From: Venkat Yekkirala
Date: Wed, 8 Nov 2006 23:04:26 +0000 (-0600)
Subject: SELinux: Fix SA selection semantics
X-Git-Tag: v2.6.20-rc1~34^2~40^2~435
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67f83cbf081a70426ff667e8d14f94e13ed3bdca;p=pandora-kernel.git

SELinux: Fix SA selection semantics

Fix the selection of an SA for an outgoing packet to be at the same
context as the originating socket/flow. This eliminates the SELinux
policy's ability to use/sendto SAs with contexts other than the
socket's.

With this patch applied, the SELinux policy will require one or more
of the following for a socket to be able to communicate with/without
SAs:

1. To enable a socket to communicate without using labeled-IPSec SAs:

   allow socket_t unlabeled_t:association { sendto recvfrom }

2. To enable a socket to communicate with labeled-IPSec SAs:

   allow socket_t self:association { sendto };
   allow socket_t peer_sa_t:association { recvfrom };

Signed-off-by: Venkat Yekkirala
Signed-off-by: James Morris
---
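The commit message states the rules a policy must carry for a socket type to talk without labeled IPsec SAs (sendto and recvfrom to unlabeled_t) or with them (sendto to self, recvfrom to the peer SA type). The following is an added example, not part of the commit or of any SELinux tooling: a small parser for single-line `allow` rules and an audit helper that reports which of those modes a given socket type is granted. The policy text is constructed for the example, and `peer_sa_t` is used only because the commit message names it; the type names are placeholders, not types from a real policy.

```python
"""Audit a SELinux policy fragment for the association permissions the
"SELinux: Fix SA selection semantics" commit message describes.
Added example; the policy text below is constructed, not from a real policy."""
import re
from dataclasses import dataclass

# One single-line rule:  allow <src> <tgt>:<class> <perm> | { perm perm ... } ;
# Multi-line rules and attribute sets are not handled; this is a fragment checker.
_ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^;\s]+))\s*;"
)


@dataclass(frozen=True)
class AllowRule:
    src: str
    tgt: str
    cls: str
    perms: frozenset


def parse_allow_rules(policy_text):
    """Parse allow rules, expanding 'self' to the source type."""
    rules = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
        m = _ALLOW_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        tgt = m.group("tgt")
        if tgt == "self":  # 'self' means the source type itself
            tgt = m.group("src")
        rules.append(AllowRule(m.group("src"), tgt, m.group("cls"), frozenset(perms)))
    return rules


def _allowed(rules, src, tgt, cls, perm):
    return any(
        r.src == src and r.tgt == tgt and r.cls == cls and perm in r.perms
        for r in rules
    )


def association_access(rules, socket_type, peer_sa_type):
    """Which communication modes the fragment grants socket_type, following
    the commit message: unlabeled needs sendto+recvfrom to unlabeled_t,
    labeled send needs sendto to self, labeled receive needs recvfrom to
    the peer SA type."""
    return {
        "unlabeled": (
            _allowed(rules, socket_type, "unlabeled_t", "association", "sendto")
            and _allowed(rules, socket_type, "unlabeled_t", "association", "recvfrom")
        ),
        "labeled_send": _allowed(rules, socket_type, socket_type, "association", "sendto"),
        "labeled_recv": _allowed(rules, socket_type, peer_sa_type, "association", "recvfrom"),
    }


# Constructed sample fragment; type names are placeholders.
SAMPLE_POLICY = """\
# httpd_t may use both unlabeled traffic and labeled SAs
allow httpd_t unlabeled_t:association { sendto recvfrom };
allow httpd_t self:association { sendto };
allow httpd_t peer_sa_t:association recvfrom;
# sshd_t may only use labeled SAs
allow sshd_t self:association { sendto };
allow sshd_t peer_sa_t:association { recvfrom };
"""

if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_POLICY)
    for sock in ("httpd_t", "sshd_t", "ping_t"):
        print(sock, association_access(parsed, sock, "peer_sa_t"))
```

Running it on the sample shows httpd_t granted all three modes, sshd_t granted only the labeled modes, and ping_t (no rules) granted nothing, which under the patched semantics means ping_t's packets cannot be sent over any SA or without one.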