67f83cbf08
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's.

With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

   allow socket_t unlabeled_t:association { sendto recvfrom }

2. To enable a socket to communicate with labeled-IPSec SAs:

   allow socket_t self:association { sendto };
   allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
| Name |
|---|
| av_inherit.h |
| av_perm_to_string.h |
| av_permissions.h |
| avc_ss.h |
| avc.h |
| class_to_string.h |
| common_perm_to_string.h |
| conditional.h |
| flask.h |
| initial_sid_to_string.h |
| netif.h |
| objsec.h |
| security.h |
| selinux_netlabel.h |
| xfrm.h |