[PATCH 00/23] LSM: Full security module stacking

James Morris jmorris at namei.org
Tue May 15 21:49:17 UTC 2018


On Tue, 15 May 2018, Casey Schaufler wrote:

> Both SELinux and Smack use netlbl_sock_setattr() in their socket_post_create()
> hooks to establish the CIPSO to use if nothing else interferes. An unfortunate
> artifact of the Smack "ambient label" implementation is that the default
> configuration is going to delete the netlbl attribute for the floor ("_")
> label. This will conflict with any value that SELinux sets. :( Smack clearly
> needs to have its use of netlabel revised, and that is work that's going on
> in parallel with stacking. That, however, is not an infrastructure issue, it's
> an issue with how the two modules use the facilities.

Can this kind of problem be prevented at the API level? i.e. ensure you
can't accidentally conflict with another LSM's use of the label here?


-- 
James Morris
<jmorris at namei.org>
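As an added illustration of the conflict Casey describes (two stacked modules writing the same per-socket netlabel attribute in their socket_post_create() hooks, with Smack's floor-label default deleting it) and of the kind of API-level guard James asks about: a constructed userland model, not kernel code. The names `set_unguarded`, `set_guarded`, `run_post_create`, `struct nl_sock` and the label string are assumptions of this example; the guard shown is one hypothetical answer, not what the kernel does.

```c
#include <stdio.h>
#include <string.h>
/* Constructed userland model, not kernel code: one netlabel slot per socket. */
enum lsm_id { LSM_NONE = 0, LSM_SELINUX = 1, LSM_SMACK = 2 };

struct nl_sock {
    enum lsm_id owner;     /* module that last wrote the attribute */
    char label[32];        /* "" models a deleted netlbl attribute */
};

/* Behaviour the thread describes: last caller wins, NULL label deletes. */
static int set_unguarded(struct nl_sock *sk, enum lsm_id who, const char *l)
{
    sk->owner = l ? who : LSM_NONE;
    snprintf(sk->label, sizeof sk->label, "%s", l ? l : "");
    return 0;
}

/* Hypothetical API-level guard: a module may only touch its own attribute. */
static int set_guarded(struct nl_sock *sk, enum lsm_id who, const char *l)
{
    if (sk->owner != LSM_NONE && sk->owner != who)
        return -1;         /* conflict: another LSM owns this attribute */
    return set_unguarded(sk, who, l);
}

/* Run both socket_post_create hooks in stacking order (SELinux, then Smack);
 * copy the surviving label into out and return Smack's return code. */
int run_post_create(int guarded, char *out, size_t outlen)
{
    struct nl_sock sk = { LSM_NONE, "" };
    int (*set)(struct nl_sock *, enum lsm_id, const char *) =
        guarded ? set_guarded : set_unguarded;
    int rc;
    set(&sk, LSM_SELINUX, "cipso:doi=1,lvl=0");   /* constructed value */
    /* Smack's default handling of the floor "_" label: delete the attribute. */
    rc = set(&sk, LSM_SMACK, NULL);
    snprintf(out, outlen, "%s", sk.label);
    return rc;
}

int main(void)
{
    char got[32];
    for (int g = 0; g < 2; g++) {
        int rc = run_post_create(g, got, sizeof got);
        printf("%s: rc=%d label=\"%s\"\n", g ? "guarded" : "unguarded", rc, got);
    }
    return 0;
}
```

Unguarded, SELinux's value is silently gone after Smack's hook runs; guarded, the second write is refused and the conflict becomes visible to the caller instead of being lost.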
