Description of problem:
Currently SELinux policies do not prevent most applications from calling setsockopt(), which puts the NetLabel security attributes at risk of tampering by unprivileged applications. A patch has been posted to the netdev and SELinux mailing lists which addresses this problem by preventing applications from removing NetLabel security attributes from a socket, as well as requiring the CAP_NET_RAW capability to set a CIPSO option on a socket. The patch can be found here:

 * http://marc.theaimsgroup.com/?l=linux-netdev&m=116223202106768&w=2

I am also attaching a simple test program which demonstrates the problem.

Version-Release number of selected component (if applicable):
All current RHEL5 kernels with NetLabel enabled.

How reproducible:
N/A

Steps to Reproduce:
1. N/A
2.
3.

Actual results:
N/A

Expected results:
N/A

Additional info:
This directly affects the LSPP efforts of RH, HP, and IBM.
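The following is an added example and is not the test program attached to this bug. It builds a CIPSO IPv4 option (option type 134: type, length, 32-bit DOI, then tags; here a single restrictive-bitmap tag, type 1, carrying an alignment octet, a sensitivity level and a category bitmap), runs a simplified structural check over it in the spirit of the kernel's own validation (my own check, not the kernel's cipso_v4_validate()), and then probes whether this kernel lets the calling process set that option through setsockopt(IPPROTO_IP, IP_OPTIONS). The function names, the DOI value 1 and the category byte are constructed for the example.

```c
/* Added example, not the bug's attachment: build and sanity-check a CIPSO IPv4
 * option, then probe whether this kernel lets the current process set it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CIPSO_OPT_TYPE 134   /* IPv4 option type for CIPSO (FIPS 188) */
#define CIPSO_HDR_LEN  6     /* type, length, 32-bit DOI */
#define CIPSO_MAX_LEN  40    /* IPv4 options never exceed 40 bytes */
#define CIPSO_TAG_RBM  1     /* restrictive bitmap tag */

/* Build a CIPSO option with one restrictive-bitmap tag.
 * Returns the option length, or 0 if it would not fit. */
size_t cipso_build_rbm(unsigned char *buf, size_t buflen, uint32_t doi,
                       unsigned char level, const unsigned char *cats, size_t catlen)
{
    size_t tag_len = 4 + catlen;             /* type, length, alignment, level, bitmap */
    size_t opt_len = CIPSO_HDR_LEN + tag_len;
    if (opt_len > CIPSO_MAX_LEN || opt_len > buflen)
        return 0;
    buf[0] = CIPSO_OPT_TYPE;
    buf[1] = (unsigned char)opt_len;
    buf[2] = (unsigned char)(doi >> 24);     /* DOI in network byte order */
    buf[3] = (unsigned char)(doi >> 16);
    buf[4] = (unsigned char)(doi >> 8);
    buf[5] = (unsigned char)doi;
    buf[6] = CIPSO_TAG_RBM;
    buf[7] = (unsigned char)tag_len;
    buf[8] = 0;                              /* alignment octet, must be zero */
    buf[9] = level;
    memcpy(buf + 10, cats, catlen);
    return opt_len;
}

/* Simplified structural check (my own, not the kernel's): 0 = well formed,
 * negative = which check failed. Only the restrictive-bitmap tag is understood. */
int cipso_option_check(const unsigned char *opt, size_t len)
{
    if (len < CIPSO_HDR_LEN || len > CIPSO_MAX_LEN) return -1;
    if (opt[0] != CIPSO_OPT_TYPE) return -2;
    if (opt[1] != len) return -3;            /* declared length must match the buffer */
    size_t pos = CIPSO_HDR_LEN;
    while (pos < len) {
        if (pos + 2 > len) return -4;        /* tag header truncated */
        unsigned char tag_type = opt[pos], tag_len = opt[pos + 1];
        if (tag_len < 2 || pos + tag_len > len) return -5;   /* tag overruns option */
        if (tag_type != CIPSO_TAG_RBM) return -6;            /* unknown tag type */
        if (tag_len < 4 || tag_len > 34) return -7;          /* level byte required */
        if (opt[pos + 2] != 0) return -8;                    /* alignment octet */
        pos += tag_len;
    }
    return 0;
}

/* Try to set the option on an unconnected UDP socket. Returns the setsockopt()
 * result; on failure *err_out receives errno so the caller can report it. */
int cipso_probe_setsockopt(uint32_t doi, int *err_out)
{
    unsigned char opt[CIPSO_MAX_LEN];
    const unsigned char cats[] = { 0x80 };   /* constructed: category 0 set */
    size_t n = cipso_build_rbm(opt, sizeof opt, doi, 1, cats, sizeof cats);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || n == 0) {
        *err_out = errno;
        if (fd >= 0) close(fd);
        return -1;
    }
    int rc = setsockopt(fd, IPPROTO_IP, IP_OPTIONS, opt, (socklen_t)n);
    *err_out = rc ? errno : 0;
    close(fd);
    return rc;
}

int main(void)
{
    int err = 0;
    int rc = cipso_probe_setsockopt(1 /* constructed DOI */, &err);
    if (rc == 0)
        printf("kernel ACCEPTED a CIPSO option from euid %d\n", (int)geteuid());
    else
        printf("kernel refused the CIPSO option: %s\n", strerror(err));
    return 0;
}
```

Run it as an unprivileged user on a NetLabel-enabled kernel: with the fix described above in place, a process without CAP_NET_RAW should see the call refused; an accepted call from an unprivileged process means the hardening is absent. The exact errno reported depends on the kernel version, so the probe reports it rather than expecting a particular value.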
Created attachment 139738 [details] Simple test program
patch posted for rhel5 kernel inclusion Nov 10
QE ack for RHEL5.
in 2.6.18-1.2817.el5
A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.