On Mon, 2011-02-14 at 14:18 +0100, Steffen Klassert wrote:
> Postroute access control checks are just performed on the packet's final
> way out, so there is no need to check for further transformations
> in the xfrm state bundle.
>
> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>

For similar reasons as patch 2/10 I have to NACK this patch. The
selinux_xfrm_postroute_last() function is a holdout from the previous
network access controls. If you want the new behavior, use a modern
SELinux policy on a modern kernel.

> ---
>  security/selinux/xfrm.c |   15 ---------------
>  1 files changed, 0 insertions(+), 15 deletions(-)
>
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 728c57e..62f3b26 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -445,23 +445,8 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
>  int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
>  				struct common_audit_data *ad, u8 proto)
>  {
> -	struct dst_entry *dst;
>  	int rc = 0;
>
> -	dst = skb_dst(skb);
> -
> -	if (dst) {
> -		struct dst_entry *dst_test;
> -
> -		for (dst_test = dst; dst_test != NULL;
> -		     dst_test = dst_test->child) {
> -			struct xfrm_state *x = dst_test->xfrm;
> -
> -			if (x && selinux_authorizable_xfrm(x))
> -				goto out;
> -		}
> -	}
> -
>  	switch (proto) {
>  	case IPPROTO_AH:
>  	case IPPROTO_ESP:

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
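Review bot: Removing the dst-chain walk changes the outcome for packets that already carry an authorizable SA, not only for "further transformations" as the commit message says: before this hunk, the first `dst_test->xfrm` for which `selinux_authorizable_xfrm(x)` holds does `goto out` with `rc = 0` and skips the `switch (proto)` that follows, whereas after it every packet falls through to the `IPPROTO_AH`/`IPPROTO_ESP` cases regardless of its SA label. The commit message should state why that short-circuit is no longer wanted at the postroute hook, since the justification given covers only the later entries of the bundle. Also confirm that the `out:` label still has a user once the only visible `goto out` is deleted; otherwise it is left as an unused label.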