   S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
-   S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
-   S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
-   S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
-   S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
-   S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
-   S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
-   S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
-   S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
-   S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
-   S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
-   S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
-   S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
-   S_(SECCLASS_MSG, MSG__SEND, "send")
-   S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
-   S_(SECCLASS_SHM, SHM__LOCK, "lock")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
-   S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
-   S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
-   S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
-   S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
-   S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
-   S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
-   S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
-   S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
-   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
-   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
-   S_(SECCLASS_PACKET, PACKET__SEND, "send")
-   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
-   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
-   S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
-   S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
-   S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
-   S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
-   S_(SECCLASS_KEY, KEY__VIEW, "view")
-   S_(SECCLASS_KEY, KEY__READ, "read")
-   S_(SECCLASS_KEY, KEY__WRITE, "write")
-   S_(SECCLASS_KEY, KEY__SEARCH, "search")
-   S_(SECCLASS_KEY, KEY__LINK, "link")
-   S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
-   S_(SECCLASS_KEY, KEY__CREATE, "create")
-   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
-   S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
-   S_(SECCLASS_PEER, PEER__RECV, "recv")
-   S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
-   S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")

security/selinux/include/av_permissions.h

@@ -423,28 +423,6 @@
 #define UNIX_DGRAM_SOCKET__RECV_MSG               0x00080000UL
 #define UNIX_DGRAM_SOCKET__SEND_MSG               0x00100000UL
 #define UNIX_DGRAM_SOCKET__NAME_BIND              0x00200000UL
-#define TUN_SOCKET__IOCTL                         0x00000001UL
-#define TUN_SOCKET__READ                          0x00000002UL
-#define TUN_SOCKET__WRITE                         0x00000004UL
-#define TUN_SOCKET__CREATE                        0x00000008UL
-#define TUN_SOCKET__GETATTR                       0x00000010UL
-#define TUN_SOCKET__SETATTR                       0x00000020UL
-#define TUN_SOCKET__LOCK                          0x00000040UL
-#define TUN_SOCKET__RELABELFROM                   0x00000080UL
-#define TUN_SOCKET__RELABELTO                     0x00000100UL
-#define TUN_SOCKET__APPEND                        0x00000200UL
-#define TUN_SOCKET__BIND                          0x00000400UL
-#define TUN_SOCKET__CONNECT                       0x00000800UL
-#define TUN_SOCKET__LISTEN                        0x00001000UL
-#define TUN_SOCKET__ACCEPT                        0x00002000UL
-#define TUN_SOCKET__GETOPT                        0x00004000UL
-#define TUN_SOCKET__SETOPT                        0x00008000UL
-#define TUN_SOCKET__SHUTDOWN                      0x00010000UL
-#define TUN_SOCKET__RECVFROM                      0x00020000UL
-#define TUN_SOCKET__SENDTO                        0x00040000UL
-#define TUN_SOCKET__RECV_MSG                      0x00080000UL
-#define TUN_SOCKET__SEND_MSG                      0x00100000UL
-#define TUN_SOCKET__NAME_BIND                     0x00200000UL
 #define PROCESS__FORK                             0x00000001UL
 #define PROCESS__TRANSITION                       0x00000002UL
 #define PROCESS__SIGCHLD                          0x00000004UL
@@ -868,3 +846,25 @@
 #define PEER__RECV                                0x00000001UL
 #define KERNEL_SERVICE__USE_AS_OVERRIDE           0x00000001UL
 #define KERNEL_SERVICE__CREATE_FILES_AS           0x00000002UL
+#define TUN_SOCKET__IOCTL                         0x00000001UL
+#define TUN_SOCKET__READ                          0x00000002UL
+#define TUN_SOCKET__WRITE                         0x00000004UL
+#define TUN_SOCKET__CREATE                        0x00000008UL
+#define TUN_SOCKET__GETATTR                       0x00000010UL
+#define TUN_SOCKET__SETATTR                       0x00000020UL
+#define TUN_SOCKET__LOCK                          0x00000040UL
+#define TUN_SOCKET__RELABELFROM                   0x00000080UL
+#define TUN_SOCKET__RELABELTO                     0x00000100UL
+#define TUN_SOCKET__APPEND                        0x00000200UL
+#define TUN_SOCKET__BIND                          0x00000400UL
+#define TUN_SOCKET__CONNECT                       0x00000800UL
+#define TUN_SOCKET__LISTEN                        0x00001000UL
+#define TUN_SOCKET__ACCEPT                        0x00002000UL
+#define TUN_SOCKET__GETOPT                        0x00004000UL
+#define TUN_SOCKET__SETOPT                        0x00008000UL
+#define TUN_SOCKET__SHUTDOWN                      0x00010000UL
+#define TUN_SOCKET__RECVFROM                      0x00020000UL
+#define TUN_SOCKET__SENDTO                        0x00040000UL
+#define TUN_SOCKET__RECV_MSG                      0x00080000UL
+#define TUN_SOCKET__SEND_MSG                      0x00100000UL
+#define TUN_SOCKET__NAME_BIND                     0x00200000UL

security/selinux/include/avc_ss.h

@@ -10,26 +10,13 @@
 
 int avc_ss_reset(u32 seqno);
 
-struct av_perm_to_string {
-	u16 tclass;
-	u32 value;
+/* Class/perm mapping support */
+struct security_class_mapping {
 	const char *name;
+	const char *perms[sizeof(u32) * 8 + 1];
 };
 
