1. 07 Aug, 2013 21 commits
  2. 04 Aug, 2013 1 commit
  3. 03 Aug, 2013 17 commits
  4. 02 Aug, 2013 1 commit
    • Paul Moore's avatar
      netlabel: use domain based selectors when address based selectors are not available · 6a8b7f0c
      Paul Moore authored
      NetLabel has the ability to selectively assign network security labels
      to outbound traffic based on either the LSM's "domain" (different for
      each LSM), the network destination, or a combination of both.  Depending
      on the type of traffic, local or forwarded, and the type of traffic
      selector, domain or address based, different hooks are used to label the
      traffic; the goal being minimal overhead.
      
      Unfortunately, there is a bug such that a system using NetLabel domain
      based traffic selectors does not correctly label outbound local traffic
      that is not assigned to a socket.  The issue is that in these cases
      the associated NetLabel hook only looks at the address based selectors
      and not the domain based selectors.  This patch corrects this by
      checking both the domain and address based selectors so that the correct
      labeling is applied, regardless of the configuration type.
      
      In order to acomplish this fix, this patch also simplifies some of the
      NetLabel domainhash structures to use a more common outbound traffic
      mapping type: struct netlbl_dommap_def.  This simplifies some of the code
      in this patch and paves the way for further simplifications in the
      future.
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6a8b7f0c