[redhat-lspp] RE: [PATCH 1/1] selinux: secid reconciliation fixes V02
Venkat Yekkirala
vyekkirala at TrustedCS.com
Mon Oct 9 16:51:41 UTC 2006
OK. Thanks.
PS: Somehow I didn't run into these on my system.
> -----Original Message-----
> From: Paul Moore [mailto:paul.moore at hp.com]
> Sent: Monday, October 09, 2006 11:49 AM
> To: Venkat Yekkirala
> Cc: selinux at tycho.nsa.gov; jmorris at namei.org; sds at tycho.nsa.gov;
> eparis at redhat.com; jbrindle at tresys.com; redhat-lspp at redhat.com
> Subject: Re: [PATCH 1/1] selinux: secid reconciliation fixes V02
>
>
> FYI: some changes need to be made to avoid compilation warnings (see below,
> and selinux_ip_postroute_last() to see what I mean), I'm taking the liberty
> of changing the patch myself.
>
> Venkat Yekkirala wrote:
> > -static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid)
> > +static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid,
> > + const struct net_device *out, unsigned
> short family)
> > {
> > int err;
> > + char *addrp;
> > + int len;
> > + struct avc_audit_data ad;
>
> Add the following:
>
> struct net_device *dev = (struct net_device *)out;
>
>
> > if (selinux_compat_net)
> > return 1;
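Review bot: the `struct net_device *dev = (struct net_device *)out;` line suggested above removes the warning by casting away the `const` that the new `const struct net_device *out` parameter carries, so the compiler no longer checks that the device is not written through `dev`. Since the device is only read here (its `name` goes into the audit record), keeping the qualifier by making the audit field accept a `const char *` (or otherwise letting the audit data take the const pointer) would be the cleaner fix than a cast in this function. Also, `out` is dereferenced unconditionally; if any caller of `selinux_skb_flow_out()` can pass a NULL `out`, a check is needed before the audit data is filled in.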
> > @@ -3738,9 +3749,17 @@ static int selinux_skb_flow_out(struct s
> > }
> > }
> >
> > + AVC_AUDIT_DATA_INIT(&ad, NET);
> > + ad.u.net.netif = out->name;
>
> Replace the above line with:
>
> ad.u.net.netif = dev->name;
>
> > + ad.u.net.family = family;
> > + err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
> > + if (err)
> > + goto out;
> > +
> > err = avc_has_perm(skb->secmark, nf_secid, SECCLASS_PACKET,
> > - PACKET__FLOW_OUT, NULL);
> > + PACKET__FLOW_OUT, &ad);
> >
> > +out:
> > return err ? 0 : 1;
> > }
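Review bot: `addrp` and `len` are passed to `selinux_parse_skb()` but never read afterwards in this hunk, so they only exist to satisfy its out-parameters; either drop them if `selinux_parse_skb()` tolerates NULL for those arguments (not visible here), or add a one-line comment that the call is made for the side effect of filling `ad`. Worth stating in the changelog as well: on a parse failure the `goto out` path returns `err ? 0 : 1`, i.e. 0, so an unparseable packet is now dropped without `avc_has_perm()` ever running (and hence without an AVC audit record), whereas the old code always reached `avc_has_perm()`. Fail-closed is reasonable here, but it is a behavioural change beyond adding audit data and should be called out.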
>
> --
> paul moore
> linux security @ hp
>