diff options
| author | Paul Moore <paul.moore@hp.com> | 2008-12-31 12:54:11 -0500 |
|---|---|---|
| committer | Paul Moore <paul.moore@hp.com> | 2008-12-31 12:54:11 -0500 |
| commit | 277d342fc423fca5e66e677fe629d1b2f8f1b9e2 (patch) | |
| tree | 733f8694020df6ff8d9e21e2419b0df71aeb4351 /security/selinux/selinuxfs.c | |
| parent | 6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07 (diff) | |
selinux: Deprecate and schedule the removal of the the compat_net functionality
This patch is the first step towards removing the old "compat_net" code from
the kernel. Secmark, the "compat_net" replacement was first introduced in
2.6.18 (September 2006) and the major Linux distributions with SELinux support
have transitioned to Secmark so it is time to start deprecating the "compat_net"
mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of
Fedora Core 5 did not show any problems when running in enforcing mode.
This patch adds an entry to the feature-removal-schedule.txt file and removes
the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
Secmark on by default although it can still be disabled at runtime. The patch
also makes the Secmark permission checks "dynamic" in the sense that they are
only executed when Secmark is configured; this should help prevent problems
with older distributions that have not yet migrated to Secmark.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/selinuxfs.c')
| -rw-r--r-- | security/selinux/selinuxfs.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index c86303638235..77fb3c8d9267 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -47,13 +47,7 @@ static char *policycap_names[] = { | |||
| 47 | 47 | ||
| 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; | 48 | unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; |
| 49 | 49 | ||
| 50 | #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT | 50 | int selinux_compat_net = 0; |
| 51 | #define SELINUX_COMPAT_NET_VALUE 0 | ||
| 52 | #else | ||
| 53 | #define SELINUX_COMPAT_NET_VALUE 1 | ||
| 54 | #endif | ||
| 55 | |||
| 56 | int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; | ||
| 57 | 51 | ||
| 58 | static int __init checkreqprot_setup(char *str) | 52 | static int __init checkreqprot_setup(char *str) |
| 59 | { | 53 | { |
| @@ -494,7 +488,13 @@ static ssize_t sel_write_compat_net(struct file *file, const char __user *buf, | |||
| 494 | if (sscanf(page, "%d", &new_value) != 1) | 488 | if (sscanf(page, "%d", &new_value) != 1) |
| 495 | goto out; | 489 | goto out; |
| 496 | 490 | ||
| 497 | selinux_compat_net = new_value ? 1 : 0; | 491 | if (new_value) { |
| 492 | printk(KERN_NOTICE | ||
| 493 | "SELinux: compat_net is deprecated, please use secmark" | ||
| 494 | " instead\n"); | ||
| 495 | selinux_compat_net = 1; | ||
| 496 | } else | ||
| 497 | selinux_compat_net = 0; | ||
| 498 | length = count; | 498 | length = count; |
| 499 | out: | 499 | out: |
| 500 | free_page((unsigned long) page); | 500 | free_page((unsigned long) page); |