SELinux: Fix SA selection semantics
Fix the selection of an SA for an outgoing packet to be at the same context as the originating socket/flow. This eliminates the SELinux policy's ability to use/sendto SAs with contexts other than the socket's.

With this patch applied, the SELinux policy will require one or more of the following for a socket to be able to communicate with/without SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

   allow socket_t unlabeled_t:association { sendto recvfrom }

2. To enable a socket to communicate with labeled-IPSec SAs:

   allow socket_t self:association { sendto };
   allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
Showing 6 changed files:
- include/linux/security.h (0 additions, 19 deletions)
- net/xfrm/xfrm_policy.c (2 additions, 1 deletion)
- security/dummy.c (0 additions, 7 deletions)
- security/selinux/hooks.c (17 additions, 9 deletions)
- security/selinux/include/xfrm.h (2 additions, 5 deletions)
- security/selinux/xfrm.c (49 additions, 52 deletions)