-struct av_inherit {
-	const char **common_pts;
-	u32 common_base;
-	u16 tclass;
-};
-
-struct selinux_class_perm {
-	const struct av_perm_to_string *av_perm_to_string;
-	u32 av_pts_len;
-	u32 cts_len;
-	const char **class_to_string;
-	const struct av_inherit *av_inherit;
-	u32 av_inherit_len;
-};
+extern struct security_class_mapping secclass_map[];
 
 #endif /* _SELINUX_AVC_SS_H_ */
 

security/selinux/include/class_to_string.h

@@ -1,80 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-/*
- * Security object class definitions
- */
-    S_(NULL)
-    S_("security")
-    S_("process")
-    S_("system")
-    S_("capability")
-    S_("filesystem")
-    S_("file")
-    S_("dir")
-    S_("fd")
-    S_("lnk_file")
-    S_("chr_file")
-    S_("blk_file")
-    S_("sock_file")
-    S_("fifo_file")
-    S_("socket")
-    S_("tcp_socket")
-    S_("udp_socket")
-    S_("rawip_socket")
-    S_("node")
-    S_("netif")
-    S_("netlink_socket")
-    S_("packet_socket")
-    S_("key_socket")
-    S_("unix_stream_socket")
-    S_("unix_dgram_socket")
-    S_("sem")
-    S_("msg")
-    S_("msgq")
-    S_("shm")
-    S_("ipc")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("netlink_route_socket")
-    S_("netlink_firewall_socket")
-    S_("netlink_tcpdiag_socket")
-    S_("netlink_nflog_socket")
-    S_("netlink_xfrm_socket")
-    S_("netlink_selinux_socket")
-    S_("netlink_audit_socket")
-    S_("netlink_ip6fw_socket")
-    S_("netlink_dnrt_socket")
-    S_(NULL)
-    S_(NULL)
-    S_("association")
-    S_("netlink_kobject_uevent_socket")
-    S_("appletalk_socket")
-    S_("packet")
-    S_("key")
-    S_(NULL)
-    S_("dccp_socket")
-    S_("memprotect")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("peer")
-    S_("capability2")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("kernel_service")
-    S_("tun_socket")

security/selinux/include/classmap.h

@@ -0,0 +1,150 @@
+#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
+    "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+
+#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
+    "rename", "execute", "swapon", "quotaon", "mounton"
+
+#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
+    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
+    "sendto", "recv_msg", "send_msg", "name_bind"
+
+#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
+	    "write", "associate", "unix_read", "unix_write"
+
+struct security_class_mapping secclass_map[] = {
+	{ "security",
+	  { "compute_av", "compute_create", "compute_member",
+	    "check_context", "load_policy", "compute_relabel",
+	    "compute_user", "setenforce", "setbool", "setsecparam",
+	    "setcheckreqprot", NULL } },
+	{ "process",
+	  { "fork", "transition", "sigchld", "sigkill",
+	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
+	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
+	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+	    "execmem", "execstack", "execheap", "setkeycreate",
+	    "setsockcreate", NULL } },
+	{ "system",
+	  { "ipc_info", "syslog_read", "syslog_mod",
+	    "syslog_console", "module_request", NULL } },
+	{ "capability",
+	  { "chown", "dac_override", "dac_read_search",
+	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
+	    "linux_immutable", "net_bind_service", "net_broadcast",
+	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
+	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
+	    "sys_boot", "sys_nice", "sys_resource", "sys_time",
+	    "sys_tty_config", "mknod", "lease", "audit_write",
+	    "audit_control", "setfcap", NULL } },
+	{ "filesystem",
+	  { "mount", "remount", "unmount", "getattr",
+	    "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+	    "quotaget", NULL } },
+	{ "file",
+	  { COMMON_FILE_PERMS,
+	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+	{ "dir",
+	  { COMMON_FILE_PERMS, "add_name", "remove_name",
+	    "reparent", "search", "rmdir", "open", NULL } },
+	{ "fd", { "use", NULL } },
+	{ "lnk_file",
+	  { COMMON_FILE_PERMS, NULL } },
+	{ "chr_file",
+	  { COMMON_FILE_PERMS,
+	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+	{ "blk_file",
+	  { COMMON_FILE_PERMS, "open", NULL } },
+	{ "sock_file",
+	  { COMMON_FILE_PERMS, "open", NULL } },
+	{ "fifo_file",
+	  { COMMON_FILE_PERMS, "open", NULL } },
+	{ "socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "tcp_socket",
+	  { COMMON_SOCK_PERMS,
+	    "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+	    NULL } },
+	{ "udp_socket",
+	  { COMMON_SOCK_PERMS,
+	    "node_bind", NULL } },
+	{ "rawip_socket",
+	  { COMMON_SOCK_PERMS,
+	    "node_bind", NULL } },
+	{ "node",
+	  { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+	    "rawip_recv", "rawip_send", "enforce_dest",
+	    "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+	{ "netif",
+	  {  "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+	     "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
+	     "ingress", "egress", NULL } },
+	{ "netlink_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "packet_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "key_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "unix_stream_socket",
+	  { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
+	  } },
+	{ "unix_dgram_socket",
+	  { COMMON_SOCK_PERMS, NULL
+	  } },
+	{ "sem",
+	  { COMMON_IPC_PERMS, NULL } },
+	{ "msg", { "send", "receive", NULL } },
+	{ "msgq",
+	  { COMMON_IPC_PERMS, "enqueue", NULL } },
+	{ "shm",
+	  { COMMON_IPC_PERMS, "lock", NULL } },
+	{ "ipc",
+	  { COMMON_IPC_PERMS, NULL } },
+	{ "netlink_route_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_firewall_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_tcpdiag_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_nflog_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_xfrm_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_selinux_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "netlink_audit_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
+	    "nlmsg_tty_audit", NULL } },
+	{ "netlink_ip6fw_socket",
+	  { COMMON_SOCK_PERMS,
+	    "nlmsg_read", "nlmsg_write", NULL } },
+	{ "netlink_dnrt_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "association",
+	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
+	{ "netlink_kobject_uevent_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "appletalk_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ "packet",
+	  { "send", "recv", "relabelto", "flow_in", "flow_out",
+	    "forward_in", "forward_out", NULL } },
+	{ "key",
+	  { "view", "read", "write", "search", "link", "setattr", "create",
+	    NULL } },
+	{ "dccp_socket",
+	  { COMMON_SOCK_PERMS,
+	    "node_bind", "name_connect", NULL } },
+	{ "memprotect", { "mmap_zero", NULL } },
+	{ "peer", { "recv", NULL } },
+	{ "capability2", { "mac_override", "mac_admin", NULL } },
+	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
+	{ "tun_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
+	{ NULL }
+  };

