that this procedure would need to be done for each SPD rule.
I haven't thought about this too much yet, but I suspect proactively creating
SAs is not going to be a practical solution.
--
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body
On Wednesday 10 January 2007 5:01 am, Jarek Poplawski wrote:
On Tue, Jan 09, 2007 at 09:26:46AM -0500, Paul Moore wrote:
On Tuesday 09 January 2007 3:43 am, Jarek Poplawski wrote:
... But if you consider this code will probably become classical
and will be read, quoted and taught next
);
}
}
local_bh_enable();
- if (err)
- obj = ERR_PTR(err);
return obj;
}
}
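Review bot: dropping `if (err) obj = ERR_PTR(err);` means a non-zero `err` is no longer encoded into the returned `obj`; unless `err` is returned or acted on by another path not shown in this hunk, a caller testing `IS_ERR(obj)` will no longer see the failure and will treat the pointer as valid.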
me, I'll send out a patch to the patch later today.
A quick patch to change the inet_sock-is_icsk assignment to better fit with
existing kernel coding style.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Cc: Jarek Poplawski [EMAIL PROTECTED]
Cc: Arnaldo Carvalho de Melo [EMAIL PROTECTED]
---
net/ipv4/af_inet.c |2 +-
net/ipv6/af_inet6.c |2
On Monday, January 8 2007 8:25 am, Jarek Poplawski wrote:
On 04-01-2007 21:04, Paul Moore wrote:
+++ net-2.6.20_bugfix_2/net/ipv4/af_inet.c
@@ -305,7 +305,7 @@ lookup_protocol:
sk-sk_reuse = 1;
inet = inet_sk(sk);
- inet-is_icsk = INET_PROTOSW_ICSK answer_flags
of these patches with what I believe to be pretty much all of
the kernel debug options enabled and I have not encountered any problems.
Please consider these for the 2.6.20 release.
The spinlock protecting the update of the sksec-nlbl_state variable is not
currently softirq safe which can lead to problems. This patch fixes this by
changing the spin_{un}lock() functions into spin_{un}lock_bh() functions.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/ss
sporadic
failures.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/netlabel/netlabel_cipso_v4.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: net-2.6.20_bugfix_3/net/netlabel/netlabel_cipso_v4.c
===
--- net
On Tuesday, January 2 2007 6:37 pm, David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Tue, 2 Jan 2007 16:25:24 -0500
I'm sorry I just saw this mail (mail not sent directly to me get
shuffled off to a folder). I agree with your patch, I think
dropping and then re-taking the RCU
and send it out.
Once again, sorry for the regression.
example
you could send?
promise to do so as soon as I am
able.
if you think that has merit for the stable tree and I'll send
the patch to the stable mailing list.
From: Paul Moore [EMAIL PROTECTED]
Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentally dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value. The result
is the mappings data
as well; is there anything special I need to do for that?
From: Paul Moore [EMAIL PROTECTED]
There are a couple of cases where the user input for a CIPSOv4 DOI add
operation was not being done soon enough; the result was unexpected behavior
which was resulting in oops/panics/lockups on some platforms. This patch moves
the existing input validation code
From: Paul Moore [EMAIL PROTECTED]
Add a pointer to the OSDL wiki page on Generic Netlink.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
Documentation/networking/00-INDEX|2 ++
Documentation/networking/generic_netlink.txt |3 +++
2 files changed, 5 insertions(+)
Index
with this patchset; please
consider this for net-2.6.20. Thanks.
From: Paul Moore [EMAIL PROTECTED]
Add support for the enumerated tag (tag type #2) to the CIPSOv4 protocol.
The enumerated tag allows for 15 categories to be specified in a CIPSO option,
where each category is an unsigned 16 bit field with a maximum value of 65534.
See Documentation/netlabel
From: Paul Moore [EMAIL PROTECTED]
Add support for the ranged tag (tag type #5) to the CIPSOv4 protocol.
The ranged tag allows for seven, or eight if zero is the lowest category,
category ranges to be specified in a CIPSO option. Each range is specified by
two unsigned 16 bit fields, each
James Morris wrote:
All applied to:
git://git.infradead.org/~jmorris/selinux-net-2.6.20
Thanks.
Did you mean your kernel.org git tree?
the fix.
/scratching head
-2.6.20]$
Signed-off-by: Arnaldo Carvalho de Melo [EMAIL PROTECTED]
Acked-by: Paul Moore [EMAIL PROTECTED]
Looks fine to me.
From: Paul Moore [EMAIL PROTECTED]
The CIPSOv4 translated tag #1 mapping does not always return the correct error
code if the desired mapping does not exist; instead of returning -EPERM it
returns -ENOSPC indicating that the buffer is not large enough to hold the
translated value
From: Paul Moore [EMAIL PROTECTED]
This patch does a lot of cleanup in the SELinux NetLabel support code. A
summary of the changes include:
* Use RCU locking for the NetLabel state variable in the sk_security_struct
instead of using the inode_security_struct mutex.
* Remove unnecessary
make sense to go into too much
details here, please see each patch for an explanation of what it does.
From: Paul Moore [EMAIL PROTECTED]
Currently the NetLabel unlabeled packet accept flag is an atomic type and it
is checked for every non-NetLabel packet which comes into the system but rarely
ever changed. This patch changes this flag to a normal integer and protects it
with RCU locking.
Signed
From: Paul Moore [EMAIL PROTECTED]
The CIPSOv4 engine currently has MLS label limits which are slightly larger
than what the draft allows. This is not a major problem due to the current
implementation but we should fix this so it doesn't bite us later.
Signed-off-by: Paul Moore [EMAIL PROTECTED
From: Paul Moore [EMAIL PROTECTED]
The netlbl_secattr_init() function would always return 0 making it pointless
to have a return value. This patch changes the function to return void.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/netlabel.h |6 ++
1 files changed, 2
From: Paul Moore [EMAIL PROTECTED]
Currently the CIPSOv4 engine does not do any sort of checking when a new DOI
definition is added. The tags are still verified but only as a side effect of
normal NetLabel operation (packet processing, socket labeling, etc.) which
would cause application errors
From: Paul Moore [EMAIL PROTECTED]
There were a few places in the NetLabel code where the int type was being used
instead of the gfp_t type, this patch corrects this mistake.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/netlabel.h |2 +-
1 files changed, 1 insertion(+), 1
From: Paul Moore [EMAIL PROTECTED]
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is used to indicate
From: Paul Moore [EMAIL PROTECTED]
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention
From: Paul Moore [EMAIL PROTECTED]
Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if
a CIPSO IP option is present. However, we can do this check directly in the
NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save
us a function call
From: Paul Moore [EMAIL PROTECTED]
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places
From: Paul Moore [EMAIL PROTECTED]
While the original CIPSOv4 code had provisions for multiple tag types the
implementation was not as great as it could be, pushing a lot of non-tag
specific processing into the tag specific code blocks. This patch fixes that
issue making it easier to support
From: Paul Moore [EMAIL PROTECTED]
The cipso_v4_doi_search() function behaves the same as cipso_v4_doi_getdef()
but is a local, static function so use it whenever possible in the CIPSOv4
code base.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/ipv4/cipso_ipv4.c |6 +++---
1 files
trying to keep the document
alive.
[1] http://en.wikipedia.org/wiki/Foobar
My favorite wikipedia page - http://en.wikipedia.org/wiki/Mad_Scientist
Thomas Graf wrote:
Various simplifications to the generic netlink interface partially
based on suggestions by Paul Moore.
Acked-by: Paul Moore [EMAIL PROTECTED]
These changes all look good to me.
Thanks. I'm going to mail out the latest version (my first draft with
everybody's patches) later today - I want to give Jamal a little bit longer
to reply.
;
/* finalize the message */
So here I am applying this patch by hand because the diffs are a bit off and I
come across this ... I think I might have to nix this change on the basis of
rudimentary quality standards :)
Besides, *I* brought sexy back.
jamal wrote:
On Mon, 2006-13-11 at 09:08 -0500, Paul Moore wrote:
I want to give Jamal a little bit longer to reply.
Sorry, family emergency - still ongoing today, so haven't looked at
anything (including presentation that was supposed to be done) ;-
Give me a day or two (I know i
alloc_skb(size, flags);
+ return alloc_skb(nlmsg_total_size(payload), flags);
}
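Review bot: the new `return alloc_skb(nlmsg_total_size(payload), flags);` changes what the size argument means: the old `alloc_skb(size, flags)` took a caller-computed total, while `nlmsg_total_size(payload)` adds the netlink header and alignment padding itself. Callers that were already passing a header-inclusive, padded size will now over-allocate; the parameter should be documented as the payload size excluding the header, and existing call sites checked for double-counting.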
I like this approach, it makes much more sense to me than the previous
implementation which was a simple alias to alloc_skb(). Also, the NetLabel
relevant sections look fine to me.
Acked-by: Paul Moore [EMAIL PROTECTED
Thomas Graf wrote:
* Paul Moore [EMAIL PROTECTED] 2006-11-10 01:08
Excellent!
Thanks.
- u32 snd_pid
This is the PID of the client which issued the request.
In order to avoid confusion it might be better to call it
netlink PID as it is not equal to the process ID.
Good point, I
Jarek Poplawski wrote:
On 10-11-2006 07:08, Paul Moore wrote:
...
An Introduction To Using Generic Netlink
===
...
Here is a proposal of small adjustments.
Maybe some of them will be useful.
They all look very
jamal wrote:
On Fri, 2006-10-11 at 01:45 -0500, Paul Moore wrote:
James Morris wrote:
An Introduction To Using Generic Netlink
===
Wow, this is great!
Thanks. I consider it an act of penance for all of the evil
Stephen Hemminger wrote:
Paul Moore wrote:
A couple of months ago I promised Jamal and Thomas I would post some comments
to
Jamal's original genetlink how-to. However, as I started to work on the
document the diff from the original started to get a little ridiculous so
instead of posting
Randy Dunlap wrote:
On Fri, 10 Nov 2006 01:08:23 -0500 Paul Moore wrote:
An Introduction To Using Generic Netlink
===
3.1.2. The genl_family Structure
Generic Netlink services are defined by the genl_family structure
Thomas Graf wrote:
* Paul Moore [EMAIL PROTECTED] 2006-11-10 11:04
I like this approach, it makes much more sense to me than the previous
implementation which was a simple alias to alloc_skb(). Also, the NetLabel
relevant sections look fine to me.
Question is whether to do the same
James Morris wrote:
On Thu, 9 Nov 2006, Paul Moore wrote:
It sounds like you have an idea of how you would like to see this implemented,
can you give me a rough outline? Is this the partitioned SECMARK field you
talked about earlier?
No, just the fact that you are in the same kernel address
request a NLMSG_ERROR
message when no error has occurred by setting the NLM_F_ACK flag on requests.
;)
consistent behavior for all addresses/interfaces
Besides the performance penalty of IPsec and the untested nature of this
solution is there some gotcha here which would prevent this from working?
James Morris wrote:
On Wed, 8 Nov 2006, Paul Moore wrote:
1. Functionality is available right now, no additional kernel changes needed
2. No special handling for localhost, I tend to like the idea of having
consistent behavior for all addresses/interfaces
I don't agree. SO_PEERSEC should
James Morris wrote:
On Wed, 8 Nov 2006, Paul Moore wrote:
James Morris wrote:
On Wed, 8 Nov 2006, Paul Moore wrote:
1. Functionality is available right now, no additional kernel changes needed
2. No special handling for localhost, I tend to like the idea of having
consistent behavior for all
On Sunday 05 November 2006 1:43 pm, Toralf Förster wrote:
Hello,
the build with the attached .config failed, make ends with:
...
: undefined reference to `cipso_v4_sock_getattr'
Hmm, that's both strange and not good :( I'm grabbing Linus' latest bits and
I'll see what I can do.
;)
It looks like I was stupid and made NetLabel depend on CONFIG_NET and not
CONFIG_INET, the patch below should fix this by making NetLabel depend on
CONFIG_INET and CONFIG_SECURITY. Please review and apply for 2.6.19.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
diff --git a/net/Kconfig b/net
On Sunday 05 November 2006 7:45 pm, David Miller wrote:
From: Paul Moore [EMAIL PROTECTED]
Date: Sun, 5 Nov 2006 16:24:07 -0500 (EST)
On Sun, 5 Nov 2006, Toralf Förster wrote:
Hello,
the build with the attached .config failed, make ends with:
...
: undefined reference
with the NetLabel/CIPSO options on
a socket causing all sorts of nastiness. This patch should solve these
problems.
From: Paul Moore [EMAIL PROTECTED]
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket. The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket; this prevents
Eric Paris wrote:
On Mon, 2006-10-30 at 13:03 -0500, [EMAIL PROTECTED] wrote:
plain text document attachment (netlabel-sockopts)
From: Paul Moore [EMAIL PROTECTED]
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket
When doing some more testing today I ran into a few bugs, this patchset
addresses those bugs. This patchset is backed against today's net-2.6 git
tree.
Please apply these patches for 2.6.19, thanks.
From: Paul Moore [EMAIL PROTECTED]
Fix several places in the CIPSO code where it was dereferencing fields which
did not have valid pointers by moving those pointer dereferences into code
blocks where the pointers are valid.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
net/ipv4/cipso_ipv4.c
From: Paul Moore [EMAIL PROTECTED]
Upon inspection it looked like the error handling for mls_export_cat() was
rather poor. This patch addresses this by NULL'ing out kfree()'d pointers
before returning and checking the return value of the function everywhere
it is called.
Signed-off-by: Paul
From: Paul Moore [EMAIL PROTECTED]
The CIPSO passthrough mapping had a problem when sending categories which
would cause no or incorrect categories to be sent on the wire with a packet.
This patch fixes the problem which was a simple off-by-one bug.
Signed-off-by: Paul Moore [EMAIL PROTECTED
CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
;
}
;
+ return xfrm_policy_check(sk, dir, skb, AF_INET6);
}
-#endif
static __inline__
xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
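Review bot: the `-#endif` at the end of this hunk removes a conditional-compilation close whose opening `#if`/`#ifdef` is not visible here; confirm the matching opening directive was removed in an earlier hunk, otherwise the header no longer preprocesses. If the intent is to always define the AF_INET6 `xfrm_policy_check` wrapper regardless of config, the commit message should say so.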
From: Paul Moore [EMAIL PROTECTED]
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
This includes a change to the security_skb_flow_in() LSM hook to indicate if
the hook is in the forwarding path and a change to netlbl_skbuff_err() to carry
the forwarding
0x0001UL
#define KEY__READ 0x0002UL
= selinux_skb_flow_out,
to retrieve the context of a UDP packet
- * based on its security association used to connect to the remote socket.
+ * based on its security association.
*
* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
* type SCM_SECURITY.
inline void security_flow_classif
{
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+}
+
#endif /* CONFIG_SECURITY_NETWORK */
#endif /* __KERNEL__ */
(no data) */
tcph-doff = sizeof(struct tcphdr)/4;
=selinux_igmp_classify_skb,
.skb_flow_in = selinux_skb_flow_in,
.skb_flow_out = selinux_skb_flow_out,
first.
I'll keep the patchset up to date and keep tracking the secid patches (I know
there has been discussion around the IGMP hook this morning). Once everything
looks okay I'll resend the patchset (with any updates/corrections/etc.) again.
This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
SELinux type information when generating a NetLabel context.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/ss/services.c | 29 +
1 files changed, 9 insertions(+), 20
address the issue.
This patch does not rely on the secid patches currently in progress and should
be considered a bugfix against the current net-2.6 tree.
if it would also make sense to
update the secmark to SECINITSID_UNLABELED in the absence of any
external labeling (labeled IPsec or NetLabel)?
Paul Moore wrote:
Venkat Yekkirala wrote:
The following replaces unlabeled_t with network_t for
better characterization of the flow out/in checks in
SELinux, as well as to allow for mls packets to
flow out/in from the network since network_t would allow
the full range of MLS labels, as opposed
Christopher J. PeBenito wrote:
On Wed, 2006-10-04 at 10:33 -0400, Paul Moore wrote:
Venkat Yekkirala wrote:
The following replaces unlabeled_t with network_t for
better characterization of the flow out/in checks in
SELinux, as well as to allow for mls packets to
flow out/in from the network
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/hooks.c| 104 +--
security/selinux/include/objsec.h |1
security/selinux/include
a bug
which has been around since the very first NetLabel patches (not sure why I
didn't see this sooner).
-off-by: Paul Moore [EMAIL PROTECTED]
---
include/net/netlabel.h | 62 +++--
net/ipv4/cipso_ipv4.c | 18 ++-
net/netlabel/netlabel_kapi.c |2 -
security/selinux/ss/services.c | 37 +---
4 files changed, 79
way or the
other unless the above differences in behavior are desired or somehow
accounted for in policy and apps.
I agree - I'd like to hear what others (namely Stephen Smalley, James
Morris and all of the Tresys folks past and present) have to say on
this issue.
I think it's easier to decide on policy, review the design, and test it
all if there is one place/patchset with all of the latest bits/patches.
Right now it's not that easy with different patches scattered around.
)
+ goto out;
+
+ if (xfrm_sid)
+ skb-secmark = xfrm_sid;
+
+ /* See if NetLabel can flow in thru the current secmark here */
+
+out:
+ return err ? 0 : 1;
+};
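Review bot: `+};` closes the function with a stray semicolon after the brace; drop it. More importantly, the comment `/* See if NetLabel can flow in thru the current secmark here */` is followed by no code before `out:`, so the NetLabel flow-in check it announces is never performed and the function falls through to `return err ? 0 : 1;` with only the xfrm secmark set; either add the NetLabel check or mark the comment as a TODO so the gap is not mistaken for a completed check.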
Stephen Smalley wrote:
On Mon, 2006-10-02 at 12:12 -0400, Paul Moore wrote:
Venkat Yekkirala wrote:
This defines SELinux enforcement of the 2 new LSM hooks as well
as related changes elsewhere in the SELinux code.
This also now keeps track of the peersid thru the establishment
of a connection
out like the rest
of the code already does (if that meets your needs that is).
deal with the other cleanups once I
can prove them during testing.
Please consider this for inclusion in 2.6.19.
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/hooks.c| 67 +++--
security/selinux/include/objsec.h |1
security/selinux/include
Stephen Smalley wrote:
On Mon, 2006-10-02 at 14:06 -0400, [EMAIL PROTECTED] wrote:
plain text document attachment (netlabel-secid_support)
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux
Stephen Smalley wrote:
On Mon, 2006-10-02 at 14:06 -0400, [EMAIL PROTECTED] wrote:
plain text document attachment (netlabel-secid_support)
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/hooks.c| 80 ++---
security/selinux/include/objsec.h |1
security/selinux/include
Version 3 of the NetLabel support for the secid patchset. This version takes
into account comments made by Stephen Smalley.
and allow both labeling methods on the
same connection we'll need to decide how to handle resolving the two -
maybe use a transition in this one case?
something like that would
be acceptable. So, in summary, we would do the normal flow_in checks
for both IPsec and NetLabel and then set the secmark using the IPsec
label as the base sid for the NetLabel's generated SID?