1. 30 Jan 2008, 1 commit
  2. 21 Dec 2007, 1 commit
  3. 26 Oct 2007, 1 commit
  4. 11 Oct 2007, 1 commit
  5. 08 Aug 2007, 1 commit
  6. 02 Aug 2007, 1 commit
  7. 19 Jul 2007, 1 commit
      SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement · 23bcdc1a
      Paul Moore authored
      Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
      current runtime status of NetLabel based on the existing configuration.  LSMs
      that make use of NetLabel, i.e. SELinux, can use this new function to determine
      if they should perform NetLabel access checks.  This patch changes the
      NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
      access checks when netlbl_enabled() returns true.
      
      At present NetLabel is considered to be enabled when there is at least one
      labeled protocol configuration present.  The result is that by default NetLabel
      is considered to be disabled; however, as soon as an administrator configures
      a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
      NetLabel related access controls - including unlabeled packet controls.
      
      This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
      blocks into a single block to ease future review as recommended by Linus.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  8. 17 Jul 2007, 1 commit
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to a user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g. the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork().  Data read from TTYs
      by a process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork(), it would be set
      e.g. for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g. after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: Miloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
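      The commit message above describes two user-space touch points: a netlink request that sets the audit_tty attribute on the calling process, and a second request by which a shell reports the final command line as an explanatory event. The program below is an added example, not code from the page or from the kernel patch; it builds both requests and sends them on a NETLINK_AUDIT socket. The message type names AUDIT_TTY_SET and AUDIT_USER_TTY and struct audit_tty_status are taken from the uapi header linux/audit.h, not from the commit text; the sample command string is constructed; setting the attribute requires CAP_AUDIT_CONTROL and emitting the user event requires CAP_AUDIT_WRITE, so without those the program prints the kernel's error instead.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>    /* AUDIT_TTY_SET, AUDIT_USER_TTY, struct audit_tty_status */
#include <linux/netlink.h>  /* struct nlmsghdr, NLMSG_* helpers, NETLINK_AUDIT */

/* One AUDIT_TTY_SET request: the netlink header followed directly by its
 * payload. nlmsghdr is 16 bytes (4-byte aligned), so the payload sits
 * exactly at NLMSG_DATA(&nlh) with no padding. */
struct tty_set_req {
    struct nlmsghdr nlh;
    struct audit_tty_status status;
};

/* Fill req with an AUDIT_TTY_SET message that sets the calling process's
 * audit_tty attribute (1 = enable, 0 = disable). Children inherit the
 * attribute across fork(). Returns the byte length to send. */
size_t build_audit_tty_set(struct tty_set_req *req, uint32_t enabled, uint32_t seq)
{
    memset(req, 0, sizeof *req);
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof req->status);
    req->nlh.nlmsg_type = AUDIT_TTY_SET;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = seq;
    req->nlh.nlmsg_pid = 0;              /* 0 = destined for the kernel */
    req->status.enabled = enabled ? 1 : 0;
    return req->nlh.nlmsg_len;
}

/* Fill buf with an AUDIT_USER_TTY message whose payload is free text: the
 * explanatory event a shell can emit with the final command it executed.
 * Returns the byte length to send, or 0 if buf cannot hold the message. */
size_t build_audit_user_tty(void *buf, size_t buflen, const char *text, uint32_t seq)
{
    size_t textlen = strlen(text);
    struct nlmsghdr *nlh = buf;

    if (NLMSG_SPACE(textlen) > buflen)
        return 0;
    memset(buf, 0, NLMSG_SPACE(textlen));
    nlh->nlmsg_len = NLMSG_LENGTH(textlen);
    nlh->nlmsg_type = AUDIT_USER_TTY;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;
    memcpy(NLMSG_DATA(nlh), text, textlen);
    return nlh->nlmsg_len;
}

/* Send one request on a NETLINK_AUDIT socket and wait for the kernel's ack.
 * Returns 0 on success, otherwise a negative errno: -EPERM when the caller
 * lacks the capability, -EPROTONOSUPPORT on a kernel without CONFIG_AUDIT. */
int audit_send_and_ack(const void *msg, size_t len)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    char reply[4096];
    struct nlmsghdr *rh = (struct nlmsghdr *)reply;
    struct nlmsgerr *err;
    ssize_t n;
    int e, fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

    if (fd < 0)
        return -errno;
    if (sendto(fd, msg, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        e = errno;
        close(fd);
        return -e;
    }
    n = recv(fd, reply, sizeof reply, 0);
    e = errno;
    close(fd);
    if (n < 0)
        return -e;
    /* The ack for an NLM_F_ACK request is an NLMSG_ERROR record with error == 0;
     * a rejected request carries the kernel's negative errno in the same field. */
    if ((size_t)n < NLMSG_LENGTH(sizeof *err) || rh->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    err = NLMSG_DATA(rh);
    return err->error;
}

int main(void)
{
    struct tty_set_req req;
    char buf[256];
    int rc;

    /* Turn TTY input auditing on for this process (and anything it forks). */
    rc = audit_send_and_ack(&req, build_audit_tty_set(&req, 1, 1));
    printf("AUDIT_TTY_SET: %s\n", rc ? strerror(-rc) : "ok");

    /* Constructed sample of what a shell would report after line editing. */
    rc = audit_send_and_ack(buf, build_audit_user_tty(buf, sizeof buf,
                                                      "rm -rf /var/tmp/build", 2));
    printf("AUDIT_USER_TTY: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```

      Run it with CAP_AUDIT_CONTROL (e.g. as root) on a kernel with CONFIG_AUDIT and the kernel starts emitting TTY records for input read by this process and its descendants; a PAM session module is the usual place to do this at login. Keep the daemon caveat from the commit in mind when reading the records: the attribute survives fork() and exec(), and is only dropped when a process that holds no open TTY file descriptors opens one.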
  9. 09 Jun 2007, 1 commit
  10. 08 Jun 2007, 1 commit
  11. 26 Apr 2007, 1 commit
  12. 01 Mar 2007, 1 commit
  13. 11 Feb 2007, 1 commit
  14. 09 Jan 2007, 1 commit
  15. 23 Dec 2006, 2 commits
  16. 03 Dec 2006, 8 commits
  17. 06 Nov 2006, 1 commit
      [NETLABEL]: Fix build failure. · 38c94377
      Paul Moore authored
      > the build with the attached .config failed, make ends with:
      > ...
      > : undefined reference to `cipso_v4_sock_getattr'
      > net/built-in.o: In function `netlbl_socket_getattr':
      
       ...
      
      It looks like I was stupid and made NetLabel depend on CONFIG_NET and not
      CONFIG_INET, the patch below should fix this by making NetLabel depend on
      CONFIG_INET and CONFIG_SECURITY.  Please review and apply for 2.6.19.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  18. 12 Oct 2006, 1 commit
  19. 30 Sep 2006, 1 commit
  20. 29 Sep 2006, 1 commit
  21. 26 Sep 2006, 4 commits
  22. 23 Sep 2006, 5 commits