On Wed, Jun 10, 2015 at 10:37:29AM -0400, Stephen Smalley wrote:
> The socket, unix_socket, and unix_secure tests were all
> for the original SELinux implementation (before Linux 2.6.0),
> and never worked for SELinux in mainline.
> Delete these legacy tests and their associated policy as they
> neither build nor work and embody many assumptions that are no
> longer true of SELinux (e.g. permissions that are no longer used,
> automatic propagation of security contexts for INET over loopback).
>
> Add a new set of unix_socket tests that exercise the Unix domain
> socket connectto (stream) and sendto (datagram) permission checks
> and the SO_PEERSEC (stream) and SCM_SECURITY (datagram) functionality.
> These tests use the abstract name space as the purpose is to test the
> socket layer hooks, not the file/inode hooks. We currently only
> test SCM_SECURITY for datagram sockets but this can be extended to
> also test with stream sockets if/when that functionality is accepted
> into the kernel.
>
> Possibly we could add similar tests for INET over loopback if we
> were to also add support for loading netlabel configuration in addition
> to policy configuration, but that is left to a future change.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

Looks good to me.

Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>