On Tue, 2010-09-21 at 09:40 -0400, Eric Paris wrote:
> On Tue, Sep 21, 2010 at 8:10 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Fri, 2010-09-17 at 22:56 +0100, Mr Dash Four wrote:
> > > > Is there any way I can link or map the number shown in the secmark
> > > > field (secmark=XXX) when listing the current connections with "cat
> > > > /proc/net/ip_conntrack" or "cat /proc/net/nf_conntrack"?
> > > I should have been a bit clearer - I need to map the number shown in
> > > the secmark field to the actual SELinux context - is that possible?
> >
> > Not from userspace. So that likely ought to be mapping to a security
> > context and displaying it instead of displaying the secmark (SID).
> > Kernel issue. Kernel code can use security_secid_to_secctx() to map the
> > value to a string, and then security_release_secctx() to free it
> > afterward.
>
> Sorry, I saw your e-mail and put it on my list of things to work on.
> I'm playing with SECMARK a bit today so I'll try to send a kernel
> patch to fix this up.

One item to note: xt_SECMARK.c is presently using selinux-specific
interfaces for mapping the security context string to a sid originally,
as well as to check permissions, manage refcounts, etc. So if you use
the LSM hooks for mapping the secid back to a context, there will be an
inconsistency in the interface. Likely they should all be LSM hooks and
both include/linux/selinux.h and security/selinux/exports.c should go
away.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
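The point Stephen makes above is that, from userspace, the secmark field in /proc/net/nf_conntrack is only an opaque SID with no way to turn it back into an SELinux context; the mapping has to be done in the kernel with security_secid_to_secctx(). The parser below is an added example (not code from this thread or from the kernel) showing what a userspace tool can still do with that number: read conntrack entries and group flows by secmark so an administrator can at least see which connections the SECMARK rules labelled alike. The sample entries are constructed, not captured from a real host, and the field layout assumed (l3proto, l3num, l4proto, l4num, timeout, an optional state word for TCP, then key=value pairs with the original-direction tuple first) follows the /proc/net/nf_conntrack format as I know it from kernels of that era.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/net/nf_conntrack output (not real traffic).
# Assumed layout: l3proto l3num l4proto l4num timeout [STATE] k=v ... [ASSURED] mark= secmark= use=
SAMPLE_NF_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=22 packets=14 bytes=2081 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=51234 packets=11 bytes=1766 [ASSURED] mark=0 secmark=42 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=63 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40000 packets=1 bytes=120 mark=0 secmark=0 use=1
ipv4     2 tcp      6 118 TIME_WAIT src=192.0.2.11 dst=198.51.100.80 sport=33000 dport=80 packets=6 bytes=500 src=198.51.100.80 dst=192.0.2.11 sport=80 dport=33000 packets=4 bytes=900 [ASSURED] mark=0 secmark=42 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Parse one nf_conntrack line into a dict.

    The secmark value is kept as a plain integer: userspace has no way to
    map it to a security context, so that is all we can report.
    """
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("not a conntrack entry: %r" % line)
    entry = {
        "l3proto": fields[0],
        "l4proto": fields[2],
        "timeout": int(fields[4]),
        # TCP entries carry a state word after the timeout; UDP entries do not,
        # so the first key=value token follows the timeout directly.
        "state": fields[5] if len(fields) > 5 and "=" not in fields[5] else None,
        "assured": "[ASSURED]" in line,
    }
    orig, reply = {}, {}
    for key, value in KV_RE.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence is the original direction, second the reply.
            target = orig if key not in orig else reply
            target[key] = value
        elif key in ("mark", "secmark", "use"):
            entry[key] = int(value)
    entry["orig"] = orig
    entry["reply"] = reply
    return entry


def group_by_secmark(text):
    """Group original-direction flows by their secmark SID."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        o = e["orig"]
        flow = "%s %s:%s -> %s:%s" % (e["l4proto"], o["src"], o["sport"], o["dst"], o["dport"])
        groups[e.get("secmark", 0)].append(flow)
    return dict(groups)


if __name__ == "__main__":
    for sid, flows in sorted(group_by_secmark(SAMPLE_NF_CONNTRACK).items()):
        # The SID is printed as-is; resolving it to a context is a kernel job.
        print("secmark=%d" % sid)
        for flow in flows:
            print("  " + flow)
```

Replace SAMPLE_NF_CONNTRACK with the contents of /proc/net/nf_conntrack to run it against a live host; the grouping is only as meaningful as the SECMARK rules that set those SIDs.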