[SECMARK]: Add new packet controls to SELinux

Add new per-packet access controls to SELinux, replacing the old packet controls. Packets are labeled with the iptables SECMARK and CONNSECMARK targets, then security policy for the packets is enforced with these controls. To allow for a smooth transition to the new controls, the old code is still present, but not active by default. To restore previous behavior, the old controls may be activated at runtime by writing a '1' to /selinux/compat_net, and also via the kernel boot parameter selinux_compat_net. Switching between the network control models requires the security load_policy permission. The old controls will probably eventually be removed and any continued use is discouraged. With this patch, the new secmark controls for SElinux are disabled by default, so existing behavior is entirely preserved, and the user is not affected at all. It also provides a config option to enable the secmark controls by default (which can always be overridden at boot and runtime). It is also noted in the kconfig help that the user will need updated userspace if enabling secmark controls for SELinux and that they'll probably need the SECMARK and CONNMARK targets, and conntrack protocol helpers, although such decisions are beyond the scope of kernel configuration. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: James Morris <jmorris@namei.org> 2006-06-09 03:33:33 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:30:05 -0400
commit: 4e5ab4cb85683cf77b507ba0c4d48871e1562305 (patch)
tree: aef7ba8b6050fcaccbaf0d05f8e5ba860a143eaf /Documentation
parent: 100468e9c05c10fb6872751c1af523b996d6afa9 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index b3a6187e5305..a9d3a1794b23 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1402,6 +1402,15 @@ running once the system is up.
                        If enabled at boot time, /selinux/disable can be used
                        later to disable prior to initial policy load.
+        selinux_compat_net =
+                        [SELINUX] Set initial selinux_compat_net flag value.
+                        Format: { "0" | "1" }
+                        0 -- use new secmark-based packet controls
+                        1 -- use legacy packet controls
+                        Default value is 0 (preferred).
+                        Value can be changed at runtime via
+                        /selinux/compat_net.
        serialnumber    [BUGS=IA-32]
        sg_def_reserved_size=   [SCSI]
author	James Morris <jmorris@namei.org>	2006-06-09 03:33:33 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:30:05 -0400
commit	4e5ab4cb85683cf77b507ba0c4d48871e1562305 (patch)
tree	aef7ba8b6050fcaccbaf0d05f8e5ba860a143eaf /Documentation
parent	100468e9c05c10fb6872751c1af523b996d6afa9 (diff)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index b3a6187e5305..a9d3a1794b23 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt
@@ -1402,6 +1402,15 @@ running once the system is up.
1402	If enabled at boot time, /selinux/disable can be used	1402	If enabled at boot time, /selinux/disable can be used
1403	later to disable prior to initial policy load.	1403	later to disable prior to initial policy load.
1404		1404
		1405	selinux_compat_net =
		1406	[SELINUX] Set initial selinux_compat_net flag value.
		1407	Format: { "0" \| "1" }
		1408	0 -- use new secmark-based packet controls
		1409	1 -- use legacy packet controls
		1410	Default value is 0 (preferred).
		1411	Value can be changed at runtime via
		1412	/selinux/compat_net.
		1413
1405	serialnumber [BUGS=IA-32]	1414	serialnumber [BUGS=IA-32]
1406		1415
1407	sg_def_reserved_size= [SCSI]	1416	sg_def_reserved_size= [SCSI]