* [PATCH 0/2] Fixes for 2.6.29
From: Paul Moore @ 2009-02-20 21:32 UTC (permalink / raw)
To: selinux
Two small patches I'd like to propose for 2.6.29 as they are low-risk bug
fixes. Please review and merge if acceptable - thanks.
The following changes since commit 402a917aca5daca69fcc91f43e6f1e6939cf393b:
Linus Torvalds (1):
Merge master.kernel.org:/home/rmk/linux-2.6-arm
are available in the git repository at:
git://git.infradead.org/users/pcmoore/lblnet-2.6 master
Paul Moore (2):
cipso: Fix documentation comment
selinux: Fix the NetLabel glue code for setsockopt()
---
Paul Moore (2):
selinux: Fix the NetLabel glue code for setsockopt()
cipso: Fix documentation comment
net/ipv4/cipso_ipv4.c | 9 +++++++--
security/selinux/netlabel.c | 4 +++-
2 files changed, 10 insertions(+), 3 deletions(-)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* [PATCH 1/2] cipso: Fix documentation comment
From: Paul Moore @ 2009-02-20 21:32 UTC (permalink / raw)
To: selinux
The CIPSO protocol engine incorrectly stated that the FIPS-188 specification
could be found in the kernel's Documentation directory. This patch corrects
that by removing the comment and directing users to the FIPS-188 document
hosted online. For the sake of completeness I've also included a link to the
CIPSO draft specification on the NetLabel website.
Thanks to Randy Dunlap for spotting the error and letting me know.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
net/ipv4/cipso_ipv4.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 6bb2635..7bc9929 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -3,11 +3,16 @@
*
* This is an implementation of the CIPSO 2.2 protocol as specified in
* draft-ietf-cipso-ipsecurity-01.txt with additional tag types as found in
- * FIPS-188, copies of both documents can be found in the Documentation
- * directory. While CIPSO never became a full IETF RFC standard many vendors
+ * FIPS-188. While CIPSO never became a full IETF RFC standard many vendors
* have chosen to adopt the protocol and over the years it has become a
* de-facto standard for labeled networking.
*
+ * The CIPSO draft specification can be found in the kernel's Documentation
+ * directory as well as the following URL:
+ * http://netlabel.sourceforge.net/files/draft-ietf-cipso-ipsecurity-01.txt
+ * The FIPS-188 specification can be found at the following URL:
+ * http://www.itl.nist.gov/fipspubs/fip188.htm
+ *
* Author: Paul Moore <paul.moore@hp.com>
*
*/
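Review bot: The added comment lines say the CIPSO draft "can be found in the kernel's Documentation directory" without giving the file's path, so a reader still has to search for it, and an unverifiable location claim is exactly the kind of error this patch sets out to correct. Name the path under Documentation in the comment so it can be checked against the tree. The two http:// links point at externally hosted copies that may move; the document names already in the header (draft-ietf-cipso-ipsecurity-01.txt, FIPS-188) are what will let a reader find them again, so keep those next to the URLs.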
* [PATCH 2/2] selinux: Fix the NetLabel glue code for setsockopt()
From: Paul Moore @ 2009-02-20 21:33 UTC (permalink / raw)
To: selinux
At some point we (okay, I) managed to break the ability for users to use the
setsockopt() syscall to set IPv4 options when NetLabel was not active on the
socket in question. The problem was noticed by someone trying to use the
"-R" (record route) option of ping:
  # ping -R 10.0.0.1
  ping: record route: No message of desired type
The solution is relatively simple, we catch the unlabeled socket case and
clear the error code, allowing the operation to succeed. Please note that we
still deny users the ability to override IPv4 options on sockets which have
NetLabel labeling active; this is done to ensure the labeling remains intact.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/netlabel.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index f58701a..3f4b266 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -490,8 +490,10 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
lock_sock(sk);
rc = netlbl_sock_getattr(sk, &secattr);
release_sock(sk);
- if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+ if (rc == 0)
rc = -EACCES;
+ else if (rc == -ENOMSG)
+ rc = 0;
netlbl_secattr_destroy(&secattr);
}
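Review bot: The new "else if (rc == -ENOMSG) rc = 0;" branch depends on netlbl_sock_getattr() returning -ENOMSG to mean "no NetLabel label on this socket", and nothing in the hunk says so; a one-line comment above the branch would stop a later change to that return value from silently turning this into allow or deny for the wrong sockets. Two related points to confirm: with the "secattr.flags != NETLBL_SECATTR_NONE" test dropped, every rc == 0 result is now denied with -EACCES, so it is worth stating that a successful call can no longer return an empty attribute set; and any other non-zero rc still falls through and is returned to the setsockopt() caller as-is, which is how the unexpected ENOMSG text reached ping in the first place, so consider whether those codes should be mapped to something a caller expects.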