67f83cbf08
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's.

With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

   allow socket_t unlabeled_t:association { sendto recvfrom }

2. To enable a socket to communicate with labeled-IPSec SAs:

   allow socket_t self:association { sendto };
   allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>