{
  "log": [
    {
      "commit": "389fb800ac8be2832efedd19978a2b8ced37eb61",
      "tree": "fa0bc16050dfb491aa05f76b54fa4c167de96376",
      "parents": [
        "284904aa79466a4736f4c775fdbe5c7407fa136c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Mar 27 17:10:34 2009 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Mar 28 15:01:36 2009 +1100"
      },
      "message": "netlabel: Label incoming TCP connections correctly in SELinux\n\nThe current NetLabel/SELinux behavior for incoming TCP connections works but\nonly through a series of happy coincidences that rely on the limited nature of\nstandard CIPSO (only able to convey MLS attributes) and the write equality\nimposed by the SELinux MLS constraints.  The problem is that network sockets\ncreated as the result of an incoming TCP connection were not on-the-wire\nlabeled based on the security attributes of the parent socket but rather based\non the wire label of the remote peer.  The issue had to do with how IP options\nwere managed as part of the network stack and where the LSM hooks were in\nrelation to the code which set the IP options on these newly created child\nsockets.  While NetLabel/SELinux did correctly set the socket\u0027s on-the-wire\nlabel it was promptly cleared by the network stack and reset based on the IP\noptions of the remote peer.\n\nThis patch, in conjunction with a prior patch that adjusted the LSM hook\nlocations, works to set the correct on-the-wire label format for new incoming\nconnections through the security_inet_conn_request() hook.  Besides the\ncorrect behavior there are many advantages to this change, the most significant\nis that all of the NetLabel socket labeling code in SELinux now lives in hooks\nwhich can return error codes to the core stack which allows us to finally get\nrid of the selinux_netlbl_inode_permission() logic which greatly simplifies\nthe NetLabel/SELinux glue code.  In the process of developing this patch I\nalso ran into a small handful of AF_INET6 cleanliness issues that have been\nfixed which should make the code safer and easier to extend in the future.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02",
      "tree": "1557550ed6478a38cc04ad480a5977580d97b5cd",
      "parents": [
        "778ef1e6cbb049c9bcbf405936ee6f2b6e451892"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 27 15:00:03 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Mar 02 09:30:04 2009 +1100"
      },
      "message": "selinux: Fix a panic in selinux_netlbl_inode_permission()\n\nRick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()\ncaused by a certain sequence of SUNRPC operations.  The problem appears to be\ndue to the lack of NULL pointer checking in the function; this patch adds the\npointer checks so the function will exit safely in the cases where the socket\nis not completely initialized.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "09c50b4a52c01a1f450b8eec819089e228655bfb",
      "tree": "d97bcaf9544e58a8a6bc6aeb40ca9793411d3e79",
      "parents": [
        "586c25003707067f074043d80fb2071671c58db0"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Feb 20 16:33:02 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 10:05:55 2009 +1100"
      },
      "message": "selinux: Fix the NetLabel glue code for setsockopt()\n\nAt some point we (okay, I) managed to break the ability for users to use the\nsetsockopt() syscall to set IPv4 options when NetLabel was not active on the\nsocket in question.  The problem was noticed by someone trying to use the\n\"-R\" (record route) option of ping:\n\n # ping -R 10.0.0.1\n ping: record route: No message of desired type\n\nThe solution is relatively simple, we catch the unlabeled socket case and\nclear the error code, allowing the operation to succeed.  Please note that we\nstill deny users the ability to override IPv4 options on sockets which have\nNetLabel labeling active; this is done to ensure the labeling remains intact.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6c5b3fc0147f79d714d2fe748b5869d7892ef2e7",
      "tree": "2cff691b2d4da2afd69660cb4ee647f6b553cdf9",
      "parents": [
        "014ab19a69c325f52d7bae54ceeda73d6307ae0c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Cache NetLabel secattrs in the socket\u0027s security struct\n\nPrevious work enabled the use of address based NetLabel selectors, which\nwhile highly useful, brought the potential for additional per-packet overhead\nwhen used.  This patch attempts to mitigate some of that overhead by caching\nthe NetLabel security attribute struct within the SELinux socket security\nstructure.  This should help eliminate the need to recreate the NetLabel\nsecattr structure for each packet resulting in less overhead.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "014ab19a69c325f52d7bae54ceeda73d6307ae0c",
      "tree": "8a69c490accb7d5454bdfeb8c078d846729aeb60",
      "parents": [
        "948bf85c1bc9a84754786a9d5dd99b7ecc46451e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:33 2008 -0400"
      },
