linux/security
Paul Moore 9faf65fb6e SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel
is in use.  The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as "netlabel_peer_t"):

 allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

The policy for unlabeled traffic would be:

 allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

These policy changes, as well as more general NetLabel support, are included
in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
2007-07-11 22:52:31 -04:00
..
keys [AF_RXRPC]: Key facility changes for AF_RXRPC 2007-04-26 15:46:23 -07:00
selinux SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel 2007-07-11 22:52:31 -04:00
capability.c header cleaning: don't include smp_lock.h when not used 2007-05-08 11:15:07 -07:00
commoncap.c header cleaning: don't include smp_lock.h when not used 2007-05-08 11:15:07 -07:00
dummy.c security: Protection for exploiting null dereference using mmap 2007-07-11 22:52:29 -04:00
inode.c remove "struct subsystem" as it is no longer needed 2007-05-02 18:57:59 -07:00
Kconfig [PATCH] LSM: remove BSD secure level security module 2006-09-29 09:18:10 -07:00
Makefile [PATCH] LSM: remove BSD secure level security module 2006-09-29 09:18:10 -07:00
root_plug.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
security.c security: Protection for exploiting null dereference using mmap 2007-07-11 22:52:29 -04:00