secmark=XXX mapping

Stephen Smalley sds at tycho.nsa.gov
Tue Sep 21 14:00:54 UTC 2010


On Tue, 2010-09-21 at 09:40 -0400, Eric Paris wrote:
> On Tue, Sep 21, 2010 at 8:10 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > On Fri, 2010-09-17 at 22:56 +0100, Mr Dash Four wrote:
> >> > Is there any way I can link or map the number shown in the secmark
> >> > field (secmark=XXX) when listing the current connections with "cat
> >> > /proc/net/ip_conntrack" or "cat /proc/net/nf_conntrack"?
> >> I should have been a bit clearer - I need to map the number shown in the
> >> secmark field to the actual SELinux context - is that possible?
> >
> > Not from userspace.  So that likely ought to be mapping to a security
> > context and displaying it instead of displaying the secmark (SID).
> > Kernel issue.  Kernel code can use security_secid_to_secctx() to map the
> > value to a string, and then security_release_secctx() to free it
> > afterward.
> 
> Sorry I saw your e-mail and put it on my list of things to work on.
> I'm playing with SECMARK a bit today so I'll try to send a kernel
> patch to fix this up.

One item to note:  xt_SECMARK.c is presently using selinux-specific
interfaces for mapping the security context string to a sid originally,
as well as to check permissions, manage refcounts, etc.  So if you use
the LSM hooks for mapping the secid back to a context, there will be an
inconsistency in the interface.  Likely they should all be LSM hooks and
both include/linux/selinux.h and security/selinux/exports.c should go
away.

-- 
Stephen Smalley
National Security Agency
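The kernel-side pattern Stephen describes above (resolve the secid with security_secid_to_secctx(), print the context, hand the buffer back with security_release_secctx()), as an added example that is not from this thread, from xt_SECMARK.c or from any kernel patch. Because those two functions only exist inside the kernel, they are stood in for here by model_secid_to_secctx() and model_release_secctx(), names chosen for this example, which follow the same shape over a constructed SID table; format_conntrack_secmark() is a hypothetical stand-in for the /proc/net/nf_conntrack line printer. The secid numbers and contexts in the table are made up and do not come from any real policy.

```c
/* Added example, not code from the thread or the kernel tree: a userspace
 * model of turning a conntrack secmark (an LSM secid) into a printable
 * security context.  In the kernel the calls are security_secid_to_secctx()
 * and security_release_secctx(); the lookalikes below replace them so the
 * file builds with a plain C compiler. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t u32;

/* Constructed stand-in for the SELinux SID table.  The numbers and contexts
 * are illustrative only, not values from any real policy. */
static const struct {
    u32 secid;
    const char *ctx;
} sid_table[] = {
    { 1,  "system_u:object_r:unlabeled_t:s0" },
    { 17, "system_u:object_r:ssh_server_packet_t:s0" },
    { 42, "system_u:object_r:http_server_packet_t:s0" },
};

/* Same shape as security_secid_to_secctx(): on success *secdata is a freshly
 * allocated string owned by the caller until model_release_secctx() is called;
 * an unknown secid yields -EINVAL and allocates nothing. */
static int model_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
    size_t i, n;

    for (i = 0; i < sizeof sid_table / sizeof sid_table[0]; i++) {
        if (sid_table[i].secid != secid)
            continue;
        n = strlen(sid_table[i].ctx);
        *secdata = malloc(n + 1);
        if (!*secdata)
            return -ENOMEM;
        memcpy(*secdata, sid_table[i].ctx, n + 1);
        *seclen = (u32)n;
        return 0;
    }
    return -EINVAL;
}

/* Same role as security_release_secctx(): frees what the lookup allocated. */
static void model_release_secctx(char *secdata, u32 seclen)
{
    (void)seclen;
    free(secdata);
}

/* What a conntrack line printer would do instead of emitting the bare
 * "secmark=N": resolve the secid, print the context, release the buffer.
 * In this model a secmark of 0 means the connection was never labelled, so
 * nothing is printed; a secid the lookup cannot resolve falls back to the raw
 * number so the line stays parseable.  Returns the characters written. */
int format_conntrack_secmark(u32 secmark, char *buf, size_t buflen)
{
    char *secctx;
    u32 len;
    int ret;

    if (secmark == 0) {
        buf[0] = '\0';
        return 0;
    }

    ret = model_secid_to_secctx(secmark, &secctx, &len);
    if (ret)
        return snprintf(buf, buflen, "secmark=%u ", secmark);

    ret = snprintf(buf, buflen, "secctx=%.*s ", (int)len, secctx);
    model_release_secctx(secctx, len); /* every successful lookup gets a release */
    return ret;
}

int main(void)
{
    char line[256];
    u32 samples[] = { 0, 42, 17, 999 }; /* constructed secmark values */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_conntrack_secmark(samples[i], line, sizeof line);
        printf("secmark=%u -> \"%s\"\n", samples[i], line);
    }
    return 0;
}
```

The two points worth carrying into a real kernel change are visible in format_conntrack_secmark(): the string returned by the lookup belongs to the caller until the matching release call, so the release must sit on every successful path, and the lookup can fail, so the display has to degrade to the raw number rather than drop the line.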
