diff mbox

selinux: Update SELinux SCTP documentation

Message ID 20180319173336.24730-1-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Headers show

Commit Message

Jann Horn via Selinux March 19, 2018, 5:33 p.m. UTC
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect
how the association permission is validated.

Reported-by: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 Documentation/security/SELinux-sctp.rst | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Comments

Paul Moore March 20, 2018, 8:27 p.m. UTC | #1
On Mon, Mar 19, 2018 at 1:33 PM, Richard Haines via Selinux
<selinux@tycho.nsa.gov> wrote:
> Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect
> how the association permission is validated.
>
> Reported-by: Dominick Grift <dac.override@gmail.com>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  Documentation/security/SELinux-sctp.rst | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)

Merged, thanks Richard and Dominick.

> diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
> index 2f66bf3..a332cb1 100644
> --- a/Documentation/security/SELinux-sctp.rst
> +++ b/Documentation/security/SELinux-sctp.rst
> @@ -116,11 +116,12 @@ statement as shown in the following example::
>  SCTP Peer Labeling
>  ===================
>  An SCTP socket will only have one peer label assigned to it. This will be
> -assigned during the establishment of the first association. Once the peer
> -label has been assigned, any new associations will have the ``association``
> -permission validated by checking the socket peer sid against the received
> -packets peer sid to determine whether the association should be allowed or
> -denied.
> +assigned during the establishment of the first association. Any further
> +associations on this socket will have their packet peer label compared to
> +the sockets peer label, and only if they are different will the
> +``association`` permission be validated. This is validated by checking the
> +socket peer sid against the received packets peer sid to determine whether
> +the association should be allowed or denied.
>
>  NOTES:
>     1) If peer labeling is not enabled, then the peer context will always be
> --
> 2.14.3
diff mbox

Patch

diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
index 2f66bf3..a332cb1 100644
--- a/Documentation/security/SELinux-sctp.rst
+++ b/Documentation/security/SELinux-sctp.rst
@@ -116,11 +116,12 @@  statement as shown in the following example::
 SCTP Peer Labeling
 ===================
 An SCTP socket will only have one peer label assigned to it. This will be
-assigned during the establishment of the first association. Once the peer
-label has been assigned, any new associations will have the ``association``
-permission validated by checking the socket peer sid against the received
-packets peer sid to determine whether the association should be allowed or
-denied.
+assigned during the establishment of the first association. Any further
+associations on this socket will have their packet peer label compared to
+the sockets peer label, and only if they are different will the
+``association`` permission be validated. This is validated by checking the
+socket peer sid against the received packets peer sid to determine whether
+the association should be allowed or denied.
 
 NOTES:
    1) If peer labeling is not enabled, then the peer context will always be