From 58bfbb51ff2b0fdc6c732ff3d72f50aa632b67a2 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 27 Mar 2009 17:10:41 -0400 Subject: selinux: Remove the "compat_net" compatibility code The SELinux "compat_net" is marked as deprecated, the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore Signed-off-by: James Morris --- Documentation/feature-removal-schedule.txt | 11 ----------- Documentation/kernel-parameters.txt | 9 --------- 2 files changed, 20 deletions(-) (limited to 'Documentation') diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index 02ea3773535..049a96247f5 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt @@ -355,17 +355,6 @@ Who: Hans de Goede --------------------------- -What: SELinux "compat_net" functionality -When: 2.6.30 at the earliest -Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" - network access control functionality of SELinux. Secmark offers both - better performance and greater flexibility than the "compat_net" - mechanism. Now that the major Linux distributions have moved to - Secmark, it is time to deprecate the older mechanism and start the - process of removing the old code. -Who: Paul Moore ---------------------------- - What: sysfs ui for changing p4-clockmod parameters When: September 2009 Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index fa4e1239a8f..d1b082772e3 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2019,15 +2019,6 @@ and is between 256 and 4096 characters. It is defined in the file If enabled at boot time, /selinux/disable can be used later to disable prior to initial policy load. - selinux_compat_net = - [SELINUX] Set initial selinux_compat_net flag value. - Format: { "0" | "1" } - 0 -- use new secmark-based packet controls - 1 -- use legacy packet controls - Default value is 0 (preferred). - Value can be changed at runtime via - /selinux/compat_net. - serialnumber [BUGS=X86-32] shapers= [NET] -- cgit v1.2.3 From 4303154e86597885bc3cbc178a48ccbc8213875f Mon Sep 17 00:00:00 2001 From: Etienne Basset Date: Fri, 27 Mar 2009 17:11:01 -0400 Subject: smack: Add a new '-CIPSO' option to the network address label configuration This patch adds a new special option '-CIPSO' to the Smack subsystem. When used in the netlabel list, it means "use CIPSO networking". A use case is when your local network speaks CIPSO and you want also to connect to the unlabeled Internet. This patch also add some documentation describing that. The patch also corrects an oops when setting a '' SMACK64 xattr to a file. Signed-off-by: Etienne Basset Signed-off-by: Paul Moore Acked-by: Casey Schaufler Signed-off-by: James Morris --- Documentation/Smack.txt | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) (limited to 'Documentation') diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt index 989c2fcd811..629c92e9978 100644 --- a/Documentation/Smack.txt +++ b/Documentation/Smack.txt @@ -184,14 +184,16 @@ length. Single character labels using special characters, that being anything other than a letter or digit, are reserved for use by the Smack development team. Smack labels are unstructured, case sensitive, and the only operation ever performed on them is comparison for equality. Smack labels cannot -contain unprintable characters or the "/" (slash) character. +contain unprintable characters or the "/" (slash) character. Smack labels +cannot begin with a '-', which is reserved for special options. There are some predefined labels: - _ Pronounced "floor", a single underscore character. - ^ Pronounced "hat", a single circumflex character. - * Pronounced "star", a single asterisk character. - ? Pronounced "huh", a single question mark character. + _ Pronounced "floor", a single underscore character. + ^ Pronounced "hat", a single circumflex character. + * Pronounced "star", a single asterisk character. + ? Pronounced "huh", a single question mark character. + @ Pronounced "Internet", a single at sign character. Every task on a Smack system is assigned a label. System tasks, such as init(8) and systems daemons, are run with the floor ("_") label. User tasks @@ -412,6 +414,36 @@ sockets. A privileged program may set this to match the label of another task with which it hopes to communicate. +Smack Netlabel Exceptions + +You will often find that your labeled application has to talk to the outside, +unlabeled world. To do this there's a special file /smack/netlabel where you can +add some exceptions in the form of : +@IP1 LABEL1 or +@IP2/MASK LABEL2 + +It means that your application will have unlabeled access to @IP1 if it has +write access on LABEL1, and access to the subnet @IP2/MASK if it has write +access on LABEL2. + +Entries in the /smack/netlabel file are matched by longest mask first, like in +classless IPv4 routing. + +A special label '@' and an option '-CIPSO' can be used there : +@ means Internet, any application with any label has access to it +-CIPSO means standard CIPSO networking + +If you don't know what CIPSO is and don't plan to use it, you can just do : +echo 127.0.0.1 -CIPSO > /smack/netlabel +echo 0.0.0.0/0 @ > /smack/netlabel + +If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled +Internet access, you can have : +echo 127.0.0.1 -CIPSO > /smack/netlabel +echo 192.168.0.0/16 -CIPSO > /smack/netlabel +echo 0.0.0.0/0 @ > /smack/netlabel + + Writing Applications for Smack There are three sorts of applications that will run on a Smack system. How an -- cgit v1.2.3