From: James Morris <[EMAIL PROTECTED]>

Secmark implements a new scheme for adding security markings to packets via
iptables, as well as changes to SELinux to use these markings for security
policy enforcement.  The rationale for this scheme is explained and discussed
in detail in the original threads: 

 http://thread.gmane.org/gmane.linux.network/34927/ 
 http://thread.gmane.org/gmane.linux.network/35244/

Examples of policy and rulesets, as well as a full archive of patches for
iptables and SELinux userland, may be found at:
http://people.redhat.com/jmorris/selinux/secmark/

The code has been tested with various compilation options and in several
scenarios, including with 'complicated' protocols such as FTP and also with
the new generic conntrack code with IPv6 connection tracking.



This patch:

Add support for a new object class ('packet'), and associated permissions
('send', 'recv', 'relabelto').  These are used to enforce security policy for
network packets labeled with SECMARK, and for adding labeling rules.

Signed-off-by: James Morris <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
---

 security/selinux/include/av_perm_to_string.h |    3 +++
 security/selinux/include/av_permissions.h    |    3 +++
 security/selinux/include/class_to_string.h   |    1 +
 security/selinux/include/flask.h             |    1 +
 4 files changed, 8 insertions(+)

diff -puN 
security/selinux/include/av_permissions.h~secmark-add-new-flask-definitions-to-selinux
 security/selinux/include/av_permissions.h
--- 
devel/security/selinux/include/av_permissions.h~secmark-add-new-flask-definitions-to-selinux
        2006-06-01 20:31:50.000000000 -0700
+++ devel-akpm/security/selinux/include/av_permissions.h        2006-06-01 
20:31:50.000000000 -0700
@@ -956,3 +956,6 @@
 #define APPLETALK_SOCKET__SEND_MSG                0x00100000UL
 #define APPLETALK_SOCKET__NAME_BIND               0x00200000UL
 
+#define PACKET__SEND                              0x00000001UL
+#define PACKET__RECV                              0x00000002UL
+#define PACKET__RELABELTO                         0x00000004UL
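Review bot: The values added here are positional, so the four hunks must stay consistent with each other and with the policy sources: `SECCLASS_PACKET 57` in the flask.h hunk matches `S_("packet")` being appended directly after `appletalk_socket` (56) in the class_to_string.h hunk, and `PACKET__SEND`/`PACKET__RECV`/`PACKET__RELABELTO` as 0x1/0x2/0x4 must match the order in which the av_perm_to_string.h hunk lists send, recv, relabelto. If these headers are generated from the policy's class and access-vector definitions, as their uniform layout suggests, regenerating them rather than hand-editing keeps the kernel's class index and the userland policy from drifting apart; a short header note such as `/* Keep in sync with the policy's security_classes / access_vectors */` would make that dependency visible to the next editor. Nothing in the visible hunks is incorrect; the point is to document why the numbering cannot be chosen freely.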
diff -puN 
security/selinux/include/av_perm_to_string.h~secmark-add-new-flask-definitions-to-selinux
 security/selinux/include/av_perm_to_string.h
--- 
devel/security/selinux/include/av_perm_to_string.h~secmark-add-new-flask-definitions-to-selinux
     2006-06-01 20:31:50.000000000 -0700
+++ devel-akpm/security/selinux/include/av_perm_to_string.h     2006-06-01 
20:31:50.000000000 -0700
@@ -239,3 +239,6 @@
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+   S_(SECCLASS_PACKET, PACKET__SEND, "send")
+   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
diff -puN 
security/selinux/include/class_to_string.h~secmark-add-new-flask-definitions-to-selinux
 security/selinux/include/class_to_string.h
--- 
devel/security/selinux/include/class_to_string.h~secmark-add-new-flask-definitions-to-selinux
       2006-06-01 20:31:50.000000000 -0700
+++ devel-akpm/security/selinux/include/class_to_string.h       2006-06-01 
20:31:50.000000000 -0700
@@ -59,3 +59,4 @@
     S_("association")
     S_("netlink_kobject_uevent_socket")
     S_("appletalk_socket")
+    S_("packet")
diff -puN 
security/selinux/include/flask.h~secmark-add-new-flask-definitions-to-selinux 
security/selinux/include/flask.h
--- 
devel/security/selinux/include/flask.h~secmark-add-new-flask-definitions-to-selinux
 2006-06-01 20:31:50.000000000 -0700
+++ devel-akpm/security/selinux/include/flask.h 2006-06-01 20:31:50.000000000 
-0700
@@ -61,6 +61,7 @@
 #define SECCLASS_ASSOCIATION                             54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
 #define SECCLASS_APPLETALK_SOCKET                        56
+#define SECCLASS_PACKET                                  57
 
 /*
  * Security identifier indices for initial entities