| Message ID | 20180319173336.24730-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Mon, Mar 19, 2018 at 1:33 PM, Richard Haines via Selinux <selinux@tycho.nsa.gov> wrote: > Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect > how the association permission is validated. > > Reported-by: Dominick Grift <dac.override@gmail.com> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > --- > Documentation/security/SELinux-sctp.rst | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) Merged, thanks Richard and Dominick. > diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst > index 2f66bf3..a332cb1 100644 > --- a/Documentation/security/SELinux-sctp.rst > +++ b/Documentation/security/SELinux-sctp.rst > @@ -116,11 +116,12 @@ statement as shown in the following example:: > SCTP Peer Labeling > =================== > An SCTP socket will only have one peer label assigned to it. This will be > -assigned during the establishment of the first association. Once the peer > -label has been assigned, any new associations will have the ``association`` > -permission validated by checking the socket peer sid against the received > -packets peer sid to determine whether the association should be allowed or > -denied. > +assigned during the establishment of the first association. Any further > +associations on this socket will have their packet peer label compared to > +the sockets peer label, and only if they are different will the > +``association`` permission be validated. This is validated by checking the > +socket peer sid against the received packets peer sid to determine whether > +the association should be allowed or denied. > > NOTES: > 1) If peer labeling is not enabled, then the peer context will always be > -- > 2.14.3
diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst index 2f66bf3..a332cb1 100644 --- a/Documentation/security/SELinux-sctp.rst +++ b/Documentation/security/SELinux-sctp.rst @@ -116,11 +116,12 @@ statement as shown in the following example:: SCTP Peer Labeling =================== An SCTP socket will only have one peer label assigned to it. This will be -assigned during the establishment of the first association. Once the peer -label has been assigned, any new associations will have the ``association`` -permission validated by checking the socket peer sid against the received -packets peer sid to determine whether the association should be allowed or -denied. +assigned during the establishment of the first association. Any further +associations on this socket will have their packet peer label compared to +the sockets peer label, and only if they are different will the +``association`` permission be validated. This is validated by checking the +socket peer sid against the received packets peer sid to determine whether +the association should be allowed or denied. NOTES: 1) If peer labeling is not enabled, then the peer context will always be
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect how the association permission is validated. Reported-by: Dominick Grift <dac.override@gmail.com> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- Documentation/security/SELinux-sctp.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)