On Mon, Mar 19, 2018 at 1:33 PM, Richard Haines via Selinux <selinux@xxxxxxxxxxxxx> wrote: > Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect > how the association permission is validated. > > Reported-by: Dominick Grift <dac.override@xxxxxxxxx> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > Documentation/security/SELinux-sctp.rst | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) Merged, thanks Richard and Dominick. > diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst > index 2f66bf3..a332cb1 100644 > --- a/Documentation/security/SELinux-sctp.rst > +++ b/Documentation/security/SELinux-sctp.rst > @@ -116,11 +116,12 @@ statement as shown in the following example:: > SCTP Peer Labeling > =================== > An SCTP socket will only have one peer label assigned to it. This will be > -assigned during the establishment of the first association. Once the peer > -label has been assigned, any new associations will have the ``association`` > -permission validated by checking the socket peer sid against the received > -packets peer sid to determine whether the association should be allowed or > -denied. > +assigned during the establishment of the first association. Any further > +associations on this socket will have their packet peer label compared to > +the sockets peer label, and only if they are different will the > +``association`` permission be validated. This is validated by checking the > +socket peer sid against the received packets peer sid to determine whether > +the association should be allowed or denied. > > NOTES: > 1) If peer labeling is not enabled, then the peer context will always be > -- > 2.14.3 -- paul moore www.paul-moore.com