security/selinux/include/common_perm_to_string.h

@@ -1,58 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-TB_(common_file_perm_to_string)
-    S_("ioctl")
-    S_("read")
-    S_("write")
-    S_("create")
-    S_("getattr")
-    S_("setattr")
-    S_("lock")
-    S_("relabelfrom")
-    S_("relabelto")
-    S_("append")
-    S_("unlink")
-    S_("link")
-    S_("rename")
-    S_("execute")
-    S_("swapon")
-    S_("quotaon")
-    S_("mounton")
-TE_(common_file_perm_to_string)
-
-TB_(common_socket_perm_to_string)
-    S_("ioctl")
-    S_("read")
-    S_("write")
-    S_("create")
-    S_("getattr")
-    S_("setattr")
-    S_("lock")
-    S_("relabelfrom")
-    S_("relabelto")
-    S_("append")
-    S_("bind")
-    S_("connect")
-    S_("listen")
-    S_("accept")
-    S_("getopt")
-    S_("setopt")
-    S_("shutdown")
-    S_("recvfrom")
-    S_("sendto")
-    S_("recv_msg")
-    S_("send_msg")
-    S_("name_bind")
-TE_(common_socket_perm_to_string)
-
-TB_(common_ipc_perm_to_string)
-    S_("create")
-    S_("destroy")
-    S_("getattr")
-    S_("setattr")
-    S_("read")
-    S_("write")
-    S_("associate")
-    S_("unix_read")
-    S_("unix_write")
-TE_(common_ipc_perm_to_string)
-

security/selinux/include/flask.h

@@ -34,26 +34,26 @@
 #define SECCLASS_MSGQ                                    27
 #define SECCLASS_SHM                                     28
 #define SECCLASS_IPC                                     29
-#define SECCLASS_NETLINK_ROUTE_SOCKET                    43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET                 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET                  45
-#define SECCLASS_NETLINK_NFLOG_SOCKET                    46
-#define SECCLASS_NETLINK_XFRM_SOCKET                     47
-#define SECCLASS_NETLINK_SELINUX_SOCKET                  48
-#define SECCLASS_NETLINK_AUDIT_SOCKET                    49
-#define SECCLASS_NETLINK_IP6FW_SOCKET                    50
-#define SECCLASS_NETLINK_DNRT_SOCKET                     51
-#define SECCLASS_ASSOCIATION                             54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
-#define SECCLASS_APPLETALK_SOCKET                        56
-#define SECCLASS_PACKET                                  57
-#define SECCLASS_KEY                                     58
-#define SECCLASS_DCCP_SOCKET                             60
-#define SECCLASS_MEMPROTECT                              61
-#define SECCLASS_PEER                                    68
-#define SECCLASS_CAPABILITY2                             69
-#define SECCLASS_KERNEL_SERVICE                          74
-#define SECCLASS_TUN_SOCKET                              75
+#define SECCLASS_NETLINK_ROUTE_SOCKET                    30
+#define SECCLASS_NETLINK_FIREWALL_SOCKET                 31
+#define SECCLASS_NETLINK_TCPDIAG_SOCKET                  32
+#define SECCLASS_NETLINK_NFLOG_SOCKET                    33
+#define SECCLASS_NETLINK_XFRM_SOCKET                     34
+#define SECCLASS_NETLINK_SELINUX_SOCKET                  35
+#define SECCLASS_NETLINK_AUDIT_SOCKET                    36
+#define SECCLASS_NETLINK_IP6FW_SOCKET                    37
+#define SECCLASS_NETLINK_DNRT_SOCKET                     38
+#define SECCLASS_ASSOCIATION                             39
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           40
+#define SECCLASS_APPLETALK_SOCKET                        41
+#define SECCLASS_PACKET                                  42
+#define SECCLASS_KEY                                     43
+#define SECCLASS_DCCP_SOCKET                             44
+#define SECCLASS_MEMPROTECT                              45
+#define SECCLASS_PEER                                    46
+#define SECCLASS_CAPABILITY2                             47
+#define SECCLASS_KERNEL_SERVICE                          48
+#define SECCLASS_TUN_SOCKET                              49
 
