Add ability to set the connection tracking secmark value.
Add ability to set the meta secmark value.
Signed-off-by: Christian Göttsche
---
v3: fix compile error when CONFIG_NF_CONNTRACK_MARK not defined
Based on nf-next
Tested with v4.18.8
net/netfilter/nft_ct.c | 17 -
net
Add the ability to set the security context of packets within the nf_tables
framework.
Add a nft_object for holding security contexts in the kernel and manipulating
packets on the wire.
Convert the security context strings at rule addition time to security
identifiers.
This is the same behavior
> > +struct nft_secmark {
> > + char ctx[NFT_SECMARK_CTX_MAXLEN];
> > + int len;
> > + u32 secid;
> > +};
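Review bot: the fixed-size `ctx[NFT_SECMARK_CTX_MAXLEN]` array plus a separate `len` field keeps the same information twice, and switching to the suggested `u32 secid; char *ctx;` layout removes `len` entirely, so the nla_policy entry that currently bounds the context attribute by `.len` should be revisited in the same change rather than left pointing at a field that no longer exists.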
>
> Can you change this to:
>
> struct nft_secmark {
> u32 secid;
> char *ctx;
> };
Does the nla_policy struct need an update too? (regarding the .len member)
Add the ability to set the security context of packets within the nf_tables
framework.
Add a nft_object for holding security contexts in the kernel and manipulating
packets on the wire.
Convert the security context strings at rule addition time to security
identifiers.
This is the same behavior
Add ability to set the connection tracking secmark value.
Add ability to set the meta secmark value.
Signed-off-by: Christian Göttsche
---
Based on nf-next
Tested with v4.18.8
net/netfilter/nft_ct.c | 15 +++
net/netfilter/nft_meta.c | 8
2 files changed, 23 insertions
> > > + for (i = 0; i < ARRAY_SIZE(nft_basic_objects); i++) {
> > > + err = nft_register_obj(nft_basic_objects[i]);
> > > + if (err)
> > > + goto err;
> > > + }
> > >
> > > - for (i = 0; i < ARRAY_SIZE(nft_basic_types); i++) {
> > > - err = nft_
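Review bot: the `goto err` inside the `nft_register_obj()` loop exits after a partial registration; the `err` label must unregister the entries of `nft_basic_objects` registered before index `i` (and, since the old `nft_basic_types` loop is being removed, the corresponding type unregistration must be dropped from the error path as well), otherwise a failure mid-loop leaves stale object types registered.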
> I've only had a cursory look at your patch, but how is it
> different from what's in xt_SECMARK.c ?
xt_SECMARK.c is for xtables, usable in iptables; this is for nftables (nft)
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email
Add the ability to set the security context of packets within the nf_tables
framework.
Add a nft_object for holding security contexts in the kernel and manipulating
packets on the wire.
The contexts are kept as strings and are evaluated to security identifiers at
runtime (packet arrival),
so tha
Hello,
in the past systemd was checking operations on systemd units, like
enable, disable, ..., when using systemctl.
This feature was removed three years ago [1] and nowadays only {
reload start status stop } are checked.
I am trying to re-enable these checks with a new approach [2].
With this pul
Now that nnp transitions are available in kernel v4.14, can the
selinux_err message be skipped? (maybe conditional if the policy
capability for nnp transitions is enabled)
Because now I am getting these logs:
time->Sat Nov 4 11:30:21 2017
type=PROCTITLE msg=audit(1509791421.220:2221):
proctitle=2F
Since 1cd972f restorecon does not print a warning in recurse mode for child
files without a default label.
Change it back in verbose mode:
$ touch /run/test.pid
$ restorecon -R /run
$ restorecon -v -R /run
Warning no default label for /run/test.pid
Signed-off-by: Christian Göttsche
---
libseli
2017-06-09 14:45 GMT+02:00 Stephen Smalley :
> Kernel version and config, particularly the CONFIG_SECURITY_SELINUX
> ones? And are you using any other SELinux-related kernel command line
> options (e.g. enforcing=, selinux=)?
standard Debian sid kernel: Linux server02 4.9.0-3-amd64 #1 SMP Debian
Add security_get_checkreqprot() function, returning the current active
checkreqprot value
---
libselinux/include/selinux/selinux.h | 3 +++
libselinux/man/man3/security_getenforce.3 | 11 -
libselinux/src/checkreqprot.c | 40 +++
libselinux/src
Show the current active checkreqprot state in sestatus
---
policycoreutils/sestatus/sestatus.8 | 2 ++
policycoreutils/sestatus/sestatus.c | 14 ++
2 files changed, 16 insertions(+)
diff --git a/policycoreutils/sestatus/sestatus.8
b/policycoreutils/sestatus/sestatus.8
index 51ff0566
v3:
improved man-page and sestatus output wording; thanks to Stephen
v2:
rename security_checkreqprot to security_get_checkreqprot
add O_CLOEXEC open flag
improve man page description and fix wrong placement
hopefully improve sestatus output readability
Christian Göttsche (2):
libseli
Add command line tool selinuxenforced to determine the current SELinux enforced
via exit code.
Useful for script usage or monitoring.
---
libselinux/man/man8/selinuxenforced.8 | 24
libselinux/utils/.gitignore | 1 +
libselinux/utils/selinuxenforced.c| 33 +
v2:
rename security_checkreqprot to security_get_checkreqprot
add O_CLOEXEC open flag
improve man page description and fix wrong placement
hopefully improve sestatus output readability
Christian Göttsche (2):
libselinux: add security_get_checkreqprot
sestatus: show checkreqprot status
Show the current active checkreqprot state in sestatus
---
policycoreutils/sestatus/sestatus.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/policycoreutils/sestatus/sestatus.c
b/policycoreutils/sestatus/sestatus.c
index 2111b15d..a461251d 100644
--- a/policycoreutils/sestat
Add security_get_checkreqprot() function, returning the current active
checkreqprot value
---
libselinux/include/selinux/selinux.h | 3 +++
libselinux/man/man3/security_getenforce.3 | 9 ++-
libselinux/src/checkreqprot.c | 40 +++
libselinux/src/s