From 2b510e49039ef435ca1bddcfe84f1b577d5a1f40 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Tue, 19 Nov 2013 17:45:59 +0000 Subject: [PATCH] Fix off-by-1 in default SELinux MCS range For a while we're have random failures of 'securityselinuxtest' which were not at all reproducible. Fortunately we finally caught a failure with VIR_TEST_DEBUG=1 enabled. This revealed TEST: securityselinuxtest 1) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK 2) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK 3) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK 4) GenLabel "dynamic virtd, s0, c0.c1023" ... OK 5) GenLabel "dynamic virtd, s0, c0.c10" ... OK 6) GenLabel "dynamic virtd, s2-s3, c0.c1023" ... OK 7) GenLabel "dynamic virtd, missing range" ... Category two 1024 is out of range 0-1023 FAILED FAIL: securityselinuxtest And sure enough we had an off-by-1 in the MCS range code when the current process has no range set. The test suite randomly allocates 2 categories from 0->1024 so the chances of hitting this in the test suite were slim indeed :-) Signed-off-by: Daniel P. Berrange --- src/security/security_selinux.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 310e30060b..ace9cc0ead 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -218,10 +218,10 @@ virSecuritySELinuxMCSGetProcessRange(char **sens, *tmp = '\0'; /* sens now just contains the sensitivity lower bound */ - /* If there was no category part, just assume c0.c1024 */ + /* If there was no category part, just assume c0.c1023 */ if (!cat) { *catMin = 0; - *catMax = 1024; + *catMax = 1023; ret = 0; goto cleanup; }