On Fri, Jun 12, 2015 at 11:57 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> On Wed, Jun 10, 2015 at 10:37:29AM -0400, Stephen Smalley wrote:
>> The socket, unix_socket, and unix_secure tests were all
>> for the original SELinux implementation (before Linux 2.6.0),
>> and never worked for SELinux in mainline.
>> Delete these legacy tests and their associated policy as they
>> neither build nor work and embody many assumptions that are no
>> longer true of SELinux (e.g. permissions that are no longer used,
>> automatic propagation of security contexts for INET over loopback).
>>
>> Add a new set of unix_socket tests that exercise the Unix domain
>> socket connectto (stream) and sendto (datagram) permission checks
>> and the SO_PEERSEC (stream) and SCM_SECURITY (datagram) functionality.
>> These tests use the abstract name space as the purpose is to test the
>> socket layer hooks, not the file/inode hooks. We currently only
>> test SCM_SECURITY for datagram sockets but this can be extended to
>> also test with stream sockets if/when that functionality is accepted
>> into the kernel.
>>
>> Possibly we could add similar tests for INET over loopback if we
>> were to also add support for loading netlabel configuration in addition
>> to policy configuration, but that is left to a future change.
>>
>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> Looks good to me.
>
> Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>

Me too. I sent mail to Stephen but didn't include the list - my mistake. Regardless, it's in the repo now.

--
paul moore
www.paul-moore.com