      "message": "selinux: Set socket NetLabel based on connection endpoint\n\nPrevious work enabled the use of address based NetLabel selectors, which while\nhighly useful, brought the potential for additional per-packet overhead when\nused.  This patch attempts to solve that by applying NetLabel socket labels\nwhen sockets are connect()\u0027d.  This should alleviate the per-packet NetLabel\nlabeling for all connected sockets (yes, it even works for connected DGRAM\nsockets).\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "948bf85c1bc9a84754786a9d5dd99b7ecc46451e",
      "tree": "a4706be1f4a5a37408774ef3c4cab8cf2e7775b5",
      "parents": [
        "63c41688743760631188cf0f4ae986a6793ccb0a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:32 2008 -0400"
      },
      "message": "netlabel: Add functionality to set the security attributes of a packet\n\nThis patch builds upon the new NetLabel address selector functionality by\nproviding the NetLabel KAPI and CIPSO engine support needed to enable the\nnew packet-based labeling.  The only new addition to the NetLabel KAPI at\nthis point is shown below:\n\n * int netlbl_skbuff_setattr(skb, family, secattr)\n\n... and is designed to be called from a Netfilter hook after the packet\u0027s\nIP header has been populated such as in the FORWARD or LOCAL_OUT hooks.\n\nThis patch also provides the necessary SELinux hooks to support this new\nfunctionality.  Smack support is not currently included due to uncertainty\nregarding the permissions needed to expand the Smack network access controls.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dfaebe9825ff34983778f287101bc5f3bce00640",
      "tree": "4dccdcdcecd57fc8bfc083ff30d9e0ecb2e7ecba",
      "parents": [
        "99d854d231ce141850b988bdc7e2e7c78f49b03a"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:31 2008 -0400"
      },
      "message": "selinux: Fix missing calls to netlbl_skbuff_err()\n\nAt some point I think I messed up and dropped the calls to netlbl_skbuff_err()\nwhich are necessary for CIPSO to send error notifications to remote systems.\nThis patch re-introduces the error handling calls into the SELinux code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "accc609322ef5ed44cba6d2d70c741afc76385fb",
      "tree": "4a86c08a2fad7302b14e0f419b5e6bd11111330f",
      "parents": [
        "561967010edef40f539dacf2aa125e20773ab40b"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "committer": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Oct 10 10:16:29 2008 -0400"
      },
      "message": "selinux: Cleanup the NetLabel glue code\n\nWe were doing a lot of extra work in selinux_netlbl_sock_graft() that wasn\u0027t\nnecessary so this patch removes that code.  It also removes the redundant\nsecond argument to selinux_netlbl_sock_setsid() which allows us to simplify a\nfew other functions.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a6aaafeecca7ea1ddb5d7dac09e468ae14751fcd",
      "tree": "15b33a43a2d6335b2d7c72b131e614d547f7f195",
      "parents": [
        "338366cbba686a06f9e17f33c31d533901e8639f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Apr 18 17:38:23 2008 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Apr 21 19:05:04 2008 +1000"
      },
      "message": "SELinux: netlabel.c whitespace, syntax, and static declaration cleanups\n\nThis patch changes netlabel.c to fix whitespace and syntax issues.  Things that\nare fixed may include (does not have to include)\n\nwhitespace at end of lines\nspaces followed by tabs\nspaces used instead of tabs\nspacing around parenthesis\nlocation of { around struct and else clauses\nlocation of * in pointer declarations\nremoval of initialization of static data to keep it in the right section\nuseless {} in if statements\nuseless checking for NULL before kfree\nfixing of the indentation depth of switch statements\nand any number of other things I forgot to mention\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d4ee4231a3a8731576ef0e0a7e1225e4fde1e659",
      "tree": "c7d265135f1cbfabf7eaa8bb31bcc56120d2e022",
      "parents": [
        "454d972c24e6efce3d7b07a97f1ad18b14845de9"
      ],
      "author": {
        "name": "Adrian Bunk",
        "email": "bunk@kernel.org",
        "time": "Wed Feb 27 23:20:42 2008 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:06 2008 +1000"
      },
      "message": "selinux: selinux/netlabel.c should #include \"netlabel.h\"\n\nEvery file should include the headers containing the externs for its\nglobal code.\n\nSigned-off-by: Adrian Bunk \u003cbunk@kernel.org\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f74af6e816c940c678c235d49486fe40d7e49ce9",
      "tree": "06f2fa54bd7ceabac2ad29a6ab0aca1deb87c032",
      "parents": [
        "4b119e21d0c66c22e8ca03df05d9de623d0eb50f"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Mon Feb 25 11:40:33 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 18 20:26:03 2008 +1000"
      },
      "message": "SELinux: Correct the NetLabel locking for the sk_security_struct\n\nThe RCU/spinlock locking approach for the nlbl_state in the sk_security_struct\nwas almost certainly overkill.  This patch removes both the RCU and spinlock\nlocking, relying on the existing socket locks to handle the case of multiple\nwriters.  This change also makes several code reductions possible.\n\nLess locking, less code - it\u0027s a Good Thing.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5dbe1eb0cfc144a2b0cb1466e22bcb6fc34229a8",
