[redhat-lspp] [PATCH] Updated NetLabel patch

Paul Moore paul.moore at hp.com
Tue Jun 6 18:29:11 UTC 2006


Attached is an updated NetLabel as requested on Monday's LSPP conference
call.  While I don't want to discourage anyone from looking over the
code, I should be honest when I say not much has changed since the last
patch.  If you have already looked at the previous patch I would
recommend waiting for the next patch if you are interested in reviewing
the code.  As usual, there is still more work on my todo list.

For the curious, the following changes have been made since the last patch:

 * Bug fixes (duh)
 * Inclusion of comments made by James
 * Minor changes to the NetLabel MGMT ADD[DEF] and VERSION commands
 * Crude capability checks on the NETLINK messages
 * Rework the unlabeled packet handling in SELinux

This morning I briefly tested the following, although not necessarily all
of the permutations:

 * x86 SMP
 * x86_64 (AMD) SMP
 * targeted policy, enforcing
 * mls policy, enforcing

This patch should not require policy changes when used in the
default/unlabeled mode.  However, those wishing to configure the
NetLabel subsystem and utilize the CIPSO bits should switch to
permissive mode first as I haven't yet written any policy to support
NetLabel.

Also, due to the changes made to the NetLabel commands a new version of
the NetLabel userspace has been posted.  There is no change to the
syntax or behavior of the tools, just the library and the NETLINK
messages.  The tarball can be found here:

 * http://free.linux.hp.com/~pmoore/projects/linux_cipso

The patch was generated against the lspp.28 kernel and applies against
the lspp.34 kernel sources without problem (there is a one line
adjustment in security/selinux/hooks.c but it is okay).  Now the patch
summary:

 CREDITS                                                   |    7
 Documentation/00-INDEX                                    |    2
 Documentation/netlabel/00-INDEX                           |   10
 Documentation/netlabel/cipso_ipv4.txt                     |   48
 Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt |  791 +++++
 Documentation/netlabel/introduction.txt                   |   44
 Documentation/netlabel/lsm_interface.txt                  |   47
 include/linux/ip.h                                        |    1
 include/linux/netlink.h                                   |    1
 include/net/cipso_ipv4.h                                  |  187 +
 include/net/inet_sock.h                                   |    2
 include/net/netlabel.h                                    |  354 ++
 net/Kconfig                                               |    2
 net/Makefile                                              |    1
 net/ipv4/Makefile                                         |    1
 net/ipv4/cipso_ipv4.c                                     | 1576 ++++++
 net/ipv4/ip_options.c                                     |   15
 net/netlabel/Kconfig                                      |   47
 net/netlabel/Makefile                                     |   15
 net/netlabel/netlabel_cipso_v4.c                          |  519 +++
 net/netlabel/netlabel_cipso_v4.h                          |  185 +
 net/netlabel/netlabel_domainhash.c                        |  629 +++
 net/netlabel/netlabel_domainhash.h                        |   64
 net/netlabel/netlabel_kapi.c                              |  385 ++
 net/netlabel/netlabel_mgmt.c                              |  681 ++++
 net/netlabel/netlabel_mgmt.h                              |  253 +
 net/netlabel/netlabel_unlabeled.c                         |  286 +
 net/netlabel/netlabel_unlabeled.h                         |   90
 net/netlabel/netlabel_user.c                              |  174 +
 net/netlabel/netlabel_user.h                              |   42
 security/selinux/hooks.c                                  |   80
 security/selinux/include/av_inherit.h                     |    1
 security/selinux/include/av_perm_to_string.h              |    2
 security/selinux/include/av_permissions.h                 |    1
 security/selinux/include/flask.h                          |    1
 security/selinux/include/security.h                       |    6
 security/selinux/nlmsgtab.c                               |  159 -
 security/selinux/ss/ebitmap.c                             |  155
 security/selinux/ss/ebitmap.h                             |    6
 security/selinux/ss/mls.c                                 |  160 +
 security/selinux/ss/mls.h                                 |   25
 security/selinux/ss/services.c                            |  252 +
 security/selinux/xfrm.c                                   |   22
 43 files changed, 7240 insertions(+), 89 deletions(-)

-- 
paul moore
linux security @ hp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netlabel_06062006.diff
Type: text/x-patch
Size: 246364 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20060606/616b307f/attachment.bin>