    SELinux: Fix SA selection semantics · 67f83cbf
    Venkat Yekkirala authored
    Fix the selection of an SA for an outgoing packet to be at the same
    context as the originating socket/flow. This eliminates the SELinux
    policy's ability to use/sendto SAs with contexts other than the socket's.
    
    With this patch applied, the SELinux policy will require one or more of the
    following for a socket to be able to communicate with/without SAs:
    
    1. To enable a socket to communicate without using labeled-IPSec SAs:
    
    allow socket_t unlabeled_t:association { sendto recvfrom }
    
    2. To enable a socket to communicate with labeled-IPSec SAs:
    
    allow socket_t self:association { sendto };
    allow socket_t peer_sa_t:association { recvfrom };
    
    Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
    Signed-off-by: James Morris <jmorris@namei.org>
xfrm_policy.c 47.8 KB