      "tree": "e1e028acaf0dd08cbcacd2c125f60230f820b442",
      "parents": [
        "d621d35e576aa20a0ddae8022c3810f38357c8ff"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:44:18 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:27 2008 +1100"
      },
      "message": "SELinux: Allow NetLabel to directly cache SIDs\n\nNow that the SELinux NetLabel \"base SID\" is always the netmsg initial SID we\ncan do a big optimization - caching the SID and not just the MLS attributes.\nThis not only saves a lot of per-packet memory allocations and copies but it\nhas a nice side effect of removing a chunk of code.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "220deb966ea51e0dedb6a187c0763120809f3e64",
      "tree": "7d0e5dd8048907c364b4eeff294991937b466c7e",
      "parents": [
        "f67f4f315f31e7907779adb3296fb6682e755342"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:23 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:25 2008 +1100"
      },
      "message": "SELinux: Better integration between peer labeling subsystems\n\nRework the handling of network peer labels so that the different peer labeling\nsubsystems work better together.  This includes moving both subsystems to a\nsingle \"peer\" object class which involves not only changes to the permission\nchecks but an improved method of consolidating multiple packet peer labels.\nAs part of this work the inbound packet permission check code has been heavily\nmodified to handle both the old and new behavior in as sane a fashion as\npossible.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "75e22910cf0c26802b09dac2e34c13e648d3ed02",
      "tree": "bf5f5c62f6db8a3057a0265dc7748bf310d26d4a",
      "parents": [
        "16efd45435fa695b501b7f73c3259bd7c77cc12c"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 29 08:38:04 2008 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 30 08:17:20 2008 +1100"
      },
      "message": "NetLabel: Add IP address family information to the netlbl_skbuff_getattr() function\n\nIn order to do any sort of IP header inspection of incoming packets we need to\nknow which address family, AF_INET/AF_INET6/etc., it belongs to and since the\nsk_buff structure does not store this information we need to pass along the\naddress family separate from the packet itself.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "45c950e0f839fded922ebc0bfd59b1081cc71b70",
      "tree": "97ca2840c63c0c646daf6b13420157237a3fcbec",
      "parents": [
        "a7da60f41551abb3c520b03d42ec05dd7decfc7f"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Tue Jan 22 09:31:00 2008 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jan 22 09:31:00 2008 +1100"
      },
      "message": "selinux: fix memory leak in netlabel code\n\nFix a memory leak in security_netlbl_sid_to_secattr() as reported here:\n * https://bugzilla.redhat.com/show_bug.cgi?id\u003d352281\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9534f71ca33e5a9de26dfd43c76af86e005005dd",
      "tree": "344444735f541f79ed98cc38fa9040bc018ec66e",
      "parents": [
        "1ed4395035a6791ebbbf618429a58ab9c207cc83"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Mon Jul 30 16:33:26 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 02 11:52:21 2007 -0400"
      },
      "message": "SELinux: restore proper NetLabel caching behavior\n\nA small fix to the SELinux/NetLabel glue code to ensure that the NetLabel\ncache is utilized when possible.  This was broken when the SELinux/NetLabel\nglue code was reorganized in the last kernel release.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by:  Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f36158c410651fe66f438c17b2ab3ae813f8c060",
      "tree": "644e57a36d918fe2b2fcdd2f59daffb847cd8d36",
      "parents": [
        "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Wed Jul 18 12:28:46 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jul 19 10:21:13 2007 -0400"
      },
      "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel is\nin use.  The changes to the policy are straightforward with the following\nnecessary to receive labeled traffic (with SECINITSID_NETMSG defined as\n\"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included in\nthe latest SELinux Reference Policy release 20070629 or later.  Users who make\nuse of NetLabel are strongly encouraged to upgrade their policy to avoid\nnetwork problems.  Users who do not make use of NetLabel will not notice any\ndifference.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "23bcdc1adebd3cb47d5666f2e9ecada95c0134e4",
      "tree": "71caf0ac9fa86e4a9cf423d968a2486656c2e196",
      "parents": [
        "589f1e81bde732dd0b1bc5d01b6bddd4bcb4527b"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Wed Jul 18 12:28:45 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jul 19 10:21:11 2007 -0400"
      },
