On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia <guido@xxxxxxxxxxxxxxxx> wrote:
> Modify the SELinux kernel code so that it is able to classify sockets with
> the new AF_ALG namespace (used for the user-space interface to the kernel
> Crypto API).
>
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list, once this patch is merged.
>
> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 5 +++--
> security/selinux/include/classmap.h | 2 ++
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200
> +++ linux-4.7.1/security/selinux/hooks.c 2016-08-21 18:23:48.603479911 +0200
> @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
> return SECCLASS_KEY_SOCKET;
> case PF_APPLETALK:
> return SECCLASS_APPLETALK_SOCKET;
> + case PF_ALG:
> + return SECCLASS_ALG_SOCKET;
> }

Because this patch changes the object class for existing permission checks you will need to wrap this with a policy capability, see selinux_policycap_netpeer for an example.

--
paul moore
www.paul-moore.com
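
Review bot: The added `case PF_ALG:` returns SECCLASS_ALG_SOCKET unconditionally, so every existing permission check on an AF_ALG socket moves to the new class as soon as this kernel is booted, whether or not the loaded policy has rules for that class. Make the return conditional on a new policy capability, along the lines of the selinux_policycap_netpeer example named in the reply, and keep the class these sockets were checked against before when the capability is not set. Separately, the hunk header `@@ -1316,6 +1315,8 @@` starts one line earlier on the new side and the diffstat lists 2 deletions, so hooks.c also loses lines above this hunk that the commit message does not mention; please describe that change or split it into its own patch.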