diff options
author | Richard Haines <richard_c_haines@btinternet.com> | 2018-03-19 17:33:36 +0000 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2018-03-20 16:26:15 -0400 |
commit | d3cc2cd7c8d7adfb43075036878e319d5893280d (patch) | |
tree | d32051445aa3bb3692760e35a54d8d2e5be7ba74 /Documentation/security | |
parent | 68741a8adab900fafb407532e6bae0887f14fbe0 (diff) | |
download | linux-d3cc2cd7c8d7adfb43075036878e319d5893280d.tar.gz linux-d3cc2cd7c8d7adfb43075036878e319d5893280d.tar.bz2 linux-d3cc2cd7c8d7adfb43075036878e319d5893280d.zip |
selinux: Update SELinux SCTP documentation
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect
how the association permission is validated.
Reported-by: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/SELinux-sctp.rst | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst index 2f66bf30658a..a332cb1c5334 100644 --- a/Documentation/security/SELinux-sctp.rst +++ b/Documentation/security/SELinux-sctp.rst @@ -116,11 +116,12 @@ statement as shown in the following example:: SCTP Peer Labeling =================== An SCTP socket will only have one peer label assigned to it. This will be -assigned during the establishment of the first association. Once the peer -label has been assigned, any new associations will have the ``association`` -permission validated by checking the socket peer sid against the received -packets peer sid to determine whether the association should be allowed or -denied. +assigned during the establishment of the first association. Any further +associations on this socket will have their packet peer label compared to +the sockets peer label, and only if they are different will the +``association`` permission be validated. This is validated by checking the +socket peer sid against the received packets peer sid to determine whether +the association should be allowed or denied. NOTES: 1) If peer labeling is not enabled, then the peer context will always be |