      "message": "SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement\n\nCreate a new NetLabel KAPI interface, netlbl_enabled(), which reports on the\ncurrent runtime status of NetLabel based on the existing configuration.  LSMs\nthat make use of NetLabel, i.e. SELinux, can use this new function to determine\nif they should perform NetLabel access checks.  This patch changes the\nNetLabel/SELinux glue code such that SELinux only enforces NetLabel related\naccess checks when netlbl_enabled() returns true.\n\nAt present NetLabel is considered to be enabled when there is at least one\nlabeled protocol configuration present.  The result is that by default NetLabel\nis considered to be disabled, however, as soon as an administrator configured\na CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing\nNetLabel related access controls - including unlabeled packet controls.\n\nThis patch also tries to consolidate the multiple \"#ifdef CONFIG_NETLABEL\"\nblocks into a single block to ease future review as recommended by Linus.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8d9107e8c50e1c4ff43c91c8841805833f3ecfb9",
      "tree": "abc57f38cf659d4031d5a9915a088f2c47b2cc7e",
      "parents": [
        "16cefa8c3863721fd40445a1b34dea18cd16ccfe"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Fri Jul 13 16:53:18 2007 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Fri Jul 13 16:53:18 2007 -0700"
      },
      "message": "Revert \"SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\"\n\nThis reverts commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0.\n\nIt bit people like Michal Piotrowski:\n\n  \"My system is too secure, I can not login :)\"\n\nbecause it changed how CONFIG_NETLABEL worked, and broke older SElinux\npolicies.\n\nAs a result, quoth James Morris:\n\n  \"Can you please revert this patch?\n\n   We thought it only affected people running MLS, but it will affect others.\n\n   Sorry for the hassle.\"\n\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: Michal Piotrowski \u003cmichal.k.k.piotrowski@gmail.com\u003e\nCc: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0",
      "tree": "ee167dc8c575dee062cdaf91d0b60a5997bba0c3",
      "parents": [
        "ed0321895182ffb6ecf210e066d87911b270d587"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Fri Jun 29 11:48:16 2007 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jul 11 22:52:31 2007 -0400"
      },
      "message": "SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel\n\nThese changes will make NetLabel behave like labeled IPsec where there is an\naccess check for both labeled and unlabeled packets as well as providing the\nability to restrict domains to receiving only labeled packets when NetLabel\nis in use.  The changes to the policy are straightforward with the\nfollowing necessary to receive labeled traffic (with SECINITSID_NETMSG\ndefined as \"netlabel_peer_t\"):\n\n allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThe policy for unlabeled traffic would be:\n\n allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;\n\nThese policy changes, as well as more general NetLabel support, are included\nin the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable\nNetLabel support in the kernel are strongly encouraged to upgrade their\npolicy to avoid network problems.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ba6ff9f2b5c6018b293bd21083ffaa5ad710e671",
      "tree": "7a868d3a1948ab9e1aaf7b6e64e114e0f790370d",
      "parents": [
        "6363097cc4d182f93788131b5d8f72aa91d950a0"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Thu Jun 07 18:37:15 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Fri Jun 08 13:33:09 2007 -0700"
      },
      "message": "[NetLabel]: consolidate the struct socket/sock handling to just struct sock\n\nThe current NetLabel code has some redundant APIs which allow both\n\"struct socket\" and \"struct sock\" types to be used; this may have made\nsense at some point but it is wasteful now.  Remove the functions that\noperate on sockets and convert the callers.  Not only does this make\nthe code smaller and more consistent but it pushes the locking burden\nup to the caller which can be more intelligent about the locks.  Also,\nperform the same conversion (socket to sock) on the SELinux/NetLabel\nglue code where it makes sense.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "5778eabd9cdbf16ea3e40248c452b4fd25554d11",
      "tree": "a488fd5fc07c01b93fe38621888cc50c64cfc0a1",
      "parents": [
        "128c6b6cbffc8203e13ea5712a8aa65d2ed82e4e"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Wed Feb 28 15:14:22 2007 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Apr 26 01:35:48 2007 -0400"
      },
      "message": "SELinux: extract the NetLabel SELinux support from the security server\n\nUp until this patch the functions which have provided NetLabel support to\nSELinux have been integrated into the SELinux security server, which for\nvarious reasons is not really ideal.  This patch makes an effort to extract as\nmuch of the NetLabel support from the security server as possible and move it\ninto its own file within the SELinux directory structure.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ]
}
