This patch adds the selinux_relabel_packet_permission() check to the
SECMARK target, so that SELinux policy is consulted to ensure that the
labeling operation is permitted by the current task.
Signed-off-by: James Morris <[EMAIL PROTECTED]>
---
net/netfilter/xt_SECMARK.c | 6 ++++++
1 file changed, 6 insertions(+)
diff -purN -X dontdiff linux-2.6.17-rc3-git7.p/net/netfilter/xt_SECMARK.c linux-2.6.17-rc3-git7.w/net/netfilter/xt_SECMARK.c
--- linux-2.6.17-rc3-git7.p/net/netfilter/xt_SECMARK.c 2006-05-03 11:34:12.000000000 -0400
+++ linux-2.6.17-rc3-git7.w/net/netfilter/xt_SECMARK.c 2006-05-07 00:35:44.000000000 -0400
@@ -72,6 +72,12 @@ static int checkentry_selinux(struct xt_
return 0;
}
+ err = selinux_relabel_packet_permission(sel->selsid);
+ if (err) {
+ printk(KERN_INFO PFX "unable to obtain relabeling
permission\n");
+ return 0;
+ }
+
return 1;
}
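Review bot: the failure path in checkentry_selinux() discards the error code and the SID it was checking, so the printk gives an administrator nothing to correlate with the AVC denial; log them, e.g. `printk(KERN_INFO PFX "unable to obtain relabeling permission for SID %u (err %d)\n", sel->selsid, err);`. Two further points on this hunk: the hunk calls selinux_relabel_packet_permission() but adds no #include for its declaration, so xt_SECMARK.c presumably already pulls in the header from an earlier patch in the series and the commit message should say so; and since this runs from checkentry, the permission is evaluated against the task inserting the rule, not the task that later sends or receives the packet, which is the right place for a relabel check but is worth stating in the commit message so nobody expects per-packet enforcement.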