• Paul Moore's avatar
    SELinux: Enable dynamic enable/disable of the network access checks · d621d35e
    Paul Moore authored
    This patch introduces a mechanism for checking when labeled IPsec or SECMARK
    are in use by keeping introducing a configuration reference counter for each
    subsystem.  In the case of labeled IPsec, whenever a labeled SA or SPD entry
    is created the labeled IPsec/XFRM reference count is increased and when the
    entry is removed it is decreased.  In the case of SECMARK, when a SECMARK
    target is created the reference count is increased and later decreased when the
    target is removed.  These reference counters allow SELinux to quickly determine
    if either of these subsystems are enabled.
    
    NetLabel already has a similar mechanism which provides the netlbl_enabled()
    function.
    
    This patch also renames the selinux_relabel_packet_permission() function to
    selinux_secmark_relabel_packet_permission() as the original name and
    description were misleading in that they referenced a single packet label which
    is not the case.
    Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    d621d35e
xfrm.h 2.31 KB