 /*
  * Security identifier indices for initial entities

security/selinux/include/security.h

@@ -97,11 +97,18 @@ struct av_decision {
 #define AVD_FLAGS_PERMISSIVE	0x0001
 
 int security_compute_av(u32 ssid, u32 tsid,
-	u16 tclass, u32 requested,
-	struct av_decision *avd);
+			u16 tclass, u32 requested,
+			struct av_decision *avd);
+
+int security_compute_av_user(u32 ssid, u32 tsid,
+			     u16 tclass, u32 requested,
+			     struct av_decision *avd);
 
 int security_transition_sid(u32 ssid, u32 tsid,
-	u16 tclass, u32 *out_sid);
+			    u16 tclass, u32 *out_sid);
+
+int security_transition_sid_user(u32 ssid, u32 tsid,
+				 u16 tclass, u32 *out_sid);
 
 int security_member_sid(u32 ssid, u32 tsid,
 	u16 tclass, u32 *out_sid);

security/selinux/selinuxfs.c

@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
 	if (length < 0)
 		goto out2;
 
-	length = security_compute_av(ssid, tsid, tclass, req, &avd);
+	length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
 	if (length < 0)
 		goto out2;
 
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
 	if (length < 0)
 		goto out2;
 
-	length = security_transition_sid(ssid, tsid, tclass, &newsid);
+	length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
 	if (length < 0)
 		goto out2;
 

security/selinux/ss/mls.c

@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
 		}
 		/* Fallthrough */
 	case AVTAB_CHANGE:
-		if (tclass == SECCLASS_PROCESS)
+		if (tclass == policydb.process_class)
 			/* Use the process MLS attributes. */
 			return mls_context_cpy(newcontext, scontext);
 		else

security/selinux/ss/policydb.c

@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
 			ebitmap_destroy(&p->type_attr_map[i]);
 	}
 	kfree(p->type_attr_map);
-	kfree(p->undefined_perms);
 	ebitmap_destroy(&p->policycaps);
 	ebitmap_destroy(&p->permissive_map);
 
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
 
 extern int ss_initialized;
 
+u16 string_to_security_class(struct policydb *p, const char *name)
+{
+	struct class_datum *cladatum;
+
+	cladatum = hashtab_search(p->p_classes.table, name);
+	if (!cladatum)
+		return 0;
+
+	return cladatum->value;
+}
+
+u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
+{
+	struct class_datum *cladatum;
+	struct perm_datum *perdatum = NULL;
+	struct common_datum *comdatum;
+
+	if (!tclass || tclass > p->p_classes.nprim)
+		return 0;
+
+	cladatum = p->class_val_to_struct[tclass-1];
+	comdatum = cladatum->comdatum;
+	if (comdatum)
+		perdatum = hashtab_search(comdatum->permissions.table,
+					  name);
+	if (!perdatum)
+		perdatum = hashtab_search(cladatum->permissions.table,
+					  name);
+	if (!perdatum)
+		return 0;
+
+	return 1U << (perdatum->value-1);
+}
+
 /*
  * Read the configuration data from a policy database binary
  * representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
 	if (rc)
 		goto bad;
 
+	p->process_class = string_to_security_class(p, "process");
+	if (!p->process_class)
+		goto bad;
+	p->process_trans_perms = string_to_av_perm(p, p->process_class,
+						   "transition");
+	p->process_trans_perms |= string_to_av_perm(p, p->process_class,
+						    "dyntransition");
+	if (!p->process_trans_perms)
+		goto bad;
+
 	for (i = 0; i < info->ocon_num; i++) {
 		rc = next_entry(buf, fp, sizeof(u32));
 		if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
 					goto bad;
 				rt->target_class = le32_to_cpu(buf[0]);
 			} else
-				rt->target_class = SECCLASS_PROCESS;
+				rt->target_class = p->process_class;
 			if (!policydb_type_isvalid(p, rt->source_type) ||
 			    !policydb_type_isvalid(p, rt->target_type) ||
 			    !policydb_class_isvalid(p, rt->target_class)) {

security/selinux/ss/policydb.h

@@ -254,7 +254,9 @@ struct policydb {
 
 	unsigned int reject_unknown : 1;
 	unsigned int allow_unknown : 1;
-	u32 *undefined_perms;
+
+	u16 process_class;
+	u32 process_trans_perms;
 };
 
 extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
 	return 0;
 }
 
+extern u16 string_to_security_class(struct policydb *p, const char *name);
+extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
+
 #endif	/* _SS_POLICYDB_H_ */
 

security/selinux/ss/services.c

@@ -70,11 +70,6 @@ unsigned int policydb_loaded_version;
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
-
 static DEFINE_RWLOCK(policy_rwlock);
 
