e numbers of
SAs involved I believe it would still be quite a task. It also should be
said that this procedure would need to be done for each SPD rule.
I haven't thought about this too much yet, but I suspect proactively creating
SAs is not going to be a practical solution.
--
if (obj)
> - atomic_inc(fle->object_ref);
> + atomic_inc(obj_ref);
> }
> }
> local_bh_enable();
>
> - if (err)
> - obj = ERR_PTR(err);
> return obj;
> }
> }
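Review bot: dropping `- if (err)` / `- obj = ERR_PTR(err);` means the trailing `return obj;` no longer reports a failure to callers that test the result with IS_ERR(); confirm that `err` is still propagated on some other path (or that `obj` is already set to an ERR_PTR value at the point where `err` is raised), otherwise the error code is silently lost on the way out of this function.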
--
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wednesday 10 January 2007 5:01 am, Jarek Poplawski wrote:
> On Tue, Jan 09, 2007 at 09:26:46AM -0500, Paul Moore wrote:
> > On Tuesday 09 January 2007 3:43 am, Jarek Poplawski wrote:
> > > ... But if you consider this code will probably become classical
> > > a
A quick patch to change the inet_sock->is_icsk assignment to better fit with
existing kernel coding style.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Cc: Jarek Poplawski <[EMAIL PROTECTED]>
Cc: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
---
net/ipv4/af_inet.c |2 +-
;)
All right, you convinced me, I'll send out a patch to the patch later today.
--
paul moore
linux security @ hp
On Monday, January 8 2007 8:25 am, Jarek Poplawski wrote:
> On 04-01-2007 21:04, Paul Moore wrote:
> > +++ net-2.6.20_bugfix_2/net/ipv4/af_inet.c
> > @@ -305,7 +305,7 @@ lookup_protocol:
> > sk->sk_reuse = 1;
> >
> > inet = inet_sk(sk);
>
The spinlock protecting the update of the "sksec->nlbl_state" variable is not
currently softirq safe which can lead to problems. This patch fixes this by
changing the spin_{un}lock() functions into spin_{un}lock_bh() functions.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
--
caused sporadic
failures.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
net/netlabel/netlabel_cipso_v4.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: net-2.6.20_bugfix_3/net/netlabel/netlabe
both of these patches with what I believe to be pretty much all of
the kernel debug options enabled and I have not encountered any problems.
Please consider these for the 2.6.20 release.
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
The inet_create() and inet6_create() functions incorrectly set the
inet_sock->is_icsk field. Both functions assume that the is_icsk field is
large enough to hold at least an INET_PROTOSW_ICSK value when it is actually
only a single bit. This patch
On Tuesday, January 2 2007 6:37 pm, David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Tue, 2 Jan 2007 16:25:24 -0500
>
> > I'm sorry I just saw this mail (mail not sent directly to me get
> > shuffled off to a folder). I agree with your patch,
ove I'm not sure I like that approach so much,
however, I could be misunderstanding something. Do you have a small example
you could send?
--
paul moore
linux security @ hp
e goes so any
comments/feedback on the above proposal are welcome. If it turns out this
approach has some merit I'll put together a patch and send it out.
Once again, sorry for the regression.
--
paul moore
linux security @ hp
n developing and testing new kernel code. And everything else in that
>file, too.
>
I apologize for the mistake - I'm still trying to get a firm grasp on some of
the finer points of Linux kernel development and I obviously missed something
here. Unfortunately, due to the holiday I won
ertain configurations, return security attributes/contexts which are incorrect.
Please let me know if you think that has merit for the stable tree and I'll send
the patch to the stable mailing list.
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
There are a couple of cases where the user input for a CIPSOv4 DOI add
operation was not being done soon enough; the result was unexpected behavior
which was resulting in oops/panics/lockups on some platforms. This patch moves
the existing input vali
as well; is there anything special I need to do for that?
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentally dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value. The result
is the mappings data
From: Paul Moore <[EMAIL PROTECTED]>
Add a pointer to the OSDL wiki page on Generic Netlink.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
Documentation/networking/00-INDEX|2 ++
Documentation/networking/generic_netlink.txt |3 +++
2 files changed, 5 insertio
list.
--
paul moore
linux security @ hp
James Morris wrote:
> All applied to:
> git://git.infradead.org/~jmorris/selinux-net-2.6.20
Thanks.
Did you mean your kernel.org git tree?
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
Add support for the ranged tag (tag type #5) to the CIPSOv4 protocol.
The ranged tag allows for seven, or eight if zero is the lowest category,
category ranges to be specified in a CIPSO option. Each range is specified by
two unsigned 16 bit fields
sions with this patchset; please
consider this for net-2.6.20. Thanks.
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
Add support for the enumerated tag (tag type #2) to the CIPSOv4 protocol.
The enumerated tag allows for 15 categories to be specified in a CIPSO option,
where each category is an unsigned 16 bit field with a maximum value of 65534.
See Documentation/ne
From: Paul Moore <[EMAIL PROTECTED]>
The original NetLabel category bitmap was a straight char bitmap which worked
fine for the initial release as it only supported 240 bits due to limitations
in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that
straight char bitma
that ... thanks for accepting the patches and making the fix.
--
paul moore
linux security @ hp
airly small so people wouldn't be afraid by the
length of the document. However, if we try to partition the document into two
sections then it probably won't be too bad.
> So keep me as a coauthor - it will keep me on the hook for now; i will
> bail out the moment i think it
From: Paul Moore <[EMAIL PROTECTED]>
The cipso_v4_doi_search() function behaves the same as cipso_v4_doi_getdef()
but is a local, static function so use it whenever possible in the CIPSOv4
code base.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
net/ipv4/cipso_ipv4.c |6 +++
From: Paul Moore <[EMAIL PROTECTED]>
While the original CIPSOv4 code had provisions for multiple tag types the
implementation was not as great as it could be, pushing a lot of non-tag
specific processing into the tag specific code blocks. This patch fixes that
issue making it easier to s
From: Paul Moore <[EMAIL PROTECTED]>
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several pla
From: Paul Moore <[EMAIL PROTECTED]>
Right now the NetLabel code always jumps into the CIPSOv4 layer to determine if
a CIPSO IP option is present. However, we can do this check directly in the
NetLabel code by making use of the CIPSO_V4_OPTEXIST() macro which should save
us a function c
From: Paul Moore <[EMAIL PROTECTED]>
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention
From: Paul Moore <[EMAIL PROTECTED]>
The existing netlbl_lsm_secattr struct required the LSM to check all of the
fields to determine if any security attributes were present resulting in a lot
of work in the common case of no attributes. This patch adds a 'flags' field
which is
From: Paul Moore <[EMAIL PROTECTED]>
Currently the CIPSOv4 engine does not do any sort of checking when a new DOI
definition is added. The tags are still verified but only as a side effect of
normal NetLabel operation (packet processing, socket labeling, etc.) which
would cause appli
From: Paul Moore <[EMAIL PROTECTED]>
There were a few places in the NetLabel code where the int type was being used
instead of the gfp_t type, this patch corrects this mistake.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
include/net/netlabel.h |2 +-
1 files changed, 1 ins
From: Paul Moore <[EMAIL PROTECTED]>
The netlbl_secattr_init() function would always return 0 making it pointless
to have a return value. This patch changes the function to return void.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
include/net/netlabel.h |6 ++
1 file
From: Paul Moore <[EMAIL PROTECTED]>
Currently the NetLabel unlabeled packet accept flag is an atomic type and it
is checked for every non-NetLabel packet which comes into the system but rarely
ever changed. This patch changes this flag to a normal integer and protects it
with RCU l
From: Paul Moore <[EMAIL PROTECTED]>
The CIPSOv4 engine currently has MLS label limits which are slightly larger
than what the draft allows. This is not a major problem due to the current
implementation but we should fix this so it doesn't bite us later.
Signed-off-by: Paul Mo
it doesn't make sense to go into too much
details here, please see each patch for an explanation of what it does.
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
This patch does a lot of cleanup in the SELinux NetLabel support code. A
summary of the changes include:
* Use RCU locking for the NetLabel state variable in the sk_security_struct
instead of using the inode_security_struct mutex.
* Remove unnec
From: Paul Moore <[EMAIL PROTECTED]>
The CIPSOv4 translated tag #1 mapping does not always return the correct error
code if the desired mapping does not exist; instead of returning -EPERM it
returns -ENOSPC indicating that the buffer is not large enough to hold the
translated value. Th
ytes removed
> [EMAIL PROTECTED] net-2.6.20]$
>
> Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
Acked-by: Paul Moore <[EMAIL PROTECTED]>
Looks fine to me.
--
paul moore
linux security @ hp
Thomas Graf wrote:
> Various simplifications to the generic netlink interface partially
> based on suggestions by Paul Moore.
Acked-by: Paul Moore <[EMAIL PROTECTED]>
These changes all look good to me.
--
paul moore
linux security @ hp
jamal wrote:
> On Mon, 2006-13-11 at 09:08 -0500, Paul Moore wrote:
>
>>I want to give Jamal a little bit longer to reply.
>
> Sorry, family emergency - still ongoing today, so haven't looked at
> anything (including presentation that was supposed to be done) ;-<
>
>
");
>if (rc != 0)
>goto failure;
>/* finalize the message */
So here I am applying this patch by hand because the diffs are a bit off and I
come across this ... I think I might have to nix this change on the basis of
rudimentary quality standards :)
Besides, *I* brought
hat is the current version.
Thanks. I'm going to mail out the latest version (my first draft with
everybody's patches) later today - I want to give Jamal a little bit longer
to reply.
--
paul moore
linux security @ hp
Thomas Graf wrote:
> * Paul Moore <[EMAIL PROTECTED]> 2006-11-10 11:04
>
>>I like this approach, it makes much more sense to me than the previous
>>implementation which was a simple "alias" to alloc_skb(). Also, the NetLabel
>>relevant sections look fine
Randy Dunlap wrote:
> On Fri, 10 Nov 2006 01:08:23 -0500 Paul Moore wrote:
>
>>An Introduction To Using Generic Netlink
>>===
>>3.1.2. The genl_family Structure
>>
>>Generic Netlink ser
Stephen Hemminger wrote:
> Paul Moore wrote:
>
>>A couple of months ago I promised Jamal and Thomas I would post some comments
>>to
>>Jamal's original genetlink how-to. However, as I started to work on the
>>document the diff from the original started to get
jamal wrote:
> On Fri, 2006-10-11 at 01:45 -0500, Paul Moore wrote:
>
>>James Morris wrote:
>>
>>>>An Introduction To Using Generic Netlink
>>>>===
>>>
>>>
Jarek Poplawski wrote:
> On 10-11-2006 07:08, Paul Moore wrote:
> ...
>
>>An Introduction To Using Generic Netlink
>>===
>
> ...
>
> Here is a proposal of small adjustments.
> Mayb
Thomas Graf wrote:
> * Paul Moore <[EMAIL PROTECTED]> 2006-11-10 01:08
>
> Excellent!
Thanks.
>> - u32 snd_pid
>>
>> This is the PID of the client which issued the request.
>
> In order to avoid confusion it might be better to call it
> "ne
implementation which was a simple "alias" to alloc_skb(). Also, the NetLabel
relevant sections look fine to me.
Acked-by: Paul Moore <[EMAIL PROTECTED]>
--
paul moore
linux security @ hp
rst few iterations of NetLabel ;)
--
paul moore
linux security @ hp
ent an explicit
acknowledgment message as Netlink already provides a flexible acknowledgment
and error reporting message type called NLMSG_ERROR. When an error occurs a
NLMSG_ERROR message is returned to the client with the error code returned by
the Generic Netlink operation handler. Clients ca
James Morris wrote:
> On Thu, 9 Nov 2006, Paul Moore wrote:
>
>>It sounds like you have an idea of how you would like to see this implemented,
>>can you give me a rough outline? Is this the partitioned SECMARK field you
>>talked about earlier?
>
> No, just the
James Morris wrote:
> On Wed, 8 Nov 2006, Paul Moore wrote:
>
>>James Morris wrote:
>>
>>>On Wed, 8 Nov 2006, Paul Moore wrote:
>>>
>>>>1. Functionality is available right now, no additional kernel changes needed
>>>>2. No speci
James Morris wrote:
> On Wed, 8 Nov 2006, Paul Moore wrote:
>
>>1. Functionality is available right now, no additional kernel changes needed
>>2. No special handling for localhost, I tend to like the idea of having
>>consistent behavior for all addresses/interfaces
>
anges needed
2. No special handling for localhost, I tend to like the idea of having
consistent behavior for all addresses/interfaces
Besides the performance penalty of IPsec and the untested nature of this
solution is there some gotcha here which would prevent this from working?
--
paul moo
of this function I think we can get away with only
a simple "sid1 == sid2" since the security server shouldn't be creating
duplicate SID/secid values for identical contexts, I think. Did you run into
something in testing that would indicate otherwise?
--
paul moore
linux security @ hp
On Sunday 05 November 2006 7:45 pm, David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Sun, 5 Nov 2006 16:24:07 -0500 (EST)
>
> > On Sun, 5 Nov 2006, Toralf Förster wrote:
> > > Hello,
> > >
> > > the build
networking ;)
It looks like I was stupid and made NetLabel depend on CONFIG_NET and not
CONFIG_INET, the patch below should fix this by making NetLabel depend on
CONFIG_INET and CONFIG_SECURITY. Please review and apply for 2.6.19.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
diff --git a/n
tests bits and
I'll see what I can do.
--
paul moore
linux security @ hp
Eric Paris wrote:
> On Mon, 2006-10-30 at 13:03 -0500, [EMAIL PROTECTED] wrote:
>
>>plain text document attachment (netlabel-sockopts)
>>From: Paul Moore <[EMAIL PROTECTED]>
>>
>>This patch makes two changes to protect applications from either removing or
>&
NetLabel/CIPSO options on
a socket causing all sorts of nastiness. This patch should solve these
problems.
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
This patch makes two changes to protect applications from either removing or
tampering with the CIPSOv4 IP option on a socket. The first is the requirement
that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option
on a socket
From: Paul Moore <[EMAIL PROTECTED]>
Fix several places in the CIPSO code where it was dereferencing fields which
did not have valid pointers by moving those pointer dereferences into code
blocks where the pointers are valid.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
net/ipv
From: Paul Moore <[EMAIL PROTECTED]>
Upon inspection it looked like the error handling for mls_export_cat() was
rather poor. This patch addresses this by NULL'ing out kfree()'d pointers
before returning and checking the return value of the function everywhere
it is called.
Sig
From: Paul Moore <[EMAIL PROTECTED]>
The CIPSO passthrough mapping had a problem when sending categories which
would cause no or incorrect categories to be sent on the wire with a packet.
This patch fixes the problem which was a simple off-by-one bug.
Signed-off-by: Paul Moore <[EMAIL
When doing some more testing today I ran into a few bugs, this patchset
addresses those bugs. This patchset is backed against today's net-2.6 git
tree.
Please apply these patches for 2.6.19, thanks.
--
paul moore
linux security @ hp
ation, and ensuring that
> all the related policy changes are merged upstream first.
I'll keep the patchset up to date and keep tracking the secid patches (I know
there has been discussion around the IGMP hook this morning). Once everything
looks okay I'll resend the patchset (with an
skb->secmark = SECSID_NULL;
}
out:
return err ? NF_DROP : NF_ACCEPT;
@@ -4824,7 +4863,7 @@ static struct security_operations selinu
.inet_conn_request =selinux_inet_conn_request,
.inet_csk_clone = selinux_inet_csk_clone,
.inet_c
o data) */
tcph->doff = sizeof(struct tcphdr)/4;
--
paul moore
linux security @ hp
flow_in = selinux_skb_flow_in,
.skb_flow_out = selinux_skb_flow_out,
--
paul moore
linux security @ hp
dst_release(dst);
-
-out:
- return peer_sid;
-}
-
-/*
* SELinux internal function to retrieve the context of a UDP packet
- * based on its security association used to connect to the remote socket.
+ * based on its security association.
*
* Retrieve via setsockopt IP_PASSSEC and recvmsg with control message
* type SCM_SECURITY.
--
paul moore
linux security @ hp
,11 @@ static inline void security_flow_classif
{
}
+static inline void security_skb_classify_flow(struct sk_buff *skb,
+ struct flowi *fl)
+{
+}
+
#endif /* CONFIG_SECURITY_NETWORK */
#endif /* __KERNEL__ */
--
paul moore
linux security @ hp
From: Paul Moore <[EMAIL PROTECTED]>
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
This includes a change to the security_skb_flow_in() LSM hook to indicate if
the hook is in the forwarding path and a change to netlbl_skbuff_err() to carry
the forw
__FLOW_IN 0x0008UL
+#define PACKET__FLOW_OUT 0x0010UL
#define KEY__VIEW 0x0001UL
#define KEY__READ 0x0002UL
--
paul moore
linux security @ hp
vid's net-2.6.20 git tree.
Thanks.
--
paul moore
linux security @ hp
inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff
*skb)
{
- return 1;
+ return xfrm_policy_check(sk, dir, skb, AF_INET6);
}
-#endif
static __inline__
xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
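Review bot: the `-#endif` removed after xfrm6_policy_check() has no opening `#if`/`#ifdef` in the visible context, so make sure the matching directive is dropped in the same patch or the header will no longer preprocess. Replacing `return 1;` with `return xfrm_policy_check(sk, dir, skb, AF_INET6);` also turns an unconditional accept into a real policy check, so the configuration this inline is compiled under must guarantee xfrm_policy_check() is defined there.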
--
paul moore
linux security @ hp
skb->csum));
+ security_req_classify_skb(req, skb);
err = ip_build_and_send_pkt(skb, sk, ireq->loc_addr,
ireq->rmt_addr,
--
paul moore
linux security @ hp
und or done with outbound check or no LSM hook
+* for outbound
+*/
+ if ((*pskb)->secmark != secmark)
+ (*pskb)->secmark = secmark;
+ }
+out:
return XT_CONTINUE;
}
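Review bot: the guard `if ((*pskb)->secmark != secmark)` in front of `(*pskb)->secmark = secmark;` is redundant, since an unconditional assignment has the same result and reads more simply; if the compare is there on purpose to avoid dirtying the skb cacheline when nothing changes, a one-line comment saying so would keep the next reader from removing it.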
--
paul moore
linux security @ hp
);
#endif/* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
--
paul moore
linux security @ hp
This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
SELinux type information when generating a NetLabel context.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
security/selinux/ss/services.c | 29 +
1 files changed, 9 insert
hould
address the issue.
This patch does not rely on the secid patches currently in progress and should
be considered a bugfix against the current net-2.6 tree.
--
paul moore
linux security @ hp
Venkat Yekkirala wrote:
>>On Wed, 2006-10-04 at 15:27 -0400, Paul Moore wrote:
>>
>>>Venkat Yekkirala wrote:
>>>
>>>>>* XFRM present
>>>>>
>>>>> xfrm_sid =
>>>>> loc_sid = SECINITSID_NETMSG
>>>
xfrm_sid.
>
>
> You are right, but I was actually referring to the "Nothing"
> case above.
>
>
>>I have a hunch we are still on different pages here ...
>>
>>
>>>In the NetLabel case: final skb->secmark would be network_t
>
ture. As James says, let's
> get policy done, the design proven, and tested and then we will
> go to netdev with one patchset.
I think it's easier to decide on policy, review the design, and test it
all if there is one place/patchset with all of the latest bits/patches.
Right now it's not that easy with different patches scattered around.
--
paul moore
linux security @ hp
Any calls made to getpeercon() would
return success with the context matching xfrm_sid.
I have a hunch we are still on different pages here ...
> In the NetLabel case: final skb->secmark would be network_t resulting in
> getpeercon to return network_t
Yep, and I understand you would
enkat, can you please merge my latest NetLabel secid support
patch in with your next release? If not, would you have a problem if I
pushed out a patchset which included your latest patches with the
NetLabel secid support patch and we used this patchset as the basis for
future work?
--
pau
ay be an argument made that it is appropriate.
> What does the community think? We need to resolve it one way or the
> other unless the above differences in behavior are desired or somehow
> accounted for in policy and apps.
I agree - I'd like to hear what others (namely Stephen Smalley, James
Morris and all of the Tresys folks) have to say on
this issue.
--
paul moore
linux security @ hp
-off-by: Paul Moore <[EMAIL PROTECTED]>
---
include/net/netlabel.h | 62 +++--
net/ipv4/cipso_ipv4.c | 18 ++-
net/netlabel/netlabel_kapi.c |2 -
security/selinux/ss/services.c | 37 +---
4 files c
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
security/selinux/hooks.c| 104 +--
security/selinux/include/objsec.h |1
security/selinux/i
s it fixes a bug
which has been around since the very first NetLabel patches (not sure why I
didn't see this sooner).
--
paul moore
linux security @ hp
Christopher J. PeBenito wrote:
> On Wed, 2006-10-04 at 10:33 -0400, Paul Moore wrote:
>
>>Venkat Yekkirala wrote:
>>
>>>The following replaces unlabeled_t with network_t for
>>>better characterization of the flow out/in checks in
>>>SELinux, as well
Paul Moore wrote:
> Venkat Yekkirala wrote:
>
>>The following replaces unlabeled_t with network_t for
>>better characterization of the flow out/in checks in
>>SELinux, as well as to allow for mls packets to
>>flow out/in from the network since network_t would allow
cmark, SECINITSID_NETMSG,
> SECCLASS_PACKET, PACKET__FLOW_OUT, &ad);
> }
> out:
Considering the above change, I wonder if it would also make sense to
update the secmark to SECINITSID_UNLABELED in the absence of any
external labeling (labeled IPse
Version 3 of the NetLabel support for the secid patchset. This version takes
into account comments made by Stephen Smalley.
--
paul moore
linux security @ hp
This patch provides the missing NetLabel support to the secid reconciliation
patchset.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---
security/selinux/hooks.c| 80 ++---
security/selinux/include/objsec.h |1
security/selinux/i
Stephen Smalley wrote:
> On Mon, 2006-10-02 at 14:06 -0400, [EMAIL PROTECTED] wrote:
>
>>plain text document attachment (netlabel-secid_support)
>>This patch provides the missing NetLabel support to the secid reconciliation
>>patchset.
>>
>>Signed-