selinux: Re: [PATCH 0/9] Labeled networking patches for 3.11

From: Paul Moore <paul_at_nospam>
Date: Wed Jun 26 2013 - 13:52:35 GMT
To: Casey Schaufler <>

On Tuesday, June 25, 2013 04:53:02 PM Casey Schaufler wrote:
> On 6/25/2013 2:18 PM, Paul Moore wrote:
> > Nothing new here, all of these patches have been posted before. I'm
> > posting these patches again for two reasons:
> > 1. Remind Eric he still hasn't merged them into the SELinux tree
> > 2. Send notice that I've pushed the patches to my -next tree so
> > they should be in the next spin of linux-next
> >
> > I was hoping that these patches would have hit linux-next by now via
> > the SELinux tree but that hasn't happened so I'm going to do it via
> > my labeled networking tree (all the patches are labeled networking
> > related anyway).
> No objection from this end, but I'm curious about the motivation
> for the changes as they affect the LSM interface.

I assume you are talking about patch 2/9?

I guess first things first, the changes don't affect how the rest of the
kernel sees the LSM, only how an individual LSM is implemented. If you look
at the pre-patch LSM hook implementation for security_xfrm_state_alloc() and
security_xfrm_state_alloc_acquire() you notice that they share a common LSM-
specific implementation function, xfrm_state_alloc_security(), which takes
different arguments depending on the LSM hook. If you look at how SELinux
implements this function (SELinux is the only example available that uses this
hook) you will notice that the behavior varies quite a bit depending on
the LSM hook caller; in reality, the function is much cleaner and simpler if
we split it so that we have one hook implementation for each LSM hook - like
pretty much everything else in the LSM.

--
paul moore
security and virtualization @ redhat
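
The design point in the reply above, as an added example that is not part of the original message or the patch set: a simplified user-space C model contrasting one implementation function shared by two hooks with one function per hook. All types, function names and the toy label lookup are hypothetical stand-ins, not kernel or SELinux code.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-ins for this sketch; not kernel types or functions. */
struct user_ctx { const char *label; };  /* context supplied by the caller */
struct state { unsigned int sid; };      /* object being labeled */

/* Toy label lookup (constructed): the SID is the label's first byte. */
static int label_to_sid(const char *label, unsigned int *sid)
{
    if (!label || !label[0])
        return -EINVAL;
    *sid = (unsigned char)label[0];
    return 0;
}

/* Shared style: one function behind two hooks; it must work out at run time which argument applies. */
int shared_alloc(struct state *x, const struct user_ctx *uctx, unsigned int secid)
{
    if (uctx && secid)
        return -EINVAL;              /* ambiguous call */
    if (uctx)
        return label_to_sid(uctx->label, &x->sid);
    if (secid) {
        x->sid = secid;
        return 0;
    }
    return -EINVAL;                  /* neither argument given */
}

/* Split style: one function per hook, each with a single contract. */
int split_alloc(struct state *x, const struct user_ctx *uctx)
{
    return uctx ? label_to_sid(uctx->label, &x->sid) : -EINVAL;
}

int split_alloc_acquire(struct state *x, unsigned int secid)
{
    if (!secid)
        return -EINVAL;
    x->sid = secid;
    return 0;
}

int main(void)
{
    struct state x = { 0 };
    return split_alloc_acquire(&x, 7);
}
```

In the shared form the ambiguous and empty argument combinations are only caught by run-time checks; in the split form each signature admits only the arguments its hook actually uses.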