FYI: some changes need to be made to avoid compilation warnings (see below, and
compare selinux_ip_postroute_last() to see what I mean); I'm taking the liberty
of changing the patch myself.

Venkat Yekkirala wrote:
> -static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid)
> +static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid,
> +                     const struct net_device *out, unsigned short family)
>  {
>       int err;
> +     char *addrp;
> +     int len;
> +     struct avc_audit_data ad;

Add the following:

        struct net_device *dev = (struct net_device *)out;


>       if (selinux_compat_net)
>               return 1;
> @@ -3738,9 +3749,17 @@ static int selinux_skb_flow_out(struct s
>               }
>       }
>  
> +     AVC_AUDIT_DATA_INIT(&ad, NET);
> +     ad.u.net.netif = out->name;

Replace the above line with:

        ad.u.net.netif = dev->name;

> +     ad.u.net.family = family;
> +     err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
> +     if (err)
> +             goto out;
> +
>       err = avc_has_perm(skb->secmark, nf_secid, SECCLASS_PACKET,
> -                             PACKET__FLOW_OUT, NULL);
> +                             PACKET__FLOW_OUT, &ad);
>  
> +out:
>       return err ? 0 : 1;
>  }
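Review bot: The new `goto out` after selinux_parse_skb() silently changes what happens to a packet whose headers cannot be parsed: `err` is non-zero, so `return err ? 0 : 1` yields 0 and the packet is refused, whereas before this hunk the flow_out check ran without any parsing at all. Failing closed is the right default for an access check, but nothing in the hunk says it is intentional, so I would mark the branch with `/* unparseable skb: fail closed, deny the packet */` so a later cleanup does not "fix" it into a pass-through. Note also that on that path the avc_has_perm() call is skipped entirely, so the denial leaves no AVC audit record for the packet; if that matters for the LSPP audit requirements, the parse failure would need its own audit message, which I cannot judge from this hunk alone. selinux_skb_flow_out() begins in the earlier hunk above, so the `selinux_compat_net` early return and the caller's handling of the 0/1 result are outside this hunk.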

-- 
paul moore
linux security @ hp
