On Thu, Dec 8, 2016 at 4:43 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> commit 79c8b348f215 ("selinux: support distinctions among all network
> address families") mapped datagram ICMP sockets to the new icmp_socket
> security class, but left ICMPv6 sockets unchanged. This change fixes
> that oversight to handle both kinds of sockets consistently.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Merged, thanks for fixing this.
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 8a90a0b..b508a5a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1295,7 +1295,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
> case SOCK_DGRAM:
> if (default_protocol_dgram(protocol))
> return SECCLASS_UDP_SOCKET;
> - else if (extsockclass && protocol == IPPROTO_ICMP)
> + else if (extsockclass && (protocol == IPPROTO_ICMP ||
> + protocol == IPPROTO_ICMPV6))
> return SECCLASS_ICMP_SOCKET;
> else
> return SECCLASS_RAWIP_SOCKET;
> --
> 2.7.4
>
--
paul moore
www.paul-moore.com
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
