I finally got a chance to cobble together some tests to verify both getpeercon() on the client end of a connected UNIX domain socket as well as the proper operation of fsetxattr() on sockets. I'm happy to report that everything worked as I expected it to (UNIX sockets now behave like INET sockets) and nothing exploded.

This latest version of the patchset should include all the feedback I've received so far as well as my sign-off on each patch so I think we should be in good shape at this point. As a result, I'm submitting these patches for whatever kernel release looks most appropriate - maybe too late for .35, but you might be able to make a weak argument that some of the patches are bugfixes - regardless, I'll let you guys make that call; as long as they go somewhere I'll be happy.

For those of you using git, you can also find a copy of the patches at the URL below.

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Thanks.

---

Paul Moore (6):
      selinux: Update socket's label alongside inode's label
      selinux: Set the peer label correctly on connected UNIX domain sockets
      selinux: Consolidate sockcreate_sid logic
      selinux: Shuffle the sk_security_struct alloc and free routines
      selinux: Convert socket related access controls to use socket labels
      selinux: Use current_security() when possible

 security/selinux/hooks.c            |  286 +++++++++++++++++------------------
 security/selinux/include/netlabel.h |    5 -
 security/selinux/netlabel.c         |    8 +
 3 files changed, 144 insertions(+), 155 deletions(-)