Commit Graph

17 Commits

Author SHA1 Message Date
Chris PeBenito f3da31d339 trunk: Labeled networking peer object class updates. 2008-01-03 16:20:01 +00:00
Chris PeBenito e83edee5d2 trunk: fix do not userspace commons in kernel version of av_permissions.h. 2007-10-16 19:05:27 +00:00
Chris PeBenito 32c05ccbcd trunk: fix flask.py Flask class userspace dictionary usage. 2007-10-16 18:56:32 +00:00
Chris PeBenito 651df3ceb6 trunk: do not emit lines in the kernel version of av_inherit.h for commons that are only inherited by userspace object classes. 2007-10-16 18:30:23 +00:00
Chris PeBenito 3a9096d94f trunk: do not emit S_(0, 0, 0) in kernel headers for userspace classes that inherit commons. 2007-10-16 16:02:51 +00:00
Chris PeBenito 9760cbec2d trunk: Database userspace object manager classes from KaiGai Kohei. 2007-08-09 13:15:07 +00:00
Chris PeBenito 924f3cc2cb trunk: add getserv and shmemserv nscd permissions. 2007-07-24 19:52:18 +00:00
Chris PeBenito 41337aa8b9 Memprotect support patch from Stephen Smalley. 2007-06-19 13:02:26 +00:00
Chris PeBenito f88ef60ac0 emit "null" instead of NULL for userspace headers 2007-03-30 20:33:51 +00:00
Chris PeBenito e9b0042f35 Output different header sets for kernel and userland from flask headers. 2007-03-23 20:32:23 +00:00
Chris PeBenito 1852cdabce deprecated pax class 2007-03-23 20:21:06 +00:00
Chris PeBenito a715dc0995 add dccp_socket object class 2007-02-26 15:39:59 +00:00
Chris PeBenito c6a60bb28d On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
2006-11-14 13:38:52 +00:00
Chris PeBenito a8671ae5b2 enhanced setransd support from darrel goeddel 2006-10-20 14:44:23 +00:00
Chris PeBenito 8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito 9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00