1
linux/security/selinux
Venkat Yekkirala 67f83cbf08 SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.

With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

allow socket_t unlabeled_t:association { sendto recvfrom }

2. To enable a socket to communicate with labeled-IPSec SAs:

allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02 21:21:34 -08:00
..
include SELinux: Fix SA selection semantics 2006-12-02 21:21:34 -08:00
ss SELinux: validate kernel object classes and permissions 2006-11-28 12:04:38 -05:00
avc.c SELinux: export object class and permission definitions 2006-11-28 12:04:36 -05:00
exports.c [PATCH] selinux: rename selinux_ctxid_to_string 2006-09-26 08:48:52 -07:00
hooks.c SELinux: Fix SA selection semantics 2006-12-02 21:21:34 -08:00
Kconfig Still more typo fixes 2006-10-03 22:36:44 +02:00
Makefile [PATCH] support for context based audit filtering 2006-05-01 06:06:24 -04:00
netif.c [PATCH] SELinux: convert to kzalloc 2005-10-30 17:37:11 -08:00
netlink.c [NETLINK]: Add "groups" argument to netlink_kernel_create 2005-08-29 16:01:11 -07:00
nlmsgtab.c Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current 2006-03-25 09:24:53 -08:00
selinuxfs.c [PATCH] r/o bind mount prepwork: inc_nlink() helper 2006-10-01 00:39:30 -07:00
xfrm.c SELinux: Fix SA selection semantics 2006-12-02 21:21:34 -08:00