On Fri, 2005-09-30 at 02:49 -0400, James Morris wrote:
Please review the following patch.
It changes the SELinux IP socket classification logic, which is currently broken (well, out of date), so that an IPPROTO_IP protocol value passed to socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET. With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the generic IP socket class.
The patch also drops the check for SOCK_RAW and converts it into a default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
This now causes all SCTP sockets to be classified as SECCLASS_RAWIP_SOCKET.
This patch also unifies the way IP sockets classes are determined in selinux_socket_bind(), so we use the already calculated value instead of trying to recalculate it (which can lead to inconsistencies).
To get SCTP working now in targeted policy, permissions for the rawip_socket class need to be added to unconfined_domain:
avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket
(that should be it, I think).
Comments?
security/selinux/hooks.c | 30 ++++++++++++++++++++++++------ 1 files changed, 24 insertions(+), 6 deletions(-)
Looks good.
Signed-off-by: Stephen Smalley sds@tycho.nsa.gov
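The following is an added example, not part of the thread or of the kernel patch under review. It models the classification rule the mail describes (SOCK_STREAM with IPPROTO_IP or IPPROTO_TCP is tcp_socket, SOCK_DGRAM with IPPROTO_IP or IPPROTO_UDP is udp_socket, everything else is rawip_socket) and then parses an AVC denial of the shape quoted above into the allow rule it implies, which is the step an admin takes when hitting the rawip_socket denial for SCTP. The model mirrors only what the mail states about hooks.c, not the full kernel function; the fallback value 132 for IPPROTO_SCTP is the IANA number, used only where the Python build lacks the constant.

```python
import re
import socket
from socket import SOCK_STREAM, SOCK_DGRAM, IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP

# Constants that older Python builds may not export; IANA values.
SOCK_SEQPACKET = getattr(socket, "SOCK_SEQPACKET", 5)
IPPROTO_SCTP = getattr(socket, "IPPROTO_SCTP", 132)


def ip_socket_class(sock_type, protocol):
    """Model of the patched PF_INET/PF_INET6 classification as described in
    the mail (not the kernel's code): the "default" protocol for a stream or
    datagram socket gets the TCP/UDP class, anything else is rawip_socket."""
    if sock_type == SOCK_STREAM and protocol in (IPPROTO_IP, IPPROTO_TCP):
        return "tcp_socket"
    if sock_type == SOCK_DGRAM and protocol in (IPPROTO_IP, IPPROTO_UDP):
        return "udp_socket"
    # SOCK_RAW, SOCK_SEQPACKET, SCTP over SOCK_STREAM, etc. all land here.
    return "rawip_socket"


# Constructed copy of the denial quoted in the mail, used as sample input.
DENIAL = ('avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" '
          'src=3339 scontext=root:system_r:unconfined_t '
          'tcontext=system_u:object_r:port_t tclass=rawip_socket')

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields.
    Returns None if the line is not a denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def allow_rule(line):
    """Derive the minimal allow rule that would satisfy the denial, keyed on
    the *type* field (third component) of the source and target contexts."""
    d = parse_avc(line)
    if d is None:
        raise ValueError("not an AVC denial: %r" % line)
    stype = d["scontext"].split(":")[2]
    ttype = d["tcontext"].split(":")[2]
    perms = d["perms"]
    plist = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, d["tclass"], plist)


if __name__ == "__main__":
    # An SCTP socket created with socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
    # is classified as rawip_socket after the patch, which is exactly the
    # tclass the quoted denial reports when lt-sctp_test calls bind().
    print(ip_socket_class(SOCK_STREAM, IPPROTO_SCTP))
    print(allow_rule(DENIAL))
```

The emitted rule names the raw types (unconfined_t, port_t); in targeted policy the mail's fix is to grant the rawip_socket permissions through the unconfined_domain macro rather than as a one-off allow, so the rule here is the starting point for that edit, not the final policy change.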