 static struct sidtab sidtab;
@@ -98,6 +93,158 @@ static int context_struct_compute_av(struct context *scontext,
 				     u16 tclass,
 				     u32 requested,
 				     struct av_decision *avd);
+
+struct selinux_mapping {
+	u16 value; /* policy value */
+	unsigned num_perms;
+	u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+			       struct security_class_mapping *map,
+			       struct selinux_mapping **out_map_p,
+			       u16 *out_map_size)
+{
+	struct selinux_mapping *out_map = NULL;
+	size_t size = sizeof(struct selinux_mapping);
+	u16 i, j;
+	unsigned k;
+	bool print_unknown_handle = false;
+
+	/* Find number of classes in the input mapping */
+	if (!map)
+		return -EINVAL;
+	i = 0;
+	while (map[i].name)
+		i++;
+
+	/* Allocate space for the class records, plus one for class zero */
+	out_map = kcalloc(++i, size, GFP_ATOMIC);
+	if (!out_map)
+		return -ENOMEM;
+
+	/* Store the raw class and permission values */
+	j = 0;
+	while (map[j].name) {
+		struct security_class_mapping *p_in = map + (j++);
+		struct selinux_mapping *p_out = out_map + j;
+
+		/* An empty class string skips ahead */
+		if (!strcmp(p_in->name, "")) {
+			p_out->num_perms = 0;
+			continue;
+		}
+
+		p_out->value = string_to_security_class(pol, p_in->name);
+		if (!p_out->value) {
+			printk(KERN_INFO
+			       "SELinux:  Class %s not defined in policy.\n",
+			       p_in->name);
+			if (pol->reject_unknown)
+				goto err;
+			p_out->num_perms = 0;
+			print_unknown_handle = true;
+			continue;
+		}
+
+		k = 0;
+		while (p_in->perms && p_in->perms[k]) {
+			/* An empty permission string skips ahead */
+			if (!*p_in->perms[k]) {
+				k++;
+				continue;
+			}
+			p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+							    p_in->perms[k]);
+			if (!p_out->perms[k]) {
+				printk(KERN_INFO
+				       "SELinux:  Permission %s in class %s not defined in policy.\n",
+				       p_in->perms[k], p_in->name);
+				if (pol->reject_unknown)
+					goto err;
+				print_unknown_handle = true;
+			}
+
+			k++;
+		}
+		p_out->num_perms = k;
+	}
+
+	if (print_unknown_handle)
+		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+		       pol->allow_unknown ? "allowed" : "denied");
+
+	*out_map_p = out_map;
+	*out_map_size = i;
+	return 0;
+err:
+	kfree(out_map);
+	return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+	if (tclass < current_mapping_size)
+		return current_mapping[tclass].value;
+
+	return tclass;
+}
+
+static u32 unmap_perm(u16 tclass, u32 tperm)
+{
+	if (tclass < current_mapping_size) {
+		unsigned i;
+		u32 kperm = 0;
+
+		for (i = 0; i < current_mapping[tclass].num_perms; i++)
+			if (tperm & (1<<i)) {
+				kperm |= current_mapping[tclass].perms[i];
+				tperm &= ~(1<<i);
+			}
+		return kperm;
+	}
+
+	return tperm;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+			 int allow_unknown)
+{
+	if (tclass < current_mapping_size) {
+		unsigned i, n = current_mapping[tclass].num_perms;
+		u32 result;
+
+		for (i = 0, result = 0; i < n; i++) {
+			if (avd->allowed & current_mapping[tclass].perms[i])
+				result |= 1<<i;
+			if (allow_unknown && !current_mapping[tclass].perms[i])
+				result |= 1<<i;
+		}
+		avd->allowed = result;
+
+		for (i = 0, result = 0; i < n; i++)
+			if (avd->auditallow & current_mapping[tclass].perms[i])
+				result |= 1<<i;
+		avd->auditallow = result;
+
+		for (i = 0, result = 0; i < n; i++) {
+			if (avd->auditdeny & current_mapping[tclass].perms[i])
+				result |= 1<<i;
+			if (!allow_unknown && !current_mapping[tclass].perms[i])
+				result |= 1<<i;
+		}
+		avd->auditdeny = result;
+	}
+}
+
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -467,7 +614,6 @@ static int context_struct_compute_av(struct context *scontext,
 	struct class_datum *tclass_datum;
 	struct ebitmap *sattr, *tattr;
 	struct ebitmap_node *snode, *tnode;
-	const struct selinux_class_perm *kdefs = &selinux_class_perm;
 	unsigned int i, j;
 
 	/*
@@ -477,9 +623,9 @@ static int context_struct_compute_av(struct context *scontext,
 	 * to remain in the correct class.
 	 */
 	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-			tclass = SECCLASS_NETLINK_SOCKET;
+		if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
+		    tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
+			tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
 
 	/*
 	 * Initialize the access vectors to the default values.
@@ -490,33 +636,11 @@ static int context_struct_compute_av(struct context *scontext,
 	avd->seqno = latest_granting;
 	avd->flags = 0;
 
-	/*
-	 * Check for all the invalid cases.
-	 * - tclass 0
-	 * - tclass > policy and > kernel
-	 * - tclass > policy but is a userspace class
-	 * - tclass > policy but we do not allow unknowns
-	 */
-	if (unlikely(!tclass))
-		goto inval_class;
-	if (unlikely(tclass > policydb.p_classes.nprim))
-		if (tclass > kdefs->cts_len ||
-		    !kdefs->class_to_string[tclass] ||
-		    !policydb.allow_unknown)
-			goto inval_class;
-
-	/*
-	 * Kernel class and we allow unknown so pad the allow decision
-	 * the pad will be all 1 for unknown classes.
-	 */
-	if (tclass <= kdefs->cts_len && policydb.allow_unknown)
-		avd->allowed = policydb.undefined_perms[tclass - 1];
-
-	/*
-	 * Not in policy. Since decision is completed (all 1 or all 0) return.
-	 */
-	if (unlikely(tclass > policydb.p_classes.nprim))
-		return 0;
+	if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+		if (printk_ratelimit())
+			printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
+		return -EINVAL;
+	}
 
 	tclass_datum = policydb.class_val_to_struct[tclass - 1];
 
@@ -568,8 +692,8 @@ static int context_struct_compute_av(struct context *scontext,
 	 * role is changing, then check the (current_role, new_role)
 	 * pair.
 	 */
-	if (tclass == SECCLASS_PROCESS &&
-	    (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+	if (tclass == policydb.process_class &&
+	    (avd->allowed & policydb.process_trans_perms) &&
 	    scontext->role != tcontext->role) {
 		for (ra = policydb.role_allow; ra; ra = ra->next) {
 			if (scontext->role == ra->role &&
@@ -577,8 +701,7 @@ static int context_struct_compute_av(struct context *scontext,
 				break;
 		}
 		if (!ra)
-			avd->allowed &= ~(PROCESS__TRANSITION |
-					  PROCESS__DYNTRANSITION);
+			avd->allowed &= ~policydb.process_trans_perms;
 	}
 
