From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch reduces the full capability check in the SELinux module for the
KDSKBENT/SENT ioctls to only check the corresponding SELinux permission,
avoiding a change to the Linux permissions model for these operations.



 25-akpm/security/selinux/hooks.c |    3 +--
 1 files changed, 1 insertion(+), 2 deletions(-)

diff -puN security/selinux/hooks.c~selinux-ioctl-check-fix security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-ioctl-check-fix	Fri Dec 19 17:31:48 2003
+++ 25-akpm/security/selinux/hooks.c	Fri Dec 19 17:31:48 2003
@@ -1992,8 +1992,7 @@ static int selinux_file_ioctl(struct fil
 
 	        case KDSKBENT:
 	        case KDSKBSENT:
-		  	if (!capable(CAP_SYS_TTY_CONFIG))
-				error = -EPERM;
+			error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
 			break;
 
 		/* default case assumes that the command will go

_