• Paul Moore's avatar
    SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement · 23bcdc1a
    Paul Moore authored
    Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
    current runtime status of NetLabel based on the existing configuration.  LSMs
    that make use of NetLabel, i.e. SELinux, can use this new function to determine
    if they should perform NetLabel access checks.  This patch changes the
    NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
    access checks when netlbl_enabled() returns true.
    
    At present NetLabel is considered to be enabled when there is at least one
    labeled protocol configuration present.  The result is that by default NetLabel
    is considered to be disabled, however, as soon as an administrator configured
    a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
    NetLabel related access controls - including unlabeled packet controls.
    
    This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
    blocks into a single block to ease future review as recommended by Linus.
    Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    23bcdc1a
netlabel_mgmt.c 17.6 KB