 	/*
@@ -590,21 +713,6 @@ static int context_struct_compute_av(struct context *scontext,
 				 tclass, requested, avd);
 
 	return 0;
-
-inval_class:
-	if (!tclass || tclass > kdefs->cts_len ||
-	    !kdefs->class_to_string[tclass]) {
-		if (printk_ratelimit())
-			printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
-			       __func__, tclass);
-		return -EINVAL;
-	}
-
-	/*
-	 * Known to the kernel, but not to the policy.
-	 * Handle as a denial (allowed is 0).
-	 */
-	return 0;
 }
 
 static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +744,14 @@ out:
 }
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-				 u16 tclass)
+				 u16 orig_tclass)
 {
 	struct context *ocontext;
 	struct context *ncontext;
 	struct context *tcontext;
 	struct class_datum *tclass_datum;
 	struct constraint_node *constraint;
+	u16 tclass;
 	int rc = 0;
 
 	if (!ss_initialized)
@@ -650,6 +759,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
 	read_lock(&policy_rwlock);
 
+	tclass = unmap_class(orig_tclass);
+
 	/*
 	 * Remap extended Netlink classes for old policy versions.
 	 * Do this here rather than socket_type_to_security_class()
@@ -657,9 +768,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 	 * to remain in the correct class.
 	 */
 	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-			tclass = SECCLASS_NETLINK_SOCKET;
+		if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
+		    tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
+			tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
 
 	if (!tclass || tclass > policydb.p_classes.nprim) {
 		printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
@@ -792,6 +903,38 @@ out:
 }
 
 
+static int security_compute_av_core(u32 ssid,
+				    u32 tsid,
+				    u16 tclass,
+				    u32 requested,
+				    struct av_decision *avd)
+{
+	struct context *scontext = NULL, *tcontext = NULL;
+	int rc = 0;
+
+	scontext = sidtab_search(&sidtab, ssid);
+	if (!scontext) {
+		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+		       __func__, ssid);
+		return -EINVAL;
+	}
+	tcontext = sidtab_search(&sidtab, tsid);
+	if (!tcontext) {
+		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+		       __func__, tsid);
+		return -EINVAL;
+	}
+
+	rc = context_struct_compute_av(scontext, tcontext, tclass,
+				       requested, avd);
+
+	/* permissive domain? */
+	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+		avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+	return rc;
+}
+
 /**
  * security_compute_av - Compute access vector decisions.
  * @ssid: source security identifier
@@ -807,12 +950,45 @@ out:
  */
 int security_compute_av(u32 ssid,
 			u32 tsid,
-			u16 tclass,
-			u32 requested,
+			u16 orig_tclass,
+			u32 orig_requested,
 			struct av_decision *avd)
 {
-	struct context *scontext = NULL, *tcontext = NULL;
-	int rc = 0;
+	u16 tclass;
+	u32 requested;
+	int rc;
+
+	if (!ss_initialized)
+		goto allow;
+
+	read_lock(&policy_rwlock);
+	requested = unmap_perm(orig_tclass, orig_requested);
+	tclass = unmap_class(orig_tclass);
+	if (unlikely(orig_tclass && !tclass)) {
+		if (policydb.allow_unknown)
+			goto allow;
+		return -EINVAL;
+	}
+	rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
+	map_decision(orig_tclass, avd, policydb.allow_unknown);
+	read_unlock(&policy_rwlock);
+	return rc;
+allow:
+	avd->allowed = 0xffffffff;
+	avd->auditallow = 0;
+	avd->auditdeny = 0xffffffff;
+	avd->seqno = latest_granting;
+	avd->flags = 0;
+	return 0;
+}
+
+int security_compute_av_user(u32 ssid,
+			     u32 tsid,
+			     u16 tclass,
+			     u32 requested,
+			     struct av_decision *avd)
+{
+	int rc;
 
 	if (!ss_initialized) {
 		avd->allowed = 0xffffffff;
@@ -823,29 +999,7 @@ int security_compute_av(u32 ssid,
 	}
 
 	read_lock(&policy_rwlock);
-
-	scontext = sidtab_search(&sidtab, ssid);
-	if (!scontext) {
-		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
-		       __func__, ssid);
-		rc = -EINVAL;
-		goto out;
-	}
-	tcontext = sidtab_search(&sidtab, tsid);
-	if (!tcontext) {
-		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
-		       __func__, tsid);
-		rc = -EINVAL;
-		goto out;
-	}
-
-	rc = context_struct_compute_av(scontext, tcontext, tclass,
-				       requested, avd);
-
-	/* permissive domain? */
-	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
-	    avd->flags |= AVD_FLAGS_PERMISSIVE;
-out:
+	rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
 	read_unlock(&policy_rwlock);
 	return rc;
 }
@@ -1204,20 +1358,22 @@ out:
 
 static int security_compute_sid(u32 ssid,
 				u32 tsid,
-				u16 tclass,
+				u16 orig_tclass,
 				u32 specified,
-				u32 *out_sid)
+				u32 *out_sid,
+				bool kern)
 {
 	struct context *scontext = NULL, *tcontext = NULL, newcontext;
 	struct role_trans *roletr = NULL;
 	struct avtab_key avkey;
 	struct avtab_datum *avdatum;
 	struct avtab_node *node;
+	u16 tclass;
 	int rc = 0;
 
 	if (!ss_initialized) {
-		switch (tclass) {
-		case SECCLASS_PROCESS:
+		switch (orig_tclass) {
+		case SECCLASS_PROCESS: /* kernel value */
 			*out_sid = ssid;
 			break;
 		default:
@@ -1231,6 +1387,11 @@ static int security_compute_sid(u32 ssid,
 
 	read_lock(&policy_rwlock);
 
