Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-05 Thread Paul Moore
> + if (ret >= 0) { > + int err = security_socket_post_recvmsg(sock, msg, size, flags); > + if (err) > + ret = err; > + } > return ret; > } Is there some reason why you can't use security_socket_recvmsg()? Also,
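Review bot: in the `if (ret >= 0)` block, a non-zero `err` from security_socket_post_recvmsg() overwrites `ret` after the receive has already completed, so the message has been consumed from the socket but the caller is told the call failed and never learns how many bytes were delivered; a check that can deny should run before the data is handed over, which is what the existing security_socket_recvmsg() hook asked about in the reply provides, rather than after it.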

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Paul Moore
On Thursday, July 5 2007 10:01:59 pm Tetsuo Handa wrote: > Paul Moore wrote: > > I believe the existing security_inet_conn_request() LSM hook should allow > > you to do what you want. Adding another hook _after_ the inbound > > connection has been accepted i

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Paul Moore
justification for the change. Thinking about your problem (personal firewall) a bit more I can't help but wonder if your solution would be better implemented as a netfilter module? Or maybe in userspace using the netfilter userspace queue feature? -- paul moore linux security @ hp - To u

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Paul Moore
nal-firewall patch. You may also want to CC other relevant lists (based on this discussion netdev comes to mind) on your posting as they should probably review your suggested changes too. -- paul moore linux security @ hp

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-16 Thread Paul Moore
&secattr); + if (secattr.flags != 0) Please use the constants defined for the flag values in the NetLabel LSM security attributes; it makes life easier if for some freak reason we have to change them. For example, 0 == NETLBL_SECATTR_NONE. This applies to a few other places in the code too. I'm sure there will be more comments but these are the ones that jumped out at me. -- paul moore linux security @ hp

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-17 Thread Paul Moore
On Monday, July 16 2007 10:59:41 pm Casey Schaufler wrote: > --- Paul Moore <[EMAIL PROTECTED]> wrote: > > On Saturday, July 14 2007 5:47:38 pm Casey Schaufler wrote: > > +#include "../../net/netlabel/netlabel_domainhash.h" > > +#include > > + >

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-17 Thread Paul Moore
On Tuesday, July 17 2007 2:51:14 pm Casey Schaufler wrote: > --- Paul Moore <[EMAIL PROTECTED]> wrote: > > > > Also, any reason why you don't just use the NetLabel default domain > > > > mapping? > > > > > > Uh, only that I couldn'

Re: [RFC][PATCH] Simplified mandatory access control kernel implementation

2007-07-19 Thread Paul Moore
n whenever possible and so far I haven't seen anything crop up that warrants private email. A public list might also help attract some warm bodies willing to write code ;) -- paul moore linux security @ hp

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

2007-08-27 Thread Paul Moore
ection attempts. Please take a look at the existing LSM stream connection request hooks as well as how SELinux makes use of them. >* post_recv_datagram is added in skb_recv_datagram. Can you explain to me why this is not possible using the existing security_socket_sock_rcv_skb() LSM hook?

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

2007-08-28 Thread Paul Moore
On Tuesday, August 28 2007 6:39:13 am Tetsuo Handa wrote: > Hello. Hello. > Paul Moore wrote: > > >* post_recv_datagram is added in skb_recv_datagram. > > > > Can you explain to me why this is not possible using the existing > > securi

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

2007-09-04 Thread Paul Moore
On Monday 03 September 2007 9:15:27 am Tetsuo Handa wrote: > Hello. Hi. > Paul Moore wrote: > > I apologize for not recognizing your approach from our earlier discussion > > on the LSM mailing list in July. Unfortunately, I have the same > > objections to these changes

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

2007-09-05 Thread Paul Moore
next patchset as they might have some thoughts on your network design. [1]http://www.netfilter.org/projects/libnetfilter_queue/index.html -- paul moore linux security @ hp

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.

2007-09-06 Thread Paul Moore
rough the entire TCP handshake and then terminate the connection, which is what allowing security_socket_post_accept() to fail would do. -- paul moore linux security @ hp

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Paul Moore
he netdev and LSM lists you will see that there are a set of users who care very much about this functionality. Our support of CIPSO is helping Linux operate in areas it wouldn't be able to elsewhere and I consider that a "win". -- paul moore linux security @ hp

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

2007-09-30 Thread Paul Moore
On Sunday 30 September 2007 4:16:18 am Andrew Morton wrote: > - hm, netlabels. Who might be a suitable person to review that code? > Seems that Paul Moore is the man. Maybe he'd be interested in taking a > look over it (please?) Yep, I've been tracking Casey's work

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

2007-10-03 Thread Paul Moore
, including files, SVIPC, > and other tasks. Smack is a kernel based scheme that requires > an absolute minimum of application support and a very small > amount of configuration data. > > {snip} > > This patch includes changes made by Paul Moore <[EMAIL PROTECTED]> > in

Re: [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel

2007-10-15 Thread Paul Moore
y of its > own. The how/why of the packet rejection probably isn't all that important, but the most likely scenario based on the ICMP error code is that the router simply does not know about the CIPSO IP option type and is dropping the packet as a result. I'd be very surprised to see

[RFC PATCH v6 00/13] Labeled networking patches

2007-11-09 Thread Paul Moore
::1 * Show labels "netlabelctl -p unlbl list" Examples: # netlabelctl unlbl list # netlabelctl -p unlbl list If you have any questions/problems/comments feel free to either drop me mail privately or post something to the list. Thanks. -- paul moore linux secur

[RFC PATCH v6 01/13] NetLabel: remove unneeded RCU read locks

2007-11-09 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. --- net/netlabel/netlabel_cipso_v4.c |5 +

[RFC PATCH v6 02/13] NetLabel: cleanup the LSM domain hash functions

2007-11-09 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. --- net/netlab

[RFC PATCH v6 05/13] SELinux: add secctx_to_secid() LSM hook

2007-11-09 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes a SELinux implementation for this hook. --- include/linux/security.h | 13 + security/dummy.c |6 ++ security/security.c |6 ++ security/

[RFC PATCH v6 07/13] SELinux: Add a capabilities bitmap to SELinux policy version 22

2007-11-09 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. --- security/selinux/Kconfig|2 - security/selinux/include/security.h | 15 ++ security/selinux/selinu

[RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-09 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class. --- security/selinux/include/av_perm_to_string.h |3 +++ security/selinux/include/av_permissions.h|3 +++ security/selinux/include/class_to_string.h |7 +++ security/selinux/include/flask.h

[RFC PATCH v6 10/13] SELinux: Enable dynamic enable/disable of the network access checks

2007-11-09 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and w

[RFC PATCH v6 12/13] NetLabel: introduce static network labels for unlabeled connections

2007-11-09 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first

[RFC PATCH v6 13/13] NetLabel: add auditing to the static labeling mechanism

2007-11-09 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism. --- include/linux/audit.h |2 + net/netlabel/netlabel_unlabeled.c | 127 +++-- 2 files changed, 107 insertions(+), 22 deletions(-) diff --git a/include/linux/audit.h b/inc

[RFC PATCH v6 04/13] NetLabel: Add secid token support to the NetLabel secattr struct

2007-11-09 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetL

[RFC PATCH v6 06/13] NetLabel: add IP address family information to the netlbl_skbuff_getattr() function

2007-11-09 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. --- include/net/

[RFC PATCH v6 11/13] SELinux: allow NetLabel to directly cache SIDs

2007-11-09 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we can do a big optimization - caching the SID and not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies but it has a nice side effect of removing a chunk of code. --- security/s

[RFC PATCH v6 03/13] NetLabel: consolidate the LSM domain mapping/hashing locks

2007-11-09 Thread Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry

[RFC PATCH v6 09/13] SELinux: Better integration between peer labeling subsystems

2007-11-09 Thread Paul Moore
Rename the existing selinux_skb_extlbl_sid() function to selinux_skb_peerlbl_sid() and modify its behavior such that it now reconciles multiple peer/external labels and if reconciliation is not possible it returns an error to the caller. --- security/selinux/hooks.c| 94 +++

Re: [RFC PATCH v6 05/13] SELinux: add secctx_to_secid() LSM hook

2007-11-09 Thread Paul Moore
On Friday 09 November 2007 5:19:02 pm Casey Schaufler wrote: > --- Paul Moore <[EMAIL PROTECTED]> wrote: > > Add a secctx_to_secid() LSM hook to go along with the existing > > secid_to_secctx() LSM hook. > > I'll bite. Where does this get used? Patch 12/13, fu

Re: [RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-12 Thread Paul Moore
On Sunday 11 November 2007 5:31:44 pm James Morris wrote: > On Fri, 9 Nov 2007, Paul Moore wrote: > > Add additional Flask definitions to support the new "peer" object class. > > Should this be dependent on dynamic class/permission support? I think it's okay to

Re: [RFC PATCH v6 09/13] SELinux: Better integration between peer labeling subsystems

2007-11-12 Thread Paul Moore
On Sunday 11 November 2007 5:34:27 pm James Morris wrote: > On Fri, 9 Nov 2007, Paul Moore wrote: > > + /* Between selinux_compat_net and selinux_policycap_netpeer this is > > +* starting to get a bit messy - we need to setup a timetable for > > +* deprecating some

[RFC PATCH v7 05/13] SELinux: add secctx_to_secid() LSM hook

2007-11-15 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes a SELinux implementation for this hook. --- include/linux/security.h | 13 + security/dummy.c |6 ++ security/security.c |6 ++ security/

[RFC PATCH v7 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-15 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class. --- security/selinux/include/av_perm_to_string.h |3 +++ security/selinux/include/av_permissions.h|3 +++ security/selinux/include/class_to_string.h |7 +++ security/selinux/include/flask.h

[RFC PATCH v7 03/13] NetLabel: consolidate the LSM domain mapping/hashing locks

2007-11-15 Thread Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry

[RFC PATCH v7 00/13] Labeled networking patches for 2.6.25

2007-11-15 Thread Paul Moore
anch of netlabel_tools. For those of you who are playing with this code I recommend you update to r50 to get the latest bits. As usual, if you have any comments/bug-reports/questions let me know. -- paul moore linux security @ hp

[RFC PATCH v7 01/13] NetLabel: remove unneeded RCU read locks

2007-11-15 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. --- net/netlabel/netlabel_cipso_v4.c |5 +

[RFC PATCH v7 02/13] NetLabel: cleanup the LSM domain hash functions

2007-11-15 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. --- net/netlab

[RFC PATCH v7 04/13] NetLabel: Add secid token support to the NetLabel secattr struct

2007-11-15 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetL

[RFC PATCH v7 10/13] SELinux: Enable dynamic enable/disable of the network access checks

2007-11-15 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and w

[RFC PATCH v7 11/13] SELinux: allow NetLabel to directly cache SIDs

2007-11-15 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we can do a big optimization - caching the SID and not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies but it has a nice side effect of removing a chunk of code. --- security/s

[RFC PATCH v7 13/13] NetLabel: add auditing to the static labeling mechanism

2007-11-15 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism. --- include/linux/audit.h |2 + net/netlabel/netlabel_unlabeled.c | 127 +++-- 2 files changed, 107 insertions(+), 22 deletions(-) diff --git a/include/linux/audit.h b/inc

[RFC PATCH v7 09/13] SELinux: Better integration between peer labeling subsystems

2007-11-15 Thread Paul Moore
Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer

[RFC PATCH v7 07/13] SELinux: Add a capabilities bitmap to SELinux policy version 22

2007-11-15 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. --- security/selinux/Kconfig|2 - security/selinux/include/security.h | 15 ++ security/selinux/selinu

[RFC PATCH v7 06/13] NetLabel: add IP address family information to the netlbl_skbuff_getattr() function

2007-11-15 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. --- include/net/

[RFC PATCH v7 12/13] NetLabel: introduce static network labels for unlabeled connections

2007-11-15 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first

Re: [TOMOYO #5 18/18] LSM expansion for TOMOYO Linux.

2007-11-16 Thread Paul Moore
k_irqrestore(&sk->sk_receive_queue.lock, > +cpu_flags); > +no_peek: > + skb_free_datagram(sk, skb); > + goto no_packet; Two things. First you can probably just call kfree_skb() instead of skb_free_datag

Re: [TOMOYO #5 18/18] LSM expansion for TOMOYO Linux.

2007-11-17 Thread Paul Moore
On Friday 16 November 2007 10:45:32 pm Tetsuo Handa wrote: > Paul Moore wrote: > > I might be missing something here, but why do you need to do a skb_peek() > > again? You already have the skb and the sock, just do the unlink. > > The skb might be already dequeued by other

Re: [TOMOYO #5 18/18] LSM expansion for TOMOYO Linux.

2007-11-19 Thread Paul Moore
On Saturday 17 November 2007 11:00:20 pm Tetsuo Handa wrote: > Hello. Hello. > Paul Moore wrote: > > Okay, well if that is the case I think you are going to have another > > problem in that you could end up throwing away skbs that haven't been > > through your secur

Re: [TOMOYO #5 18/18] LSM expansion for TOMOYO Linux.

2007-11-19 Thread Paul Moore
On Monday 19 November 2007 9:29:52 am Tetsuo Handa wrote: > Paul Moore wrote: > > If that is the case then the second call to > > skb_peek() will return a different skb then the one you passed to > > security_post_recv_datagram(). > > Yes. The second call to skb_peek() m

[RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-14 Thread Paul Moore
<[EMAIL PROTECTED]> - * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. - * Paul Moore, <[EMAIL PROTECTED]> + * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. + * Paul Moore <[EMAIL PROTECTED]> * Copyr

[RFC PATCH v8 05/18] LSM: Add secctx_to_secid() LSM hook

2007-12-14 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes the SELinux implementation for this hook. --- include/linux/security.h | 13 + security/dummy.c |6 ++ security/security.c |6 ++ securit

[RFC PATCH v8 09/18] SELinux: Only store the network interface's ifindex

2007-12-14 Thread Paul Moore
Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all. --- security/selinux/avc.c |

[RFC PATCH v8 12/18] SELinux: Add new peer permissions to the Flask definitions

2007-12-14 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class. --- security/selinux/include/av_perm_to_string.h |3 +++ security/selinux/include/av_permissions.h|3 +++ security/selinux/include/class_to_string.h |7 +++ security/selinux/include/flask.h

[RFC PATCH v8 02/18] NetLabel: Cleanup the LSM domain hash functions

2007-12-14 Thread Paul Moore
The NetLabel/LSM domain hash table search function used an argument to specify if the default entry should be returned if an exact match couldn't be found in the hash table. This is a bit against the kernel's style so make two separate functions to represent the separate behaviors. --- net/netla

[RFC PATCH v8 15/18] SELinux: Allow NetLabel to directly cache SIDs

2007-12-14 Thread Paul Moore
Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we can do a big optimization - caching the SID and not just the MLS attributes. This not only saves a lot of per-packet memory allocations and copies but it has a nice side effect of removing a chunk of code. --- security/s

[RFC PATCH v8 17/18] NetLabel: Add auditing to the static labeling mechanism

2007-12-14 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism. --- include/linux/audit.h |2 net/netlabel/netlabel_unlabeled.c | 207 ++--- 2 files changed, 195 insertions(+), 14 deletions(-) diff --git a/include/linux/audit.h b/incl

[RFC PATCH v8 04/18] NetLabel: Add secid token support to the NetLabel secattr struct

2007-12-14 Thread Paul Moore
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetL

[RFC PATCH v8 01/18] NetLabel: Remove unneeded RCU read locks

2007-12-14 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. --- net/netlabel/netlabel_cipso_v4.c |5 +

[RFC PATCH v8 03/18] NetLabel: Consolidate the LSM domain mapping/hashing locks

2007-12-14 Thread Paul Moore
Currently we use two separate spinlocks to protect both the hash/mapping table and the default entry. This could be considered a bit foolish because it adds complexity without offering any real performance advantage. This patch removes the dedicated default spinlock and protects the default entry

[RFC PATCH v8 16/18] NetLabel: Introduce static network labels for unlabeled connections

2007-12-14 Thread Paul Moore
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first

[RFC PATCH v8 11/18] SELinux: Add a capabilities bitmap to SELinux policy version 22

2007-12-14 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. --- security/selinux/Kconfig|2 - security/selinux/include/security.h | 15 ++ security/selinux/selinu

[RFC PATCH v8 08/18] SELinux: Convert the netif code to use ifindex values

2007-12-14 Thread Paul Moore
@@ * Author: James Morris <[EMAIL PROTECTED]> * * Copyright (C) 2003 Red Hat, Inc., James Morris <[EMAIL PROTECTED]> + * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. + *Paul Moore, <[EMAIL PROTECTED]> * * This program is free software; you can

[RFC PATCH v8 13/18] SELinux: Better integration between peer labeling subsystems

2007-12-14 Thread Paul Moore
Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer

[RFC PATCH v8 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-14 Thread Paul Moore
0644 index 000..1b94450 --- /dev/null +++ b/security/selinux/include/netnode.h @@ -0,0 +1,32 @@ +/* + * Network node table + * + * SELinux must keep a mapping of network nodes to labels/SIDs. This + * mapping is maintained as part of the normal policy but a fast cache is + * needed to reduce the look

[RFC PATCH v8 00/18] Update to the labeled networking patches for 2.6.25

2007-12-14 Thread Paul Moore
even more welcome. I'll get some SELinux policy patches out next week to help enable the new functionality and if everything is still looking okay I'll ping Andrew Morton to see if I can get the latest version of these patches included in the -mm tree (previous versions are already included).

[RFC PATCH v8 06/18] LSM: Add inet_sys_snd_skb() LSM hook

2007-12-14 Thread Paul Moore
Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide packet level access control for all outbound packets. Using the existing postroute_last netfilter hook turns out to be problematic as it can be invoked multiple times for a single packet, e.g. individual IPsec transforms, adding unw

[RFC PATCH v8 07/18] NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function

2007-12-14 Thread Paul Moore
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. --- include/net/

[RFC PATCH v8 14/18] SELinux: Enable dynamic enable/disable of the network access checks

2007-12-14 Thread Paul Moore
This patch introduces a mechanism for checking when labeled IPsec or SECMARK are in use by introducing a configuration reference counter for each subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry is created the labeled IPsec/XFRM reference count is increased and w

Re: [RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-16 Thread Paul Moore
On Friday 14 December 2007 4:51:29 pm Paul Moore wrote: > This patch implements packet ingress/egress controls for SELinux which > allow SELinux security policy to control the flow of all IPv4 and IPv6 > packets into and out of the system. Currently SELinux does not have proper >

Re: [RFC PATCH v8 06/18] LSM: Add inet_sys_snd_skb() LSM hook

2007-12-17 Thread Paul Moore
On Monday 17 December 2007 2:45:50 pm Stephen Smalley wrote: > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: > > Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide packet > > level access control for all outbound packets. Using the existing > > postrout

Re: [RFC PATCH v8 09/18] SELinux: Only store the network interface's ifindex

2007-12-17 Thread Paul Moore
On Monday 17 December 2007 2:56:41 pm Stephen Smalley wrote: > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: > > /* Initialize an AVC audit data structure. */ > > #define AVC_AUDIT_DATA_INIT(_d,_t) \ > > -{ memset((_d), 0, sizeof(struct avc_aud

Re: [RFC PATCH v8 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-17 Thread Paul Moore
On Monday 17 December 2007 3:35:28 pm Stephen Smalley wrote: > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: > > This patch adds a SELinux IP address/node SID caching mechanism similar > > to the sel_netif_*() functions. The node SID queries in the SELinux > > hooks fi

Re: [RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-17 Thread Paul Moore
On Monday 17 December 2007 3:05:37 pm Stephen Smalley wrote: > On Sun, 2007-12-16 at 11:47 -0500, Paul Moore wrote: > > On Friday 14 December 2007 4:51:29 pm Paul Moore wrote: > > > This patch implements packet ingress/egress controls for SELinux which > > > allow

Re: [RFC PATCH v8 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-18 Thread Paul Moore
On Tuesday 18 December 2007 8:26:35 am Stephen Smalley wrote: > On Mon, 2007-12-17 at 15:56 -0500, Paul Moore wrote: > > On Monday 17 December 2007 3:35:28 pm Stephen Smalley wrote: > > > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote: > > > > This patch adds

Re: [RFC PATCH v8 05/18] LSM: Add secctx_to_secid() LSM hook

2007-12-18 Thread Paul Moore
On Tuesday 18 December 2007 3:25:54 am James Morris wrote: > On Fri, 14 Dec 2007, Paul Moore wrote: > > Add a secctx_to_secid() LSM hook to go along with the existing > > secid_to_secctx() LSM hook. This patch also includes the SELinux > > implementation for this hook. >

Re: [RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-18 Thread Paul Moore
On Monday 17 December 2007 3:05:37 pm Stephen Smalley wrote: > On Sun, 2007-12-16 at 11:47 -0500, Paul Moore wrote: > > We should probably have different permissions for the interface and node > > cases. Take the example of an admin who is only interested in enforcing > > i

Re: [RFC PATCH v8 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-18 Thread Paul Moore
On Tuesday 18 December 2007 10:14:41 am Stephen Smalley wrote: > On Tue, 2007-12-18 at 08:59 -0500, Paul Moore wrote: > > Thoughts? Should I just forget all this and use the peer label as a > > subject label? > > I'm not certain what we gain by using the peer as the o

[RFC PATCH v9 13/18] SELinux: Better integration between peer labeling subsystems

2007-12-21 Thread Paul Moore
ple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/hooks.c

[RFC PATCH v9 10/18] SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions

2007-12-21 Thread Paul Moore
routines as it is redundant since we already have the address family. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/Makefile |9 + security/selinux/hooks.c | 33 ++- security/selinux/include/netnode.h | 32 +++ security/selinux/include/objsec.h

[RFC PATCH v9 18/18] SELinux: Add network ingress and egress control permission checks

2007-12-21 Thread Paul Moore
thanks to Venkat Yekkirala <[EMAIL PROTECTED]> whose earlier work on this topic eventually led to this patch. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/hooks.c | 347 -- 1 files changed, 240 insertions(+), 107 deleti

[RFC PATCH v9 08/18] SELinux: Convert the netif code to use ifindex values

2007-12-21 Thread Paul Moore
also removes the default message SID from the network interface record, it is not being used and therefore is "dead code". Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/hooks.c|4 - security/selinux/include/netif.h|4 - security/sel

[RFC PATCH v9 15/18] SELinux: Allow NetLabel to directly cache SIDs

2007-12-21 Thread Paul Moore
ned-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/hooks.c|6 -- security/selinux/include/netlabel.h |2 - security/selinux/include/security.h |2 - security/selinux/netlabel.c | 55 ++-- security/selinux/ss/servic

[RFC PATCH v9 04/18] NetLabel: Add secid token support to the NetLabel secattr struct

2007-12-21 Thread Paul Moore
used as part of the NetLabel kernel API. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/net/netlabel.h| 91 ++--- net/ipv4/cipso_ipv4.c | 59 +++- net/netlabel/netlabel_unlabeled.c |1

[RFC PATCH v9 07/18] NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function

2007-12-21 Thread Paul Moore
: Paul Moore <[EMAIL PROTECTED]> --- include/net/netlabel.h |2 ++ net/netlabel/netlabel_kapi.c|2 ++ security/selinux/hooks.c| 33 ++--- security/selinux/include/netlabel.h |8 +++- security/selinux/netl

[RFC PATCH v9 01/18] NetLabel: Remove unneeded RCU read locks

2007-12-21 Thread Paul Moore
This patch removes some unneeded RCU read locks as we can treat the reads as "safe" even without RCU. It also converts the NetLabel configuration refcount from a spinlock protected u32 into atomic_t to be more consistent with the rest of the kernel. Signed-off-by: Paul Moore <[EM

[RFC PATCH v9 06/18] LSM: Add inet_sys_snd_skb() LSM hook

2007-12-21 Thread Paul Moore
unwanted overhead and complicating the security policy. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/linux/security.h | 11 +++ net/ipv4/ip_output.c |7 +++ net/ipv6/ip6_output.c|5 + security/dummy.c |8 +++- security/secu

[RFC PATCH v9 02/18] NetLabel: Cleanup the LSM domain hash functions

2007-12-21 Thread Paul Moore
ned-off-by: Paul Moore <[EMAIL PROTECTED]> --- net/netlabel/netlabel_domainhash.c | 47 ++-- 1 files changed, 34 insertions(+), 13 deletions(-) diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index b3675bd..1f8f7ac

[RFC PATCH v9 00/18] Labeled networking patches for 2.6.25 (against 2.6.24-rc6)

2007-12-21 Thread Paul Moore
e git tree available here: * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing -- paul moore linux security @ hp - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.

[RFC PATCH v9 03/18] NetLabel: Consolidate the LSM domain mapping/hashing locks

2007-12-21 Thread Paul Moore
entry with the hash/mapping table spinlock. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- net/netlabel/netlabel_domainhash.c | 30 +- 1 files changed, 9 insertions(+), 21 deletions(-) diff --git a/net/netlabel/netlabel_domainhash.c b/net/ne

[RFC PATCH v9 05/18] LSM: Add secctx_to_secid() LSM hook

2007-12-21 Thread Paul Moore
Add a secctx_to_secid() LSM hook to go along with the existing secid_to_secctx() LSM hook. This patch also includes the SELinux implementation for this hook. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> Acked-by: Stephen Smalley <[EMAIL PROTECTED]> --- include/linux/secur

[RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Paul Moore
Add additional Flask definitions to support the new "peer" object class and additional permissions to the netif and node object classes. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/include/av_perm_to_string.h |5 + security/selinux/include/

[RFC PATCH v9 09/18] SELinux: Only store the network interface's ifindex

2007-12-21 Thread Paul Moore
Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all. Signed-off-by: Paul Moore &l

[RFC PATCH v9 14/18] SELinux: Enable dynamic enable/disable of the network access checks

2007-12-21 Thread Paul Moore
is not the case. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/linux/selinux.h | 45 +++--- net/netfilter/xt_SECMARK.c | 13 ++- security/selinux/exports.c | 20 +++-- security/selinux/hooks.c

[RFC PATCH v9 11/18] SELinux: Add a capabilities bitmap to SELinux policy version 22

2007-12-21 Thread Paul Moore
Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- security/selinux/Kconfig|2 - security/selinux/i

[RFC PATCH v9 17/18] NetLabel: Add auditing to the static labeling mechanism

2007-12-21 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/linux/audit.h |2 net/netlabel/netlabel_unlabeled.c | 207 ++--- 2 files changed, 195 insertions(

[RFC PATCH v9 16/18] NetLabel: Introduce static network labels for unlabeled connections

2007-12-21 Thread Paul Moore
netlabel_tools package. The matching security label is returned to the caller just as if the packet was explicitly labeled using a labeling protocol. Signed-off-by: Paul Moore <[EMAIL PROTECTED]> --- include/net/netlabel.h|6 net/netlabel/netlabel_kapi.c | 16

Re: [RFC PATCH v9 12/18] SELinux: Add a new peer class and permissions to the Flask definitions

2007-12-21 Thread Paul Moore
On Friday 21 December 2007 12:36:15 pm Stephen Smalley wrote: > On Fri, 2007-12-21 at 12:09 -0500, Paul Moore wrote: > > Add additional Flask definitions to support the new "peer" object class > > and additional permissions to the netif and node object classes. > >
