SELinux changes in the 2.6.17 kernel

Here’s a summary of the SELinux-related changes in the recently released 2.6.17 kernel.

  • Alexey Dobriyan
  • Darrel Goeddel
  • Steve Grubb
  • Serge Hallyn
  • Dustin Kirkland
  • Ingo Molnar
  • James Morris
  • Jamal Hadi Salim
  • Stephen Smalley
  • Ron Yorston
  • Catherine Zhang

  • TCP/UDP getpeersec. This provides a mechanism for applications to determine the security context of the peers they’re communicating with, derived from IPSec xfrm labeling. For TCP, the SO_PEERSEC getsockopt() option, previously available only on Unix domain sockets, now returns the peer security context on a connected TCP socket. For UDP, the peer security context may be retrieved on a per-message basis after setting the new IP_PASSSEC socket option, which makes the kernel attach the context to each received datagram as CMSG auxiliary data (an SCM_SECURITY control message read with recvmsg()).
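  As an added example (not code from the original post or from the kernel patches it summarises), here is how an application consumes the two interfaces just described: one getsockopt() call per TCP connection, and IP_PASSSEC plus a control-message walk per UDP datagram. The constant names SO_PEERSEC, IP_PASSSEC and SCM_SECURITY are the kernel's own (the fallback values match the kernel headers); the helper names, the sample context string and the hand-built control buffer are constructed here so the cmsg parser can be exercised without a labeled IPSec peer. The parser is written generally, so it works on any control buffer returned by recvmsg(), not only the constructed one.

  ```c
  /* Added example: reading the peer SELinux context over TCP (SO_PEERSEC) and
   * UDP (IP_PASSSEC + SCM_SECURITY cmsg). Helper names are this example's own. */
  #include <errno.h>
  #include <stdio.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/socket.h>
  #include <netinet/in.h>

  /* Fallbacks for toolchains whose headers predate these definitions; the
   * values are the ones in the kernel's uapi headers. */
  #ifndef SO_PEERSEC
  #define SO_PEERSEC 31
  #endif
  #ifndef IP_PASSSEC
  #define IP_PASSSEC 18
  #endif
  #ifndef SCM_SECURITY
  #define SCM_SECURITY 0x03
  #endif

  #define CTX_MAX 256   /* generous upper bound for a context string */

  /* Stream sockets (TCP, Unix): one getsockopt() per connection. Returns 0 and a
   * NUL-terminated context in ctx, or -1 with errno set (ENOPROTOOPT when no
   * LSM supplies a label, ERANGE when ctx is too small). */
  int get_peer_context(int fd, char *ctx, size_t ctxlen)
  {
      socklen_t len = (socklen_t)(ctxlen - 1);
      if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, ctx, &len) < 0)
          return -1;
      ctx[len] = '\0';   /* do not rely on the kernel's trailing NUL */
      return 0;
  }

  /* UDP: ask the kernel to attach an SCM_SECURITY control message to every
   * datagram subsequently received on fd. */
  int enable_peer_context_cmsg(int fd)
  {
      int one = 1;
      return setsockopt(fd, IPPROTO_IP, IP_PASSSEC, &one, sizeof one);
  }

  /* Walk the control messages of a received datagram and copy the context out of
   * the SCM_SECURITY entry. Returns the label length, or -1 if there is no such
   * entry, it is malformed, or it does not fit in ctx. */
  int extract_peer_context(struct msghdr *msg, char *ctx, size_t ctxlen)
  {
      for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
          if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != SCM_SECURITY)
              continue;
          if (c->cmsg_len < CMSG_LEN(0))
              return -1;                      /* malformed header */
          size_t n = c->cmsg_len - CMSG_LEN(0);
          if (n >= ctxlen)
              return -1;                      /* would not fit */
          memcpy(ctx, CMSG_DATA(c), n);
          ctx[n] = '\0';                      /* tolerate a missing trailing NUL */
          return (int)strlen(ctx);
      }
      return -1;
  }

  /* Lay a control buffer out the way the kernel does for IP_PASSSEC (level
   * SOL_IP/IPPROTO_IP, type SCM_SECURITY, data = context including its NUL), so the
   * parser can be tested without a labeled network. */
  int build_security_cmsg(struct msghdr *msg, void *cbuf, size_t cbuflen, const char *label)
  {
      size_t n = strlen(label) + 1;
      if (CMSG_SPACE(n) > cbuflen)
          return -1;
      memset(cbuf, 0, cbuflen);
      memset(msg, 0, sizeof *msg);
      msg->msg_control = cbuf;
      msg->msg_controllen = CMSG_SPACE(n);
      struct cmsghdr *c = CMSG_FIRSTHDR(msg);
      c->cmsg_level = IPPROTO_IP;
      c->cmsg_type = SCM_SECURITY;
      c->cmsg_len = CMSG_LEN(n);
      memcpy(CMSG_DATA(c), label, n);
      return 0;
  }

  /* Build a constructed datagram carrying `label`, parse it back, and return the
   * parsed context (static storage), or NULL if either step fails. */
  const char *roundtrip_label(const char *label)
  {
      static char ctx[CTX_MAX];
      union { char bytes[CMSG_SPACE(CTX_MAX)]; struct cmsghdr align; } cbuf;
      struct msghdr msg;
      if (build_security_cmsg(&msg, cbuf.bytes, sizeof cbuf.bytes, label) < 0)
          return NULL;
      if (extract_peer_context(&msg, ctx, sizeof ctx) < 0)
          return NULL;
      return ctx;
  }

  int main(void)
  {
      /* On an SELinux kernel a Unix socketpair reports this process's own
       * context as the peer; elsewhere getsockopt() fails with ENOPROTOOPT. */
      int sv[2];
      char ctx[CTX_MAX];
      if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
          if (get_peer_context(sv[0], ctx, sizeof ctx) == 0)
              printf("peer context: %s\n", ctx);
          else
              printf("SO_PEERSEC unavailable: %s\n", strerror(errno));
          close(sv[0]);
          close(sv[1]);
      }
      /* Constructed sample context, not captured from a real peer. */
      const char *l = roundtrip_label("system_u:system_r:sshd_t:s0");
      printf("parsed from SCM_SECURITY cmsg: %s\n", l ? l : "(none)");
      return 0;
  }
  ```

  A real UDP receiver would call enable_peer_context_cmsg() once after bind(), then pass a msghdr with a cmsg-aligned control buffer to recvmsg() and hand it to extract_peer_context(); a datagram with no SCM_SECURITY entry (no policy labeled it) yields -1, which a policy-enforcing application should treat as "unlabeled" rather than as an error in parsing.
  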
  • Authorize deletion of IPSec/xfrm labeling policies.