authorJames Morris <jmorris@namei.org>2006-06-09 03:27:28 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-06-18 00:29:53 -0400
commit29a395eac4c320c570e73f0a90d8953d80da8359 (patch)
tree9d34d7987754004e76de76d3f9facbee804779b7 /security
parent3e3ff15e6d8ba931fa9a6c7f9fe711edc77e96e5 (diff)
[SECMARK]: Add new flask definitions to SELinux
Secmark implements a new scheme for adding security markings to packets via iptables, as well as changes to SELinux to use these markings for security policy enforcement. The rationale for this scheme is explained and discussed in detail in the original threads: http://thread.gmane.org/gmane.linux.network/34927/ http://thread.gmane.org/gmane.linux.network/35244/ Examples of policy and rulesets, as well as a full archive of patches for iptables and SELinux userland, may be found at: http://people.redhat.com/jmorris/selinux/secmark/ The code has been tested with various compilation options and in several scenarios, including with 'complicated' protocols such as FTP and also with the new generic conntrack code with IPv6 connection tracking. This patch: Add support for a new object class ('packet'), and associated permissions ('send', 'recv', 'relabelto'). These are used to enforce security policy for network packets labeled with SECMARK, and for adding labeling rules. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/include/av_perm_to_string.h3
-rw-r--r--security/selinux/include/av_permissions.h3
-rw-r--r--security/selinux/include/class_to_string.h1
-rw-r--r--security/selinux/include/flask.h1
4 files changed, 8 insertions, 0 deletions
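--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -239,3 +239,6 @@
  S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
  S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
  S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+ S_(SECCLASS_PACKET, PACKET__SEND, "send")
+ S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+ S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")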
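--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -956,3 +956,6 @@
 #define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
 #define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
 
+#define PACKET__SEND 0x00000001UL
+#define PACKET__RECV 0x00000002UL
+#define PACKET__RELABELTO 0x00000004UL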
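Review bot: The three PACKET__* constants are added without any note that their bit positions are a contract with userland: the loaded policy's access_vectors entry for the packet class has to list send, recv and relabelto in exactly this order for the policy's permission values to line up with these masks, and, as far as I recall, the kernel's policy-load validation compares the permission names it knows against the policy's by value and refuses a policy where they disagree. A one-line comment above the block would make that visible, e.g. `/* bit values must match the permission order declared for class packet in policy */`. If these headers are still produced from the Flask definitions rather than hand-maintained (older copies carry an "automatically generated, do not edit" banner, which is not shown in this hunk), the definitions should be the edited artifact and the headers regenerated, so the string table, the masks and the class ordinal cannot drift apart.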
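--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -59,3 +59,4 @@
  S_("association")
  S_("netlink_kobject_uevent_socket")
  S_("appletalk_socket")
+ S_("packet")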
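--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -61,6 +61,7 @@
 #define SECCLASS_ASSOCIATION 54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
 #define SECCLASS_APPLETALK_SOCKET 56
+#define SECCLASS_PACKET 57
 
 /*
  * Security identifier indices for initial entities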
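Review bot: SECCLASS_PACKET is given the value 57 while S_("packet") is appended as the 57th entry of class_to_string.h, but nothing in either hunk records that the two are index-coupled, and the ordinal also has to agree with where `packet` sits in the loaded policy's class list; a policy that declares the class at a different position is, as far as I recall, rejected by the class validation at policy load, whereas one that simply omits a trailing class is tolerated. A short comment on the define would keep the next addition from breaking this silently, e.g. `/* index into class_to_string.h; must match the class order in policy/flask/security_classes */`. The hunk also shows the new define placed directly before the "initial entities" SID block, so any further class appended here has to go above that blank line rather than after it.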