[patch 1/1] selinux: require SECURITY_NETWORK


 



Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY),
as it requires the socket hooks for proper operation even in the local
case.  Please apply.

Signed-off-by:  Stephen Smalley <[email protected]>
Acked-by:  James Morris <[email protected]>

---

 security/selinux/Kconfig  |    2 +-
 security/selinux/Makefile |    4 +---
 security/selinux/hooks.c  |   21 +++------------------
 3 files changed, 5 insertions(+), 22 deletions(-)

diff -X /home/sds/dontdiff -rup linux-2.6.16-rc2/security/selinux/hooks.c linux-2.6.16-rc2-x/security/selinux/hooks.c
--- linux-2.6.16-rc2/security/selinux/hooks.c	2006-02-03 10:14:34.000000000 -0500
+++ linux-2.6.16-rc2-x/security/selinux/hooks.c	2006-02-03 10:56:45.000000000 -0500
@@ -232,7 +232,6 @@ static void superblock_free_security(str
 	kfree(sbsec);
 }
 
-#ifdef CONFIG_SECURITY_NETWORK
 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 {
 	struct sk_security_struct *ssec;
@@ -261,7 +260,6 @@ static void sk_free_security(struct sock
 	sk->sk_security = NULL;
 	kfree(ssec);
 }
-#endif	/* CONFIG_SECURITY_NETWORK */
 
 /* The security server must be initialized before
    any labeling or access decisions can be provided. */
@@ -2736,8 +2734,6 @@ static void selinux_task_to_inode(struct
 	return;
 }
 
-#ifdef CONFIG_SECURITY_NETWORK
-
 /* Returns error only if unable to parse addresses */
 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
 {
@@ -3556,15 +3552,6 @@ static unsigned int selinux_ipv6_postrou
 
 #endif	/* CONFIG_NETFILTER */
 
-#else
-
-static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
-{
-	return 0;
-}
-
-#endif	/* CONFIG_SECURITY_NETWORK */
-
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
 	struct task_security_struct *tsec;
@@ -4340,7 +4327,6 @@ static struct security_operations selinu
 	.getprocattr =                  selinux_getprocattr,
 	.setprocattr =                  selinux_setprocattr,
 
-#ifdef CONFIG_SECURITY_NETWORK
         .unix_stream_connect =		selinux_socket_unix_stream_connect,
 	.unix_may_send =		selinux_socket_unix_may_send,
 
@@ -4362,7 +4348,6 @@ static struct security_operations selinu
 	.sk_alloc_security =		selinux_sk_alloc_security,
 	.sk_free_security =		selinux_sk_free_security,
 	.sk_getsid = 			selinux_sk_getsid_security,
-#endif
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security =	selinux_xfrm_policy_alloc,
@@ -4440,7 +4425,7 @@ next_sb:
    all processes and objects when they are created. */
 security_initcall(selinux_init);
 
-#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
+#if defined(CONFIG_NETFILTER)
 
 static struct nf_hook_ops selinux_ipv4_op = {
 	.hook =		selinux_ipv4_postroute_last,
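Review bot: The rewritten guard `#if defined(CONFIG_NETFILTER)` now tests a single symbol, so `#ifdef CONFIG_NETFILTER` would match the form of the other guards visible in this file (`#ifdef CONFIG_SECURITY_NETWORK_XFRM`, `#ifdef CONFIG_SECURITY_SELINUX_DISABLE`). The `#else`/`#endif` comments in the following hunk are already updated and would not need to change. The guarded block continues past the end of this hunk.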
@@ -4501,13 +4486,13 @@ static void selinux_nf_ip_exit(void)
 }
 #endif
 
-#else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
+#else /* CONFIG_NETFILTER */
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 #define selinux_nf_ip_exit()
 #endif
 
-#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
+#endif /* CONFIG_NETFILTER */
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 int selinux_disable(void)
diff -X /home/sds/dontdiff -rup linux-2.6.16-rc2/security/selinux/Kconfig linux-2.6.16-rc2-x/security/selinux/Kconfig
--- linux-2.6.16-rc2/security/selinux/Kconfig	2006-02-03 10:57:37.000000000 -0500
+++ linux-2.6.16-rc2-x/security/selinux/Kconfig	2006-02-03 10:57:31.000000000 -0500
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 	bool "NSA SELinux Support"
-	depends on SECURITY && NET && INET
+	depends on SECURITY_NETWORK && NET && INET
 	default n
 	help
 	  This selects NSA Security-Enhanced Linux (SELinux).
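Review bot: Changing the `depends on` line means an existing .config with SECURITY_SELINUX=y but SECURITY_NETWORK unset will most likely have SELinux switched off without any prompt at the next `make oldconfig`, producing a kernel with no SELinux at all. If the intent is that such configs keep SELinux and gain the socket hooks, keeping `depends on SECURITY && NET && INET` and adding `select SECURITY_NETWORK` would force the hooks on instead. If the hard dependency is preferred, a sentence in the help text saying that SELinux requires the socket and networking security hooks would tell people why the option disappeared. Either way, anyone rebuilding from an older config should check that CONFIG_SECURITY_SELINUX is still set in the result.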
diff -X /home/sds/dontdiff -rup linux-2.6.16-rc2/security/selinux/Makefile linux-2.6.16-rc2-x/security/selinux/Makefile
--- linux-2.6.16-rc2/security/selinux/Makefile	2006-02-03 10:14:34.000000000 -0500
+++ linux-2.6.16-rc2-x/security/selinux/Makefile	2006-02-03 10:55:35.000000000 -0500
@@ -4,9 +4,7 @@
 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
 
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o
-
-selinux-$(CONFIG_SECURITY_NETWORK) += netif.o
+selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 

-- 
Stephen Smalley
National Security Agency
