On 07/14/2014 03:36 PM, Paul Moore wrote: > The sock_graft() hook has special handling for AF_INET, AF_INET, and > AF_UNIX sockets as those address families have special hooks which > label the sock before it is attached its associated socket. > Unfortunately, the sock_graft() hook was missing a default approach > to labeling sockets which meant that any other address family which > made use of connections or the accept() syscall would find the > returned socket to be in an "unlabeled" state. This was recently > demonstrated by the kcrypto/AF_ALG subsystem and the newly released > cryptsetup package (cryptsetup v1.6.5 and later). > > This patch preserves the special handling in selinux_sock_graft(), > but adds a default behavior - setting the sock's label equal to the > associated socket - which resolves the problem with AF_ALG and > presumably any other address family which makes use of accept(). > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> I tested v2 patch for the cryptsetup use case (ALG_IF crypto subsystem) and it fixes the problem in enforcing mode. So, if you wish, add Tested-by: Milan Broz <gmazyland@xxxxxxxxx> Thanks! Milan _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