+	if (kern)
+		tclass = unmap_class(orig_tclass);
+	else
+		tclass = orig_tclass;
+
 	scontext = sidtab_search(&sidtab, ssid);
 	if (!scontext) {
 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
@@ -1260,13 +1421,11 @@ static int security_compute_sid(u32 ssid,
 	}
 
 	/* Set the role and type to default values. */
-	switch (tclass) {
-	case SECCLASS_PROCESS:
+	if (tclass == policydb.process_class) {
 		/* Use the current role and type of process. */
 		newcontext.role = scontext->role;
 		newcontext.type = scontext->type;
-		break;
-	default:
+	} else {
 		/* Use the well-defined object role. */
 		newcontext.role = OBJECT_R_VAL;
 		/* Use the type of the related object. */
@@ -1297,8 +1456,7 @@ static int security_compute_sid(u32 ssid,
 	}
 
 	/* Check for class-specific changes. */
-	switch (tclass) {
-	case SECCLASS_PROCESS:
+	if  (tclass == policydb.process_class) {
 		if (specified & AVTAB_TRANSITION) {
 			/* Look for a role transition rule. */
 			for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1469,6 @@ static int security_compute_sid(u32 ssid,
 				}
 			}
 		}
-		break;
-	default:
-		break;
 	}
 
 	/* Set the MLS attributes.
@@ -1358,7 +1513,17 @@ int security_transition_sid(u32 ssid,
 			    u16 tclass,
 			    u32 *out_sid)
 {
-	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+				    out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+				 u32 tsid,
+				 u16 tclass,
+				 u32 *out_sid)
+{
+	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+				    out_sid, false);
 }
 
 /**
@@ -1379,7 +1544,8 @@ int security_member_sid(u32 ssid,
 			u16 tclass,
 			u32 *out_sid)
 {
-	return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+	return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+				    false);
 }
 
 /**
@@ -1400,144 +1566,8 @@ int security_change_sid(u32 ssid,
 			u16 tclass,
 			u32 *out_sid)
 {
-	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
-	int i, j;
-	struct class_datum *cladatum;
-	struct perm_datum *perdatum;
-	u32 nprim, tmp, common_pts_len, perm_val, pol_val;
-	u16 class_val;
-	const struct selinux_class_perm *kdefs = &selinux_class_perm;
-	const char *def_class, *def_perm, *pol_class;
-	struct symtab *perms;
-	bool print_unknown_handle = 0;
-
-	if (p->allow_unknown) {
-		u32 num_classes = kdefs->cts_len;
-		p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
-		if (!p->undefined_perms)
-			return -ENOMEM;
-	}
-
-	for (i = 1; i < kdefs->cts_len; i++) {
-		def_class = kdefs->class_to_string[i];
-		if (!def_class)
-			continue;
-		if (i > p->p_classes.nprim) {
-			printk(KERN_INFO
-			       "SELinux:  class %s not defined in policy\n",
-			       def_class);
-			if (p->reject_unknown)
-				return -EINVAL;
-			if (p->allow_unknown)
-				p->undefined_perms[i-1] = ~0U;
-			print_unknown_handle = 1;
-			continue;
-		}
-		pol_class = p->p_class_val_to_name[i-1];
-		if (strcmp(pol_class, def_class)) {
-			printk(KERN_ERR
-			       "SELinux:  class %d is incorrect, found %s but should be %s\n",
-			       i, pol_class, def_class);
-			return -EINVAL;
-		}
-	}
-	for (i = 0; i < kdefs->av_pts_len; i++) {
-		class_val = kdefs->av_perm_to_string[i].tclass;
-		perm_val = kdefs->av_perm_to_string[i].value;
-		def_perm = kdefs->av_perm_to_string[i].name;
-		if (class_val > p->p_classes.nprim)
-			continue;
-		pol_class = p->p_class_val_to_name[class_val-1];
-		cladatum = hashtab_search(p->p_classes.table, pol_class);
-		BUG_ON(!cladatum);
-		perms = &cladatum->permissions;
-		nprim = 1 << (perms->nprim - 1);
-		if (perm_val > nprim) {
-			printk(KERN_INFO
-			       "SELinux:  permission %s in class %s not defined in policy\n",
-			       def_perm, pol_class);
-			if (p->reject_unknown)
-				return -EINVAL;
-			if (p->allow_unknown)
-				p->undefined_perms[class_val-1] |= perm_val;
-			print_unknown_handle = 1;
-			continue;
-		}
-		perdatum = hashtab_search(perms->table, def_perm);
-		if (perdatum == NULL) {
-			printk(KERN_ERR
-			       "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-			       def_perm, pol_class);
-			return -EINVAL;
-		}
-		pol_val = 1 << (perdatum->value - 1);
-		if (pol_val != perm_val) {
-			printk(KERN_ERR
-			       "SELinux:  permission %s in class %s has incorrect value\n",
-			       def_perm, pol_class);
-			return -EINVAL;
-		}
-	}
-	for (i = 0; i < kdefs->av_inherit_len; i++) {
-		class_val = kdefs->av_inherit[i].tclass;
-		if (class_val > p->p_classes.nprim)
-			continue;
-		pol_class = p->p_class_val_to_name[class_val-1];
-		cladatum = hashtab_search(p->p_classes.table, pol_class);
-		BUG_ON(!cladatum);
-		if (!cladatum->comdatum) {
-			printk(KERN_ERR
-			       "SELinux:  class %s should have an inherits clause but does not\n",
-			       pol_class);
-			return -EINVAL;
-		}
-		tmp = kdefs->av_inherit[i].common_base;
-		common_pts_len = 0;
-		while (!(tmp & 0x01)) {
-			common_pts_len++;
-			tmp >>= 1;
-		}
-		perms = &cladatum->comdatum->permissions;
-		for (j = 0; j < common_pts_len; j++) {
-			def_perm = kdefs->av_inherit[i].common_pts[j];
-			if (j >= perms->nprim) {
-				printk(KERN_INFO
-				       "SELinux:  permission %s in class %s not defined in policy\n",
-				       def_perm, pol_class);
-				if (p->reject_unknown)
-					return -EINVAL;
-				if (p->allow_unknown)
-					p->undefined_perms[class_val-1] |= (1 << j);
-				print_unknown_handle = 1;
-				continue;
-			}
-			perdatum = hashtab_search(perms->table, def_perm);
-			if (perdatum == NULL) {
-				printk(KERN_ERR
-				       "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-				       def_perm, pol_class);
-				return -EINVAL;
-			}
-			if (perdatum->value != j + 1) {
-				printk(KERN_ERR
-				       "SELinux:  permission %s in class %s has incorrect value\n",
-				       def_perm, pol_class);
-				return -EINVAL;
-			}
-		}
-	}
-	if (print_unknown_handle)
-		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
-			(security_get_allow_unknown() ? "allowed" : "denied"));
-	return 0;
+	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+				    false);
 }
 
