selinux-policy/policy
Chris PeBenito 9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
..
flask This patch adds a polmatch avperm to arbitrate flow/state's access to 2006-09-01 17:06:53 +00:00
modules patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
support add helpers for printing warning and error messages 2006-07-25 17:27:00 +00:00
constraints clean up constraints 2006-08-15 15:30:08 +00:00
global_booleans patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00
global_tunables patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00
mcs patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00
mls This patch adds a polmatch avperm to arbitrate flow/state's access to 2006-09-01 17:06:53 +00:00
rolemap remove extra level of directory 2006-07-12 20:32:27 +00:00
users remove extra level of directory 2006-07-12 20:32:27 +00:00