Re: oprofile / selinux / security_port_sid

From: James Morris
Date: Tue Mar 27 2007 - 10:12:35 EST

Next message: Russell King: "Re: [PATCH] Add support for ITE887x serial chipsets"
Previous message: Andi Kleen: "Re: [patch] cache pipe buf page address for non-highmem arch"
In reply to: Sami Farin: "Re: oprofile / selinux / security_port_sid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 27 Mar 2007, Sami Farin wrote:

> On Tue, Mar 27, 2007 at 09:40:23 -0400, Stephen Smalley wrote:
> > On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> > > is there room for improvement in security_port_sid() ?
> >
> > Yes, lots of room. Also, it won't get called per-packet if you enable
> > secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
> > or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
> > may require updating your policy.
>
> Hmm, test was done with
> CONFIG_NETWORK_SECMARK=y
> CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
> and /selinux/compat_net = 0

Even with this setting, you'll be hitting security_port_sid() via
connect(2) and bind(2). We need to fix it.

- James
--
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Russell King: "Re: [PATCH] Add support for ITE887x serial chipsets"
Previous message: Andi Kleen: "Re: [patch] cache pipe buf page address for non-highmem arch"
In reply to: Sami Farin: "Re: oprofile / selinux / security_port_sid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]