67f83cbf08
Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the socket's.
With this patch applied, the SELinux policy will require one or more of the
following for a socket to be able to communicate with/without SAs:
1. To enable a socket to communicate without using labeled-IPSec SAs:
allow socket_t unlabeled_t:association { sendto recvfrom }
2. To enable a socket to communicate with labeled-IPSec SAs:
allow socket_t self:association { sendto };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
|
||
|---|---|---|
| .. | ||
| av_inherit.h | ||
| av_perm_to_string.h | ||
| av_permissions.h | ||
| avc.h | ||
| avc_ss.h | ||
| class_to_string.h | ||
| common_perm_to_string.h | ||
| conditional.h | ||
| flask.h | ||
| initial_sid_to_string.h | ||
| netif.h | ||
| objsec.h | ||
| security.h | ||
| selinux_netlabel.h | ||
| xfrm.h | ||