SELinux: Better integration between peer labeling subsystems Rework the handling of network peer labels so that the different peer labeling subsystems work better together. This includes moving both subsystems to a single "peer" object class which involves not only changes to the permission checks but an improved method of consolidating multiple packet peer labels. As part of this work the inbound packet permission check code has been heavily modified to handle both the old and new behavior in as sane a fashion as possible. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 220deb966ea51e0dedb6a187c0763120809f3e64 [log] [tgz]
author: Paul Moore <paul.moore@hp.com> Tue Jan 29 08:38:23 2008 -0500
committer: James Morris <jmorris@namei.org> Wed Jan 30 08:17:25 2008 +1100
tree: 7d0e5dd8048907c364b4eeff294991937b466c7e
parent: f67f4f315f31e7907779adb3296fb6682e755342 [diff] [blame]
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 272769a..c8c05a6 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h

@@ -49,6 +49,7 @@
 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 				 u16 family,
 				 u32 base_sid,
+				 u32 *type,
 				 u32 *sid);
 
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
@@ -89,8 +90,10 @@
 static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 					       u16 family,
 					       u32 base_sid,
+					       u32 *type,
 					       u32 *sid)
 {
+	*type = NETLBL_NLTYPE_NONE;
 	*sid = SECSID_NULL;
 	return 0;
 }
commit	220deb966ea51e0dedb6a187c0763120809f3e64	[log] [tgz]
author	Paul Moore <paul.moore@hp.com>	Tue Jan 29 08:38:23 2008 -0500
committer	James Morris <jmorris@namei.org>	Wed Jan 30 08:17:25 2008 +1100
tree	7d0e5dd8048907c364b4eeff294991937b466c7e
parent	f67f4f315f31e7907779adb3296fb6682e755342 [diff] [blame]