kernel-ark/net
Venkat Yekkirala 67f83cbf08 SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.

With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

allow socket_t unlabeled_t:association { sendto recvfrom };

2. To enable a socket to communicate with labeled-IPSec SAs:

allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02 21:21:34 -08:00
802 [TR]: endiannness annotations 2006-09-28 17:53:59 -07:00
8021q [PATCH] Finish annotations of struct vlan_ethhdr 2006-10-10 16:15:34 -07:00
appletalk [APPLETALK]: Fix potential OOPS in atalk_sendmsg(). 2006-10-30 15:24:34 -08:00
atm [ATM]: handle sysfs errors 2006-10-21 19:55:22 -07:00
ax25 [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
bluetooth [BLUETOOTH] rfcomm endianness bug: param_mask is little-endian on the wire 2006-12-02 21:21:30 -08:00
bridge [PATCH] bridge: fix possible overflow in get_fdb_entries 2006-11-28 17:26:50 -08:00
core [PATCH] netdev: don't allow register_netdev with blank name 2006-12-02 00:16:37 -05:00
dccp [NET]: Fix kfifo_alloc() error check. 2006-11-25 15:16:49 -08:00
decnet [DECNET]: Endianess fixes (try #2) 2006-11-07 15:10:17 -08:00
econet [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
ethernet [NET]: Annotate dst_ops protocol 2006-09-28 18:02:58 -07:00
ieee80211 [PATCH] softmac: reduce scan debug output 2006-12-02 00:12:06 -05:00
ipv4 SELinux: Return correct context for SO_PEERSEC 2006-12-02 21:21:33 -08:00
ipv6 [IPV6]: ip6_output annotations 2006-12-02 21:21:26 -08:00
ipx [IPX]: Annotate and fix IPX checksum 2006-11-05 14:11:25 -08:00
irda [IRDA]: Lockdep fix. 2006-11-21 17:33:01 -08:00
key [XFRM]: annotate ->new_mapping() 2006-12-02 21:21:18 -08:00
lapb [LAPB]: Fix windowsize check 2006-08-05 21:15:58 -07:00
llc [LLC]: anotations 2006-12-02 21:21:23 -08:00
netfilter [NETFILTER]: trivial annotations 2006-12-02 21:21:25 -08:00
netlabel [NETLABEL]: Fix build failure. 2006-11-05 16:44:06 -08:00
netlink [NET]: fix uaccess handling 2006-10-30 15:24:41 -08:00
netrom [NETROM] lockdep: fix false positive 2006-07-12 13:59:02 -07:00
packet [AF_PACKET]: annotate 2006-12-02 21:21:24 -08:00
rose [ROSE] lockdep: fix false positive 2006-07-12 13:58:59 -07:00
rxrpc [PATCH] kmemdup: some users 2006-10-01 00:39:19 -07:00
sched [PKT_SCHED] sch_htb: Use hlist_del_init(). 2006-11-07 15:10:12 -08:00
sctp [IPV6]: 'info' argument of ipv6 ->err_handler() is net-endian 2006-12-02 21:21:12 -08:00
sunrpc [SUNRPC]: annotate hash_ip() 2006-12-02 21:21:16 -08:00
tipc [TIPC]: endianness annotations 2006-12-02 21:21:08 -08:00
unix [AF_UNIX]: Change max_dgram_qlen sysctl to __read_mostly 2006-09-22 15:18:42 -07:00
wanrouter Fix misc .c/.h comment typos 2006-11-30 05:24:39 +01:00
x25 Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
xfrm SELinux: Fix SA selection semantics 2006-12-02 21:21:34 -08:00
compat.c [NET]: File descriptor loss while receiving SCM_RIGHTS 2006-10-11 23:59:48 -07:00
Kconfig [NETLABEL]: Fix build failure. 2006-11-05 16:44:06 -08:00
Makefile [NetLabel]: core NetLabel subsystem 2006-09-22 14:53:34 -07:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c [PATCH] file: modify struct fown_struct to use a struct pid 2006-10-02 07:57:14 -07:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00