On Tue, 2008-02-26 at 13:40 -0500, paul.moore@xxxxxx wrote:
> The 2.6.25 kernel will introduce a new set of labeled networking controls to
> SELinux and this patch makes the necessary changes to the Reference Policy
> to support unlabeled network traffic with the new controls.
>
> A description of the new/improved labeled networking controls was posted to
> the SELinux list back in early January 2008.
>
> * http://marc.info/?l=selinux&m=119991234501200&w=2
>
> Signed-off-by: Paul Moore <paul.moore@xxxxxx>
> ---
> policy/modules/kernel/corenetwork.if.in | 69 +++++++++++++++++++++++---------

Is there a reason why you skipped adding ingress/egress to the "all"
interfaces (e.g. corenet_udp_receive_all_if)?

> policy/modules/kernel/corenetwork.if.m4 | 20 ++++-----
> policy/modules/kernel/kernel.if | 30 +++++++++++++
> policy/modules/kernel/kernel.te | 3 +
> 4 files changed, 94 insertions(+), 28 deletions(-)
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
>
> ########################################
> ## <summary>
> +## Receive packets from an unlabeled peer.
> +## </summary>
> +## <desc>
> +## <p>
> +## Receive packets from an unlabeled peer,
> +## these packets do not have any peer labeling
> +## information present.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corenet_recvfrom_unlabeled_peer',`
> + kernel_recvfrom_unlabeled_peer($1)
> +')

Seems unnecessary since it seems like it should be called from
corenet_(tcp|udp|raw)_recvfrom_unlabeled?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
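Review bot: the new corenet_recvfrom_unlabeled_peer interface in the corenetwork.if.in hunk is a one-line wrapper around kernel_recvfrom_unlabeled_peer($1), and nothing in the quoted patch shows a caller for it; if it is kept as a public interface, its <desc> should state what kernel_recvfrom_unlabeled_peer actually grants (that definition lives in the kernel.if change listed in the diffstat, which is not quoted here) and that the per-protocol corenet_(tcp|udp|raw)_recvfrom_unlabeled interfaces are the intended callers. The <desc> text "Receive packets from an unlabeled peer, these packets do not have any peer labeling information present." is also a comma splice and should be split into two sentences.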