author: Linus Torvalds <torvalds@linux-foundation.org> 2009-03-28 20:30:42 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2009-03-28 20:30:42 -0400
commit: 7541bba880fb6989f489f0c68fa246a375b44035 (patch)
tree: 19ce55af8e8732aa61cb8db529cf2304d9d738b5 /Documentation
parent: 795e2fe0a3b69dbc040d7efcf517e0cbad6901d0 (diff)
parent: 4303154e86597885bc3cbc178a48ccbc8213875f (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  smack: Add a new '-CIPSO' option to the network address label configuration
  netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections
  lsm: Remove the socket_post_accept() hook
  selinux: Remove the "compat_net" compatibility code
  netlabel: Label incoming TCP connections correctly in SELinux
  lsm: Relocate the IPv4 security_inet_conn_request() hooks
  TOMOYO: Fix a typo.
  smack: convert smack to standard linux lists
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/Smack.txt | 42
-rw-r--r-- Documentation/feature-removal-schedule.txt | 11
-rw-r--r-- Documentation/kernel-parameters.txt | 9
3 files changed, 37 insertions, 25 deletions
diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt
index 989c2fcd8111..629c92e99783 100644
--- a/Documentation/Smack.txt
+++ b/Documentation/Smack.txt
@@ -184,14 +184,16 @@ length. Single character labels using special characters, that being anything
184other than a letter or digit, are reserved for use by the Smack development 184other than a letter or digit, are reserved for use by the Smack development
185team. Smack labels are unstructured, case sensitive, and the only operation 185team. Smack labels are unstructured, case sensitive, and the only operation
186ever performed on them is comparison for equality. Smack labels cannot 186ever performed on them is comparison for equality. Smack labels cannot
187contain unprintable characters or the "/" (slash) character. 187contain unprintable characters or the "/" (slash) character. Smack labels
188cannot begin with a '-', which is reserved for special options.
188 189
189There are some predefined labels: 190There are some predefined labels:
190 191
191 _ Pronounced "floor", a single underscore character. 192 _ Pronounced "floor", a single underscore character.
192 ^ Pronounced "hat", a single circumflex character. 193 ^ Pronounced "hat", a single circumflex character.
193 * Pronounced "star", a single asterisk character. 194 * Pronounced "star", a single asterisk character.
194 ? Pronounced "huh", a single question mark character. 195 ? Pronounced "huh", a single question mark character.
196 @ Pronounced "Internet", a single at sign character.
195 197
196Every task on a Smack system is assigned a label. System tasks, such as 198Every task on a Smack system is assigned a label. System tasks, such as
197init(8) and systems daemons, are run with the floor ("_") label. User tasks 199init(8) and systems daemons, are run with the floor ("_") label. User tasks
@@ -412,6 +414,36 @@ sockets.
412 A privileged program may set this to match the label of another 414 A privileged program may set this to match the label of another
413 task with which it hopes to communicate. 415 task with which it hopes to communicate.
414 416
417Smack Netlabel Exceptions
418
419You will often find that your labeled application has to talk to the outside,
420unlabeled world. To do this there's a special file /smack/netlabel where you can
421add some exceptions in the form of :
422@IP1 LABEL1 or
423@IP2/MASK LABEL2
424
425It means that your application will have unlabeled access to @IP1 if it has
426write access on LABEL1, and access to the subnet @IP2/MASK if it has write
427access on LABEL2.
428
429Entries in the /smack/netlabel file are matched by longest mask first, like in
430classless IPv4 routing.
431
432A special label '@' and an option '-CIPSO' can be used there :
433@ means Internet, any application with any label has access to it
434-CIPSO means standard CIPSO networking
435
436If you don't know what CIPSO is and don't plan to use it, you can just do :
437echo 127.0.0.1 -CIPSO > /smack/netlabel
438echo 0.0.0.0/0 @ > /smack/netlabel
439
440If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
441Internet access, you can have :
442echo 127.0.0.1 -CIPSO > /smack/netlabel
443echo 192.168.0.0/16 -CIPSO > /smack/netlabel
444echo 0.0.0.0/0 @ > /smack/netlabel
445
446
415Writing Applications for Smack 447Writing Applications for Smack
416 448
417There are three sorts of applications that will run on a Smack system. How an 449There are three sorts of applications that will run on a Smack system. How an
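Review bot: The entry syntax is given as "@IP1 LABEL1" and "@IP2/MASK LABEL2", but the worked examples write the address with no leading '@' ("echo 127.0.0.1 -CIPSO > /smack/netlabel", "echo 0.0.0.0/0 @ > /smack/netlabel"); since '@' is also the Internet label introduced by this patch, the '@' in the syntax lines reads as part of the format and should either be dropped or explained as a placeholder prefix. "if it has write access on LABEL1" should also be spelled out in Smack terms, i.e. the task's own label must have write access to LABEL1 under the loaded access rules, which is what makes the exception selective per label. The second example ends with "echo 0.0.0.0/0 @ > /smack/netlabel", which grants every task unlabeled access to every address not matched by a more specific entry; the text should say plainly that this is the permissive catch-all and that the longest-mask rule is what makes the 127.0.0.1 and 192.168.0.0/16 -CIPSO entries win over it regardless of the order the echoes are run in. Minor style: two consecutive blank lines precede "Writing Applications for Smack" where the file otherwise uses one.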
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 7907586c6e08..1135996bec8b 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -356,17 +356,6 @@ Who: Hans de Goede <hdegoede@redhat.com>
356 356
357--------------------------- 357---------------------------
358 358
359What: SELinux "compat_net" functionality
360When: 2.6.30 at the earliest
361Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
362 network access control functionality of SELinux. Secmark offers both
363 better performance and greater flexibility than the "compat_net"
364 mechanism. Now that the major Linux distributions have moved to
365 Secmark, it is time to deprecate the older mechanism and start the
366 process of removing the old code.
367Who: Paul Moore <paul.moore@hp.com>
368---------------------------
369
370What: sysfs ui for changing p4-clockmod parameters 359What: sysfs ui for changing p4-clockmod parameters
371When: September 2009 360When: September 2009
372Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and 361Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
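Review bot: Deleting the "SELinux compat_net" schedule entry is only right if the code goes in the same merge; the merge summary above does list 'selinux: Remove the "compat_net" compatibility code', so that holds. What is lost with the entry is its rationale (Secmark introduced in 2.6.18 as the replacement, now adopted by the major distributions), which is the one sentence a user of the legacy packet controls needs when migrating; suggest carrying that rationale into the SELinux documentation or the relevant Kconfig help rather than letting it disappear with the schedule entry.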
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index d1e2fcb6298b..be3bde51b564 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2030,15 +2030,6 @@ and is between 256 and 4096 characters. It is defined in the file
2030 If enabled at boot time, /selinux/disable can be used 2030 If enabled at boot time, /selinux/disable can be used
2031 later to disable prior to initial policy load. 2031 later to disable prior to initial policy load.
2032 2032
2033 selinux_compat_net =
2034 [SELINUX] Set initial selinux_compat_net flag value.
2035 Format: { "0" | "1" }
2036 0 -- use new secmark-based packet controls
2037 1 -- use legacy packet controls
2038 Default value is 0 (preferred).
2039 Value can be changed at runtime via
2040 /selinux/compat_net.
2041
2042 serialnumber [BUGS=X86-32] 2033 serialnumber [BUGS=X86-32]
2043 2034
2044 shapers= [NET] 2035 shapers= [NET]
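Review bot: Removing the "selinux_compat_net =" entry takes away the only documentation of the legacy packet-control switch and of its runtime counterpart "/selinux/compat_net", but nothing in the hunk tells an administrator who still boots with selinux_compat_net=1 what now happens (whether the parameter is rejected, ignored, or the secmark path simply applies). Suggest a one-line transitional note here or in the SELinux documentation stating what the kernel now does with that parameter and that the secmark-based controls (the previous default of 0) are the only remaining behaviour.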