 /* Clone the SID into the new SID table. */
@@ -1710,8 +1740,10 @@ int security_load_policy(void *data, size_t len)
 {
 	struct policydb oldpolicydb, newpolicydb;
 	struct sidtab oldsidtab, newsidtab;
+	struct selinux_mapping *oldmap, *map = NULL;
 	struct convert_context_args args;
 	u32 seqno;
+	u16 map_size;
 	int rc = 0;
 	struct policy_file file = { data, len }, *fp = &file;
 
@@ -1721,16 +1753,14 @@ int security_load_policy(void *data, size_t len)
 			avtab_cache_destroy();
 			return -EINVAL;
 		}
-		if (policydb_load_isids(&policydb, &sidtab)) {
+		if (selinux_set_mapping(&policydb, secclass_map,
+					&current_mapping,
+					&current_mapping_size)) {
 			policydb_destroy(&policydb);
 			avtab_cache_destroy();
 			return -EINVAL;
 		}
-		/* Verify that the kernel defined classes are correct. */
-		if (validate_classes(&policydb)) {
-			printk(KERN_ERR
-			       "SELinux:  the definition of a class is incorrect\n");
-			sidtab_destroy(&sidtab);
+		if (policydb_load_isids(&policydb, &sidtab)) {
 			policydb_destroy(&policydb);
 			avtab_cache_destroy();
 			return -EINVAL;
@@ -1759,13 +1789,9 @@ int security_load_policy(void *data, size_t len)
 		return -ENOMEM;
 	}
 
-	/* Verify that the kernel defined classes are correct. */
-	if (validate_classes(&newpolicydb)) {
-		printk(KERN_ERR
-		       "SELinux:  the definition of a class is incorrect\n");
-		rc = -EINVAL;
+	if (selinux_set_mapping(&newpolicydb, secclass_map,
+				&map, &map_size))
 		goto err;
-	}
 
 	rc = security_preserve_bools(&newpolicydb);
 	if (rc) {
@@ -1799,6 +1825,9 @@ int security_load_policy(void *data, size_t len)
 	memcpy(&policydb, &newpolicydb, sizeof policydb);
 	sidtab_set(&sidtab, &newsidtab);
 	security_load_policycaps();
+	oldmap = current_mapping;
+	current_mapping = map;
+	current_mapping_size = map_size;
 	seqno = ++latest_granting;
 	policydb_loaded_version = policydb.policyvers;
 	write_unlock_irq(&policy_rwlock);
@@ -1806,6 +1835,7 @@ int security_load_policy(void *data, size_t len)
 	/* Free the old policydb and SID table. */
 	policydb_destroy(&oldpolicydb);
 	sidtab_destroy(&oldsidtab);
+	kfree(oldmap);
 
 	avc_ss_reset(seqno);
 	selnl_notify_policyload(seqno);
@@ -1815,6 +1845,7 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 
 err:
+	kfree(map);
 	sidtab_destroy(&newsidtab);
 	policydb_destroy(&newpolicydb);
 	return rc;
@@ -2091,7 +2122,7 @@ out_unlock:
 	}
 	for (i = 0, j = 0; i < mynel; i++) {
 		rc = avc_has_perm_noaudit(fromsid, mysids[i],
-					  SECCLASS_PROCESS,
+					  SECCLASS_PROCESS, /* kernel value */
 					  PROCESS__TRANSITION, AVC_STRICT,
 					  NULL);
 		if (!rc)
@@ -2119,10 +2150,11 @@ out:
  */
 int security_genfs_sid(const char *fstype,
 		       char *path,
-		       u16 sclass,
+		       u16 orig_sclass,
 		       u32 *sid)
 {
 	int len;
+	u16 sclass;
 	struct genfs *genfs;
 	struct ocontext *c;
 	int rc = 0, cmp = 0;
@@ -2132,6 +2164,8 @@ int security_genfs_sid(const char *fstype,
 
 	read_lock(&policy_rwlock);
 
+	sclass = unmap_class(orig_sclass);
+
 	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
 		cmp = strcmp(fstype, genfs->fstype);
 		if (cmp <= 0)